Commit f07ba7a6 authored by Rafael Monnerat's avatar Rafael Monnerat

erp5_certificate_authority: Implement updateCACertificateChain

   Store and check the CA Certificate Chain to ensure we are talking to the same CA. Save the CA Cert. Chain for future usage.
parent fc240840
......@@ -186,6 +186,21 @@ class CaucaseConnector(XMLObject):
def getCACertificate(self):
return self._getServiceConnection().getCACertificate()
def updateCACertificateChain(self):
with tempfile.NamedTemporaryFile(prefix='caucase_ca_certificate_chain_', bufsize=0) as ca_crt_file:
if self.getCaCertificateChain():
ca_crt_file.write(self.getCaCertificateChain())
ca_crt_file.write("\n")
ca_crt_file.flush()
ca_crt_file.seek(0)
updated = self._getServiceConnection().updateCAFile(
url="%s/cas" % self.getUrlString(""),
ca_crt_path=ca_crt_file.name)
if updated:
ca_crt_file.seek(0)
self.setCaCertificateChain(ca_crt_file.read())
def createCertificateSigningRequest(self, csr):
return self._getServiceConnection().createCertificateSigningRequest(csr)
......
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Standard Property" module="erp5.portal_type"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>categories</string> </key>
<value>
<tuple>
<string>elementary_type/text</string>
</tuple>
</value>
</item>
<item>
<key> <string>description</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>ca_certificate_chain_property</string> </value>
</item>
<item>
<key> <string>read_permission</string> </key>
<value> <string>Manage users</string> </value>
</item>
<item>
<key> <string>write_permission</string> </key>
<value> <string>Manage users</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
......@@ -93,6 +93,7 @@
<string>my_user_certificate_request_reference</string>
<string>my_user_certificate</string>
<string>my_user_key</string>
<string>my_ca_certificate_chain</string>
</list>
</value>
</item>
......
......@@ -257,7 +257,7 @@
</item>
<item>
<key> <string>title</string> </key>
<value> <string>Caucase User Certifificate</string> </value>
<value> <string>Caucase User Certificate</string> </value>
</item>
<item>
<key> <string>unicode</string> </key>
......
......@@ -30,6 +30,7 @@
from Products.ERP5Type.tests.ERP5TypeCaucaseTestCase import ERP5TypeCaucaseTestCase
from Products.ERP5Type.Core.Workflow import ValidationFailed
from caucase.client import CaucaseError
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
......@@ -134,3 +135,46 @@ class TestCertificateAuthorityCaucaseConnector(ERP5TypeCaucaseTestCase):
self.assertRaises(CaucaseHTTPError, self.caucase_connector.revokeCertificate, cert_data)
def test_updateCACertificateChain(self):
self.caucase_connector.setCaCertificateChain(None)
self.caucase_connector.updateCACertificateChain()
self.assertNotEqual(
self.caucase_connector.getCaCertificateChain(), None)
ca_cert = self.caucase_connector.getCaCertificateChain()
# Repeat to ensure nothing is updated
self.assertEqual(
self.caucase_connector.getCaCertificateChain(), ca_cert)
# Ensure you get the same thing if you repeat
self.caucase_connector.setCaCertificateChain(None)
self.caucase_connector.updateCACertificateChain()
self.assertEqual(
self.caucase_connector.getCaCertificateChain(), ca_cert)
def test_updateCACertificateChain_untrust(self):
self.caucase_connector.setCaCertificateChain("""-----BEGIN CERTIFICATE-----
MIIDXjCCAkagAwIBAgIUWur7vpjLtzdWTuaBVQtzgEnDNegwDQYJKoZIhvcNAQEL
BQAwNTEzMDEGA1UEAwwqQ2F1Y2FzZSBDQVMgYXQgaHR0cDovLzEwLjAuNzcuMjI3
Ojg4OTAvY2FzMB4XDTIzMTAwMzE5MTM0NloXDTI0MTAwOTE5MTM0NlowNTEzMDEG
A1UEAwwqQ2F1Y2FzZSBDQVMgYXQgaHR0cDovLzEwLjAuNzcuMjI3Ojg4OTAvY2Fz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoUPOUx/glzpxe1lmD2vq
ZS5UlOR7oeBoNsdmFpuikZ6ksQvVlnQehsRwvCa8plOWC01ob/NqcVbTqhUCEcnf
LL7y8wqD4qg1wTBOEQ9T2BjNSfY+y5UxGDiTqKSYCre+OY5jWipwNUGXZ7rsQPvU
ExUP/itu1E8vDe9c6uCVq5IR+SJvwwwgB4LwCl14xRpKmkoRcduJFI51mjQmG1/u
q9dbBffZXddEQGZwrjvHXgCMfEccfyPU67PVuyCX6q/1pX3HCxaFR1Z2QVHa2MqV
wjPxqbxOVBK/3oXAVYUS9ksGWxzFdzyDZwPi714sUjUhI/0UholZslQniWhNWp+P
xwIDAQABo2YwZDAdBgNVHQ4EFgQU6xc8HvOdfmnhZ85cxFlfecnVBNAwHwYDVR0j
BBgwFoAU6xc8HvOdfmnhZ85cxFlfecnVBNAwEgYDVR0TAQH/BAgwBgEB/wIBADAO
BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAGLjwIByLsnohRAx7qVX
2o8d8UvzUXEDTmx2NStYTX53nPu+ajngPV+qr7n7e6PD6xLyNp585aH7P1jt9ZDE
i4JrbtUSl8toB1hizBJeWG4BTRfJ/70ojOEhn/BodhoCIo/Qzn9cuLCjfMXbDhlK
ySrBjKOrG9nl16sT5iao5lJJw2KqzDB7e1SKvBwwILtO74VwdkdUO9itUkP7d6Do
LSnalc7gqVsf8BAlymRktQuDUXZzP3AbWNH6c7ihhNqsP8npKdA/Z4rWCTtIHj+P
YvI3c9Ftc8ACdjv7cMHEdtRmxCYLxIitkfr2wG2sWbGmHoUVjGQdvAjBq8iyMY4q
PB8=
-----END CERTIFICATE-----
""")
self.assertRaises(CaucaseError, self.caucase_connector.updateCACertificateChain)
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment