1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-12-22 08:15:18 +00:00

Sevral bugfixes

This commit is contained in:
Lauri Võsandi 2018-03-03 13:54:31 +00:00
parent a46ffcba35
commit 1c49626f50
6 changed files with 28 additions and 12 deletions

View File

@ -100,6 +100,7 @@ class SessionResource(AuthorityHandler):
except IOError: except IOError:
signer_username = None signer_username = None
# TODO: dedup
yield dict( yield dict(
serial = "%x" % cert.serial_number, serial = "%x" % cert.serial_number,
organizational_unit = cert.subject.native.get("organizational_unit_name"), organizational_unit = cert.subject.native.get("organizational_unit_name"),

View File

@ -5,7 +5,7 @@ import json
import hashlib import hashlib
from certidude.auth import login_required, authorize_admin from certidude.auth import login_required, authorize_admin
from certidude.decorators import csrf_protection from certidude.decorators import csrf_protection
from xattr import getxattr from xattr import listxattr, getxattr
from .utils import AuthorityHandler from .utils import AuthorityHandler
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -34,14 +34,28 @@ class SignedCertificateDetailResource(AuthorityHandler):
signer_username = getxattr(path, "user.signature.username").decode("ascii") signer_username = getxattr(path, "user.signature.username").decode("ascii")
except IOError: except IOError:
signer_username = None signer_username = None
attributes = {}
for key in listxattr(path):
if key.startswith(b"user.machine."):
attributes[key[13:].decode("ascii")] = getxattr(path, key).decode("ascii")
# TODO: dedup
resp.body = json.dumps(dict( resp.body = json.dumps(dict(
common_name = cn, common_name = cn,
signer = signer_username, signer = signer_username,
serial_number = "%x" % cert.serial_number, serial = "%x" % cert.serial_number,
organizational_unit = cert.subject.native.get("organizational_unit_name"), organizational_unit = cert.subject.native.get("organizational_unit_name"),
signed = cert["tbs_certificate"]["validity"]["not_before"].native.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z", signed = cert["tbs_certificate"]["validity"]["not_before"].native.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
expires = cert["tbs_certificate"]["validity"]["not_after"].native.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z", expires = cert["tbs_certificate"]["validity"]["not_after"].native.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
sha256sum = hashlib.sha256(buf).hexdigest())) sha256sum = hashlib.sha256(buf).hexdigest(),
attributes = attributes or None,
lease = None,
extensions = dict([
(e["extn_id"].native, e["extn_value"].native)
for e in cert["tbs_certificate"]["extensions"]
if e["extn_value"] in ("extended_key_usage",)])
))
logger.debug("Served certificate %s to %s as application/json", logger.debug("Served certificate %s to %s as application/json",
cn, req.context.get("remote_addr")) cn, req.context.get("remote_addr"))
else: else:

View File

@ -41,7 +41,7 @@ class TokenResource(AuthorityHandler):
common_name = csr["certification_request_info"]["subject"].native["common_name"] common_name = csr["certification_request_info"]["subject"].native["common_name"]
assert common_name == username or common_name.startswith(username + "@"), "Invalid common name %s" % common_name assert common_name == username or common_name.startswith(username + "@"), "Invalid common name %s" % common_name
try: try:
_, resp.body = self.authority._sign(csr, body) _, resp.body = self.authority._sign(csr, body, profile="default")
resp.set_header("Content-Type", "application/x-pem-file") resp.set_header("Content-Type", "application/x-pem-file")
logger.info("Autosigned %s as proven by token ownership", common_name) logger.info("Autosigned %s as proven by token ownership", common_name)
except FileExistsError: except FileExistsError:

View File

@ -68,7 +68,7 @@ def self_enroll():
from certidude import authority from certidude import authority
from certidude.common import drop_privileges from certidude.common import drop_privileges
drop_privileges() drop_privileges()
authority.sign(common_name, skip_push=True, overwrite=True) authority.sign(common_name, skip_push=True, overwrite=True, profile="srv")
sys.exit(0) sys.exit(0)
else: else:
os.waitpid(pid, 0) os.waitpid(pid, 0)
@ -307,7 +307,7 @@ def delete_request(common_name):
config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest(), config.LONG_POLL_PUBLISH % hashlib.sha256(buf).hexdigest(),
headers={"User-Agent": "Certidude API"}) headers={"User-Agent": "Certidude API"})
def sign(common_name, skip_notify=False, skip_push=False, overwrite=False, profile="default", signer=None): def sign(common_name, skip_notify=False, skip_push=False, overwrite=False, profile=None, signer=None):
""" """
Sign certificate signing request by it's common name Sign certificate signing request by it's common name
""" """
@ -325,12 +325,12 @@ def sign(common_name, skip_notify=False, skip_push=False, overwrite=False, profi
os.unlink(req_path) os.unlink(req_path)
return cert, buf return cert, buf
def _sign(csr, buf, skip_notify=False, skip_push=False, overwrite=False, profile="default", signer=None): def _sign(csr, buf, skip_notify=False, skip_push=False, overwrite=False, profile=None, signer=None):
# TODO: CRLDistributionPoints, OCSP URL, Certificate URL # TODO: CRLDistributionPoints, OCSP URL, Certificate URL
if profile not in config.PROFILES: if profile not in config.PROFILES:
raise ValueError("Invalid profile supplied '%s'" % profile) raise ValueError("Invalid profile supplied '%s'" % profile)
assert buf.startswith(b"-----BEGIN CERTIFICATE REQUEST-----") assert buf.startswith(b"-----BEGIN ")
assert isinstance(csr, CertificationRequest) assert isinstance(csr, CertificationRequest)
csr_pubkey = asymmetric.load_public_key(csr["certification_request_info"]["subject_pk_info"]) csr_pubkey = asymmetric.load_public_key(csr["certification_request_info"]["subject_pk_info"])
common_name = csr["certification_request_info"]["subject"].native["common_name"] common_name = csr["certification_request_info"]["subject"].native["common_name"]

View File

@ -956,7 +956,7 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
os.system("apt-get install -qq -y cython3 python3-dev python3-mimeparse \ os.system("apt-get install -qq -y cython3 python3-dev python3-mimeparse \
python3-markdown python3-pyxattr python3-jinja2 python3-cffi \ python3-markdown python3-pyxattr python3-jinja2 python3-cffi \
software-properties-common libsasl2-modules-gssapi-mit npm nodejs \ software-properties-common libsasl2-modules-gssapi-mit npm nodejs \
libkrb5-dev libldap2-dev libsasl2-dev gawk libncurses5-dev") libkrb5-dev libldap2-dev libsasl2-dev gawk libncurses5-dev rsync")
os.system("pip3 install -q --upgrade gssapi falcon humanize ipaddress simplepam") os.system("pip3 install -q --upgrade gssapi falcon humanize ipaddress simplepam")
os.system("pip3 install -q --pre --upgrade python-ldap") os.system("pip3 install -q --pre --upgrade python-ldap")
@ -1308,11 +1308,12 @@ def certidude_list(verbose, show_key_type, show_extensions, show_path, show_sign
@click.command("sign", help="Sign certificate") @click.command("sign", help="Sign certificate")
@click.argument("common_name") @click.argument("common_name")
@click.option("--profile", "-p", default=None, help="Profile")
@click.option("--overwrite", "-o", default=False, is_flag=True, help="Revoke valid certificate with same CN") @click.option("--overwrite", "-o", default=False, is_flag=True, help="Revoke valid certificate with same CN")
def certidude_sign(common_name, overwrite): def certidude_sign(common_name, overwrite, profile):
from certidude import authority from certidude import authority
drop_privileges() drop_privileges()
cert = authority.sign(common_name, overwrite=overwrite) cert = authority.sign(common_name, overwrite=overwrite, profile=profile)
@click.command("revoke", help="Revoke certificate") @click.command("revoke", help="Revoke certificate")

View File

@ -1,4 +1,4 @@
<i class="fa fa-circle" style="color:{% if certificate.lease.age > 86400 %}#d9534f{% else %}{% if certificate.lease.age > 3600 %}#0275d8{% else %}#5cb85c{% endif %}{% endif %};"/> <i class="fa fa-circle" style="color:{% if certificate.lease.age > 172800 %}#d9534f{% else %}{% if certificate.lease.age > 3600 %}#0275d8{% else %}#5cb85c{% endif %}{% endif %};"/>
Last seen Last seen
<time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time> <time class="timeago" datetime="{{ certificate.lease.last_seen }}">{{ certificate.lease.last_seen }}</time>
at at