lemur/lemur/authorities/schemas.py

"""
.. module: lemur.authorities.schemas
    :platform: unix
    :copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
from flask import current_app

from marshmallow import fields, validates_schema, pre_load
from marshmallow import validate
from marshmallow.exceptions import ValidationError

from lemur.schemas import PluginInputSchema, PluginOutputSchema, ExtensionSchema, AssociatedAuthoritySchema, AssociatedRoleSchema
from lemur.users.schemas import UserNestedOutputSchema
from lemur.common.schema import LemurInputSchema, LemurOutputSchema
from lemur.common import validators, missing

from lemur.common.fields import ArrowDateTime


class AuthorityInputSchema(LemurInputSchema):
    name = fields.String(required=True)
    owner = fields.Email(required=True)
    description = fields.String()
    common_name = fields.String(required=True, validate=validators.common_name)

    validity_start = ArrowDateTime()
    validity_end = ArrowDateTime()
    validity_years = fields.Integer()

    # certificate body fields
    organizational_unit = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT'))
    organization = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'))
    location = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_LOCATION'))
    country = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_COUNTRY'))
    state = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_STATE'))

    plugin = fields.Nested(PluginInputSchema)

    # signing related options
    type = fields.String(validate=validate.OneOf(['root', 'subca']), missing='root')
    parent = fields.Nested(AssociatedAuthoritySchema)
    signing_algorithm = fields.String(validate=validate.OneOf(['sha256WithRSA', 'sha1WithRSA']), missing='sha256WithRSA')
    key_type = fields.String(validate=validate.OneOf(['RSA2048', 'RSA4096']), missing='RSA2048')
    key_name = fields.String()
    sensitivity = fields.String(validate=validate.OneOf(['medium', 'high']), missing='medium')
    serial_number = fields.Integer()
    first_serial = fields.Integer(missing=1)

    extensions = fields.Nested(ExtensionSchema)

    roles = fields.Nested(AssociatedRoleSchema(many=True))

    @validates_schema
    def validate_dates(self, data):
        validators.dates(data)

    @validates_schema
    def validate_subca(self, data):
        if data['type'] == 'subca':
            if not data.get('parent'):
                raise ValidationError("If generating a subca, parent 'authority' must be specified.")

    @pre_load
    def ensure_dates(self, data):
        return missing.convert_validity_years(data)


class AuthorityUpdateSchema(LemurInputSchema):
    owner = fields.Email(required=True)
    description = fields.String()
    active = fields.Boolean(missing=True)
    roles = fields.Nested(AssociatedRoleSchema(many=True))


class RootAuthorityCertificateOutputSchema(LemurOutputSchema):
    __envelope__ = False
    id = fields.Integer()
    active = fields.Boolean()
    bits = fields.Integer()
    body = fields.String()
    chain = fields.String()
    description = fields.String()
    name = fields.String()
    cn = fields.String()
    not_after = fields.DateTime()
    not_before = fields.DateTime()
    owner = fields.Email()
    status = fields.Boolean()
    user = fields.Nested(UserNestedOutputSchema)


class AuthorityOutputSchema(LemurOutputSchema):
    id = fields.Integer()
    description = fields.String()
    name = fields.String()
    owner = fields.Email()
    plugin = fields.Nested(PluginOutputSchema)
    active = fields.Boolean()
    options = fields.Dict()
    roles = fields.List(fields.Nested(AssociatedRoleSchema))
    authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema)


class AuthorityNestedOutputSchema(LemurOutputSchema):
    __envelope__ = False
    id = fields.Integer()
    description = fields.String()
    name = fields.String()
    owner = fields.Email()
    plugin = fields.Nested(PluginOutputSchema)
    active = fields.Boolean()


authority_update_schema = AuthorityUpdateSchema()
authority_input_schema = AuthorityInputSchema()
authority_output_schema = AuthorityOutputSchema()
authorities_output_schema = AuthorityOutputSchema(many=True)
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`"""`
			`.. module: lemur.authorities.schemas`
			`:platform: unix`
Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 19:18:16 +02:00			`:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`:license: Apache, see LICENSE for more details.`
			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`
			`"""`
			`from flask import current_app`

Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`from marshmallow import fields, validates_schema, pre_load`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`from marshmallow import validate`
			`from marshmallow.exceptions import ValidationError`

Fixes various issues. (#316) 2016-05-13 23:35:38 +02:00			`from lemur.schemas import PluginInputSchema, PluginOutputSchema, ExtensionSchema, AssociatedAuthoritySchema, AssociatedRoleSchema`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`from lemur.users.schemas import UserNestedOutputSchema`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`from lemur.common.schema import LemurInputSchema, LemurOutputSchema`
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`from lemur.common import validators, missing`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00
Time (#482) * adding python 3.5 as a target * adding env flag * Aligning on arrow dates. 2016-11-09 19:56:22 +01:00			`from lemur.common.fields import ArrowDateTime`

Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00
			`class AuthorityInputSchema(LemurInputSchema):`
			`name = fields.String(required=True)`
			`owner = fields.Email(required=True)`
			`description = fields.String()`
Reworked sensitive domain name and restriction logic (#878) * This is a fix for a potential security issue; the old code had edge cases with unexpected behavior. * LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS is a list of allowed domain name patterns. Per discussion in PR #600 * Domain restrictions are now checked everywhere: in domain name-like CN (common name) values and SAN DNSNames, including raw CSR requests. * Common name values that contain a space are exempt, since they cannot be valid domain names. 2017-08-17 04:24:49 +02:00			`common_name = fields.String(required=True, validate=validators.common_name)`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00
Time (#482) * adding python 3.5 as a target * adding env flag * Aligning on arrow dates. 2016-11-09 19:56:22 +01:00			`validity_start = ArrowDateTime()`
			`validity_end = ArrowDateTime()`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`validity_years = fields.Integer()`

			`# certificate body fields`
			`organizational_unit = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT'))`
			`organization = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'))`
			`location = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_LOCATION'))`
			`country = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_COUNTRY'))`
			`state = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_STATE'))`

Various bug fixes. (#314) 2016-05-12 21:38:44 +02:00			`plugin = fields.Nested(PluginInputSchema)`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00
			`# signing related options`
			`type = fields.String(validate=validate.OneOf(['root', 'subca']), missing='root')`
Fixes (#329) * Modifying the way roles are assigned. * Adding migration scripts. * Adding endpoints field for future use. * Fixing dropdowns. 2016-05-24 03:38:04 +02:00			`parent = fields.Nested(AssociatedAuthoritySchema)`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`signing_algorithm = fields.String(validate=validate.OneOf(['sha256WithRSA', 'sha1WithRSA']), missing='sha256WithRSA')`
			`key_type = fields.String(validate=validate.OneOf(['RSA2048', 'RSA4096']), missing='RSA2048')`
			`key_name = fields.String()`
			`sensitivity = fields.String(validate=validate.OneOf(['medium', 'high']), missing='medium')`
			`serial_number = fields.Integer()`
			`first_serial = fields.Integer(missing=1)`

			`extensions = fields.Nested(ExtensionSchema)`

			`roles = fields.Nested(AssociatedRoleSchema(many=True))`

			`@validates_schema`
			`def validate_dates(self, data):`
			`validators.dates(data)`

			`@validates_schema`
			`def validate_subca(self, data):`
			`if data['type'] == 'subca':`
Fixing and error causing duplicate roles to be created. (#339) * Fixing and error causing duplicate roles to be created. * Fixing python3 * Fixing python2 and python3 2016-06-01 00:44:54 +02:00			`if not data.get('parent'):`
Correcting grammar for subca ValidationError message for clarity (#657) 2017-01-18 21:34:16 +01:00			`raise ValidationError("If generating a subca, parent 'authority' must be specified.")`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`@pre_load`
			`def ensure_dates(self, data):`
Adds option to restrict certificate expiration dates to weekdays. (#453) * Adding ability to restrict certificate creation to weekdays. * Ensuring that we test for weekends. 2016-10-15 09:04:35 +02:00			`return missing.convert_validity_years(data)`
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00
Fixes various issues. (#317) 2016-05-16 18:23:48 +02:00			`class AuthorityUpdateSchema(LemurInputSchema):`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`owner = fields.Email(required=True)`
Fixes various issues. (#317) 2016-05-16 18:23:48 +02:00			`description = fields.String()`
Fixes bug where authority status was not set correctly. (#739) 2017-03-29 19:10:51 +02:00			`active = fields.Boolean(missing=True)`
Fixes various issues. (#317) 2016-05-16 18:23:48 +02:00			`roles = fields.Nested(AssociatedRoleSchema(many=True))`


Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`class RootAuthorityCertificateOutputSchema(LemurOutputSchema):`
			`__envelope__ = False`
			`id = fields.Integer()`
			`active = fields.Boolean()`
			`bits = fields.Integer()`
			`body = fields.String()`
			`chain = fields.String()`
			`description = fields.String()`
			`name = fields.String()`
			`cn = fields.String()`
			`not_after = fields.DateTime()`
			`not_before = fields.DateTime()`
			`owner = fields.Email()`
			`status = fields.Boolean()`
			`user = fields.Nested(UserNestedOutputSchema)`


Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`class AuthorityOutputSchema(LemurOutputSchema):`
			`id = fields.Integer()`
Fixes various issues. (#317) 2016-05-16 18:23:48 +02:00			`description = fields.String()`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`name = fields.String()`
			`owner = fields.Email()`
Fixes various issues. (#316) 2016-05-13 23:35:38 +02:00			`plugin = fields.Nested(PluginOutputSchema)`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`active = fields.Boolean()`
			`options = fields.Dict()`
			`roles = fields.List(fields.Nested(AssociatedRoleSchema))`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema)`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00
			`class AuthorityNestedOutputSchema(LemurOutputSchema):`
Allowing the role-user associated to be updated. (#396) * Allowing the role-user associated to be updated. * Fixing tests * Fixing tests, for real. 2016-07-07 22:03:10 +02:00			`__envelope__ = False`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00			`id = fields.Integer()`
			`description = fields.String()`
			`name = fields.String()`
			`owner = fields.Email()`
			`plugin = fields.Nested(PluginOutputSchema)`
			`active = fields.Boolean()`


Fixes various issues. (#317) 2016-05-16 18:23:48 +02:00			`authority_update_schema = AuthorityUpdateSchema()`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`authority_input_schema = AuthorityInputSchema()`
			`authority_output_schema = AuthorityOutputSchema()`
			`authorities_output_schema = AuthorityOutputSchema(many=True)`