Save issued certificates to database

dnstapir · Dec 19, 2024 · 519210a · 519210a
1 parent 9d59a4e
commit 519210a
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 0 deletions.
diff --git a/nodeman/db_models.py b/nodeman/db_models.py
@@ -41,3 +41,24 @@ class TapirNodeEnrollment(Document):
 
     name = StringField(unique=True)
     key = DictField()
+
+
+class TapirCertificate(Document):
+    meta = {
+        "collection": "certificates",
+        "indexes": [
+            {"fields": ["name"]},
+            {"fields": ["issuer", "serial"], "unique": True},
+        ],
+    }
+
+    name = StringField()
+
+    issuer = StringField()
+    subject = StringField()
+    serial = StringField()
+
+    not_valid_before = DateTimeField()
+    not_valid_after = DateTimeField()
+
+    certificate = StringField()
diff --git a/nodeman/models.py b/nodeman/models.py
@@ -72,6 +72,7 @@ class NodeCertificate(BaseModel):
     x509_certificate: str = Field(title="X.509 Client Certificate Bundle")
     x509_ca_certificate: str = Field(title="X.509 CA Certificate Bundle")
     x509_certificate_serial_number: int | None = Field(default=None, exclude=True)
+    x509_certificate_not_valid_after: datetime
 
     @field_validator("x509_certificate", "x509_ca_certificate")
     @classmethod

diff --git a/nodeman/nodes.py b/nodeman/nodes.py
@@ -276,6 +276,7 @@ async def enroll_node(
         x509_certificate=node_certificate.x509_certificate,
         x509_ca_certificate=node_certificate.x509_ca_certificate,
         x509_certificate_serial_number=node_certificate.x509_certificate_serial_number,
+        x509_certificate_not_valid_after=node_certificate.x509_certificate_not_valid_after,
     )
 
 

diff --git a/nodeman/x509.py b/nodeman/x509.py
@@ -13,6 +13,7 @@
 from cryptography.x509.oid import ExtensionOID, NameOID
 from fastapi import HTTPException, Request, status
 
+from .db_models import TapirCertificate
 from .models import NodeCertificate
 
 RSA_EXPONENT = 65537
@@ -145,6 +146,16 @@ def process_csr_request(request: Request, csr: x509.CertificateSigningRequest, n
     x509_certificate_serial_number = x509_certificate.serial_number
     x509_not_valid_after_utc = x509_certificate.not_valid_after_utc.isoformat()
 
+    TapirCertificate(
+        name=name,
+        issuer=x509_certificate.issuer.rfc4514_string(),
+        subject=x509_certificate.subject.rfc4514_string(),
+        certificate=x509_certificate.public_bytes(serialization.Encoding.PEM).decode(),
+        serial=str(x509_certificate.serial_number),
+        not_valid_before=x509_certificate.not_valid_before_utc,
+        not_valid_after=x509_certificate.not_valid_after_utc,
+    ).save()
+
     logger.info(
         "Issued certificate for name=%s serial=%d not_valid_after=%s",
         name,
@@ -161,6 +172,7 @@ def process_csr_request(request: Request, csr: x509.CertificateSigningRequest, n
         x509_certificate=x509_certificate_pem,
         x509_ca_certificate=x509_ca_certificate_pem,
         x509_certificate_serial_number=x509_certificate_serial_number,
+        x509_certificate_not_valid_after=x509_certificate.not_valid_after_utc,
     )