Check if challenges are already validated, and skip them if possible

Mathias Petermann 2020-11-10 16:47:56 +01:00
parent 960b8e78e3
commit 6ffe7bc526
1 changed files with 19 additions and 12 deletions


@ -12,6 +12,7 @@ import json
import OpenSSL import OpenSSL
from acme import challenges from acme import challenges
from acme.messages import STATUS_VALID
from flask import current_app from flask import current_app
from lemur.authorizations import service as authorization_service from lemur.authorizations import service as authorization_service
@ -81,17 +82,23 @@ class AcmeHttpChallenge(AcmeChallenge):
orderr = acme_client.new_order(csr) orderr = acme_client.new_order(csr)
chall = [] chall = []
validations = {}
all_pre_validated = True
for authz in orderr.authorizations: for authz in orderr.authorizations:
# Choosing challenge. # Choosing challenge.
# authz.body.challenges is a set of ChallengeBody objects. # authz.body.challenges is a set of ChallengeBody objects.
for i in authz.body.challenges: for i in authz.body.challenges:
# Find the supported challenge. # Find the supported challenge.
if i.status != STATUS_VALID:
if isinstance(i.chall, challenges.HTTP01): if isinstance(i.chall, challenges.HTTP01):
chall.append(i) chall.append(i)
all_pre_validated = False
if len(chall) == 0:
raise Exception('HTTP-01 challenge was not offered by the CA server.')
else: else:
current_app.logger.info("{} already validated, skipping".format(authz.body.identifier.value))
if len(chall) == 0 and not all_pre_validated:
raise Exception('HTTP-01 challenge was not offered by the CA server.')
elif not all_pre_validated:
validation_target = None validation_target = None
for option in json.loads(issuer_options["authority"].options): for option in json.loads(issuer_options["authority"].options):
if option["name"] == "tokenDestination": if option["name"] == "tokenDestination":
@ -100,7 +107,6 @@ class AcmeHttpChallenge(AcmeChallenge):
if validation_target is None: if validation_target is None:
raise Exception('No token_destination configured for this authority. Cant complete HTTP-01 challenge') raise Exception('No token_destination configured for this authority. Cant complete HTTP-01 challenge')
validations = {}
for challenge in chall: for challenge in chall:
response, validation = self.deploy(challenge, acme_client, validation_target) response, validation = self.deploy(challenge, acme_client, validation_target)
validations[challenge.chall.path] = validation validations[challenge.chall.path] = validation
@ -124,6 +130,7 @@ class AcmeHttpChallenge(AcmeChallenge):
else: else:
pem_certificate_chain = finalized_orderr.fullchain_pem[len(pem_certificate):].lstrip() pem_certificate_chain = finalized_orderr.fullchain_pem[len(pem_certificate):].lstrip()
if len(validations) != 0:
for token_path, token in validations.items(): for token_path, token in validations.items():
self.cleanup(token_path, token, validation_target) self.cleanup(token_path, token, validation_target)
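Review bot: The skip decision at `if i.status != STATUS_VALID:` is taken per challenge rather than per authorization, so a pending authorization that offers no HTTP-01 challenge leaves `chall` empty and `all_pre_validated` True, and `if len(chall) == 0 and not all_pre_validated:` then lets the order proceed to finalize with an unsatisfied authorization instead of raising the 'not offered' error. Conversely, an authorization that is already valid through a different challenge type may still list a pending http-01 entry, which this loop would deploy and answer again. I would key the check on `authz.body.status` (python-acme's Authorization body carries a status field — confirm for the pinned version), clear the flag for every non-valid authorization, and verify that HTTP-01 is offered per authorization rather than once across the whole order. The enclosing method starts before this hunk and continues past it.
```python
for authz in orderr.authorizations:
    # Reuse only authorizations the CA already marks valid; a per-challenge
    # status check would accept a pending authz that offers no HTTP-01.
    if authz.body.status == STATUS_VALID:
        current_app.logger.info("{} already validated, skipping".format(authz.body.identifier.value))
        continue
    all_pre_validated = False
    http01 = [i for i in authz.body.challenges if isinstance(i.chall, challenges.HTTP01)]
    if not http01:
        raise Exception('HTTP-01 challenge was not offered by the CA server.')
    chall.extend(http01)
if not all_pre_validated:
    validation_target = None
    # … unchanged: tokenDestination lookup and challenge deployment …
```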