Add long poll support for CRL API call

2017-01-30 06:29:01 +00:00 · 2017-01-30 06:29:01 +00:00 · 4ae40c5d45
parent c979d73bec
commit 4ae40c5d45
3 changed files with 22 additions and 7 deletions
--- a/certidude/api/revoked.py
+++ b/certidude/api/revoked.py
@ -2,7 +2,7 @@
 import falcon
 import json
 import logging
-from certidude import const
+from certidude import const, config
 from certidude.authority import export_crl, list_revoked
 from certidude.decorators import MyEncoder
 from cryptography import x509
@ -26,11 +26,17 @@ class RevocationListResource(object):
            resp.body = x509.load_pem_x509_crl(export_crl(),
                default_backend()).public_bytes(Encoding.DER)
        elif req.client_accepts("application/x-pem-file"):
-            resp.set_header("Content-Type", "application/x-pem-file")
-            resp.append_header(
-                "Content-Disposition",
-                ("attachment; filename=%s-crl.pem" % const.HOSTNAME).encode("ascii"))
-            resp.body = export_crl()
+            if req.get_param_as_bool("wait"):
+                url = config.PUSH_LONG_POLL % "crl"
+                resp.status = falcon.HTTP_SEE_OTHER
+                resp.set_header("Location", url.encode("ascii"))
+                logger.debug(u"Redirecting to CRL request to %s", url)
+            else:
+                resp.set_header("Content-Type", "application/x-pem-file")
+                resp.append_header(
+                    "Content-Disposition",
+                    ("attachment; filename=%s-crl.pem" % const.HOSTNAME).encode("ascii"))
+                resp.body = export_crl()
        elif req.accept.startswith("application/json"):
            resp.set_header("Content-Type", "application/json")
            resp.set_header("Content-Disposition", "inline")
--- a/certidude/authority.py
+++ b/certidude/authority.py
@ -131,6 +131,14 @@ def revoke_certificate(common_name):
    revoked_filename = os.path.join(config.REVOKED_DIR, "%s.pem" % cert.serial_number)
    os.rename(cert.path, revoked_filename)
    push.publish("certificate-revoked", cert.common_name)
+
+    # Publish CRL for long polls
+    if config.PUSH_PUBLISH:
+        url = config.PUSH_PUBLISH % "crl"
+        click.echo("Publishing CRL at %s ..." % url)
+        requests.post(url, data=export_crl(),
+            headers={"User-Agent": "Certidude API", "Content-Type": "application/x-pem-file"})
+
    mailer.send("certificate-revoked.md", attachments=(cert,), certificate=cert)


--- a/certidude/static/views/authority.html
+++ b/certidude/static/views/authority.html
@ -181,7 +181,8 @@ cat example.csr
 <section id="revoked">
    <h1>Revoked certificates</h1>
    <p>To fetch <a href="{{window.location.href}}api/revoked/">certificate revocation list</a>:</p>
-    <pre>curl {{window.location.href}}api/revoked/ | openssl crl -inform der -text -noout</pre>
+    <pre>curl {{window.location.href}}api/revoked/ > crl.der
+curl http://ca2.koodur.lan/api/revoked/?wait=yes -H "Accept: application/x-pem-file" > crl.pem</pre>
    <!--
    <p>To perform online certificate status request</p>