certidude/certidude/api/revoked.py


import click
import falcon
import json
import logging
from certidude import const, config
from certidude.firewall import whitelist_subnets

logger = logging.getLogger(__name__)

class RevocationListResource(object):
    def __init__(self, authority):
        self.authority = authority

    @whitelist_subnets(config.CRL_SUBNETS)
    def on_get(self, req, resp):
        # Primarily offer DER encoded CRL as per RFC5280
        # This is also what StrongSwan expects
        if req.client_accepts("application/x-pkcs7-crl"):
            resp.set_header("Content-Type", "application/x-pkcs7-crl")
            resp.append_header(
                "Content-Disposition",
                ("attachment; filename=%s.crl" % const.HOSTNAME))
            # Convert PEM to DER
            logger.debug("Serving revocation list (DER) to %s", req.context.get("remote_addr"))
            resp.body = self.authority.export_crl(pem=False)
        elif req.client_accepts("application/x-pem-file"):
            if req.get_param_as_bool("wait"):
                url = config.LONG_POLL_SUBSCRIBE % "crl"
                resp.status = falcon.HTTP_SEE_OTHER
                resp.set_header("Location", url)
                logger.debug("Redirecting to CRL request to %s", url)
                resp.body = "Redirecting to %s" % url
            else:
                resp.set_header("Content-Type", "application/x-pem-file")
                resp.append_header(
                    "Content-Disposition",
                    ("attachment; filename=%s-crl.pem" % const.HOSTNAME))
                logger.debug("Serving revocation list (PEM) to %s", req.context.get("remote_addr"))
                resp.body = self.authority.export_crl()
        else:
            logger.debug("Client %s asked revocation list in unsupported format" % req.context.get("remote_addr"))
            raise falcon.HTTPUnsupportedMediaType(
                "Client did not accept application/x-pkcs7-crl or application/x-pem-file")
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity 2017-03-13 11:42:58 +00:00			`import click`
Make /api/revoked conform to RFC5280 2016-03-29 10:28:58 +00:00			`import falcon`
Add revocation list JSON serialization 2016-03-30 19:00:18 +00:00			`import json`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`import logging`
Add long poll support for CRL API call 2017-01-30 06:29:01 +00:00			`from certidude import const, config`
tests: Add test for machine attribute updates 2017-07-07 21:07:25 +00:00			`from certidude.firewall import whitelist_subnets`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
Add file based rotating log handler 2017-04-04 05:02:08 +00:00			`logger = logging.getLogger(__name__)`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`class RevocationListResource(object):`
api: revoked: drop usage of global authority import 2018-02-03 10:51:27 +00:00			`def __init__(self, authority):`
			`self.authority = authority`

tests: Add test for machine attribute updates 2017-07-07 21:07:25 +00:00			`@whitelist_subnets(config.CRL_SUBNETS)`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`def on_get(self, req, resp):`
Make /api/revoked conform to RFC5280 2016-03-29 10:28:58 +00:00			`# Primarily offer DER encoded CRL as per RFC5280`
			`# This is also what StrongSwan expects`
			`if req.client_accepts("application/x-pkcs7-crl"):`
			`resp.set_header("Content-Type", "application/x-pkcs7-crl")`
			`resp.append_header(`
			`"Content-Disposition",`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`("attachment; filename=%s.crl" % const.HOSTNAME))`
Make /api/revoked conform to RFC5280 2016-03-29 10:28:58 +00:00			`# Convert PEM to DER`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`logger.debug("Serving revocation list (DER) to %s", req.context.get("remote_addr"))`
api: revoked: drop usage of global authority import 2018-02-03 10:51:27 +00:00			`resp.body = self.authority.export_crl(pem=False)`
Make /api/revoked conform to RFC5280 2016-03-29 10:28:58 +00:00			`elif req.client_accepts("application/x-pem-file"):`
Add long poll support for CRL API call 2017-01-30 06:29:01 +00:00			`if req.get_param_as_bool("wait"):`
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00			`url = config.LONG_POLL_SUBSCRIBE % "crl"`
Add long poll support for CRL API call 2017-01-30 06:29:01 +00:00			`resp.status = falcon.HTTP_SEE_OTHER`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`resp.set_header("Location", url)`
			`logger.debug("Redirecting to CRL request to %s", url)`
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity 2017-03-13 11:42:58 +00:00			`resp.body = "Redirecting to %s" % url`
Add long poll support for CRL API call 2017-01-30 06:29:01 +00:00			`else:`
			`resp.set_header("Content-Type", "application/x-pem-file")`
			`resp.append_header(`
			`"Content-Disposition",`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`("attachment; filename=%s-crl.pem" % const.HOSTNAME))`
			`logger.debug("Serving revocation list (PEM) to %s", req.context.get("remote_addr"))`
api: revoked: drop usage of global authority import 2018-02-03 10:51:27 +00:00			`resp.body = self.authority.export_crl()`
Make /api/revoked conform to RFC5280 2016-03-29 10:28:58 +00:00			`else:`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`logger.debug("Client %s asked revocation list in unsupported format" % req.context.get("remote_addr"))`
Make /api/revoked conform to RFC5280 2016-03-29 10:28:58 +00:00			`raise falcon.HTTPUnsupportedMediaType(`
			`"Client did not accept application/x-pkcs7-crl or application/x-pem-file")`