From a3e410f3a9f7b5964b40ab28bc3f7ac449ce4c70 Mon Sep 17 00:00:00 2001
From: Marvin Martinson <marvin@pinecrypt.com>
Date: Wed, 7 Jul 2021 13:07:47 +0000
Subject: [PATCH] add option to disable access to instance

---
 pinecrypt/server/api/access.py  | 44 +++++++++++++++++++++++++++++++++
 pinecrypt/server/api/events.py  |  5 ++++
 pinecrypt/server/api/session.py |  1 +
 pinecrypt/server/api/signed.py  |  2 +-
 pinecrypt/server/cli.py         |  2 ++
 5 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 pinecrypt/server/api/access.py

diff --git a/pinecrypt/server/api/access.py b/pinecrypt/server/api/access.py
new file mode 100644
index 0000000..e04798d
--- /dev/null
+++ b/pinecrypt/server/api/access.py
@@ -0,0 +1,44 @@
+import falcon
+import logging
+import json
+import hashlib
+from pinecrypt.server import authority, errors, db
+from bson.objectid import ObjectId
+from pinecrypt.server.decorators import csrf_protection
+from .utils.firewall import login_required, authorize_admin
+
+logger = logging.getLogger(__name__)
+
+
+class DisableEnableAccessToInstance(object):
+    @csrf_protection
+    @login_required
+    @authorize_admin
+    def on_post(self, req, resp, id):
+        bool = req.get_param_as_bool("disable")
+
+        result = db.certificates.find_one_and_update({
+            "_id": ObjectId(id)
+        }, {
+            "$set": {
+                "disabled": bool
+           }
+        },
+        upsert=True,
+        return_document=db.return_new)
+
+        if not result:
+            resp.text = "No certificate found with id %s" % id
+            raise falcon.HTTPNotFound()
+
+
+    @login_required
+    @authorize_admin
+    def on_get(self, req, resp, id):
+        result = db.certificates.find_one({"_id": ObjectId(id)})
+
+        if not result:
+            resp.text = "No certificate found with id %s" % id
+            raise falcon.HTTPNotFound()
+
+        resp.text = str(result["disabled"])
diff --git a/pinecrypt/server/api/events.py b/pinecrypt/server/api/events.py
index b054be4..0be06b2 100644
--- a/pinecrypt/server/api/events.py
+++ b/pinecrypt/server/api/events.py
@@ -66,6 +66,7 @@ async def view_event(request):
             async for event in stream:
 
                 if event.get("ns").get("coll") == "certidude_certificates":
+
                     if event.get("operationType") == "insert" and event["fullDocument"].get("status") == "csr":
                         await resp.write("event: request-submitted\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
                         events_emitted.inc()
@@ -94,6 +95,10 @@ async def view_event(request):
                         await resp.write("event: attribute-update\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
                         events_emitted.inc()
 
+                    if event.get("operationType") == "update" and "disabled" in event.get("updateDescription").get("updatedFields"):
+                        await resp.write("event: instance-access-update\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
+                        events_emitted.inc()
+
                 if event.get("ns").get("coll") == "certidude_logs":
 
                     from pinecrypt.server.decorators import MyEncoder
diff --git a/pinecrypt/server/api/session.py b/pinecrypt/server/api/session.py
index ef3d632..21fb0c0 100644
--- a/pinecrypt/server/api/session.py
+++ b/pinecrypt/server/api/session.py
@@ -92,6 +92,7 @@ class SessionResource(object):
                 # TODO: dedup
                 serialized = dict(
                     id=str(cert_doc["_id"]),
+                    disabled=cert_doc["disabled"],
                     serial="%x" % cert.serial_number,
                     organizational_unit=cert.subject.native.get("organizational_unit_name"),
                     common_name=cert_doc["common_name"],
diff --git a/pinecrypt/server/api/signed.py b/pinecrypt/server/api/signed.py
index 30e361d..f44fde8 100644
--- a/pinecrypt/server/api/signed.py
+++ b/pinecrypt/server/api/signed.py
@@ -3,7 +3,7 @@ import falcon
 import logging
 import json
 import hashlib
-from pinecrypt.server import authority, errors
+from pinecrypt.server import authority, errors, db
 from pinecrypt.server.decorators import csrf_protection
 from .utils.firewall import login_required, authorize_admin
 
diff --git a/pinecrypt/server/cli.py b/pinecrypt/server/cli.py
index 996503f..9dd3cc0 100644
--- a/pinecrypt/server/cli.py
+++ b/pinecrypt/server/cli.py
@@ -406,6 +406,7 @@ def pinecone_serve_backend():
     from pinecrypt.server.api.revoked import RevokedCertificateDetailResource
     from pinecrypt.server.api.log import LogResource
     from pinecrypt.server.api.revoked import RevocationListResource
+    from pinecrypt.server.api.access import DisableEnableAccessToInstance
 
     app = falcon.App(middleware=NormalizeMiddleware())
     app.req_options.strip_url_path_trailing_slash = True
@@ -424,6 +425,7 @@ def pinecone_serve_backend():
     app.add_route("/api/revoked/{serial_number}", RevokedCertificateDetailResource())
     app.add_route("/api/log", LogResource())
     app.add_route("/api/revoked", RevocationListResource())
+    app.add_route("/api/toggleaccess/id/{id}", DisableEnableAccessToInstance())
 
     token_resource = None
     token_manager = None