Disallow issuing certificates from inactive authority (#936)

Marti Raudsepp 2017-09-26 01:34:49 +03:00 committed by kevgliss
parent 645641f4bd
commit 54ff4cddbf
4 changed files with 27 additions and 8 deletions


@ -84,6 +84,11 @@ class CertificateInputSchema(CertificateCreationSchema):
extensions = fields.Nested(ExtensionSchema) extensions = fields.Nested(ExtensionSchema)
@validates_schema
def validate_authority(self, data):
if not data['authority'].active:
raise ValidationError("The authority is inactive.", ['authority'])
@validates_schema @validates_schema
def validate_dates(self, data): def validate_dates(self, data):
validators.dates(data) validators.dates(data)
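Review bot: `validate_authority` indexes `data['authority']` directly, so a request whose authority is missing or failed to deserialize may raise `KeyError` instead of returning a validation error. That assumes schema-level validators still run after field errors, which is the marshmallow 2 default and matches the `data, errors = ...load()` style used in the test; please confirm. A guard such as `authority = data.get('authority')` followed by `if authority is not None and not authority.active:` keeps the failure inside the normal error dictionary. The check lives only on `CertificateInputSchema`, so any issuance path that does not load this schema (none is visible on this page) would still need its own active-authority check.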


@ -107,13 +107,7 @@ angular.module('lemur')
AuthorityService.findActiveAuthorityByName = function (filterValue) { AuthorityService.findActiveAuthorityByName = function (filterValue) {
return AuthorityApi.getList({'filter[name]': filterValue}) return AuthorityApi.getList({'filter[name]': filterValue})
.then(function (authorities) { .then(function (authorities) {
var activeAuthorities = []; return authorities.filter(function(authority) { return authority.active; });
_.each(authorities, function (authority) {
if (authority.active) {
activeAuthorities.push(authority);
}
});
return activeAuthorities;
}); });
}; };
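Review bot: The `.filter` call in `findActiveAuthorityByName` should carry a comment saying it is a display filter and not the access control, for example `// UI convenience only: inactive authorities are rejected server-side by CertificateInputSchema`. The filtering runs in the browser on whatever the API returns, so the server-side validator added in this commit is the actual enforcement point. Without the comment a later maintainer could mistake this list for the control.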


@ -95,7 +95,7 @@ angular.module('lemur')
}; };
$scope.getAuthoritiesByName = function (value) { $scope.getAuthoritiesByName = function (value) {
return AuthorityService.findAuthorityByName(value).then(function (authorities) { return AuthorityService.findActiveAuthorityByName(value).then(function (authorities) {
$scope.authorities = authorities; $scope.authorities = authorities;
}); });
}; };


@ -286,6 +286,26 @@ def test_certificate_allowed_names(client, authority, session, logged_in_user):
assert not errors assert not errors
def test_certificate_incative_authority(client, authority, session, logged_in_user):
"""Cannot issue certificates with an inactive authority."""
from lemur.certificates.schemas import CertificateInputSchema
authority.active = False
session.add(authority)
input_data = {
'commonName': 'foo.example.com',
'owner': 'jim@example.com',
'authority': {'id': authority.id},
'description': 'testtestest',
'validityStart': '2020-01-01T00:00:00',
'validityEnd': '2020-01-01T00:00:01',
}
data, errors = CertificateInputSchema().load(input_data)
assert errors['authority'][0] == "The authority is inactive."
def test_certificate_disallowed_names(client, authority, session, logged_in_user): def test_certificate_disallowed_names(client, authority, session, logged_in_user):
"""The CN and SAN are disallowed by LEMUR_WHITELISTED_DOMAINS.""" """The CN and SAN are disallowed by LEMUR_WHITELISTED_DOMAINS."""
from lemur.certificates.schemas import CertificateInputSchema from lemur.certificates.schemas import CertificateInputSchema
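Review bot: The new test name is misspelled, `test_certificate_incative_authority`; rename it to `test_certificate_inactive_authority` so it can be found by searching or by `-k inactive`. The test also sets `authority.active = False` on the shared `authority` fixture and never restores it. The fixture's scope is not visible here, so if it outlives a single test, later tests would see an inactive authority; resetting the flag at the end or using a dedicated inactive-authority fixture avoids that. A companion case for a request with a missing or unknown authority id would pin how `validate_authority` behaves when `data` has no `authority` key.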