0.3.0-alpha2: fix edge case where trifid would issue certs that outlive the CA sometimes
core 2024-01-02 20:21:16 -05:00
parent 51bb540ab4
commit 0b807b351d
Signed by: core
GPG Key ID: FDBF740DADDCEECF
3 changed files with 13 additions and 4 deletions

2
Cargo.lock generated

@ -3135,7 +3135,7 @@ dependencies = [
[[package]] [[package]]
name = "trifid-api" name = "trifid-api"
version = "0.3.0-alpha1" version = "0.3.0-alpha2"
dependencies = [ dependencies = [
"actix-cors", "actix-cors",
"actix-web", "actix-web",


@ -1,6 +1,6 @@
[package] [package]
name = "trifid-api" name = "trifid-api"
version = "0.3.0-alpha1" version = "0.3.0-alpha2"
authors = ["core <core@e3t.cc>"] authors = ["core <core@e3t.cc>"]
edition = "2021" edition = "2021"
description = "An open-source reimplementation of the Defined Networking API server" description = "An open-source reimplementation of the Defined Networking API server"


@ -4,9 +4,9 @@
// Review carefully what you write here! // Review carefully what you write here!
use crate::crypt::sign_cert_with_ca; use crate::crypt::sign_cert_with_ca;
use crate::models::{Host, HostKey, HostOverride, Network, Role, RoleFirewallRule, SigningCA}; use crate::models::{Host, HostKey, HostOverride, Network, RoleFirewallRule, SigningCA};
use crate::schema::{ use crate::schema::{
host_keys, host_overrides, hosts, networks, role_firewall_rules, roles, signing_cas, host_keys, host_overrides, hosts, networks, role_firewall_rules, signing_cas,
}; };
use crate::AppState; use crate::AppState;
use actix_web::web::Data; use actix_web::web::Data;
@ -109,6 +109,15 @@ pub async fn generate_config(
signature: vec![], signature: vec![],
}; };
let ca_cert: NebulaCertificate = serde_json::from_value(signing_ca.cert.clone()).unwrap();
if cert.details.not_before < ca_cert.details.not_before {
cert.details.not_before = ca_cert.details.not_before;
}
if cert.details.not_after > ca_cert.details.not_after {
cert.details.not_after = ca_cert.details.not_after;
}
sign_cert_with_ca(signing_ca, &mut cert, &state.config).unwrap(); sign_cert_with_ca(signing_ca, &mut cert, &state.config).unwrap();
let all_blocked_hosts = hosts::dsl::hosts let all_blocked_hosts = hosts::dsl::hosts
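Review bot: After the two clamps in generate_config, nothing checks that the validity window is still non-empty: if the signing CA has already expired, or is not yet valid, `cert.details.not_after` can end up at or before `cert.details.not_before`, and the certificate is still handed to `sign_cert_with_ca`. A guard such as `if cert.details.not_before >= cert.details.not_after { /* return the handler's error instead of signing */ }` placed just before the signing call would make that case fail closed. The new `serde_json::from_value(signing_ca.cert.clone()).unwrap()` also panics inside the request handler when the stored CA record does not deserialize; mapping it to an error response would be safer, though the handler's error type is not visible here. If other code paths also call `sign_cert_with_ca`, the clamp presumably belongs inside that function so every issuer gets it; that cannot be confirmed from this hunk. generate_config starts before and continues past the visible lines.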