Bugfixes, OU support and image builder fixes

certidude/api/__init__.py

@@ -44,6 +44,7 @@ class SessionResource(object):
                 except IOError:
                     submission_hostname = None
                 yield dict(
+                    server = authority.server_flags(common_name),
                     submitted = submitted,
                     common_name = common_name,
                     address = submission_address,
@@ -103,6 +104,7 @@ class SessionResource(object):
 
                 yield dict(
                     serial = "%x" % cert.serial_number,
+                    organizational_unit = cert.subject.native.get("organizational_unit_name"),
                     common_name = common_name,
                     # TODO: key type, key length, key exponent, key modulo
                     signed = signed,
@@ -158,10 +160,8 @@ class SessionResource(object):
                 request_subnets = config.REQUEST_SUBNETS or None,
                 admin_subnets=config.ADMIN_SUBNETS or None,
                 signature = dict(
-                    server_certificate_lifetime=config.SERVER_CERTIFICATE_LIFETIME,
-                    client_certificate_lifetime=config.CLIENT_CERTIFICATE_LIFETIME,
                     revocation_list_lifetime=config.REVOCATION_LIST_LIFETIME,
-                    profiles = [dict(organizational_unit=ou, flags=f, lifetime=lt) for f, lt, ou in config.PROFILES.values()]
+                    profiles = [dict(name=k, server=v[0]=="server", lifetime=v[1], organizational_unit=v[2], title=v[3]) for k,v in config.PROFILES.items()]
                 )
             ) if req.context.get("user").is_admin() else None,
             features=dict(

certidude/api/builder.py

@@ -21,6 +21,7 @@ class ImageBuilderResource(object):
         suffix = config.cp2.get(profile, "filename")
 
         build = "/var/lib/certidude/builder/" + profile
+        log_path = build + "/build.log"
         if not os.path.exists(build + "/overlay/etc/uci-defaults"):
             os.makedirs(build + "/overlay/etc/uci-defaults")
         os.system("rsync -av " + overlay_path + "/ " + build + "/overlay/")
@@ -31,12 +32,16 @@ class ImageBuilderResource(object):
                 fh.write(template.render(authority_name=const.FQDN))
 
         proc = subprocess.Popen(("/bin/bash", build_script_path),
-            stdout=open(build + "/build.log", "w"), stderr=subprocess.STDOUT,
+            stdout=open(log_path, "w"), stderr=subprocess.STDOUT,
             close_fds=True, shell=False,
-            cwd=build,
-            env={"PROFILE":model, "PATH":"/usr/sbin:/usr/bin:/sbin:/bin"},
+            cwd=os.path.dirname(os.path.realpath(build_script_path)),
+            env={"PROFILE":model, "PATH":"/usr/sbin:/usr/bin:/sbin:/bin",
+                "BUILD":build, "OVERLAY":build + "/overlay/"},
             startupinfo=None, creationflags=0)
         proc.communicate()
+        if proc.returncode:
+            logger.info("Build script finished with non-zero exitcode, see %s for more information" % log_path)
+            raise falcon.HTTPInternalServerError("Build script finished with non-zero exitcode")
 
         for dname in os.listdir(build):
             if dname.startswith("lede-imagebuilder-"):

certidude/api/lease.py

@@ -33,6 +33,11 @@ class LeaseResource(object):
     @authorize_server
     def on_post(self, req, resp):
         client_common_name = req.get_param("client", required=True)
+        if "=" in client_common_name: # It's actually DN, resolve it to CN
+            _, client_common_name = client_common_name.split(" CN=", 1)
+            if "," in client_common_name:
+                client_common_name, _ = client_common_name.split(",", 1)
+
         path, buf, cert, signed, expires = authority.get_signed(client_common_name) # TODO: catch exceptions
         if req.get_param("serial") and cert.serial_number != req.get_param_as_int("serial"): # OCSP-ish solution for OpenVPN, not exposed for StrongSwan
             raise falcon.HTTPForbidden("Forbidden", "Invalid serial number supplied")

certidude/api/request.py

@@ -225,7 +225,10 @@ class RequestDetailResource(object):
         Sign a certificate signing request
         """
         try:
-            cert, buf = authority.sign(cn, ou=req.get_param("ou"), overwrite=True, signer=req.context.get("user").name)
+            cert, buf = authority.sign(cn,
+                profile=req.get_param("profile", default="default"),
+                overwrite=True,
+                signer=req.context.get("user").name)
             # Mailing and long poll publishing implemented in the function above
         except EnvironmentError: # no such CSR
             raise falcon.HTTPNotFound()

certidude/api/signed.py

@@ -38,6 +38,7 @@ class SignedCertificateDetailResource(object):
                 common_name = cn,
                 signer = signer_username,
                 serial_number = "%x" % cert.serial_number,
+                organizational_unit = cert.subject.native.get("organizational_unit_name"),
                 signed = cert["tbs_certificate"]["validity"]["not_before"].native.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
                 expires = cert["tbs_certificate"]["validity"]["not_after"].native.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z",
                 sha256sum = hashlib.sha256(buf).hexdigest()))