Remove certificate from AWS and cleanup after cert revoke

lemur/certificates/service.py

@@ -21,6 +21,7 @@ from lemur.certificates.schemas import CertificateOutputSchema, CertificateInput
 from lemur.common.utils import generate_private_key, truthiness
 from lemur.destinations.models import Destination
 from lemur.domains.models import Domain
+from lemur.endpoints import service as endpoint_service
 from lemur.extensions import metrics, sentry, signals
 from lemur.models import certificate_associations
 from lemur.notifications.models import Notification
@@ -797,3 +798,61 @@ def reissue_certificate(certificate, replace=None, user=None):
     new_cert = create(**primitives)
 
     return new_cert
+
+
+def is_attached_to_endpoint(certificate_name, endpoint_name):
+    """
+    Find if given certificate is attached to the endpoint. Both, certificate and endpoint, are identified by name.
+    This method talks to elb and finds the real time information.
+    :param certificate_name:
+    :param endpoint_name:
+    :return: True if certificate is attached to the given endpoint, False otherwise
+    """
+    endpoint = endpoint_service.get_by_name(endpoint_name)
+    attached_certificates = endpoint.source.plugin.get_endpoint_certificate_names(endpoint)
+    return certificate_name in attached_certificates
+
+
+def remove_from_destination(certificate, destination):
+    """
+    Remove the certificate from given destination if clean() is implemented
+    :param certificate:
+    :param destination:
+    :return:
+    """
+    plugin = plugins.get(destination.plugin_name)
+    if not hasattr(plugin, "clean"):
+        info_text = f"Cannot clean certificate {certificate.name}, {destination.plugin_name} plugin does not implement 'clean()'"
+        current_app.logger.warning(info_text)
+    else:
+        plugin.clean(certificate=certificate, options=destination.options)
+
+
+def cleanup_after_revoke(certificate):
+    """
+    Perform the needed cleanup for a revoked certificate. This includes -
+    1. Disabling notification
+    2. Disabling auto-rotation
+    3. Update certificate status to 'revoked'
+    4. Remove from AWS
+    :param certificate: Certificate object to modify and update in DB
+    :return: None
+    """
+    certificate.notify = False
+    certificate.rotation = False
+    certificate.status = 'revoked'
+
+    error_message = ""
+
+    for destination in list(certificate.destinations):
+        try:
+            remove_from_destination(certificate, destination)
+            certificate.destinations.remove(destination)
+        except Exception as e:
+            # This cleanup is the best-effort since certificate is already revoked at this point.
+            # We will capture the exception and move on to the next destination
+            sentry.captureException()
+            error_message = error_message + f"Failed to remove destination: {destination.label}. {str(e)}. "
+
+    database.update(certificate)
+    return error_message

lemur/certificates/views.py

@@ -19,6 +19,7 @@ from lemur.auth.permissions import AuthorityPermission, CertificatePermission
 
 from lemur.certificates import service
 from lemur.certificates.models import Certificate
+from lemur.extensions import sentry
 from lemur.plugins.base import plugins
 from lemur.certificates.schemas import (
     certificate_input_schema,
@@ -888,8 +889,24 @@ class Certificates(AuthenticatedResource):
         if cert.owner != data["owner"]:
             service.cleanup_owner_roles_notification(cert.owner, data)
 
+        error_message = ""
+        # if destination is removed, cleanup the certificate from AWS
+        for destination in cert.destinations:
+            if destination not in data["destinations"]:
+                try:
+                    service.remove_from_destination(cert, destination)
+                except Exception as e:
+                    sentry.captureException()
+                    # Add the removed destination back
+                    data["destinations"].append(destination)
+                    error_message = error_message + f"Failed to remove destination: {destination.label}. {str(e)}. "
+
+        # go ahead with DB update
         cert = service.update(certificate_id, **data)
         log_service.create(g.current_user, "update_cert", certificate=cert)
+
+        if error_message:
+            return dict(message=f"Edit Successful except -\n\n {error_message}"), 400
         return cert
 
     @validate_schema(certificate_edit_input_schema, certificate_output_schema)
@@ -1429,20 +1446,28 @@ class CertificateRevoke(AuthenticatedResource):
                     403,
                 )
 
-        if not cert.external_id:
-            return dict(message="Cannot revoke certificate. No external id found."), 400
+        # if not cert.external_id:
+        #    return dict(message="Cannot revoke certificate. No external id found."), 400
 
         if cert.endpoints:
-            return (
-                dict(
-                    message="Cannot revoke certificate. Endpoints are deployed with the given certificate."
-                ),
-                403,
-            )
+            for endpoint in cert.endpoints:
+                if service.is_attached_to_endpoint(cert.name, endpoint.name):
+                    return (
+                        dict(
+                            message="Cannot revoke certificate. Endpoints are deployed with the given certificate."
+                        ),
+                        403,
+                    )
 
         plugin = plugins.get(cert.authority.plugin_name)
         plugin.revoke_certificate(cert, data)
+
         log_service.create(g.current_user, "revoke_cert", certificate=cert)
+
+        # Perform cleanup after revoke
+        error_message = service.cleanup_after_revoke(cert)
+        if error_message:
+            return dict(message=f"Certificate (id:{cert.id}) is revoked - {error_message}"), 400
         return dict(id=cert.id)