lemur/lemur/sources/service.py

"""
.. module: lemur.sources.service
    :platform: Unix
    :copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
import arrow

from flask import current_app

from lemur import database
from lemur.sources.models import Source
from lemur.certificates.models import Certificate
from lemur.certificates import service as certificate_service
from lemur.endpoints import service as endpoint_service
from lemur.destinations import service as destination_service

from lemur.certificates.schemas import CertificateUploadInputSchema
from lemur.common.utils import find_matching_certificates_by_hash, parse_certificate
from lemur.common.defaults import serial

from lemur.plugins.base import plugins


def certificate_create(certificate, source):
    data, errors = CertificateUploadInputSchema().load(certificate)

    if errors:
        raise Exception("Unable to import certificate: {reasons}".format(reasons=errors))

    data['creator'] = certificate['creator']

    cert = certificate_service.import_certificate(**data)
    cert.description = "This certificate was automatically discovered by Lemur"
    cert.sources.append(source)
    sync_update_destination(cert, source)
    database.update(cert)
    return cert


def certificate_update(certificate, source):
    for s in certificate.sources:
        if s.label == source.label:
            break
    else:
        certificate.sources.append(source)

    sync_update_destination(certificate, source)
    database.update(certificate)


def sync_update_destination(certificate, source):
    dest = destination_service.get_by_label(source.label)
    if dest:
        for d in certificate.destinations:
            if d.label == source.label:
                break
        else:
            certificate.destinations.append(dest)


def sync_endpoints(source):
    new, updated = 0, 0
    current_app.logger.debug("Retrieving endpoints from {0}".format(source.label))
    s = plugins.get(source.plugin_name)

    try:
        endpoints = s.get_endpoints(source.options)
    except NotImplementedError:
        current_app.logger.warning("Unable to sync endpoints for source {0} plugin has not implemented 'get_endpoints'".format(source.label))
        return new, updated

    for endpoint in endpoints:
        exists = endpoint_service.get_by_dnsname_and_port(endpoint['dnsname'], endpoint['port'])

        certificate_name = endpoint.pop('certificate_name')

        endpoint['certificate'] = certificate_service.get_by_name(certificate_name)

        if not endpoint['certificate']:
            current_app.logger.error(
                "Certificate Not Found. Name: {0} Endpoint: {1}".format(certificate_name, endpoint['name']))
            continue

        policy = endpoint.pop('policy')

        policy_ciphers = []
        for nc in policy['ciphers']:
            policy_ciphers.append(endpoint_service.get_or_create_cipher(name=nc))

        policy['ciphers'] = policy_ciphers
        endpoint['policy'] = endpoint_service.get_or_create_policy(**policy)
        endpoint['source'] = source

        if not exists:
            current_app.logger.debug("Endpoint Created: Name: {name}".format(name=endpoint['name']))
            endpoint_service.create(**endpoint)
            new += 1

        else:
            current_app.logger.debug("Endpoint Updated: {}".format(endpoint))
            endpoint_service.update(exists.id, **endpoint)
            updated += 1

    return new, updated


# TODO this is very slow as we don't batch update certificates
def sync_certificates(source, user):
    new, updated = 0, 0

    current_app.logger.debug("Retrieving certificates from {0}".format(source.label))
    s = plugins.get(source.plugin_name)
    certificates = s.get_certificates(source.options)

    for certificate in certificates:
        exists = False

        if certificate.get('search', None):
            conditions = certificate.pop('search')
            exists = certificate_service.get_by_attributes(conditions)

        if not exists and certificate.get('name'):
            result = certificate_service.get_by_name(certificate['name'])
            if result:
                exists = [result]

        if not exists and certificate.get('serial'):
            exists = certificate_service.get_by_serial(certificate['serial'])

        if not exists:
            cert = parse_certificate(certificate['body'])
            matching_serials = certificate_service.get_by_serial(serial(cert))
            exists = find_matching_certificates_by_hash(cert, matching_serials)

        if not certificate.get('owner'):
            certificate['owner'] = user.email

        certificate['creator'] = user
        exists = [x for x in exists if x]

        if not exists:
            certificate_create(certificate, source)
            new += 1

        else:
            for e in exists:
                if certificate.get('external_id'):
                    e.external_id = certificate['external_id']
                if certificate.get('authority_id'):
                    e.authority_id = certificate['authority_id']
                certificate_update(e, source)
                updated += 1

    return new, updated


def sync(source, user):
    new_certs, updated_certs = sync_certificates(source, user)
    new_endpoints, updated_endpoints = sync_endpoints(source)

    source.last_run = arrow.utcnow()
    database.update(source)

    return {'endpoints': (new_endpoints, updated_endpoints), 'certificates': (new_certs, updated_certs)}


def create(label, plugin_name, options, description=None):
    """
    Creates a new source, that can then be used as a source for certificates.

    :param label: Source common name
    :param plugin_name:
    :param options:
    :param description:
    :rtype : Source
    :return: New source
    """
    source = Source(label=label, options=options, plugin_name=plugin_name, description=description)
    return database.create(source)


def update(source_id, label, options, description):
    """
    Updates an existing source.

    :param source_id:  Lemur assigned ID
    :param label: Source common name
    :param options:
    :param description:
    :rtype : Source
    :return:
    """
    source = get(source_id)

    source.label = label
    source.options = options
    source.description = description

    return database.update(source)


def delete(source_id):
    """
    Deletes an source.

    :param source_id: Lemur assigned ID
    """
    database.delete(get(source_id))


def get(source_id):
    """
    Retrieves an source by its lemur assigned ID.

    :param source_id: Lemur assigned ID
    :rtype : Source
    :return:
    """
    return database.get(Source, source_id)


def get_by_label(label):
    """
    Retrieves a source by its label

    :param label:
    :return:
    """
    return database.get(Source, label, field='label')


def get_all():
    """
    Retrieves all source currently known by Lemur.

    :return:
    """
    query = database.session_query(Source)
    return database.find_all(query, Source, {}).all()


def render(args):
    filt = args.pop('filter')
    certificate_id = args.pop('certificate_id', None)

    if certificate_id:
        query = database.session_query(Source).join(Certificate, Source.certificate)
        query = query.filter(Certificate.id == certificate_id)
    else:
        query = database.session_query(Source)

    if filt:
        terms = filt.split(';')
        query = database.filter(query, Source, terms)

    return database.sort_and_page(query, Source, args)
Adding backend code for sources models 2015-08-02 00:29:34 +02:00			`"""`
			`.. module: lemur.sources.service`
			`:platform: Unix`
Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 19:18:16 +02:00			`:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more`
Adding backend code for sources models 2015-08-02 00:29:34 +02:00			`:license: Apache, see LICENSE for more details.`
			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`
			`"""`
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`import arrow`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00
Adding more source syncing logic 2015-08-02 03:31:38 +02:00			`from flask import current_app`

Adding backend code for sources models 2015-08-02 00:29:34 +02:00			`from lemur import database`
			`from lemur.sources.models import Source`
			`from lemur.certificates.models import Certificate`
Clean refactor (#635) * Adding rotation to the UI. * Removing spinkit dependency. * refactoring source cleaning 2016-12-27 19:31:33 +01:00			`from lemur.certificates import service as certificate_service`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`from lemur.endpoints import service as endpoint_service`
Fixing up some of the sync related code 2015-08-03 22:51:27 +02:00			`from lemur.destinations import service as destination_service`
Adding more source syncing logic 2015-08-02 03:31:38 +02:00
Fixes a bug where certificates discovered by lemur's source plugins were not given the appropriate default notifications. (#447) 2016-10-12 06:08:13 +02:00			`from lemur.certificates.schemas import CertificateUploadInputSchema`
Compare certificate hashes to determine if Lemur already has a synced certificate 2019-01-14 22:35:55 +01:00			`from lemur.common.utils import find_matching_certificates_by_hash, parse_certificate`
Adding Digicert CIS Sourceplugin (#959) * Adding necessary features to complete backfill * Fixing pagination logic. 2017-10-05 01:56:01 +02:00			`from lemur.common.defaults import serial`
Fixes a bug where certificates discovered by lemur's source plugins were not given the appropriate default notifications. (#447) 2016-10-12 06:08:13 +02:00
Adding more source syncing logic 2015-08-02 03:31:38 +02:00			`from lemur.plugins.base import plugins`


Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`def certificate_create(certificate, source):`
Fixes a bug where certificates discovered by lemur's source plugins were not given the appropriate default notifications. (#447) 2016-10-12 06:08:13 +02:00			`data, errors = CertificateUploadInputSchema().load(certificate)`

			`if errors:`
			`raise Exception("Unable to import certificate: {reasons}".format(reasons=errors))`

[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`data['creator'] = certificate['creator']`

Clean refactor (#635) * Adding rotation to the UI. * Removing spinkit dependency. * refactoring source cleaning 2016-12-27 19:31:33 +01:00			`cert = certificate_service.import_certificate(**data)`
Misc fixed around certificate syncing 2015-08-19 01:17:20 +02:00			`cert.description = "This certificate was automatically discovered by Lemur"`
Fixing up some of the sync related code 2015-08-03 22:51:27 +02:00			`cert.sources.append(source)`
			`sync_update_destination(cert, source)`
			`database.update(cert)`
Fixes a bug where certificates discovered by lemur's source plugins were not given the appropriate default notifications. (#447) 2016-10-12 06:08:13 +02:00			`return cert`
Fixing up some of the sync related code 2015-08-03 22:51:27 +02:00

Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`def certificate_update(certificate, source):`
Fixing up some of the sync related code 2015-08-03 22:51:27 +02:00			`for s in certificate.sources:`
			`if s.label == source.label:`
			`break`
			`else:`
			`certificate.sources.append(source)`

			`sync_update_destination(certificate, source)`
			`database.update(certificate)`


			`def sync_update_destination(certificate, source):`
			`dest = destination_service.get_by_label(source.label)`
			`if dest:`
			`for d in certificate.destinations:`
			`if d.label == source.label:`
			`break`
			`else:`
			`certificate.destinations.append(dest)`


Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`def sync_endpoints(source):`
			`new, updated = 0, 0`
			`current_app.logger.debug("Retrieving endpoints from {0}".format(source.label))`
			`s = plugins.get(source.plugin_name)`

			`try:`
			`endpoints = s.get_endpoints(source.options)`
			`except NotImplementedError:`
			`current_app.logger.warning("Unable to sync endpoints for source {0} plugin has not implemented 'get_endpoints'".format(source.label))`
Source syncing tweaks. (#705) * Allow owner to be specified when syncing certs. * Ensuring non-endpoint plugins don't fail to complete syncing. * Adding in some additional error handling. 2017-03-03 23:53:56 +01:00			`return new, updated`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00
			`for endpoint in endpoints:`
Ensures we can get multiple endpoints with the same name but different ports. (#1011) 2017-12-04 22:13:02 +01:00			`exists = endpoint_service.get_by_dnsname_and_port(endpoint['dnsname'], endpoint['port'])`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00
Fixing elb sync issues. (#641) * Fixing elb sync issues. * Fixing de-duplications of names. 2017-01-06 01:06:34 +01:00			`certificate_name = endpoint.pop('certificate_name')`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00
Fixing elb sync issues. (#641) * Fixing elb sync issues. * Fixing de-duplications of names. 2017-01-06 01:06:34 +01:00			`endpoint['certificate'] = certificate_service.get_by_name(certificate_name)`

			`if not endpoint['certificate']:`
Orphaned certificates (#406) * Fixing whitespace. * Fixing syncing. * Fixing tests 2016-07-28 22:08:24 +02:00			`current_app.logger.error(`
Fixing elb sync issues. (#641) * Fixing elb sync issues. * Fixing de-duplications of names. 2017-01-06 01:06:34 +01:00			`"Certificate Not Found. Name: {0} Endpoint: {1}".format(certificate_name, endpoint['name']))`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`continue`

			`policy = endpoint.pop('policy')`

			`policy_ciphers = []`
			`for nc in policy['ciphers']:`
			`policy_ciphers.append(endpoint_service.get_or_create_cipher(name=nc))`

			`policy['ciphers'] = policy_ciphers`
			`endpoint['policy'] = endpoint_service.get_or_create_policy(**policy)`
Improving endpoint rotation logic (#545) 2016-12-01 00:11:17 +01:00			`endpoint['source'] = source`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00
			`if not exists:`
Fixing an IAM syncing issue. Were duplicates were not properly sync'd… (#638) * Fixing an IAM syncing issue. Were duplicates were not properly sync'd with Lemur. This resulted in a visibility gap. Even 'duplicates' need to sync'd to Lemur such that we can track rotation correctly. Failing on duplicates lead to missing those certificates and the endpoints onto which they were deployed. This commit removes the duplicate handling altogether. * Fixing tests. 2017-01-05 02:46:47 +01:00			`current_app.logger.debug("Endpoint Created: Name: {name}".format(name=endpoint['name']))`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`endpoint_service.create(**endpoint)`
			`new += 1`

			`else:`
Ensures we can get multiple endpoints with the same name but different ports. (#1011) 2017-12-04 22:13:02 +01:00			`current_app.logger.debug("Endpoint Updated: {}".format(endpoint))`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`endpoint_service.update(exists.id, **endpoint)`
			`updated += 1`

Endpoint sync fixes (#604) 2016-12-15 19:26:59 +01:00			`return new, updated`
Fixing various problems with the syncing of endpoints, throttling sta… (#398) * Fixing various problems with the syncing of endpoints, throttling stale endpoints etc. 2016-07-12 17:40:49 +02:00
Closes #284 (#336) 2016-06-27 23:40:46 +02:00
Source plugin (#964) * Another minor fix. 2017-10-07 02:39:31 +02:00			`# TODO this is very slow as we don't batch update certificates`
Minor fixes. (#502) 2016-11-16 22:23:35 +01:00			`def sync_certificates(source, user):`
Adding more source syncing logic 2015-08-02 03:31:38 +02:00			`new, updated = 0, 0`

Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`current_app.logger.debug("Retrieving certificates from {0}".format(source.label))`
			`s = plugins.get(source.plugin_name)`
			`certificates = s.get_certificates(source.options)`

			`for certificate in certificates:`
Allow proper detection of zones, fix certificate detection 2018-08-14 23:37:45 +02:00			`exists = False`
Added get_by_attributes to the certificates service, for fetching certs based on arbitrary attributes. Also associated test and extra tests for other service methods 2018-10-17 17:42:09 +02:00
			`if certificate.get('search', None):`
			`conditions = certificate.pop('search')`
			`exists = certificate_service.get_by_attributes(conditions)`

			`if not exists and certificate.get('name'):`
Allow proper detection of zones, fix certificate detection 2018-08-14 23:37:45 +02:00			`result = certificate_service.get_by_name(certificate['name'])`
			`if result:`
			`exists = [result]`
Adding Digicert CIS Sourceplugin (#959) * Adding necessary features to complete backfill * Fixing pagination logic. 2017-10-05 01:56:01 +02:00
Allow proper detection of zones, fix certificate detection 2018-08-14 23:37:45 +02:00			`if not exists and certificate.get('serial'):`
Adding Digicert CIS Sourceplugin (#959) * Adding necessary features to complete backfill * Fixing pagination logic. 2017-10-05 01:56:01 +02:00			`exists = certificate_service.get_by_serial(certificate['serial'])`

Allow proper detection of zones, fix certificate detection 2018-08-14 23:37:45 +02:00			`if not exists:`
Adding Digicert CIS Sourceplugin (#959) * Adding necessary features to complete backfill * Fixing pagination logic. 2017-10-05 01:56:01 +02:00			`cert = parse_certificate(certificate['body'])`
Compare certificate hashes to determine if Lemur already has a synced certificate 2019-01-14 22:35:55 +01:00			`matching_serials = certificate_service.get_by_serial(serial(cert))`
			`exists = find_matching_certificates_by_hash(cert, matching_serials)`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00
Source syncing tweaks. (#705) * Allow owner to be specified when syncing certs. * Ensuring non-endpoint plugins don't fail to complete syncing. * Adding in some additional error handling. 2017-03-03 23:53:56 +01:00			`if not certificate.get('owner'):`
			`certificate['owner'] = user.email`

Minor fixes. (#502) 2016-11-16 22:23:35 +01:00			`certificate['creator'] = user`
Source plugin (#965) * Ensure that None values aren't passed. 2017-10-09 19:37:44 +02:00			`exists = [x for x in exists if x]`

Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`if not exists:`
			`certificate_create(certificate, source)`
			`new += 1`

			`else:`
Source plugin (#962) * Ensuring that we have default options for source plugins. * Handle duplicate serials. Serials are not unique across issuers. 2017-10-06 17:49:05 +02:00			`for e in exists:`
			`if certificate.get('external_id'):`
Source plugin (#964) * Another minor fix. 2017-10-07 02:39:31 +02:00			`e.external_id = certificate['external_id']`
fix for https://github.com/Netflix/lemur/issues/1045 (#1056) 2018-02-20 17:28:11 +01:00			`if certificate.get('authority_id'):`
			`e.authority_id = certificate['authority_id']`
Source plugin (#962) * Ensuring that we have default options for source plugins. * Handle duplicate serials. Serials are not unique across issuers. 2017-10-06 17:49:05 +02:00			`certificate_update(e, source)`
			`updated += 1`
Fixing an IAM syncing issue. Were duplicates were not properly sync'd… (#638) * Fixing an IAM syncing issue. Were duplicates were not properly sync'd with Lemur. This resulted in a visibility gap. Even 'duplicates' need to sync'd to Lemur such that we can track rotation correctly. Failing on duplicates lead to missing those certificates and the endpoints onto which they were deployed. This commit removes the duplicate handling altogether. * Fixing tests. 2017-01-05 02:46:47 +01:00
Endpoint sync fixes (#604) 2016-12-15 19:26:59 +01:00			`return new, updated`

Closes #284 (#336) 2016-06-27 23:40:46 +02:00
Minor fixes. (#502) 2016-11-16 22:23:35 +01:00			`def sync(source, user):`
Adding ability to modify ELBv2 endpoints. (#624) 2016-12-21 17:23:14 +01:00			`new_certs, updated_certs = sync_certificates(source, user)`
			`new_endpoints, updated_endpoints = sync_endpoints(source)`
Adding more source syncing logic 2015-08-02 03:31:38 +02:00
[WIP] - 422 elb rotate (#493) * Initial work on certificate rotation. * Adding ability to get additional certificate info. * - Adding endpoint rotation. - Removes the g requirement from all services to enable easier testing. 2016-11-18 20:27:46 +01:00			`source.last_run = arrow.utcnow()`
Orphaned certificates (#406) * Fixing whitespace. * Fixing syncing. * Fixing tests 2016-07-28 22:08:24 +02:00			`database.update(source)`

Adding ability to modify ELBv2 endpoints. (#624) 2016-12-21 17:23:14 +01:00			`return {'endpoints': (new_endpoints, updated_endpoints), 'certificates': (new_certs, updated_certs)}`
Endpoint sync fixes (#604) 2016-12-15 19:26:59 +01:00
Orphaned certificates (#406) * Fixing whitespace. * Fixing syncing. * Fixing tests 2016-07-28 22:08:24 +02:00
Adding backend code for sources models 2015-08-02 00:29:34 +02:00			`def create(label, plugin_name, options, description=None):`
			`"""`
			`Creates a new source, that can then be used as a source for certificates.`

			`:param label: Source common name`
Clean refactor (#635) * Adding rotation to the UI. * Removing spinkit dependency. * refactoring source cleaning 2016-12-27 19:31:33 +01:00			`:param plugin_name:`
			`:param options:`
Adding backend code for sources models 2015-08-02 00:29:34 +02:00			`:param description:`
			`:rtype : Source`
			`:return: New source`
			`"""`
			`source = Source(label=label, options=options, plugin_name=plugin_name, description=description)`
			`return database.create(source)`


			`def update(source_id, label, options, description):`
			`"""`
			`Updates an existing source.`

			`:param source_id: Lemur assigned ID`
			`:param label: Source common name`
Clean refactor (#635) * Adding rotation to the UI. * Removing spinkit dependency. * refactoring source cleaning 2016-12-27 19:31:33 +01:00			`:param options:`
			`:param description:`
Adding backend code for sources models 2015-08-02 00:29:34 +02:00			`:rtype : Source`
			`:return:`
			`"""`
			`source = get(source_id)`

			`source.label = label`
			`source.options = options`
			`source.description = description`

			`return database.update(source)`


			`def delete(source_id):`
			`"""`
			`Deletes an source.`

			`:param source_id: Lemur assigned ID`
			`"""`
			`database.delete(get(source_id))`


			`def get(source_id):`
			`"""`
Minor documentation fixes/tweaks (#597) Mostly typos, grammar errors and inconsistent indentation in code examples. Some errors detected using Topy (https://github.com/intgr/topy), all changes verified by hand. 2016-12-14 18:29:04 +01:00			`Retrieves an source by its lemur assigned ID.`
Adding backend code for sources models 2015-08-02 00:29:34 +02:00
			`:param source_id: Lemur assigned ID`
			`:rtype : Source`
			`:return:`
			`"""`
			`return database.get(Source, source_id)`


			`def get_by_label(label):`
			`"""`
Minor documentation fixes/tweaks (#597) Mostly typos, grammar errors and inconsistent indentation in code examples. Some errors detected using Topy (https://github.com/intgr/topy), all changes verified by hand. 2016-12-14 18:29:04 +01:00			`Retrieves a source by its label`
Adding backend code for sources models 2015-08-02 00:29:34 +02:00
			`:param label:`
			`:return:`
			`"""`
			`return database.get(Source, label, field='label')`


			`def get_all():`
			`"""`
			`Retrieves all source currently known by Lemur.`

			`:return:`
			`"""`
			`query = database.session_query(Source)`
			`return database.find_all(query, Source, {}).all()`


			`def render(args):`
			`filt = args.pop('filter')`
			`certificate_id = args.pop('certificate_id', None)`

			`if certificate_id:`
			`query = database.session_query(Source).join(Certificate, Source.certificate)`
			`query = query.filter(Certificate.id == certificate_id)`
			`else:`
			`query = database.session_query(Source)`

			`if filt:`
			`terms = filt.split(';')`
			`query = database.filter(query, Source, terms)`

Marsmallowing sources (#310) 2016-05-10 22:16:33 +02:00			`return database.sort_and_page(query, Source, args)`