app: Add support for multiple CRLs.

See merge request nexedi/kedifa!10

app: Add support for multiple CRLs.
See merge request nexedi/kedifa!10
3fccc2ec · Łukasz Nowak · 1e38bcb3 · 2a434732 · 3fccc2ec
Commit 3fccc2ec authored Mar 04, 2021 by Łukasz Nowak
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 11 deletions

kedifa/app.py kedifa/app.py +8 -11

No files found.
--- a/kedifa/app.py
+++ b/kedifa/app.py
@@ -302,13 +302,14 @@ class Kedifa(object):
  GET (no auth required) one time access URL which returns auth key
  content-type: text/plain
 """
-  def loadCertificate(self, ca_certificate, crl):
+  def loadCertificate(self, ca_certificate_path, crl_path):
    self.ca_certificate_list = [
      caucase.utils.load_ca_certificate(x)
-      for x in caucase.utils.getCertList(ca_certificate.name)]
+      for x in caucase.utils.getCertList(ca_certificate_path)]

-    self.crl = caucase.utils.load_crl(
-      crl.read(), self.ca_certificate_list).public_bytes(encoding=Encoding.PEM)
+    self.crl_list = [
+      caucase.utils.load_crl(x, self.ca_certificate_list)
+      for x in caucase.utils.getCRLList(crl_path)]

  def __init__(self, pocket, ca_certificate, crl):
    self.pocket_db = SQLite3Storage(pocket)
@@ -348,10 +349,7 @@ class Kedifa(object):
      caucase.utils.load_certificate(
        environ.get('SSL_CLIENT_CERT', b''),
        trusted_cert_list=self.ca_certificate_list,
-        crl=caucase.utils.load_crl(
-          self.crl,
-          self.ca_certificate_list,
-        ),
+        crl_list=self.crl_list,
      )
    except (caucase.exceptions.CertificateVerificationError, ValueError):
      raise Unauthroized
@@ -506,8 +504,7 @@ class Reloader(object):
    self.app = app

  def handle(self, signum, frame):
-    with open(self.ca_certificate_path) as ca, open(self.crl_path) as crl:
-      self.app.loadCertificate(ca, crl)
+    self.app.loadCertificate(self.ca_certificate_path, self.crl_path)
    ssl_context = getSSLContext(
      self.server_key_path, self.ca_certificate_path, self.crl_path)
    ssl_socket = self.httpd.socket
@@ -574,7 +571,7 @@ def http(host, port, pocket, certificate, ca_certificate, crl, pidfile,
  pid = str(os.getpid())
  pidfile.write(pid)
  pidfile.close()
-  kedifa = Kedifa(pocket, ca_certificate, crl)
+  kedifa = Kedifa(pocket, ca_certificate.name, crl.name)
  if ':' in host:
    access_format = 'https://[%s]:%s/'
  else: