Merge pull request #3190 from charhate/cab_compliant
Use cab_compliant option instead of authority name list
commit
cb2f340277
|
@ -155,17 +155,12 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c
|
||||||
|
|
||||||
LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s=']
|
LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s=']
|
||||||
|
|
||||||
.. data:: PUBLIC_CA_AUTHORITY_NAMES
|
|
||||||
:noindex:
|
|
||||||
A list of public issuers which would be checked against to determine whether limit of max validity of 397 days
|
|
||||||
should be applied to the certificate. Configure public CA authority names in this list to enforce validity check.
|
|
||||||
This is an optional setting. Using this will allow the sanity check as mentioned. The name check is a case-insensitive
|
|
||||||
string comparision.
|
|
||||||
|
|
||||||
.. data:: PUBLIC_CA_MAX_VALIDITY_DAYS
|
.. data:: PUBLIC_CA_MAX_VALIDITY_DAYS
|
||||||
:noindex:
|
:noindex:
|
||||||
Use this config to override the limit of 397 days of validity for certificates issued by public issuers configured
|
Use this config to override the limit of 397 days of validity for certificates issued by CA/Browser compliant authorities.
|
||||||
using PUBLIC_CA_AUTHORITY_NAMES. Below example overrides the default validity of 397 days and sets it to 365 days.
|
The authorities with cab_compliant option set to true will use this config. The example below overrides the default validity
|
||||||
|
of 397 days and sets it to 365 days.
|
||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
|
@ -175,8 +170,8 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c
|
||||||
.. data:: DEFAULT_VALIDITY_DAYS
|
.. data:: DEFAULT_VALIDITY_DAYS
|
||||||
:noindex:
|
:noindex:
|
||||||
Use this config to override the default validity of 365 days for certificates offered through Lemur UI. Any CA which
|
Use this config to override the default validity of 365 days for certificates offered through Lemur UI. Any CA which
|
||||||
is not listed in PUBLIC_CA_AUTHORITY_NAMES will be using this value as default validity to be displayed on UI. Please
|
is not CA/Browser Forum compliant will be using this value as default validity to be displayed on UI. Please
|
||||||
note that this config is used for cert issuance only through Lemur UI. Below example overrides the default validity
|
note that this config is used for cert issuance only through Lemur UI. The example below overrides the default validity
|
||||||
of 365 days and sets it to 1095 days (3 years).
|
of 365 days and sets it to 1095 days (3 years).
|
||||||
|
|
||||||
::
|
::
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
"""
|
"""
|
||||||
import json
|
import json
|
||||||
|
|
||||||
|
from flask import current_app
|
||||||
from sqlalchemy.orm import relationship
|
from sqlalchemy.orm import relationship
|
||||||
from sqlalchemy import (
|
from sqlalchemy import (
|
||||||
Column,
|
Column,
|
||||||
|
@ -98,5 +99,17 @@ class Authority(db.Model):
|
||||||
|
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
@property
|
||||||
|
def max_issuance_days(self):
|
||||||
|
if self.is_cab_compliant:
|
||||||
|
return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def default_validity_days(self):
|
||||||
|
if self.is_cab_compliant:
|
||||||
|
return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
|
||||||
|
|
||||||
|
return current_app.config.get("DEFAULT_VALIDITY_DAYS", 365) # 1 year default
|
||||||
|
|
||||||
def __repr__(self):
|
def __repr__(self):
|
||||||
return "Authority(name={name})".format(name=self.name)
|
return "Authority(name={name})".format(name=self.name)
|
||||||
|
|
|
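Review bot: `max_issuance_days` falls off the end of its `if` and returns `None` implicitly for authorities that are not CA/B compliant, while the sibling `default_validity_days` spells out its fallback; make the contract explicit with `return None  # no cap: callers fall back to the CA certificate's own expiry` and give both properties a docstring saying which config key they read and what the 397 default is. The more important point is that the validity cap now hinges on the per-authority `is_cab_compliant` flag (defined outside this hunk) instead of the operator-controlled `PUBLIC_CA_AUTHORITY_NAMES` list; if that flag is derived from authority options that are editable through the authority update API, anyone who can edit an authority can also switch the cap off, so the option needs the same access restriction the config list had. Nothing in this commit shows a server-side comparison of a requested validity against `max_issuance_days`, so if enforcement lives only in the UI datepicker bound, a direct API request can still exceed it — worth confirming. The `Authority` class starts outside the hunk.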
@ -111,8 +111,6 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema):
|
||||||
cn = fields.String()
|
cn = fields.String()
|
||||||
not_after = fields.DateTime()
|
not_after = fields.DateTime()
|
||||||
not_before = fields.DateTime()
|
not_before = fields.DateTime()
|
||||||
max_issuance_days = fields.Integer()
|
|
||||||
default_validity_days = fields.Integer()
|
|
||||||
owner = fields.Email()
|
owner = fields.Email()
|
||||||
status = fields.Boolean()
|
status = fields.Boolean()
|
||||||
user = fields.Nested(UserNestedOutputSchema)
|
user = fields.Nested(UserNestedOutputSchema)
|
||||||
|
@ -127,6 +125,8 @@ class AuthorityOutputSchema(LemurOutputSchema):
|
||||||
active = fields.Boolean()
|
active = fields.Boolean()
|
||||||
options = fields.Dict()
|
options = fields.Dict()
|
||||||
roles = fields.List(fields.Nested(AssociatedRoleSchema))
|
roles = fields.List(fields.Nested(AssociatedRoleSchema))
|
||||||
|
max_issuance_days = fields.Integer()
|
||||||
|
default_validity_days = fields.Integer()
|
||||||
authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema)
|
authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema)
|
||||||
|
|
||||||
|
|
||||||
|
@ -138,8 +138,10 @@ class AuthorityNestedOutputSchema(LemurOutputSchema):
|
||||||
owner = fields.Email()
|
owner = fields.Email()
|
||||||
plugin = fields.Nested(PluginOutputSchema)
|
plugin = fields.Nested(PluginOutputSchema)
|
||||||
active = fields.Boolean()
|
active = fields.Boolean()
|
||||||
authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_days", "default_validity_days"])
|
authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["not_after", "not_before"])
|
||||||
is_cab_compliant = fields.Boolean()
|
is_cab_compliant = fields.Boolean()
|
||||||
|
max_issuance_days = fields.Integer()
|
||||||
|
default_validity_days = fields.Integer()
|
||||||
|
|
||||||
|
|
||||||
authority_update_schema = AuthorityUpdateSchema()
|
authority_update_schema = AuthorityUpdateSchema()
|
||||||
|
|
|
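Review bot: Moving `max_issuance_days` and `default_validity_days` off `RootAuthorityCertificateOutputSchema` and onto `AuthorityOutputSchema`/`AuthorityNestedOutputSchema` changes the API response shape, and the only consumer updated in this commit is the bundled UI; any other client still reading `authorityCertificate.maxIssuanceDays` now silently gets nothing, and the docs hunk does not mention the move. Either keep the two fields on the nested certificate schema for a release or call the change out in the changelog. Also, `max_issuance_days` serialises as `null` for non-CA/B authorities, so consumers must treat `null` as "no cap" rather than zero; a one-line comment on the field, `# null when the authority is not CA/B compliant (no cap)`, would document that.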
@ -317,20 +317,6 @@ class Certificate(db.Model):
|
||||||
def validity_range(self):
|
def validity_range(self):
|
||||||
return self.not_after - self.not_before
|
return self.not_after - self.not_before
|
||||||
|
|
||||||
@property
|
|
||||||
def max_issuance_days(self):
|
|
||||||
public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", [])
|
|
||||||
if self.name.lower() in [ca.lower() for ca in public_CA]:
|
|
||||||
return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
|
|
||||||
|
|
||||||
@property
|
|
||||||
def default_validity_days(self):
|
|
||||||
public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", [])
|
|
||||||
if self.name.lower() in [ca.lower() for ca in public_CA]:
|
|
||||||
return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
|
|
||||||
|
|
||||||
return current_app.config.get("DEFAULT_VALIDITY_DAYS", 365) # 1 year default
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def subject(self):
|
def subject(self):
|
||||||
return self.parsed_cert.subject
|
return self.parsed_cert.subject
|
||||||
|
|
|
@ -190,7 +190,7 @@ angular.module('lemur')
|
||||||
function populateValidityDateAsPerDefault(certificate) {
|
function populateValidityDateAsPerDefault(certificate) {
|
||||||
// calculate start and end date as per default validity
|
// calculate start and end date as per default validity
|
||||||
let startDate = new Date(), endDate = new Date();
|
let startDate = new Date(), endDate = new Date();
|
||||||
endDate.setDate(startDate.getDate() + certificate.authority.authorityCertificate.defaultValidityDays);
|
endDate.setDate(startDate.getDate() + certificate.authority.defaultValidityDays);
|
||||||
certificate.validityStart = startDate;
|
certificate.validityStart = startDate;
|
||||||
certificate.validityEnd = endDate;
|
certificate.validityEnd = endDate;
|
||||||
}
|
}
|
||||||
|
@ -359,7 +359,7 @@ angular.module('lemur')
|
||||||
function populateValidityDateAsPerDefault(certificate) {
|
function populateValidityDateAsPerDefault(certificate) {
|
||||||
// calculate start and end date as per default validity
|
// calculate start and end date as per default validity
|
||||||
let startDate = new Date(), endDate = new Date();
|
let startDate = new Date(), endDate = new Date();
|
||||||
endDate.setDate(startDate.getDate() + certificate.authority.authorityCertificate.defaultValidityDays);
|
endDate.setDate(startDate.getDate() + certificate.authority.defaultValidityDays);
|
||||||
certificate.validityStart = startDate;
|
certificate.validityStart = startDate;
|
||||||
certificate.validityEnd = endDate;
|
certificate.validityEnd = endDate;
|
||||||
}
|
}
|
||||||
|
|
|
@ -139,7 +139,7 @@
|
||||||
<div class="col-sm-4">
|
<div class="col-sm-4">
|
||||||
<div class="btn-group btn-group-toggle" data-toggle="buttons">
|
<div class="btn-group btn-group-toggle" data-toggle="buttons">
|
||||||
<label class="btn btn-info" ng-model="certificate.validityType" uib-btn-radio="'defaultDays'" ng-click="clearDates()">
|
<label class="btn btn-info" ng-model="certificate.validityType" uib-btn-radio="'defaultDays'" ng-click="clearDates()">
|
||||||
Default ({{certificate.authority.authorityCertificate.defaultValidityDays}} days)</label>
|
Default ({{certificate.authority.defaultValidityDays}} days)</label>
|
||||||
<label class="btn btn-info" ng-model="certificate.validityType" uib-btn-radio="'customDates'" ng-change="clearDates()">Custom</label>
|
<label class="btn btn-info" ng-model="certificate.validityType" uib-btn-radio="'customDates'" ng-change="clearDates()">Custom</label>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
@ -172,12 +172,12 @@ angular.module('lemur')
|
||||||
// Minimum end date will be same as selected start date
|
// Minimum end date will be same as selected start date
|
||||||
this.authority.authorityCertificate.minValidityEnd = value;
|
this.authority.authorityCertificate.minValidityEnd = value;
|
||||||
|
|
||||||
if(!this.authority.authorityCertificate || !this.authority.authorityCertificate.maxIssuanceDays) {
|
if(!this.authority.maxIssuanceDays) {
|
||||||
this.authority.authorityCertificate.maxValidityEnd = this.authority.authorityCertificate.notAfter;
|
this.authority.authorityCertificate.maxValidityEnd = this.authority.authorityCertificate.notAfter;
|
||||||
} else {
|
} else {
|
||||||
// Move max end date by maxIssuanceDays
|
// Move max end date by maxIssuanceDays
|
||||||
let endDate = new Date(value);
|
let endDate = new Date(value);
|
||||||
endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays);
|
endDate.setDate(endDate.getDate() + this.authority.maxIssuanceDays);
|
||||||
this.authority.authorityCertificate.maxValidityEnd = endDate;
|
this.authority.authorityCertificate.maxValidityEnd = endDate;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
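Review bot: The simplified condition `if(!this.authority.maxIssuanceDays)` relies on the backend emitting `null` for authorities without a cap, and the fallback to `notAfter` is not explained; add `// maxIssuanceDays is null for authorities that are not CA/B compliant: cap at the CA certificate's own expiry` above the `if`. Dropping the `authorityCertificate` existence guard changes nothing in practice, since the hunk's first statement already dereferences `this.authority.authorityCertificate` unconditionally. This bound only restricts the datepicker and is not a substitute for a server-side check of the requested validity. The enclosing function starts and ends outside the hunk.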
@ -152,12 +152,12 @@ angular.module('lemur')
|
||||||
// Minimum end date will be same as selected start date
|
// Minimum end date will be same as selected start date
|
||||||
this.authority.authorityCertificate.minValidityEnd = value;
|
this.authority.authorityCertificate.minValidityEnd = value;
|
||||||
|
|
||||||
if(!this.authority.authorityCertificate || !this.authority.authorityCertificate.maxIssuanceDays) {
|
if(!this.authority.maxIssuanceDays) {
|
||||||
this.authority.authorityCertificate.maxValidityEnd = this.authority.authorityCertificate.notAfter;
|
this.authority.authorityCertificate.maxValidityEnd = this.authority.authorityCertificate.notAfter;
|
||||||
} else {
|
} else {
|
||||||
// Move max end date by maxIssuanceDays
|
// Move max end date by maxIssuanceDays
|
||||||
let endDate = new Date(value);
|
let endDate = new Date(value);
|
||||||
endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays);
|
endDate.setDate(endDate.getDate() + this.authority.maxIssuanceDays);
|
||||||
this.authority.authorityCertificate.maxValidityEnd = endDate;
|
this.authority.authorityCertificate.maxValidityEnd = endDate;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
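Review bot: Same fallback as in the sibling controller: `if(!this.authority.maxIssuanceDays)` treats a `null` cap as "use the CA certificate's expiry", which deserves a comment such as `// null maxIssuanceDays means no CA/B cap; bound by the CA certificate's notAfter`. The removed `authorityCertificate` guard was not protecting the dereference on the hunk's first line anyway. Since this only bounds the datepicker, the server must still validate the requested validity range. The enclosing function starts and ends outside the hunk.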