Merge branch 'master' into get_by_attributes

2019-02-05 10:31:35 -08:00 · 2019-02-05 10:31:35 -08:00 · 2107d58050
parent 1d2771b014 eebee9e523
commit 2107d58050
8 changed files with 154 additions and 28 deletions
--- a/lemur/plugins/lemur_adcs/init.py
+++ b/lemur/plugins/lemur_adcs/init.py
@ -0,0 +1,6 @@
+"""Set the version information."""
+try:
+    VERSION = __import__('pkg_resources') \
+        .get_distribution(__name__).version
+except Exception as e:
+    VERSION = 'unknown'
--- a/lemur/plugins/lemur_adcs/plugin.py
+++ b/lemur/plugins/lemur_adcs/plugin.py
@ -0,0 +1,116 @@
+from lemur.plugins.bases import IssuerPlugin, SourcePlugin
+import requests
+from lemur.plugins import lemur_adcs as ADCS
+from certsrv import Certsrv
+from OpenSSL import crypto
+from flask import current_app
+
+
+class ADCSIssuerPlugin(IssuerPlugin):
+    title = 'ADCS'
+    slug = 'adcs-issuer'
+    description = 'Enables the creation of certificates by ADCS (Active Directory Certificate Services)'
+    version = ADCS.VERSION
+
+    author = 'sirferl'
+    author_url = 'https://github.com/sirferl/lemur'
+
+    def __init__(self, *args, **kwargs):
+        """Initialize the issuer with the appropriate details."""
+        self.session = requests.Session()
+        super(ADCSIssuerPlugin, self).__init__(*args, **kwargs)
+
+    @staticmethod
+    def create_authority(options):
+        """Create an authority.
+        Creates an authority, this authority is then used by Lemur to
+        allow a user to specify which Certificate Authority they want
+        to sign their certificate.
+
+        :param options:
+        :return:
+        """
+        adcs_root = current_app.config.get('ADCS_ROOT')
+        adcs_issuing = current_app.config.get('ADCS_ISSUING')
+        role = {'username': '', 'password': '', 'name': 'adcs'}
+        return adcs_root, adcs_issuing, [role]
+
+    def create_certificate(self, csr, issuer_options):
+        adcs_server = current_app.config.get('ADCS_SERVER')
+        adcs_user = current_app.config.get('ADCS_USER')
+        adcs_pwd = current_app.config.get('ADCS_PWD')
+        adcs_auth_method = current_app.config.get('ADCS_AUTH_METHOD')
+        adcs_template = current_app.config.get('ADCS_TEMPLATE')
+        ca_server = Certsrv(adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method)
+        current_app.logger.info("Requesting CSR: {0}".format(csr))
+        current_app.logger.info("Issuer options: {0}".format(issuer_options))
+        cert, req_id = ca_server.get_cert(csr, adcs_template, encoding='b64').decode('utf-8').replace('\r\n', '\n')
+        chain = ca_server.get_ca_cert(encoding='b64').decode('utf-8').replace('\r\n', '\n')
+        return cert, chain, req_id
+
+    def revoke_certificate(self, certificate, comments):
+        raise NotImplementedError('Not implemented\n', self, certificate, comments)
+
+    def get_ordered_certificate(self, order_id):
+        raise NotImplementedError('Not implemented\n', self, order_id)
+
+    def canceled_ordered_certificate(self, pending_cert, **kwargs):
+        raise NotImplementedError('Not implemented\n', self, pending_cert, **kwargs)
+
+
+class ADCSSourcePlugin(SourcePlugin):
+    title = 'ADCS'
+    slug = 'adcs-source'
+    description = 'Enables the collecion of certificates'
+    version = ADCS.VERSION
+
+    author = 'sirferl'
+    author_url = 'https://github.com/sirferl/lemur'
+    options = [
+        {
+            'name': 'dummy',
+            'type': 'str',
+            'required': False,
+            'validation': '/^[0-9]{12,12}$/',
+            'helpMessage': 'Just to prevent error'
+        }
+    ]
+
+    def get_certificates(self, options, **kwargs):
+        adcs_server = current_app.config.get('ADCS_SERVER')
+        adcs_user = current_app.config.get('ADCS_USER')
+        adcs_pwd = current_app.config.get('ADCS_PWD')
+        adcs_auth_method = current_app.config.get('ADCS_AUTH_METHOD')
+        adcs_start = current_app.config.get('ADCS_START')
+        adcs_stop = current_app.config.get('ADCS_STOP')
+        ca_server = Certsrv(adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method)
+        out_certlist = []
+        for id in range(adcs_start, adcs_stop):
+            try:
+                cert = ca_server.get_existing_cert(id, encoding='b64').decode('utf-8').replace('\r\n', '\n')
+            except Exception as err:
+                if '{0}'.format(err).find("CERTSRV_E_PROPERTY_EMPTY"):
+                    # this error indicates end of certificate list(?), so we stop
+                    break
+                else:
+                    # We do nothing in case there is no certificate returned for other reasons
+                    current_app.logger.info("Error with id {0}: {1}".format(id, err))
+            else:
+                # we have a certificate
+                pubkey = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+                # loop through extensions to see if we find "TLS Web Server Authentication"
+                for e_id in range(0, pubkey.get_extension_count() - 1):
+                    try:
+                        extension = '{0}'.format(pubkey.get_extension(e_id))
+                    except Exception:
+                        extensionn = ''
+                    if extension.find("TLS Web Server Authentication") != -1:
+                        out_certlist.append({
+                            'name': format(pubkey.get_subject().CN),
+                            'body': cert})
+                        break
+        return out_certlist
+
+    def get_endpoints(self, options, **kwargs):
+        # There are no endpoints in the ADCS
+        raise NotImplementedError('Not implemented\n', self, options, **kwargs)
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@ -19,13 +19,13 @@ invoke==1.2.0
 mccabe==0.6.1             # via flake8
 nodeenv==1.3.3
 pkginfo==1.5.0.1          # via twine
-pre-commit==1.14.2
+pre-commit==1.14.3
 pycodestyle==2.3.1        # via flake8
 pyflakes==1.6.0           # via flake8
 pygments==2.3.1           # via readme-renderer
 pyyaml==3.13              # via aspy.yaml, pre-commit
 readme-renderer==24.0     # via twine
-requests-toolbelt==0.9.0  # via twine
+requests-toolbelt==0.9.1  # via twine
 requests==2.21.0          # via requests-toolbelt, twine
 six==1.12.0               # via bleach, cfgv, pre-commit, readme-renderer
 toml==0.10.0              # via pre-commit
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@ -8,7 +8,7 @@ acme==0.30.2
 alabaster==0.7.12         # via sphinx
 alembic-autogenerate-enums==0.0.2
 alembic==1.0.7
-amqp==2.4.0
+amqp==2.4.1
 aniso8601==4.1.0
 arrow==0.13.0
 asn1crypto==0.24.0
@ -17,8 +17,8 @@ babel==2.6.0              # via sphinx
 bcrypt==3.1.6
 billiard==3.5.0.5
 blinker==1.4
-boto3==1.9.86
-botocore==1.12.86
+boto3==1.9.87
+botocore==1.12.87
 celery[redis]==4.2.1
 certifi==2018.11.29
 cffi==1.11.5
@ -53,13 +53,13 @@ kombu==4.2.2.post1
 lockfile==0.12.2
 mako==1.0.7
 markupsafe==1.1.0
-marshmallow-sqlalchemy==0.15.0
+marshmallow-sqlalchemy==0.16.0
 marshmallow==2.18.0
 mock==2.0.0
 ndg-httpsclient==0.5.1
 packaging==19.0           # via sphinx
 paramiko==2.4.2
-pbr==5.1.1
+pbr==5.1.2
 pem==18.2.0
 psycopg2==2.7.7
 pyasn1-modules==0.2.4
@ -71,20 +71,20 @@ pynacl==1.3.0
 pyopenssl==19.0.0
 pyparsing==2.3.1          # via packaging
 pyrfc3339==1.1
-python-dateutil==2.7.5
-python-editor==1.0.3
+python-dateutil==2.8.0
+python-editor==1.0.4
 pytz==2018.9
 pyyaml==3.13
 raven[flask]==6.10.0
 redis==2.10.6
-requests-toolbelt==0.9.0
+requests-toolbelt==0.9.1
 requests[security]==2.21.0
 retrying==1.3.3
 s3transfer==0.1.13
 six==1.12.0
 snowballstemmer==1.2.1    # via sphinx
 sphinx-rtd-theme==0.4.2
-sphinx==1.8.3
+sphinx==1.8.4
 sphinxcontrib-httpdomain==1.7.0
 sphinxcontrib-websupport==1.1.0  # via sphinx
 sqlalchemy-utils==0.33.11
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@ -5,12 +5,12 @@
 #    pip-compile --no-index --output-file requirements-tests.txt requirements-tests.in
 #
 asn1crypto==0.24.0        # via cryptography
-atomicwrites==1.2.1       # via pytest
+atomicwrites==1.3.0       # via pytest
 attrs==18.2.0             # via pytest
 aws-xray-sdk==0.95        # via moto
-boto3==1.9.86             # via moto
+boto3==1.9.87             # via moto
 boto==2.49.0              # via moto
-botocore==1.12.86         # via boto3, moto, s3transfer
+botocore==1.12.87         # via boto3, moto, s3transfer
 certifi==2018.11.29       # via requests
 cffi==1.11.5              # via cryptography
 chardet==3.0.4            # via requests
@ -37,7 +37,7 @@ mock==2.0.0               # via moto
 more-itertools==5.0.0     # via pytest
 moto==1.3.7
 nose==1.3.7
-pbr==5.1.1                # via mock
+pbr==5.1.2                # via mock
 pluggy==0.8.1             # via pytest
 py==1.7.0                 # via pytest
 pyaml==18.11.0            # via moto
@ -45,9 +45,9 @@ pycparser==2.19           # via cffi
 pycryptodome==3.7.3       # via python-jose
 pyflakes==2.1.0
 pytest-flask==0.14.0
-pytest-mock==1.10.0
-pytest==4.1.1
-python-dateutil==2.7.5    # via botocore, faker, freezegun, moto
+pytest-mock==1.10.1
+pytest==4.2.0
+python-dateutil==2.8.0    # via botocore, faker, freezegun, moto
 python-jose==2.0.2        # via moto
 pytz==2018.9              # via moto
 pyyaml==3.13              # via pyaml
--- a/requirements.in
+++ b/requirements.in
@ -8,6 +8,7 @@ boto3
 botocore
 celery[redis]
 certifi
+certsrv
 CloudFlare
 cryptography
 dnspython3
@ -42,4 +43,4 @@ retrying
 six
 SQLAlchemy-Utils
 tabulate
-xmltodict
+xmltodict
--- a/requirements.txt
+++ b/requirements.txt
@ -7,7 +7,7 @@
 acme==0.30.2
 alembic-autogenerate-enums==0.0.2
 alembic==1.0.7            # via flask-migrate
-amqp==2.4.0               # via kombu
+amqp==2.4.1               # via kombu
 aniso8601==4.1.0          # via flask-restful
 arrow==0.13.0
 asn1crypto==0.24.0        # via cryptography
@ -15,10 +15,11 @@ asyncpool==1.0
 bcrypt==3.1.6             # via flask-bcrypt, paramiko
 billiard==3.5.0.5         # via celery
 blinker==1.4              # via flask-mail, flask-principal, raven
-boto3==1.9.86
-botocore==1.12.86
+boto3==1.9.87
+botocore==1.12.87
 celery[redis]==4.2.1
 certifi==2018.11.29
+certsrv==2.1.0
 cffi==1.11.5              # via bcrypt, cryptography, pynacl
 chardet==3.0.4            # via requests
 click==7.0                # via flask
@ -50,12 +51,12 @@ kombu==4.2.2.post1        # via celery
 lockfile==0.12.2
 mako==1.0.7               # via alembic
 markupsafe==1.1.0         # via jinja2, mako
-marshmallow-sqlalchemy==0.15.0
+marshmallow-sqlalchemy==0.16.0
 marshmallow==2.18.0
 mock==2.0.0               # via acme
 ndg-httpsclient==0.5.1
 paramiko==2.4.2
-pbr==5.1.1                # via mock
+pbr==5.1.2                # via mock
 pem==18.2.0
 psycopg2==2.7.7
 pyasn1-modules==0.2.4     # via python-ldap
@ -65,14 +66,14 @@ pyjwt==1.7.1
 pynacl==1.3.0             # via paramiko
 pyopenssl==19.0.0
 pyrfc3339==1.1            # via acme
-python-dateutil==2.7.5    # via alembic, arrow, botocore
-python-editor==1.0.3      # via alembic
+python-dateutil==2.8.0    # via alembic, arrow, botocore
+python-editor==1.0.4      # via alembic
 python-ldap==3.1.0
 pytz==2018.9              # via acme, celery, flask-restful, pyrfc3339
 pyyaml==3.13              # via cloudflare
 raven[flask]==6.10.0
 redis==2.10.6
-requests-toolbelt==0.9.0  # via acme
+requests-toolbelt==0.9.1  # via acme
 requests[security]==2.21.0
 retrying==1.3.3
 s3transfer==0.1.13        # via boto3
--- a/setup.py
+++ b/setup.py
@ -154,7 +154,9 @@ setup(
            'digicert_cis_issuer = lemur.plugins.lemur_digicert.plugin:DigiCertCISIssuerPlugin',
            'digicert_cis_source = lemur.plugins.lemur_digicert.plugin:DigiCertCISSourcePlugin',
            'csr_export = lemur.plugins.lemur_csr.plugin:CSRExportPlugin',
-            'sftp_destination = lemur.plugins.lemur_sftp.plugin:SFTPDestinationPlugin'
+            'sftp_destination = lemur.plugins.lemur_sftp.plugin:SFTPDestinationPlugin',
+            'adcs_issuer = lemur.plugins.lemur_adcs.plugin:ADCSIssuerPlugin',
+            'adcs_source = lemur.plugins.lemur_adcs.plugin:ADCSSourcePlugin'
        ],
    },
    classifiers=[