Merge branch 'master' into verify-cert-chain

2019-03-07 12:46:19 -08:00
parent 92b60b279a bd27932783
commit 93ce259fb2
7 changed files with 48 additions and 10 deletions
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -101,7 +101,7 @@ class Certificate(db.Model):
    issuer = Column(String(128))
    serial = Column(String(128))
    cn = Column(String(128))
-    deleted = Column(Boolean, index=True)
+    deleted = Column(Boolean, index=True, default=False)
    dns_provider_id = Column(Integer(), ForeignKey('dns_providers.id', ondelete='CASCADE'), nullable=True)

    not_before = Column(ArrowType)
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -381,6 +381,9 @@ def render(args):
        now = arrow.now().format('YYYY-MM-DD')
        query = query.filter(Certificate.not_after <= to).filter(Certificate.not_after >= now)

+    if current_app.config.get('ALLOW_CERT_DELETION', False):
+        query = query.filter(Certificate.deleted == False)  # noqa
+
    result = database.sort_and_page(query, Certificate, args)
    return result

--- a/lemur/certificates/views.py
+++ b/lemur/certificates/views.py
@ -6,10 +6,9 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
 import base64
-import arrow
 from builtins import str

-from flask import Blueprint, make_response, jsonify, g
+from flask import Blueprint, make_response, jsonify, g, current_app
 from flask_restful import reqparse, Api, inputs

 from lemur.common.schema import validate_schema
@ -678,19 +677,26 @@ class Certificates(AuthenticatedResource):

           .. sourcecode:: http

-              HTTP/1.1 200 OK
+              HTTP/1.1 204 OK

           :reqheader Authorization: OAuth token to authenticate
           :statuscode 204: no error
           :statuscode 403: unauthenticated
-           :statusoode 404: certificate not found
+           :statuscode 404: certificate not found
+           :statuscode 405: certificate deletion is disabled

        """
+        if not current_app.config.get('ALLOW_CERT_DELETION', False):
+            return dict(message="Certificate deletion is disabled"), 405
+
        cert = service.get(certificate_id)

        if not cert:
            return dict(message="Cannot find specified certificate"), 404

+        if cert.deleted:
+            return dict(message="Certificate is already deleted"), 412
+
        # allow creators
        if g.current_user != cert.user:
            owner_role = role_service.get_by_name(cert.owner)
@ -699,12 +705,9 @@ class Certificates(AuthenticatedResource):
            if not permission.can():
                return dict(message='You are not authorized to delete this certificate'), 403

-        if arrow.get(cert.not_after) > arrow.utcnow():
-            return dict(message='Certificate is still valid, only expired certificates can be deleted'), 412
-
        service.update(certificate_id, deleted=True)
        log_service.create(g.current_user, 'delete_cert', certificate=cert)
-        return '', 204
+        return 'Certificate deleted', 204


 class NotificationCertificatesList(AuthenticatedResource):