0.3.0-alpha2: fix edge case where trifid would issue certs that outlive the CA sometimes

Cargo.lock

@@ -3083,7 +3083,7 @@ dependencies = [
 
 [[package]]
 name = "trifid-api"
-version = "0.3.0-alpha1"
+version = "0.3.0-alpha2"
 dependencies = [
  "actix-cors",
  "actix-web",

trifid-api/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "trifid-api"
-version = "0.3.0-alpha1"
+version = "0.3.0-alpha2"
 authors = ["core <core@e3t.cc>"]
 edition = "2021"
 description = "An open-source reimplementation of the Defined Networking API server"

trifid-api/src/config_generator.rs

@@ -4,9 +4,9 @@
 // Review carefully what you write here!
 
 use crate::crypt::sign_cert_with_ca;
-use crate::models::{Host, HostKey, HostOverride, Network, Role, RoleFirewallRule, SigningCA};
+use crate::models::{Host, HostKey, HostOverride, Network, RoleFirewallRule, SigningCA};
 use crate::schema::{
-    host_keys, host_overrides, hosts, networks, role_firewall_rules, roles, signing_cas,
+    host_keys, host_overrides, hosts, networks, role_firewall_rules, signing_cas,
 };
 use crate::AppState;
 use actix_web::web::Data;
@@ -109,6 +109,15 @@ pub async fn generate_config(
         signature: vec![],
     };
 
+    let ca_cert: NebulaCertificate = serde_json::from_value(signing_ca.cert.clone()).unwrap();
+
+    if cert.details.not_before < ca_cert.details.not_before {
+        cert.details.not_before = ca_cert.details.not_before; // prevent issuing invalid certs
+    }
+    if cert.details.not_after > ca_cert.details.not_after {
+        cert.details.not_after = ca_cert.details.not_after; // prevent issuing invalid certs
+    }
+
     sign_cert_with_ca(signing_ca, &mut cert, &state.config).unwrap();
 
     let all_blocked_hosts = hosts::dsl::hosts