Certificate generation and sync, implemented proper grant and revocation flows. Pubkey uploading. Added openssh-client to Dockerfile

app/apps/accounts/views.py

@@ -2,9 +2,14 @@ from django.conf import settings
 from django.contrib.auth import logout
 from django.contrib.auth import views as auth_views
 from django.contrib.auth.decorators import login_required
+from django.core.exceptions import ValidationError
+from django.db import IntegrityError
 from django.shortcuts import redirect, render
 
-from .forms import ErasureRequestForm
+from apps.keys.certificates import issue_certificate_for_key
+from apps.keys.models import SSHKey
+
+from .forms import ErasureRequestForm, SSHKeyForm
 from .models import ErasureRequest
 
 
@@ -13,25 +18,55 @@ def profile(request):
   erasure_request = (
     ErasureRequest.objects.filter(user=request.user).order_by("-requested_at").first()
   )
+  can_add_key = request.user.has_perm("keys.add_sshkey")
   if request.method == "POST":
-    form = ErasureRequestForm(request.POST)
-    if form.is_valid():
-      if erasure_request and erasure_request.status == ErasureRequest.Status.PENDING:
-        form.add_error(None, "You already have a pending erasure request.")
-      else:
-        ErasureRequest.objects.create(
-          user=request.user,
-          reason=form.cleaned_data["reason"].strip(),
-        )
-        return redirect("accounts:profile")
+    form_type = request.POST.get("form_type")
+    if form_type == "ssh_key":
+      erasure_form = ErasureRequestForm()
+      key_form = SSHKeyForm(request.POST)
+      if key_form.is_valid():
+        if not can_add_key:
+          key_form.add_error(None, "You do not have permission to add SSH keys.")
+        else:
+          name = key_form.cleaned_data["name"].strip()
+          public_key = key_form.cleaned_data["public_key"].strip()
+          key = SSHKey(user=request.user, name=name)
+          try:
+            key.set_public_key(public_key)
+            key.save()
+            issue_certificate_for_key(key, created_by=request.user)
+            return redirect("accounts:profile")
+          except ValidationError as exc:
+            key_form.add_error("public_key", str(exc))
+          except IntegrityError:
+            key_form.add_error("public_key", "Key already exists.")
+          except Exception:
+            key_form.add_error(None, "Certificate issuance failed.")
+    else:
+      key_form = SSHKeyForm()
+      erasure_form = ErasureRequestForm(request.POST)
+      if erasure_form.is_valid():
+        if erasure_request and erasure_request.status == ErasureRequest.Status.PENDING:
+          erasure_form.add_error(None, "You already have a pending erasure request.")
+        else:
+          ErasureRequest.objects.create(
+            user=request.user,
+            reason=erasure_form.cleaned_data["reason"].strip(),
+          )
+          return redirect("accounts:profile")
   else:
-    form = ErasureRequestForm()
+    erasure_form = ErasureRequestForm()
+    key_form = SSHKeyForm()
 
+  ssh_keys = SSHKey.objects.filter(user=request.user).order_by("-created_at")
   context = {
     "user": request.user,
     "auth_mode": getattr(settings, "KEYWARDEN_AUTH_MODE", "hybrid"),
     "erasure_request": erasure_request,
-    "erasure_form": form,
+    "erasure_form": erasure_form,
+    "key_form": key_form,
+    "ssh_keys": ssh_keys,
+    "can_add_key": can_add_key,
   }
   return render(request, "accounts/profile.html", context)