CRL Reason for certificate revoke

2020-11-30 20:06:37 -08:00
parent 817abb2ca8
commit 7a1f13dcb5
17 changed files with 151 additions and 35 deletions
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
@ -623,7 +623,8 @@ def clear_pending():
@manager.option(
    "-p", "--path", dest="path", help="Absolute file path to a Lemur query csv."
 )
-@manager.option("-r", "--reason", dest="reason", help="Reason to revoke certificate.")
+@manager.option("-r", "--reason", dest="reason", default="unspecified", help="CRL Reason as per RFC 5280 section 5.3.1")
+@manager.option("-m", "--message", dest="message", help="Message explaining reason for revocation")
@manager.option(
    "-c",
    "--commit",
@ -632,7 +633,7 @@ def clear_pending():
    default=False,
    help="Persist changes.",
 )
-def revoke(path, reason, commit):
+def revoke(path, reason, message, commit):
    """
    Revokes given certificate.
    """
@ -640,9 +641,10 @@ def revoke(path, reason, commit):
        print("[!] Running in COMMIT mode.")

    print("[+] Starting certificate revocation.")
+    comments = {"comments": message, "crl_reason": reason}

    with open(path, "r") as f:
-        args = [[x, commit, reason] for x in f.readlines()[2:]]
+        args = [[x, commit, comments] for x in f.readlines()[2:]]

    with multiprocessing.Pool(processes=3) as pool:
        pool.starmap(worker, args)
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@ -16,7 +16,7 @@ from lemur.certificates import utils as cert_utils
 from lemur.common import missing, utils, validators
 from lemur.common.fields import ArrowDateTime, Hex
 from lemur.common.schema import LemurInputSchema, LemurOutputSchema
-from lemur.constants import CERTIFICATE_KEY_TYPES
+from lemur.constants import CERTIFICATE_KEY_TYPES, CRLReason
 from lemur.destinations.schemas import DestinationNestedOutputSchema
 from lemur.dns_providers.schemas import DnsProvidersNestedOutputSchema
 from lemur.domains.schemas import DomainNestedOutputSchema
@ -455,6 +455,7 @@ class CertificateNotificationOutputSchema(LemurOutputSchema):

 class CertificateRevokeSchema(LemurInputSchema):
    comments = fields.String()
+    crl_reason = fields.String(validate=validate.OneOf(CRLReason.__members__), missing="unspecified")


 certificates_list_request_parser = RequestParser()
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -828,6 +828,14 @@ def remove_from_destination(certificate, destination):
        plugin.clean(certificate=certificate, options=destination.options)


+def revoke(certificate, reason):
+    plugin = plugins.get(certificate.authority.plugin_name)
+    plugin.revoke_certificate(certificate, reason)
+
+    # Perform cleanup after revoke
+    return cleanup_after_revoke(certificate)
+
+
 def cleanup_after_revoke(certificate):
    """
    Perform the needed cleanup for a revoked certificate. This includes -
--- a/lemur/certificates/views.py
+++ b/lemur/certificates/views.py
@ -20,7 +20,6 @@ from lemur.auth.permissions import AuthorityPermission, CertificatePermission
 from lemur.certificates import service
 from lemur.certificates.models import Certificate
 from lemur.extensions import sentry
-from lemur.plugins.base import plugins
 from lemur.certificates.schemas import (
    certificate_input_schema,
    certificate_output_schema,
@ -29,6 +28,7 @@ from lemur.certificates.schemas import (
    certificate_export_input_schema,
    certificate_edit_input_schema,
    certificates_list_output_schema_factory,
+    certificate_revoke_schema,
 )

 from lemur.roles import service as role_service
@ -1398,7 +1398,7 @@ class CertificateRevoke(AuthenticatedResource):
        self.reqparse = reqparse.RequestParser()
        super(CertificateRevoke, self).__init__()

-    @validate_schema(None, None)
+    @validate_schema(certificate_revoke_schema, None)
    def put(self, certificate_id, data=None):
        """
        .. http:put:: /certificates/1/revoke
@ -1459,13 +1459,9 @@ class CertificateRevoke(AuthenticatedResource):
                        403,
                    )

-        plugin = plugins.get(cert.authority.plugin_name)
-        plugin.revoke_certificate(cert, data)
-
+        error_message = service.revoke(cert, data)
        log_service.create(g.current_user, "revoke_cert", certificate=cert)

-        # Perform cleanup after revoke
-        error_message = service.cleanup_after_revoke(cert)
        if error_message:
            return dict(message=f"Certificate (id:{cert.id}) is revoked - {error_message}"), 400
        return dict(id=cert.id)