From 610d6a8c817d889915aaafd88f8744b2451cdd26 Mon Sep 17 00:00:00 2001
From: Matt Prahl <mprahl@redhat.com>
Date: Thu, 22 Sep 2016 14:03:54 -0400
Subject: [PATCH 1/6] Split up long lines to comply with PEP8 standards

---
 manage.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/manage.py b/manage.py
index 92210ae5..d0049302 100644
--- a/manage.py
+++ b/manage.py
@@ -29,8 +29,9 @@ import ssl
 
 from rida import app, conf, db
 from rida.config import Config
-from rida.pdc import get_pdc_client_session, get_module, get_module_runtime_dependencies, get_module_tag, \
-    get_module_build_dependencies
+from rida.pdc import (
+    get_pdc_client_session, get_module, get_module_runtime_dependencies,
+    get_module_tag, get_module_build_dependencies)
 import rida.auth
 
 
@@ -75,12 +76,14 @@ def testpdc():
     cfg.pdc_develop = True
 
     pdc_session = get_pdc_client_session(cfg)
-    module = get_module(pdc_session, {'name': 'testmodule', 'version': '4.3.43', 'release': '1'})
+    module = get_module(pdc_session, {'name': 'testmodule', 'version': '4.3.43',
+                                      'release': '1'})
 
     if module:
         print ("pdc_data=%s" % str(module))
         print ("deps=%s" % get_module_runtime_dependencies(pdc_session, module))
-        print ("build_deps=%s" % get_module_build_dependencies(pdc_session, module))
+        print ("build_deps=%s" % get_module_build_dependencies(
+            pdc_session, module))
         print ("tag=%s" % get_module_tag(pdc_session, module))
     else:
         print ('module was not found')

From 681ca5a8cfa0eba08fbedd26bdb75c30957f90ab Mon Sep 17 00:00:00 2001
From: Matt Prahl <mprahl@redhat.com>
Date: Fri, 23 Sep 2016 10:16:43 -0400
Subject: [PATCH 2/6] Implement `python manage.py gendevfedmsgcert` command

---
 manage.py | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)

diff --git a/manage.py b/manage.py
index d0049302..616b2941 100644
--- a/manage.py
+++ b/manage.py
@@ -26,6 +26,7 @@ import flask_migrate
 import logging
 import os
 import ssl
+from shutil import rmtree
 
 from rida import app, conf, db
 from rida.config import Config
@@ -96,6 +97,105 @@ def upgradedb():
     flask_migrate.upgrade()
 
 
+@manager.command
+def gendevfedmsgcert(pki_dir='/opt/fm-orchestrator/pki', force=False):
+    """
+    Creates a CA, a certificate signed by that CA, and generates a CRL.
+    """
+    from OpenSSL import crypto
+
+    if os.path.exists(pki_dir):
+        if force:
+            rmtree(pki_dir)
+        else:
+            print('The directory "{}" already exists'.format(pki_dir))
+            return
+
+    os.mkdir(pki_dir)
+
+    ca_crt_path = os.path.join(pki_dir, 'ca.crt')
+    ca_key_path = os.path.join(pki_dir, 'ca.key')
+    msg_key_path = os.path.join(pki_dir, 'msg_signing.key')
+    msg_crt_path = os.path.join(pki_dir, 'msg_signing.crt')
+    ca_crl = os.path.join(pki_dir, 'ca.crl')
+
+    # Create a key pair for the CA
+    ca_key = crypto.PKey()
+    ca_key.generate_key(crypto.TYPE_RSA, 2048)
+
+    with open(ca_key_path, 'w') as ca_key_file:
+        ca_key_file.write(
+            crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_key))
+
+    # Create a self-signed CA cert
+    ca_cert = crypto.X509()
+    ca_subject = ca_cert.get_subject()
+    ca_subject.C = 'US'
+    ca_subject.ST = 'MA'
+    ca_subject.L = 'Boston'
+    ca_subject.O = 'Development'
+    ca_subject.CN = 'Dev-CA'
+    ca_cert.set_serial_number(1)
+    ca_cert.gmtime_adj_notBefore(0)
+    ca_cert.gmtime_adj_notAfter(315360000)  # 10 years
+    ca_cert.set_issuer(ca_cert.get_subject())
+    ca_cert.set_pubkey(ca_key)
+    ca_cert.add_extensions([
+        crypto.X509Extension('basicConstraints', True, 'CA:true')])
+    ca_cert.sign(ca_key, 'sha256')
+
+    with open(ca_crt_path, 'w') as ca_crt_file:
+        ca_crt_file.write(
+            crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
+
+    # Create a key pair for the message signing cert
+    msg_key = crypto.PKey()
+    msg_key.generate_key(crypto.TYPE_RSA, 2048)
+
+    with open(msg_key_path, 'w') as msg_key_file:
+        msg_key_file.write(
+            crypto.dump_privatekey(crypto.FILETYPE_PEM, msg_key))
+
+    # Create a cert signed by the CA
+    msg_cert = crypto.X509()
+    msg_cert_subject = msg_cert.get_subject()
+    msg_cert_subject.C = 'US'
+    msg_cert_subject.ST = 'MA'
+    msg_cert_subject.L = 'Boston'
+    msg_cert_subject.O = 'Development'
+    msg_cert_subject.CN = 'localhost'
+    msg_cert.set_serial_number(2)
+    msg_cert.gmtime_adj_notBefore(0)
+    msg_cert.gmtime_adj_notAfter(315360000)  # 10 years
+    msg_cert.set_issuer(ca_cert.get_subject())
+    msg_cert.set_pubkey(msg_key)
+    cert_extensions = [
+        crypto.X509Extension(
+            'keyUsage', True,
+            'digitalSignature, keyEncipherment, nonRepudiation'),
+        crypto.X509Extension('extendedKeyUsage', True, 'serverAuth'),
+        crypto.X509Extension('basicConstraints', True, 'CA:false'),
+        crypto.X509Extension('crlDistributionPoints', False,
+                             'URI:http://localhost/crl/ca.crl'),
+        crypto.X509Extension('authorityInfoAccess', False,
+                             'caIssuers;URI:http://localhost/crl/ca.crt'),
+        crypto.X509Extension('subjectKeyIdentifier', False, 'hash',
+                             subject=ca_cert)
+    ]
+    msg_cert.add_extensions(cert_extensions)
+    msg_cert.sign(ca_key, 'sha256')
+
+    with open(msg_crt_path, 'w') as msg_crt_file:
+        msg_crt_file.write(
+            crypto.dump_certificate(crypto.FILETYPE_PEM, msg_cert))
+
+    # Generate the CRL
+    with open(ca_crl, 'w') as ca_crl_file:
+        ca_crl_file.write(
+            crypto.CRL().export(ca_cert, ca_key, type=crypto.FILETYPE_PEM,
+                                days=3650, digest='sha256'))
+
+
 @manager.command
 def runssl(host=conf.host, port=conf.port, debug=False):
     """ Runs the Flask app with the HTTPS settings configured in config.py

From c77be1c4d3a67e2f72a0623c0d8c4a799c99422c Mon Sep 17 00:00:00 2001
From: Matt Prahl <mprahl@redhat.com>
Date: Fri, 23 Sep 2016 10:50:54 -0400
Subject: [PATCH 3/6] Add the dependencies required for fedmsg signing

---
 Dockerfile       | 2 +-
 Vagrantfile      | 2 +-
 manage.py        | 4 ++--
 requirements.txt | 2 ++
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 600fdf78..c5bf9f13 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM fedora:24
 
 # so we don't have to compile those when fetched from PyPI
-RUN dnf install -y python-pip python2-setuptools python2-cffi python2-zmq python2-cryptography koji python2-pdc-client && \
+RUN dnf install -y python-pip python2-setuptools python2-cffi python2-zmq python2-cryptography koji python2-pdc-client swig && \
     dnf autoremove -y && dnf clean all && \
     mkdir /opt/fm-orchestrator/
 WORKDIR /opt/fm-orchestrator/
diff --git a/Vagrantfile b/Vagrantfile
index bb10a555..786f05e5 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -2,7 +2,7 @@
 # vi: set ft=ruby :
 
 $script = <<SCRIPT
-    dnf install -y python python-virtualenv python-devel libffi-devel redhat-rpm-config openssl-devel gcc gcc-c++ koji git
+    dnf install -y python python-virtualenv python-devel libffi-devel redhat-rpm-config openssl-devel gcc gcc-c++ koji git swig
     pip install -r /opt/fm-orchestrator/src/requirements.txt
     pip install -r /opt/fm-orchestrator/src/test-requirements.txt
     cd /opt/fm-orchestrator/src
diff --git a/manage.py b/manage.py
index 616b2941..7a2f7e71 100644
--- a/manage.py
+++ b/manage.py
@@ -115,8 +115,8 @@ def gendevfedmsgcert(pki_dir='/opt/fm-orchestrator/pki', force=False):
 
     ca_crt_path = os.path.join(pki_dir, 'ca.crt')
     ca_key_path = os.path.join(pki_dir, 'ca.key')
-    msg_key_path = os.path.join(pki_dir, 'msg_signing.key')
-    msg_crt_path = os.path.join(pki_dir, 'msg_signing.crt')
+    msg_key_path = os.path.join(pki_dir, 'localhost.key')
+    msg_crt_path = os.path.join(pki_dir, 'localhost.crt')
     ca_crl = os.path.join(pki_dir, 'ca.crl')
 
     # Create a key pair for the CA
diff --git a/requirements.txt b/requirements.txt
index d0fc5f7a..a1ec17f8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,3 +12,5 @@ Flask-SQLAlchemy
 Flask-Migrate
 python-fedora
 funcsigs # Python2 only
+m2crypto
+m2ext

From d86374f3605c745200a0cd9a710872dee77a60e0 Mon Sep 17 00:00:00 2001
From: Matt Prahl <mprahl@redhat.com>
Date: Fri, 23 Sep 2016 10:51:38 -0400
Subject: [PATCH 4/6] Add documentation on how to setup fedmsg signing in
 development

---
 README.rst       | 24 ++++++++++++++++++++++++
 fedmsg.d/rida.py | 17 +++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/README.rst b/README.rst
index a1879cf7..38cde04a 100644
--- a/README.rst
+++ b/README.rst
@@ -395,3 +395,27 @@ It may happen that you will run into issues and the container won't start proper
     $ sudo docker-compose build --no-cache --pull
 
 First command will stop and remove all containers and volumes and second command will pull latest base image and perform a clean build without cache.
+
+
+``fedmsg Signing for Development``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to enable fedmsg signing in development, you will need to follow a series of steps.
+Note that this will conflict with signed messages from a different CA that are on the message bus, so this may cause unexpected results.
+
+Generate the CA, the certificate to be used by fedmsg, and the CRL with::
+
+    $ python manage.py gendevfedmsgcert
+
+Setup Apache to host the CRL::
+
+    $ dnf install httpd && systemctl enable httpd && systemctl start httpd
+    $ mkdir -p /var/www/html/crl
+    $ ln -s /opt/fm-orchestrator/pki/ca.crl /var/www/html/crl/ca.crl
+    $ ln -s /opt/fm-orchestrator/pki/ca.crt /var/www/html/crl/ca.crt
+
+Create a directory to house the fedmsg cache::
+
+    $ mkdir -p /etc/pki/fedmsg
+
+Then uncomment the fedmsg signing configuration in fedmsg.d/rida.py.
diff --git a/fedmsg.d/rida.py b/fedmsg.d/rida.py
index da06b44b..d588f24f 100644
--- a/fedmsg.d/rida.py
+++ b/fedmsg.d/rida.py
@@ -8,4 +8,21 @@ config = {
             "tcp://127.0.0.1:300%i" % i for i in range(10)
         ],
     },
+
+    # Start of code signing configuration
+    # 'sign_messages': True,
+    # 'validate_signatures': True,
+    # 'crypto_backend': 'x509',
+    # 'crypto_validate_backends': ['x509'],
+    # 'ssldir': '/opt/fm-orchestrator/pki',
+    # 'crl_location': 'http://localhost/crl/ca.crl',
+    # 'crl_cache': '/etc/pki/fedmsg/crl.pem',
+    # 'crl_cache_expiry': 10,
+    # 'ca_cert_location': 'http://localhost/crl/ca.crt',
+    # 'ca_cert_cache': '/etc/pki/fedmsg/ca.crt',
+    # 'ca_cert_cache_expiry': 0,  # Never expires
+    # 'certnames': {
+    #     'rida.localhost': 'localhost'
+    # }
+    # End of code signing configuration
 }

From 02b24cdda98db4f130572752d69c531d91f2eb67 Mon Sep 17 00:00:00 2001
From: Matt Prahl <mprahl@redhat.com>
Date: Fri, 23 Sep 2016 11:41:28 -0400
Subject: [PATCH 5/6] Replace generate_localhost_cert.sh with `python manage.py
 generatelocalhostcert`

---
 Dockerfile                 |  2 +-
 Vagrantfile                |  2 +-
 generate_localhost_cert.sh |  3 ---
 manage.py                  | 37 +++++++++++++++++++++++++++++++++++++
 4 files changed, 39 insertions(+), 5 deletions(-)
 delete mode 100755 generate_localhost_cert.sh

diff --git a/Dockerfile b/Dockerfile
index c5bf9f13..7f04e0fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,5 +12,5 @@ COPY koji.conf /etc/rida/
 
 COPY . /opt/fm-orchestrator/
 
-RUN python2 ./manage.py upgradedb && ./generate_localhost_cert.sh
+RUN python2 ./manage.py upgradedb && python2 manage.py generatelocalhostcert
 CMD ["python2", "manage.py", "runssl"]
diff --git a/Vagrantfile b/Vagrantfile
index 786f05e5..332b668c 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -9,7 +9,7 @@ $script = <<SCRIPT
     mkdir -p /etc/rida
     cp -av koji.conf /etc/rida/
     python manage.py upgradedb
-    ./generate_localhost_cert.sh
+    python manage.py generatelocalhostcert
 SCRIPT
 
 Vagrant.configure("2") do |config|
diff --git a/generate_localhost_cert.sh b/generate_localhost_cert.sh
deleted file mode 100755
index 0ffe5dc8..00000000
--- a/generate_localhost_cert.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-openssl req -subj '/CN=localhost/O=My Company Name LTD./C=US' -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
diff --git a/manage.py b/manage.py
index 7a2f7e71..0632802d 100644
--- a/manage.py
+++ b/manage.py
@@ -196,6 +196,43 @@ def gendevfedmsgcert(pki_dir='/opt/fm-orchestrator/pki', force=False):
                                 days=3650, digest='sha256'))
 
 
+@manager.command
+def generatelocalhostcert():
+    # Create a key pair for the message signing cert
+    from OpenSSL import crypto
+    cert_key = crypto.PKey()
+    cert_key.generate_key(crypto.TYPE_RSA, 2048)
+
+    with open('server.key', 'w') as cert_key_file:
+        cert_key_file.write(
+            crypto.dump_privatekey(crypto.FILETYPE_PEM, cert_key))
+
+    cert = crypto.X509()
+    msg_cert_subject = cert.get_subject()
+    msg_cert_subject.C = 'US'
+    msg_cert_subject.ST = 'MA'
+    msg_cert_subject.L = 'Boston'
+    msg_cert_subject.O = 'Development'
+    msg_cert_subject.CN = 'localhost'
+    cert.set_serial_number(2)
+    cert.gmtime_adj_notBefore(0)
+    cert.gmtime_adj_notAfter(315360000)  # 10 years
+    cert.set_issuer(cert.get_subject())
+    cert.set_pubkey(cert_key)
+    cert_extensions = [
+        crypto.X509Extension(
+            'keyUsage', True,
+            'digitalSignature, keyEncipherment, nonRepudiation'),
+        crypto.X509Extension('extendedKeyUsage', True, 'serverAuth'),
+    ]
+    cert.add_extensions(cert_extensions)
+    cert.sign(cert_key, 'sha256')
+
+    with open('server.crt', 'w') as cert_file:
+        cert_file.write(
+            crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
+
+
 @manager.command
 def runssl(host=conf.host, port=conf.port, debug=False):
     """ Runs the Flask app with the HTTPS settings configured in config.py

From 7a84e657523d588c47e4e3a1348ca89478b7d2ed Mon Sep 17 00:00:00 2001
From: Matt Prahl <mprahl@redhat.com>
Date: Thu, 22 Sep 2016 12:41:28 -0400
Subject: [PATCH 6/6] Fix the API URL in submit-build.sh

---
 submit-build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/submit-build.sh b/submit-build.sh
index 05521273..bb237463 100755
--- a/submit-build.sh
+++ b/submit-build.sh
@@ -3,5 +3,5 @@ echo "Submmiting a build of modules/testmodule, #020ea37251df5019fde9e7899d2f7d7
 echo "Using https://localhost:5000/rida/module-builds/"
 echo "NOTE: You need to be a Fedora packager for this to work"
 echo
-curl --cert ~/.fedora.cert -k -H "Content-Type: text/json" --data @submit-build.json https://localhost:5000/rida/module-builds/
+curl --cert ~/.fedora.cert -k -H "Content-Type: text/json" --data @submit-build.json https://localhost:5000/rida/1/module-builds/
 echo