Initial linux agent and api functionality for enrolling servers

app/apps/servers/admin.py

@@ -1,17 +1,27 @@
 from django.contrib import admin
-from guardian.admin import GuardedModelAdmin
 from django.utils.html import format_html
-from .models import Server
+from guardian.admin import GuardedModelAdmin
+
+from .models import AgentCertificateAuthority, EnrollmentToken, Server
 
 
 @admin.register(Server)
 class ServerAdmin(GuardedModelAdmin):
-    list_display = ("avatar", "display_name", "hostname", "ipv4", "ipv6", "created_at")
+    list_display = ("avatar", "display_name", "hostname", "ipv4", "ipv6", "agent_enrolled_at", "created_at")
     list_display_links = ("display_name",)
     search_fields = ("display_name", "hostname", "ipv4", "ipv6")
     list_filter = ("created_at",)
-    readonly_fields = ("created_at", "updated_at")
-    fields = ("display_name", "hostname", "ipv4", "ipv6", "image", "created_at", "updated_at")
+    readonly_fields = ("created_at", "updated_at", "agent_enrolled_at")
+    fields = (
+        "display_name",
+        "hostname",
+        "ipv4",
+        "ipv6",
+        "image",
+        "agent_enrolled_at",
+        "created_at",
+        "updated_at",
+    )
 
     def avatar(self, obj: Server):
         if obj.image_url:
@@ -27,3 +37,52 @@ class ServerAdmin(GuardedModelAdmin):
         )
     avatar.short_description = ""
 
+
+@admin.register(EnrollmentToken)
+class EnrollmentTokenAdmin(admin.ModelAdmin):
+    list_display = ("token", "created_at", "expires_at", "used_at", "server")
+    list_filter = ("created_at", "used_at")
+    search_fields = ("token", "server__display_name", "server__hostname")
+    readonly_fields = ("token", "created_at", "used_at", "server", "created_by")
+    fields = ("token", "expires_at", "created_by", "created_at", "used_at", "server")
+
+    def save_model(self, request, obj, form, change) -> None:
+        if not obj.pk:
+            obj.ensure_token()
+            if request.user and request.user.is_authenticated and not obj.created_by_id:
+                obj.created_by = request.user
+        super().save_model(request, obj, form, change)
+
+
+@admin.register(AgentCertificateAuthority)
+class AgentCertificateAuthorityAdmin(admin.ModelAdmin):
+    list_display = ("name", "is_active", "created_at", "revoked_at")
+    list_filter = ("is_active", "created_at", "revoked_at")
+    search_fields = ("name", "fingerprint")
+    readonly_fields = ("fingerprint", "serial", "created_at", "revoked_at", "created_by")
+    fields = (
+        "name",
+        "is_active",
+        "cert_pem",
+        "key_pem",
+        "fingerprint",
+        "serial",
+        "created_by",
+        "created_at",
+        "revoked_at",
+    )
+    actions = ["revoke_selected"]
+
+    def save_model(self, request, obj, form, change) -> None:
+        if request.user and request.user.is_authenticated and not obj.created_by_id:
+            obj.created_by = request.user
+        obj.ensure_material()
+        if obj.is_active:
+            AgentCertificateAuthority.objects.exclude(pk=obj.pk).update(is_active=False)
+        super().save_model(request, obj, form, change)
+
+    @admin.action(description="Revoke selected CAs")
+    def revoke_selected(self, request, queryset):
+        for ca in queryset:
+            ca.revoke()
+            ca.save(update_fields=["is_active", "revoked_at"])

app/apps/servers/migrations/0002_agent_enrollment.py

@@ -0,0 +1,73 @@
+from django.conf import settings
+from django.db import migrations, models
+import django.utils.timezone
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("servers", "0001_initial"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="server",
+            name="agent_cert_fingerprint",
+            field=models.CharField(blank=True, max_length=128, null=True),
+        ),
+        migrations.AddField(
+            model_name="server",
+            name="agent_cert_serial",
+            field=models.CharField(blank=True, max_length=64, null=True),
+        ),
+        migrations.AddField(
+            model_name="server",
+            name="agent_enrolled_at",
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+        migrations.CreateModel(
+            name="EnrollmentToken",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("token", models.CharField(max_length=128, unique=True)),
+                ("created_at", models.DateTimeField(default=django.utils.timezone.now, editable=False)),
+                ("expires_at", models.DateTimeField(blank=True, null=True)),
+                ("used_at", models.DateTimeField(blank=True, null=True)),
+                (
+                    "created_by",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="server_enrollment_tokens",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    "server",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="enrollment_tokens",
+                        to="servers.server",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Enrollment token",
+                "verbose_name_plural": "Enrollment tokens",
+                "ordering": ["-created_at"],
+            },
+        ),
+        migrations.AddIndex(
+            model_name="enrollmenttoken",
+            index=models.Index(fields=["created_at"], name="servers_enroll_created_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="enrollmenttoken",
+            index=models.Index(fields=["used_at"], name="servers_enroll_used_idx"),
+        ),
+    ]

app/apps/servers/migrations/0003_agent_ca.py

@@ -0,0 +1,44 @@
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("servers", "0002_agent_enrollment"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AgentCertificateAuthority",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("name", models.CharField(default="Keywarden Agent CA", max_length=128)),
+                ("cert_pem", models.TextField()),
+                ("key_pem", models.TextField()),
+                ("fingerprint", models.CharField(blank=True, max_length=128)),
+                ("serial", models.CharField(blank=True, max_length=64)),
+                ("created_at", models.DateTimeField(default=django.utils.timezone.now, editable=False)),
+                ("revoked_at", models.DateTimeField(blank=True, null=True)),
+                ("is_active", models.BooleanField(db_index=True, default=True)),
+                (
+                    "created_by",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="agent_certificate_authorities",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Agent certificate authority",
+                "verbose_name_plural": "Agent certificate authorities",
+                "ordering": ["-created_at"],
+            },
+        ),
+    ]

app/apps/servers/models.py

@@ -1,8 +1,16 @@
 from __future__ import annotations
 
+import secrets
+from datetime import datetime, timedelta
+
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+from django.conf import settings
 from django.core.validators import RegexValidator
 from django.db import models
-from django.utils.text import slugify
+from django.utils import timezone
 
 
 hostname_validator = RegexValidator(
@@ -17,6 +25,9 @@ class Server(models.Model):
     ipv4 = models.GenericIPAddressField(null=True, blank=True, protocol="IPv4", unique=True)
     ipv6 = models.GenericIPAddressField(null=True, blank=True, protocol="IPv6", unique=True)
     image = models.ImageField(upload_to="servers/", null=True, blank=True)
+    agent_enrolled_at = models.DateTimeField(null=True, blank=True)
+    agent_cert_fingerprint = models.CharField(max_length=128, null=True, blank=True)
+    agent_cert_serial = models.CharField(max_length=64, null=True, blank=True)
     created_at = models.DateTimeField(auto_now_add=True)
     updated_at = models.DateTimeField(auto_now=True)
 
@@ -41,3 +52,108 @@ class Server(models.Model):
         return (self.display_name or "?").strip()[:1].upper() or "?"
 
 
+class EnrollmentToken(models.Model):
+    token = models.CharField(max_length=128, unique=True)
+    created_at = models.DateTimeField(default=timezone.now, editable=False)
+    expires_at = models.DateTimeField(null=True, blank=True)
+    created_by = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="server_enrollment_tokens",
+    )
+    used_at = models.DateTimeField(null=True, blank=True)
+    server = models.ForeignKey(
+        Server, null=True, blank=True, on_delete=models.SET_NULL, related_name="enrollment_tokens"
+    )
+
+    class Meta:
+        verbose_name = "Enrollment token"
+        verbose_name_plural = "Enrollment tokens"
+        indexes = [
+            models.Index(fields=["created_at"], name="servers_enroll_created_idx"),
+            models.Index(fields=["used_at"], name="servers_enroll_used_idx"),
+        ]
+        ordering = ["-created_at"]
+
+    def __str__(self) -> str:
+        return f"{self.token[:8]}... ({'used' if self.used_at else 'unused'})"
+
+    def ensure_token(self) -> None:
+        if not self.token:
+            self.token = secrets.token_urlsafe(32)
+
+    def is_valid(self) -> bool:
+        if self.used_at:
+            return False
+        if self.expires_at and self.expires_at <= timezone.now():
+            return False
+        return True
+
+    def mark_used(self, server: Server) -> None:
+        self.used_at = timezone.now()
+        self.server = server
+
+    def save(self, *args, **kwargs):
+        self.ensure_token()
+        super().save(*args, **kwargs)
+
+
+class AgentCertificateAuthority(models.Model):
+    name = models.CharField(max_length=128, default="Keywarden Agent CA")
+    cert_pem = models.TextField()
+    key_pem = models.TextField()
+    fingerprint = models.CharField(max_length=128, blank=True)
+    serial = models.CharField(max_length=64, blank=True)
+    created_at = models.DateTimeField(default=timezone.now, editable=False)
+    revoked_at = models.DateTimeField(null=True, blank=True)
+    is_active = models.BooleanField(default=True, db_index=True)
+    created_by = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="agent_certificate_authorities",
+    )
+
+    class Meta:
+        verbose_name = "Agent certificate authority"
+        verbose_name_plural = "Agent certificate authorities"
+        ordering = ["-created_at"]
+
+    def __str__(self) -> str:
+        status = "active" if self.is_active and not self.revoked_at else "revoked"
+        return f"{self.name} ({status})"
+
+    def revoke(self) -> None:
+        self.is_active = False
+        self.revoked_at = timezone.now()
+
+    def ensure_material(self) -> None:
+        if self.cert_pem and self.key_pem:
+            return
+        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, self.name)])
+        now = datetime.utcnow()
+        cert = (
+            x509.CertificateBuilder()
+            .subject_name(subject)
+            .issuer_name(subject)
+            .public_key(key.public_key())
+            .serial_number(x509.random_serial_number())
+            .not_valid_before(now - timedelta(minutes=5))
+            .not_valid_after(now + timedelta(days=3650))
+            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
+            .sign(key, hashes.SHA256())
+        )
+        cert_pem = cert.public_bytes(serialization.Encoding.PEM).decode("utf-8")
+        key_pem = key.private_bytes(
+            encoding=serialization.Encoding.PEM,
+            format=serialization.PrivateFormat.TraditionalOpenSSL,
+            encryption_algorithm=serialization.NoEncryption(),
+        ).decode("utf-8")
+        self.cert_pem = cert_pem
+        self.key_pem = key_pem
+        self.fingerprint = cert.fingerprint(hashes.SHA256()).hex()
+        self.serial = format(cert.serial_number, "x")