* Remove given name and surname attributes because of issues with OpenVPN Connect
* Remove e-mail attribute because of no reliable method of deriving usable address
* Remove organizational unit attribute
* Don't overwrite Kerberos cronjob during certidude setup authority
* Enforce path_length=0 to disable intermediate CAs
* Remove SAN attributes
* Add configuration options for outbox sender name and address
* Use common name attribute to derive signature flags
* Use distinct pub/sub URL-s for long poll and event source
2017-02-07 22:07:21 +00:00
parent 703970c1d3
commit 2a8109704a
15 changed files with 160 additions and 265 deletions


@@ -59,7 +59,7 @@ class SessionResource(object):
user_mutliple_certificates=config.USER_MULTIPLE_CERTIFICATES,
outbox = config.OUTBOX,
certificate = authority.certificate,
events = config.PUSH_EVENT_SOURCE % config.PUSH_TOKEN,
events = config.EVENT_SOURCE_SUBSCRIBE % config.EVENT_SOURCE_TOKEN,
requests=authority.list_requests(),
signed=authority.list_signed(),
revoked=authority.list_revoked(),


@@ -52,11 +52,11 @@ class RequestListResource(object):
raise falcon.HTTPBadRequest(
"Bad request",
"Common name %s differs from Kerberos credential %s!" % (csr.common_name, machine))
if csr.signable:
# Automatic enroll with Kerberos machine cerdentials
resp.set_header("Content-Type", "application/x-x509-user-cert")
resp.body = authority.sign(csr, overwrite=True).dump()
return
# Automatic enroll with Kerberos machine cerdentials
resp.set_header("Content-Type", "application/x-x509-user-cert")
resp.body = authority.sign(csr, overwrite=True).dump()
return
# Check if this request has been already signed and return corresponding certificte if it has been signed
@@ -73,7 +73,7 @@ class RequestListResource(object):
# TODO: check for revoked certificates and return HTTP 410 Gone
# Process automatic signing if the IP address is whitelisted, autosigning was requested and certificate can be automatically signed
if req.get_param_as_bool("autosign") and csr.signable:
if req.get_param_as_bool("autosign") and csr.is_client:
for subnet in config.AUTOSIGN_SUBNETS:
if req.context.get("remote_addr") in subnet:
try:
@@ -103,7 +103,7 @@ class RequestListResource(object):
# Wait the certificate to be signed if waiting is requested
if req.get_param("wait"):
# Redirect to nginx pub/sub
url = config.PUSH_LONG_POLL % csr.fingerprint()
url = config.LONG_POLL_SUBSCRIBE % csr.fingerprint()
click.echo("Redirecting to: %s" % url)
resp.status = falcon.HTTP_SEE_OTHER
resp.set_header("Location", url.encode("ascii"))
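Review bot: In the first hunk, the new machine-enrollment path under `# Automatic enroll with Kerberos machine cerdentials` signs the CSR with `overwrite=True` as soon as the common name matches the Kerberos principal; the `csr.signable` gate the old lines carried is gone, so nothing visible in this hunk checks the usages or extensions requested in the CSR before the authority signs it. If `authority.sign` now derives the flags from the common name, as the commit message suggests, say so at the call site, e.g. `# CN already verified against the Kerberos principal; authority.sign derives usage flags from the CN, so requested extensions in the CSR are not honoured` — and if it does not, the requested usages should be validated here before signing. `overwrite=True` also lets a holder of the machine credential replace an existing certificate at will, so confirm that the authority revokes (or at least CRL-lists) the replaced certificate, since this hunk does not. The comment typo `cerdentials` should read `credentials`. The handler's body begins before the hunk.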


@@ -27,7 +27,7 @@ class RevocationListResource(object):
default_backend()).public_bytes(Encoding.DER)
elif req.client_accepts("application/x-pem-file"):
if req.get_param_as_bool("wait"):
url = config.PUSH_LONG_POLL % "crl"
url = config.LONG_POLL_SUBSCRIBE % "crl"
resp.status = falcon.HTTP_SEE_OTHER
resp.set_header("Location", url.encode("ascii"))
logger.debug(u"Redirecting to CRL request to %s", url)