Commit d17ae39d authored by Sophie Herold's avatar Sophie Herold 🌼

Remove HTTPS cert support

parent 1ee44f89
......@@ -83,15 +83,15 @@ INSERT INTO dns.service (backend_status, domain, registered, service, service_en
SELECT web.ins_site(
p_domain:='www.fun.example',
p_port:=80,
p_https:=FALSE,
p_user:='sshusr',
p_service_entity_name:='web.my-org.example'
);
SELECT web.upd_site('www.fun.example', 80, NULL);
SELECT web.ins_site(
p_domain:='www.fun.example',
p_port:=443,
p_https:=TRUE,
p_user:='sshusr',
p_service_entity_name:='web.my-org.example'
);
......@@ -130,6 +130,7 @@ $$ BEGIN
PERFORM web.ins_site(
p_domain:='www.fun.example',
p_port:=81,
p_https:=FALSE,
p_user:='sshusr',
p_service_entity_name:='web.my-org.example'
);
......
---
name: del_intermediate_chain
description: sdf
templates:
- user.userlogin
returns: void
parameters:
-
name: p_domain
type: dns.t_hostname
-
name: p_port
type: commons.t_port
-
name: p_identifier
type: commons.t_key
---
DELETE FROM web.intermediate_chain
WHERE
domain = p_domain AND
port = p_port AND
identifier = p_identifier;
---
name: fwd_x509_request
description: x509 request
templates:
- backend.backend
returns: void
parameters:
-
name: p_domain
type: dns.t_hostname
-
name: p_port
type: commons.t_port
-
name: p_identifier
type: commons.t_key
-
name: p_x509_request
type: web.t_cert
---
UPDATE web.https
SET x509_request = p_x509_request
WHERE
domain = p_domain AND
port = p_port AND
identifier = p_identifier;
---
name: ins_https
description: |
Create new HTTPS certificate
.. todo::
Fix missing owner verification (not critical)
templates:
- user.userlogin
returns: void
parameters:
-
name: p_domain
type: dns.t_hostname
-
name: p_port
type: commons.t_port
-
name: p_identifier
type: commons.t_key
---
INSERT INTO web.https
(domain, port, identifier)
VALUES
(p_domain, p_port, p_identifier);
PERFORM backend._notify_domain('web', 'site', p_domain);
---
name: ins_intermediate_cert
description: Xxx
templates:
- user.userlogin
returns: void
parameters:
-
name: p_subject_key_identifier
type: varchar
-
name: p_authority_key_identifier
type: varchar
-
name: p_x509_certificate
type: web.t_cert
---
INSERT INTO web.intermediate_cert
(subject_key_identifier, authority_key_identifier, x509_certificate)
VALUES
(p_subject_key_identifier, p_authority_key_identifier, p_x509_certificate);
---
name: ins_intermediate_chain
description: sdf
templates:
- user.userlogin
returns: void
parameters:
-
name: p_domain
type: dns.t_hostname
-
name: p_port
type: commons.t_port
-
name: p_identifier
type: commons.t_key
-
name: p_order
type: integer
-
name: p_subject_key_identifier
type: varchar
---
INSERT INTO web.intermediate_chain
(domain, port, identifier, "order", subject_key_identifier)
VALUES
(p_domain, p_port, p_identifier, p_order, p_subject_key_identifier);
......@@ -17,6 +17,9 @@ parameters:
-
name: p_port
type: commons.t_port
-
name: p_https
type: bool
-
name: p_user
type: server_access.t_user
......@@ -37,8 +40,8 @@ PERFORM system._contingent_ensure(
);
INSERT INTO web.site
(domain, service, subservice, port, "user", service_entity_name, owner)
(domain, service, subservice, port, https, "user", service_entity_name, owner)
VALUES
(p_domain, 'web', 'site', p_port, p_user, p_service_entity_name, v_owner);
(p_domain, 'web', 'site', p_port, p_https, p_user, p_service_entity_name, v_owner);
PERFORM backend._notify_domain('web', 'site', p_domain);
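Review bot: The new `p_https` parameter at the top of the hunk has no description and no default, so every existing caller of web.ins_site must be updated (the fixture hunks do this), and a NULL argument is only caught by the column constraint at the INSERT, assuming the `https` column is declared NOT NULL. Now that no certificate row is linked to the flag, it is worth saying what TRUE means, e.g. `description: Serve the site over HTTPS; certificate provisioning is not tracked in this schema`, and, if the template format supports parameter defaults, a default of `false` would keep older callers working. The start of the ins_site definition and the `v_owner` lookup lie outside the hunk.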
---
name: sel_https
description: sel https
templates:
- user.userlogin
returns: TABLE
returns_columns:
-
name: identifier
type: commons.t_key
-
name: domain
type: dns.t_hostname
-
name: port
type: commons.t_port
-
name: x509_request
type: web.t_cert
-
name: x509_certificate
type: web.t_cert
-
name: authority_key_identifier
type: varchar
-
name: backend_status
type: backend.t_status
---
RETURN QUERY
SELECT
t.identifier,
t.domain,
t.port,
t.x509_request,
t.x509_certificate,
t.authority_key_identifier,
t.backend_status
FROM web.https AS t
ORDER BY t.backend_status, t.identifier;
---
name: sel_intermediate_cert
description: int
templates:
- user.userlogin
returns: TABLE
returns_columns:
-
name: subject_key_identifier
type: varchar
-
name: authority_key_identifier
type: varchar
-
name: x509_certificate
type: web.t_cert
parameters:
-
name: p_subject_key_identifier
type: varchar
---
RETURN QUERY
SELECT
t.subject_key_identifier,
t.authority_key_identifier,
t.x509_certificate
FROM web.intermediate_cert AS t
WHERE
t.subject_key_identifier = p_subject_key_identifier;
---
name: sel_intermediate_chain
description: sel
templates:
- user.userlogin
returns: TABLE
returns_columns:
-
name: domain
type: dns.t_hostname
-
name: port
type: commons.t_port
-
name: identifier
type: commons.t_key
-
name: subject_key_identifier
type: varchar
-
name: x509_certificate
type: web.t_cert
-
name: order
type: integer
---
RETURN QUERY
SELECT
t.domain,
t.port,
t.identifier,
t.subject_key_identifier,
s.x509_certificate,
t.order
FROM web.intermediate_chain AS t
JOIN web.intermediate_cert AS s
USING (subject_key_identifier)
ORDER BY t.order;
......@@ -28,7 +28,7 @@ returns_columns:
type: dns.t_hostname
-
name: https
type: commons.t_key
type: bool
-
name: backend_status
type: backend.t_status
......
---
name: srv_https
description: |
Certs
templates:
- backend.backend
returns: TABLE
returns_columns:
-
name: identifier
type: commons.t_key
-
name: domain
type: dns.t_hostname
-
name: port
type: commons.t_port
-
name: x509_request
type: web.t_cert
-
name: x509_certificate
type: web.t_cert
-
name: x509_chain
type: varchar[]
-
name: backend_status
type: backend.t_status
---
RETURN QUERY
WITH
-- NO DELETE OPTION
-- UPDATE
s AS (
UPDATE web.https AS t
SET backend_status = NULL
WHERE
backend._machine_priviledged('web', t.domain) AND
backend._active(t.backend_status)
)
-- SELECT
SELECT
t.identifier,
t.domain,
t.port,
t.x509_request,
t.x509_certificate,
ARRAY(
SELECT s.x509_certificate::varchar
FROM web.intermediate_chain AS u
JOIN web.intermediate_cert AS s
USING (subject_key_identifier)
WHERE
u.domain = t.domain AND
u.port = t.port AND
u.identifier = t.identifier
ORDER by "order"
),
t.backend_status
FROM web.https AS t
WHERE
backend._machine_priviledged('web', t.domain) AND
(backend._active(t.backend_status) OR p_include_inactive);
......@@ -21,7 +21,7 @@ returns_columns:
type: dns.t_hostname
-
name: https
type: commons.t_key
type: bool
-
name: subservice
type: commons.t_key
......
---
name: upd_https
description: upd https
templates:
- user.userlogin
returns: void
parameters:
-
name: p_domain
type: dns.t_hostname
-
name: p_port
type: commons.t_port
-
name: p_identifier
type: commons.t_key
-
name: p_x509_certificate
type: web.t_cert
-
name: p_authority_key_identifier
type: varchar
---
UPDATE web.https
SET
x509_certificate = p_x509_certificate,
authority_key_identifier = p_authority_key_identifier
WHERE
domain = p_domain AND
port = p_port AND
identifier = p_identifier;
PERFORM backend._conditional_notify(FOUND, 'web', 'site', p_domain);
---
name: upd_site
description: set https identif.
templates:
- user.userlogin
returns: void
parameters:
-
name: p_domain
type: dns.t_hostname
-
name: p_port
type: commons.t_port
-
name: p_identifier
type: commons.t_key
---
UPDATE web.site AS s
SET https = p_identifier
WHERE
s.owner = v_owner AND
s.domain = p_domain AND
s.port = p_port;
PERFORM backend._conditional_notify(FOUND, 'web', 'site', p_domain);
......@@ -22,14 +22,3 @@ exec_post_install_and_upgrade: |
SELECT system._setup_register_subservice('web', 'dns_activatable');
SELECT system._setup_register_subservice('web', 'http_redirect');
domains:
-
name: t_cert
type: text
description: PEM cert
checks:
-
name: base64
description: no newlines in db
check: VALUE ~ '^[a-zA-Z\d/+]+[=]{0,2}$'
name: https
description: stores https information
templates:
- backend.status
primary_key:
- identifier
- domain
- port
columns:
-
name: identifier
type: commons.t_key
description: PK
-
name: domain
type: dns.t_hostname
description: Domain
-
name: port
type: commons.t_port
description: Port
-
name: x509_request
type: web.t_cert
description: Certificate request
null: true
-
name: x509_certificate
type: web.t_cert
null: true
description: Certificate
-
name: authority_key_identifier
type: varchar
null: true
description: |
Identifier of the certificate that has signed this cert.
The Authority Key Identifier allows to build the chain of trust.
See <http://www.ietf.org/rfc/rfc3280.txt>.
Hopefully there exists an entry in web.intermediate_cert
or a root certificate with an equal subjectKeyIdentifier.
Is NULL whenever x509_certificate is NULL.
foreign_keys:
-
name: site
columns:
- domain
- port
ref_table: web.site
ref_columns:
- domain
- port
on_delete: CASCADE
name: intermediate_cert
description: |
Intermediate certificates
primary_key:
- subject_key_identifier
columns:
-
name: subject_key_identifier
type: varchar
description: Identifies this certificate
-
name: authority_key_identifier
type: varchar
description: |
Subject key identifier of the cert that has signed this cert.
NULL is not allowed, since self signed cert do not belong into intermediate
certs.
-
name: x509_certificate
type: web.t_cert
description: Intermediate certificate
name: intermediate_chain
description: xxx
primary_key:
- domain
- port
- identifier
- subject_key_identifier
columns:
-
name: domain
type: dns.t_hostname
description: Domain
-
name: port
type: commons.t_port
description: Port
-
name: identifier
type: commons.t_key
description: Identifier
-
name: order
type: integer
description: Ordering from leaf to root
-
name: subject_key_identifier
type: varchar
description: SubjectKeyIdentifier
references: web.intermediate_cert.subject_key_identifier
foreign_keys:
-
name: https cert
columns:
- domain
- port
- identifier
ref_table: web.https
ref_columns:
- domain
- port
- identifier
on_delete: CASCADE
......@@ -24,9 +24,8 @@ columns:
description: Server account under which the htdocs reside
-
name: https
type: commons.t_key
null: true
description: If null, HTTPS is deactivated
type: bool
description: HTTPS
checks:
-
......@@ -35,18 +34,6 @@ checks:
check: subservice <> 'http_redirect' OR (option->>'redirect_url')::varchar IS NOT NULL
foreign_keys:
-
name: https
columns:
- domain
- port
- https
ref_table: web.https
ref_columns:
- domain
- port
- identifier
-
name: server_access
columns:
......
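Review bot: The `https` column at the top of the hunk changes from a nullable `commons.t_key` to `bool` with `null: true` dropped, but no default or conversion rule is given; if this file is applied to an existing database, rows holding an identifier or NULL cannot be converted implicitly, so an upgrade step such as `ALTER TABLE web.site ALTER COLUMN https TYPE bool USING (https IS NOT NULL)` or a `default: false` seems needed — I cannot tell from the hunk how the schema tool applies type changes. The description `HTTPS` is also too terse now that the foreign key to web.https is removed and nothing ties the flag to a certificate; `description: TRUE if the site is served over HTTPS (certificate handling is outside this schema)` would record that. The rest of the column list and the remaining foreign keys are outside the hunk.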