Add a script to revoke certificates.
This commit is contained in:
Pino de Candia
parent
8e52c850ce
commit
0b207f6123
53
scripts/revoke-user-cert
Normal file
53
scripts/revoke-user-cert
Normal file
@ -0,0 +1,53 @@
|
||||
#!/usr/bin/env python
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import os
|
||||
import requests
|
||||
import subprocess
|
||||
import uuid
|
||||
from Crypto.PublicKey import RSA
|
||||
|
||||
parser = argparse.ArgumentParser(description='Revoke a Tatu-generated user SSH certificate.')
|
||||
parser.add_argument('--projid', '-P', required=True)
|
||||
parser.add_argument('--serial', '-K', required=True)
|
||||
parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
|
||||
help='URL of the Tatu API')
|
||||
args = parser.parse_args()
|
||||
|
||||
try:
|
||||
auth_id = str(uuid.UUID(args.projid, version=4))
|
||||
except:
|
||||
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
|
||||
exit()
|
||||
|
||||
if not args.serial.isdigit():
|
||||
print '--serial should be a number'
|
||||
exit()
|
||||
|
||||
server = args.tatu_url
|
||||
|
||||
body = {
|
||||
'serial': args.serial,
|
||||
'auth_id': auth_id,
|
||||
'key.pub': pubkeytext
|
||||
}
|
||||
|
||||
response = requests.post(
|
||||
server + '/revokeduserkeys/' + auth_id,
|
||||
data=json.dumps({'serial': args.serial})
|
||||
)
|
||||
if response.status_code != 200:
|
||||
print 'Failed: ' + str(response)
|
||||
exit()
|
||||
@ -149,6 +149,8 @@ def revokeUserKey(session, auth_id, serial=None, key_id=None, cert=None):
|
||||
|
||||
if ser is None or userCert is None:
|
||||
raise falcon.HTTPBadRequest("Cannot identify which Cert to revoke.")
|
||||
if userCert.revoked:
|
||||
raise falcon.HTTPBadRequest("Certificate was already revoked.")
|
||||
|
||||
userCert.revoked = True
|
||||
session.add(userCert)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user