Commit 3fccc2ec authored by Łukasz Nowak's avatar Łukasz Nowak

app: Add support for multiple CRLs.

See merge request nexedi/kedifa!10
parents 1e38bcb3 2a434732
......@@ -302,13 +302,14 @@ class Kedifa(object):
GET (no auth required) one time access URL which returns auth key
content-type: text/plain
"""
def loadCertificate(self, ca_certificate, crl):
def loadCertificate(self, ca_certificate_path, crl_path):
self.ca_certificate_list = [
caucase.utils.load_ca_certificate(x)
for x in caucase.utils.getCertList(ca_certificate.name)]
for x in caucase.utils.getCertList(ca_certificate_path)]
self.crl = caucase.utils.load_crl(
crl.read(), self.ca_certificate_list).public_bytes(encoding=Encoding.PEM)
self.crl_list = [
caucase.utils.load_crl(x, self.ca_certificate_list)
for x in caucase.utils.getCRLList(crl_path)]
def __init__(self, pocket, ca_certificate, crl):
self.pocket_db = SQLite3Storage(pocket)
......@@ -348,10 +349,7 @@ class Kedifa(object):
caucase.utils.load_certificate(
environ.get('SSL_CLIENT_CERT', b''),
trusted_cert_list=self.ca_certificate_list,
crl=caucase.utils.load_crl(
self.crl,
self.ca_certificate_list,
),
crl_list=self.crl_list,
)
except (caucase.exceptions.CertificateVerificationError, ValueError):
raise Unauthroized
......@@ -506,8 +504,7 @@ class Reloader(object):
self.app = app
def handle(self, signum, frame):
with open(self.ca_certificate_path) as ca, open(self.crl_path) as crl:
self.app.loadCertificate(ca, crl)
self.app.loadCertificate(self.ca_certificate_path, self.crl_path)
ssl_context = getSSLContext(
self.server_key_path, self.ca_certificate_path, self.crl_path)
ssl_socket = self.httpd.socket
......@@ -574,7 +571,7 @@ def http(host, port, pocket, certificate, ca_certificate, crl, pidfile,
pid = str(os.getpid())
pidfile.write(pid)
pidfile.close()
kedifa = Kedifa(pocket, ca_certificate, crl)
kedifa = Kedifa(pocket, ca_certificate.name, crl.name)
if ':' in host:
access_format = 'https://[%s]:%s/'
else:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment