user cert is now revoked when user is deleted

134bc228 · Václav Bartoš · 4097f905 · 134bc228 · 134bc228
Commit 134bc228 authored 2 years ago by Václav Bartoš
--- a/certificates.py
+++ b/certificates.py
@@ -123,11 +123,17 @@ def revoke_certificate(cn: str):
    :param cn: CN (common name) identifying the certificate
    """
    _check_cn(cn)
-    raise NotImplementedError
+    # Revoke the certificate
-    # cmd = [{EASYRSA}, "TODO", cn]
+    cmd = [EASYRSA, "revoke", cn]
-    # result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
+    result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
-    # if result.returncode != 0:
+    if result.returncode != 0:
-    #     raise CertError(f"Can't revoke the certificate for '{cn}': {result.stderr[:500]}")
+        raise CertError(f"Can't revoke the certificate for '{cn}': {result.stderr[:500]}")
+    # Refresh the CRL list
+    cmd = [EASYRSA, "gen-crl"]
+    result = subprocess.run(cmd, env=EASYRSA_ENV, stderr=subprocess.PIPE)
+    if result.returncode != 0:
+        raise CertError(f"Certificate revoked, but there was an error during generating CRL: {result.stderr[:500]}")
+    # TODO check that Keycloak really looks into the CRL during user authentication
 def get_pem_files(cn: str):

--- a/main.py
+++ b/main.py
@@ -374,8 +374,6 @@ def add_user():
        try:
            certificates.generate_certificate(user.cn)
            flash(f'Certificate for user "{user.username}" was successfully created.', "success")
        except certificates.CertError as e:
            flash(str(e), "error")
            return redirect_to_main_page() # don't continue creating user accounts in services
@@ -531,12 +529,16 @@ def delete_user(username: str):
        flash(f"Error: Can't get user info from KeyCloak: {e}", "error")
        return redirect_to_main_page()
-    # TODO revoke certificate
+    try:
+        certificates.revoke_certificate(user_spec.cn)
+        flash(f'Certificate for "{user_spec.cn}" revoked.', "success")
+    except certificates.CertError as e:
+        flash(f"Error: {e}", "error")
    # Keycloak
    try:
        kc_delete_user(user_spec.kcid)
-        flash('User successfully deleted from KeyCloak.', "success")
+        flash(f'User "{user_spec.username}" successfully deleted from KeyCloak.', "success")
    except KeycloakError as e:
        flash(f'Error when deleting user from KeyCloak: {e}', "error")