Verified Commit 3205cdda authored by Vojtech Myslivec's avatar Vojtech Myslivec

main: Do not process old requests

parent 9b725e9a
......@@ -3,6 +3,7 @@ Main entry point of Sentinel:CA package
"""
import logging
import time
import sn
......@@ -13,9 +14,19 @@ from .exceptions import CAParseError, CARequestClientError, CARequestServerError
from .redis import init_redis, get_request, check_request, set_cert, set_auth_ok, set_auth_fail, set_auth_error
from .sn import check_auth, config, init_sn
# a request should be dealed in several tens of seconds
VALID_REQUEST_THRESHOLD = 40
logger = logging.getLogger("ca")
def check_timestamp(request):
threshold = request["ts"] + VALID_REQUEST_THRESHOLD
if int(time.time()) > threshold:
raise CARequestServerError("Request is too old")
def process(r, socket, ca):
try:
request = get_request(r)
......@@ -25,7 +36,11 @@ def process(r, socket, ca):
return
try:
# if anything fails, CARequestServerError is risen
# CARequestClientError or CARequestServerError is risen if anything fails
# do not process old requests
check_timestamp(request)
csr = csr_from_str(request["csr_str"])
check_csr(csr, request["sn"])
check_auth(socket, request)
......
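Review bot: check_timestamp (lines with `threshold = request["ts"] + VALID_REQUEST_THRESHOLD`) rejects only a ts that is too far in the past; a ts ahead of the clock, whether from client skew or a crafted value if the client controls it, passes and remains "fresh" indefinitely, so the freshness window is one-sided. It also does arithmetic on an unvalidated value, and since the REQUIRED_REQUEST_KEYS change in this commit only asserts the key's presence, a string or null ts raises TypeError rather than one of the two CA* errors the comment above the try in process documents, which would presumably escape that handler (its except clause and the rest of process are outside the hunk). Coercing ts up front and bounding it on both sides keeps both failures inside the documented error path; a docstring stating that the window is plus/minus VALID_REQUEST_THRESHOLD seconds around the CA's clock would also make the contract explicit. Whether a request that merely aged in the queue should surface as a server or a client error is a separate decision worth recording in that docstring.
```python
def check_timestamp(request):
    try:
        ts = int(request["ts"])
    except (TypeError, ValueError):
        raise CARequestClientError("Request timestamp is missing or not an integer")
    now = int(time.time())
    # reject both stale and future-dated requests; a far-future ts would
    # otherwise never expire
    if ts > now + VALID_REQUEST_THRESHOLD:
        raise CARequestClientError("Request timestamp is in the future")
    if now > ts + VALID_REQUEST_THRESHOLD:
        raise CARequestServerError("Request is too old")
```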
......@@ -4,6 +4,7 @@ Redis wrappers for Sentinel:CA
import json
import logging
import redis
# to setup logger handlers
......@@ -21,6 +22,7 @@ AUTH_TTL = 5*60
QUEUE_NAME = "csr"
REQUIRED_REQUEST_KEYS = [
"sn",
"ts",
"sid",
"auth_type",
"nonce",
......
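Review bot: Adding "ts" to REQUIRED_REQUEST_KEYS guarantees only that the key exists; the consumer in main.py does integer arithmetic on it, so a non-integer value would pass this gate and fail later with a TypeError outside the CA error hierarchy. If check_request is where request shape is validated (its body is outside this hunk), that is the natural place to also require `isinstance(request["ts"], int)` and reject the entry as malformed, so bad queue items are refused once at the boundary rather than in each consumer. A one-line comment on the list, `# presence only; value types are checked in check_request`, or the opposite if that is not the case, would make the contract clear to the next reader.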
......@@ -5,6 +5,7 @@ Reusable functions for cryptography stuff
import datetime
import hashlib
import os
import time
# backend
from cryptography.hazmat.backends import default_backend
......@@ -190,6 +191,8 @@ def gen_no_key_identifiers_cacert(private_key):
def build_request(renew=False, valid_subject_name=True, valid_hash=True):
ts = int(time.time())
device_id = os.urandom(8).hex()
sid = os.urandom(16).hex()
nonce = os.urandom(16).hex()
......@@ -211,6 +214,7 @@ def build_request(renew=False, valid_subject_name=True, valid_hash=True):
req = {
"sn": device_id,
"ts": ts,
"sid": sid,
"auth_type": "dummy",
"nonce": nonce,
......
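Review bot: build_request now always stamps the current time, so this helper cannot produce a stale request and the new "Request is too old" path in main.py has no fixture to exercise it. A defaulted offset keeps existing callers unchanged: `def build_request(renew=False, valid_subject_name=True, valid_hash=True, ts_offset=0):` with `ts = int(time.time()) + ts_offset`, plus a docstring line noting that a negative ts_offset yields an already-expired request and a positive one a future-dated request. build_request's body continues outside the hunk.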