Use cab_compliant option instead of authority name list
This commit is contained in:
parent
f38380d156
commit
9dc476f393
@ -155,17 +155,12 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c
|
||||
|
||||
LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s=']
|
||||
|
||||
.. data:: PUBLIC_CA_AUTHORITY_NAMES
|
||||
:noindex:
|
||||
A list of public issuers which would be checked against to determine whether limit of max validity of 397 days
|
||||
should be applied to the certificate. Configure public CA authority names in this list to enforce validity check.
|
||||
This is an optional setting. Using this will allow the sanity check as mentioned. The name check is a case-insensitive
|
||||
string comparision.
|
||||
|
||||
.. data:: PUBLIC_CA_MAX_VALIDITY_DAYS
|
||||
:noindex:
|
||||
Use this config to override the limit of 397 days of validity for certificates issued by public issuers configured
|
||||
using PUBLIC_CA_AUTHORITY_NAMES. Below example overrides the default validity of 397 days and sets it to 365 days.
|
||||
Use this config to override the limit of 397 days of validity for certificates issued by CA/Browser compliant authorities.
|
||||
The authorities with cab_compliant option set to true will use this config. Below example overrides the default validity
|
||||
of 397 days and sets it to 365 days.
|
||||
|
||||
::
|
||||
|
||||
@ -175,7 +170,7 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c
|
||||
.. data:: DEFAULT_VALIDITY_DAYS
|
||||
:noindex:
|
||||
Use this config to override the default validity of 365 days for certificates offered through Lemur UI. Any CA which
|
||||
is not listed in PUBLIC_CA_AUTHORITY_NAMES will be using this value as default validity to be displayed on UI. Please
|
||||
is not CA/Browser Forum compliant will be using this value as default validity to be displayed on UI. Please
|
||||
note that this config is used for cert issuance only through Lemur UI. Below example overrides the default validity
|
||||
of 365 days and sets it to 1095 days (3 years).
|
||||
|
||||
|
@ -8,6 +8,7 @@
|
||||
"""
|
||||
import json
|
||||
|
||||
from flask import current_app
|
||||
from sqlalchemy.orm import relationship
|
||||
from sqlalchemy import (
|
||||
Column,
|
||||
@ -98,5 +99,17 @@ class Authority(db.Model):
|
||||
|
||||
return None
|
||||
|
||||
@property
|
||||
def max_issuance_days(self):
|
||||
if self.is_cab_compliant:
|
||||
return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
|
||||
|
||||
@property
|
||||
def default_validity_days(self):
|
||||
if self.is_cab_compliant:
|
||||
return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
|
||||
|
||||
return current_app.config.get("DEFAULT_VALIDITY_DAYS", 365) # 1 year default
|
||||
|
||||
def __repr__(self):
|
||||
return "Authority(name={name})".format(name=self.name)
|
||||
|
@ -111,8 +111,6 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema):
|
||||
cn = fields.String()
|
||||
not_after = fields.DateTime()
|
||||
not_before = fields.DateTime()
|
||||
max_issuance_days = fields.Integer()
|
||||
default_validity_days = fields.Integer()
|
||||
owner = fields.Email()
|
||||
status = fields.Boolean()
|
||||
user = fields.Nested(UserNestedOutputSchema)
|
||||
@ -127,6 +125,8 @@ class AuthorityOutputSchema(LemurOutputSchema):
|
||||
active = fields.Boolean()
|
||||
options = fields.Dict()
|
||||
roles = fields.List(fields.Nested(AssociatedRoleSchema))
|
||||
max_issuance_days = fields.Integer()
|
||||
default_validity_days = fields.Integer()
|
||||
authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema)
|
||||
|
||||
|
||||
@ -138,8 +138,10 @@ class AuthorityNestedOutputSchema(LemurOutputSchema):
|
||||
owner = fields.Email()
|
||||
plugin = fields.Nested(PluginOutputSchema)
|
||||
active = fields.Boolean()
|
||||
authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_days", "default_validity_days"])
|
||||
authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["not_after", "not_before"])
|
||||
is_cab_compliant = fields.Boolean()
|
||||
max_issuance_days = fields.Integer()
|
||||
default_validity_days = fields.Integer()
|
||||
|
||||
|
||||
authority_update_schema = AuthorityUpdateSchema()
|
||||
|
@ -317,20 +317,6 @@ class Certificate(db.Model):
|
||||
def validity_range(self):
|
||||
return self.not_after - self.not_before
|
||||
|
||||
@property
|
||||
def max_issuance_days(self):
|
||||
public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", [])
|
||||
if self.name.lower() in [ca.lower() for ca in public_CA]:
|
||||
return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
|
||||
|
||||
@property
|
||||
def default_validity_days(self):
|
||||
public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", [])
|
||||
if self.name.lower() in [ca.lower() for ca in public_CA]:
|
||||
return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
|
||||
|
||||
return current_app.config.get("DEFAULT_VALIDITY_DAYS", 365) # 1 year default
|
||||
|
||||
@property
|
||||
def subject(self):
|
||||
return self.parsed_cert.subject
|
||||
|
@ -190,7 +190,7 @@ angular.module('lemur')
|
||||
function populateValidityDateAsPerDefault(certificate) {
|
||||
// calculate start and end date as per default validity
|
||||
let startDate = new Date(), endDate = new Date();
|
||||
endDate.setDate(startDate.getDate() + certificate.authority.authorityCertificate.defaultValidityDays);
|
||||
endDate.setDate(startDate.getDate() + certificate.authority.defaultValidityDays);
|
||||
certificate.validityStart = startDate;
|
||||
certificate.validityEnd = endDate;
|
||||
}
|
||||
@ -359,7 +359,7 @@ angular.module('lemur')
|
||||
function populateValidityDateAsPerDefault(certificate) {
|
||||
// calculate start and end date as per default validity
|
||||
let startDate = new Date(), endDate = new Date();
|
||||
endDate.setDate(startDate.getDate() + certificate.authority.authorityCertificate.defaultValidityDays);
|
||||
endDate.setDate(startDate.getDate() + certificate.authority.defaultValidityDays);
|
||||
certificate.validityStart = startDate;
|
||||
certificate.validityEnd = endDate;
|
||||
}
|
||||
|
@ -139,7 +139,7 @@
|
||||
<div class="col-sm-4">
|
||||
<div class="btn-group btn-group-toggle" data-toggle="buttons">
|
||||
<label class="btn btn-info" ng-model="certificate.validityType" uib-btn-radio="'defaultDays'" ng-click="clearDates()">
|
||||
Default ({{certificate.authority.authorityCertificate.defaultValidityDays}} days)</label>
|
||||
Default ({{certificate.authority.defaultValidityDays}} days)</label>
|
||||
<label class="btn btn-info" ng-model="certificate.validityType" uib-btn-radio="'customDates'" ng-change="clearDates()">Custom</label>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -172,12 +172,12 @@ angular.module('lemur')
|
||||
// Minimum end date will be same as selected start date
|
||||
this.authority.authorityCertificate.minValidityEnd = value;
|
||||
|
||||
if(!this.authority.authorityCertificate || !this.authority.authorityCertificate.maxIssuanceDays) {
|
||||
if(!this.authority.maxIssuanceDays) {
|
||||
this.authority.authorityCertificate.maxValidityEnd = this.authority.authorityCertificate.notAfter;
|
||||
} else {
|
||||
// Move max end date by maxIssuanceDays
|
||||
let endDate = new Date(value);
|
||||
endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays);
|
||||
endDate.setDate(endDate.getDate() + this.authority.maxIssuanceDays);
|
||||
this.authority.authorityCertificate.maxValidityEnd = endDate;
|
||||
}
|
||||
}
|
||||
|
@ -152,12 +152,12 @@ angular.module('lemur')
|
||||
// Minimum end date will be same as selected start date
|
||||
this.authority.authorityCertificate.minValidityEnd = value;
|
||||
|
||||
if(!this.authority.authorityCertificate || !this.authority.authorityCertificate.maxIssuanceDays) {
|
||||
if(!this.authority.maxIssuanceDays) {
|
||||
this.authority.authorityCertificate.maxValidityEnd = this.authority.authorityCertificate.notAfter;
|
||||
} else {
|
||||
// Move max end date by maxIssuanceDays
|
||||
let endDate = new Date(value);
|
||||
endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays);
|
||||
endDate.setDate(endDate.getDate() + this.authority.maxIssuanceDays);
|
||||
this.authority.authorityCertificate.maxValidityEnd = endDate;
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user