Better custom cert handling in the superuser tool
We now only allow certificates ending in .crt to be uploaded and we automatically install the certificate once it has been validated
parent
da8032fe61
commit
e509eb4cba
6 changed files with 58 additions and 18 deletions
|
@ -3,6 +3,7 @@
|
|||
import logging
|
||||
import os
|
||||
import string
|
||||
import subprocess
|
||||
|
||||
import pathvalidate
|
||||
|
||||
|
@ -894,9 +895,27 @@ class SuperUserCustomCertificate(ApiResource):
|
|||
if not uploaded_file:
|
||||
abort(400)
|
||||
|
||||
# Save the certificate.
|
||||
certpath = pathvalidate.sanitize_filename(certpath)
|
||||
if not certpath.endswith('.crt'):
|
||||
abort(400)
|
||||
|
||||
cert_full_path = os.path.join(EXTRA_CA_DIRECTORY, certpath)
|
||||
config_provider.save_volume_file(cert_full_path, uploaded_file)
|
||||
|
||||
# Validate the certificate.
|
||||
try:
|
||||
with config_provider.get_volume_file(cert_full_path) as f:
|
||||
load_certificate(f.read())
|
||||
|
||||
# Call the update script to install the certificate immediately.
|
||||
if not app.config['TESTING']:
|
||||
subprocess.check_call(['/conf/init/certs_install.sh'])
|
||||
except CertInvalidException:
|
||||
pass
|
||||
except IOError:
|
||||
pass
|
||||
|
||||
return '', 204
|
||||
|
||||
abort(403)
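Review bot: A certificate that fails validation is still left on disk and reported as success: `save_volume_file` writes it into `EXTRA_CA_DIRECTORY` before `load_certificate` runs, and both `except CertInvalidException: pass` and `except IOError: pass` fall through to `return '', 204`. That directory is presumably what `/conf/init/certs_install.sh` reads, so a rejected file could still be picked up by a later run of the script; those branches should delete the saved file and end in `abort(400)` rather than `pass`. `subprocess.check_call` also raises `CalledProcessError` on a non-zero exit, which neither handler catches, so a failed install surfaces as an unhandled error with the file already in place; catching it and logging the failure would make that outcome explicit. The enclosing method begins above the hunk, so where `certpath` comes from and the permission check that leads to `abort(403)` are not visible here.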
|
||||
|
|