From 134bc22840c0c73d7b6176201db24286cfbf4564 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=A1clav=20Barto=C5=A1?= <bartos@cesnet.cz>
Date: Thu, 22 Dec 2022 23:56:01 +0100
Subject: [PATCH] user cert is now revoked when user is deleted

---
 certificates.py | 16 +++++++++++-----
 main.py         | 10 ++++++----
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/certificates.py b/certificates.py
index 5810406..8b23e40 100644
--- a/certificates.py
+++ b/certificates.py
@@ -123,11 +123,17 @@ def revoke_certificate(cn: str):
     :param cn: CN (common name) identifying the certificate
     """
     _check_cn(cn)
-    raise NotImplementedError
-    # cmd = [{EASYRSA}, "TODO", cn]
-    # result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
-    # if result.returncode != 0:
-    #     raise CertError(f"Can't revoke the certificate for '{cn}': {result.stderr[:500]}")
+    # Revoke the certificate
+    cmd = [EASYRSA, "revoke", cn]
+    result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
+    if result.returncode != 0:
+        raise CertError(f"Can't revoke the certificate for '{cn}': {result.stderr[:500]}")
+    # Refresh the CRL list
+    cmd = [EASYRSA, "gen-crl"]
+    result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
+    if result.returncode != 0:
+        raise CertError(f"Certificate revoked, but there was an error during generating CRL: {result.stderr[:500]}")
+    # TODO check that Keycloak really looks into the CRL during user authentication
 
 
 def get_pem_files(cn: str):
diff --git a/main.py b/main.py
index 21c8cdb..9a5f264 100644
--- a/main.py
+++ b/main.py
@@ -374,8 +374,6 @@ def add_user():
     try:
         certificates.generate_certificate(user.cn)
         flash(f'Certificate for user "{user.username}" was successfully created.', "success")
-
-
     except certificates.CertError as e:
         flash(str(e), "error")
         return redirect_to_main_page()  # don't continue creating user accounts in services
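Review bot: The two new `subprocess.run` calls (the `revoke` and `gen-crl` lines) inherit the web process's stdin and capture stderr without `text=True`, so if `easyrsa revoke` asks for its interactive confirmation (it does unless batch mode is enabled, and the hunk does not show what EASYRSA_ENV contains) the request may block, and `result.stderr[:500]` renders as a `b'...'` repr inside the CertError message. I would use `result = subprocess.run(cmd, env=EASYRSA_ENV, stdin=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True)` on both calls, ideally with a `timeout=`, so a prompt fails fast with a readable error instead of hanging a worker. Separately, the function reports success as soon as `gen-crl` exits 0, yet as the trailing TODO admits the revocation only takes effect once the relying party consults the refreshed CRL; until that is verified a deleted user's certificate may still authenticate, so the TODO should be tracked as an open issue rather than left as a comment. revoke_certificate's signature and the start of its docstring are above the hunk.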
@@ -531,12 +529,16 @@ def delete_user(username: str):
         flash(f"Error: Can't get user info from KeyCloak: {e}", "error")
         return redirect_to_main_page()
 
-    # TODO revoke certificate
+    try:
+        certificates.revoke_certificate(user_spec.cn)
+        flash(f'Certificate for "{user_spec.cn}" revoked.', "success")
+    except certificates.CertError as e:
+        flash(f"Error: {e}", "error")
 
     # Keycloak
     try:
         kc_delete_user(user_spec.kcid)
-        flash('User successfully deleted from KeyCloak.', "success")
+        flash(f'User "{user_spec.username}" successfully deleted from KeyCloak.', "success")
     except KeycloakError as e:
         flash(f'Error when deleting user from KeyCloak: {e}', "error")
 
-- 
GitLab
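Review bot: In the new `except certificates.CertError` branch the failure is only flashed and control falls through to `kc_delete_user(user_spec.kcid)`, so the account is removed while its certificate may remain valid and nothing about the failed revocation reaches the server log; the add_user path touched by this same commit instead stops with `return redirect_to_main_page()` on CertError. Decide this explicitly: if deletion must not proceed with an un-revoked certificate, add `return redirect_to_main_page()` after the flash, and if deletion is meant to be best-effort, log the failure server-side as well, since a flash message disappears with the next page load. A comment such as `# Revocation failure is non-fatal here: the account is still deleted; the cert must then be revoked by hand` would document whichever choice is made. Revocation is also attempted unconditionally, so a user that never received a certificate (if that state is reachable) will always produce an error flash — worth checking against how add_user issues certificates. delete_user starts and ends outside the hunk.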