diff --git a/pinecrypt/server/api/access.py b/pinecrypt/server/api/access.py new file mode 100644 index 0000000..e04798d --- /dev/null +++ b/pinecrypt/server/api/access.py @@ -0,0 +1,44 @@ +import falcon +import logging +import json +import hashlib +from pinecrypt.server import authority, errors, db +from bson.objectid import ObjectId +from pinecrypt.server.decorators import csrf_protection +from .utils.firewall import login_required, authorize_admin + +logger = logging.getLogger(__name__) + + +class DisableEnableAccessToInstance(object): + @csrf_protection + @login_required + @authorize_admin + def on_post(self, req, resp, id): + bool = req.get_param_as_bool("disable") + + result = db.certificates.find_one_and_update({ + "_id": ObjectId(id) + }, { + "$set": { + "disabled": bool + } + }, + upsert=True, + return_document=db.return_new) + + if not result: + resp.text = "No certificate found with id %s" % id + raise falcon.HTTPNotFound() + + + @login_required + @authorize_admin + def on_get(self, req, resp, id): + result = db.certificates.find_one({"_id": ObjectId(id)}) + + if not result: + resp.text = "No certificate found with id %s" % id + raise falcon.HTTPNotFound() + + resp.text = str(result["disabled"]) diff --git a/pinecrypt/server/api/events.py b/pinecrypt/server/api/events.py index b054be4..0be06b2 100644 --- a/pinecrypt/server/api/events.py +++ b/pinecrypt/server/api/events.py @@ -66,6 +66,7 @@ async def view_event(request): async for event in stream: if event.get("ns").get("coll") == "certidude_certificates": + if event.get("operationType") == "insert" and event["fullDocument"].get("status") == "csr": await resp.write("event: request-submitted\ndata: %s\n\n" % str(event["documentKey"].get("_id"))) events_emitted.inc() @@ -94,6 +95,10 @@ async def view_event(request): await resp.write("event: attribute-update\ndata: %s\n\n" % str(event["documentKey"].get("_id"))) events_emitted.inc() + if event.get("operationType") == "update" and "disabled" in event.get("updateDescription").get("updatedFields"): + await resp.write("event: instance-access-update\ndata: %s\n\n" % str(event["documentKey"].get("_id"))) + events_emitted.inc() + if event.get("ns").get("coll") == "certidude_logs": from pinecrypt.server.decorators import MyEncoder diff --git a/pinecrypt/server/api/session.py b/pinecrypt/server/api/session.py index ef3d632..21fb0c0 100644 --- a/pinecrypt/server/api/session.py +++ b/pinecrypt/server/api/session.py @@ -92,6 +92,7 @@ class SessionResource(object): # TODO: dedup serialized = dict( id=str(cert_doc["_id"]), + disabled=cert_doc["disabled"], serial="%x" % cert.serial_number, organizational_unit=cert.subject.native.get("organizational_unit_name"), common_name=cert_doc["common_name"], diff --git a/pinecrypt/server/api/signed.py b/pinecrypt/server/api/signed.py index 30e361d..f44fde8 100644 --- a/pinecrypt/server/api/signed.py +++ b/pinecrypt/server/api/signed.py @@ -3,7 +3,7 @@ import falcon import logging import json import hashlib -from pinecrypt.server import authority, errors +from pinecrypt.server import authority, errors, db from pinecrypt.server.decorators import csrf_protection from .utils.firewall import login_required, authorize_admin diff --git a/pinecrypt/server/cli.py b/pinecrypt/server/cli.py index 996503f..9dd3cc0 100644 --- a/pinecrypt/server/cli.py +++ b/pinecrypt/server/cli.py @@ -406,6 +406,7 @@ def pinecone_serve_backend(): from pinecrypt.server.api.revoked import RevokedCertificateDetailResource from pinecrypt.server.api.log import LogResource from pinecrypt.server.api.revoked import RevocationListResource + from pinecrypt.server.api.access import DisableEnableAccessToInstance app = falcon.App(middleware=NormalizeMiddleware()) app.req_options.strip_url_path_trailing_slash = True @@ -424,6 +425,7 @@ def pinecone_serve_backend(): app.add_route("/api/revoked/{serial_number}", RevokedCertificateDetailResource()) app.add_route("/api/log", LogResource()) app.add_route("/api/revoked", RevocationListResource()) + app.add_route("/api/toggleaccess/id/{id}", DisableEnableAccessToInstance()) token_resource = None token_manager = None