add option to disable access to instance

This commit is contained in:
Marvin Martinson 2021-07-07 13:07:47 +00:00
parent ce0eb1a400
commit a3e410f3a9
5 changed files with 53 additions and 1 deletions

View File

@ -0,0 +1,44 @@
import falcon
import logging
import json
import hashlib
from pinecrypt.server import authority, errors, db
from bson.objectid import ObjectId
from pinecrypt.server.decorators import csrf_protection
from .utils.firewall import login_required, authorize_admin
logger = logging.getLogger(__name__)
class DisableEnableAccessToInstance(object):
@csrf_protection
@login_required
@authorize_admin
def on_post(self, req, resp, id):
bool = req.get_param_as_bool("disable")
result = db.certificates.find_one_and_update({
"_id": ObjectId(id)
}, {
"$set": {
"disabled": bool
}
},
upsert=True,
return_document=db.return_new)
if not result:
resp.text = "No certificate found with id %s" % id
raise falcon.HTTPNotFound()
@login_required
@authorize_admin
def on_get(self, req, resp, id):
result = db.certificates.find_one({"_id": ObjectId(id)})
if not result:
resp.text = "No certificate found with id %s" % id
raise falcon.HTTPNotFound()
resp.text = str(result["disabled"])

View File

@ -66,6 +66,7 @@ async def view_event(request):
async for event in stream: async for event in stream:
if event.get("ns").get("coll") == "certidude_certificates": if event.get("ns").get("coll") == "certidude_certificates":
if event.get("operationType") == "insert" and event["fullDocument"].get("status") == "csr": if event.get("operationType") == "insert" and event["fullDocument"].get("status") == "csr":
await resp.write("event: request-submitted\ndata: %s\n\n" % str(event["documentKey"].get("_id"))) await resp.write("event: request-submitted\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
events_emitted.inc() events_emitted.inc()
@ -94,6 +95,10 @@ async def view_event(request):
await resp.write("event: attribute-update\ndata: %s\n\n" % str(event["documentKey"].get("_id"))) await resp.write("event: attribute-update\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
events_emitted.inc() events_emitted.inc()
if event.get("operationType") == "update" and "disabled" in event.get("updateDescription").get("updatedFields"):
await resp.write("event: instance-access-update\ndata: %s\n\n" % str(event["documentKey"].get("_id")))
events_emitted.inc()
if event.get("ns").get("coll") == "certidude_logs": if event.get("ns").get("coll") == "certidude_logs":
from pinecrypt.server.decorators import MyEncoder from pinecrypt.server.decorators import MyEncoder

View File

@ -92,6 +92,7 @@ class SessionResource(object):
# TODO: dedup # TODO: dedup
serialized = dict( serialized = dict(
id=str(cert_doc["_id"]), id=str(cert_doc["_id"]),
disabled=cert_doc["disabled"],
serial="%x" % cert.serial_number, serial="%x" % cert.serial_number,
organizational_unit=cert.subject.native.get("organizational_unit_name"), organizational_unit=cert.subject.native.get("organizational_unit_name"),
common_name=cert_doc["common_name"], common_name=cert_doc["common_name"],

View File

@ -3,7 +3,7 @@ import falcon
import logging import logging
import json import json
import hashlib import hashlib
from pinecrypt.server import authority, errors from pinecrypt.server import authority, errors, db
from pinecrypt.server.decorators import csrf_protection from pinecrypt.server.decorators import csrf_protection
from .utils.firewall import login_required, authorize_admin from .utils.firewall import login_required, authorize_admin

View File

@ -406,6 +406,7 @@ def pinecone_serve_backend():
from pinecrypt.server.api.revoked import RevokedCertificateDetailResource from pinecrypt.server.api.revoked import RevokedCertificateDetailResource
from pinecrypt.server.api.log import LogResource from pinecrypt.server.api.log import LogResource
from pinecrypt.server.api.revoked import RevocationListResource from pinecrypt.server.api.revoked import RevocationListResource
from pinecrypt.server.api.access import DisableEnableAccessToInstance
app = falcon.App(middleware=NormalizeMiddleware()) app = falcon.App(middleware=NormalizeMiddleware())
app.req_options.strip_url_path_trailing_slash = True app.req_options.strip_url_path_trailing_slash = True
@ -424,6 +425,7 @@ def pinecone_serve_backend():
app.add_route("/api/revoked/{serial_number}", RevokedCertificateDetailResource()) app.add_route("/api/revoked/{serial_number}", RevokedCertificateDetailResource())
app.add_route("/api/log", LogResource()) app.add_route("/api/log", LogResource())
app.add_route("/api/revoked", RevocationListResource()) app.add_route("/api/revoked", RevocationListResource())
app.add_route("/api/toggleaccess/id/{id}", DisableEnableAccessToInstance())
token_resource = None token_resource = None
token_manager = None token_manager = None