Merge pull request #4977 from jtschladen/allow-cab-default-validity

Allow configuring default validity for cab_compliant CAs
Netflix · Oct 11, 2024 · 6388cfd · 6388cfd
2 parents 2462e93 + eef04f0
commit 6388cfd
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 8 deletions.
diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py
@@ -1,12 +1,9 @@
+import base64
 import os.path
 import secrets
 import string
 from typing import Dict, Any, List
 
-from celery.schedules import crontab
-
-import base64
-
 _basedir = os.path.abspath(os.path.dirname(__file__))
 
 # See the Lemur docs (https://lemur.readthedocs.org) for more information on configuration
@@ -167,6 +164,7 @@ def get_random_secret(length):
 # mail configuration
 # MAIL_SERVER = 'mail.example.com'
 
+PUBLIC_CA_DEFAULT_VALIDITY_DAYS = 397
 PUBLIC_CA_MAX_VALIDITY_DAYS = 397
 DEFAULT_VALIDITY_DAYS = 365
 

diff --git a/docs/administration.rst b/docs/administration.rst
@@ -238,11 +238,24 @@ Basic Configuration
         LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s=']
 
 
+.. data:: PUBLIC_CA_DEFAULT_VALIDITY_DAYS
+    :noindex:
+
+        Use this config to set a default validity for certificates issued by CA/Browser compliant authorities.
+        The authorities with cab_compliant option set to true will use this config. This value defaults to
+        `PUBLIC_CA_MAX_VALIDITY_DAYS` (see below) if not configured. The example below overrides the default validity
+        to 365 days.
+
+    ::
+
+        PUBLIC_CA_DEFAULT_VALIDITY_DAYS = 365
+
+
 .. data:: PUBLIC_CA_MAX_VALIDITY_DAYS
     :noindex:
 
         Use this config to override the limit of 397 days of validity for certificates issued by CA/Browser compliant authorities.
-        The authorities with cab_compliant option set to true will use this config. The example below overrides the default validity
+        The authorities with cab_compliant option set to true will use this config. The example below overrides the default max validity
         of 397 days and sets it to 365 days.
 
     ::

diff --git a/lemur/authorities/models.py b/lemur/authorities/models.py
@@ -9,7 +9,6 @@
 import json
 
 from flask import current_app
-from sqlalchemy.orm import relationship
 from sqlalchemy import (
     Column,
     Integer,
@@ -22,10 +21,11 @@
     Boolean,
 )
 from sqlalchemy.dialects.postgresql import JSON
+from sqlalchemy.orm import relationship
 
 from lemur.database import BaseModel, db
-from lemur.plugins.base import plugins
 from lemur.models import roles_authorities
+from lemur.plugins.base import plugins
 
 
 class Authority(BaseModel):
@@ -117,7 +117,7 @@ def max_issuance_days(self):
     @property
     def default_validity_days(self):
         if self.is_cab_compliant:
-            return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397)
+            return current_app.config.get("PUBLIC_CA_DEFAULT_VALIDITY_DAYS", current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397))
 
         return current_app.config.get("DEFAULT_VALIDITY_DAYS", 365)  # 1 year default