ansible/flaskpaste
1
0
Fork 0
forked from claw/flaskpaste
Code Pull Requests Activity

allow untrusted certs to manage own pastes

Browse Source 
Split authentication into two functions:
- get_client_fingerprint(): Identity for ownership (any cert)
- get_client_id(): Elevated privileges (trusted certs only)

Behavior:
- Anonymous: Create only, strict limits
- Untrusted cert: Create + delete/update/list own pastes, strict limits
- Trusted cert: All operations, relaxed limits (50MB, 5x rate)

Updated tests to reflect new behavior where revoked certs
can still manage their own pastes.
This commit is contained in:
Username
2025-12-21 12:59:18 +01:00
parent 1f09f2686a
commit 098789ff89
3 changed files with 65 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tests/test_pki.py
View File

@@ -283,9 +283,10 @@ class TestRevocationIntegration:
# Revoke the certificate
client.post(f"/pki/revoke/{serial}", headers={"X-SSL-Client-SHA1": issuer})
# Try to delete paste with revoked cert - should fail
# Revoked cert can still delete their own paste (ownership by fingerprint)
# They just lose elevated rate/size limits
delete_resp = client.delete(f"/{paste_id}", headers={"X-SSL-Client-SHA1": cert_fingerprint})
assert delete_resp.status_code == 401
assert delete_resp.status_code == 200
class TestPKICryptoFunctions: