Skip to content

erp5
erp5
Commit f07ba7a6 authored by Rafael Monnerat's avatar Rafael Monnerat
Browse files
Options

erp5_certificate_authority: Implement updateCACertificateChain 

   Store and check the CA Certificate Chain to ensure we are talking to the same CA. Save the CA Cert. Chain for future usage.
parent fc240840
Expand all Hide whitespace changes
Inline Side-by-side
Showing with 379 additions and 1 deletion
bt5/erp5_certificate_authority/DocumentTemplateItem/portal_components/document.erp5.CaucaseConnector.py
View file @ f07ba7a6
...@@ -186,6 +186,21 @@ class CaucaseConnector(XMLObject): ...@@ -186,6 +186,21 @@ class CaucaseConnector(XMLObject):
def getCACertificate(self): def getCACertificate(self):
return self._getServiceConnection().getCACertificate() return self._getServiceConnection().getCACertificate()
def updateCACertificateChain(self):
with tempfile.NamedTemporaryFile(prefix='caucase_ca_certificate_chain_', bufsize=0) as ca_crt_file:
if self.getCaCertificateChain():
ca_crt_file.write(self.getCaCertificateChain())
ca_crt_file.write("\n")
ca_crt_file.flush()
ca_crt_file.seek(0)
updated = self._getServiceConnection().updateCAFile(
url="%s/cas" % self.getUrlString(""),
ca_crt_path=ca_crt_file.name)
if updated:
ca_crt_file.seek(0)
self.setCaCertificateChain(ca_crt_file.read())
def createCertificateSigningRequest(self, csr): def createCertificateSigningRequest(self, csr):
return self._getServiceConnection().createCertificateSigningRequest(csr) return self._getServiceConnection().createCertificateSigningRequest(csr)
......
bt5/erp5_certificate_authority/PropertySheetTemplateItem/portal_property_sheets/CaucaseConnector/ca_certificate_chain_property.xml 0 → 100644
View file @ f07ba7a6
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="Standard Property" module="erp5.portal_type"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>categories</string> </key>
<value>
<tuple>
<string>elementary_type/text</string>
</tuple>
</value>
</item>
<item>
<key> <string>description</string> </key>
<value>
<none/>
</value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>ca_certificate_chain_property</string> </value>
</item>
<item>
<key> <string>read_permission</string> </key>
<value> <string>Manage users</string> </value>
</item>
<item>
<key> <string>write_permission</string> </key>
<value> <string>Manage users</string> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
bt5/erp5_certificate_authority/SkinTemplateItem/portal_skins/erp5_certificate_authority/CaucaseConnector_view.xml
View file @ f07ba7a6
...@@ -93,6 +93,7 @@ ...@@ -93,6 +93,7 @@
<string>my_user_certificate_request_reference</string> <string>my_user_certificate_request_reference</string>
<string>my_user_certificate</string> <string>my_user_certificate</string>
<string>my_user_key</string> <string>my_user_key</string>
<string>my_ca_certificate_chain</string>
</list> </list>
</value> </value>
</item> </item>
......
bt5/erp5_certificate_authority/SkinTemplateItem/portal_skins/erp5_certificate_authority/CaucaseConnector_view/my_user_certificate.xml
View file @ f07ba7a6
...@@ -257,7 +257,7 @@ ...@@ -257,7 +257,7 @@
</item> </item>
<item> <item>
<key> <string>title</string> </key> <key> <string>title</string> </key>
<value> <string>Caucase User Certifificate</string> </value> <value> <string>Caucase User Certificate</string> </value>
</item> </item>
<item> <item>
<key> <string>unicode</string> </key> <key> <string>unicode</string> </key>
......
bt5/erp5_certificate_authority/TestTemplateItem/portal_components/test.erp5.testCertificateAuthorityCaucaseConnector.py
View file @ f07ba7a6
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
from Products.ERP5Type.tests.ERP5TypeCaucaseTestCase import ERP5TypeCaucaseTestCase from Products.ERP5Type.tests.ERP5TypeCaucaseTestCase import ERP5TypeCaucaseTestCase
from Products.ERP5Type.Core.Workflow import ValidationFailed from Products.ERP5Type.Core.Workflow import ValidationFailed
from caucase.client import CaucaseError
from cryptography import x509 from cryptography import x509
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives import serialization
...@@ -134,3 +135,46 @@ class TestCertificateAuthorityCaucaseConnector(ERP5TypeCaucaseTestCase): ...@@ -134,3 +135,46 @@ class TestCertificateAuthorityCaucaseConnector(ERP5TypeCaucaseTestCase):
self.assertRaises(CaucaseHTTPError, self.caucase_connector.revokeCertificate, cert_data) self.assertRaises(CaucaseHTTPError, self.caucase_connector.revokeCertificate, cert_data)
def test_updateCACertificateChain(self):
self.caucase_connector.setCaCertificateChain(None)
self.caucase_connector.updateCACertificateChain()
self.assertNotEqual(
self.caucase_connector.getCaCertificateChain(), None)
ca_cert = self.caucase_connector.getCaCertificateChain()
# Repeat to ensure nothing is updated
self.assertEqual(
self.caucase_connector.getCaCertificateChain(), ca_cert)
# Ensure you get the same thing if you repeat
self.caucase_connector.setCaCertificateChain(None)
self.caucase_connector.updateCACertificateChain()
self.assertEqual(
self.caucase_connector.getCaCertificateChain(), ca_cert)
def test_updateCACertificateChain_untrust(self):
self.caucase_connector.setCaCertificateChain("""-----BEGIN CERTIFICATE-----
MIIDXjCCAkagAwIBAgIUWur7vpjLtzdWTuaBVQtzgEnDNegwDQYJKoZIhvcNAQEL
BQAwNTEzMDEGA1UEAwwqQ2F1Y2FzZSBDQVMgYXQgaHR0cDovLzEwLjAuNzcuMjI3
Ojg4OTAvY2FzMB4XDTIzMTAwMzE5MTM0NloXDTI0MTAwOTE5MTM0NlowNTEzMDEG
A1UEAwwqQ2F1Y2FzZSBDQVMgYXQgaHR0cDovLzEwLjAuNzcuMjI3Ojg4OTAvY2Fz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoUPOUx/glzpxe1lmD2vq
ZS5UlOR7oeBoNsdmFpuikZ6ksQvVlnQehsRwvCa8plOWC01ob/NqcVbTqhUCEcnf
LL7y8wqD4qg1wTBOEQ9T2BjNSfY+y5UxGDiTqKSYCre+OY5jWipwNUGXZ7rsQPvU
ExUP/itu1E8vDe9c6uCVq5IR+SJvwwwgB4LwCl14xRpKmkoRcduJFI51mjQmG1/u
q9dbBffZXddEQGZwrjvHXgCMfEccfyPU67PVuyCX6q/1pX3HCxaFR1Z2QVHa2MqV
wjPxqbxOVBK/3oXAVYUS9ksGWxzFdzyDZwPi714sUjUhI/0UholZslQniWhNWp+P
xwIDAQABo2YwZDAdBgNVHQ4EFgQU6xc8HvOdfmnhZ85cxFlfecnVBNAwHwYDVR0j
BBgwFoAU6xc8HvOdfmnhZ85cxFlfecnVBNAwEgYDVR0TAQH/BAgwBgEB/wIBADAO
BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAGLjwIByLsnohRAx7qVX
2o8d8UvzUXEDTmx2NStYTX53nPu+ajngPV+qr7n7e6PD6xLyNp585aH7P1jt9ZDE
i4JrbtUSl8toB1hizBJeWG4BTRfJ/70ojOEhn/BodhoCIo/Qzn9cuLCjfMXbDhlK
ySrBjKOrG9nl16sT5iao5lJJw2KqzDB7e1SKvBwwILtO74VwdkdUO9itUkP7d6Do
LSnalc7gqVsf8BAlymRktQuDUXZzP3AbWNH6c7ihhNqsP8npKdA/Z4rWCTtIHj+P
YvI3c9Ftc8ACdjv7cMHEdtRmxCYLxIitkfr2wG2sWbGmHoUVjGQdvAjBq8iyMY4q
PB8=
-----END CERTIFICATE-----
""")
self.assertRaises(CaucaseError, self.caucase_connector.updateCACertificateChain)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7