From e0ac7497348183d19e82afd4019651540ab922d6 Mon Sep 17 00:00:00 2001
From: Ronald Moesbergen
Date: Thu, 6 Dec 2018 16:47:53 +0100
Subject: [PATCH 1/4] When parsing SAN's, ignore unknown san_types, because in some cases they can contain unparsable/serializable values, resulting in a TypeError(repr(o) + " is not JSON serializable")
---
 lemur/common/fields.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lemur/common/fields.py b/lemur/common/fields.py
index 9a0198e9..5ab0c6f0 100644
--- a/lemur/common/fields.py
+++ b/lemur/common/fields.py
@@ -350,6 +350,7 @@ class SubjectAlternativeNameExtension(Field):
 value = value.dotted_string
 else:
 current_app.logger.warning('Unknown SubAltName type: {name}'.format(name=name))
+ continue
 general_names.append({'nameType': name_type, 'value': value})
From 437d918cf795516142d5f7c6f0f385b2d4716bfa Mon Sep 17 00:00:00 2001
From: Wesley Hartford
Date: Mon, 10 Dec 2018 12:04:16 -0800
Subject: [PATCH 2/4] Fix textarea and validation on destination page
The destination configuration page did not previously support a textarea input as was supported on most other pages. The validation of string inputs was not being performed. This commit addresses both of those issues and corrects the validation expressions for the AWS and S3 destination plugins so that they continue to function. The SFTP destination plugin does not have any string validation. The Kubernetes plugin does not work at all as far as I can tell; there will be another PR in the coming days to address that.
---
 lemur/plugins/lemur_aws/plugin.py | 7 +++----
 .../angular/destinations/destination/destination.tpl.html | 6 +++++-
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/lemur/plugins/lemur_aws/plugin.py b/lemur/plugins/lemur_aws/plugin.py
index c563eac8..1c2607a5 100644
--- a/lemur/plugins/lemur_aws/plugin.py
+++ b/lemur/plugins/lemur_aws/plugin.py
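Review bot: The added `continue` drops an unrecognised GeneralName from `general_names` with only a warning, so anything consuming the parsed SAN list (an inventory or monitoring view, for instance) cannot tell that the list is incomplete. The log line should say the entry was skipped and the skip deserves a why-comment: `current_app.logger.warning('Unknown SubAltName type: {name}, entry skipped'.format(name=name))` followed by `# values of unsupported GeneralName types are not JSON serializable, so the entry is dropped rather than stored`. Which types fall into this branch is not visible here; the enclosing method of `SubjectAlternativeNameExtension` begins before the hunk.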
@@ -163,7 +163,7 @@ class AWSDestinationPlugin(DestinationPlugin):
 'name': 'accountNumber',
 'type': 'str',
 'required': True,
- 'validation': '/^[0-9]{12,12}$/',
+ 'validation': '[0-9]{12}',
 'helpMessage': 'Must be a valid AWS account number!',
 },
 {
@@ -279,14 +279,14 @@ class S3DestinationPlugin(ExportDestinationPlugin):
 'name': 'bucket',
 'type': 'str',
 'required': True,
- 'validation': '/^$|\s+/',
+ 'validation': '[0-9a-z.-]{3,63}',
 'helpMessage': 'Must be a valid S3 bucket name!',
 },
 {
 'name': 'accountNumber',
 'type': 'str',
 'required': True,
- 'validation': '/^[0-9]{12,12}$/',
+ 'validation': '[0-9]{12}',
 'helpMessage': 'A valid AWS account number with permission to access S3',
 },
 {
@@ -308,7 +308,6 @@ class S3DestinationPlugin(ExportDestinationPlugin):
 'name': 'prefix',
 'type': 'str',
 'required': False,
- 'validation': '/^$|\s+/',
 'helpMessage': 'Must be a valid S3 object prefix!',
 }
 ]
diff --git a/lemur/static/app/angular/destinations/destination/destination.tpl.html b/lemur/static/app/angular/destinations/destination/destination.tpl.html
index 1d240dbb..f2771b49 100644
--- a/lemur/static/app/angular/destinations/destination/destination.tpl.html
+++ b/lemur/static/app/angular/destinations/destination/destination.tpl.html
@@ -47,7 +47,9 @@ - + +
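Review bot: The new `'validation': '[0-9]{12}'` is unanchored, so whether a 13-digit value or a string merely containing 12 digits is rejected now depends entirely on the consumer wrapping the pattern in `^...$` — AngularJS `ng-pattern` does that for string patterns, but a server-side `re.match`/`re.search` on the same option would not, and the template change in this commit is not readable on this page. The same applies to `'[0-9a-z.-]{3,63}'` for `bucket` and to the second `accountNumber` in the `@@ -279` hunk. Writing `'validation': '^[0-9]{12}$'` and `'^[0-9a-z.-]{3,63}$'` is harmless under ng-pattern's own anchoring and keeps every consumer agreeing. Dropping the `prefix` validation in `@@ -308` leaves that option entirely unchecked, which deserves a one-line comment such as `# prefix is passed through unvalidated` so the next reader does not assume an omission. Each option list belongs to a class body that begins before its hunk.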
+

{{ item.helpMessage }}

From a50d80992c41ff5ba4a6ac6248212fd2b5719c4f Mon Sep 17 00:00:00 2001
From: sirferl
Date: Wed, 12 Dec 2018 12:45:48 +0100
Subject: [PATCH 3/4] updated query to ignore empty parameters
---
 lemur/certificates/cli.py | 52 +++++++++++++++------------------------
 1 file changed, 20 insertions(+), 32 deletions(-)
diff --git a/lemur/certificates/cli.py b/lemur/certificates/cli.py
index 7a46138c..c4a95187 100644
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
@@ -238,17 +238,7 @@ def reissue(old_certificate_name, commit):
 if not old_cert:
 for certificate in get_all_pending_reissue():
- try:
- request_reissue(certificate, commit)
- except Exception as e:
- sentry.captureException()
- current_app.logger.exception(
- "Error reissuing certificate: {}".format(certificate.name), exc_info=True)
- print(
- "[!] Failed to reissue certificates. Reason: {}".format(
- e
- )
- )
+ request_reissue(certificate, commit)
 else:
 request_reissue(old_cert, commit)
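Review bot: Removing the `try`/`except` around `request_reissue(certificate, commit)` means the first certificate that fails to reissue now aborts the whole pending-reissue loop, and the failure is no longer reported through `sentry.captureException()` or the logger; the remaining pending certificates silently stay un-reissued until the next run. The commit message ("updated query to ignore empty parameters") does not mention this, so it looks like an unintended revert rather than a deliberate change. I would keep a per-certificate handler: `try: request_reissue(certificate, commit)` / `except Exception: sentry.captureException()` / `current_app.logger.exception("Error reissuing certificate: {}".format(certificate.name))`, letting the loop continue. `reissue` starts and ends outside the hunk.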
@@ -275,30 +265,31 @@ def query(fqdns, issuer, owner, expired):
 table = []
 q = database.session_query(Certificate)
+ if issuer:
+ sub_query = database.session_query(Authority.id) \
+ .filter(Authority.name.ilike('%{0}%'.format(issuer))) \
+ .subquery()
- sub_query = database.session_query(Authority.id) \
- .filter(Authority.name.ilike('%{0}%'.format(issuer))) \
- .subquery()
-
- q = q.filter(
- or_(
- Certificate.issuer.ilike('%{0}%'.format(issuer)),
- Certificate.authority_id.in_(sub_query)
+ q = q.filter(
+ or_(
+ Certificate.issuer.ilike('%{0}%'.format(issuer)),
+ Certificate.authority_id.in_(sub_query)
+ )
 )
- )
-
- q = q.filter(Certificate.owner.ilike('%{0}%'.format(owner)))
+ if owner:
+ q = q.filter(Certificate.owner.ilike('%{0}%'.format(owner)))
 if not expired:
 q = q.filter(Certificate.expired == False) # noqa
- for f in fqdns.split(','):
- q = q.filter(
- or_(
- Certificate.cn.ilike('%{0}%'.format(f)),
- Certificate.domains.any(Domain.name.ilike('%{0}%'.format(f)))
+ if fqdns:
+ for f in fqdns.split(','):
+ q = q.filter(
+ or_(
+ Certificate.cn.ilike('%{0}%'.format(f)),
+ Certificate.domains.any(Domain.name.ilike('%{0}%'.format(f)))
+ )
 )
- )
 for c in q.all():
 table.append([c.id, c.name, c.owner, c.issuer])
@@ -373,10 +364,7 @@ def check_revoked():
 else:
 status = verify_string(cert.body, "")
- if status is None:
- cert.status = 'unknown'
- else:
- cert.status = 'valid' if status else 'revoked'
+ cert.status = 'valid' if status else 'revoked'
 except Exception as e:
 sentry.captureException()
From b35d494f2d6d6fc54498e88192555ad580764e47 Mon Sep 17 00:00:00 2001
From: Curtis Castrapel
Date: Tue, 18 Dec 2018 12:29:12 -0800
Subject: [PATCH 4/4] Update requirements
---
 requirements-dev.txt | 9 ++++-----
 requirements-docs.txt | 18 +++++++++---------
 requirements-tests.txt | 16 ++++++++--------
 requirements.txt | 18 +++++++++---------
 4 files changed, 30 insertions(+), 31 deletions(-)
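Review bot: Inside the new `if fqdns:` block, `fqdns.split(',')` neither strips whitespace nor skips empty elements, so `a, b` searches for `'% b%'` and a trailing comma adds a `'%%'` filter that matches every row; `for f in filter(None, (s.strip() for s in fqdns.split(','))):` fixes both while keeping the new empty-parameter guard. Separately, `%` and `_` inside any of the supplied `issuer`, `owner` or `fqdns` values act as LIKE wildcards in the `ilike('%{0}%'.format(...))` patterns — SQLAlchemy still binds them as parameters, so this is not injection, but if substring-only matching is intended the values should be escaped via `ilike`'s `escape` argument, and either way a one-line comment stating the intent would help. `query` extends beyond the hunk on both sides.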
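Review bot: Collapsing the `status is None` branch into `cert.status = 'valid' if status else 'revoked'` records an inconclusive result from `verify_string` as `'revoked'` — presumably `None` still means the check could not be completed, as the removed `'unknown'` branch implies, though `verify_string` itself is outside this page. Anything that acts on `cert.status` can then no longer distinguish a transient lookup failure from a positive revocation, and the commit message does not mention this change at all, which again suggests an accidental revert. Restore the three-way outcome: `if status is None:` / `cert.status = 'unknown'` / `else: cert.status = 'valid' if status else 'revoked'`. `check_revoked` starts and ends outside the hunk.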
diff --git a/requirements-dev.txt b/requirements-dev.txt
index d74b07f9..7b427b20 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -13,9 +13,8 @@ chardet==3.0.4 # via requests
 docutils==0.14 # via readme-renderer
 flake8==3.5.0
 identify==1.1.7 # via pre-commit
-idna==2.7 # via requests
+idna==2.8 # via requests
 importlib-metadata==0.7 # via pre-commit
-importlib-resources==1.0.2 # via pre-commit
 invoke==1.2.0
 mccabe==0.6.1 # via flake8
 nodeenv==1.3.3
@@ -23,12 +22,12 @@ pkginfo==1.4.2 # via twine
 pre-commit==1.12.0
 pycodestyle==2.3.1 # via flake8
 pyflakes==1.6.0 # via flake8
-pygments==2.3.0 # via readme-renderer
+pygments==2.3.1 # via readme-renderer
 pyyaml==3.13 # via aspy.yaml, pre-commit
 readme-renderer==24.0 # via twine
 requests-toolbelt==0.8.0 # via twine
-requests==2.20.1 # via requests-toolbelt, twine
-six==1.11.0 # via bleach, cfgv, pre-commit, readme-renderer
+requests==2.21.0 # via requests-toolbelt, twine
+six==1.12.0 # via bleach, cfgv, pre-commit, readme-renderer
 toml==0.10.0 # via pre-commit
 tqdm==4.28.1 # via twine
 twine==1.12.1
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 35ca4322..3f036915 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -4,7 +4,7 @@
 #
 # pip-compile --no-index --output-file requirements-docs.txt requirements-docs.in
 #
-acme==0.28.0
+acme==0.29.1
 alabaster==0.7.12 # via sphinx
 alembic-autogenerate-enums==0.0.2
 alembic==1.0.5
@@ -15,12 +15,12 @@ asn1crypto==0.24.0
 asyncpool==1.0
 babel==2.6.0 # via sphinx
 bcrypt==3.1.4
-billiard==3.5.0.4
+billiard==3.5.0.5
 blinker==1.4
-boto3==1.9.53
-botocore==1.12.53
+boto3==1.9.60
+botocore==1.12.60
 celery[redis]==4.2.1
-certifi==2018.10.15
+certifi==2018.11.29
 cffi==1.11.5
 chardet==3.0.4
 click==7.0
@@ -49,7 +49,7 @@ jinja2==2.10
 jmespath==0.9.3
 josepy==1.1.0
 jsonlines==1.2.0
-kombu==4.2.1
+kombu==4.2.2
 lockfile==0.12.2
 mako==1.0.7
 markupsafe==1.1.0
@@ -65,8 +65,8 @@ psycopg2==2.7.6.1
 pyasn1-modules==0.2.2
 pyasn1==0.4.4
 pycparser==2.19
-pygments==2.3.0 # via sphinx
-pyjwt==1.6.4
+pygments==2.3.1 # via sphinx
+pyjwt==1.7.0
 pynacl==1.3.0
 pyopenssl==18.0.0
 pyparsing==2.3.0 # via packaging
@@ -87,7 +87,7 @@ sphinx-rtd-theme==0.4.2
 sphinx==1.8.2
 sphinxcontrib-httpdomain==1.7.0
 sphinxcontrib-websupport==1.1.0 # via sphinx
-sqlalchemy-utils==0.33.8
+sqlalchemy-utils==0.33.9
 sqlalchemy==1.2.14
 tabulate==0.8.2
 urllib3==1.24.1
diff --git a/requirements-tests.txt b/requirements-tests.txt
index e328b38a..59c626f7 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -8,9 +8,9 @@ asn1crypto==0.24.0 # via cryptography
 atomicwrites==1.2.1 # via pytest
 attrs==18.2.0 # via pytest
 aws-xray-sdk==0.95 # via moto
-boto3==1.9.60 # via moto
+boto3==1.9.67 # via moto
 boto==2.49.0 # via moto
-botocore==1.12.60 # via boto3, moto, s3transfer
+botocore==1.12.67 # via boto3, moto, s3transfer
 certifi==2018.11.29 # via requests
 cffi==1.11.5 # via cryptography
 chardet==3.0.4 # via requests
@@ -22,11 +22,11 @@ docker==3.6.0 # via moto
 docutils==0.14 # via botocore
 ecdsa==0.13 # via python-jose
 factory-boy==2.11.1
-faker==1.0.0
+faker==1.0.1
 flask==1.0.2 # via pytest-flask
 freezegun==0.3.11
 future==0.17.1 # via python-jose
-idna==2.7 # via cryptography, requests
+idna==2.8 # via cryptography, requests
 itsdangerous==1.1.0 # via flask
 jinja2==2.10 # via flask, moto
 jmespath==0.9.3 # via boto3, botocore
@@ -46,16 +46,16 @@ pycryptodome==3.7.2 # via python-jose
 pyflakes==2.0.0
 pytest-flask==0.14.0
 pytest-mock==1.10.0
-pytest==4.0.1
+pytest==4.0.2
 python-dateutil==2.7.5 # via botocore, faker, freezegun, moto
 python-jose==2.0.2 # via moto
 pytz==2018.7 # via moto
 pyyaml==3.13 # via pyaml
 requests-mock==1.5.2
-requests==2.20.1 # via aws-xray-sdk, docker, moto, requests-mock, responses
-responses==0.10.4 # via moto
+requests==2.21.0 # via aws-xray-sdk, docker, moto, requests-mock, responses
+responses==0.10.5 # via moto
 s3transfer==0.1.13 # via boto3
-six==1.11.0 # via cryptography, docker, docker-pycreds, faker, freezegun, mock, more-itertools, moto, pytest, python-dateutil, python-jose, requests-mock, responses, websocket-client
+six==1.12.0 # via cryptography, docker, docker-pycreds, faker, freezegun, mock, more-itertools, moto, pytest, python-dateutil, python-jose, requests-mock, responses, websocket-client
 text-unidecode==1.2 # via faker
 urllib3==1.24.1 # via botocore, requests
 websocket-client==0.54.0 # via docker
diff --git a/requirements.txt b/requirements.txt
index fadcfe4b..7ee9a167 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,11 +12,11 @@ aniso8601==4.0.1 # via flask-restful
 arrow==0.12.1
 asn1crypto==0.24.0 # via cryptography
 asyncpool==1.0
-bcrypt==3.1.4 # via flask-bcrypt, paramiko
+bcrypt==3.1.5 # via flask-bcrypt, paramiko
 billiard==3.5.0.5 # via celery
 blinker==1.4 # via flask-mail, flask-principal, raven
-boto3==1.9.60
-botocore==1.12.60
+boto3==1.9.67
+botocore==1.12.67
 celery[redis]==4.2.1
 certifi==2018.11.29
 cffi==1.11.5 # via bcrypt, cryptography, pynacl
@@ -33,13 +33,13 @@ flask-cors==3.0.7
 flask-mail==0.9.1
 flask-migrate==2.3.1
 flask-principal==0.4.0
-flask-restful==0.3.6
+flask-restful==0.3.7
 flask-script==2.0.6
 flask-sqlalchemy==2.3.2
 flask==1.0.2
 future==0.17.1
 gunicorn==19.9.0
-idna==2.7 # via cryptography, requests
+idna==2.8 # via cryptography, requests
 inflection==0.3.1
 itsdangerous==1.1.0 # via flask
 jinja2==2.10
@@ -61,7 +61,7 @@ psycopg2==2.7.6.1
 pyasn1-modules==0.2.2 # via python-ldap
 pyasn1==0.4.4 # via ndg-httpsclient, paramiko, pyasn1-modules, python-ldap
 pycparser==2.19 # via cffi
-pyjwt==1.7.0
+pyjwt==1.7.1
 pynacl==1.3.0 # via paramiko
 pyopenssl==18.0.0
 pyrfc3339==1.1 # via acme
@@ -73,12 +73,12 @@ pyyaml==3.13 # via cloudflare
 raven[flask]==6.9.0
 redis==2.10.6
 requests-toolbelt==0.8.0 # via acme
-requests[security]==2.20.1
+requests[security]==2.21.0
 retrying==1.3.3
 s3transfer==0.1.13 # via boto3
-six==1.11.0
+six==1.12.0
 sqlalchemy-utils==0.33.9
-sqlalchemy==1.2.14 # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils
+sqlalchemy==1.2.15 # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils
 tabulate==0.8.2
 urllib3==1.24.1 # via botocore, requests
 vine==1.1.4 # via amqp