lemur/lemur/certificates/models.py

"""
.. module: lemur.certificates.models
    :platform: Unix
    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
import arrow

from flask import current_app

from cryptography.hazmat.primitives.asymmetric import rsa

from sqlalchemy.orm import relationship
from sqlalchemy.sql.expression import case
from sqlalchemy.ext.hybrid import hybrid_property
from sqlalchemy import event, Integer, ForeignKey, String, PassiveDefault, func, Column, Text, Boolean

import lemur.common.utils
from lemur.database import db
from lemur.models import certificate_associations, certificate_source_associations, \
    certificate_destination_associations, certificate_notification_associations, \
    certificate_replacement_associations, roles_certificates
from lemur.plugins.base import plugins
from lemur.utils import Vault

from sqlalchemy_utils.types.arrow import ArrowType

from lemur.common import defaults
from lemur.domains.models import Domain


def get_or_increase_name(name):
    name = '-'.join(name.strip().split(' '))
    count = Certificate.query.filter(Certificate.name.ilike('{0}%'.format(name))).count()

    if count >= 1:
        return name + '-' + str(count)

    return name


class Certificate(db.Model):
    __tablename__ = 'certificates'
    id = Column(Integer, primary_key=True)
    owner = Column(String(128), nullable=False)
    name = Column(String(128), unique=True)
    description = Column(String(1024))
    notify = Column(Boolean, default=True)

    body = Column(Text(), nullable=False)
    chain = Column(Text())
    private_key = Column(Vault)

    issuer = Column(String(128))
    serial = Column(String(128))
    cn = Column(String(128))
    deleted = Column(Boolean, index=True)

    not_before = Column(ArrowType)
    not_after = Column(ArrowType)
    date_created = Column(ArrowType, PassiveDefault(func.now()), nullable=False)

    signing_algorithm = Column(String(128))
    status = Column(String(128))
    bits = Column(Integer())
    san = Column(String(1024))  # TODO this should be migrated to boolean

    rotation = Column(Boolean, default=False)

    user_id = Column(Integer, ForeignKey('users.id'))
    authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))
    root_authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))

    notifications = relationship('Notification', secondary=certificate_notification_associations, backref='certificate')
    destinations = relationship('Destination', secondary=certificate_destination_associations, backref='certificate')
    sources = relationship('Source', secondary=certificate_source_associations, backref='certificate')
    domains = relationship('Domain', secondary=certificate_associations, backref='certificate')
    roles = relationship('Role', secondary=roles_certificates, backref='certificate')
    replaces = relationship('Certificate',
                            secondary=certificate_replacement_associations,
                            primaryjoin=id == certificate_replacement_associations.c.certificate_id,  # noqa
                            secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id,  # noqa
                            backref='replaced')

    logs = relationship('Log', backref='certificate')
    endpoints = relationship('Endpoint', backref='certificate')

    def __init__(self, **kwargs):
        cert = lemur.common.utils.parse_certificate(kwargs['body'])

        self.issuer = defaults.issuer(cert)
        self.cn = defaults.common_name(cert)
        self.san = defaults.san(cert)
        self.not_before = defaults.not_before(cert)
        self.not_after = defaults.not_after(cert)

        # when destinations are appended they require a valid name.
        if kwargs.get('name'):
            self.name = get_or_increase_name(kwargs['name'])
        else:
            self.name = get_or_increase_name(defaults.certificate_name(self.cn, self.issuer, self.not_before, self.not_after, self.san))

        self.owner = kwargs['owner']
        self.body = kwargs['body'].strip()

        if kwargs.get('private_key'):
            self.private_key = kwargs['private_key'].strip()

        if kwargs.get('chain'):
            self.chain = kwargs['chain'].strip()

        self.notify = kwargs.get('notify', True)
        self.destinations = kwargs.get('destinations', [])
        self.notifications = kwargs.get('notifications', [])
        self.description = kwargs.get('description')
        self.roles = list(set(kwargs.get('roles', [])))
        self.replaces = kwargs.get('replaces', [])
        self.rotation = kwargs.get('rotation')
        self.signing_algorithm = defaults.signing_algorithm(cert)
        self.bits = defaults.bitstrength(cert)
        self.serial = defaults.serial(cert)

        for domain in defaults.domains(cert):
            self.domains.append(Domain(name=domain))

    @property
    def active(self):
        return self.notify

    @property
    def organization(self):
        cert = lemur.common.utils.parse_certificate(self.body)
        return defaults.organization(cert)

    @property
    def organizational_unit(self):
        cert = lemur.common.utils.parse_certificate(self.body)
        return defaults.organizational_unit(cert)

    @property
    def country(self):
        cert = lemur.common.utils.parse_certificate(self.body)
        return defaults.country(cert)

    @property
    def state(self):
        cert = lemur.common.utils.parse_certificate(self.body)
        return defaults.state(cert)

    @property
    def location(self):
        cert = lemur.common.utils.parse_certificate(self.body)
        return defaults.location(cert)

    @property
    def key_type(self):
        cert = lemur.common.utils.parse_certificate(self.body)
        if isinstance(cert.public_key(), rsa.RSAPublicKey):
            return 'RSA{key_size}'.format(key_size=cert.public_key().key_size)

    @property
    def validity_remaining(self):
        return abs(self.not_after - arrow.utcnow())

    @property
    def validity_range(self):
        return self.not_after - self.not_before

    @hybrid_property
    def expired(self):
        if self.not_after <= arrow.utcnow():
            return True

    @expired.expression
    def expired(cls):
        return case(
            [
                (cls.not_after <= arrow.utcnow(), True)
            ],
            else_=False
        )

    @hybrid_property
    def revoked(self):
        if 'revoked' == self.status:
            return True

    @revoked.expression
    def revoked(cls):
        return case(
            [
                (cls.status == 'revoked', True)
            ],
            else_=False
        )

    @property
    def extensions(self):
        # TODO pull the OU, O, CN, etc + other extensions.
        names = [{'name_type': 'DNSName', 'value': x.name} for x in self.domains]

        extensions = {
            'sub_alt_names': {
                'names': names
            }
        }

        return extensions

    def get_arn(self, account_number):
        """
        Generate a valid AWS IAM arn

        :rtype : str
        :param account_number:
        :return:
        """
        return "arn:aws:iam::{}:server-certificate/{}".format(account_number, self.name)

    def __repr__(self):
        return "Certificate(name={name})".format(name=self.name)


@event.listens_for(Certificate.destinations, 'append')
def update_destinations(target, value, initiator):
    """
    Attempt to upload the new certificate to the new destination

    :param target:
    :param value:
    :param initiator:
    :return:
    """
    destination_plugin = plugins.get(value.plugin_name)

    try:
        destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)
    except Exception as e:
        current_app.logger.exception(e)


@event.listens_for(Certificate.replaces, 'append')
def update_replacement(target, value, initiator):
    """
    When a certificate is marked as 'replaced' we should not notify.

    :param target:
    :param value:
    :param initiator:
    :return:
    """
    value.notify = False


# @event.listens_for(Certificate, 'before_update')
# def protect_active(mapper, connection, target):
#    """
#     When a certificate has a replacement do not allow it to be marked as 'active'
#
#     :param connection:
#     :param mapper:
#     :param target:
#     :return:
#     """
#     if target.active:
#         if not target.notify:
#             raise Exception(
#                 "Cannot silence notification for a certificate Lemur has been found to be currently deployed onto endpoints"
#             )
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`.. module: lemur.certificates.models`
			`:platform: Unix`
			`:copyright: (c) 2015 by Netflix Inc., see AUTHORS for more`
			`:license: Apache, see LICENSE for more details.`
			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`
			`"""`
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`import arrow`
Making Lemur py3 compatible 2015-08-04 06:07:28 +02:00
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`from flask import current_app`

Enabling RSA2048 and RSA4096 as available key types (#551) * Enabling RSA2048 and RSA4096 as available key types * Fixing re-issuance 2016-12-02 00:41:53 +01:00			`from cryptography.hazmat.primitives.asymmetric import rsa`

Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`from sqlalchemy.orm import relationship`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`from sqlalchemy.sql.expression import case`
			`from sqlalchemy.ext.hybrid import hybrid_property`
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`from sqlalchemy import event, Integer, ForeignKey, String, PassiveDefault, func, Column, Text, Boolean`
initial commit 2015-06-22 22:47:27 +02:00
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`import lemur.common.utils`
initial commit 2015-06-22 22:47:27 +02:00			`from lemur.database import db`
Adding backend code for sources models 2015-08-02 00:29:34 +02:00			`from lemur.models import certificate_associations, certificate_source_associations, \`
Closes #122 2015-11-24 23:53:22 +01:00			`certificate_destination_associations, certificate_notification_associations, \`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`certificate_replacement_associations, roles_certificates`
			`from lemur.plugins.base import plugins`
			`from lemur.utils import Vault`
initial commit 2015-06-22 22:47:27 +02:00
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`from sqlalchemy_utils.types.arrow import ArrowType`

Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`from lemur.common import defaults`
			`from lemur.domains.models import Domain`
initial commit 2015-06-22 22:47:27 +02:00

Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`def get_or_increase_name(name):`
Removing the ability to use spaces in custom names. (#455) 2016-10-15 13:56:25 +02:00			`name = '-'.join(name.strip().split(' '))`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`count = Certificate.query.filter(Certificate.name.ilike('{0}%'.format(name))).count()`
initial commit 2015-06-22 22:47:27 +02:00
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`if count >= 1:`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`return name + '-' + str(count)`
initial commit 2015-06-22 22:47:27 +02:00
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`return name`
initial commit 2015-06-22 22:47:27 +02:00

			`class Certificate(db.Model):`
			`__tablename__ = 'certificates'`
			`id = Column(Integer, primary_key=True)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`owner = Column(String(128), nullable=False)`
Orphaned certificates (#406) * Fixing whitespace. * Fixing syncing. * Fixing tests 2016-07-28 22:08:24 +02:00			`name = Column(String(128), unique=True)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`description = Column(String(1024))`
Prevents the silencing of notifications that are actively deployed. (#454) * Renaming 'active' to 'notify' as this is clearer and more aligned to what this value is actually controlling. 'active' is now a property that depends on whether any endpoints were found to be using the certificate. Also added logic for issue #405 disallowing for a certificates' notifications to be silenced when it is actively deployed on an endpoint. * Adding migration script to alter 'active' column. 2016-10-15 09:12:11 +02:00			`notify = Column(Boolean, default=True)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00
			`body = Column(Text(), nullable=False)`
initial commit 2015-06-22 22:47:27 +02:00			`chain = Column(Text())`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`private_key = Column(Vault)`

initial commit 2015-06-22 22:47:27 +02:00			`issuer = Column(String(128))`
			`serial = Column(String(128))`
			`cn = Column(String(128))`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`deleted = Column(Boolean, index=True)`

[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`not_before = Column(ArrowType)`
			`not_after = Column(ArrowType)`
			`date_created = Column(ArrowType, PassiveDefault(func.now()), nullable=False)`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00
Adding the ability to track a certificates signing key algorithm 2015-10-06 21:51:59 +02:00			`signing_algorithm = Column(String(128))`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`status = Column(String(128))`
			`bits = Column(Integer())`
			`san = Column(String(1024)) # TODO this should be migrated to boolean`

Rotation ui (#633) * Adding rotation to the UI. * Removing spinkit dependency. 2016-12-27 00:55:11 +01:00			`rotation = Column(Boolean, default=False)`
Certificate rotation enhancements (#570) 2016-12-08 01:24:59 +01:00
initial commit 2015-06-22 22:47:27 +02:00			`user_id = Column(Integer, ForeignKey('users.id'))`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))`
			`root_authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))`

Log fixes (#534) * tying up some loose ends with event logging * Ensuring creators can access 2016-11-28 23:13:16 +01:00			`notifications = relationship('Notification', secondary=certificate_notification_associations, backref='certificate')`
			`destinations = relationship('Destination', secondary=certificate_destination_associations, backref='certificate')`
			`sources = relationship('Source', secondary=certificate_source_associations, backref='certificate')`
			`domains = relationship('Domain', secondary=certificate_associations, backref='certificate')`
			`roles = relationship('Role', secondary=roles_certificates, backref='certificate')`
			`replaces = relationship('Certificate',`
Closes #122 2015-11-24 23:53:22 +01:00			`secondary=certificate_replacement_associations,`
			`primaryjoin=id == certificate_replacement_associations.c.certificate_id, # noqa`
			`secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id, # noqa`
			`backref='replaced')`
initial commit 2015-06-22 22:47:27 +02:00
Log fixes (#534) * tying up some loose ends with event logging * Ensuring creators can access 2016-11-28 23:13:16 +01:00			`logs = relationship('Log', backref='certificate')`
			`endpoints = relationship('Endpoint', backref='certificate')`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`def __init__(self, **kwargs):`
Orphaned certificates (#406) * Fixing whitespace. * Fixing syncing. * Fixing tests 2016-07-28 22:08:24 +02:00			`cert = lemur.common.utils.parse_certificate(kwargs['body'])`
Fixing destination upload. (#347) * Fixing an issue where uploaded certificates would have a name of 'None' * Clarifying comment. * Improving order. 2016-06-04 03:45:58 +02:00
			`self.issuer = defaults.issuer(cert)`
			`self.cn = defaults.common_name(cert)`
			`self.san = defaults.san(cert)`
			`self.not_before = defaults.not_before(cert)`
			`self.not_after = defaults.not_after(cert)`

			`# when destinations are appended they require a valid name.`
			`if kwargs.get('name'):`
Orphaned certificates (#406) * Fixing whitespace. * Fixing syncing. * Fixing tests 2016-07-28 22:08:24 +02:00			`self.name = get_or_increase_name(kwargs['name'])`
Fixing destination upload. (#347) * Fixing an issue where uploaded certificates would have a name of 'None' * Clarifying comment. * Improving order. 2016-06-04 03:45:58 +02:00			`else:`
			`self.name = get_or_increase_name(defaults.certificate_name(self.cn, self.issuer, self.not_before, self.not_after, self.san))`

Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`self.owner = kwargs['owner']`
Orphaned certificates (#406) * Fixing whitespace. * Fixing syncing. * Fixing tests 2016-07-28 22:08:24 +02:00			`self.body = kwargs['body'].strip()`

			`if kwargs.get('private_key'):`
			`self.private_key = kwargs['private_key'].strip()`

			`if kwargs.get('chain'):`
			`self.chain = kwargs['chain'].strip()`

Adding the ability to silence notifications on creation. (#490) 2016-11-12 18:29:42 +01:00			`self.notify = kwargs.get('notify', True)`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`self.destinations = kwargs.get('destinations', [])`
			`self.notifications = kwargs.get('notifications', [])`
			`self.description = kwargs.get('description')`
Fixing and error causing duplicate roles to be created. (#339) * Fixing and error causing duplicate roles to be created. * Fixing python3 * Fixing python2 and python3 2016-06-01 00:44:54 +02:00			`self.roles = list(set(kwargs.get('roles', [])))`
Replacement refactor. (#631) * Deprecating replacement keyword. * Def renaming. 2016-12-26 20:09:50 +01:00			`self.replaces = kwargs.get('replaces', [])`
Modifying the way rotation works. (#629) * Modifying the way rotation works. * Adding docs. * Fixing tests. 2016-12-23 22:18:42 +01:00			`self.rotation = kwargs.get('rotation')`
Closes 262 (#324) Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities. 2016-05-19 22:37:05 +02:00			`self.signing_algorithm = defaults.signing_algorithm(cert)`
			`self.bits = defaults.bitstrength(cert)`
			`self.serial = defaults.serial(cert)`

			`for domain in defaults.domains(cert):`
initial commit 2015-06-22 22:47:27 +02:00			`self.domains.append(Domain(name=domain))`

Prevents the silencing of notifications that are actively deployed. (#454) * Renaming 'active' to 'notify' as this is clearer and more aligned to what this value is actually controlling. 'active' is now a property that depends on whether any endpoints were found to be using the certificate. Also added logic for issue #405 disallowing for a certificates' notifications to be silenced when it is actively deployed on an endpoint. * Adding migration script to alter 'active' column. 2016-10-15 09:12:11 +02:00			`@property`
			`def active(self):`
removing new 'active' logic for the time being (#505) 2016-11-17 00:56:24 +01:00			`return self.notify`
Prevents the silencing of notifications that are actively deployed. (#454) * Renaming 'active' to 'notify' as this is clearer and more aligned to what this value is actually controlling. 'active' is now a property that depends on whether any endpoints were found to be using the certificate. Also added logic for issue #405 disallowing for a certificates' notifications to be silenced when it is actively deployed on an endpoint. * Adding migration script to alter 'active' column. 2016-10-15 09:12:11 +02:00
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`@property`
			`def organization(self):`
			`cert = lemur.common.utils.parse_certificate(self.body)`
			`return defaults.organization(cert)`

			`@property`
			`def organizational_unit(self):`
			`cert = lemur.common.utils.parse_certificate(self.body)`
			`return defaults.organizational_unit(cert)`

			`@property`
			`def country(self):`
			`cert = lemur.common.utils.parse_certificate(self.body)`
			`return defaults.country(cert)`

			`@property`
			`def state(self):`
			`cert = lemur.common.utils.parse_certificate(self.body)`
			`return defaults.state(cert)`

			`@property`
			`def location(self):`
			`cert = lemur.common.utils.parse_certificate(self.body)`
			`return defaults.location(cert)`

Enabling RSA2048 and RSA4096 as available key types (#551) * Enabling RSA2048 and RSA4096 as available key types * Fixing re-issuance 2016-12-02 00:41:53 +01:00			`@property`
			`def key_type(self):`
			`cert = lemur.common.utils.parse_certificate(self.body)`
			`if isinstance(cert.public_key(), rsa.RSAPublicKey):`
			`return 'RSA{key_size}'.format(key_size=cert.public_key().key_size)`

Adding additional reporting and refactoring existing setup. (#620) 2016-12-20 21:48:14 +01:00			`@property`
			`def validity_remaining(self):`
			`return abs(self.not_after - arrow.utcnow())`

			`@property`
			`def validity_range(self):`
			`return self.not_after - self.not_before`

Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`@hybrid_property`
			`def expired(self):`
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`if self.not_after <= arrow.utcnow():`
initial commit 2015-06-22 22:47:27 +02:00			`return True`

Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`@expired.expression`
			`def expired(cls):`
			`return case(`
			`[`
Refactors how notifications are generated. (#584) 2016-12-12 20:22:49 +01:00			`(cls.not_after <= arrow.utcnow(), True)`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`],`
			`else_=False`
			`)`

			`@hybrid_property`
			`def revoked(self):`
			`if 'revoked' == self.status:`
initial commit 2015-06-22 22:47:27 +02:00			`return True`

Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`@revoked.expression`
			`def revoked(cls):`
			`return case(`
			`[`
			`(cls.status == 'revoked', True)`
			`],`
			`else_=False`
			`)`
initial commit 2015-06-22 22:47:27 +02:00
Adds the ability to clone existing certificates. (#513) 2016-11-18 01:19:52 +01:00			`@property`
			`def extensions(self):`
			`# TODO pull the OU, O, CN, etc + other extensions.`
			`names = [{'name_type': 'DNSName', 'value': x.name} for x in self.domains]`

			`extensions = {`
			`'sub_alt_names': {`
			`'names': names`
			`}`
			`}`

			`return extensions`

initial commit 2015-06-22 22:47:27 +02:00			`def get_arn(self, account_number):`
			`"""`
			`Generate a valid AWS IAM arn`

			`:rtype : str`
			`:param account_number:`
			`:return:`
			`"""`
			`return "arn:aws:iam::{}:server-certificate/{}".format(account_number, self.name)`

Ensuring model's have a basic __repr__. (#499) 2016-11-16 18:30:54 +01:00			`def __repr__(self):`
			`return "Certificate(name={name})".format(name=self.name)`

Initial support for notification plugins closes #8, closes #9, closes #7, closes #4, closes #16 2015-07-30 02:13:06 +02:00
			`@event.listens_for(Certificate.destinations, 'append')`
			`def update_destinations(target, value, initiator):`
Closes #122 2015-11-24 23:53:22 +01:00			`"""`
			`Attempt to upload the new certificate to the new destination`

			`:param target:`
			`:param value:`
			`:param initiator:`
			`:return:`
			`"""`
Initial support for notification plugins closes #8, closes #9, closes #7, closes #4, closes #16 2015-07-30 02:13:06 +02:00			`destination_plugin = plugins.get(value.plugin_name)`
Ensuring that destinations require private keys by default. (#390) * Ensuring that destinations require private keys by default. 2016-07-05 00:30:20 +02:00
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`try:`
			`destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)`
			`except Exception as e:`
			`current_app.logger.exception(e)`
Closes #122 2015-11-24 23:53:22 +01:00

			`@event.listens_for(Certificate.replaces, 'append')`
			`def update_replacement(target, value, initiator):`
			`"""`
Disabling the protect active flag (#498) 2016-11-16 18:31:02 +01:00			`When a certificate is marked as 'replaced' we should not notify.`
Closes #122 2015-11-24 23:53:22 +01:00
			`:param target:`
			`:param value:`
			`:param initiator:`
			`:return:`
			`"""`
Disabling the protect active flag (#498) 2016-11-16 18:31:02 +01:00			`value.notify = False`


			`# @event.listens_for(Certificate, 'before_update')`
			`# def protect_active(mapper, connection, target):`
			`# """`
			`# When a certificate has a replacement do not allow it to be marked as 'active'`
			`#`
			`# :param connection:`
			`# :param mapper:`
			`# :param target:`
			`# :return:`
			`# """`
			`# if target.active:`
			`# if not target.notify:`
			`# raise Exception(`
			`# "Cannot silence notification for a certificate Lemur has been found to be currently deployed onto endpoints"`
			`# )`