Is your feature request related to a problem? Please describe.
Because the device hostname and MAC address are explicitly bound to the certificate, via the CN and custom OIDs, any modification to the device's hardware properties results in a stale, inaccurate certificate. If an admin swaps a device's network interface card, changing the MAC, the existing certificate becomes an invalid identity.
Describe the solution you'd like
I will implement a handler to regenerate certificates when hardware properties drift:
-
Signal Monitoring: wire OpenWISP's existing device_name_changed and standard post_save signals in handlers.py to actively monitor for modifications to the hostname and mac_address fields.
-
Regeneration: if a modification is detected on a device that holds a DeviceCertificate, trigger a regenerate_device_certificate_task.
- Revoke the outdated certificate via the CRL.
- Generate a newly bound certificate with the updated hardware properties.
- Preserve the proposal requirement that device UUID and MAC address are stored as custom private OIDs in generated certificates.
-
Safe Cache Invalidation: after regeneration, the system must trigger a config update using OpenWISP's native update_status_if_checksum_changed() method. This prevents false positive modified statuses and avoids triggering unnecessary monitoring alarms.
-
UI Alerting: push a UI notification using openwisp_notifications of type generic_message to inform the administrator after successful automated hardware-binding regeneration.
Requirements from the GSoC proposal
- Regeneration upon hostname or MAC address changes must be user-configurable to prevent unexpected downtime.
- The exact configuration point and default behavior are intentionally left open and must be decided during implementation.
- The exact private OID values for MAC address and device UUID are intentionally left open and must be decided or documented during implementation.
Tests from the GSoC proposal
- Device property change triggers certificate regeneration when regeneration is enabled.
- The generated replacement certificate includes the updated hostname or MAC address binding.
- A
generic_message toast notification appears after certificate regeneration.
Measurable outcomes: 4
Implementation point: 8
Is your feature request related to a problem? Please describe.
Because the device hostname and MAC address are explicitly bound to the certificate, via the CN and custom OIDs, any modification to the device's hardware properties results in a stale, inaccurate certificate. If an admin swaps a device's network interface card, changing the MAC, the existing certificate becomes an invalid identity.
Describe the solution you'd like
I will implement a handler to regenerate certificates when hardware properties drift:
Signal Monitoring: wire OpenWISP's existing
device_name_changedand standardpost_savesignals inhandlers.pyto actively monitor for modifications to the hostname andmac_addressfields.Regeneration: if a modification is detected on a device that holds a
DeviceCertificate, trigger aregenerate_device_certificate_task.Safe Cache Invalidation: after regeneration, the system must trigger a config update using OpenWISP's native
update_status_if_checksum_changed()method. This prevents false positive modified statuses and avoids triggering unnecessary monitoring alarms.UI Alerting: push a UI notification using openwisp_notifications of type
generic_messageto inform the administrator after successful automated hardware-binding regeneration.Requirements from the GSoC proposal
Tests from the GSoC proposal
generic_messagetoast notification appears after certificate regeneration.Measurable outcomes: 4
Implementation point: 8