api: request: drop usage of global authority import
This commit is contained in:
parent
7f2729e6f4
commit
916afba685
@ -220,8 +220,8 @@ def certidude_app(log_handlers=[]):
|
|||||||
# Certificate authority API calls
|
# Certificate authority API calls
|
||||||
app.add_route("/api/certificate/", CertificateAuthorityResource())
|
app.add_route("/api/certificate/", CertificateAuthorityResource())
|
||||||
app.add_route("/api/signed/{cn}/", SignedCertificateDetailResource())
|
app.add_route("/api/signed/{cn}/", SignedCertificateDetailResource())
|
||||||
app.add_route("/api/request/{cn}/", RequestDetailResource())
|
app.add_route("/api/request/{cn}/", RequestDetailResource(authority))
|
||||||
app.add_route("/api/request/", RequestListResource())
|
app.add_route("/api/request/", RequestListResource(authority))
|
||||||
app.add_route("/api/", SessionResource())
|
app.add_route("/api/", SessionResource())
|
||||||
|
|
||||||
if config.USER_ENROLLMENT_ALLOWED: # TODO: add token enable/disable flag for config
|
if config.USER_ENROLLMENT_ALLOWED: # TODO: add token enable/disable flag for config
|
||||||
|
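Review bot: `authority` is now injected into `RequestDetailResource(authority)` and `RequestListResource(authority)`, but the neighbouring `CertificateAuthorityResource()`, `SignedCertificateDetailResource()` and `SessionResource()` on the same lines are still constructed without it; if those resources also rely on the module-level `authority` import, the refactor is only partial and it would be worth saying so in the commit or finishing it in the same change. Which object is bound to `authority` at this call site is not visible in the hunk, so a short comment above the `add_route` lines, `# authority: the CA instance shared by all request handlers (injected so tests can substitute it)`, would make the intent explicit. The body of `certidude_app` starts and ends outside the hunk; its signature shown in the hunk header uses a mutable default `log_handlers=[]`, which is a separate pre-existing issue worth a follow-up (`log_handlers=None` plus `log_handlers = log_handlers or []`).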
@ -1,4 +1,3 @@
|
|||||||
|
|
||||||
import click
|
import click
|
||||||
import falcon
|
import falcon
|
||||||
import logging
|
import logging
|
||||||
@ -9,7 +8,7 @@ import hashlib
|
|||||||
from asn1crypto import pem
|
from asn1crypto import pem
|
||||||
from asn1crypto.csr import CertificationRequest
|
from asn1crypto.csr import CertificationRequest
|
||||||
from base64 import b64decode
|
from base64 import b64decode
|
||||||
from certidude import config, authority, push, errors
|
from certidude import config, push, errors
|
||||||
from certidude.auth import login_required, login_optional, authorize_admin
|
from certidude.auth import login_required, login_optional, authorize_admin
|
||||||
from certidude.decorators import csrf_protection, MyEncoder, serialize
|
from certidude.decorators import csrf_protection, MyEncoder, serialize
|
||||||
from certidude.firewall import whitelist_subnets, whitelist_content_types
|
from certidude.firewall import whitelist_subnets, whitelist_content_types
|
||||||
@ -28,6 +27,9 @@ curl -f -L -H "Content-type: application/pkcs10" --data-binary @test.csr \
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
class RequestListResource(object):
|
class RequestListResource(object):
|
||||||
|
def __init__(self, authority):
|
||||||
|
self.authority = authority
|
||||||
|
|
||||||
@login_optional
|
@login_optional
|
||||||
@whitelist_subnets(config.REQUEST_SUBNETS)
|
@whitelist_subnets(config.REQUEST_SUBNETS)
|
||||||
@whitelist_content_types("application/pkcs10")
|
@whitelist_content_types("application/pkcs10")
|
||||||
@ -61,7 +63,7 @@ class RequestListResource(object):
|
|||||||
|
|
||||||
# Automatic enroll with Kerberos machine cerdentials
|
# Automatic enroll with Kerberos machine cerdentials
|
||||||
resp.set_header("Content-Type", "application/x-pem-file")
|
resp.set_header("Content-Type", "application/x-pem-file")
|
||||||
cert, resp.body = authority._sign(csr, body, overwrite=True)
|
cert, resp.body = self.authority._sign(csr, body, overwrite=True)
|
||||||
logger.info("Automatically enrolled Kerberos authenticated machine %s from %s",
|
logger.info("Automatically enrolled Kerberos authenticated machine %s from %s",
|
||||||
machine, req.context.get("remote_addr"))
|
machine, req.context.get("remote_addr"))
|
||||||
return
|
return
|
||||||
@ -72,7 +74,7 @@ class RequestListResource(object):
|
|||||||
Attempt to renew certificate using currently valid key pair
|
Attempt to renew certificate using currently valid key pair
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
path, buf, cert, signed, expires = authority.get_signed(common_name)
|
path, buf, cert, signed, expires = self.authority.get_signed(common_name)
|
||||||
except EnvironmentError:
|
except EnvironmentError:
|
||||||
pass # No currently valid certificate for this common name
|
pass # No currently valid certificate for this common name
|
||||||
else:
|
else:
|
||||||
@ -112,7 +114,7 @@ class RequestListResource(object):
|
|||||||
reasons.append("Renewal requested, but not allowed by authority settings")
|
reasons.append("Renewal requested, but not allowed by authority settings")
|
||||||
else:
|
else:
|
||||||
resp.set_header("Content-Type", "application/x-x509-user-cert")
|
resp.set_header("Content-Type", "application/x-x509-user-cert")
|
||||||
_, resp.body = authority._sign(csr, body, overwrite=True)
|
_, resp.body = self.authority._sign(csr, body, overwrite=True)
|
||||||
logger.info("Renewed certificate for %s", common_name)
|
logger.info("Renewed certificate for %s", common_name)
|
||||||
return
|
return
|
||||||
|
|
||||||
@ -122,12 +124,12 @@ class RequestListResource(object):
|
|||||||
autosigning was requested and certificate can be automatically signed
|
autosigning was requested and certificate can be automatically signed
|
||||||
"""
|
"""
|
||||||
if req.get_param_as_bool("autosign"):
|
if req.get_param_as_bool("autosign"):
|
||||||
if not authority.server_flags(common_name):
|
if not self.authority.server_flags(common_name):
|
||||||
for subnet in config.AUTOSIGN_SUBNETS:
|
for subnet in config.AUTOSIGN_SUBNETS:
|
||||||
if req.context.get("remote_addr") in subnet:
|
if req.context.get("remote_addr") in subnet:
|
||||||
try:
|
try:
|
||||||
resp.set_header("Content-Type", "application/x-pem-file")
|
resp.set_header("Content-Type", "application/x-pem-file")
|
||||||
_, resp.body = authority._sign(csr, body)
|
_, resp.body = self.authority._sign(csr, body)
|
||||||
logger.info("Autosigned %s as %s is whitelisted", common_name, req.context.get("remote_addr"))
|
logger.info("Autosigned %s as %s is whitelisted", common_name, req.context.get("remote_addr"))
|
||||||
return
|
return
|
||||||
except EnvironmentError:
|
except EnvironmentError:
|
||||||
@ -142,7 +144,7 @@ class RequestListResource(object):
|
|||||||
|
|
||||||
# Attempt to save the request otherwise
|
# Attempt to save the request otherwise
|
||||||
try:
|
try:
|
||||||
request_path, _, _ = authority.store_request(body,
|
request_path, _, _ = self.authority.store_request(body,
|
||||||
address=str(req.context.get("remote_addr")))
|
address=str(req.context.get("remote_addr")))
|
||||||
except errors.RequestExists:
|
except errors.RequestExists:
|
||||||
reasons.append("Same request already uploaded exists")
|
reasons.append("Same request already uploaded exists")
|
||||||
@ -176,13 +178,16 @@ class RequestListResource(object):
|
|||||||
|
|
||||||
|
|
||||||
class RequestDetailResource(object):
|
class RequestDetailResource(object):
|
||||||
|
def __init__(self, authority):
|
||||||
|
self.authority = authority
|
||||||
|
|
||||||
def on_get(self, req, resp, cn):
|
def on_get(self, req, resp, cn):
|
||||||
"""
|
"""
|
||||||
Fetch certificate signing request as PEM
|
Fetch certificate signing request as PEM
|
||||||
"""
|
"""
|
||||||
|
|
||||||
try:
|
try:
|
||||||
path, buf, _, submitted = authority.get_request(cn)
|
path, buf, _, submitted = self.authority.get_request(cn)
|
||||||
except errors.RequestDoesNotExist:
|
except errors.RequestDoesNotExist:
|
||||||
logger.warning("Failed to serve non-existant request %s to %s",
|
logger.warning("Failed to serve non-existant request %s to %s",
|
||||||
cn, req.context.get("remote_addr"))
|
cn, req.context.get("remote_addr"))
|
||||||
@ -206,7 +211,7 @@ class RequestDetailResource(object):
|
|||||||
resp.body = json.dumps(dict(
|
resp.body = json.dumps(dict(
|
||||||
submitted = submitted,
|
submitted = submitted,
|
||||||
common_name = cn,
|
common_name = cn,
|
||||||
server = authority.server_flags(cn),
|
server = self.authority.server_flags(cn),
|
||||||
address = getxattr(path, "user.request.address").decode("ascii"), # TODO: move to authority.py
|
address = getxattr(path, "user.request.address").decode("ascii"), # TODO: move to authority.py
|
||||||
md5sum = hashlib.md5(buf).hexdigest(),
|
md5sum = hashlib.md5(buf).hexdigest(),
|
||||||
sha1sum = hashlib.sha1(buf).hexdigest(),
|
sha1sum = hashlib.sha1(buf).hexdigest(),
|
||||||
@ -225,7 +230,7 @@ class RequestDetailResource(object):
|
|||||||
Sign a certificate signing request
|
Sign a certificate signing request
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
cert, buf = authority.sign(cn,
|
cert, buf = self.authority.sign(cn,
|
||||||
profile=req.get_param("profile", default="default"),
|
profile=req.get_param("profile", default="default"),
|
||||||
overwrite=True,
|
overwrite=True,
|
||||||
signer=req.context.get("user").name)
|
signer=req.context.get("user").name)
|
||||||
@ -244,7 +249,7 @@ class RequestDetailResource(object):
|
|||||||
@authorize_admin
|
@authorize_admin
|
||||||
def on_delete(self, req, resp, cn):
|
def on_delete(self, req, resp, cn):
|
||||||
try:
|
try:
|
||||||
authority.delete_request(cn)
|
self.authority.delete_request(cn)
|
||||||
# Logging implemented in the function above
|
# Logging implemented in the function above
|
||||||
except errors.RequestDoesNotExist as e:
|
except errors.RequestDoesNotExist as e:
|
||||||
resp.body = "No certificate signing request for %s found" % cn
|
resp.body = "No certificate signing request for %s found" % cn
|
||||||
|
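Review bot: The new `__init__(self, authority)` constructors on `RequestListResource` and `RequestDetailResource` carry no docstring describing what the injected object must provide, even though the handlers in the later hunks call `_sign`, `get_signed`, `server_flags`, `store_request`, `get_request`, `sign` and `delete_request` on it; a one-line docstring such as `"""authority: CA backend used to look up, store, sign and delete requests."""` would pin that contract, and the two `_sign` call sites show the resources now depend on a leading-underscore, non-public method of whatever is injected. In the `@ -206,7 +211,7` hunk, `on_get` still reads `getxattr(path, "user.request.address")` straight from the path returned by `self.authority.get_request(cn)`, which the existing TODO acknowledges; until that lookup moves behind the authority object, substituting a different `authority` (for example in tests) would still require the on-disk request layout. The `@ -1,4 +1,3` hunk removes one line from the import block but the rendered view shows only an empty pair there, so which line was dropped cannot be confirmed from the page. Each enclosing handler method begins and ends outside its hunk.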