From 6275cb6d3eb0ad1019ef1818bf84056d8d21c5c4 Mon Sep 17 00:00:00 2001
From: core
Date: Tue, 2 Jan 2024 20:13:57 -0500
Subject: [PATCH] 0.3.0-alpha2: fix edge case where trifid would issue certs that outlive the CA sometimes
---
 Cargo.lock | 2 +-
 trifid-api/Cargo.toml | 2 +-
 trifid-api/src/config_generator.rs | 13 +++++++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index b939bca..3c7ee79 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3083,7 +3083,7 @@ dependencies = [

 [[package]]
 name = "trifid-api"
-version = "0.3.0-alpha1"
+version = "0.3.0-alpha2"
 dependencies = [
 "actix-cors",
 "actix-web",
diff --git a/trifid-api/Cargo.toml b/trifid-api/Cargo.toml
index 735f07b..77ad4d3 100644
--- a/trifid-api/Cargo.toml
+++ b/trifid-api/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "trifid-api"
-version = "0.3.0-alpha1"
+version = "0.3.0-alpha2"
 authors = ["core "]
 edition = "2021"
 description = "An open-source reimplementation of the Defined Networking API server"
diff --git a/trifid-api/src/config_generator.rs b/trifid-api/src/config_generator.rs
index 384b561..230c064 100644
--- a/trifid-api/src/config_generator.rs
+++ b/trifid-api/src/config_generator.rs
@@ -4,9 +4,9 @@
 // Review carefully what you write here!

 use crate::crypt::sign_cert_with_ca;
-use crate::models::{Host, HostKey, HostOverride, Network, Role, RoleFirewallRule, SigningCA};
+use crate::models::{Host, HostKey, HostOverride, Network, RoleFirewallRule, SigningCA};
 use crate::schema::{
- host_keys, host_overrides, hosts, networks, role_firewall_rules, roles, signing_cas,
+ host_keys, host_overrides, hosts, networks, role_firewall_rules, signing_cas,
 };
 use crate::AppState;
 use actix_web::web::Data;
@@ -109,6 +109,15 @@ pub async fn generate_config(
 signature: vec![],
 };

+ let ca_cert: NebulaCertificate = serde_json::from_value(signing_ca.cert.clone()).unwrap();
+
+ if cert.details.not_before < ca_cert.details.not_before {
+ cert.details.not_before = ca_cert.details.not_before; // prevent issuing invalid certs
+ }
+ if cert.details.not_after > ca_cert.details.not_after {
+ cert.details.not_after = ca_cert.details.not_after; // prevent issuing invalid certs
+ }
+
 sign_cert_with_ca(signing_ca, &mut cert, &state.config).unwrap();

 let all_blocked_hosts = hosts::dsl::hosts
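Review bot: After the two clamps nothing checks that the validity window is still non-empty: if the CA has already expired (or is not valid until after the requested expiry), one bound is moved past the other and the certificate is signed with `not_before > not_after`. I would refuse issuance in that case by testing `cert.details.not_before >= cert.details.not_after` right before `sign_cert_with_ca` and returning the handler's error response instead of signing; this assumes the values set above the hunk start around the current time. Separately, `serde_json::from_value(signing_ca.cert.clone()).unwrap()` panics inside the request path when the stored CA record does not deserialize, so it should be mapped to an error response as well. `generate_config` starts and ends outside this hunk, so the exact error type to return is not visible here.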