add option to disable access to instance

pinecrypt/server/api/access.py

@@ -0,0 +1,44 @@
+import falcon
+import logging
+import json
+import hashlib
+from pinecrypt.server import authority, errors, db
+from bson.objectid import ObjectId
+from pinecrypt.server.decorators import csrf_protection
+from .utils.firewall import login_required, authorize_admin
+
+logger = logging.getLogger(__name__)
+
+
+class DisableEnableAccessToInstance(object):
+    @csrf_protection
+    @login_required
+    @authorize_admin
+    def on_post(self, req, resp, id):
+        bool = req.get_param_as_bool("disable")
+
+        result = db.certificates.find_one_and_update({
+            "_id": ObjectId(id)
+        }, {
+            "$set": {
+                "disabled": bool
+           }
+        },
+        upsert=True,
+        return_document=db.return_new)
+
+        if not result:
+            resp.text = "No certificate found with id %s" % id
+            raise falcon.HTTPNotFound()
+
+
+    @login_required
+    @authorize_admin
+    def on_get(self, req, resp, id):
+        result = db.certificates.find_one({"_id": ObjectId(id)})
+
+        if not result:
+            resp.text = "No certificate found with id %s" % id
+            raise falcon.HTTPNotFound()
+
+        resp.text = str(result["disabled"])

pinecrypt/server/api/events.py

@@ -66,6 +66,7 @@ async def view_event(request):
             async for event in stream:
 
                 if event.get("ns").get("coll") == "certidude_certificates":
+
                     if event.get("operationType") == "insert" and event["fullDocument"].get("status") == "csr":
                         await resp.write("event: request-submitted\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
                         events_emitted.inc()
@@ -94,6 +95,10 @@ async def view_event(request):
                         await resp.write("event: attribute-update\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
                         events_emitted.inc()
 
+                    if event.get("operationType") == "update" and "disabled" in event.get("updateDescription").get("updatedFields"):
+                        await resp.write("event: instance-access-update\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
+                        events_emitted.inc()
+
                 if event.get("ns").get("coll") == "certidude_logs":
 
                     from pinecrypt.server.decorators import MyEncoder

pinecrypt/server/api/session.py

@@ -92,6 +92,7 @@ class SessionResource(object):
                 # TODO: dedup
                 serialized = dict(
                     id=str(cert_doc["_id"]),
+                    disabled=cert_doc["disabled"],
                     serial="%x" % cert.serial_number,
                     organizational_unit=cert.subject.native.get("organizational_unit_name"),
                     common_name=cert_doc["common_name"],

pinecrypt/server/api/signed.py

@@ -3,7 +3,7 @@ import falcon
 import logging
 import json
 import hashlib
-from pinecrypt.server import authority, errors
+from pinecrypt.server import authority, errors, db
 from pinecrypt.server.decorators import csrf_protection
 from .utils.firewall import login_required, authorize_admin
 

pinecrypt/server/cli.py

@@ -406,6 +406,7 @@ def pinecone_serve_backend():
     from pinecrypt.server.api.revoked import RevokedCertificateDetailResource
     from pinecrypt.server.api.log import LogResource
     from pinecrypt.server.api.revoked import RevocationListResource
+    from pinecrypt.server.api.access import DisableEnableAccessToInstance
 
     app = falcon.App(middleware=NormalizeMiddleware())
     app.req_options.strip_url_path_trailing_slash = True
@@ -424,6 +425,7 @@ def pinecone_serve_backend():
     app.add_route("/api/revoked/{serial_number}", RevokedCertificateDetailResource())
     app.add_route("/api/log", LogResource())
     app.add_route("/api/revoked", RevocationListResource())
+    app.add_route("/api/toggleaccess/id/{id}", DisableEnableAccessToInstance())
 
     token_resource = None
     token_manager = None