crans/lc_ldap
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[attributs, objets] Affinage des permissions sur les certificats

Browse source
This commit is contained in:
Valentin Samir 2014-02-23 16:06:11 +01:00
parent f5347106c7
commit fefad357fc
3 changed files with 21 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

16
attributs.py
View file

@ -1447,36 +1447,43 @@ class machineAlias(boolAttr):
@crans_attribute
class issuerCN(Attr):
ldap_name = "issuerCN"
can_modify = [nounou]
@crans_attribute
class serialNumber(Attr):
ldap_name = "serialNumber"
python_type = int
can_modify = [nounou]
@crans_attribute
class start(intAttr):
ldap_name = "start"
can_modify = [nounou]
@crans_attribute
class end(intAttr):
ldap_name = "end"
can_modify = [nounou]
@crans_attribute
class crlUrl(Attr):
ldap_name = "crlUrl"
optional = True
can_modify = [parent, nounou]
@crans_attribute
class revocked(boolAttr):
ldap_name = "revocked"
singlevalue = True
optional = True
can_modify = [nounou]
@crans_attribute
class certificat(Attr):
ldap_name = "certificat"
binary = True
python_type = str
can_modify = [parent, nounou]
def __init__(self, *args, **kwargs):
super(certificat, self).__init__(*args, **kwargs)
@ -1491,8 +1498,9 @@ class certificat(Attr):
name_type = name.getName()
if name_type == 'dNSName':
altName.append(unicode(name.getComponent()))
else:
raise ValueError("Seulement les dNSName sont supporté pour l'extension de certificat SubjectAltName")
# Cacert met des othername, du coup, on ignore juste
# else:
# raise ValueError("Seulement les dNSName sont supporté pour l'extension de certificat SubjectAltName (et pas %s)" % name_type)
return altName
def _format_cert(self, certificat):
@ -1556,16 +1564,19 @@ class certificat(Attr):
class certificatUsage(intAttr):
ldap_name = "certificatUsage"
singlevalue = True
can_modify = [parent, nounou]
@crans_attribute
class selector(intAttr):
ldap_name = "selector"
singlevalue = True
can_modify = [parent, nounou]
@crans_attribute
class matchingType(intAttr):
ldap_name = "matchingType"
singlevalue = True
can_modify = [parent, nounou]
@crans_attribute
class xid(intAttr):
@ -1573,6 +1584,7 @@ class xid(intAttr):
category = 'id'
unique = True
singlevalue = True
can_modify = []
@crans_attribute

1
lc_ldap.py
View file

@ -432,6 +432,7 @@ class lc_ldap(ldap.ldapobject.LDAPObject, object):
raise
return i
def _check_parent(self, objdn):
"""
Teste le rapport entre le dn fourni et self

11
objets.py
View file

@ -1124,9 +1124,9 @@ class facture(CransLdapObject):
@crans_object
class baseCert(CransLdapObject):
can_be_by = { variables.created: [attributs.nounou, attributs.bureau],
variables.modified: [attributs.nounou, attributs.bureau],
variables.deleted: [attributs.nounou, attributs.bureau],
can_be_by = { variables.created: [attributs.nounou, attributs.bureau, attributs.parent],
variables.modified: [attributs.nounou, attributs.bureau, attributs.parent],
variables.deleted: [attributs.nounou, attributs.bureau, attributs.parent],
}
attribs = [ attributs.xid, attributs.certificat, attributs.hostCert, attributs.historique]
@ -1202,10 +1202,11 @@ class baseCert(CransLdapObject):
def delete(self, comm="", login=None):
"""Supprimme l'objet de la base LDAP."""
if u"x509Cert" in self['objectClass']:
if not self['revocked'] or not self['revocked'][0]:
# Si le certificat est encore valide et qu'il n'a pas été révoqué
if self['end'] > int(time.time()) and (not self['revocked'] or not self['revocked'][0]):
for issuer in self['issuerCN']:
if issuer in self.protected_issuer:
raise EnvironmentError("Vous n'avez pas le droit de supprimer %s tant que le certificat n'aura pas été marqué comme révoqué" % self.dn)
raise EnvironmentError("Vous n'avez pas le droit de supprimer %s tant que le certificat n'aura pas expiré ou été marqué comme révoqué" % self.dn)
super(baseCert, self).delete(comm, login)