Disallow issuing certificates from inactive authority (#936)

lemur/tests/test_certificates.py

@@ -286,6 +286,26 @@ def test_certificate_allowed_names(client, authority, session, logged_in_user):
     assert not errors
 
 
+def test_certificate_incative_authority(client, authority, session, logged_in_user):
+    """Cannot issue certificates with an inactive authority."""
+    from lemur.certificates.schemas import CertificateInputSchema
+
+    authority.active = False
+    session.add(authority)
+
+    input_data = {
+        'commonName': 'foo.example.com',
+        'owner': 'jim@example.com',
+        'authority': {'id': authority.id},
+        'description': 'testtestest',
+        'validityStart': '2020-01-01T00:00:00',
+        'validityEnd': '2020-01-01T00:00:01',
+    }
+
+    data, errors = CertificateInputSchema().load(input_data)
+    assert errors['authority'][0] == "The authority is inactive."
+
+
 def test_certificate_disallowed_names(client, authority, session, logged_in_user):
     """The CN and SAN are disallowed by LEMUR_WHITELISTED_DOMAINS."""
     from lemur.certificates.schemas import CertificateInputSchema