add-quality-check-script #20

Open
jandd wants to merge 6 commits from add-quality-check-script into main
jandd commented 3 weeks ago
Owner

This pull request adds a script to check the quality of certificate signing requests and certificates recorded in the webdb database. The script uses read-only access to the database and filesystem.

Poetry is used to manage the required Python dependencies. Database access uses SQLAlchemy and the MariaDB connector/Python. The cryptography library is used to check the CSR and certificate data.

Script operation can be controlled using a set of environment variables.

| Environment Variable  | Usage                                       |
| --------------------- | ------------------------------------------- |
| `DB_USER`             | database user                               |
| `DB_PASSWORD`         | database password                           |
| `DB_HOST`             | database hostname                           |
| `DB_PORT`             | database TCP port                           |
| `DB_NAME`             | database name                               |
| `ROOT_CA_CERTIFICATE` | filename to the class 1 root CA certificate |
| `SUB_CA_CERTIFICATE`  | filename to the class 3 sub CA certificate  |
| `DEBUG`               | enable debug logging                        |

DEBUG is evaluated using the bool builtin function.

jandd added 3 commits 3 weeks ago
jandd requested review from dirk 3 weeks ago
jandd added 1 commit 3 weeks ago
bmc approved these changes 3 weeks ago
jandd added 1 commit 2 weeks ago
jandd added 1 commit 2 weeks ago
46db965846 Use mariadb version compatible with Debian 11
webdb is currently deployed on a Debian 11 system that comes with
mariadb client library version 10.5.23. The mariadb driver version broke
compatibility in release 1.1.x. This commit ensures that versions below
1.1.x are used. This should be changed when upgrading the webdb systems
to Debian 12 or later.
dirk approved these changes 1 week ago
dirk left a comment
Owner

I'm only able to understand Python a little bit, so I don't know special details about this language ...

... but as far as I'm able to read the code, it could be installed on webdb2 (for testing) AS LONG AS THERE IS A SECOND REVIEW by a person having more/detailed python-knowledge.

(After successful testing on webdb2 with production data it could be installed on webdb1, too).


Reference: cacert/cacert-webdb#20