lemur/lemur/authorities/service.py

"""
.. module: lemur.authorities.service
    :platform: Unix
    :synopsis: This module contains all of the services level functions used to
    administer authorities in Lemur
    :copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>

"""

import json

from lemur import database
from lemur.common.utils import truthiness
from lemur.extensions import metrics
from lemur.authorities.models import Authority
from lemur.certificates.models import Certificate
from lemur.roles import service as role_service

from lemur.certificates.service import upload


def update(authority_id, description, owner, active, roles):
    """
    Update an authority with new values.

    :param authority_id:
    :param roles: roles that are allowed to use this authority
    :return:
    """
    authority = get(authority_id)

    authority.roles = roles
    authority.active = active
    authority.description = description
    authority.owner = owner

    return database.update(authority)


def update_options(authority_id, options):
    """
    Update an authority with new options.

    :param authority_id:
    :param options: the new options to be saved into the authority
    :return:
    """

    authority = get(authority_id)

    authority.options = options

    return database.update(authority)


def mint(**kwargs):
    """
    Creates the authority based on the plugin provided.
    """
    issuer = kwargs["plugin"]["plugin_object"]
    values = issuer.create_authority(kwargs)

    # support older plugins
    if len(values) == 3:
        body, chain, roles = values
        private_key = None
    elif len(values) == 4:
        body, private_key, chain, roles = values

    roles = create_authority_roles(
        roles,
        kwargs["owner"],
        kwargs["plugin"]["plugin_object"].title,
        kwargs["creator"],
    )
    return body, private_key, chain, roles


def create_authority_roles(roles, owner, plugin_title, creator):
    """
    Creates all of the necessary authority roles.
    :param creator:
    :param roles:
    :return:
    """
    role_objs = []
    for r in roles:
        role = role_service.get_by_name(r["name"])
        if not role:
            role = role_service.create(
                r["name"],
                password=r["password"],
                description="Auto generated role for {0}".format(plugin_title),
                username=r["username"],
            )

        # the user creating the authority should be able to administer it
        if role.username == "admin":
            creator.roles.append(role)

        role_objs.append(role)

    # create an role for the owner and assign it
    owner_role = role_service.get_by_name(owner)
    if not owner_role:
        owner_role = role_service.create(
            owner, description="Auto generated role based on owner: {0}".format(owner)
        )

    role_objs.append(owner_role)
    return role_objs


def create(**kwargs):
    """
    Creates a new authority.
    """
    ca_name = kwargs.get("name")
    if get_by_name(ca_name):
        raise Exception(f"Authority with name {ca_name} already exists")
    if role_service.get_by_name(f"{ca_name}_admin") or role_service.get_by_name(f"{ca_name}_operator"):
        raise Exception(f"Admin and/or operator roles for authority {ca_name} already exist")

    body, private_key, chain, roles = mint(**kwargs)

    kwargs["creator"].roles = list(set(list(kwargs["creator"].roles) + roles))

    kwargs["body"] = body
    kwargs["private_key"] = private_key
    kwargs["chain"] = chain

    if kwargs.get("roles"):
        kwargs["roles"] += roles
    else:
        kwargs["roles"] = roles

    cert = upload(**kwargs)
    kwargs["authority_certificate"] = cert
    if kwargs.get("plugin", {}).get("plugin_options", []):
        kwargs["options"] = json.dumps(kwargs["plugin"]["plugin_options"])

    authority = Authority(**kwargs)
    authority = database.create(authority)
    kwargs["creator"].authorities.append(authority)

    metrics.send(
        "authority_created", "counter", 1, metric_tags=dict(owner=authority.owner)
    )
    return authority


def get_all():
    """
    Get all authorities that are currently in Lemur.

    :rtype : List
    :return:
    """
    query = database.session_query(Authority)
    return database.find_all(query, Authority, {}).all()


def get(authority_id):
    """
    Retrieves an authority given it's ID

    :param authority_id:
    :return:
    """
    return database.get(Authority, authority_id)


def get_by_name(authority_name):
    """
    Retrieves an authority given it's name.

    :param authority_name:
    :return:
    """
    return database.get(Authority, authority_name, field="name")


def get_authority_role(ca_name, creator=None):
    """
    Attempts to get the authority role for a given ca uses current_user
    as a basis for accomplishing that.

    :param ca_name:
    """
    if creator:
        if creator.is_admin:
            return role_service.get_by_name("{0}_admin".format(ca_name))
    return role_service.get_by_name("{0}_operator".format(ca_name))


def render(args):
    """
    Helper that helps us render the REST Api responses.
    :param args:
    :return:
    """
    query = database.session_query(Authority)
    filt = args.pop("filter")

    if filt:
        terms = filt.split(";")
        if "active" in filt:
            query = query.filter(Authority.active == truthiness(terms[1]))
        elif "cn" in filt:
            term = "%{0}%".format(terms[1])
            sub_query = (
                database.session_query(Certificate.root_authority_id)
                .filter(Certificate.cn.ilike(term))
                .subquery()
            )

            query = query.filter(Authority.id.in_(sub_query))
        else:
            query = database.filter(query, Authority, terms)

    # we make sure that a user can only use an authority they either own are a member of - admins can see all
    if not args["user"].is_admin:
        authority_ids = []
        for authority in args["user"].authorities:
            authority_ids.append(authority.id)

        for role in args["user"].roles:
            for authority in role.authorities:
                authority_ids.append(authority.id)
        query = query.filter(Authority.id.in_(authority_ids))

    return database.sort_and_page(query, Authority, args)
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`.. module: lemur.authorities.service`
			`:platform: Unix`
			`:synopsis: This module contains all of the services level functions used to`
			`administer authorities in Lemur`
Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 19:18:16 +02:00			`:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more`
initial commit 2015-06-22 22:47:27 +02:00			`:license: Apache, see LICENSE for more details.`
			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`

			`"""`
WIP: Add support for Acme/LetsEncrypt with DNS Provider integration 2018-04-10 23:28:53 +02:00
			`import json`

initial commit 2015-06-22 22:47:27 +02:00			`from lemur import database`
Fix filtering on boolean columns, broken with SQLAlchemy 1.2 upgrade SQLAlchemy 1.2 does not allow comparing string values to boolean columns. This caused errors like: sqlalchemy.exc.StatementError: (builtins.TypeError) Not a boolean value: 'true' For more details see http://docs.sqlalchemy.org/en/latest/changelog/migration_12.html#boolean-datatype-now-enforces-strict-true-false-none-values 2018-04-02 17:33:51 +02:00			`from lemur.common.utils import truthiness`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`from lemur.extensions import metrics`
initial commit 2015-06-22 22:47:27 +02:00			`from lemur.authorities.models import Authority`
adjusting the query to filter authorities based on matching CN 2019-01-15 02:52:06 +01:00			`from lemur.certificates.models import Certificate`
initial commit 2015-06-22 22:47:27 +02:00			`from lemur.roles import service as role_service`

Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`from lemur.certificates.service import upload`
initial commit 2015-06-22 22:47:27 +02:00
Pleasing the PEP8 gods 2015-07-21 22:06:13 +02:00
Fix ability to remove all roles from authority (#880) 2017-08-29 02:35:01 +02:00			`def update(authority_id, description, owner, active, roles):`
initial commit 2015-06-22 22:47:27 +02:00			`"""`
Minor documentation fixes/tweaks (#597) Mostly typos, grammar errors and inconsistent indentation in code examples. Some errors detected using Topy (https://github.com/intgr/topy), all changes verified by hand. 2016-12-14 18:29:04 +01:00			`Update an authority with new values.`
initial commit 2015-06-22 22:47:27 +02:00
			`:param authority_id:`
			`:param roles: roles that are allowed to use this authority`
			`:return:`
			`"""`
			`authority = get(authority_id)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00
Fix ability to remove all roles from authority (#880) 2017-08-29 02:35:01 +02:00			`authority.roles = roles`
Fixes bug where authority status was not set correctly. (#739) 2017-03-29 19:10:51 +02:00			`authority.active = active`
Allows authorities to have editable owners and descriptions 2015-09-01 23:05:32 +02:00			`authority.description = description`
			`authority.owner = owner`
Fix ability to remove all roles from authority (#880) 2017-08-29 02:35:01 +02:00
initial commit 2015-06-22 22:47:27 +02:00			`return database.update(authority)`


Add update_options to authorities service 2020-09-23 16:36:59 +02:00			`def update_options(authority_id, options):`
			`"""`
			`Update an authority with new options.`

			`:param authority_id:`
			`:param options: the new options to be saved into the authority`
			`:return:`
			`"""`

			`authority = get(authority_id)`

			`authority.options = options`

			`return database.update(authority)`

Fix flake8/linting errors 2020-09-23 16:57:48 +02:00
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`def mint(**kwargs):`
initial commit 2015-06-22 22:47:27 +02:00			`"""`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`Creates the authority based on the plugin provided.`
initial commit 2015-06-22 22:47:27 +02:00			`"""`
Black lint all the things 2019-05-16 16:57:02 +02:00			`issuer = kwargs["plugin"]["plugin_object"]`
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`values = issuer.create_authority(kwargs)`

			`# support older plugins`
			`if len(values) == 3:`
			`body, chain, roles = values`
			`private_key = None`
			`elif len(values) == 4:`
			`body, private_key, chain, roles = values`

Black lint all the things 2019-05-16 16:57:02 +02:00			`roles = create_authority_roles(`
			`roles,`
			`kwargs["owner"],`
			`kwargs["plugin"]["plugin_object"].title,`
			`kwargs["creator"],`
			`)`
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`return body, private_key, chain, roles`
initial commit 2015-06-22 22:47:27 +02:00
Closes #139 2015-11-23 18:53:55 +01:00
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`def create_authority_roles(roles, owner, plugin_title, creator):`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`"""`
			`Creates all of the necessary authority roles.`
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`:param creator:`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`:param roles:`
			`:return:`
			`"""`
initial commit 2015-06-22 22:47:27 +02:00			`role_objs = []`
Fixing several small issues. (#341) * Fixing several small issues. * Fixing tests. 2016-06-01 20:18:00 +02:00			`for r in roles:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`role = role_service.get_by_name(r["name"])`
Fixing several small issues. (#341) * Fixing several small issues. * Fixing tests. 2016-06-01 20:18:00 +02:00			`if not role:`
			`role = role_service.create(`
Black lint all the things 2019-05-16 16:57:02 +02:00			`r["name"],`
			`password=r["password"],`
Fixing several small issues. (#341) * Fixing several small issues. * Fixing tests. 2016-06-01 20:18:00 +02:00			`description="Auto generated role for {0}".format(plugin_title),`
Black lint all the things 2019-05-16 16:57:02 +02:00			`username=r["username"],`
			`)`
Changing the signature of save_cert, we don't create a csr_config anymore so it doesn't make sense to store it. Additionally 'challenge' is a verisign specific thing and should be factored out. We have stopped saving it as well. 2015-07-09 01:37:48 +02:00
initial commit 2015-06-22 22:47:27 +02:00			`# the user creating the authority should be able to administer it`
Black lint all the things 2019-05-16 16:57:02 +02:00			`if role.username == "admin":`
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`creator.roles.append(role)`
Changing the signature of save_cert, we don't create a csr_config anymore so it doesn't make sense to store it. Additionally 'challenge' is a verisign specific thing and should be factored out. We have stopped saving it as well. 2015-07-09 01:37:48 +02:00
initial commit 2015-06-22 22:47:27 +02:00			`role_objs.append(role)`

Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`# create an role for the owner and assign it`
Fixing several small issues. (#341) * Fixing several small issues. * Fixing tests. 2016-06-01 20:18:00 +02:00			`owner_role = role_service.get_by_name(owner)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`if not owner_role:`
			`owner_role = role_service.create(`
Black lint all the things 2019-05-16 16:57:02 +02:00			`owner, description="Auto generated role based on owner: {0}".format(owner)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`)`

			`role_objs.append(owner_role)`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`return role_objs`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00
initial commit 2015-06-22 22:47:27 +02:00
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`def create(**kwargs):`
			`"""`
			`Creates a new authority.`
			`"""`
Security fixes 2021-03-17 18:51:21 +01:00			`ca_name = kwargs.get("name")`
			`if get_by_name(ca_name):`
			`raise Exception(f"Authority with name {ca_name} already exists")`
			`if role_service.get_by_name(f"{ca_name}_admin") or role_service.get_by_name(f"{ca_name}_operator"):`
			`raise Exception(f"Admin and/or operator roles for authority {ca_name} already exist")`

Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`body, private_key, chain, roles = mint(**kwargs)`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00
Black lint all the things 2019-05-16 16:57:02 +02:00			`kwargs["creator"].roles = list(set(list(kwargs["creator"].roles) + roles))`
Fixing a few errors. * Fixing organizational_unit and common name * FIxing organization name and allow creaters to view CA. 2016-06-30 01:16:37 +02:00
Black lint all the things 2019-05-16 16:57:02 +02:00			`kwargs["body"] = body`
			`kwargs["private_key"] = private_key`
			`kwargs["chain"] = chain`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00
Black lint all the things 2019-05-16 16:57:02 +02:00			`if kwargs.get("roles"):`
			`kwargs["roles"] += roles`
Fixes (#329) * Modifying the way roles are assigned. * Adding migration scripts. * Adding endpoints field for future use. * Fixing dropdowns. 2016-05-24 03:38:04 +02:00			`else:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`kwargs["roles"] = roles`
Fixes (#329) * Modifying the way roles are assigned. * Adding migration scripts. * Adding endpoints field for future use. * Fixing dropdowns. 2016-05-24 03:38:04 +02:00
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`cert = upload(**kwargs)`
Black lint all the things 2019-05-16 16:57:02 +02:00			`kwargs["authority_certificate"] = cert`
			`if kwargs.get("plugin", {}).get("plugin_options", []):`
			`kwargs["options"] = json.dumps(kwargs["plugin"]["plugin_options"])`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00
			`authority = Authority(**kwargs)`
			`authority = database.create(authority)`
Black lint all the things 2019-05-16 16:57:02 +02:00			`kwargs["creator"].authorities.append(authority)`
initial commit 2015-06-22 22:47:27 +02:00
Black lint all the things 2019-05-16 16:57:02 +02:00			`metrics.send(`
			`"authority_created", "counter", 1, metric_tags=dict(owner=authority.owner)`
			`)`
initial commit 2015-06-22 22:47:27 +02:00			`return authority`


			`def get_all():`
			`"""`
			`Get all authorities that are currently in Lemur.`

			`:rtype : List`
			`:return:`
			`"""`
			`query = database.session_query(Authority)`
			`return database.find_all(query, Authority, {}).all()`


			`def get(authority_id):`
			`"""`
			`Retrieves an authority given it's ID`

			`:param authority_id:`
			`:return:`
			`"""`
			`return database.get(Authority, authority_id)`


			`def get_by_name(authority_name):`
			`"""`
			`Retrieves an authority given it's name.`

			`:param authority_name:`
			`:return:`
			`"""`
Black lint all the things 2019-05-16 16:57:02 +02:00			`return database.get(Authority, authority_name, field="name")`
initial commit 2015-06-22 22:47:27 +02:00

minor fixes and downgrading requests (#535) 2016-11-29 01:50:26 +01:00			`def get_authority_role(ca_name, creator=None):`
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`Attempts to get the authority role for a given ca uses current_user`
			`as a basis for accomplishing that.`

			`:param ca_name:`
			`"""`
minor fixes and downgrading requests (#535) 2016-11-29 01:50:26 +01:00			`if creator:`
			`if creator.is_admin:`
			`return role_service.get_by_name("{0}_admin".format(ca_name))`
			`return role_service.get_by_name("{0}_operator".format(ca_name))`
initial commit 2015-06-22 22:47:27 +02:00

			`def render(args):`
			`"""`
			`Helper that helps us render the REST Api responses.`
			`:param args:`
			`:return:`
			`"""`
			`query = database.session_query(Authority)`
Black lint all the things 2019-05-16 16:57:02 +02:00			`filt = args.pop("filter")`
initial commit 2015-06-22 22:47:27 +02:00
			`if filt:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`terms = filt.split(";")`
			`if "active" in filt:`
Fix filtering on boolean columns, broken with SQLAlchemy 1.2 upgrade SQLAlchemy 1.2 does not allow comparing string values to boolean columns. This caused errors like: sqlalchemy.exc.StatementError: (builtins.TypeError) Not a boolean value: 'true' For more details see http://docs.sqlalchemy.org/en/latest/changelog/migration_12.html#boolean-datatype-now-enforces-strict-true-false-none-values 2018-04-02 17:33:51 +02:00			`query = query.filter(Authority.active == truthiness(terms[1]))`
Black lint all the things 2019-05-16 16:57:02 +02:00			`elif "cn" in filt:`
			`term = "%{0}%".format(terms[1])`
			`sub_query = (`
			`database.session_query(Certificate.root_authority_id)`
			`.filter(Certificate.cn.ilike(term))`
adjusting the query to filter authorities based on matching CN 2019-01-15 02:52:06 +01:00			`.subquery()`
Black lint all the things 2019-05-16 16:57:02 +02:00			`)`
adjusting the query to filter authorities based on matching CN 2019-01-15 02:52:06 +01:00
			`query = query.filter(Authority.id.in_(sub_query))`
initial commit 2015-06-22 22:47:27 +02:00			`else:`
			`query = database.filter(query, Authority, terms)`

Minor documentation fixes/tweaks (#597) Mostly typos, grammar errors and inconsistent indentation in code examples. Some errors detected using Topy (https://github.com/intgr/topy), all changes verified by hand. 2016-12-14 18:29:04 +01:00			`# we make sure that a user can only use an authority they either own are a member of - admins can see all`
Black lint all the things 2019-05-16 16:57:02 +02:00			`if not args["user"].is_admin:`
initial commit 2015-06-22 22:47:27 +02:00			`authority_ids = []`
Black lint all the things 2019-05-16 16:57:02 +02:00			`for authority in args["user"].authorities:`
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`authority_ids.append(authority.id)`

Black lint all the things 2019-05-16 16:57:02 +02:00			`for role in args["user"].roles:`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`for authority in role.authorities:`
			`authority_ids.append(authority.id)`
initial commit 2015-06-22 22:47:27 +02:00			`query = query.filter(Authority.id.in_(authority_ids))`

Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`return database.sort_and_page(query, Authority, args)`