lemur/lemur/certificates/models.py

"""
.. module: lemur.certificates.models
    :platform: Unix
    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
import datetime

from flask import current_app

from sqlalchemy import event, Integer, ForeignKey, String, DateTime, PassiveDefault, func, Column, Text, Boolean
from sqlalchemy.orm import relationship

from lemur.database import db
from lemur.models import certificate_associations, certificate_source_associations, \
    certificate_destination_associations, certificate_notification_associations, \
    certificate_replacement_associations, roles_certificates
from lemur.plugins.base import plugins
from lemur.utils import Vault

from lemur.common import defaults
from lemur.domains.models import Domain


def get_or_increase_name(name):
    count = Certificate.query.filter(Certificate.name.ilike('{0}%'.format(name))).count()

    if count >= 1:
        return name + '-' + str(count)

    return name


class Certificate(db.Model):
    __tablename__ = 'certificates'
    id = Column(Integer, primary_key=True)
    owner = Column(String(128), nullable=False)
    name = Column(String(128))  # , unique=True) TODO make all names unique
    description = Column(String(1024))
    active = Column(Boolean, default=True)

    body = Column(Text(), nullable=False)
    chain = Column(Text())
    private_key = Column(Vault)

    issuer = Column(String(128))
    serial = Column(String(128))
    cn = Column(String(128))
    deleted = Column(Boolean, index=True)

    not_before = Column(DateTime)
    not_after = Column(DateTime)
    date_created = Column(DateTime, PassiveDefault(func.now()), nullable=False)

    signing_algorithm = Column(String(128))
    status = Column(String(128))
    bits = Column(Integer())
    san = Column(String(1024))  # TODO this should be migrated to boolean

    user_id = Column(Integer, ForeignKey('users.id'))
    authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))
    root_authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))

    notifications = relationship("Notification", secondary=certificate_notification_associations, backref='certificate')
    destinations = relationship("Destination", secondary=certificate_destination_associations, backref='certificate')
    sources = relationship("Source", secondary=certificate_source_associations, backref='certificate')
    domains = relationship("Domain", secondary=certificate_associations, backref="certificate")
    roles = relationship("Role", secondary=roles_certificates, backref="certificate")
    replaces = relationship("Certificate",
                            secondary=certificate_replacement_associations,
                            primaryjoin=id == certificate_replacement_associations.c.certificate_id,  # noqa
                            secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id,  # noqa
                            backref='replaced')

    def __init__(self, **kwargs):
        cert = defaults.parse_certificate(kwargs['body'])
        self.owner = kwargs['owner']
        self.body = kwargs['body']
        self.private_key = kwargs.get('private_key')
        self.chain = kwargs.get('chain')
        self.destinations = kwargs.get('destinations', [])
        self.notifications = kwargs.get('notifications', [])
        self.description = kwargs.get('description')
        self.roles = list(set(kwargs.get('roles', [])))
        self.replaces = kwargs.get('replacements', [])
        self.signing_algorithm = defaults.signing_algorithm(cert)
        self.bits = defaults.bitstrength(cert)
        self.issuer = defaults.issuer(cert)
        self.serial = defaults.serial(cert)
        self.cn = defaults.common_name(cert)
        self.san = defaults.san(cert)
        self.not_before = defaults.not_before(cert)
        self.not_after = defaults.not_after(cert)
        self.name = get_or_increase_name(defaults.certificate_name(self.cn, self.issuer, self.not_before, self.not_after, self.san))

        for domain in defaults.domains(cert):
            self.domains.append(Domain(name=domain))

    @property
    def is_expired(self):
        if self.not_after < datetime.datetime.now():
            return True

    @property
    def is_unused(self):
        if self.elb_listeners.count() == 0:
            return True

    @property
    def is_revoked(self):
        # we might not yet know the condition of the cert
        if self.status:
            if 'revoked' in self.status:
                return True

    def get_arn(self, account_number):
        """
        Generate a valid AWS IAM arn

        :rtype : str
        :param account_number:
        :return:
        """
        return "arn:aws:iam::{}:server-certificate/{}".format(account_number, self.name)


@event.listens_for(Certificate.destinations, 'append')
def update_destinations(target, value, initiator):
    """
    Attempt to upload the new certificate to the new destination

    :param target:
    :param value:
    :param initiator:
    :return:
    """
    destination_plugin = plugins.get(value.plugin_name)
    try:
        destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)
    except Exception as e:
        current_app.logger.exception(e)


@event.listens_for(Certificate.replaces, 'append')
def update_replacement(target, value, initiator):
    """
    When a certificate is marked as 'replaced' it is then marked as in-active

    :param target:
    :param value:
    :param initiator:
    :return:
    """
    value.active = False


@event.listens_for(Certificate, 'before_update')
def protect_active(mapper, connection, target):
    """
    When a certificate has a replacement do not allow it to be marked as 'active'

    :param connection:
    :param mapper:
    :param target:
    :return:
    """
    if target.active:
        if target.replaced:
            raise Exception("Cannot mark certificate as active, certificate has been marked as replaced.")
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`.. module: lemur.certificates.models`
			`:platform: Unix`
			`:copyright: (c) 2015 by Netflix Inc., see AUTHORS for more`
			`:license: Apache, see LICENSE for more details.`
			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`
			`"""`
			`import datetime`
Making Lemur py3 compatible 2015-08-04 06:07:28 +02:00
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`from flask import current_app`

Initial support for notification plugins closes #8, closes #9, closes #7, closes #4, closes #16 2015-07-30 02:13:06 +02:00			`from sqlalchemy import event, Integer, ForeignKey, String, DateTime, PassiveDefault, func, Column, Text, Boolean`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`from sqlalchemy.orm import relationship`
initial commit 2015-06-22 22:47:27 +02:00
			`from lemur.database import db`
Adding backend code for sources models 2015-08-02 00:29:34 +02:00			`from lemur.models import certificate_associations, certificate_source_associations, \`
Closes #122 2015-11-24 23:53:22 +01:00			`certificate_destination_associations, certificate_notification_associations, \`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`certificate_replacement_associations, roles_certificates`
			`from lemur.plugins.base import plugins`
			`from lemur.utils import Vault`
initial commit 2015-06-22 22:47:27 +02:00
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`from lemur.common import defaults`
			`from lemur.domains.models import Domain`
initial commit 2015-06-22 22:47:27 +02:00

Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`def get_or_increase_name(name):`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`count = Certificate.query.filter(Certificate.name.ilike('{0}%'.format(name))).count()`
initial commit 2015-06-22 22:47:27 +02:00
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`if count >= 1:`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`return name + '-' + str(count)`
initial commit 2015-06-22 22:47:27 +02:00
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`return name`
initial commit 2015-06-22 22:47:27 +02:00

			`class Certificate(db.Model):`
			`__tablename__ = 'certificates'`
			`id = Column(Integer, primary_key=True)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`owner = Column(String(128), nullable=False)`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`name = Column(String(128)) # , unique=True) TODO make all names unique`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`description = Column(String(1024))`
			`active = Column(Boolean, default=True)`

			`body = Column(Text(), nullable=False)`
initial commit 2015-06-22 22:47:27 +02:00			`chain = Column(Text())`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`private_key = Column(Vault)`

initial commit 2015-06-22 22:47:27 +02:00			`issuer = Column(String(128))`
			`serial = Column(String(128))`
			`cn = Column(String(128))`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`deleted = Column(Boolean, index=True)`

initial commit 2015-06-22 22:47:27 +02:00			`not_before = Column(DateTime)`
			`not_after = Column(DateTime)`
			`date_created = Column(DateTime, PassiveDefault(func.now()), nullable=False)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00
Adding the ability to track a certificates signing key algorithm 2015-10-06 21:51:59 +02:00			`signing_algorithm = Column(String(128))`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`status = Column(String(128))`
			`bits = Column(Integer())`
			`san = Column(String(1024)) # TODO this should be migrated to boolean`

initial commit 2015-06-22 22:47:27 +02:00			`user_id = Column(Integer, ForeignKey('users.id'))`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))`
			`root_authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))`

Initial support for notification plugins closes #8, closes #9, closes #7, closes #4, closes #16 2015-07-30 02:13:06 +02:00			`notifications = relationship("Notification", secondary=certificate_notification_associations, backref='certificate')`
			`destinations = relationship("Destination", secondary=certificate_destination_associations, backref='certificate')`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`sources = relationship("Source", secondary=certificate_source_associations, backref='certificate')`
			`domains = relationship("Domain", secondary=certificate_associations, backref="certificate")`
			`roles = relationship("Role", secondary=roles_certificates, backref="certificate")`
Closes #122 2015-11-24 23:53:22 +01:00			`replaces = relationship("Certificate",`
			`secondary=certificate_replacement_associations,`
			`primaryjoin=id == certificate_replacement_associations.c.certificate_id, # noqa`
			`secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id, # noqa`
			`backref='replaced')`
initial commit 2015-06-22 22:47:27 +02:00
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`def __init__(self, **kwargs):`
			`cert = defaults.parse_certificate(kwargs['body'])`
			`self.owner = kwargs['owner']`
			`self.body = kwargs['body']`
			`self.private_key = kwargs.get('private_key')`
			`self.chain = kwargs.get('chain')`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`self.destinations = kwargs.get('destinations', [])`
			`self.notifications = kwargs.get('notifications', [])`
			`self.description = kwargs.get('description')`
Fixing and error causing duplicate roles to be created. (#339) * Fixing and error causing duplicate roles to be created. * Fixing python3 * Fixing python2 and python3 2016-06-01 00:44:54 +02:00			`self.roles = list(set(kwargs.get('roles', [])))`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`self.replaces = kwargs.get('replacements', [])`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`self.signing_algorithm = defaults.signing_algorithm(cert)`
			`self.bits = defaults.bitstrength(cert)`
			`self.issuer = defaults.issuer(cert)`
			`self.serial = defaults.serial(cert)`
			`self.cn = defaults.common_name(cert)`
			`self.san = defaults.san(cert)`
			`self.not_before = defaults.not_before(cert)`
			`self.not_after = defaults.not_after(cert)`
			`self.name = get_or_increase_name(defaults.certificate_name(self.cn, self.issuer, self.not_before, self.not_after, self.san))`

			`for domain in defaults.domains(cert):`
initial commit 2015-06-22 22:47:27 +02:00			`self.domains.append(Domain(name=domain))`

			`@property`
			`def is_expired(self):`
			`if self.not_after < datetime.datetime.now():`
			`return True`

			`@property`
			`def is_unused(self):`
			`if self.elb_listeners.count() == 0:`
			`return True`

			`@property`
			`def is_revoked(self):`
			`# we might not yet know the condition of the cert`
			`if self.status:`
			`if 'revoked' in self.status:`
			`return True`

			`def get_arn(self, account_number):`
			`"""`
			`Generate a valid AWS IAM arn`

			`:rtype : str`
			`:param account_number:`
			`:return:`
			`"""`
			`return "arn:aws:iam::{}:server-certificate/{}".format(account_number, self.name)`

Initial support for notification plugins closes #8, closes #9, closes #7, closes #4, closes #16 2015-07-30 02:13:06 +02:00
			`@event.listens_for(Certificate.destinations, 'append')`
			`def update_destinations(target, value, initiator):`
Closes #122 2015-11-24 23:53:22 +01:00			`"""`
			`Attempt to upload the new certificate to the new destination`

			`:param target:`
			`:param value:`
			`:param initiator:`
			`:return:`
			`"""`
Initial support for notification plugins closes #8, closes #9, closes #7, closes #4, closes #16 2015-07-30 02:13:06 +02:00			`destination_plugin = plugins.get(value.plugin_name)`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`try:`
			`destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)`
			`except Exception as e:`
			`current_app.logger.exception(e)`
Closes #122 2015-11-24 23:53:22 +01:00

			`@event.listens_for(Certificate.replaces, 'append')`
			`def update_replacement(target, value, initiator):`
			`"""`
			`When a certificate is marked as 'replaced' it is then marked as in-active`

			`:param target:`
			`:param value:`
			`:param initiator:`
			`:return:`
			`"""`
			`value.active = False`


			`@event.listens_for(Certificate, 'before_update')`
			`def protect_active(mapper, connection, target):`
			`"""`
			`When a certificate has a replacement do not allow it to be marked as 'active'`

			`:param connection:`
			`:param mapper:`
			`:param target:`
			`:return:`
			`"""`
			`if target.active:`
			`if target.replaced:`
			`raise Exception("Cannot mark certificate as active, certificate has been marked as replaced.")`