Add backends for managing certificates, CA bundles, and fingerprints.

Review Request #13163 — Created July 28, 2023 and submitted

Information

Review Board
release-6.x

Reviewers

This introduces support for storage backends for certificate-related
data. Backends are responsible for adding, deleting, fetching, and
iterating through SSL/TLS certificates, CA bundles, and verified
certificate fingerprints, along with providing stats on the data stored.

These can all be tied to a specific Local Site or to the global site.
Each object has an ID specific to the backend, which can be used for
lookup or deletions. IDs must be set by the backend, and consumers of
the backends must take care not to allow user-provided input to be used
without validation.

Backends are given a space within the site's data directory where they
can store files. Most libraries and tools expect a file path to PEMs, so
the backend is responsible for ensuring that those files exist when
needed.

Each object type being managed has a "stored" counterpart class. These
are subclassed by the backend and used to associate any necessary
information needed to identify or place the object somewhere in a
storage system.

By default, we ship a file-based storage backend. This is designed for
most single-server or managed-sitedir needs. All data is managed on the
filesystem, using known paths and filenames. These files can be
hand-added to the correct directory, so long as they follow the correct
naming and file format schemes.

For most standard deployments, this will more than suffice. However,
we'll be providing a database-managed solution in Power Pack, for
handling very large numbers of certificates across unlimited numbers of
Local Sites in a manner that allows for synchronizing across servers.

For Review Board 6.0.0, we may not include any UI for interfacing with
storage, but rather can provide documentation for file-based storage. UI
would come in a follow-up release.

Unit tests pass.

Summary ID
Add backends for managing certificates, CA bundles, and fingerprints.
This introduces support for storage backends for certificate-related data. Backends are responsible for adding, deleting, fetching, and iterating through SSL/TLS certificates, CA bundles, and verified certificate fingerprints, along with providing stats on the data stored. These can all be tied to a specific Local Site or to the global site. Each object has an ID specific to the backend, which can be used for lookup or deletions. IDs must be set by the backend, and consumers of the backends must take care not to allow user-provided input to be used without validation. Backends are given a space within the site's data directory where they can store files. Most libraries and tools expect a file path to PEMs, so the backend is responsible for ensuring that those files exist when needed. Each object type being managed has a "stored" counterpart class. These are subclassed by the backend and used to associate any necessary information needed to identify or place the object somewhere in a storage system. By default, we ship a file-based storage backend. This is designed for most single-server or managed-sitedir needs. All data is managed on the filesystem, using known paths and filenames. These files can be hand-added to the correct directory, so long as they follow the correct naming and file format schemes. For most standard deployments, this will more than suffice. However, we'll be providing a database-managed solution in Power Pack, for handling very large numbers of certificates across unlimited numbers of Local Sites in a manner that allows for synchronizing across servers. For Review Board 6.0.0, we may not include any UI for interfacing with storage, but rather can provide documentation for file-based storage. UI would come in a follow-up release.
283b256ea9ba74a0c829240001318b46eeb7dcf3
Description From Last Updated

'typing.TYPE_CHECKING' imported but unused Column: 1 Error code: F401

reviewbotreviewbot

'typing.Union' imported but unused Column: 1 Error code: F401

reviewbotreviewbot

'djblets.testing.decorators.add_fixtures' imported but unused Column: 1 Error code: F401

reviewbotreviewbot

This should have an "or" in it. Same for several other instances throughout this change.

daviddavid
Checks run (1 failed, 1 succeeded)
flake8 failed.
JSHint passed.

flake8

chipx86
chipx86
david
  1. 
      
  2. reviewboard/certs/storage/base.py (Diff revision 3)
     
     
     
    Show all issues

    This should have an "or" in it. Same for several other instances throughout this change.

  3. 
      
chipx86
david
  1. Ship It!
  2. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-6.x (0aea6b0)