/{device_id}/issue mostly done
This commit is contained in:
parent
d89409f973
commit
2d755b8e3d
1 changed files with 21 additions and 27 deletions
|
@ -2,12 +2,10 @@
|
||||||
/device endpoints.
|
/device endpoints.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from datetime import datetime
|
|
||||||
|
|
||||||
from fastapi import APIRouter, Depends, HTTPException, status
|
from fastapi import APIRouter, Depends, HTTPException, status
|
||||||
|
|
||||||
from ..db import Connection, Device, DeviceCreate, DeviceRead, User
|
from ..db import Device, DeviceCreate, DeviceRead, User
|
||||||
from ..easyrsa import CertificateType, DistinguishedName, EasyRSA
|
from ..easyrsa import DistinguishedName, EasyRSA
|
||||||
from ._common import (Responses, get_current_user, get_device_by_id,
|
from ._common import (Responses, get_current_user, get_device_by_id,
|
||||||
get_user_by_name)
|
get_user_by_name)
|
||||||
|
|
||||||
|
@ -81,47 +79,43 @@ async def remove_device(
|
||||||
|
|
||||||
|
|
||||||
@router.post(
|
@router.post(
|
||||||
"/{device_id}/csr",
|
"/{device_id}/issue",
|
||||||
responses={
|
responses={
|
||||||
status.HTTP_200_OK: Responses.OK,
|
status.HTTP_200_OK: Responses.OK,
|
||||||
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
status.HTTP_400_BAD_REQUEST: Responses.NOT_INSTALLED,
|
||||||
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
status.HTTP_401_UNAUTHORIZED: Responses.NEEDS_USER,
|
||||||
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
status.HTTP_403_FORBIDDEN: Responses.NEEDS_PERMISSION,
|
||||||
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
status.HTTP_404_NOT_FOUND: Responses.ENTRY_DOESNT_EXIST,
|
||||||
|
status.HTTP_409_CONFLICT: Responses.ENTRY_EXISTS,
|
||||||
},
|
},
|
||||||
|
response_model=DeviceRead,
|
||||||
)
|
)
|
||||||
async def request_certificate(
|
async def request_certificate(
|
||||||
current_user: User = Depends(get_current_user),
|
current_user: User = Depends(get_current_user),
|
||||||
device: Device = Depends(get_device_by_id),
|
device: Device = Depends(get_device_by_id),
|
||||||
):
|
) -> Device:
|
||||||
"""
|
"""
|
||||||
POST ./{device_id}/csr: Request certificate for a device.
|
POST ./{device_id}/issue: Request certificate for a device.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
# check permission
|
# check permission
|
||||||
if not current_user.can_edit(device):
|
if not current_user.can_edit(device):
|
||||||
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
|
||||||
|
|
||||||
easy_rsa = EasyRSA()
|
# cannot request for a newly created device
|
||||||
|
if device.approved is not None:
|
||||||
|
raise HTTPException(status_code=status.HTTP_409_CONFLICT)
|
||||||
|
|
||||||
with Connection.session as db:
|
# check if we must wait for approval
|
||||||
db.add(device)
|
device.approved = current_user.can_issue
|
||||||
dn = DistinguishedName.build(device)
|
|
||||||
|
|
||||||
if current_user.can_issue(device):
|
if device.approved:
|
||||||
device.approved = True
|
# issue the certificate immediately
|
||||||
|
if (certificate := EasyRSA._.issue(
|
||||||
|
dn=DistinguishedName.build(device)
|
||||||
|
)) is not None:
|
||||||
|
device.expiry = certificate.not_valid_after
|
||||||
|
|
||||||
if (cert := easy_rsa.issue(
|
# return updated device
|
||||||
dn=dn,
|
device.update()
|
||||||
cert_type=CertificateType.server,
|
return device
|
||||||
)) is not None:
|
|
||||||
assert (expiry := cert.get_notAfter()) is not None
|
|
||||||
|
|
||||||
date_format, encoding = "%Y%m%d%H%M%SZ", "ascii"
|
|
||||||
expiry = datetime.strptime(
|
|
||||||
expiry.decode(encoding),
|
|
||||||
date_format,
|
|
||||||
)
|
|
||||||
device.expiry = expiry
|
|
||||||
|
|
||||||
db.commit()
|
|
||||||
|
|
Loading…
Reference in a new issue