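def upload(pending_certificate_id, **kwargs):
    """
    Upload a (signed) certificate for a pending certificate and resolve it.

    The allowed fields are validated by PendingCertificateUploadInputSchema.
    Before anything is persisted, the uploaded certificate is verified to
    chain up to the authority the pending certificate was requested from, so
    a certificate pasted against the wrong pending request (or the wrong CA)
    is rejected rather than stored.

    :param pending_certificate_id: id of the pending certificate being resolved
    :param kwargs: validated upload fields; ``body`` is the PEM certificate,
        ``chain`` an optional PEM chain of intermediates (absent or empty when
        the leaf is signed directly by the authority)
    :return: the pending certificate as returned by the final ``update`` call,
        marked resolved and linked to the newly created certificate
    :raises: whatever ``validators.verify_cert_chain`` raises when the
        uploaded certificate does not chain to the authority certificate
    """
    pending_cert = get(pending_certificate_id)
    partial_cert = kwargs
    # ``chain`` is optional; .get() avoids a KeyError when the field is
    # omitted entirely instead of being sent as an empty string.
    uploaded_chain = partial_cert.get('chain')
    authority = authorities_service.get(pending_cert.authority.id)

    # Build the chain used for validation. The uploaded chain is untrusted
    # input, so the authority's own certificate is always appended as the
    # expected trust anchor: the check is against the CA we issued the
    # request for, not against whatever the uploader chose to include.
    if uploaded_chain:
        chain = uploaded_chain + '\n' + authority.authority_certificate.body
    else:
        chain = authority.authority_certificate.body

    parsed_chain = parse_cert_chain(chain)

    # Reject certificates that are not actually signed by (a path to) this
    # CA, to avoid an incorrect certificate being pasted. Whether the
    # validator also insists that the path terminates at the authority
    # certificate (rather than at some self-signed intermediate supplied in
    # the uploaded chain) depends on verify_cert_chain — TODO confirm.
    validators.verify_cert_chain(
        [parse_certificate(partial_cert['body'])] + parsed_chain
    )

    final_cert = create_certificate(pending_cert, partial_cert, pending_cert.user)

    # Mark the request resolved, then link it to the certificate just created;
    # the second update's return value is what callers get back.
    update(pending_cert.id, resolved=True)
    pending_cert_final_result = update(pending_cert.id, resolved_cert_id=final_cert.id)
    return pending_cert_final_result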
def get(self, authority_id):
    """
    Return a tree of the given authority and the certificates it has issued.

    The shape is the one consumed by the visualization endpoint: a root node
    named after the authority whose children are nodes named after each of
    its certificates, e.g.

        {"name": "TestAuthority", "children": [{"name": "cert-a"}, ...]}

    Only ``name`` keys are produced; no sizes or deeper nesting.

    :param authority_id: id of the authority to visualize
    :return: dict with ``name`` and ``children`` keys
    """
    authority = service.get(authority_id)

    children = []
    for cert in authority.certificates:
        children.append({"name": cert.name})

    return {"name": authority.name, "children": children}
def upload(pending_certificate_id, **kwargs):
    """
    Resolve a pending certificate with an uploaded (signed) certificate.

    The allowed fields are validated by PendingCertificateUploadInputSchema.
    The uploaded certificate is additionally checked to be signed by the
    authority the pending request belongs to before it is stored.

    :param pending_certificate_id: id of the pending certificate to resolve
    :param kwargs: validated upload fields (``body``, ``chain``, ...)
    :return: the pending certificate after it has been marked resolved and
        linked to the newly created certificate
    """
    pending_cert = get(pending_certificate_id)
    uploaded_chain = kwargs['chain']
    authority = authorities_service.get(pending_cert.authority.id)
    ca_body = authority.authority_certificate.body

    # The CA certificate is always the last element of the chain we verify
    # against; any uploaded (untrusted) intermediates go in front of it.
    pem_chain = ca_body
    if uploaded_chain:
        pem_chain = uploaded_chain + '\n' + ca_body

    parsed_chain = parse_cert_chain(pem_chain)

    # Make sure the certificate really chains to this CA, so a certificate
    # pasted for the wrong request is rejected instead of persisted.
    leaf = parse_certificate(kwargs['body'])
    validators.verify_cert_chain([leaf] + parsed_chain)

    final_cert = create_certificate(pending_cert, kwargs, pending_cert.user)

    update(pending_cert.id, resolved=True)
    return update(pending_cert.id, resolved_cert_id=final_cert.id)
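def get(self, authority_id):
    """
    .. http:get:: /authorities/1/visualize

       Authority visualization: the authority and the certificates it issued,
       as a two-level tree of ``name`` nodes.

       **Example request**:

       .. sourcecode:: http

          GET /authorities/1/visualize HTTP/1.1
          Host: example.com
          Accept: application/json, text/javascript

       **Example response**:

       .. sourcecode:: http

          HTTP/1.1 200 OK
          Vary: Accept
          Content-Type: text/javascript

          {
            "name": "TestAuthority",
            "children": [
              {"name": "cert-a.example.com"},
              {"name": "cert-b.example.com"}
            ]
          }

       :reqheader Authorization: OAuth token to authenticate
       :statuscode 200: no error
       :statuscode 403: unauthenticated

    :param authority_id: id of the authority to visualize
    :return: dict with the authority ``name`` and a ``children`` list holding
        one ``{"name": ...}`` node per certificate of the authority
    """
    # Doc fix: the example request previously pointed at
    # /certificates/1/visualize and the example response showed a generic
    # d3 "flare" sample with "size" fields that this code never produces.
    authority = service.get(authority_id)
    return dict(
        name=authority.name,
        children=[{"name": c.name} for c in authority.certificates],
    )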
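def get(self, authority_id):
    """
    .. http:get:: /authorities/1

       One authority

       **Example request**:

       .. sourcecode:: http

          GET /authorities/1 HTTP/1.1
          Host: example.com
          Accept: application/json, text/javascript

       **Example response**:

       .. sourcecode:: http

          HTTP/1.1 200 OK
          Vary: Accept
          Content-Type: text/javascript

          {
            "roles": [{
              "id": 123,
              "name": "*****@*****.**"
            }, {
              "id": 564,
              "name": "TestAuthority_admin"
            }, {
              "id": 565,
              "name": "TestAuthority_operator"
            }],
            "active": true,
            "owner": "*****@*****.**",
            "id": 43,
            "description": "This is the ROOT certificate for the TestAuthority certificate authority."
          }

       Response fields:

       :>json description: a sensible description of what the CA is used for
       :>json owner: the team or person who 'owns' this authority
       :>json active: whether this authority is currently in use
       :>json roles: the roles whose members may operate on this authority

       :reqheader Authorization: OAuth token to authenticate
       :statuscode 200: no error
       :statuscode 403: unauthenticated

    :param authority_id: id of the authority to fetch
    :return: the authority as returned by ``service.get`` (serialized by the
        framework); ``None`` when no such authority exists, which the caller's
        marshalling has to handle — TODO confirm
    """
    # Doc fix: the ``:reqheader`` / ``:statuscode`` entries were listed twice,
    # and the ``:arg`` entries described PUT body fields on a GET endpoint
    # that takes no body; they now document the response fields instead.
    return service.get(authority_id)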
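def get(self, authority_id):
    """
    Return the authority and its issued certificates as a tree for visualization.

    The tree has exactly two levels: a root node named after the authority
    and one child node per certificate, each carrying only a ``name``::

        {"name": "TestAuthority", "children": [
            {"name": "cert-a.example.com"},
            {"name": "cert-b.example.com"}
        ]}

    :param authority_id: id of the authority to visualize
    :return: dict with ``name`` and ``children`` keys
    """
    # Doc fix: the previous example was a d3 "flare" sample whose brackets did
    # not even balance and whose "size" fields this code never emits.
    authority = service.get(authority_id)
    return dict(
        name=authority.name,
        children=[{"name": c.name} for c in authority.certificates],
    )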
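def get(self, authority_id):
    """
    .. http:get:: /authorities/1

       One authority

       **Example request**:

       .. sourcecode:: http

          GET /authorities/1 HTTP/1.1
          Host: example.com
          Accept: application/json, text/javascript

       **Example response**:

       .. sourcecode:: http

          HTTP/1.1 200 OK
          Vary: Accept
          Content-Type: text/javascript

          {
            "id": 1,
            "name": "authority1",
            "description": "this is authority1",
            "pluginName": null,
            "chain": "-----Begin ...",
            "body": "-----Begin ...",
            "active": true,
            "notBefore": "2015-06-05T17:09:39",
            "notAfter": "2015-06-10T17:09:39",
            "options": null
          }

       :reqheader Authorization: OAuth token to authenticate
       :statuscode 200: no error
       :statuscode 403: unauthenticated

    :param authority_id: id of the authority to fetch
    :return: the authority as returned by ``service.get`` (serialized by the
        framework)
    """
    # Doc fix: the example JSON was missing the comma after "notAfter".
    return service.get(authority_id)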
def put(self, authority_id, data=None):
    """
    .. http:put:: /authorities/1

       Update an authority's owner, description, active flag and roles.

       **Example request**:

       .. sourcecode:: http

          PUT /authorities/1 HTTP/1.1
          Host: example.com
          Accept: application/json, text/javascript

          {
            "name": "TestAuthority5",
            "roles": [{
              "id": 566,
              "name": "TestAuthority5_admin"
            }, {
              "id": 567,
              "name": "TestAuthority5_operator"
            }, {
              "id": 123,
              "name": "*****@*****.**"
            }],
            "active": true,
            "owner": "*****@*****.**",
            "id": 44,
            "description": "This is the ROOT certificate for the TestAuthority5 certificate authority."
          }

       **Example response**:

       .. sourcecode:: http

          HTTP/1.1 200 OK
          Vary: Accept
          Content-Type: text/javascript

          {
            "name": "TestAuthority",
            "roles": [{
              "id": 123,
              "name": "*****@*****.**"
            }, {
              "id": 564,
              "name": "TestAuthority_admin"
            }, {
              "id": 565,
              "name": "TestAuthority_operator"
            }],
            "options": null,
            "active": true,
            "owner": "*****@*****.**",
            "id": 43,
            "description": "This is the ROOT certificate for the TestAuthority certificate authority."
          }

       :reqheader Authorization: OAuth token to authenticate
       :statuscode 200: no error
       :statuscode 403: unauthenticated

    :param authority_id: id of the authority to update
    :param data: validated request body; ``owner``, ``description``, ``active``
        and ``roles`` are read from it (it is assumed to be supplied by the
        framework — a ``None`` here would fail on the first lookup)
    :return: the updated authority, or a ``(message, status)`` pair
    """
    authority = service.get(authority_id)
    if not authority:
        return dict(message='Not Found'), 404

    # Any member of one of the authority's roles may update it.
    member_roles = [role.name for role in authority.roles]
    if not AuthorityPermission(authority_id, member_roles).can():
        return dict(message="You are not authorized to update this authority."), 403

    # NOTE(review): ``data['roles']`` is written back as-is. Nothing here
    # checks that a non-admin caller is a member of every role they attach,
    # so a member of one role can grant the authority to roles they do not
    # hold — a later version of this endpoint adds that membership check.
    return service.update(
        authority_id,
        owner=data['owner'],
        description=data['description'],
        active=data['active'],
        roles=data['roles'],
    )
def put(self, authority_id, data=None):
    """
    .. http:put:: /authorities/1

       Update an authority

       **Example request**:

       .. sourcecode:: http

          PUT /authorities/1 HTTP/1.1
          Host: example.com
          Accept: application/json, text/javascript

          {
            "name": "TestAuthority5",
            "roles": [{
              "id": 566,
              "name": "TestAuthority5_admin"
            }, {
              "id": 567,
              "name": "TestAuthority5_operator"
            }, {
              "id": 123,
              "name": "*****@*****.**"
            }],
            "active": true,
            "owner": "*****@*****.**",
            "id": 44,
            "description": "This is the ROOT certificate for the TestAuthority5 certificate authority."
          }

       **Example response**:

       .. sourcecode:: http

          HTTP/1.1 200 OK
          Vary: Accept
          Content-Type: text/javascript

          {
            "name": "TestAuthority",
            "roles": [{
              "id": 123,
              "name": "*****@*****.**"
            }, {
              "id": 564,
              "name": "TestAuthority_admin"
            }, {
              "id": 565,
              "name": "TestAuthority_operator"
            }],
            "options": null,
            "active": true,
            "owner": "*****@*****.**",
            "id": 43,
            "description": "This is the ROOT certificate for the TestAuthority certificate authority."
          }

       :reqheader Authorization: OAuth token to authenticate
       :statuscode 200: no error
       :statuscode 403: unauthenticated

    :param authority_id: id of the authority to update
    :param data: validated request body holding ``owner``, ``description``,
        ``active`` and ``roles``
    :return: the updated authority on success; ``(message, 404)`` for an
        unknown id; ``(message, 403)`` when the caller is not a member of any
        of the authority's roles
    """
    authority = service.get(authority_id)
    if not authority:
        return dict(message='Not Found'), 404

    # Membership in any of the authority's roles grants update rights.
    permission = AuthorityPermission(
        authority_id, [r.name for r in authority.roles]
    )

    if permission.can():
        # NOTE(review): the submitted role list is stored without checking
        # that a non-admin caller belongs to each of those roles; see the
        # later revision of this endpoint for the membership check.
        fields = dict(
            owner=data['owner'],
            description=data['description'],
            active=data['active'],
            roles=data['roles'],
        )
        return service.update(authority_id, **fields)

    return dict(message="You are not authorized to update this authority."), 403
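def put(self, authority_id, data=None):
    """
    .. http:put:: /authorities/1

       Update an authority

       **Example request**:

       .. sourcecode:: http

          PUT /authorities/1 HTTP/1.1
          Host: example.com
          Accept: application/json, text/javascript

          {
            "roles": [],
            "active": false,
            "owner": "*****@*****.**",
            "description": "this is authority1"
          }

       **Example response**:

       .. sourcecode:: http

          HTTP/1.1 200 OK
          Vary: Accept
          Content-Type: text/javascript

          {
            "id": 1,
            "name": "authority1",
            "description": "this is authority1",
            "pluginName": null,
            "chain": "-----begin ...",
            "body": "-----begin ...",
            "active": false,
            "notBefore": "2015-06-05t17:09:39",
            "notAfter": "2015-06-10t17:09:39",
            "options": null
          }

       :reqheader Authorization: OAuth token to authenticate
       :statuscode 200: no error
       :statuscode 400: a non-admin tried to attach a role they are not a member of
       :statuscode 403: unauthenticated / not permitted to update this authority
       :statuscode 404: no such authority

    :param authority_id: id of the authority to update
    :param data: validated request body; ``owner``, ``description``, ``active``
        and ``roles`` are read from it (``roles`` entries expose ``.id``)
    :return: the updated authority on success, otherwise a ``(message, status)``
        pair
    """
    authority = service.get(authority_id)
    if not authority:
        return dict(message='Not Found'), 404

    # Members of any of the authority's roles may update it. The permission is
    # built from role *names*.
    roles = [x.name for x in authority.roles]

    # Members of the owner role (the team DL) are allowed too. Previously the
    # role object itself was appended to a list of names, so the owner entry
    # could never match a name-based need; append the name instead, and skip
    # the entry when no such role exists. (Assumes get_by_name returns a role
    # with ``.name`` or ``None`` for an unknown name — TODO confirm.)
    owner_role = role_service.get_by_name(authority.owner)
    if owner_role:
        roles.append(owner_role.name)

    permission = AuthorityPermission(authority_id, roles)

    # Privilege-escalation guard: a non-admin must not attach roles they are
    # not a member of (e.g. granting an admin role to an authority they can
    # edit). Admins are exempt.
    if not g.current_user.is_admin:
        role_ids = {r.id for r in data['roles']}
        user_role_ids = {r.id for r in g.current_user.roles}
        if not role_ids.issubset(user_role_ids):
            return dict(message="You are not allowed to associate a role which you are not a member of"), 400

    if permission.can():
        return service.update(
            authority_id,
            owner=data['owner'],
            description=data['description'],
            active=data['active'],
            roles=data['roles'],
        )

    return dict(message="You are not authorized to update this authority"), 403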
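def put(self, authority_id):
    """
    .. http:put:: /authorities/1

       Update an authority

       **Example request**:

       .. sourcecode:: http

          PUT /authorities/1 HTTP/1.1
          Host: example.com
          Accept: application/json, text/javascript

          {
            "roles": [],
            "active": false,
            "owner": "*****@*****.**",
            "description": "this is authority1"
          }

       **Example response**:

       .. sourcecode:: http

          HTTP/1.1 200 OK
          Vary: Accept
          Content-Type: text/javascript

          {
            "id": 1,
            "name": "authority1",
            "description": "this is authority1",
            "pluginName": null,
            "chain": "-----begin ...",
            "body": "-----begin ...",
            "active": false,
            "notBefore": "2015-06-05t17:09:39",
            "notAfter": "2015-06-10t17:09:39",
            "options": null
          }

       :reqheader Authorization: OAuth token to authenticate
       :statuscode 200: no error
       :statuscode 400: a non-admin tried to attach a role they are not a member of
       :statuscode 403: unauthenticated / not permitted to update this authority
       :statuscode 404: no such authority

    :param authority_id: id of the authority to update
    :return: the updated authority on success, otherwise a ``(message, status)``
        pair. The body is read with ``self.reqparse``; ``roles`` entries are
        plain dicts exposing ``['id']``.
    """
    self.reqparse.add_argument('roles', type=list, default=[], location='json')
    # NOTE(review): 'active' is parsed as a plain string, so a JSON ``false``
    # arrives as a non-empty (truthy) string. If the model column is boolean
    # this cannot deactivate an authority — TODO confirm and use a boolean
    # parser if so.
    self.reqparse.add_argument('active', type=str, location='json', required=True)
    self.reqparse.add_argument('owner', type=str, location='json', required=True)
    self.reqparse.add_argument('description', type=str, location='json', required=True)
    args = self.reqparse.parse_args()

    authority = service.get(authority_id)
    # Unknown id: answer 404 instead of blowing up on ``authority.owner`` below.
    if not authority:
        return dict(message='Not Found'), 404

    # Members of any of the authority's roles may update it. The permission is
    # built from role *names*.
    roles = [x.name for x in authority.roles]

    # Members of the owner role (the team DL) are allowed too. Previously the
    # role object itself was appended to a list of names, so the owner entry
    # could never match a name-based need; append the name instead, and skip
    # the entry when no such role exists. (Assumes get_by_name returns a role
    # with ``.name`` or ``None`` for an unknown name — TODO confirm.)
    owner_role = role_service.get_by_name(authority.owner)
    if owner_role:
        roles.append(owner_role.name)

    permission = AuthorityPermission(authority_id, roles)

    # Privilege-escalation guard: a non-admin must not attach roles they are
    # not a member of (e.g. granting an admin role to an authority they can
    # edit). Admins are exempt.
    if not g.current_user.is_admin:
        role_ids = {r['id'] for r in args['roles']}
        user_role_ids = {r.id for r in g.current_user.roles}
        if not role_ids.issubset(user_role_ids):
            return dict(
                message="You are not allowed to associate a role which you are not a member of"
            ), 400

    if permission.can():
        return service.update(
            authority_id,
            owner=args['owner'],
            description=args['description'],
            active=args['active'],
            roles=args['roles'],
        )

    return dict(message="You are not authorized to update this authority"), 403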