0.3.0-alpha2: fix edge case where trifid would issue certs that outlive the CA sometimes

2024-01-02 20:21:16 -05:00 · 2024-01-02 20:21:16 -05:00 · 0b807b351d
parent 51bb540ab4
commit 0b807b351d
3 changed files with 13 additions and 4 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -3135,7 +3135,7 @@ dependencies = [

 [[package]]
 name = "trifid-api"
-version = "0.3.0-alpha1"
+version = "0.3.0-alpha2"
 dependencies = [
 "actix-cors",
 "actix-web",
--- a/trifid-api/Cargo.toml
+++ b/trifid-api/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "trifid-api"
-version = "0.3.0-alpha1"
+version = "0.3.0-alpha2"
 authors = ["core <core@e3t.cc>"]
 edition = "2021"
 description = "An open-source reimplementation of the Defined Networking API server"
--- a/trifid-api/src/config_generator.rs
+++ b/trifid-api/src/config_generator.rs
@ -4,9 +4,9 @@
 // Review carefully what you write here!

 use crate::crypt::sign_cert_with_ca;
-use crate::models::{Host, HostKey, HostOverride, Network, Role, RoleFirewallRule, SigningCA};
+use crate::models::{Host, HostKey, HostOverride, Network, RoleFirewallRule, SigningCA};
 use crate::schema::{
-    host_keys, host_overrides, hosts, networks, role_firewall_rules, roles, signing_cas,
+    host_keys, host_overrides, hosts, networks, role_firewall_rules, signing_cas,
 };
 use crate::AppState;
 use actix_web::web::Data;
@ -109,6 +109,15 @@ pub async fn generate_config(
        signature: vec![],
    };

+    let ca_cert: NebulaCertificate = serde_json::from_value(signing_ca.cert.clone()).unwrap();
+
+    if cert.details.not_before < ca_cert.details.not_before {
+        cert.details.not_before = ca_cert.details.not_before;
+    }
+    if cert.details.not_after > ca_cert.details.not_after {
+        cert.details.not_after = ca_cert.details.not_after;
+    }
+
    sign_cert_with_ca(signing_ca, &mut cert, &state.config).unwrap();

    let all_blocked_hosts = hosts::dsl::hosts