diff --git a/scripts/revoke-user-cert b/scripts/revoke-user-cert
new file mode 100644
index 0000000..05840f0
--- /dev/null
+++ b/scripts/revoke-user-cert
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import argparse
+import json
+import os
+import requests
+import subprocess
+import uuid
+from Crypto.PublicKey import RSA
+
+parser = argparse.ArgumentParser(description='Revoke a Tatu-generated user SSH certificate.')
+parser.add_argument('--projid', '-P', required=True)
+parser.add_argument('--serial', '-K', required=True)
+parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
+ help='URL of the Tatu API')
+args = parser.parse_args()
+
+try:
+ auth_id = str(uuid.UUID(args.projid, version=4))
+except:
+ print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
+ exit()
+
+if not args.serial.isdigit():
+ print '--serial should be a number'
+ exit()
+
+server = args.tatu_url
+
+body = {
+ 'serial': args.serial,
+ 'auth_id': auth_id,
+ 'key.pub': pubkeytext
+}
+
+response = requests.post(
+ server + '/revokeduserkeys/' + auth_id,
+ data=json.dumps({'serial': args.serial})
+)
+if response.status_code != 200:
+ print 'Failed: ' + str(response)
+ exit()
diff --git a/tatu/db/models.py b/tatu/db/models.py
index 6f0f99f..cc37012 100644
--- a/tatu/db/models.py
+++ b/tatu/db/models.py
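Review bot: The `body` dict near the end of the hunk references `pubkeytext`, which is never defined anywhere in the file, so the script raises NameError before the `requests.post` call runs; `body` is also never used (the request sends `json.dumps({'serial': args.serial})`), so the dict should be deleted along with the unused `os`, `subprocess` and `RSA` imports. The bare `except:` around `uuid.UUID(...)` also swallows SystemExit and KeyboardInterrupt; `except ValueError:` is the exception a malformed UUID string raises. Each failure path calls `exit()`, which returns status 0 to the caller, so a wrapper script cannot distinguish a failed revocation from a successful one; use `sys.exit(1)` (with `import sys`) on every error branch, including the non-200 response. The `print` statements are Python 2 only, so the `#!/usr/bin/env python` shebang will fail on a Python 3 interpreter, while `print(...)` works on both. The request carries no credentials, so unless the API authenticates callers some other way (not visible here), the revocation endpoint is only as protected as the network path to `--tatu-url`.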
@@ -149,6 +149,8 @@ def revokeUserKey(session, auth_id, serial=None, key_id=None, cert=None):
 if ser is None or userCert is None:
 raise falcon.HTTPBadRequest("Cannot identify which Cert to revoke.")
+ if userCert.revoked:
+ raise falcon.HTTPBadRequest("Certificate was already revoked.")
 userCert.revoked = True
 session.add(userCert)