diff --git a/src/middlewared/middlewared/plugins/crypto_/cert_entry.py b/src/middlewared/middlewared/plugins/crypto_/cert_entry.py index 0fb8ccd2d6459..38be5d00f2997 100644 --- a/src/middlewared/middlewared/plugins/crypto_/cert_entry.py +++ b/src/middlewared/middlewared/plugins/crypto_/cert_entry.py @@ -49,6 +49,7 @@ Int('lifetime', null=True), Int('serial', null=True), Int('key_length', null=True), + Bool('add_to_trusted_store', default=False), Bool('chain', null=True), Bool('CA_type_existing'), Bool('CA_type_internal'), @@ -68,5 +69,4 @@ def get_ca_result_entry(): entry = copy.deepcopy(CERT_ENTRY) entry.name = 'certificateauthority_entry' - entry.attrs['add_to_trusted_store'] = Bool('add_to_trusted_store') return entry diff --git a/src/middlewared/middlewared/plugins/crypto_/certificate_authorities.py b/src/middlewared/middlewared/plugins/crypto_/certificate_authorities.py index a5eca60258885..a53e18cebfb20 100644 --- a/src/middlewared/middlewared/plugins/crypto_/certificate_authorities.py +++ b/src/middlewared/middlewared/plugins/crypto_/certificate_authorities.py @@ -203,7 +203,6 @@ def set_defaults(attr): ('edit', _set_enum('create_type')), ('edit', _set_cert_extensions_defaults('cert_extensions')), ('rm', {'name': 'dns_mapping'}), - ('add', Bool('add_to_trusted_store', default=False)), register=True ), ) diff --git a/src/middlewared/middlewared/plugins/crypto_/certificates.py b/src/middlewared/middlewared/plugins/crypto_/certificates.py index 47e5c585387a4..49bd70aed5aaa 100644 --- a/src/middlewared/middlewared/plugins/crypto_/certificates.py +++ b/src/middlewared/middlewared/plugins/crypto_/certificates.py @@ -37,6 +37,7 @@ class CertificateModel(sa.Model): cert_renew_days = sa.Column(sa.Integer(), nullable=True, default=10) cert_acme_id = sa.Column(sa.ForeignKey('system_acmeregistration.id'), index=True, nullable=True) cert_revoked_date = sa.Column(sa.DateTime(), nullable=True) + cert_add_to_trusted_store = sa.Column(sa.Boolean(), default=False, nullable=False) class CertificateService(CRUDService): @@ -199,6 +200,7 @@ async def validate_common_attributes(self, data, schema_name): Str('digest_algorithm', enum=['SHA224', 'SHA256', 'SHA384', 'SHA512']), List('san', items=[Str('san')]), Ref('cert_extensions'), + Bool('add_to_trusted_store', default=False), register=True ), ) @@ -327,7 +329,7 @@ async def do_create(self, job, data): ).items() if k in [ 'name', 'certificate', 'CSR', 'privatekey', 'type', 'signedby', 'acme', 'acme_uri', - 'domains_authenticators', 'renew_days' + 'domains_authenticators', 'renew_days', 'add_to_trusted_store', ] } @@ -554,6 +556,7 @@ async def create_internal(self, job, data): 'certificate_update', Bool('revoked'), Int('renew_days', validators=[Range(min_=1, max_=30)]), + Bool('add_to_trusted_store'), Str('name'), ), ) @@ -594,7 +597,7 @@ async def do_update(self, job, id_, data): new.update(data) - if any(new.get(k) != old.get(k) for k in ('name', 'revoked', 'renew_days')): + if any(new.get(k) != old.get(k) for k in ('name', 'revoked', 'renew_days', 'add_to_trusted_store')): verrors = ValidationErrors() @@ -626,6 +629,12 @@ async def do_update(self, job, id_, data): 'Certificate has already been revoked and this cannot be reversed' ) + if not verrors and new['revoked'] and new['add_to_trusted_store']: + verrors.add( + 'certificate_update.add_to_trusted_store', + 'Revoked certificates cannot be added to system\'s trusted store' + ) + verrors.check() to_update = {'renew_days': new['renew_days']} if data.get('renew_days') else {} @@ -636,7 +645,7 @@ async def do_update(self, job, id_, data): 'datastore.update', self._config.datastore, id_, - {'name': new['name'], **to_update}, + {'name': new['name'], 'add_to_trusted_store': new['add_to_trusted_store'], **to_update}, {'prefix': self._config.datastore_prefix} )