Merge branch 'master' of https://github.com/truenas/middleware

src/middlewared/middlewared/api/base/decorator.py

@@ -116,7 +116,7 @@ def wrapped(*args):
         wrapped.audit_callback = audit_callback
         wrapped.audit_extended = audit_extended
         wrapped.rate_limit = rate_limit
-        wrapped.roles = roles or ['FULL_ADMIN']
+        wrapped.roles = roles or []
         wrapped._private = private
         wrapped._cli_private = cli_private
 

src/middlewared/middlewared/api/v25_04_0/__init__.py

@@ -17,6 +17,7 @@
 from .config import *  # noqa
 from .core import *  # noqa
 from .cronjob import *  # noqa
+from .crypto_ca_profiles import *  # noqa
 from .crypto_cert_profiles import *  # noqa
 from .device import *  # noqa
 from .disk import *  # noqa

src/middlewared/middlewared/api/v25_04_0/crypto_ca_profiles.py

@@ -0,0 +1,55 @@
+from typing import final
+
+from middlewared.api.base import BaseModel
+
+__all__ = ("CAProfilesArgs",  "CAProfilesModel", "CAProfilesResult")
+
+# Defines the default lifetime of a certificate
+# (https://support.apple.com/en-us/HT211025)
+DEFAULT_LIFETIME_DAYS = 397
+
+
+@final
+class KeyUsageModel(BaseModel):
+    enabled: bool = True
+    key_cert_sign: bool = True
+    crl_sign: bool = True
+    extension_critical: bool = True
+
+
+@final
+class BasicConstraintsModel(BaseModel):
+    enabled: bool = True
+    ca: bool = True
+    extension_critical: bool = True
+
+
+@final
+class ExtendedKeyUsageModel(BaseModel):
+    enabled: bool = True
+    extension_critical: bool = True
+    usages: list[str] = ["SERVER_AUTH"]
+
+
+@final
+class CertExtensionsModel(BaseModel):
+    KeyUsage: KeyUsageModel = KeyUsageModel()
+    BasicConstraints: BasicConstraintsModel = BasicConstraintsModel()
+    ExtentedKeyUsage: ExtendedKeyUsageModel = ExtendedKeyUsageModel()
+
+
+@final
+class CAProfilesModel(BaseModel):
+    key_length: int = 2048
+    key_type: str = "RSA"
+    lifetime: int = DEFAULT_LIFETIME_DAYS
+    digest_algorithm: str = "SHA256"
+    cert_extensions: CertExtensionsModel = CertExtensionsModel()
+
+
+class CAProfilesArgs(BaseModel):
+    pass
+
+
+class CAProfilesResult(BaseModel):
+    result: CAProfilesModel = CAProfilesModel()

src/middlewared/middlewared/api/v25_04_0/crypto_cert_profiles.py

@@ -6,11 +6,11 @@
 
 __all__ = (
     "CertProfilesArgs",
+    "CertProfilesModel",
     "CertProfilesResult",
     "CSRProfilesArgs",
+    "CSRProfilesModel",
     "CSRProfilesResult",
-    "CERTPROFILES",
-    "CSRPROFILES",
 )
 
 
@@ -174,7 +174,3 @@ class CSRProfilesArgs(BaseModel):
 @final
 class CSRProfilesResult(BaseModel):
     result: CSRProfilesModel = CSRProfilesModel()
-
-
-CERTPROFILES = CertProfilesModel().model_dump(by_alias=True)
-CSRPROFILES = CSRProfilesModel().model_dump(by_alias=True)

src/middlewared/middlewared/plugins/crypto_/ca_profiles.py

@@ -1,49 +1,20 @@
-from middlewared.schema import accepts, Dict, returns
+from middlewared.api import api_method
+from middlewared.api.current import (
+    CAProfilesArgs,
+    CAProfilesModel,
+    CAProfilesResult,
+)
 from middlewared.service import Service
 
-from .utils import DEFAULT_LIFETIME_DAYS
-
 
 class CertificateAuthorityService(Service):
-
     class Config:
-        cli_namespace = 'system.certificate.authority'
-
-    PROFILES = {
-        'CA': {
-            'key_length': 2048,
-            'key_type': 'RSA',
-            'lifetime': DEFAULT_LIFETIME_DAYS,
-            'digest_algorithm': 'SHA256',
-            'cert_extensions': {
-                'KeyUsage': {
-                    'enabled': True,
-                    'key_cert_sign': True,
-                    'crl_sign': True,
-                    'extension_critical': True
-                },
-                'BasicConstraints': {
-                    'enabled': True,
-                    'ca': True,
-                    'extension_critical': True
-                },
-                'ExtendedKeyUsage': {
-                    'enabled': True,
-                    'extension_critical': False,
-                    'usages': ['SERVER_AUTH']
-                }
-            }
-        }
-    }
+        cli_namespace = "system.certificate.authority"
 
-    @accepts(roles=['CERTIFICATE_AUTHORITY_READ'])
-    @returns(Dict(
-        'certificate_authority_profiles',
-        *[Dict(profile, additional_attrs=True) for profile in PROFILES]
-    ))
+    @api_method(CAProfilesArgs, CAProfilesResult, roles=["CERTIFICATE_AUTHORITY_READ"])
     async def profiles(self):
         """
-        Returns a dictionary of predefined options for specific use cases i.e OpenVPN certificate authority
-        configurations which can be used for creating certificate authorities.
+        Returns a dictionary of predefined options for
+        creating certificate authority requests.
         """
-        return self.PROFILES
+        return CAProfilesModel().model_dump(by_alias=True)

src/middlewared/middlewared/plugins/crypto_/cert_profiles.py

@@ -1,11 +1,11 @@
 from middlewared.api import api_method
 from middlewared.api.current import (
-    CERTPROFILES,
     CertProfilesArgs,
+    CertProfilesModel,
     CertProfilesResult,
     CSRProfilesArgs,
+    CSRProfilesModel,
     CSRProfilesResult,
-    CSRPROFILES,
 )
 from middlewared.service import Service
 
@@ -17,12 +17,12 @@ async def profiles(self):
         Returns a dictionary of predefined configuration
         options for creating certificates.
         """
-        return CERTPROFILES
+        return CertProfilesModel().model_dump(by_alias=True)
 
     @api_method(CSRProfilesArgs, CSRProfilesResult, roles=["CERTIFICATE_READ"])
     async def certificate_signing_requests_profiles(self):
         """
         Returns a dictionary of predefined configuration
         options for creating certificate signing requests.
         """
-        return CSRPROFILES
+        return CSRProfilesModel().model_dump(by_alias=True)

src/middlewared/middlewared/plugins/webui/crypto.py

@@ -1,11 +1,14 @@
 from middlewared.api import api_method
 from middlewared.api.current import (
-    CERTPROFILES,
+    CAProfilesArgs,
+    CAProfilesModel,
+    CAProfilesResult,
     CertProfilesArgs,
+    CertProfilesModel,
     CertProfilesResult,
     CSRProfilesArgs,
+    CSRProfilesModel,
     CSRProfilesResult,
-    CSRPROFILES,
 )
 from middlewared.schema import accepts, Int
 from middlewared.service import Service
@@ -21,14 +24,18 @@ class Config:
     @api_method(
         CertProfilesArgs,
         CertProfilesResult,
-        roles=['READONLY_ADMIN']
+        roles=['CERTIFICATE_READ']
     )
     async def certificate_profiles(self):
-        return CERTPROFILES
+        return CertProfilesModel().model_dump(by_alias=True)
 
-    @accepts(roles=['READONLY_ADMIN'])
+    @api_method(
+        CAProfilesArgs,
+        CAProfilesResult,
+        roles=['CERTIFICATE_AUTHORITY_READ']
+    )
     async def certificateauthority_profiles(self):
-        return await self.middleware.call('certificateauthority.profiles')
+        return CAProfilesModel().model_dump(by_alias=True)
 
     @accepts(Int('cert_id'), roles=['READONLY_ADMIN'])
     async def get_certificate_domain_names(self, cert_id):
@@ -37,7 +44,7 @@ async def get_certificate_domain_names(self, cert_id):
     @api_method(
         CSRProfilesArgs,
         CSRProfilesResult,
-        roles=['READONLY_ADMIN']
+        roles=['CERTIFICATE_READ']
     )
     async def csr_profiles(self):
-        return CSRPROFILES
+        return CSRProfilesModel().model_dump(by_alias=True)