From 4b7a55c89f1031e5d599ca355dae767ec226f127 Mon Sep 17 00:00:00 2001
From: kevgliss
Date: Fri, 21 Aug 2015 16:08:53 -0700
Subject: [PATCH 1/5] Fixing issue with a certificate with no role not being viewable
---
lemur/certificates/views.py | 13 ++++++-------
lemur/utils.py | 1 +
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/lemur/certificates/views.py b/lemur/certificates/views.py
index 3e10b7fb..7cde93bc 100644
--- a/lemur/certificates/views.py
+++ b/lemur/certificates/views.py
@@ -446,14 +446,13 @@ class CertificatePrivateKey(AuthenticatedResource):
 role = role_service.get_by_name(cert.owner)
- if role:
- permission = ViewKeyPermission(certificate_id, role.name)
+ permission = ViewKeyPermission(certificate_id, getattr(role, 'name', None))
- if permission.can():
- response = make_response(jsonify(key=cert.private_key), 200)
- response.headers['cache-control'] = 'private, max-age=0, no-cache, no-store'
- response.headers['pragma'] = 'no-cache'
- return response
+ if permission.can():
+ response = make_response(jsonify(key=cert.private_key), 200)
+ response.headers['cache-control'] = 'private, max-age=0, no-cache, no-store'
+ response.headers['pragma'] = 'no-cache'
+ return response
 return dict(message='You are not authorized to view this key'), 403
diff --git a/lemur/utils.py b/lemur/utils.py
index 1ea73759..41b054c3 100644
--- a/lemur/utils.py
+++ b/lemur/utils.py
@@ -17,4 +17,5 @@ def get_key():
 try:
 return current_app.config.get('LEMUR_ENCRYPTION_KEY').strip()
 except RuntimeError:
+ print("No Encryption Key Found")
 return ''
From a07db5625ba76c64d69e09e1190af21e251bd1f2 Mon Sep 17 00:00:00 2001
From: kevgliss
Date: Sat, 22 Aug 2015 10:22:36 -0700
Subject: [PATCH 2/5] Fixing an issue were extensions were implicitly required
---
lemur/certificates/service.py | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 8dbc7597..8a1e20fa 100644
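Review bot: With the `if role:` guard removed, a certificate whose owner has no matching role now builds `ViewKeyPermission(certificate_id, None)`, so `RoleNeed(None)` sits among the needs that unlock `cert.private_key`; that is only safe if no identity is ever granted a role literally valued `None`, and nothing in the hunk states that assumption. A comment above the new `permission = ...` line would pin it down, e.g. `# owner may have no role; RoleNeed(None) is expected to match no identity, so only creator or admin can pass — confirm`. The `getattr(role, 'name', None)` also hides the `role is None` case the removed branch made explicit; `role.name if role else None` reads as the intent. The enclosing method of `CertificatePrivateKey` starts before this hunk.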
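Review bot: The new `print("No Encryption Key Found")` fires on `RuntimeError`, which is what `current_app` raises when no application context is active, not what a missing `LEMUR_ENCRYPTION_KEY` produces — an unset key makes `.get(...)` return `None` and `.strip()` raise `AttributeError`, which this handler does not catch. The message is therefore misleading, and `print` in library code bypasses the logging pipeline; with a module-level `import logging`, `logging.getLogger(__name__).warning("LEMUR_ENCRYPTION_KEY lookup failed: no application context")` would be accurate and routable, and the stdlib logger works here precisely because no Flask context is available. Returning `''` as the encryption key also deserves a comment on why callers tolerate an empty key, which is not visible in this hunk. The `def get_key():` line is outside the hunk.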
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -320,17 +320,18 @@ def create_csr(csr_config):
 x509.BasicConstraints(ca=False, path_length=None),
 critical=True,
 )
- for k, v in csr_config.get('extensions', {}).items():
- if k == 'subAltNames':
- # map types to their x509 objects
- general_names = []
- for name in v['names']:
- if name['nameType'] == 'DNSName':
- general_names.append(x509.DNSName(name['value']))
+ if csr_config.get('extensions'):
+ for k, v in csr_config.get('extensions', {}).items():
+ if k == 'subAltNames':
+ # map types to their x509 objects
+ general_names = []
+ for name in v['names']:
+ if name['nameType'] == 'DNSName':
+ general_names.append(x509.DNSName(name['value']))
- builder = builder.add_extension(
- x509.SubjectAlternativeName(general_names), critical=True
- )
+ builder = builder.add_extension(
+ x509.SubjectAlternativeName(general_names), critical=True
+ )
 # TODO support more CSR options, none of the authority plugins currently support these options
 # builder.add_extension(
From 45c442000e3511edd48c1763ddf7561823628abe Mon Sep 17 00:00:00 2001
From: kevgliss
Date: Sat, 22 Aug 2015 10:56:15 -0700
Subject: [PATCH 3/5] Fixing some unfortunate casting that prevent creators from viewing/updating their certs
---
lemur/auth/permissions.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lemur/auth/permissions.py b/lemur/auth/permissions.py
index c07119d4..13d8f6e1 100644
--- a/lemur/auth/permissions.py
+++ b/lemur/auth/permissions.py
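Review bot: The new `if csr_config.get('extensions'):` guard leaves the `.get('extensions', {})` default on the next line unreachable and performs the lookup twice; `for k, v in (csr_config.get('extensions') or {}).items():` handles both a missing key and an explicit `None` in one line without the extra nesting. Inside the loop, any entry whose `nameType` is not `'DNSName'` is still dropped silently, so a request for another SAN type yields a CSR without it and no error to the requester; an explicit `raise`, or at least a log line, on an unrecognised `nameType` would make that visible. If every entry is skipped, `x509.SubjectAlternativeName(general_names)` is added with an empty list — whether that is accepted downstream cannot be seen from this hunk. `create_csr` starts before this hunk and continues after it.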
@@ -21,13 +21,13 @@ CertificateCreatorNeed = partial(CertificateCreator, 'key')
 class ViewKeyPermission(Permission):
 def __init__(self, certificate_id, owner):
- c_need = CertificateCreatorNeed(str(certificate_id))
+ c_need = CertificateCreatorNeed(certificate_id)
 super(ViewKeyPermission, self).__init__(c_need, RoleNeed(owner), RoleNeed('admin'))
 class UpdateCertificatePermission(Permission):
 def __init__(self, certificate_id, owner):
- c_need = CertificateCreatorNeed(str(certificate_id))
+ c_need = CertificateCreatorNeed(certificate_id)
 super(UpdateCertificatePermission, self).__init__(c_need, RoleNeed(owner), RoleNeed('admin'))
From b4c348aef74e61632c5029f0677bd5fb403981fb Mon Sep 17 00:00:00 2001
From: kevgliss
Date: Mon, 24 Aug 2015 09:41:03 -0700
Subject: [PATCH 4/5] switching out default orgname
---
.../angular/certificates/certificate/distinguishedName.tpl.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html
index e2262213..356653b1 100644
--- a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html
+++ b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html
@@ -36,7 +36,7 @@ Organization
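Review bot: Dropping the `str()` cast makes both creator checks depend on `certificate_id` arriving with exactly the type the identity's `CertificateCreator` needs were built with — a `Need` is a namedtuple, so `('key', 1)` never equals `('key', '1')` — and the identity side that fixes that type is not in this diff. That contract is now implicit at both `c_need = CertificateCreatorNeed(certificate_id)` lines; a comment such as `# no str() cast: must match the type the identity loader stores in its CertificateCreator needs` would keep the cast from being reintroduced. Patch 1 of this series can also pass `owner=None` into these constructors, which yields `RoleNeed(None)`; if that is meant as a never-matching need, it deserves a note here as well.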
- +

You must enter a organization

From 75de814b15c9556e8b83dbaa7f64969316e81bb0 Mon Sep 17 00:00:00 2001
From: kevgliss
Date: Mon, 24 Aug 2015 09:43:30 -0700
Subject: [PATCH 5/5] Adding new verisign error
---
lemur/plugins/lemur_verisign/plugin.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/lemur/plugins/lemur_verisign/plugin.py b/lemur/plugins/lemur_verisign/plugin.py
index 5b2ee94a..930b2574 100644
--- a/lemur/plugins/lemur_verisign/plugin.py
+++ b/lemur/plugins/lemur_verisign/plugin.py
@@ -56,6 +56,7 @@ VERISIGN_ERRORS = {
 "0x4828": "Verisign certificates can be at most two years in length",
 "0x3043": "Certificates must have a validity of at least 1 day",
 "0x950b": "CSR: Invalid State",
+ "0x3105": "Organization Name Not Matched",
 }