lemur/lemur/certificates/schemas.py

"""
.. module: lemur.certificates.schemas
    :platform: unix
    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
from flask import current_app
from marshmallow import fields, validates_schema, post_load, pre_load
from marshmallow.exceptions import ValidationError

from lemur.schemas import AssociatedAuthoritySchema, AssociatedDestinationSchema, AssociatedCertificateSchema, \
    AssociatedNotificationSchema, PluginInputSchema, ExtensionSchema, AssociatedRoleSchema, EndpointNestedOutputSchema

from lemur.authorities.schemas import AuthorityNestedOutputSchema
from lemur.destinations.schemas import DestinationNestedOutputSchema
from lemur.notifications.schemas import NotificationNestedOutputSchema
from lemur.roles.schemas import RoleNestedOutputSchema
from lemur.domains.schemas import DomainNestedOutputSchema
from lemur.users.schemas import UserNestedOutputSchema

from lemur.common.schema import LemurInputSchema, LemurOutputSchema
from lemur.common import validators, missing
from lemur.notifications import service as notification_service


class CertificateSchema(LemurInputSchema):
    owner = fields.Email(required=True)
    description = fields.String()


class CertificateCreationSchema(CertificateSchema):
    @post_load
    def default_notification(self, data):
        if not data['notifications']:
            notification_name = "DEFAULT_{0}".format(data['owner'].split('@')[0].upper())
            data['notifications'] += notification_service.create_default_expiration_notifications(notification_name, [data['owner']])

        notification_name = 'DEFAULT_SECURITY'
        data['notifications'] += notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
        return data


class CertificateInputSchema(CertificateCreationSchema):
    name = fields.String()
    common_name = fields.String(required=True, validate=validators.sensitive_domain)
    authority = fields.Nested(AssociatedAuthoritySchema, required=True)

    validity_start = fields.DateTime()
    validity_end = fields.DateTime()
    validity_years = fields.Integer()

    destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
    notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
    replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)

    csr = fields.String(validate=validators.csr)

    # certificate body fields
    organizational_unit = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT'))
    organization = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'))
    location = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_LOCATION'))
    country = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_COUNTRY'))
    state = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_STATE'))

    extensions = fields.Nested(ExtensionSchema)

    @validates_schema
    def validate_dates(self, data):
        validators.dates(data)

    @pre_load
    def ensure_dates(self, data):
        return missing.convert_validity_years(data)


class CertificateEditInputSchema(CertificateSchema):
    active = fields.Boolean()
    destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
    notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
    replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)


class CertificateNestedOutputSchema(LemurOutputSchema):
    __envelope__ = False
    id = fields.Integer()
    active = fields.Boolean()
    bits = fields.Integer()
    body = fields.String()
    chain = fields.String()
    description = fields.String()
    name = fields.String()
    cn = fields.String()
    not_after = fields.DateTime()
    not_before = fields.DateTime()
    owner = fields.Email()
    status = fields.Boolean()
    creator = fields.Nested(UserNestedOutputSchema)
    issuer = fields.Nested(AuthorityNestedOutputSchema)


class CertificateOutputSchema(LemurOutputSchema):
    id = fields.Integer()
    active = fields.Boolean()
    bits = fields.Integer()
    body = fields.String()
    chain = fields.String()
    deleted = fields.Boolean(default=False)
    description = fields.String()
    issuer = fields.String()
    name = fields.String()
    cn = fields.String()
    not_after = fields.DateTime()
    not_before = fields.DateTime()
    owner = fields.Email()
    san = fields.Boolean()
    serial = fields.String()
    signing_algorithm = fields.String()
    status = fields.Boolean()
    user = fields.Nested(UserNestedOutputSchema)
    domains = fields.Nested(DomainNestedOutputSchema, many=True)
    destinations = fields.Nested(DestinationNestedOutputSchema, many=True)
    notifications = fields.Nested(NotificationNestedOutputSchema, many=True)
    replaces = fields.Nested(CertificateNestedOutputSchema, many=True)
    authority = fields.Nested(AuthorityNestedOutputSchema)
    roles = fields.Nested(RoleNestedOutputSchema, many=True)
    endpoints = fields.Nested(EndpointNestedOutputSchema, many=True, missing=[])


class CertificateUploadInputSchema(CertificateCreationSchema):
    name = fields.String()
    active = fields.Boolean(missing=True)

    private_key = fields.String(validate=validators.private_key)
    body = fields.String(required=True, validate=validators.public_certificate)
    chain = fields.String(validate=validators.public_certificate)  # TODO this could be multiple certificates

    destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
    notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
    replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)

    @validates_schema
    def keys(self, data):
        if data.get('destinations'):
            if not data.get('private_key'):
                raise ValidationError('Destinations require private key.')


class CertificateExportInputSchema(LemurInputSchema):
    plugin = fields.Nested(PluginInputSchema)


certificate_input_schema = CertificateInputSchema()
certificate_output_schema = CertificateOutputSchema()
certificates_output_schema = CertificateOutputSchema(many=True)
certificate_upload_input_schema = CertificateUploadInputSchema()
certificate_export_input_schema = CertificateExportInputSchema()
certificate_edit_input_schema = CertificateEditInputSchema()
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`"""`
			`.. module: lemur.certificates.schemas`
			`:platform: unix`
			`:copyright: (c) 2015 by Netflix Inc., see AUTHORS for more`
			`:license: Apache, see LICENSE for more details.`
			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`
			`"""`
			`from flask import current_app`
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`from marshmallow import fields, validates_schema, post_load, pre_load`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`from marshmallow.exceptions import ValidationError`

			`from lemur.schemas import AssociatedAuthoritySchema, AssociatedDestinationSchema, AssociatedCertificateSchema, \`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`AssociatedNotificationSchema, PluginInputSchema, ExtensionSchema, AssociatedRoleSchema, EndpointNestedOutputSchema`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00
			`from lemur.authorities.schemas import AuthorityNestedOutputSchema`
			`from lemur.destinations.schemas import DestinationNestedOutputSchema`
			`from lemur.notifications.schemas import NotificationNestedOutputSchema`
Making roles more apparent for certificates and authorities. (#327) 2016-05-20 21:48:12 +02:00			`from lemur.roles.schemas import RoleNestedOutputSchema`
Closes #147 (#328) * Closes #147 * Fixing tests * Ensuring we can validate max dates. 2016-05-23 20:28:25 +02:00			`from lemur.domains.schemas import DomainNestedOutputSchema`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00			`from lemur.users.schemas import UserNestedOutputSchema`

Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`from lemur.common.schema import LemurInputSchema, LemurOutputSchema`
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`from lemur.common import validators, missing`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`from lemur.notifications import service as notification_service`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00

Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`class CertificateSchema(LemurInputSchema):`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`owner = fields.Email(required=True)`
			`description = fields.String()`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00
Fixed an issue were default notifications were added even when updati… (#395) * Fixed an issue were default notifications were added even when updating a certificate, resulting in duplicate notifications. * Ensuring imported certificates get the same treatment. 2016-07-07 20:44:11 +02:00
			`class CertificateCreationSchema(CertificateSchema):`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`@post_load`
Fixed an issue were default notifications were added even when updati… (#395) * Fixed an issue were default notifications were added even when updating a certificate, resulting in duplicate notifications. * Ensuring imported certificates get the same treatment. 2016-07-07 20:44:11 +02:00			`def default_notification(self, data):`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`if not data['notifications']:`
			`notification_name = "DEFAULT_{0}".format(data['owner'].split('@')[0].upper())`
			`data['notifications'] += notification_service.create_default_expiration_notifications(notification_name, [data['owner']])`

			`notification_name = 'DEFAULT_SECURITY'`
			`data['notifications'] += notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))`
			`return data`


Fixed an issue were default notifications were added even when updati… (#395) * Fixed an issue were default notifications were added even when updating a certificate, resulting in duplicate notifications. * Ensuring imported certificates get the same treatment. 2016-07-07 20:44:11 +02:00			`class CertificateInputSchema(CertificateCreationSchema):`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`name = fields.String()`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`common_name = fields.String(required=True, validate=validators.sensitive_domain)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`authority = fields.Nested(AssociatedAuthoritySchema, required=True)`

			`validity_start = fields.DateTime()`
			`validity_end = fields.DateTime()`
			`validity_years = fields.Integer()`

			`destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)`
			`notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)`
			`replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)`
Making roles more apparent for certificates and authorities. (#327) 2016-05-20 21:48:12 +02:00			`roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`csr = fields.String(validate=validators.csr)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
			`# certificate body fields`
			`organizational_unit = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT'))`
			`organization = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'))`
			`location = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_LOCATION'))`
			`country = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_COUNTRY'))`
			`state = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_STATE'))`

			`extensions = fields.Nested(ExtensionSchema)`

			`@validates_schema`
			`def validate_dates(self, data):`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`validators.dates(data)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00			`@pre_load`
			`def ensure_dates(self, data):`
Adds option to restrict certificate expiration dates to weekdays. (#453) * Adding ability to restrict certificate creation to weekdays. * Ensuring that we test for weekends. 2016-10-15 09:04:35 +02:00			`return missing.convert_validity_years(data)`
Adding a toy certificate authority. (#378) 2016-06-29 18:05:39 +02:00
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`class CertificateEditInputSchema(CertificateSchema):`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00			`active = fields.Boolean()`
			`destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)`
			`notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)`
			`replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)`
Making roles more apparent for certificates and authorities. (#327) 2016-05-20 21:48:12 +02:00			`roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00

			`class CertificateNestedOutputSchema(LemurOutputSchema):`
			`__envelope__ = False`
			`id = fields.Integer()`
			`active = fields.Boolean()`
			`bits = fields.Integer()`
			`body = fields.String()`
			`chain = fields.String()`
			`description = fields.String()`
			`name = fields.String()`
			`cn = fields.String()`
			`not_after = fields.DateTime()`
			`not_before = fields.DateTime()`
			`owner = fields.Email()`
			`status = fields.Boolean()`
			`creator = fields.Nested(UserNestedOutputSchema)`
			`issuer = fields.Nested(AuthorityNestedOutputSchema)`


Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`class CertificateOutputSchema(LemurOutputSchema):`
			`id = fields.Integer()`
			`active = fields.Boolean()`
			`bits = fields.Integer()`
			`body = fields.String()`
			`chain = fields.String()`
			`deleted = fields.Boolean(default=False)`
			`description = fields.String()`
			`issuer = fields.String()`
			`name = fields.String()`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00			`cn = fields.String()`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`not_after = fields.DateTime()`
			`not_before = fields.DateTime()`
			`owner = fields.Email()`
			`san = fields.Boolean()`
			`serial = fields.String()`
			`signing_algorithm = fields.String()`
			`status = fields.Boolean()`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00			`user = fields.Nested(UserNestedOutputSchema)`
Fixes (#332) * Ensuring domains are returned correctly. * Ensuring certificates receive owner role 2016-05-25 02:10:19 +02:00			`domains = fields.Nested(DomainNestedOutputSchema, many=True)`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00			`destinations = fields.Nested(DestinationNestedOutputSchema, many=True)`
			`notifications = fields.Nested(NotificationNestedOutputSchema, many=True)`
			`replaces = fields.Nested(CertificateNestedOutputSchema, many=True)`
			`authority = fields.Nested(AuthorityNestedOutputSchema)`
Making roles more apparent for certificates and authorities. (#327) 2016-05-20 21:48:12 +02:00			`roles = fields.Nested(RoleNestedOutputSchema, many=True)`
Closes #284 (#336) 2016-06-27 23:40:46 +02:00			`endpoints = fields.Nested(EndpointNestedOutputSchema, many=True, missing=[])`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00

Fixed an issue were default notifications were added even when updati… (#395) * Fixed an issue were default notifications were added even when updating a certificate, resulting in duplicate notifications. * Ensuring imported certificates get the same treatment. 2016-07-07 20:44:11 +02:00			`class CertificateUploadInputSchema(CertificateCreationSchema):`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00			`name = fields.String()`
			`active = fields.Boolean(missing=True)`

Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`private_key = fields.String(validate=validators.private_key)`
Fixing a few things, adding tests. (#326) 2016-05-20 18:03:34 +02:00			`body = fields.String(required=True, validate=validators.public_certificate)`
Authorities marshmallow addition (#303) 2016-05-09 20:00:16 +02:00			`chain = fields.String(validate=validators.public_certificate) # TODO this could be multiple certificates`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
			`destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)`
			`notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)`
			`replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)`
Making roles more apparent for certificates and authorities. (#327) 2016-05-20 21:48:12 +02:00			`roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00
			`@validates_schema`
			`def keys(self, data):`
			`if data.get('destinations'):`
			`if not data.get('private_key'):`
			`raise ValidationError('Destinations require private key.')`


			`class CertificateExportInputSchema(LemurInputSchema):`
254 duplication certificate name (#319) 2016-05-17 00:59:40 +02:00			`plugin = fields.Nested(PluginInputSchema)`
Closes #278 and #199, Starting transition to marshmallow (#299) * Closes #278 and #199, Starting transition to marshmallow 2016-05-05 21:52:08 +02:00

			`certificate_input_schema = CertificateInputSchema()`
			`certificate_output_schema = CertificateOutputSchema()`
			`certificates_output_schema = CertificateOutputSchema(many=True)`
			`certificate_upload_input_schema = CertificateUploadInputSchema()`
			`certificate_export_input_schema = CertificateExportInputSchema()`
Fixing various issues. (#318) * Fixing various issues. * Fixing tests 2016-05-16 20:09:50 +02:00			`certificate_edit_input_schema = CertificateEditInputSchema()`