Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caucase
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Łukasz Nowak
caucase
Commits
5ddb439a
Commit
5ddb439a
authored
Oct 22, 2017
by
Vincent Pelletier
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
client: Name API after protocol documentation.
parent
4ebf6259
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
37 additions
and
37 deletions
+37
-37
caucase/cli.py
caucase/cli.py
+18
-18
caucase/client.py
caucase/client.py
+18
-18
caucase/test.py
caucase/test.py
+1
-1
No files found.
caucase/cli.py
View file @
5ddb439a
...
...
@@ -65,14 +65,14 @@ class CLICaucaseClient(object):
csr_pem
=
utils
.
getCertRequest
(
csr_path
)
# Quick sanity check
utils
.
load_certificate_request
(
csr_pem
)
print
self
.
_client
.
putCSR
(
csr_pem
),
csr_path
print
self
.
_client
.
createCertificateSigningRequest
(
csr_pem
),
csr_path
def
getCSR
(
self
,
csr_id_path_list
):
"""
--get-csr
"""
for
csr_id
,
csr_path
in
csr_id_path_list
:
csr_pem
=
self
.
_client
.
getC
SR
(
int
(
csr_id
))
csr_pem
=
self
.
_client
.
getC
ertificateSigningRequest
(
int
(
csr_id
))
with
open
(
csr_path
,
'a'
)
as
csr_file
:
csr_file
.
write
(
csr_pem
)
...
...
@@ -83,12 +83,12 @@ class CLICaucaseClient(object):
for
crt_id
,
crt_path
in
crt_id_path_list
:
crt_id
=
int
(
crt_id
)
try
:
crt_pem
=
self
.
_client
.
getC
RT
(
crt_id
)
crt_pem
=
self
.
_client
.
getC
ertificate
(
crt_id
)
except
CaucaseError
,
e
:
if
e
.
args
[
0
]
!=
httplib
.
NOT_FOUND
:
raise
try
:
self
.
_client
.
getC
SR
(
crt_id
)
self
.
_client
.
getC
ertificateSigningRequest
(
crt_id
)
except
CaucaseError
,
e
:
if
e
.
args
[
0
]
!=
httplib
.
NOT_FOUND
:
raise
...
...
@@ -145,7 +145,7 @@ class CLICaucaseClient(object):
)
error
=
True
continue
self
.
_client
.
revokeC
RT
(
crt
,
key
)
self
.
_client
.
revokeC
ertificate
(
crt
,
key
)
return
error
def
renewCRT
(
...
...
@@ -184,7 +184,7 @@ class CLICaucaseClient(object):
if
renewal_deadline
<
old_crt
.
not_valid_after
:
print
crt_path
,
'did not reach renew threshold, not renewing'
continue
new_key_pem
,
new_crt_pem
=
self
.
_client
.
renewC
RT
(
new_key_pem
,
new_crt_pem
=
self
.
_client
.
renewC
ertificate
(
old_crt
=
old_crt
,
old_key
=
utils
.
load_privatekey
(
old_key_pem
),
key_len
=
key_len
,
...
...
@@ -209,7 +209,7 @@ class CLICaucaseClient(object):
'csr_id'
,
'subject preview (fetch csr and check full content !)'
,
)
for
entry
in
self
.
_client
.
get
CSR
List
():
for
entry
in
self
.
_client
.
get
PendingCertificateRequest
List
():
csr
=
utils
.
load_certificate_request
(
entry
[
'csr'
])
print
'%20i | %r'
%
(
entry
[
'id'
],
...
...
@@ -222,14 +222,14 @@ class CLICaucaseClient(object):
--sign-csr
"""
for
csr_id
in
csr_id_list
:
self
.
_client
.
signCSR
(
int
(
csr_id
))
self
.
_client
.
createCertificate
(
int
(
csr_id
))
def
signCSRWith
(
self
,
csr_id_path_list
):
"""
--sign-csr-with
"""
for
csr_id
,
csr_path
in
csr_id_path_list
:
self
.
_client
.
signCSR
(
self
.
_client
.
createCertificate
(
int
(
csr_id
),
template_csr
=
utils
.
getCertRequest
(
csr_path
),
)
...
...
@@ -239,7 +239,7 @@ class CLICaucaseClient(object):
--reject-csr
"""
for
csr_id
in
csr_id_list
:
self
.
_client
.
delete
CSR
(
int
(
csr_id
))
self
.
_client
.
delete
PendingCertificateRequest
(
int
(
csr_id
))
def
revokeOtherCRT
(
self
,
crt_list
):
"""
...
...
@@ -263,7 +263,7 @@ class CLICaucaseClient(object):
crt_path
,
)
)
self
.
_client
.
revokeC
RT
(
crt_pem
)
self
.
_client
.
revokeC
ertificate
(
crt_pem
)
return
error
def
revokeSerial
(
self
,
serial_list
):
...
...
@@ -573,14 +573,14 @@ def probe(argv=None):
http_client
=
CaucaseClient
(
ca_url
=
cas_url
,
)
http_ca_pem
=
http_client
.
getCA
()
http_ca_pem
=
http_client
.
getCA
Certificate
()
https_ca_pem
=
HTTPSOnlyCaucaseClient
(
ca_url
=
cas_url
,
ca_crt_pem_list
=
[
http_ca_pem
],
).
getCA
()
).
getCA
Certificate
()
# Retrieve again in case there was a renewal between both calls - we do
# not expect 2 renewals in very short succession.
http2_ca_pem
=
http_client
.
getCA
()
http2_ca_pem
=
http_client
.
getCA
Certificate
()
if
https_ca_pem
not
in
(
http_ca_pem
,
http2_ca_pem
):
raise
ValueError
(
'http and https do not serve the same caucase database'
)
...
...
@@ -700,18 +700,18 @@ def updater(argv=None):
csr_pem
=
utils
.
getCertRequest
(
args
.
csr
)
# Quick sanity check before bothering server
utils
.
load_certificate_request
(
csr_pem
)
csr_id
=
client
.
putCSR
(
csr_pem
)
csr_id
=
client
.
createCertificateSigningRequest
(
csr_pem
)
print
'Waiting for signature of'
,
csr_id
while
True
:
try
:
crt_pem
=
client
.
getC
RT
(
csr_id
)
crt_pem
=
client
.
getC
ertificate
(
csr_id
)
except
CaucaseError
,
e
:
if
e
.
args
[
0
]
!=
httplib
.
NOT_FOUND
:
raise
# If server does not know our CSR anymore, getCSR will raise.
# If it does, we were likely rejected, so exit by letting exception
# through.
client
.
getC
SR
(
csr_id
)
client
.
getC
ertificateSigningRequest
(
csr_id
)
# Still here ? Ok, wait a bit and try again.
utils
.
interruptibleSleep
(
60
)
else
:
...
...
@@ -746,7 +746,7 @@ def updater(argv=None):
next_deadline
=
crt
.
not_valid_after
-
threshold
if
next_deadline
<=
now
:
print
'Renewing'
,
args
.
crt
new_key_pem
,
new_crt_pem
=
client
.
renewC
RT
(
new_key_pem
,
new_crt_pem
=
client
.
renewC
ertificate
(
old_crt
=
crt
,
old_key
=
utils
.
load_privatekey
(
key_pem
),
key_len
=
args
.
key_len
,
...
...
caucase/client.py
View file @
5ddb439a
...
...
@@ -61,7 +61,7 @@ def updateCAFile(url, ca_crt_path):
if
not
os
.
path
.
exists
(
ca_crt_path
):
ca_pem
=
CaucaseClient
(
ca_url
=
url
,
).
getCA
()
).
getCA
Certificate
()
with
open
(
ca_crt_path
,
'w'
)
as
ca_crt_file
:
ca_crt_file
.
write
(
ca_pem
)
updated
=
True
...
...
@@ -78,7 +78,7 @@ def updateCAFile(url, ca_crt_path):
CaucaseClient
(
ca_url
=
url
,
ca_crt_pem_list
=
ca_pem_list
,
).
get
NewCAList
(),
).
get
CACertificateChain
(),
)
if
ca_pem_list
!=
loaded_ca_pem_list
:
data
=
''
.
join
(
ca_pem_list
)
...
...
@@ -107,7 +107,7 @@ def updateCRLFile(url, crl_path, ca_list):
my_crl
=
None
latest_crl_pem
=
CaucaseClient
(
ca_url
=
url
,
).
getC
RL
()
).
getC
ertificateRevocationList
()
latest_crl
=
utils
.
load_crl
(
latest_crl_pem
,
ca_list
)
if
latest_crl
!=
my_crl
:
with
open
(
crl_path
,
'w'
)
as
crl_file
:
...
...
@@ -166,19 +166,19 @@ class CaucaseClient(object):
def
_https
(
self
,
method
,
url
,
body
=
None
,
headers
=
None
):
return
self
.
_request
(
self
.
_https_connection
,
method
,
url
,
body
,
headers
)
def
getC
RL
(
self
):
def
getC
ertificateRevocationList
(
self
):
"""
[ANONYMOUS] Retrieve latest CRL.
"""
return
self
.
_http
(
'GET'
,
'/crl'
)
def
getC
SR
(
self
,
csr_id
):
def
getC
ertificateSigningRequest
(
self
,
csr_id
):
"""
[ANONYMOUS] Retrieve an CSR by its identifier.
"""
return
self
.
_http
(
'GET'
,
'/csr/%i'
%
(
csr_id
,
))
def
get
CSR
List
(
self
):
def
get
PendingCertificateRequest
List
(
self
):
"""
[AUTHENTICATED] Retrieve all pending CSRs.
"""
...
...
@@ -190,7 +190,7 @@ class CaucaseClient(object):
for
x
in
json
.
loads
(
self
.
_https
(
'GET'
,
'/csr'
))
]
def
putCSR
(
self
,
csr
):
def
createCertificateSigningRequest
(
self
,
csr
):
"""
[ANONYMOUS] Store a CSR and return its identifier.
"""
...
...
@@ -198,29 +198,29 @@ class CaucaseClient(object):
'Content-Type'
:
'application/pkcs10'
,
}))
def
delete
CSR
(
self
,
csr_id
):
def
delete
PendingCertificateRequest
(
self
,
csr_id
):
"""
[AUTHENTICATED] Reject a pending CSR.
"""
self
.
_https
(
'DELETE'
,
'/csr/%i'
%
(
csr_id
,
))
def
_getC
RT
(
self
,
crt_id
):
def
_getC
ertificate
(
self
,
crt_id
):
return
self
.
_http
(
'GET'
,
'/crt'
+
crt_id
)
def
getC
RT
(
self
,
csr_id
):
def
getC
ertificate
(
self
,
csr_id
):
"""
[ANONYMOUS] Retrieve CRT by its identifier (same as corresponding CRL
identifier).
"""
return
self
.
_getC
RT
(
'/%i'
%
(
csr_id
,
))
return
self
.
_getC
ertificate
(
'/%i'
%
(
csr_id
,
))
def
getCA
(
self
):
def
getCA
Certificate
(
self
):
"""
[ANONYMOUS] Retrieve current CA certificate.
"""
return
self
.
_getC
RT
(
'/ca.crt.pem'
)
return
self
.
_getC
ertificate
(
'/ca.crt.pem'
)
def
get
NewCAList
(
self
):
def
get
CACertificateChain
(
self
):
"""
[ANONYMOUS] Retrieve CA certificate chain, with CA certificate N+1 signed
by CA certificate N, allowing automated CA cert rollout.
...
...
@@ -234,7 +234,7 @@ class CaucaseClient(object):
key
=
lambda
x
:
x
.
not_valid_before
,
)[
-
1
]
result
=
[]
for
entry
in
json
.
loads
(
self
.
_getC
RT
(
'/ca.crt.json'
)):
for
entry
in
json
.
loads
(
self
.
_getC
ertificate
(
'/ca.crt.json'
)):
try
:
payload
=
utils
.
unwrap
(
entry
,
...
...
@@ -257,7 +257,7 @@ class CaucaseClient(object):
previous_ca
=
utils
.
load_ca_certificate
(
new_pem
)
return
result
def
renewC
RT
(
self
,
old_crt
,
old_key
,
key_len
):
def
renewC
ertificate
(
self
,
old_crt
,
old_key
,
key_len
):
"""
[ANONYMOUS] Request certificate renewal.
"""
...
...
@@ -292,7 +292,7 @@ class CaucaseClient(object):
),
)
def
revokeC
RT
(
self
,
crt
,
key
=
None
):
def
revokeC
ertificate
(
self
,
crt
,
key
=
None
):
"""
Revoke certificate.
[ANONYMOUS] if key is provided.
...
...
@@ -334,7 +334,7 @@ class CaucaseClient(object):
{
'Content-Type'
:
'application/json'
},
)
def
signCSR
(
self
,
csr_id
,
template_csr
=
''
):
def
createCertificate
(
self
,
csr_id
,
template_csr
=
''
):
"""
[AUTHENTICATED] Sign certificate signing request.
"""
...
...
caucase/test.py
View file @
5ddb439a
...
...
@@ -722,7 +722,7 @@ class CaucaseTest(unittest.TestCase):
"""
client
=
CaucaseClient
(
self
.
_caucase_url
+
'/cas'
)
try
:
client
.
putCSR
(
'Not actually a CSR'
)
client
.
createCertificateSigningRequest
(
'Not actually a CSR'
)
except
CaucaseError
,
e
:
self
.
assertEqual
(
e
.
args
[
0
],
400
,
e
)
else
:
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment