management.models.security ========================== .. py:module:: management.models.security .. autoapi-nested-parse:: Security Configuration Model. Module Contents --------------- .. py:class:: SecurityConfig(*args, **kwargs) Bases: :py:obj:`django.db.models.Model` Security Configuration model. Stores the active security level together with all security thresholds for that level: * :attr:`rsa_minimum_key_size` — minimum acceptable RSA key size in bits (``0`` = any RSA key size allowed, ``None`` = RSA not allowed). * :attr:`not_permitted_ecc_curve_oids` — JSON list of :class:`trustpoint_core.oid.NamedCurve` OID strings that are not permitted at the current level. * :attr:`not_permitted_signature_algorithm_oids` — JSON list of :class:`trustpoint_core.oid.HashAlgorithm` OID strings that are not permitted. * :attr:`max_cert_validity_days` — maximum certificate validity in days (``None`` = no limit). * :attr:`max_crl_validity_days` — maximum CRL validity in days (``None`` = no limit). * :attr:`allow_ca_issuance` — whether BasicConstraints ca=True is permitted in issued certs. * :attr:`allow_auto_gen_pki` — whether auto-generated PKI may be enabled. * :attr:`allow_self_signed_ca` — whether self-signed CAs with credentials are allowed. * :attr:`require_physical_hsm` — whether key storage must be a physical HSM. * :attr:`permitted_no_onboarding_pki_protocols` — JSON list of allowed :class:`onboarding.models.NoOnboardingPkiProtocol` integer values. * :attr:`permitted_onboarding_protocols` — JSON list of allowed :class:`onboarding.models.OnboardingProtocol` integer values. Calling :meth:`apply_security_settings` applies the mode defaults onto this instance. .. py:class:: SecurityModeChoices(*args, **kwds) Bases: :py:obj:`django.db.models.TextChoices` Types of security modes. .. py:attribute:: LAB .. py:attribute:: BROWNFIELD .. py:attribute:: INDUSTRIAL .. py:attribute:: HARDENED .. py:attribute:: CRITICAL .. py:class:: NamedCurveChoices(*args, **kwds) Bases: :py:obj:`django.db.models.TextChoices` Selectable ECC curve OIDs sourced from :class:`trustpoint_core.oid.NamedCurve`. .. py:attribute:: SECP192R1 .. py:attribute:: SECP224R1 .. py:attribute:: SECP256K1 .. py:attribute:: SECP256R1 .. py:attribute:: SECP384R1 .. py:attribute:: SECP521R1 .. py:attribute:: BRAINPOOLP256R1 .. py:attribute:: BRAINPOOLP384R1 .. py:attribute:: BRAINPOOLP512R1 .. py:class:: HashAlgorithmChoices(*args, **kwds) Bases: :py:obj:`django.db.models.TextChoices` Selectable hash/signature algorithm OIDs from :class:`trustpoint_core.oid.HashAlgorithm`. .. py:attribute:: MD5 .. py:attribute:: SHA1 .. py:attribute:: SHA224 .. py:attribute:: SHA256 .. py:attribute:: SHA384 .. py:attribute:: SHA512 .. py:attribute:: security_mode .. py:attribute:: auto_gen_pki .. py:attribute:: auto_gen_pki_key_algorithm .. py:attribute:: rsa_minimum_key_size .. py:attribute:: not_permitted_ecc_curve_oids .. py:attribute:: not_permitted_signature_algorithm_oids .. py:attribute:: max_cert_validity_days .. py:attribute:: max_crl_validity_days .. py:attribute:: allow_ca_issuance .. py:attribute:: allow_auto_gen_pki .. py:attribute:: allow_self_signed_ca .. py:attribute:: require_physical_hsm .. py:attribute:: permitted_no_onboarding_pki_protocols .. py:attribute:: permitted_onboarding_protocols .. py:method:: apply_security_settings() Reset all thresholds to the defaults for the current security mode. .. py:method:: get_settings_preview_json() :classmethod: Return a JSON string of each mode's display-friendly threshold values for the settings JS. .. py:method:: check_mode_transition(target_mode) Check whether the existing data satisfies all requirements of *target_mode*.