diff --git a/Cargo.lock b/Cargo.lock index b939bca..3c7ee79 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3083,7 +3083,7 @@ dependencies = [ [[package]] name = "trifid-api" -version = "0.3.0-alpha1" +version = "0.3.0-alpha2" dependencies = [ "actix-cors", "actix-web", diff --git a/trifid-api/Cargo.toml b/trifid-api/Cargo.toml index 735f07b..77ad4d3 100644 --- a/trifid-api/Cargo.toml +++ b/trifid-api/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "trifid-api" -version = "0.3.0-alpha1" +version = "0.3.0-alpha2" authors = ["core "] edition = "2021" description = "An open-source reimplementation of the Defined Networking API server" diff --git a/trifid-api/src/config_generator.rs b/trifid-api/src/config_generator.rs index 384b561..230c064 100644 --- a/trifid-api/src/config_generator.rs +++ b/trifid-api/src/config_generator.rs @@ -4,9 +4,9 @@ // Review carefully what you write here! use crate::crypt::sign_cert_with_ca; -use crate::models::{Host, HostKey, HostOverride, Network, Role, RoleFirewallRule, SigningCA}; +use crate::models::{Host, HostKey, HostOverride, Network, RoleFirewallRule, SigningCA}; use crate::schema::{ - host_keys, host_overrides, hosts, networks, role_firewall_rules, roles, signing_cas, + host_keys, host_overrides, hosts, networks, role_firewall_rules, signing_cas, }; use crate::AppState; use actix_web::web::Data; @@ -109,6 +109,15 @@ pub async fn generate_config( signature: vec![], }; + let ca_cert: NebulaCertificate = serde_json::from_value(signing_ca.cert.clone()).unwrap(); + + if cert.details.not_before < ca_cert.details.not_before { + cert.details.not_before = ca_cert.details.not_before; // prevent issuing invalid certs + } + if cert.details.not_after > ca_cert.details.not_after { + cert.details.not_after = ca_cert.details.not_after; // prevent issuing invalid certs + } + sign_cert_with_ca(signing_ca, &mut cert, &state.config).unwrap(); let all_blocked_hosts = hosts::dsl::hosts