From 77cec4fde94e25dd2a11b4bceae206f98e1b1da5 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 5 Feb 2020 19:11:36 +0300
Subject: [PATCH 01/17] Fix ssl env. Add issuer and authority
---
 docker/src/lemur.conf.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py
index 0f294b28..7c98227f 100644
--- a/docker/src/lemur.conf.py
+++ b/docker/src/lemur.conf.py
@@ -17,11 +17,14 @@ LEMUR_EMAIL = ''
 LEMUR_SECURITY_TEAM_EMAIL = []
-LEMUR_DEFAULT_COUNTRY = repr(os.environ.get('LEMUR_DEFAULT_COUNTRY',''))
-LEMUR_DEFAULT_STATE = repr(os.environ.get('LEMUR_DEFAULT_STATE',''))
-LEMUR_DEFAULT_LOCATION = repr(os.environ.get('LEMUR_DEFAULT_LOCATION',''))
-LEMUR_DEFAULT_ORGANIZATION = repr(os.environ.get('LEMUR_DEFAULT_ORGANIZATION',''))
-LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = repr(os.environ.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT',''))
+LEMUR_DEFAULT_COUNTRY = str(os.environ.get('LEMUR_DEFAULT_COUNTRY',''))
+LEMUR_DEFAULT_STATE = str(os.environ.get('LEMUR_DEFAULT_STATE',''))
+LEMUR_DEFAULT_LOCATION = str(os.environ.get('LEMUR_DEFAULT_LOCATION',''))
+LEMUR_DEFAULT_ORGANIZATION = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATION',''))
+LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT',''))
+
+LEMUR_DEFAULT_ISSUER_PLUGIN = str(os.environ.get('LEMUR_DEFAULT_ISSUER_PLUGIN',''))
+LEMUR_DEFAULT_AUTHORITY = str(os.environ.get('LEMUR_DEFAULT_AUTHORITY',''))
 ACTIVE_PROVIDERS = []
From 9612d291ed4fc17eb07ce5e71d1e34a4e3cf3f70 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Tue, 18 Feb 2020 19:16:27 +0300
Subject: [PATCH 02/17] Add path suffix options
---
 lemur/plugins/lemur_vault_dest/plugin.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index e1715592..7cfc56db 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
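Review bot: The `str(...)` wrappers on the five rewritten lines and the two new ones are no-ops — `os.environ.get(name, '')` already returns a `str` — so `LEMUR_DEFAULT_COUNTRY = os.environ.get('LEMUR_DEFAULT_COUNTRY', '')` reads the same and drops the cast. The new `LEMUR_DEFAULT_ISSUER_PLUGIN` and `LEMUR_DEFAULT_AUTHORITY` fall back to `''` rather than being left unset, and whether lemur treats an empty string as "no default" is not visible here; a comment such as `# empty means "no default issuer/authority" — confirm the consumer treats '' that way` above the two lines would make the assumption explicit for the next reader.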
@@ -180,6 +180,13 @@ class VaultDestinationPlugin(DestinationPlugin):
 "validation": "^([a-zA-Z0-9._-]+/?)+$",
 "helpMessage": "Must be a valid Vault secrets path",
 },
+ {
+ "name": "vaultSuffix",
+ "type": "str",
+ "required": False,
+ "validation": "^([a-zA-Z0-9._-]+/?)+$",
+ "helpMessage": "Must be a valid Vault secrets path",
+ },
 {
 "name": "objectName",
 "type": "str",
@@ -222,6 +229,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 token_file = self.get_option("vaultAuthTokenFile", options)
 mount = self.get_option("vaultMount", options)
 path = self.get_option("vaultPath", options)
+ suffix = self.get_option("vaultSuffix", options)
 bundle = self.get_option("bundleChain", options)
 obj_name = self.get_option("objectName", options)
 api_version = self.get_option("vaultKvApiVersion", options)
@@ -255,6 +263,9 @@ class VaultDestinationPlugin(DestinationPlugin):
 path = "{0}/{1}".format(path, obj_name)
 else:
 path = "{0}/{1}".format(path, cname)
+
+ if suffix:
+ path = "{0}/{1}".format(path, suffix)
 secret = get_secret(client, mount, path)
 secret["data"][cname] = {}
From ccb811516c11e209a759c6b131f3e9bab7d068d8 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Tue, 18 Feb 2020 19:43:48 +0300
Subject: [PATCH 03/17] Add dockerfile to build from repo
---
 docker/Dockerfile-src | 64 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 docker/Dockerfile-src
diff --git a/docker/Dockerfile-src b/docker/Dockerfile-src
new file mode 100644
index 00000000..68f4ed7d
--- /dev/null
+++ b/docker/Dockerfile-src
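Review bot: The new `vaultSuffix` option copies the `vaultPath` help text verbatim, so the form never tells the operator that the suffix is appended *after* the object name (the third hunk joins it once `obj_name`/`cname` is already on the path); `"helpMessage": "Optional path segment appended after the object name"` would say what it actually does. The copied pattern `^([a-zA-Z0-9._-]+/?)+$` also accepts a trailing `/` and segments consisting only of dots, so a suffix can produce a secret path ending in `/` or, if Vault does not normalise `..`, one outside the configured prefix; rejecting dot-only segments and the trailing slash keeps the written path where the operator expects it. The enclosing method starts and ends outside these hunks.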
@@ -0,0 +1,64 @@
+FROM alpine:3.8
+
+ARG VERSION
+ENV VERSION master
+
+ENV uid 1337
+ENV gid 1337
+ENV user lemur
+ENV group lemur
+
+RUN addgroup -S ${group} -g ${gid} && \
+ adduser -D -S ${user} -G ${group} -u ${uid} && \
+ apk --update add python3 libldap postgresql-client nginx supervisor curl tzdata openssl bash && \
+ apk --update add --virtual build-dependencies \
+ git \
+ tar \
+ curl \
+ python3-dev \
+ npm \
+ bash \
+ musl-dev \
+ gcc \
+ autoconf \
+ automake \
+ make \
+ nasm \
+ zlib-dev \
+ postgresql-dev \
+ libressl-dev \
+ libffi-dev \
+ cyrus-sasl-dev \
+ openldap-dev && \
+ pip3 install --upgrade pip && \
+ pip3 install --upgrade setuptools && \
+ mkdir -p /home/lemur/.lemur/ && \
+ mkdir -p /run/nginx/ /etc/nginx/ssl/
+
+COPY lemur /opt/lemur
+WORKDIR /opt/lemur
+
+RUN chown -R $user:$group /opt/lemur/ /home/lemur/.lemur/ && \
+ npm install --unsafe-perm && \
+ pip3 install -e . && \
+ node_modules/.bin/gulp build && \
+ node_modules/.bin/gulp package --urlContextPath=$(urlContextPath) && \
+ apk del build-dependencies
+
+COPY docker/entrypoint /
+COPY docker/src/lemur.conf.py /home/lemur/.lemur/lemur.conf.py
+COPY docker/supervisor.conf /
+COPY docker/nginx/default.conf /etc/nginx/conf.d/
+COPY docker/nginx/default-ssl.conf /etc/nginx/conf.d/
+
+RUN chmod +x /entrypoint
+WORKDIR /
+
+HEALTHCHECK --interval=12s --timeout=12s --start-period=30s \
+ CMD curl --fail http://localhost:80/api/1/healthcheck | grep -q ok || exit 1
+
+USER root
+
+ENTRYPOINT ["/entrypoint"]
+
+CMD ["/usr/bin/supervisord","-c","supervisor.conf"]
From 1430ac539531dc38f60fd5eb9e250da50a1b6552 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Tue, 18 Feb 2020 19:54:41 +0300
Subject: [PATCH 04/17] fix
---
 docker/Dockerfile-src | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/Dockerfile-src b/docker/Dockerfile-src
index 68f4ed7d..c23f249c 100644
--- a/docker/Dockerfile-src
+++ b/docker/Dockerfile-src
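Review bot: `--urlContextPath=$(urlContextPath)` in the second `RUN` is a shell command substitution, not a variable expansion: the build tries to run a command named `urlContextPath`, which does not exist in the image, and passes an empty value without failing the step; `ARG urlContextPath` near the top plus `--urlContextPath=${urlContextPath}` is presumably what was intended. `ARG VERSION` is likewise shadowed by the `ENV VERSION master` immediately after it, so a `--build-arg VERSION=...` has no effect on the build. The image also finishes with `USER root`; supervisord later drops the `lemur` program to `user=lemur` (supervisor.conf), but anything else that execs into the container runs as root — if that is deliberate because crond and nginx need it, a comment next to `USER root` saying so would save the next reader the question.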
@@ -35,7 +35,7 @@ RUN addgroup -S ${group} -g ${gid} && \
 mkdir -p /home/lemur/.lemur/ && \
 mkdir -p /run/nginx/ /etc/nginx/ssl/
-COPY lemur /opt/lemur
+COPY ./ /opt/lemur
 WORKDIR /opt/lemur
 RUN chown -R $user:$group /opt/lemur/ /home/lemur/.lemur/ && \
From ce69d47b8b2e8b4dd4ca2f6b44f13ed5fe502e58 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 26 Feb 2020 19:43:16 +0300
Subject: [PATCH 05/17] Fix
---
 docker/entrypoint | 6 +++---
 docker/supervisor.conf | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/docker/entrypoint b/docker/entrypoint
index 2a3a84e3..50df18dd 100644
--- a/docker/entrypoint
+++ b/docker/entrypoint
@@ -49,9 +49,9 @@ cron_sync="${CRON_SYNC:-"*/15 * * * *"}"
 cron_revoked="${CRON_CHECK_REVOKED:-"0 22 * * *"}"
 echo " # Populating crontab"
-echo "${cron_notify} lemur python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur_notify
-echo "${cron_sync} lemur python3 /opt/lemur/lemur/manage.py source sync -s all" > /etc/crontabs/lemur_sync
-echo "${cron_revoked} lemur python3 /opt/lemur/lemur/manage.py certificate check_revoked" > /etc/crontabs/lemur_revoked
+echo "${cron_notify} python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur
+echo "${cron_sync} python3 /opt/lemur/lemur/manage.py source sync -s all" >> /etc/crontabs/lemur
+echo "${cron_revoked} python3 /opt/lemur/lemur/manage.py certificate check_revoked" >> /etc/crontabs/lemur
 echo " # Done"
 exec "$@"
diff --git a/docker/supervisor.conf b/docker/supervisor.conf
index fed01581..eedd5c16 100644
--- a/docker/supervisor.conf
+++ b/docker/supervisor.conf
@@ -24,6 +24,7 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 [program:cron]
+environment=LEMUR_CONF=/home/lemur/.lemur/lemur.conf.py
 command=/usr/sbin/crond -f
 user=root
 stdout_logfile=/dev/stdout
From a584aeb7eb25b8305da55685f576076cf6b4136a Mon Sep 17 00:00:00 2001
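Review bot: `COPY ./ /opt/lemur` now bakes the whole build context into the image instead of just the `lemur` package, so without a `.dockerignore` (none is added anywhere in this series) the layer carries `.git`, local configuration files and anything else lying in the checkout, all readable inside the container. Either add a `.dockerignore` that excludes `.git`, `docker/` artefacts and local files, or keep narrow `COPY` lines for only the paths that `pip3 install -e .` and the gulp build need; the `RUN` that follows is outside the hunk.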
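Review bot: `environment=LEMUR_CONF=...` sets the variable on the `crond` process itself, but whether busybox `crond` hands its own environment to the jobs it spawns is not something this hunk shows; if it does not, the three crontab lines the entrypoint hunk writes run without `LEMUR_CONF` and pick up whatever default configuration lemur falls back to. Putting the variable on the job lines themselves, e.g. `echo "${cron_notify} LEMUR_CONF=/home/lemur/.lemur/lemur.conf.py python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur`, does not depend on crond's environment handling; otherwise a comment above this line stating that crond is relied on to forward its environment would record the assumption.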
From: Ilya Makarov
Date: Wed, 26 Feb 2020 20:12:53 +0300
Subject: [PATCH 06/17] User lemur instead manage.py
---
 docker/entrypoint | 8 ++++----
 docker/supervisor.conf | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docker/entrypoint b/docker/entrypoint
index 50df18dd..6ac17a7a 100644
--- a/docker/entrypoint
+++ b/docker/entrypoint
@@ -36,7 +36,7 @@ fi
 # fi
 echo " # Running init"
-su lemur -s /bin/bash -c "cd /opt/lemur/lemur; python3 /opt/lemur/lemur/manage.py init -p ${LEMUR_ADMIN_PASSWORD}"
+su lemur -s /bin/bash -c "cd /opt/lemur/lemur; lemur init -p ${LEMUR_ADMIN_PASSWORD}"
 echo " # Done"
 # echo "Creating user"
@@ -49,9 +49,9 @@ cron_sync="${CRON_SYNC:-"*/15 * * * *"}"
 cron_revoked="${CRON_CHECK_REVOKED:-"0 22 * * *"}"
 echo " # Populating crontab"
-echo "${cron_notify} python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur
-echo "${cron_sync} python3 /opt/lemur/lemur/manage.py source sync -s all" >> /etc/crontabs/lemur
-echo "${cron_revoked} python3 /opt/lemur/lemur/manage.py certificate check_revoked" >> /etc/crontabs/lemur
+echo "${cron_notify} lemur notify expirations" > /etc/crontabs/lemur
+echo "${cron_sync} lemur source sync -s all" >> /etc/crontabs/lemur
+echo "${cron_revoked} lemur certificate check_revoked" >> /etc/crontabs/lemur
 echo " # Done"
 exec "$@"
diff --git a/docker/supervisor.conf b/docker/supervisor.conf
index eedd5c16..ec4b221d 100644
--- a/docker/supervisor.conf
+++ b/docker/supervisor.conf
@@ -7,7 +7,7 @@ pidfile = /tmp/supervisord.pid
 [program:lemur]
 environment=LEMUR_CONF=/home/lemur/.lemur/lemur.conf.py
-command=/usr/bin/python3 manage.py start -b 0.0.0.0:8000
+command=lemur start -b 0.0.0.0:8000
 user=lemur
 directory=/opt/lemur/lemur
 stdout_logfile=/dev/stdout
From 5fb3da8bec936c3568f6435015eb3417bc767a29 Mon Sep 17 00:00:00 2001
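Review bot: The rewritten `su lemur ... -c "cd /opt/lemur/lemur; lemur init -p ${LEMUR_ADMIN_PASSWORD}"` line still splices the admin password into a shell command string, so a password containing a space, quote, `;` or `$` breaks the command or runs part of it as a separate one, and the value is visible to every process in the container through the `lemur init` argument list. Expanding it inside the child shell, `su lemur -s /bin/bash -c 'cd /opt/lemur/lemur; lemur init -p "$LEMUR_ADMIN_PASSWORD"'` with the variable exported (assuming `su` passes the caller's environment through — confirm), removes the word-splitting problem; it is still on the command line, so check whether `lemur init` can take the password from a prompt or the environment instead of `-p`. The script continues outside the hunk.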
From: Ilya Makarov
Date: Thu, 27 Feb 2020 11:24:35 +0300
Subject: [PATCH 07/17] Add certificate reissue to cron
---
 docker/entrypoint | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker/entrypoint b/docker/entrypoint
index 6ac17a7a..3f25951a 100644
--- a/docker/entrypoint
+++ b/docker/entrypoint
@@ -47,11 +47,13 @@ echo " # Done"
 cron_notify="${CRON_NOTIFY:-"0 22 * * *"}"
 cron_sync="${CRON_SYNC:-"*/15 * * * *"}"
 cron_revoked="${CRON_CHECK_REVOKED:-"0 22 * * *"}"
+cron_reissue="${CRON_REISSUE:-"0 23 * * *"}"
 echo " # Populating crontab"
 echo "${cron_notify} lemur notify expirations" > /etc/crontabs/lemur
 echo "${cron_sync} lemur source sync -s all" >> /etc/crontabs/lemur
 echo "${cron_revoked} lemur certificate check_revoked" >> /etc/crontabs/lemur
+echo "${cron_reissue} lemur certificate reissue -c" >> /etc/crontabs/lemur
 echo " # Done"
 exec "$@"
From fe67ff21469fa2acda41710a97eacb154b7cf650 Mon Sep 17 00:00:00 2001
From: e11it
Date: Mon, 2 Mar 2020 09:18:02 +0300
Subject: [PATCH 08/17] Update plugin.py Fix lint
---
 lemur/plugins/lemur_vault_dest/plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index d1b6bc68..0101f5a9 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -297,7 +297,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 path = "{0}/{1}".format(path, obj_name)
 else:
 path = "{0}/{1}".format(path, cname)
-
+
 if suffix:
 path = "{0}/{1}".format(path, suffix)
From 27a86f5c189d6859ebf749b8f847ea78f29f7c89 Mon Sep 17 00:00:00 2001
From: e11it
Date: Tue, 3 Mar 2020 21:45:33 +0300
Subject: [PATCH 09/17] Fix: San values #2921 Not sure is it correct solution
---
 lemur/certificates/schemas.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py
index 8f15542d..bc7ff1b0 100644
--- a/lemur/certificates/schemas.py
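Review bot: The new `cron_reissue` job runs `lemur certificate reissue -c` every night by default, and nothing in the script says what the job does or what `-c` means (presumably the commit/persist switch — confirm), so an operator reading the generated crontab cannot tell that this entry changes certificates rather than only reporting on them like the notify and check_revoked entries. A comment above the `cron_reissue=` line, `# CRON_REISSUE: nightly automatic reissue of expiring certificates; -c persists the new certificates`, and listing `CRON_REISSUE` wherever `CRON_NOTIFY`/`CRON_SYNC`/`CRON_CHECK_REVOKED` are documented, would cover it. The script continues outside the hunk.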
+++ b/lemur/certificates/schemas.py
@@ -146,7 +146,9 @@ class CertificateInputSchema(CertificateCreationSchema):
 data["extensions"]["subAltNames"] = {"names": []}
 elif not data["extensions"]["subAltNames"].get("names"):
 data["extensions"]["subAltNames"]["names"] = []
- data["extensions"]["subAltNames"]["names"] += csr_sans
+
+ if not data["extensions"]["subAltNames"]["names"]:
+ data["extensions"]["subAltNames"]["names"] += csr_sans
 return missing.convert_validity_years(data)
From 790367ea5af4812a0c8032bf69aa1259fd8dcda1 Mon Sep 17 00:00:00 2001
From: e11it
Date: Tue, 10 Mar 2020 13:46:59 +0300
Subject: [PATCH 10/17] Update lemur.conf.py ALLOW_CERT_DELETION from env
---
 docker/src/lemur.conf.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py
index 7c98227f..3cc51792 100644
--- a/docker/src/lemur.conf.py
+++ b/docker/src/lemur.conf.py
@@ -16,6 +16,7 @@ LEMUR_WHITELISTED_DOMAINS = []
 LEMUR_EMAIL = ''
 LEMUR_SECURITY_TEAM_EMAIL = []
+ALLOW_CERT_DELETION = os.environ.get('ALLOW_CERT_DELETION') == "True"
 LEMUR_DEFAULT_COUNTRY = str(os.environ.get('LEMUR_DEFAULT_COUNTRY',''))
 LEMUR_DEFAULT_STATE = str(os.environ.get('LEMUR_DEFAULT_STATE',''))
From d3cb0b517a0dd6dc29bb8565e065d5cdc0b53717 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 02:27:31 +0300
Subject: [PATCH 11/17] Add format support
---
 lemur/plugins/lemur_vault_dest/plugin.py | 56 +++++++++++++++---------
 1 file changed, 35 insertions(+), 21 deletions(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 0101f5a9..a63896d2 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
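Review bot: The new guard makes request-supplied `subAltNames` win over the CSR's whenever both are present, and the CSR's names are then dropped without any error or log line — yet the CSR is the object that actually gets signed, so a request whose SAN list disagrees with its CSR now yields a certificate whose SANs depend on which side happened to be filled in. Either reject the request when the two sets differ or log the discrepancy, and put `# CSR SANs are used only when the request supplied none` above the `if` so the precedence is explicit; note that with `names` known to be empty at that point, `+=` and `=` are equivalent. The enclosing post-load method and the definition of `csr_sans` are outside the hunk.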
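Review bot: `ALLOW_CERT_DELETION = os.environ.get('ALLOW_CERT_DELETION') == "True"` enables deletion only for the exact, case-sensitive string `True`; `true`, `1` or `yes` leave it disabled, which is the safe direction for a destructive setting but easy to get wrong in a compose file and hard to diagnose. A comment on the line, `# deletion stays disabled unless the env var is exactly "True"`, would save that debugging round; if broader spellings are wanted, `os.environ.get('ALLOW_CERT_DELETION', '').lower() in ('true', '1')` keeps the fail-closed default.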
@@ -14,7 +14,7 @@ import re
 import hvac
 from flask import current_app
-from lemur.common.defaults import common_name
+from lemur.common.defaults import common_name,country,state,location,organizational_unit,organization
 from lemur.common.utils import parse_certificate
 from lemur.plugins.bases import DestinationPlugin
 from lemur.plugins.bases import SourcePlugin
@@ -202,22 +202,15 @@ class VaultDestinationPlugin(DestinationPlugin):
 "name": "vaultPath",
 "type": "str",
 "required": True,
- "validation": "^([a-zA-Z0-9._-]+/?)+$",
- "helpMessage": "Must be a valid Vault secrets path",
- },
- {
- "name": "vaultSuffix",
- "type": "str",
- "required": False,
- "validation": "^([a-zA-Z0-9._-]+/?)+$",
- "helpMessage": "Must be a valid Vault secrets path",
+ "validation": "^(([a-zA-Z0-9._-]+|{(CN|OU|O|L|S|C)})+/?)+$",
+ "helpMessage": "Must be a valid Vault secrets path. Support vars: {CN|OU|O|L|S|C}",
 },
 {
 "name": "objectName",
 "type": "str",
 "required": False,
- "validation": "[0-9a-zA-Z.:_-]+",
- "helpMessage": "Name to bundle certs under, if blank use cn",
+ "validation": "^([0-9a-zA-Z.:_-]+|{(CN|OU|O|L|S|C)})+$",
+ "helpMessage": "Name to bundle certs under, if blank use {CN}. Support vars: {CN|OU|O|L|S|C}",
 },
 {
 "name": "bundleChain",
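Review bot: The new `vaultPath` and `objectName` patterns admit `{CN}`-style placeholders and the later hunks pass the configured strings to `str.format`, but if this validation is only enforced in the browser (where it runs is not visible here), a stored value with a stray `{` or `}` raises `KeyError`/`ValueError`/`IndexError` inside the upload with no useful message — a server-side re-check against the same pattern, or catching those three exceptions around the `format` calls and re-raising a clear configuration error, would close that gap. The nested quantifiers in `^(([a-zA-Z0-9._-]+|{(CN|OU|O|L|S|C)})+/?)+$` (the `((x+)+)+` shape, inherited from the previous `(x+/?)+` pattern) backtrack exponentially on a long non-matching input, so if the regex runs server-side on user-supplied text it is worth restructuring so that each character or placeholder is a single alternative under one `+` and the `/` placement is checked separately. The options list continues outside the hunk.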
@@ -248,14 +241,20 @@ class VaultDestinationPlugin(DestinationPlugin):
 :param cert_chain:
 :return:
 """
- cname = common_name(parse_certificate(body))
+ cert = parse_certificate(body)
+
+ cn = common_name(cert)
+ ou= organizational_unit(cert)
+ o= organization(cert)
+ l= location(cert)
+ s= state(cert)
+ c= country(cert)
 url = self.get_option("vaultUrl", options)
 auth_method = self.get_option("authenticationMethod", options)
 auth_key = self.get_option("tokenFile/vaultRole", options)
 mount = self.get_option("vaultMount", options)
 path = self.get_option("vaultPath", options)
- suffix = self.get_option("vaultSuffix", options)
 bundle = self.get_option("bundleChain", options)
 obj_name = self.get_option("objectName", options)
 api_version = self.get_option("vaultKvApiVersion", options)
@@ -293,15 +292,30 @@ class VaultDestinationPlugin(DestinationPlugin):
 client.secrets.kv.default_kv_version = api_version
- if obj_name:
- path = "{0}/{1}".format(path, obj_name)
- else:
- path = "{0}/{1}".format(path, cname)
+ t_path = path.format(
+ CN=cn,
+ OU=ou,
+ O=o,
+ L=l,
+ S=s,
+ C=c
+ )
+ if not obj_name:
+ obj_name = '{CN}'
+
+ f_obj_name = obj_name.format(
+ CN=cn,
+ OU=ou,
+ O=o,
+ L=l,
+ S=s,
+ C=c
+ )
- if suffix:
- path = "{0}/{1}".format(path, suffix)
+ path = "{0}/{1}".format(t_path, obj_name)
+ # TODO: obj_name support for vars
- secret = get_secret(client, mount, path)
+ secret_t = get_secret(client, mount, path)
 secret["data"][cname] = {}
 if not cert_chain:
From 729ed3843dbfcce084bf7c52767876f2be26d3b4 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 14:16:29 +0300
Subject: [PATCH 12/17] Fix bug wth get_options and slash in name
---
 lemur/plugins/lemur_vault_dest/plugin.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index a63896d2..2de19004 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
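Review bot: The subject fields substituted into the Vault path (`cn`, `ou`, `o`, `l`, `s`, `c`) come straight from the certificate and are never sanitised, so a subject component containing `/`, whitespace or `..` changes where the secret lands — the option regexes in the earlier hunk validate only the template, not the values that replace `{CN}` and friends — and an absent attribute substitutes the literal string `None` if these helpers return `None` for a missing field (not visible here; confirm). Build the map once and clean it before formatting, e.g. `fields = {k: re.sub(r'[^0-9a-zA-Z._-]', '_', str(v or '')) for k, v in {'CN': cn, 'OU': ou, 'O': o, 'L': l, 'S': s, 'C': c}.items()}` followed by `path.format(**fields)` and `obj_name.format(**fields)`; that also removes the duplicated six-keyword blocks and the `l`/`o` names the later lint commits work around. As committed, the second hunk formats `obj_name` instead of `f_obj_name` and assigns `secret_t` while the next line reads `secret` and the removed `cname`; later commits in this series repair those. The enclosing upload method starts and ends outside the hunks.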
@@ -58,7 +58,7 @@ class VaultSourcePlugin(SourcePlugin):
 "helpMessage": "Authentication method to use",
 },
 {
- "name": "tokenFile/VaultRole",
+ "name": "tokenFileOrVaultRole",
 "type": "str",
 "required": True,
 "validation": "^([a-zA-Z0-9/._-]+/?)+$",
@@ -94,7 +94,7 @@ class VaultSourcePlugin(SourcePlugin):
 body = ""
 url = self.get_option("vaultUrl", options)
 auth_method = self.get_option("authenticationMethod", options)
- auth_key = self.get_option("tokenFile/vaultRole", options)
+ auth_key = self.get_option("tokenFileOrVaultRole", options)
 mount = self.get_option("vaultMount", options)
 path = self.get_option("vaultPath", options)
 obj_name = self.get_option("objectName", options)
@@ -185,7 +185,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 "helpMessage": "Authentication method to use",
 },
 {
- "name": "tokenFile/VaultRole",
+ "name": "tokenFileOrVaultRole",
 "type": "str",
 "required": True,
 "validation": "^([a-zA-Z0-9/._-]+/?)+$",
@@ -252,7 +252,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 url = self.get_option("vaultUrl", options)
 auth_method = self.get_option("authenticationMethod", options)
- auth_key = self.get_option("tokenFile/vaultRole", options)
+ auth_key = self.get_option("tokenFileOrVaultRole", options)
 mount = self.get_option("vaultMount", options)
 path = self.get_option("vaultPath", options)
 bundle = self.get_option("bundleChain", options)
From ba8e315eed2f33ffb32dc79df96bfbfa17315675 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 14:22:04 +0300
Subject: [PATCH 13/17] Fix typo
---
 lemur/plugins/lemur_vault_dest/plugin.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 2de19004..0c6bb9b2 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
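Review bot: Renaming the option from `tokenFile/VaultRole` to `tokenFileOrVaultRole` (all four hunks) breaks any source or destination already saved under the old key: `self.get_option("tokenFileOrVaultRole", options)` presumably returns `None` for those rows, so authentication fails until each one is re-saved, and nothing in the series migrates stored options. A one-release fallback, `auth_key = self.get_option("tokenFileOrVaultRole", options) or self.get_option("tokenFile/VaultRole", options)`, or a data migration avoids the silent breakage. Note also that the removed lookups used `tokenFile/vaultRole` (lower-case v) while the option was declared `tokenFile/VaultRole`; that case mismatch may be the actual bug the commit message alludes to and is worth stating there. The enclosing methods start and end outside the hunks.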
@@ -301,8 +301,8 @@ class VaultDestinationPlugin(DestinationPlugin):
 C=c
 )
 if not obj_name:
- obj_name = '{CN}'
-
+ obj_name = '{CN}'
+
 f_obj_name = obj_name.format(
 CN=cn,
 OU=ou,
@@ -312,10 +312,10 @@ class VaultDestinationPlugin(DestinationPlugin):
 C=c
 )
- path = "{0}/{1}".format(t_path, obj_name)
+ path = "{0}/{1}".format(t_path, f_obj_name)
 # TODO: obj_name support for vars
- secret_t = get_secret(client, mount, path)
+ secret = get_secret(client, mount, path)
 secret["data"][cname] = {}
 if not cert_chain:
From a6c3b85fe154ff6c77965807d9b2d85c2d1eb3ee Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 15:15:56 +0300
Subject: [PATCH 14/17] Fix lint
---
 lemur/plugins/lemur_vault_dest/plugin.py | 34 ++++++++++--------------
 1 file changed, 14 insertions(+), 20 deletions(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 0c6bb9b2..977f476e 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -14,7 +14,7 @@ import re
 import hvac
 from flask import current_app
-from lemur.common.defaults import common_name,country,state,location,organizational_unit,organization
+from lemur.common.defaults import common_name, country, state, location, organizational_unit, organization
 from lemur.common.utils import parse_certificate
 from lemur.plugins.bases import DestinationPlugin
 from lemur.plugins.bases import SourcePlugin
@@ -242,13 +242,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 :return:
 """
 cert = parse_certificate(body)
-
- cn = common_name(cert)
- ou= organizational_unit(cert)
- o= organization(cert)
- l= location(cert)
- s= state(cert)
- c= country(cert)
+ cname = common_name(cert)
 url = self.get_option("vaultUrl", options)
 auth_method = self.get_option("authenticationMethod", options)
@@ -293,23 +287,23 @@ class VaultDestinationPlugin(DestinationPlugin):
 client.secrets.kv.default_kv_version = api_version
 t_path = path.format(
- CN=cn,
- OU=ou,
- O=o,
- L=l,
- S=s,
- C=c
+ CN=cname,
+ OU=organizational_unit(cert),
+ O=organization(cert),
+ L=location(cert),
+ S=state(cert),
+ C=country(cert)
 )
 if not obj_name:
 obj_name = '{CN}'
 f_obj_name = obj_name.format(
- CN=cn,
- OU=ou,
- O=o,
- L=l,
- S=s,
- C=c
+ CN=cname,
+ OU=organizational_unit(cert),
+ O=organization(cert),
+ L=location(cert),
+ S=state(cert),
+ C=country(cert)
 )
 path = "{0}/{1}".format(t_path, f_obj_name)
From 92a89427274de3c6ed536e2691183f2469bb5548 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 15:37:11 +0300
Subject: [PATCH 15/17] Fix lint
---
 lemur/plugins/lemur_vault_dest/plugin.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 977f476e..6a1cd074 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -289,10 +289,10 @@ class VaultDestinationPlugin(DestinationPlugin):
 t_path = path.format(
 CN=cname,
 OU=organizational_unit(cert),
- O=organization(cert),
+ O=organization(cert), # noqa: E741
 L=location(cert),
 S=state(cert),
- C=country(cert)
+ C=country(cert),
 )
 if not obj_name:
 obj_name = '{CN}'
@@ -300,14 +300,13 @@ class VaultDestinationPlugin(DestinationPlugin):
 f_obj_name = obj_name.format(
 CN=cname,
 OU=organizational_unit(cert),
- O=organization(cert),
+ O=organization(cert), # noqa: E741
 L=location(cert),
 S=state(cert),
- C=country(cert)
+ C=country(cert),
 )
 path = "{0}/{1}".format(t_path, f_obj_name)
- # TODO: obj_name support for vars
 secret = get_secret(client, mount, path)
 secret["data"][cname] = {}
From be722fb1b3e543fff03bef87adbda259e9597f83 Mon Sep 17 00:00:00 2001
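Review bot: The two `format(...)` calls in this hunk carry identical six-keyword argument lists, so every subject helper (`organizational_unit(cert)`, `organization(cert)`, …) is evaluated twice per upload and any future placeholder has to be added in two places. Building the mapping once — `subject = dict(CN=cname, OU=organizational_unit(cert), O=organization(cert), L=location(cert), S=state(cert), C=country(cert))` — and then `t_path = path.format(**subject)` / `f_obj_name = obj_name.format(**subject)` removes the duplication and the `O=` keyword that the following lint commits decorate with `# noqa: E741`. A comment above the first call, `# vaultPath/objectName may contain {CN}/{OU}/{O}/{L}/{S}/{C}, filled from the certificate subject`, would also document the template feature at the point of use. The enclosing method starts and ends outside the hunk.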
From: Ilya Makarov
Date: Wed, 11 Mar 2020 20:51:10 +0300
Subject: [PATCH 16/17] Fix lint
---
 lemur/plugins/lemur_vault_dest/plugin.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 6a1cd074..3c5301f7 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -292,7 +292,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 O=organization(cert), # noqa: E741
 L=location(cert),
 S=state(cert),
- C=country(cert),
+ C=country(cert)
 )
 if not obj_name:
 obj_name = '{CN}'
@@ -303,7 +303,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 O=organization(cert), # noqa: E741
 L=location(cert),
 S=state(cert),
- C=country(cert),
+ C=country(cert)
 )
 path = "{0}/{1}".format(t_path, f_obj_name)
From f83e3f764e9b8fccf921feb4ee490eb7de1e9726 Mon Sep 17 00:00:00 2001
From: e11it
Date: Fri, 22 May 2020 21:52:43 +0300
Subject: [PATCH 17/17] always assign csr_sans to name
---
 lemur/certificates/schemas.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py
index bc7ff1b0..42e444bc 100644
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@@ -147,8 +147,7 @@ class CertificateInputSchema(CertificateCreationSchema):
 elif not data["extensions"]["subAltNames"].get("names"):
 data["extensions"]["subAltNames"]["names"] = []
- if not data["extensions"]["subAltNames"]["names"]:
- data["extensions"]["subAltNames"]["names"] += csr_sans
+ data["extensions"]["subAltNames"]["names"] = csr_sans
 return missing.convert_validity_years(data)
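Review bot: `data["extensions"]["subAltNames"]["names"] = csr_sans` discards whatever `subAltNames` the request carried and replaces it with the CSR's SANs, which also makes the `names = []` initialisation on the preceding context lines dead work. That is the right precedence if the CSR is what gets signed, but it relies on this block running only inside an `if data.get("csr")` branch — the start of the method and the definition of `csr_sans` are outside the hunk — because if it also runs for requests without a CSR and `csr_sans` is then empty, every such request silently loses its SANs. Please confirm the enclosing condition and add `# a CSR is authoritative for SANs; request-supplied names are ignored when one is present` above the assignment so the intent survives the next edit.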