From d8abde3d53381a3d19e26b86cbd78b02544fea43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Thu, 14 Jan 2016 11:02:57 +0200
Subject: [PATCH] Refactor request submission API now properly distinguishes duplicate request from other requests with same common name.
---
 certidude/api/request.py | 9 +++++++--
 certidude/authority.py | 13 ++++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/certidude/api/request.py b/certidude/api/request.py
index 80f0326..6dff484 100644
--- a/certidude/api/request.py
+++ b/certidude/api/request.py
@@ -68,12 +68,17 @@ class RequestListResource(object):
 # Attempt to save the request otherwise
 try:
 csr = authority.store_request(body)
- except FileExistsError:
+ except authority.RequestExists:
+ # We should stil redirect client to long poll URL below
+ pass
+ except authority.DuplicateCommonNameError:
+ # TODO: Certificate renewal
 logger.warning("Rejected signing request with overlapping common name from %s", req.env["REMOTE_ADDR"])
 raise falcon.HTTPConflict(
 "CSR with such CN already exists",
 "Will not overwrite existing certificate signing request, explicitly delete CSR and try again")
- push.publish("request-submitted", csr.common_name)
+ else:
+ push.publish("request-submitted", csr.common_name)
 # Wait the certificate to be signed if waiting is requested
 if req.get_param("wait"):
diff --git a/certidude/authority.py b/certidude/authority.py
index 71c6562..4612fea 100644
--- a/certidude/authority.py
+++ b/certidude/authority.py
@@ -15,6 +15,12 @@ RE_HOSTNAME = "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0
 # https://jamielinux.com/docs/openssl-certificate-authority/
 # http://pycopia.googlecode.com/svn/trunk/net/pycopia/ssl/certs.py
+class RequestExists(Exception):
+ pass
+
+class DuplicateCommonNameError(Exception):
+ pass
+
 def publish_certificate(func):
 # TODO: Implement e-mail and nginx notifications using hooks
 def wrapped(csr, *args, **kwargs):
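Review bot: In the new `except authority.RequestExists:` branch `csr` is never bound, because `store_request` raised before returning, so any use of `csr` after the hunk — the long-poll redirect the comment promises — would fail with NameError; the branch has to obtain the already-stored request (for example by letting `store_request` return the existing entry instead of raising) before falling through. Whether the code below actually reads `csr` is not visible here, and the enclosing handler starts and ends outside the hunk. The added comment also has a typo: `# We should still redirect client to long poll URL below`.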
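Review bot: The two new exception classes in authority.py carry no docstring, so the only place that says how `RequestExists` differs from `DuplicateCommonNameError` is the body of `store_request`; I would give them `"""The stored request for this common name is byte-identical to the submitted one."""` and `"""A different request with the same common name is already stored."""`. Neither class inherits from `FileExistsError`, which `store_request` used to raise, so any other caller still catching `FileExistsError` would now see an unhandled error — I cannot see other callers from here, but a shared base (or keeping `FileExistsError` as the base) would keep them working.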
@@ -61,9 +67,10 @@ def store_request(buf, overwrite=False):
 # If there is cert, check if it's the same
 if os.path.exists(request_path):
- if open(request_path).read() != buf:
- print("Request already exists, not creating new request")
- raise FileExistsError("Request already exists")
+ if open(request_path).read() == buf:
+ raise RequestExists("Request already exists")
+ else:
+ raise DuplicateCommonNameError("Another request with same common name already exists")
 else:
 with open(request_path + ".part", "w") as fh:
 fh.write(buf)
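Review bot: `open(request_path).read()` on the new `if` line never closes the file handle explicitly, and the comparison is raw-text equality, so a resubmission of the same CSR that differs only in trailing whitespace or line endings is reported as a different request with the same common name (a 409 upstream) rather than as the same one; compare a normalized form if that matters. Reading through a context manager also removes the redundant `else:` after `raise`. The `os.path.exists` check and the later write are separate steps, so two concurrent submissions for the same common name can both pass the check; `store_request` starts and ends outside the hunk.
```python
    if os.path.exists(request_path):
        with open(request_path) as fh:
            existing = fh.read()
        if existing == buf:
            raise RequestExists("Request already exists")
        raise DuplicateCommonNameError("Another request with same common name already exists")
    # … unchanged: write of request_path + ".part" …
```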