Merge branch 'master' into re-enable-gulp-backend-proxy
This commit is contained in:
commit
0de42fdf0f
|
@ -113,7 +113,10 @@ def retrieve_user(user_api_url, access_token):
|
||||||
user_params = dict(access_token=access_token, schema='profile')
|
user_params = dict(access_token=access_token, schema='profile')
|
||||||
|
|
||||||
# retrieve information about the current user.
|
# retrieve information about the current user.
|
||||||
r = requests.get(user_api_url, params=user_params)
|
r = requests.get(
|
||||||
|
user_api_url,
|
||||||
|
params=user_params,
|
||||||
|
headers={'Authorization': 'Bearer {}'.format(access_token)})
|
||||||
profile = r.json()
|
profile = r.json()
|
||||||
|
|
||||||
user = user_service.get_by_email(profile['email'])
|
user = user_service.get_by_email(profile['email'])
|
||||||
|
|
|
@ -66,8 +66,9 @@ def create_txt_record(host, value, account_number):
|
||||||
return zone_id, r['id']
|
return zone_id, r['id']
|
||||||
|
|
||||||
|
|
||||||
def delete_txt_record(change_id, account_number, host, value):
|
def delete_txt_record(change_ids, account_number, host, value):
|
||||||
cf = cf_api_call()
|
cf = cf_api_call()
|
||||||
|
for change_id in change_ids:
|
||||||
zone_id, record_id = change_id
|
zone_id, record_id = change_id
|
||||||
current_app.logger.debug("Removing record with id {0}".format(record_id))
|
current_app.logger.debug("Removing record with id {0}".format(record_id))
|
||||||
try:
|
try:
|
||||||
|
|
|
@ -17,11 +17,122 @@ from flask import current_app
|
||||||
from lemur.common.defaults import common_name
|
from lemur.common.defaults import common_name
|
||||||
from lemur.common.utils import parse_certificate
|
from lemur.common.utils import parse_certificate
|
||||||
from lemur.plugins.bases import DestinationPlugin
|
from lemur.plugins.bases import DestinationPlugin
|
||||||
|
from lemur.plugins.bases import SourcePlugin
|
||||||
|
|
||||||
from cryptography import x509
|
from cryptography import x509
|
||||||
from cryptography.hazmat.backends import default_backend
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
|
||||||
|
|
||||||
|
class VaultSourcePlugin(SourcePlugin):
|
||||||
|
""" Class for importing certificates from Hashicorp Vault"""
|
||||||
|
title = 'Vault'
|
||||||
|
slug = 'vault-source'
|
||||||
|
description = 'Discovers all certificates in a given path'
|
||||||
|
|
||||||
|
author = 'Christopher Jolley'
|
||||||
|
author_url = 'https://github.com/alwaysjolley/lemur'
|
||||||
|
|
||||||
|
options = [
|
||||||
|
{
|
||||||
|
'name': 'vaultUrl',
|
||||||
|
'type': 'str',
|
||||||
|
'required': True,
|
||||||
|
'validation': '^https?://[a-zA-Z0-9.:-]+$',
|
||||||
|
'helpMessage': 'Valid URL to Hashi Vault instance'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'name': 'vaultKvApiVersion',
|
||||||
|
'type': 'select',
|
||||||
|
'value': '2',
|
||||||
|
'available': [
|
||||||
|
'1',
|
||||||
|
'2'
|
||||||
|
],
|
||||||
|
'required': True,
|
||||||
|
'helpMessage': 'Version of the Vault KV API to use'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'name': 'vaultAuthTokenFile',
|
||||||
|
'type': 'str',
|
||||||
|
'required': True,
|
||||||
|
'validation': '(/[^/]+)+',
|
||||||
|
'helpMessage': 'Must be a valid file path!'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'name': 'vaultMount',
|
||||||
|
'type': 'str',
|
||||||
|
'required': True,
|
||||||
|
'validation': r'^\S+$',
|
||||||
|
'helpMessage': 'Must be a valid Vault secrets mount name!'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'name': 'vaultPath',
|
||||||
|
'type': 'str',
|
||||||
|
'required': True,
|
||||||
|
'validation': '^([a-zA-Z0-9_-]+/?)+$',
|
||||||
|
'helpMessage': 'Must be a valid Vault secrets path'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'name': 'objectName',
|
||||||
|
'type': 'str',
|
||||||
|
'required': True,
|
||||||
|
'validation': '[0-9a-zA-Z:_-]+',
|
||||||
|
'helpMessage': 'Object Name to search'
|
||||||
|
},
|
||||||
|
]
|
||||||
|
|
||||||
|
def get_certificates(self, options, **kwargs):
|
||||||
|
"""Pull certificates from objects in Hashicorp Vault"""
|
||||||
|
data = []
|
||||||
|
cert = []
|
||||||
|
body = ''
|
||||||
|
url = self.get_option('vaultUrl', options)
|
||||||
|
token_file = self.get_option('vaultAuthTokenFile', options)
|
||||||
|
mount = self.get_option('vaultMount', options)
|
||||||
|
path = self.get_option('vaultPath', options)
|
||||||
|
obj_name = self.get_option('objectName', options)
|
||||||
|
api_version = self.get_option('vaultKvApiVersion', options)
|
||||||
|
cert_filter = '-----BEGIN CERTIFICATE-----'
|
||||||
|
cert_delimiter = '-----END CERTIFICATE-----'
|
||||||
|
|
||||||
|
with open(token_file, 'r') as tfile:
|
||||||
|
token = tfile.readline().rstrip('\n')
|
||||||
|
|
||||||
|
client = hvac.Client(url=url, token=token)
|
||||||
|
client.secrets.kv.default_kv_version = api_version
|
||||||
|
|
||||||
|
path = '{0}/{1}'.format(path, obj_name)
|
||||||
|
|
||||||
|
secret = get_secret(client, mount, path)
|
||||||
|
for cname in secret['data']:
|
||||||
|
if 'crt' in secret['data'][cname]:
|
||||||
|
cert = secret['data'][cname]['crt'].split(cert_delimiter + '\n')
|
||||||
|
elif 'pem' in secret['data'][cname]:
|
||||||
|
cert = secret['data'][cname]['pem'].split(cert_delimiter + '\n')
|
||||||
|
else:
|
||||||
|
for key in secret['data'][cname]:
|
||||||
|
if secret['data'][cname][key].startswith(cert_filter):
|
||||||
|
cert = secret['data'][cname][key].split(cert_delimiter + '\n')
|
||||||
|
break
|
||||||
|
body = cert[0] + cert_delimiter
|
||||||
|
if 'chain' in secret['data'][cname]:
|
||||||
|
chain = secret['data'][cname]['chain']
|
||||||
|
elif len(cert) > 1:
|
||||||
|
if cert[1].startswith(cert_filter):
|
||||||
|
chain = cert[1] + cert_delimiter
|
||||||
|
else:
|
||||||
|
chain = None
|
||||||
|
else:
|
||||||
|
chain = None
|
||||||
|
data.append({'body': body, 'chain': chain, 'name': cname})
|
||||||
|
return [dict(body=c['body'], chain=c.get('chain'), name=c['name']) for c in data]
|
||||||
|
|
||||||
|
def get_endpoints(self, options, **kwargs):
|
||||||
|
""" Not implemented yet """
|
||||||
|
endpoints = []
|
||||||
|
return endpoints
|
||||||
|
|
||||||
|
|
||||||
class VaultDestinationPlugin(DestinationPlugin):
|
class VaultDestinationPlugin(DestinationPlugin):
|
||||||
"""Hashicorp Vault Destination plugin for Lemur"""
|
"""Hashicorp Vault Destination plugin for Lemur"""
|
||||||
title = 'Vault'
|
title = 'Vault'
|
||||||
|
@ -61,7 +172,7 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
'name': 'vaultMount',
|
'name': 'vaultMount',
|
||||||
'type': 'str',
|
'type': 'str',
|
||||||
'required': True,
|
'required': True,
|
||||||
'validation': '^\S+$',
|
'validation': r'^\S+$',
|
||||||
'helpMessage': 'Must be a valid Vault secrets mount name!'
|
'helpMessage': 'Must be a valid Vault secrets mount name!'
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -85,6 +196,7 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
'available': [
|
'available': [
|
||||||
'Nginx',
|
'Nginx',
|
||||||
'Apache',
|
'Apache',
|
||||||
|
'PEM',
|
||||||
'no chain'
|
'no chain'
|
||||||
],
|
],
|
||||||
'required': True,
|
'required': True,
|
||||||
|
@ -136,8 +248,8 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
"Exception compiling regex filter: invalid filter",
|
"Exception compiling regex filter: invalid filter",
|
||||||
exc_info=True)
|
exc_info=True)
|
||||||
|
|
||||||
with open(token_file, 'r') as file:
|
with open(token_file, 'r') as tfile:
|
||||||
token = file.readline().rstrip('\n')
|
token = tfile.readline().rstrip('\n')
|
||||||
|
|
||||||
client = hvac.Client(url=url, token=token)
|
client = hvac.Client(url=url, token=token)
|
||||||
client.secrets.kv.default_kv_version = api_version
|
client.secrets.kv.default_kv_version = api_version
|
||||||
|
@ -150,11 +262,15 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
secret = get_secret(client, mount, path)
|
secret = get_secret(client, mount, path)
|
||||||
secret['data'][cname] = {}
|
secret['data'][cname] = {}
|
||||||
|
|
||||||
if bundle == 'Nginx' and cert_chain:
|
if bundle == 'Nginx':
|
||||||
secret['data'][cname]['crt'] = '{0}\n{1}'.format(body, cert_chain)
|
secret['data'][cname]['crt'] = '{0}\n{1}'.format(body, cert_chain)
|
||||||
elif bundle == 'Apache' and cert_chain:
|
secret['data'][cname]['key'] = private_key
|
||||||
|
elif bundle == 'Apache':
|
||||||
secret['data'][cname]['crt'] = body
|
secret['data'][cname]['crt'] = body
|
||||||
secret['data'][cname]['chain'] = cert_chain
|
secret['data'][cname]['chain'] = cert_chain
|
||||||
|
secret['data'][cname]['key'] = private_key
|
||||||
|
elif bundle == 'PEM':
|
||||||
|
secret['data'][cname]['pem'] = '{0}\n{1}\n{2}'.format(body, cert_chain, private_key)
|
||||||
else:
|
else:
|
||||||
secret['data'][cname]['crt'] = body
|
secret['data'][cname]['crt'] = body
|
||||||
secret['data'][cname]['key'] = private_key
|
secret['data'][cname]['key'] = private_key
|
||||||
|
@ -184,7 +300,7 @@ def get_san_list(body):
|
||||||
|
|
||||||
|
|
||||||
def get_secret(client, mount, path):
|
def get_secret(client, mount, path):
|
||||||
""" retreiive existing data from mount path and return dictionary """
|
""" retreive existing data from mount path and return dictionary """
|
||||||
result = {'data': {}}
|
result = {'data': {}}
|
||||||
try:
|
try:
|
||||||
if client.secrets.kv.default_kv_version == '1':
|
if client.secrets.kv.default_kv_version == '1':
|
||||||
|
|
1
setup.py
1
setup.py
|
@ -155,6 +155,7 @@ setup(
|
||||||
'digicert_cis_source = lemur.plugins.lemur_digicert.plugin:DigiCertCISSourcePlugin',
|
'digicert_cis_source = lemur.plugins.lemur_digicert.plugin:DigiCertCISSourcePlugin',
|
||||||
'csr_export = lemur.plugins.lemur_csr.plugin:CSRExportPlugin',
|
'csr_export = lemur.plugins.lemur_csr.plugin:CSRExportPlugin',
|
||||||
'sftp_destination = lemur.plugins.lemur_sftp.plugin:SFTPDestinationPlugin',
|
'sftp_destination = lemur.plugins.lemur_sftp.plugin:SFTPDestinationPlugin',
|
||||||
|
'vault_source = lemur.plugins.lemur_vault_dest.plugin:VaultSourcePlugin',
|
||||||
'vault_desination = lemur.plugins.lemur_vault_dest.plugin:VaultDestinationPlugin',
|
'vault_desination = lemur.plugins.lemur_vault_dest.plugin:VaultDestinationPlugin',
|
||||||
'adcs_issuer = lemur.plugins.lemur_adcs.plugin:ADCSIssuerPlugin',
|
'adcs_issuer = lemur.plugins.lemur_adcs.plugin:ADCSIssuerPlugin',
|
||||||
'adcs_source = lemur.plugins.lemur_adcs.plugin:ADCSSourcePlugin'
|
'adcs_source = lemur.plugins.lemur_adcs.plugin:ADCSSourcePlugin'
|
||||||
|
|
Loading…
Reference in New Issue