예제 #1
0
    def remove_user(self, body, is_admin=False):
        """Remove a user or admin."""
        fingerprint = None
        sig_path = write_sig_to_file(body["signature"])
        try:
            fingerprint = self.cert_processor.admin_verify(
                body["fingerprint"].encode("UTF-8"), sig_path)
            logger.info("Admin {adminfp} adding user {userfp}".format(
                adminfp=fingerprint, userfp=body["fingerprint"]))
        except (CertProcessorInvalidSignatureError,
                CertProcessorUntrustedSignatureError):
            os.remove(sig_path)
            logger.error(
                "Invalid signature on adding fingerprint: {fp}".format(
                    fp=body["fingerprint"]))
            return error_response("Unauthorized", 403)
        # Remove signature file
        os.remove(sig_path)

        if is_admin:
            # Add a user to the admin trust store
            self.cert_processor.admin_gpg.delete_keys(body["fingerprint"])

        # Add the user to the user trust store
        self.cert_processor.user_gpg.delete_keys(body["fingerprint"])
        return json.dumps({"msg": "success"}), 201
예제 #2
0
 def create_cert(self, body):
     """Create a certificate."""
     lifetime = int(body["lifetime"])
     min_lifetime = int(self.config.get("mtls", "min_lifetime",
                                        fallback=60))
     max_lifetime = int(self.config.get("mtls", "max_lifetime", fallback=0))
     if lifetime < min_lifetime:
         logger.info(
             "User requested lifetime less than minimum. {} < {}".format(
                 lifetime, min_lifetime))
         error_response("lifetime must be greater than {} seconds".format(
             min_lifetime))
     if max_lifetime != 0:
         if lifetime > max_lifetime:
             logger.info(
                 "User requested lifetime greater than maximum. {} < {}".
                 format(lifetime, max_lifetime))
             error_response("lifetime must be less than {} seconds".format(
                 max_lifetime))
     csr_str = body["csr"]
     csr = self.cert_processor.get_csr(csr_str)
     if csr is None:
         return error_response("Could not load CSR")
     try:
         csr_public_bytes = csr.public_bytes(serialization.Encoding.PEM)
         sig_path = write_sig_to_file(body["signature"])
         fingerprint = self.cert_processor.verify(csr_public_bytes,
                                                  sig_path)
         os.remove(sig_path)
     except CertProcessorUntrustedSignatureError as e:
         logger.info("Unauthorized: {}".format(e))
         return error_response("Unauthorized", 403)
     except CertProcessorInvalidSignatureError:
         logger.info("Invalid signature in CSR.")
         return error_response("Invalid signature", 401)
     if csr is None:
         logger.info("Invalid CSR.")
         return error_response("Invalid CSR")
     cert = None
     try:
         cert = self.cert_processor.generate_cert(csr, lifetime,
                                                  fingerprint)
         return json.dumps({"cert": cert.decode("UTF-8")}), 200
     except CertProcessorKeyNotFoundError:
         logger.critical("Key missing. Service not properly initialized")
         return error_response("Internal Error")
     except CertProcessorMismatchedPublicKeyError:
         logger.error("CSR Public Key does not match found certificate.")
         return error_response("Internal Error")
     except CertProcessorNotAdminUserError:
         logger.error(
             "User {} is not an admin and attempted ".format(fingerprint) +
             "to generate a certificate they are not allowed to generate.")
         return error_response("Invalid Request", 403)
     except CertProcessorNoPGPKeyFoundError:
         logger.info("PGP Key not found.")
         return error_response("Unauthorized", 401)
예제 #3
0
    def add_user(self, body, is_admin=False):
        """Add a user or admin."""
        fingerprint = None
        sig_path = write_sig_to_file(body["signature"])
        try:
            fingerprint = self.cert_processor.admin_verify(
                body["fingerprint"].encode("UTF-8"), sig_path)
        except (CertProcessorInvalidSignatureError,
                CertProcessorUntrustedSignatureError):
            os.remove(sig_path)
            logger.error(
                "Invalid signature on adding fingerprint: {fp}".format(
                    fp=body["fingerprint"]))
            return error_response("Unauthorized", 403)
        # Remove signature file
        os.remove(sig_path)

        fingerprint = body["fingerprint"]

        try:
            if is_admin:
                has_user = self.has_user(self.cert_processor.admin_gpg,
                                         fingerprint)
                if not has_user:
                    logger.info(
                        "Admin {adminfp} adding admin user {userfp}".format(
                            adminfp=fingerprint, userfp=body["fingerprint"]))
                    # Add a user to the admin trust store
                    self.add_and_trust_user(self.cert_processor.admin_gpg,
                                            fingerprint)

            has_user = self.has_user(self.cert_processor.user_gpg, fingerprint)

            if not has_user:
                # Add the user to the user trust store
                logger.info(
                    "Admin {adminfp} adding admin user {userfp}".format(
                        adminfp=fingerprint, userfp=body["fingerprint"]))
                self.add_and_trust_user(self.cert_processor.user_gpg,
                                        fingerprint)
            return json.dumps({"msg": "success"}), 201
        except GPGKeyNotFoundException:
            return (
                json.dumps(
                    {"msg": "Key not found on keyserver. Could not import"}),
                422,
            )
예제 #4
0
    def revoke_cert(self, body):
        """
        A user should be able to revoke their own certificate. An admin should
        be able to revoke the certificate of any user.

        Args:
            body: A dictionary from the JSON input.

        Returns:
            (json, int): a tuple of the json response and http status code.
        """
        is_admin = False
        fingerprint = None
        sig_path = write_sig_to_file(body["signature"])
        try:
            fingerprint = self.cert_processor.admin_verify(
                json.dumps(body["query"]).encode("UTF-8"), sig_path)
            is_admin = True
            logger.info(
                "Admin {adminfp} revoking certificate with query {query}".
                format(adminfp=fingerprint, query=json.dumps(body["query"])))
            os.remove(sig_path)
        except (CertProcessorInvalidSignatureError,
                CertProcessorUntrustedSignatureError):
            try:
                fingerprint = self.cert_processor.verify(
                    json.dumps(body["query"]).encode("UTF-8"), sig_path)
                logger.info(
                    "User {userfp} revoking certificate with query {query}".
                    format(userfp=fingerprint,
                           query=json.dumps(body["query"])))
                os.remove(sig_path)
            except (
                    CertProcessorInvalidSignatureError,
                    CertProcessorUntrustedSignatureError,
            ):
                os.remove(sig_path)
                return error_response("Unauthorized", 403)

        certs = self.cert_processor.storage.get_cert(**body["query"])
        if certs is None:
            return error_response("No Cert to revoke")
        for cert in certs:
            cert = x509.load_pem_x509_certificate(str(cert).encode("UTF-8"),
                                                  backend=default_backend())
            self.cert_processor.revoke_cert(cert.serial_number)
        return json.dumps({"msg": "success"}), 200