From 2578970f7d06a7bfadf4a6c43602f784f87d7a91 Mon Sep 17 00:00:00 2001 From: James Chuong Date: Thu, 22 Feb 2018 08:13:16 -0800 Subject: [PATCH] Async Certificate Issuing using Pending Certificates (#1037) * Add PendingCertificate model This change creates a DB table called pending_certificates and associated mapping relationship tables from pending certificate to roles, rotation policy, destination, sources, etc. The table is generated on initialization of Lemur. A pending certificate holds most of the information of a Certificate, while it has not be issued so that it can later backfill the information when the CA has issued the certificate. Change-Id: I277c16b776a71fe5edaf0fa0e76bbedc88924db0 Tickets: PBL-36499 * Create a PendingCertificate if cert is empty IssuePlugins should return empty cert bodies if the request failed to complete immediately (such as Digicert). This way, we can immediately return the certificate, or if not just place into PendingCertificates for later processing. + Fix relation from Certificate to Pending Certificate, as view only. There is no real need for anything more than that since Pending cert only needs to know the cert to replace when it is issued later. + Made PendingCertificate private key be empty: UI does not allow private key on 'Create' but only on 'Import'. For Instart, we require the private key but upstream does not necessarily need it. Thus, if someone at Instart wants to create a CSR / key combo, they should manually issue the cert themselves and import later. Otherwise you should let Lemur generate that. This keeps the workflow transparent for upstream Lemur users. Change-Id: Ib74722a5ed5792d4b10ca702659422739c95ae26 Tickets: PBL-36343 * Fix empty private_key when create Pending Cert On creation of a certificate with a CSR, there is no option for private key. In this case, we actually have a dictionary with private_key as key, but the value is None. This fixes the strip() called on NoneType. Change-Id: I7b265564d8095bfc83d9d4cd14ae13fea3c03199 Tickets: PBL-36499 * Source sync finds and uses pending certificate When a source syncs certificates, it will check for a pending certificate. If that is found via external_id (given by digicert as order_id) then it will use the found Pending Certificate's fields to create a new certificate. Then the pending certificate is deleted. Tickets: PBL-36343 Change-Id: I4f7959da29275ebc47a3996741f7e98d3e2d29d9 * Add Lemur static files and views for pending certs This adds the basic static files to view pending certificates in a table. Tickets: PBL-36343 Change-Id: Ia4362e6664ec730d05d280c5ef5c815a6feda0d9 * Add CLI and plugin based pending fetch This change uses the adds a new function to issuer plugins to fetch certificates like source, but for one order. This way, we can control which pending certificates to try and populate instead of getting all certificates from source. Tickets: PBL-36343 Change-Id: Ifc1747ccdc2cba09a81f298b31ddddebfee1b1d6 * Revert source using Pending Certificate Tickets: PBL-36343 Change-Id: I05121bc951e0530d804070afdb9c9e09baa0bc51 * Fix PendingCertificate init getting authority id Should get authority id from authority.id instead of the authority_id key in kwargs. Change-Id: Ie56df1a5fb0ab2729e91050f3ad1a831853e0623 Tickets: n/a * Add fixtures and basic test for PendingCertificate Change-Id: I4cca34105544d40dac1cc50a87bba93d8af9ab34 Tickets: PBL-36343 * Add User to create_certificate parameters create_certificate now takes a User, which will be used to populate the 'creator' field in certificates.service.upload(). This allows the UI populate with the current user if the owner does not exist in Lemur. + Fix chain being replaced with version from pending certificate, which may be empty (depends on plugin implementation). Change-Id: I516027b36bc643c4978b9c4890060569e03f3049 Tickets: n/a * Fix permalink and filters to pending certs Fixes the permalink button to get a single pending certificate Add argument filter parsing for the pending certificate API Fix comment on API usage Added get_by_name for pending_certificate (currently unused, but useful for CLI, instead of using IDs) Change-Id: Iaa48909c45606bec65dfb193c13d6bd0e816f6db Tickets: PBL-36910 * Update displayed fields for Pending Certificates There are a number of unused / unpopulated fields from Certificate UI that does apply to Pending Certificates. Those ones were removed, and added other useful fields: Owner, number of attempts to fetch and date created Change-Id: I3010a715f0357ba149cf539a19fdb5974c5ce08b Tickets: PBL-36910 * Add common name (cn) to Pending Certificate model Fixes the UI missing the CN for Pending Certificate, as it was originally being parsed from the generated certificate. In the case of pending certificate, the CN from the user generates the request, which means a pending cert can trust the original user putting in the CN instead of having to parse the not-yet-generated certificate. There is no real possibility to return a certificate from a pending certificate where the CN has changed since it was initially ordered. Change-Id: I88a4fa28116d5d8d293e58970d9777ce73fbb2ab Tickets: PBL-36910 * Fix missing imports for service filter + Removed duplicate get_by_name function from old merge Change-Id: I04ae6852533aa42988433338de74390e2868d69b Tickets: PBL-36910 * Add private key viewing to Pending Certificates Add private key API for Pending Certificates, with the same authorization as Certificates (only owner, creator or owner-roles can view private key). Change-Id: Ie5175154a10fe0007cc0e9f35b80c0a01ed48d5b Tickets: PBL-36910 * Add edit capability to pending certificates Like editing certificates, we should be able to modify some parts of a pending certificate so the resulting certificate has the right references, owner, etc. + Added API to update pending certificate + Fix UI to use pending certificate scope instead of reusing Certificate + Change pending_certificate.replaces to non-passive association, so that updates do affect it (similar to roles/notifications/etc) Tickets: PBL-36910 Change-Id: Ibbcb166a33f0337e1b14f426472261222f790ce6 * Add common_name parsing instead using kwargs To fix tests where common name may not be passed in, use the CSR generated to find the official common name. Change-Id: I09f9258fa92c2762d095798676ce210c5d7a3da4 Tickets: PBL-36343 * Add Cancel to pending certificates and plugins This allows pending certificates to be cancelled, which will be handled by the issuer plugin. Change-Id: Ibd6b5627c3977e33aca7860690cfb7f677236ca9 Tickets: PBL-36910 * Add API for Cancelling Pending Certificate Added the DELETE handler for pending_certificates, which will cancel and delete the pending certificate from the pending certs table on successful cancellation via Issuer Plugin. + Add UT for testing cancel API Change-Id: I11b1d87872e4284f6e4f9c366a15da4ddba38bc4 Tickets: PBL-36910 * Remove Export from Pending Certificates Pending Certificates doesn't need an export since it should just be fetched by Lemur via plugins, and the CSR is viewable via the UI. Change-Id: I9a3e65ea11ac5a85316f6428e7f526c3c09178ae Tickets: PBL-36910 * Add cancel button functionality to UI This adds the Cancel option to the dropdown of pending certificates. + Adds modal window for Note (may not be required for all issuers, just Digicert) + Add schema for cancel input + Fix Digitcert plugin for non-existant orders When an order is actually issued, then attempting to cancel will return a 403 from Digicert. This is a case where it should only be done once we know the pending cert has been sitting for too long. Change-Id: I256c81ecd142dd51dcf8e38802d2c202829887b0 Tickets: PBL-36910 * Fix test_pending_cancel UT This change creates and injects a pending cert, which will then be used for the ID so it can be canceled by the unit test. Change-Id: I686e7e0fafd68cdaeb26438fb8504d79de77c346 Tickets: PBL-36343 * Fix test_digicert on non-existent order cancelling a non-existent order is fine since we're cancelling it Change-Id: I70c0e82ba2f4b8723a7f65b113c19e6eeff7e68c Tickets: PBL-36343 * Add migrations for PendingCertificates Added revision for Pending Certificates table and foreign key mapping tables. Change-Id: Ife8202cef1e6b99db377851264639ba540b749db Tickets: n/a * Fix relationship copy from Pending to Certificate When a Pending Certificate is changed to a full Certificate, the relationship fields are not copied via vars() function, as it's not a column but mapped via association table. This adds an explicit copy for these relations. Which will properly copy them to the new Certificate, and thus also update destinations. Change-Id: I322032ce4a9e3e67773f7cf39ee4971054c92685 Tickets: PBL-36343 * Fix renaming of certificates and unit tests The rename flag was not used to rename certificates on creation as expected. Fixed unit test, instead of expunging the session, just copy the pending_certificate so we don't have a weird reference to the object that can't be copied via vars() function. Change-Id: I962943272ed92386ab6eab2af4ed6d074d4cffa0 Tickets: PBL-36343 * Updated developer docs for async certs Added blurb for implementing new issuer functions. Change-Id: I1caed6e914bcd73214eae2d241e4784e1b8a0c4c Tickets: n/a --- docs/developer/plugins/index.rst | 21 +- lemur/__init__.py | 4 +- lemur/authorities/models.py | 3 + lemur/certificates/models.py | 7 +- lemur/certificates/service.py | 22 +- lemur/certificates/views.py | 5 +- lemur/common/utils.py | 13 + lemur/manage.py | 3 + lemur/migrations/versions/556ceb3e3c3e_.py | 103 +++++ lemur/models.py | 45 ++ lemur/notifications/models.py | 10 +- lemur/pending_certificates/__init__.py | 0 lemur/pending_certificates/cli.py | 48 ++ lemur/pending_certificates/models.py | 95 ++++ lemur/pending_certificates/schemas.py | 101 +++++ lemur/pending_certificates/service.py | 219 +++++++++ lemur/pending_certificates/views.py | 424 ++++++++++++++++++ lemur/plugins/bases/issuer.py | 6 + lemur/plugins/lemur_digicert/plugin.py | 33 ++ .../lemur_digicert/tests/test_digicert.py | 21 + lemur/roles/models.py | 4 +- .../pending_certificate/cancel.tpl.html | 25 ++ .../pending_certificate/destinations.tpl.html | 29 ++ .../pending_certificate/edit.tpl.html | 50 +++ .../notifications.tpl.html | 28 ++ .../pending_certificate.js | 72 +++ .../pending_certificate/replaces.tpl.html | 28 ++ .../angular/pending_certificates/services.js | 249 ++++++++++ .../angular/pending_certificates/view/view.js | 102 +++++ .../pending_certificates/view/view.tpl.html | 182 ++++++++ lemur/static/app/index.html | 1 + lemur/tests/conftest.py | 27 +- lemur/tests/factories.py | 103 ++++- lemur/tests/plugins/issuer_plugin.py | 26 ++ lemur/tests/test_certificates.py | 2 +- lemur/tests/test_pending_certificates.py | 51 +++ lemur/users/models.py | 1 + 37 files changed, 2148 insertions(+), 15 deletions(-) create mode 100644 lemur/migrations/versions/556ceb3e3c3e_.py create mode 100644 lemur/pending_certificates/__init__.py create mode 100644 lemur/pending_certificates/cli.py create mode 100644 lemur/pending_certificates/models.py create mode 100644 lemur/pending_certificates/schemas.py create mode 100644 lemur/pending_certificates/service.py create mode 100644 lemur/pending_certificates/views.py create mode 100644 lemur/static/app/angular/pending_certificates/pending_certificate/cancel.tpl.html create mode 100644 lemur/static/app/angular/pending_certificates/pending_certificate/destinations.tpl.html create mode 100644 lemur/static/app/angular/pending_certificates/pending_certificate/edit.tpl.html create mode 100644 lemur/static/app/angular/pending_certificates/pending_certificate/notifications.tpl.html create mode 100644 lemur/static/app/angular/pending_certificates/pending_certificate/pending_certificate.js create mode 100644 lemur/static/app/angular/pending_certificates/pending_certificate/replaces.tpl.html create mode 100644 lemur/static/app/angular/pending_certificates/services.js create mode 100644 lemur/static/app/angular/pending_certificates/view/view.js create mode 100644 lemur/static/app/angular/pending_certificates/view/view.tpl.html create mode 100644 lemur/tests/test_pending_certificates.py diff --git a/docs/developer/plugins/index.rst b/docs/developer/plugins/index.rst index e9fc7936..8af5e1c8 100644 --- a/docs/developer/plugins/index.rst +++ b/docs/developer/plugins/index.rst @@ -100,10 +100,16 @@ If you have a third party or internal service that creates authorities (EJBCA, e it can treat any issuer plugin as both a source of creating new certificates as well as new authorities. -The `IssuerPlugin` exposes two functions:: +The `IssuerPlugin` exposes four functions functions:: def create_certificate(self, csr, issuer_options): # requests.get('a third party') + def revoke_certificate(self, certificate, comments): + # requests.put('a third party') + def get_ordered_certificate(self, order_id): + # requests.get('already existing certificate') + def canceled_ordered_certificate(self, pending_cert, **kwargs): + # requests.put('cancel an order that has yet to be issued') Lemur will pass a dictionary of all possible options for certificate creation. Including a valid CSR, and the raw options associated with the request. @@ -139,6 +145,19 @@ The `IssuerPlugin` doesn't have any options like Destination, Source, and Notifi any fields you might need to submit a request to a third party. If there are additional options you need in your plugin feel free to open an issue, or look into adding additional options to issuers yourself. +Asynchronous Certificates +^^^^^^^^^^^^^^^^^^^^^^^^^ +An issuer may take some time to actually issue a certificate for an order. In this case, a `PendingCertificate` is returned, which holds information to recreate a `Certificate` object at a later time. Then, `get_ordered_certificate()` should be run periodically via `python manage.py pending_certs fetch -i all` to attempt to retrieve an ordered certificate:: + + def get_ordered_ceriticate(self, order_id): + # order_id is the external id of the order, not the external_id of the certificate + # retrieve an order, and check if there is an issued certificate attached to it + +`cancel_ordered_certificate()` should be implemented to allow an ordered certificate to be canceled before it is issued:: + def cancel_ordered_certificate(self, pending_cert, **kwargs): + # pending_cert should contain the necessary information to match an order + # kwargs can be given to provide information to the issuer for canceling + Destination ----------- diff --git a/lemur/__init__.py b/lemur/__init__.py index 444ed56f..6f29733c 100644 --- a/lemur/__init__.py +++ b/lemur/__init__.py @@ -27,6 +27,7 @@ from lemur.sources.views import mod as sources_bp from lemur.endpoints.views import mod as endpoints_bp from lemur.logs.views import mod as logs_bp from lemur.api_keys.views import mod as api_key_bp +from lemur.pending_certificates.views import mod as pending_certificates_bp from lemur.__about__ import ( __author__, __copyright__, __email__, __license__, __summary__, __title__, @@ -53,7 +54,8 @@ LEMUR_BLUEPRINTS = ( sources_bp, endpoints_bp, logs_bp, - api_key_bp + api_key_bp, + pending_certificates_bp, ) diff --git a/lemur/authorities/models.py b/lemur/authorities/models.py index fc1302ad..45744144 100644 --- a/lemur/authorities/models.py +++ b/lemur/authorities/models.py @@ -32,6 +32,9 @@ class Authority(db.Model): authority_certificate = relationship("Certificate", backref='root_authority', uselist=False, foreign_keys='Certificate.root_authority_id') certificates = relationship("Certificate", backref='authority', foreign_keys='Certificate.authority_id') + authority_pending_certificate = relationship("PendingCertificate", backref='root_authority', uselist=False, foreign_keys='PendingCertificate.root_authority_id') + pending_certificates = relationship('PendingCertificate', backref='authority', foreign_keys='PendingCertificate.authority_id') + def __init__(self, **kwargs): self.owner = kwargs['owner'] self.roles = kwargs.get('roles', []) diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 433cb05a..81dfa8d3 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -37,7 +37,7 @@ from lemur.constants import SUCCESS_METRIC_STATUS, FAILURE_METRIC_STATUS from lemur.models import certificate_associations, certificate_source_associations, \ certificate_destination_associations, certificate_notification_associations, \ - certificate_replacement_associations, roles_certificates + certificate_replacement_associations, roles_certificates, pending_cert_replacement_associations from lemur.domains.models import Domain from lemur.policies.models import RotationPolicy @@ -129,6 +129,11 @@ class Certificate(db.Model): secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id, # noqa backref='replaced') + replaced_by_pending = relationship('PendingCertificate', + secondary=pending_cert_replacement_associations, + backref='pending_replace', + viewonly=True) + logs = relationship('Log', backref='certificate') endpoints = relationship('Endpoint', backref='certificate') rotation_policy = relationship("RotationPolicy") diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py index 48364652..64630d52 100644 --- a/lemur/certificates/service.py +++ b/lemur/certificates/service.py @@ -25,6 +25,7 @@ from lemur.authorities.models import Authority from lemur.destinations.models import Destination from lemur.certificates.models import Certificate from lemur.notifications.models import Notification +from lemur.pending_certificates.models import PendingCertificate from lemur.certificates.schemas import CertificateOutputSchema, CertificateInputSchema @@ -63,6 +64,9 @@ def get_by_serial(serial): :param serial: :return: """ + if isinstance(serial, int): + # although serial is a number, the DB column is String(128) + serial = str(serial) return Certificate.query.filter(Certificate.serial == serial).all() @@ -190,7 +194,7 @@ def mint(**kwargs): csr_imported.send(authority=authority, csr=csr) cert_body, cert_chain, external_id = issuer.create_certificate(csr, kwargs) - return cert_body, private_key, cert_chain, external_id + return cert_body, private_key, cert_chain, external_id, csr def import_certificate(**kwargs): @@ -243,11 +247,12 @@ def create(**kwargs): """ Creates a new certificate. """ - cert_body, private_key, cert_chain, external_id = mint(**kwargs) + cert_body, private_key, cert_chain, external_id, csr = mint(**kwargs) kwargs['body'] = cert_body kwargs['private_key'] = private_key kwargs['chain'] = cert_chain kwargs['external_id'] = external_id + kwargs['csr'] = csr roles = create_certificate_roles(**kwargs) @@ -256,15 +261,20 @@ def create(**kwargs): else: kwargs['roles'] = roles - cert = Certificate(**kwargs) + if cert_body: + cert = Certificate(**kwargs) + kwargs['creator'].certificates.append(cert) + else: + cert = PendingCertificate(**kwargs) + kwargs['creator'].pending_certificates.append(cert) - kwargs['creator'].certificates.append(cert) cert.authority = kwargs['authority'] - certificate_issued.send(certificate=cert, authority=cert.authority) database.commit() - metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer)) + if isinstance(cert, Certificate): + certificate_issued.send(certificate=cert, authority=cert.authority) + metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer)) return cert diff --git a/lemur/certificates/views.py b/lemur/certificates/views.py index 79edcd69..ed717b6e 100644 --- a/lemur/certificates/views.py +++ b/lemur/certificates/views.py @@ -18,6 +18,7 @@ from lemur.auth.service import AuthenticatedResource from lemur.auth.permissions import AuthorityPermission, CertificatePermission from lemur.certificates import service +from lemur.certificates.models import Certificate from lemur.plugins.base import plugins from lemur.certificates.schemas import ( certificate_input_schema, @@ -267,7 +268,9 @@ class CertificatesList(AuthenticatedResource): if authority_permission.can(): data['creator'] = g.user cert = service.create(**data) - log_service.create(g.user, 'create_cert', certificate=cert) + if isinstance(cert, Certificate): + # only log if created, not pending + log_service.create(g.user, 'create_cert', 'OK', certificate=cert) return cert return dict(message="You are not authorized to use the authority: {0}".format(data['authority'].name)), 403 diff --git a/lemur/common/utils.py b/lemur/common/utils.py index 04bb0d0c..621a2c39 100644 --- a/lemur/common/utils.py +++ b/lemur/common/utils.py @@ -53,6 +53,19 @@ def parse_certificate(body): return x509.load_pem_x509_certificate(body, default_backend()) +def parse_csr(csr): + """ + Helper function that parses a CSR. + + :param csr: + :return: + """ + if isinstance(csr, str): + csr = csr.encode('utf-8') + + return x509.load_pem_x509_csr(csr, default_backend()) + + def get_authority_key(body): """Returns the authority key for a given certificate in hex format""" parsed_cert = parse_certificate(body) diff --git a/lemur/manage.py b/lemur/manage.py index 57cd7b2c..308e6c30 100755 --- a/lemur/manage.py +++ b/lemur/manage.py @@ -21,6 +21,7 @@ from lemur.reporting.cli import manager as report_manager from lemur.endpoints.cli import manager as endpoint_manager from lemur.certificates.cli import manager as certificate_manager from lemur.notifications.cli import manager as notification_manager +from lemur.pending_certificates.cli import manager as pending_certificate_manager from lemur import database from lemur.users import service as user_service @@ -44,6 +45,7 @@ from lemur.sources.models import Source # noqa from lemur.logs.models import Log # noqa from lemur.endpoints.models import Endpoint # noqa from lemur.policies.models import RotationPolicy # noqa +from lemur.pending_certificates.models import PendingCertificate # noqa manager = Manager(create_app) @@ -542,6 +544,7 @@ def main(): manager.add_command("endpoint", endpoint_manager) manager.add_command("report", report_manager) manager.add_command("policy", policy_manager) + manager.add_command("pending_certs", pending_certificate_manager) manager.run() diff --git a/lemur/migrations/versions/556ceb3e3c3e_.py b/lemur/migrations/versions/556ceb3e3c3e_.py new file mode 100644 index 00000000..7b9045c2 --- /dev/null +++ b/lemur/migrations/versions/556ceb3e3c3e_.py @@ -0,0 +1,103 @@ +"""Add Pending Certificates models and relations + +Revision ID: 556ceb3e3c3e +Revises: 47baffaae1a7 +Create Date: 2018-01-05 01:18:45.571595 + +""" + +# revision identifiers, used by Alembic. +revision = '556ceb3e3c3e' +down_revision = '47baffaae1a7' + +from alembic import op +import sqlalchemy as sa +from sqlalchemy.dialects import postgresql + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.create_table('pending_certs', + sa.Column('id', sa.Integer(), nullable=False), + sa.Column('external_id', sa.String(length=128), nullable=True), + sa.Column('owner', sa.String(length=128), nullable=False), + sa.Column('name', sa.String(length=256), nullable=True), + sa.Column('description', sa.String(length=1024), nullable=True), + sa.Column('notify', sa.Boolean(), nullable=True), + sa.Column('number_attempts', sa.Integer(), nullable=True), + sa.Column('rename', sa.Boolean(), nullable=True), + sa.Column('cn', sa.String(length=128), nullable=True), + sa.Column('csr', sa.Text(), nullable=False), + sa.Column('chain', sa.Text(), nullable=True), + sa.Column('private_key', lemur.utils.Vault(), nullable=True), + sa.Column('date_created', sqlalchemy_utils.types.arrow.ArrowType(), server_default=sa.text('now()'), nullable=False), + sa.Column('status', sa.String(length=128), nullable=True), + sa.Column('rotation', sa.Boolean(), nullable=True), + sa.Column('user_id', sa.Integer(), nullable=True), + sa.Column('authority_id', sa.Integer(), nullable=True), + sa.Column('root_authority_id', sa.Integer(), nullable=True), + sa.Column('rotation_policy_id', sa.Integer(), nullable=True), + sa.ForeignKeyConstraint(['authority_id'], ['authorities.id'], ondelete='CASCADE'), + sa.ForeignKeyConstraint(['root_authority_id'], ['authorities.id'], ondelete='CASCADE'), + sa.ForeignKeyConstraint(['rotation_policy_id'], ['rotation_policies.id'], ), + sa.ForeignKeyConstraint(['user_id'], ['users.id'], ), + sa.PrimaryKeyConstraint('id'), + sa.UniqueConstraint('name') + ) + op.create_table('pending_cert_destination_associations', + sa.Column('destination_id', sa.Integer(), nullable=True), + sa.Column('pending_cert_id', sa.Integer(), nullable=True), + sa.ForeignKeyConstraint(['destination_id'], ['destinations.id'], ondelete='cascade'), + sa.ForeignKeyConstraint(['pending_cert_id'], ['pending_certs.id'], ondelete='cascade') + ) + op.create_index('pending_cert_destination_associations_ix', 'pending_cert_destination_associations', ['destination_id', 'pending_cert_id'], unique=False) + op.create_table('pending_cert_notification_associations', + sa.Column('notification_id', sa.Integer(), nullable=True), + sa.Column('pending_cert_id', sa.Integer(), nullable=True), + sa.ForeignKeyConstraint(['notification_id'], ['notifications.id'], ondelete='cascade'), + sa.ForeignKeyConstraint(['pending_cert_id'], ['pending_certs.id'], ondelete='cascade') + ) + op.create_index('pending_cert_notification_associations_ix', 'pending_cert_notification_associations', ['notification_id', 'pending_cert_id'], unique=False) + op.create_table('pending_cert_replacement_associations', + sa.Column('replaced_certificate_id', sa.Integer(), nullable=True), + sa.Column('pending_cert_id', sa.Integer(), nullable=True), + sa.ForeignKeyConstraint(['pending_cert_id'], ['pending_certs.id'], ondelete='cascade'), + sa.ForeignKeyConstraint(['replaced_certificate_id'], ['certificates.id'], ondelete='cascade') + ) + op.create_index('pending_cert_replacement_associations_ix', 'pending_cert_replacement_associations', ['replaced_certificate_id', 'pending_cert_id'], unique=False) + op.create_table('pending_cert_role_associations', + sa.Column('pending_cert_id', sa.Integer(), nullable=True), + sa.Column('role_id', sa.Integer(), nullable=True), + sa.ForeignKeyConstraint(['pending_cert_id'], ['pending_certs.id'], ), + sa.ForeignKeyConstraint(['role_id'], ['roles.id'], ) + ) + op.create_index('pending_cert_role_associations_ix', 'pending_cert_role_associations', ['pending_cert_id', 'role_id'], unique=False) + op.create_table('pending_cert_source_associations', + sa.Column('source_id', sa.Integer(), nullable=True), + sa.Column('pending_cert_id', sa.Integer(), nullable=True), + sa.ForeignKeyConstraint(['pending_cert_id'], ['pending_certs.id'], ondelete='cascade'), + sa.ForeignKeyConstraint(['source_id'], ['sources.id'], ondelete='cascade') + ) + op.create_index('pending_cert_source_associations_ix', 'pending_cert_source_associations', ['source_id', 'pending_cert_id'], unique=False) + op.create_table('roles_authorities', + sa.Column('authority_id', sa.Integer(), nullable=True), + sa.Column('role_id', sa.Integer(), nullable=True), + sa.ForeignKeyConstraint(['authority_id'], ['authorities.id'], ), + sa.ForeignKeyConstraint(['role_id'], ['roles.id'], ) + ) + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.drop_index('pending_cert_source_associations_ix', table_name='pending_cert_source_associations') + op.drop_table('pending_cert_source_associations') + op.drop_index('pending_cert_role_associations_ix', table_name='pending_cert_role_associations') + op.drop_table('pending_cert_role_associations') + op.drop_index('pending_cert_replacement_associations_ix', table_name='pending_cert_replacement_associations') + op.drop_table('pending_cert_replacement_associations') + op.drop_index('pending_cert_notification_associations_ix', table_name='pending_cert_notification_associations') + op.drop_table('pending_cert_notification_associations') + op.drop_index('pending_cert_destination_associations_ix', table_name='pending_cert_destination_associations') + op.drop_table('pending_cert_destination_associations') + op.drop_table('pending_certs') + # ### end Alembic commands ### diff --git a/lemur/models.py b/lemur/models.py index f189d76c..aa94901e 100644 --- a/lemur/models.py +++ b/lemur/models.py @@ -83,3 +83,48 @@ policies_ciphers = db.Table('policies_ciphers', Column('policy_id', Integer, ForeignKey('policy.id'))) Index('policies_ciphers_ix', policies_ciphers.c.cipher_id, policies_ciphers.c.policy_id) + + +pending_cert_destination_associations = db.Table('pending_cert_destination_associations', + Column('destination_id', Integer, + ForeignKey('destinations.id', ondelete='cascade')), + Column('pending_cert_id', Integer, + ForeignKey('pending_certs.id', ondelete='cascade')) + ) + +Index('pending_cert_destination_associations_ix', pending_cert_destination_associations.c.destination_id, pending_cert_destination_associations.c.pending_cert_id) + + +pending_cert_notification_associations = db.Table('pending_cert_notification_associations', + Column('notification_id', Integer, + ForeignKey('notifications.id', ondelete='cascade')), + Column('pending_cert_id', Integer, + ForeignKey('pending_certs.id', ondelete='cascade')) + ) + +Index('pending_cert_notification_associations_ix', pending_cert_notification_associations.c.notification_id, pending_cert_notification_associations.c.pending_cert_id) + +pending_cert_source_associations = db.Table('pending_cert_source_associations', + Column('source_id', Integer, + ForeignKey('sources.id', ondelete='cascade')), + Column('pending_cert_id', Integer, + ForeignKey('pending_certs.id', ondelete='cascade')) + ) + +Index('pending_cert_source_associations_ix', pending_cert_source_associations.c.source_id, pending_cert_source_associations.c.pending_cert_id) + +pending_cert_replacement_associations = db.Table('pending_cert_replacement_associations', + Column('replaced_certificate_id', Integer, + ForeignKey('certificates.id', ondelete='cascade')), + Column('pending_cert_id', Integer, + ForeignKey('pending_certs.id', ondelete='cascade')) + ) + +Index('pending_cert_replacement_associations_ix', pending_cert_replacement_associations.c.replaced_certificate_id, pending_cert_replacement_associations.c.pending_cert_id) + +pending_cert_role_associations = db.Table('pending_cert_role_associations', + Column('pending_cert_id', Integer, ForeignKey('pending_certs.id')), + Column('role_id', Integer, ForeignKey('roles.id')) + ) + +Index('pending_cert_role_associations_ix', pending_cert_role_associations.c.pending_cert_id, pending_cert_role_associations.c.role_id) diff --git a/lemur/notifications/models.py b/lemur/notifications/models.py index c2cb4ffc..79a3df1c 100644 --- a/lemur/notifications/models.py +++ b/lemur/notifications/models.py @@ -11,7 +11,8 @@ from sqlalchemy_utils import JSONType from lemur.database import db from lemur.plugins.base import plugins -from lemur.models import certificate_notification_associations +from lemur.models import certificate_notification_associations, \ + pending_cert_notification_associations class Notification(db.Model): @@ -29,6 +30,13 @@ class Notification(db.Model): backref="notification", cascade='all,delete' ) + pending_certificates = relationship( + "PendingCertificate", + secondary=pending_cert_notification_associations, + passive_deletes=True, + backref="notification", + cascade='all,delete' + ) @property def plugin(self): diff --git a/lemur/pending_certificates/__init__.py b/lemur/pending_certificates/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/lemur/pending_certificates/cli.py b/lemur/pending_certificates/cli.py new file mode 100644 index 00000000..ff846fe1 --- /dev/null +++ b/lemur/pending_certificates/cli.py @@ -0,0 +1,48 @@ +""" +.. module: lemur.pending_certificates.cli + +.. moduleauthor:: James Chuong +""" + +from flask_script import Manager + +from lemur.pending_certificates import service as pending_certificate_service +from lemur.plugins.base import plugins +from lemur.users import service as user_service + +manager = Manager(usage="Handles pending certificate related tasks.") + + +@manager.option('-i', dest='ids', action='append', help='IDs of pending certificates to fetch') +def fetch(ids): + """ + Attempt to get full certificates for each pending certificate listed. + + Args: + ids: a list of ids of PendingCertificates (passed in by manager options when run as CLI) + `python manager.py pending_certs fetch -i 123 321 all` + """ + new = 0 + failed = 0 + pending_certs = pending_certificate_service.get_pending_certs(ids) + user = user_service.get_by_username('lemur') + + for cert in pending_certs: + authority = plugins.get(cert.authority.plugin_name) + real_cert = authority.get_ordered_certificate(cert.external_id) + if real_cert: + # If a real certificate was returned from issuer, then create it in Lemur and delete + # the pending certificate + pending_certificate_service.create_certificate(cert, real_cert, user) + pending_certificate_service.delete(cert) + # add metrics to metrics extension + new += 1 + else: + pending_certificate_service.increment_attempt(cert) + failed += 1 + print( + "[+] Certificates: New: {new} Failed: {failed}".format( + new=new, + failed=failed + ) + ) diff --git a/lemur/pending_certificates/models.py b/lemur/pending_certificates/models.py new file mode 100644 index 00000000..0e841968 --- /dev/null +++ b/lemur/pending_certificates/models.py @@ -0,0 +1,95 @@ +""" +.. module: lemur.pending_certificates.models + Copyright (c) 2017 and onwards Instart Logic, Inc. All rights reserved. +.. moduleauthor:: James Chuong +""" +from datetime import datetime as dt + +from sqlalchemy.orm import relationship +from sqlalchemy import Integer, ForeignKey, String, PassiveDefault, func, Column, Text, Boolean +from sqlalchemy_utils.types.arrow import ArrowType + +import lemur.common.utils +from lemur.certificates.models import get_or_increase_name +from lemur.common import defaults +from lemur.database import db +from lemur.utils import Vault + +from lemur.models import pending_cert_source_associations, \ + pending_cert_destination_associations, pending_cert_notification_associations, \ + pending_cert_replacement_associations, pending_cert_role_associations + + +class PendingCertificate(db.Model): + __tablename__ = 'pending_certs' + id = Column(Integer, primary_key=True) + external_id = Column(String(128)) + owner = Column(String(128), nullable=False) + name = Column(String(256), unique=True) + description = Column(String(1024)) + notify = Column(Boolean, default=True) + number_attempts = Column(Integer) + rename = Column(Boolean, default=True) + + cn = Column(String(128)) + csr = Column(Text(), nullable=False) + chain = Column(Text()) + private_key = Column(Vault, nullable=True) + + date_created = Column(ArrowType, PassiveDefault(func.now()), nullable=False) + + status = Column(String(128)) + + rotation = Column(Boolean, default=False) + user_id = Column(Integer, ForeignKey('users.id')) + authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE")) + root_authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE")) + rotation_policy_id = Column(Integer, ForeignKey('rotation_policies.id')) + + notifications = relationship('Notification', secondary=pending_cert_notification_associations, backref='pending_cert', passive_deletes=True) + destinations = relationship('Destination', secondary=pending_cert_destination_associations, backref='pending_cert', passive_deletes=True) + sources = relationship('Source', secondary=pending_cert_source_associations, backref='pending_cert', passive_deletes=True) + roles = relationship('Role', secondary=pending_cert_role_associations, backref='pending_cert', passive_deletes=True) + replaces = relationship('Certificate', + secondary=pending_cert_replacement_associations, + backref='pending_cert', + passive_deletes=True) + + rotation_policy = relationship("RotationPolicy") + + sensitive_fields = ('private_key',) + + def __init__(self, **kwargs): + self.csr = kwargs.get('csr') + self.private_key = kwargs.get('private_key', "") + if self.private_key: + # If the request does not send private key, the key exists but the value is None + self.private_key = self.private_key.strip() + self.external_id = kwargs.get('external_id') + + # when destinations are appended they require a valid name. + if kwargs.get('name'): + self.name = get_or_increase_name(defaults.text_to_slug(kwargs['name']), 0) + self.rename = False + else: + # TODO: Fix auto-generated name, it should be renamed on creation + self.name = get_or_increase_name( + defaults.certificate_name(kwargs['common_name'], kwargs['authority'].name, + dt.now(), dt.now(), False), self.external_id) + self.rename = True + + self.cn = defaults.common_name(lemur.common.utils.parse_csr(self.csr)) + self.owner = kwargs['owner'] + self.number_attempts = 0 + + if kwargs.get('chain'): + self.chain = kwargs['chain'].strip() + + self.notify = kwargs.get('notify', True) + self.destinations = kwargs.get('destinations', []) + self.notifications = kwargs.get('notifications', []) + self.description = kwargs.get('description') + self.roles = list(set(kwargs.get('roles', []))) + self.replaces = kwargs.get('replaces', []) + self.rotation = kwargs.get('rotation') + self.rotation_policy = kwargs.get('rotation_policy') diff --git a/lemur/pending_certificates/schemas.py b/lemur/pending_certificates/schemas.py new file mode 100644 index 00000000..35a4c18a --- /dev/null +++ b/lemur/pending_certificates/schemas.py @@ -0,0 +1,101 @@ +from marshmallow import fields, post_load + +from lemur.schemas import ( + AssociatedCertificateSchema, + AssociatedDestinationSchema, + AssociatedNotificationSchema, + AssociatedRoleSchema, + EndpointNestedOutputSchema, + ExtensionSchema +) + +from lemur.common.schema import LemurInputSchema, LemurOutputSchema +from lemur.users.schemas import UserNestedOutputSchema +from lemur.authorities.schemas import AuthorityNestedOutputSchema +from lemur.certificates.schemas import CertificateNestedOutputSchema +from lemur.destinations.schemas import DestinationNestedOutputSchema +from lemur.domains.schemas import DomainNestedOutputSchema +from lemur.notifications.schemas import NotificationNestedOutputSchema +from lemur.roles.schemas import RoleNestedOutputSchema +from lemur.policies.schemas import RotationPolicyNestedOutputSchema + +from lemur.notifications import service as notification_service + + +class PendingCertificateSchema(LemurInputSchema): + owner = fields.Email(required=True) + description = fields.String(missing='', allow_none=True) + + +class PendingCertificateOutputSchema(LemurOutputSchema): + id = fields.Integer() + external_id = fields.String() + csr = fields.String() + chain = fields.String() + deleted = fields.Boolean(default=False) + description = fields.String() + issuer = fields.String() + name = fields.String() + number_attempts = fields.Integer() + date_created = fields.Date() + + rotation = fields.Boolean() + + # Note aliasing is the first step in deprecating these fields. + notify = fields.Boolean() + active = fields.Boolean(attribute='notify') + + cn = fields.String() + common_name = fields.String(attribute='cn') + + owner = fields.Email() + + status = fields.String() + user = fields.Nested(UserNestedOutputSchema) + + extensions = fields.Nested(ExtensionSchema) + + # associated objects + domains = fields.Nested(DomainNestedOutputSchema, many=True) + destinations = fields.Nested(DestinationNestedOutputSchema, many=True) + notifications = fields.Nested(NotificationNestedOutputSchema, many=True) + replaces = fields.Nested(CertificateNestedOutputSchema, many=True) + authority = fields.Nested(AuthorityNestedOutputSchema) + roles = fields.Nested(RoleNestedOutputSchema, many=True) + endpoints = fields.Nested(EndpointNestedOutputSchema, many=True, missing=[]) + replaced_by = fields.Nested(CertificateNestedOutputSchema, many=True, attribute='replaced') + rotation_policy = fields.Nested(RotationPolicyNestedOutputSchema) + + +class PendingCertificateEditInputSchema(PendingCertificateSchema): + owner = fields.String() + + notify = fields.Boolean() + rotation = fields.Boolean() + + destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True) + notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True) + replaces = fields.Nested(AssociatedCertificateSchema, missing=[], many=True) + roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True) + + @post_load + def enforce_notifications(self, data): + """ + Ensures that when an owner changes, default notifications are added for the new owner. + Old owner notifications are retained unless explicitly removed. + :param data: + :return: + """ + if data['owner']: + notification_name = "DEFAULT_{0}".format(data['owner'].split('@')[0].upper()) + data['notifications'] += notification_service.create_default_expiration_notifications(notification_name, [data['owner']]) + return data + + +class PendingCertificateCancelSchema(LemurInputSchema): + note = fields.String() + + +pending_certificate_output_schema = PendingCertificateOutputSchema() +pending_certificate_edit_input_schema = PendingCertificateEditInputSchema() +pending_certificate_cancel_schema = PendingCertificateCancelSchema() diff --git a/lemur/pending_certificates/service.py b/lemur/pending_certificates/service.py new file mode 100644 index 00000000..fed2ddd4 --- /dev/null +++ b/lemur/pending_certificates/service.py @@ -0,0 +1,219 @@ +""" +.. module: lemur.pending_certificates.service + Copyright (c) 2017 and onwards Instart Logic, Inc. All rights reserved. +.. moduleauthor:: James Chuong +""" +import arrow + +from sqlalchemy import or_, cast, Boolean, Integer + +from lemur import database +from lemur.plugins.base import plugins + +from lemur.roles.models import Role +from lemur.domains.models import Domain +from lemur.authorities.models import Authority +from lemur.destinations.models import Destination +from lemur.notifications.models import Notification +from lemur.pending_certificates.models import PendingCertificate + +from lemur.certificates import service as certificate_service +from lemur.users import service as user_service + +from lemur.certificates.schemas import CertificateUploadInputSchema + + +def get(pending_cert_id): + """ + Retrieve pending certificate by ID + """ + return database.get(PendingCertificate, pending_cert_id) + + +def get_by_external_id(issuer, external_id): + """ + Retrieves a pending certificate by its issuer and external_id + Since external_id is not necessarily unique between CAs + + :param issuer: + :param external_id: + :return: PendingCertificate or None + """ + if isinstance(external_id, int): + external_id = str(external_id) + return PendingCertificate.query \ + .filter(PendingCertificate.authority_id == issuer.id) \ + .filter(PendingCertificate.external_id == external_id) \ + .one_or_none() + + +def get_by_name(pending_cert_name): + """ + Retrieve pending certificate by name + """ + return database.get(PendingCertificate, pending_cert_name, field='name') + + +def delete(pending_certificate): + database.delete(pending_certificate) + + +def get_pending_certs(pending_ids): + """ + Retrieve a list of pending certs given a list of ids + Filters out non-existing pending certs + """ + pending_certs = [] + if 'all' in pending_ids: + query = database.session_query(PendingCertificate) + return database.find_all(query, PendingCertificate, {}).all() + else: + for pending_id in pending_ids: + pending_cert = get(pending_id) + if pending_cert: + pending_certs.append(pending_cert) + return pending_certs + + +def create_certificate(pending_certificate, certificate, user): + """ + Create and store a certificate with pending certificate's info + Args: + pending_certificate: PendingCertificate which will populate the certificate + certificate: dict from Authority, which contains the body, chain and external id + user: User that called this function, used as 'creator' of the certificate if it does + not have an owner + """ + certificate['owner'] = pending_certificate.owner + data, errors = CertificateUploadInputSchema().load(certificate) + if errors: + raise Exception("Unable to create certificate: {reasons}".format(reasons=errors)) + + data.update(vars(pending_certificate)) + # Copy relationships, vars doesn't copy this without explicit fields + data['notifications'] = list(pending_certificate.notifications) + data['destinations'] = list(pending_certificate.destinations) + data['sources'] = list(pending_certificate.sources) + data['roles'] = list(pending_certificate.roles) + data['replaces'] = list(pending_certificate.replaces) + data['rotation_policy'] = pending_certificate.rotation_policy + + # Replace external id and chain with the one fetched from source + data['external_id'] = certificate['external_id'] + data['chain'] = certificate['chain'] + creator = user_service.get_by_email(pending_certificate.owner) + if not creator: + # Owner of the pending certificate is not the creator, so use the current user who called + # this as the creator (usually lemur) + creator = user + + if pending_certificate.rename: + # If generating name from certificate, remove the one from pending certificate + del data['name'] + data['creator'] = creator + cert = certificate_service.import_certificate(**data) + database.update(cert) + return cert + + +def increment_attempt(pending_certificate): + """ + Increments pending certificate attempt counter and updates it in the database. + """ + pending_certificate.number_attempts += 1 + database.update(pending_certificate) + return pending_certificate.number_attempts + + +def update(pending_cert_id, **kwargs): + """ + Updates a pending certificate. The allowed fields are validated by + PendingCertificateEditInputSchema. + """ + pending_cert = get(pending_cert_id) + for key, value in kwargs.items(): + setattr(pending_cert, key, value) + return database.update(pending_cert) + + +def cancel(pending_certificate, **kwargs): + """ + Cancel a pending certificate. A check should be done prior to this function to decide to + revoke the certificate or just abort cancelling. + Args: + pending_certificate: PendingCertificate to be cancelled + Returns: the pending certificate if successful, raises Exception if there was an issue + """ + plugin = plugins.get(pending_certificate.authority.plugin_name) + plugin.cancel_ordered_certificate(pending_certificate, **kwargs) + pending_certificate.status = 'Cancelled' + database.update(pending_certificate) + return pending_certificate + + +def render(args): + query = database.session_query(PendingCertificate) + time_range = args.pop('time_range') + destination_id = args.pop('destination_id') + notification_id = args.pop('notification_id', None) + show = args.pop('show') + # owner = args.pop('owner') + # creator = args.pop('creator') # TODO we should enabling filtering by owner + + filt = args.pop('filter') + + if filt: + terms = filt.split(';') + + if 'issuer' in terms: + # we can't rely on issuer being correct in the cert directly so we combine queries + sub_query = database.session_query(Authority.id)\ + .filter(Authority.name.ilike('%{0}%'.format(terms[1])))\ + .subquery() + + query = query.filter( + or_( + PendingCertificate.issuer.ilike('%{0}%'.format(terms[1])), + PendingCertificate.authority_id.in_(sub_query) + ) + ) + + elif 'destination' in terms: + query = query.filter(PendingCertificate.destinations.any(Destination.id == terms[1])) + elif 'notify' in filt: + query = query.filter(PendingCertificate.notify == cast(terms[1], Boolean)) + elif 'active' in filt: + query = query.filter(PendingCertificate.active == terms[1]) + elif 'cn' in terms: + query = query.filter( + or_( + PendingCertificate.cn.ilike('%{0}%'.format(terms[1])), + PendingCertificate.domains.any(Domain.name.ilike('%{0}%'.format(terms[1]))) + ) + ) + elif 'id' in terms: + query = query.filter(PendingCertificate.id == cast(terms[1], Integer)) + else: + query = database.filter(query, PendingCertificate, terms) + + if show: + sub_query = database.session_query(Role.name).filter(Role.user_id == args['user'].id).subquery() + query = query.filter( + or_( + PendingCertificate.user_id == args['user'].id, + PendingCertificate.owner.in_(sub_query) + ) + ) + + if destination_id: + query = query.filter(PendingCertificate.destinations.any(Destination.id == destination_id)) + + if notification_id: + query = query.filter(PendingCertificate.notifications.any(Notification.id == notification_id)) + + if time_range: + to = arrow.now().replace(weeks=+time_range).format('YYYY-MM-DD') + now = arrow.now().format('YYYY-MM-DD') + query = query.filter(PendingCertificate.not_after <= to).filter(PendingCertificate.not_after >= now) + + return database.sort_and_page(query, PendingCertificate, args) diff --git a/lemur/pending_certificates/views.py b/lemur/pending_certificates/views.py new file mode 100644 index 00000000..81b0671e --- /dev/null +++ b/lemur/pending_certificates/views.py @@ -0,0 +1,424 @@ +""" +.. module: lemur.pending_certificates.views + :platform: Unix + :license: Apache, see LICENSE for more details. +.. moduleauthor:: James Chuong +""" +from flask import Blueprint, g, make_response, jsonify +from flask_restful import Api, reqparse + +from lemur.auth.service import AuthenticatedResource +from lemur.auth.permissions import CertificatePermission + +from lemur.common.schema import validate_schema +from lemur.common.utils import paginated_parser + +from lemur.pending_certificates import service +from lemur.roles import service as role_service + +from lemur.pending_certificates.schemas import ( + pending_certificate_output_schema, + pending_certificate_edit_input_schema, + pending_certificate_cancel_schema, +) + +mod = Blueprint('pending_certificates', __name__) +api = Api(mod) + + +class PendingCertificatesList(AuthenticatedResource): + def __init__(self): + self.reqparse = reqparse.RequestParser() + super(PendingCertificatesList, self).__init__() + + @validate_schema(None, pending_certificate_output_schema) + def get(self): + """ + .. http:get:: /pending_certificates + + List of pending certificates + + **Example request**: + + .. sourcecode:: http + + GET /pending_certificates HTTP/1.1 + Host: example.com + Accept: application/json, text/javascript + + **Example response**: + + .. sourcecode:: http + + HTTP/1.1 200 OK + Vary: Accept + Content-Type: text/javascript + + { + "status": null, + "cn": "*.test.example.net", + "chain": "", + "authority": { + "active": true, + "owner": "secure@example.com", + "id": 1, + "description": "verisign test authority", + "name": "verisign" + }, + "owner": "joe@example.com", + "serial": "82311058732025924142789179368889309156", + "id": 2288, + "issuer": "SymantecCorporation", + "notBefore": "2016-06-03T00:00:00+00:00", + "notAfter": "2018-01-12T23:59:59+00:00", + "destinations": [], + "description": null, + "deleted": null, + "notifications": [{ + "id": 1 + }], + "signingAlgorithm": "sha256", + "user": { + "username": "jane", + "active": true, + "email": "jane@example.com", + "id": 2 + }, + "active": true, + "domains": [{ + "sensitive": false, + "id": 1090, + "name": "*.test.example.net" + }], + "rotation": true, + "rotationPolicy": {"name": "default"}, + "replaces": [], + "replaced": [], + "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112", + "roles": [{ + "id": 464, + "description": "This is a google group based role created by Lemur", + "name": "joe@example.com" + }], + "san": null + } + + :reqheader Authorization: OAuth token to authenticate + :statuscode 200: no error + :statuscode 403: unauthenticated + + """ + parser = paginated_parser.copy() + parser.add_argument('timeRange', type=int, dest='time_range', location='args') + parser.add_argument('owner', type=bool, location='args') + parser.add_argument('id', type=str, location='args') + parser.add_argument('active', type=bool, location='args') + parser.add_argument('destinationId', type=int, dest="destination_id", location='args') + parser.add_argument('creator', type=str, location='args') + parser.add_argument('show', type=str, location='args') + args = parser.parse_args() + args['user'] = g.user + return service.render(args) + + +class PendingCertificates(AuthenticatedResource): + def __init__(self): + self.reqparse = reqparse.RequestParser() + super(PendingCertificates, self).__init__() + + @validate_schema(None, pending_certificate_output_schema) + def get(self, pending_certificate_id): + """ + .. http:get:: /pending_certificates/1 + + One pending certificate + + **Example request**: + + .. sourcecode:: http + + GET /pending_certificates/1 HTTP/1.1 + Host: example.com + Accept: application/json, text/javascript + + **Example response**: + + .. sourcecode:: http + + HTTP/1.1 200 OK + Vary: Accept + Content-Type: text/javascript + + { + "status": null, + "cn": "*.test.example.net", + "chain": "", + "authority": { + "active": true, + "owner": "secure@example.com", + "id": 1, + "description": "verisign test authority", + "name": "verisign" + }, + "owner": "joe@example.com", + "serial": "82311058732025924142789179368889309156", + "id": 1, + "issuer": "SymantecCorporation", + "notBefore": "2016-06-03T00:00:00+00:00", + "notAfter": "2018-01-12T23:59:59+00:00", + "destinations": [], + "description": null, + "deleted": null, + "notifications": [{ + "id": 1 + }], + "signingAlgorithm": "sha256", + "user": { + "username": "jane", + "active": true, + "email": "jane@example.com", + "id": 2 + }, + "active": true, + "domains": [{ + "sensitive": false, + "id": 1090, + "name": "*.test.example.net" + }], + "rotation": true, + "rotationPolicy": {"name": "default"}, + "replaces": [], + "replaced": [], + "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112", + "roles": [{ + "id": 464, + "description": "This is a google group based role created by Lemur", + "name": "joe@example.com" + }], + "san": null + } + + :reqheader Authorization: OAuth token to authenticate + :statuscode 200: no error + :statuscode 403: unauthenticated + + """ + return service.get(pending_certificate_id) + + @validate_schema(pending_certificate_edit_input_schema, pending_certificate_output_schema) + def put(self, pending_certificate_id, data=None): + """ + .. http:put:: /pending_certificates/1 + + Update a pending certificate + + **Example request**: + + .. sourcecode:: http + + PUT /pending certificates/1 HTTP/1.1 + Host: example.com + Accept: application/json, text/javascript + + { + "owner": "jimbob@example.com", + "active": false + "notifications": [], + "destinations": [], + "replacements": [] + } + + **Example response**: + + .. sourcecode:: http + + HTTP/1.1 200 OK + Vary: Accept + Content-Type: text/javascript + + { + "status": null, + "cn": "*.test.example.net", + "chain": "", + "authority": { + "active": true, + "owner": "secure@example.com", + "id": 1, + "description": "verisign test authority", + "name": "verisign" + }, + "owner": "joe@example.com", + "serial": "82311058732025924142789179368889309156", + "id": 2288, + "issuer": "SymantecCorporation", + "destinations": [], + "description": null, + "deleted": null, + "notifications": [{ + "id": 1 + }] + "user": { + "username": "jane", + "active": true, + "email": "jane@example.com", + "id": 2 + }, + "active": true, + "number_attempts": 1, + "csr": "-----BEGIN CERTIFICATE REQUEST-----...", + "external_id": 12345, + "domains": [{ + "sensitive": false, + "id": 1090, + "name": "*.test.example.net" + }], + "replaces": [], + "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112", + "roles": [{ + "id": 464, + "description": "This is a google group based role created by Lemur", + "name": "joe@example.com" + }], + "rotation": true, + "rotationPolicy": {"name": "default"}, + } + + :reqheader Authorization: OAuth token to authenticate + :statuscode 200: no error + :statuscode 403: unauthenticated + + """ + pending_cert = service.get(pending_certificate_id) + + if not pending_cert: + return dict(message="Cannot find specified pending certificate"), 404 + + # allow creators + if g.current_user != pending_cert.user: + owner_role = role_service.get_by_name(pending_cert.owner) + permission = CertificatePermission(owner_role, [x.name for x in pending_cert.roles]) + + if not permission.can(): + return dict(message='You are not authorized to update this certificate'), 403 + + for destination in data['destinations']: + if destination.plugin.requires_key: + if not pending_cert.private_key: + return dict( + message='Unable to add destination: {0}. Certificate does not have required private key.'.format( + destination.label + ) + ), 400 + + pending_cert = service.update(pending_certificate_id, **data) + return pending_cert + + @validate_schema(pending_certificate_cancel_schema, None) + def delete(self, pending_certificate_id, data=None): + """ + .. http:delete:: /pending_certificates/1 + + Cancel and delete a pending certificate + + **Example request**: + + .. sourcecode:: http + + DELETE /pending certificates/1 HTTP/1.1 + Host: example.com + Accept: application/json, text/javascript + + { + "note": "Why I am cancelling this order" + } + + **Example response**: + + .. sourcecode:: http + + HTTP/1.1 204 No Content + + :reqheader Authorization: OAuth token to authenticate + :statuscode 204: no error + :statuscode 401: unauthenticated + :statuscode 403: unauthorized + :statuscode 404: pending certificate id not found + :statuscode 500: internal error + """ + pending_cert = service.get(pending_certificate_id) + + if not pending_cert: + return dict(message="Cannot find specified pending certificate"), 404 + + # allow creators + if g.current_user != pending_cert.user: + owner_role = role_service.get_by_name(pending_cert.owner) + permission = CertificatePermission(owner_role, [x.name for x in pending_cert.roles]) + + if not permission.can(): + return dict(message='You are not authorized to update this certificate'), 403 + + if service.cancel(pending_cert, **data): + service.delete(pending_cert) + return('', 204) + else: + # service.cancel raises exception if there was an issue, but this will ensure something + # is relayed to user in case of something unexpected (unsuccessful update somehow). + return dict(message="Unexpected error occurred while trying to cancel this certificate"), 500 + + +class PendingCertificatePrivateKey(AuthenticatedResource): + def __init__(self): + super(PendingCertificatePrivateKey, self).__init__() + + def get(self, pending_certificate_id): + """ + .. http:get:: /pending_certificates/1/key + + Retrieves the private key for a given pneding certificate + + **Example request**: + + .. sourcecode:: http + + GET /pending_certificates/1/key HTTP/1.1 + Host: example.com + Accept: application/json, text/javascript + + **Example response**: + + .. sourcecode:: http + + HTTP/1.1 200 OK + Vary: Accept + Content-Type: text/javascript + + { + "key": "-----BEGIN ..." + } + + :reqheader Authorization: OAuth token to authenticate + :statuscode 200: no error + :statuscode 403: unauthenticated + """ + cert = service.get(pending_certificate_id) + if not cert: + return dict(message="Cannot find specified pending certificate"), 404 + + # allow creators + if g.current_user != cert.user: + owner_role = role_service.get_by_name(cert.owner) + permission = CertificatePermission(owner_role, [x.name for x in cert.roles]) + + if not permission.can(): + return dict(message='You are not authorized to view this key'), 403 + + response = make_response(jsonify(key=cert.private_key), 200) + response.headers['cache-control'] = 'private, max-age=0, no-cache, no-store' + response.headers['pragma'] = 'no-cache' + return response + + +api.add_resource(PendingCertificatesList, '/pending_certificates', endpoint='pending_certificates') +api.add_resource(PendingCertificates, '/pending_certificates/', endpoint='pending_certificate') +api.add_resource(PendingCertificatePrivateKey, '/pending_certificates//key', endpoint='privateKeyPendingCertificates') diff --git a/lemur/plugins/bases/issuer.py b/lemur/plugins/bases/issuer.py index add16a16..1cca60d7 100644 --- a/lemur/plugins/bases/issuer.py +++ b/lemur/plugins/bases/issuer.py @@ -24,3 +24,9 @@ class IssuerPlugin(Plugin): def revoke_certificate(self, certificate, comments): raise NotImplementedError + + def get_ordered_certificate(self, order_id): + raise NotImplementedError + + def cancel_ordered_certificate(self, pending_cert, **kwargs): + raise NotImplementedError diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 16d0b34e..3b0c5355 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -326,6 +326,39 @@ class DigiCertIssuerPlugin(IssuerPlugin): response = self.session.put(create_url, data=json.dumps({'comments': comments})) return handle_response(response) + def get_ordered_certificate(self, order_id): + """ Retrieve a certificate via order id """ + base_url = current_app.config.get('DIGICERT_URL') + try: + certificate_id = get_certificate_id(self.session, base_url, order_id) + except Exception as ex: + return None + certificate_url = "{0}/services/v2/certificate/{1}/download/format/pem_all".format(base_url, certificate_id) + end_entity, intermediate, root = pem.parse(self.session.get(certificate_url).content) + cert = {'body': "\n".join(str(end_entity).splitlines()), + 'chain': "\n".join(str(intermediate).splitlines()), + 'external_id': str(certificate_id)} + return cert + + def cancel_ordered_certificate(self, pending_cert, **kwargs): + """ Set the certificate order to canceled """ + base_url = current_app.config.get('DIGICERT_URL') + api_url = "{0}/services/v2/order/certificate/{1}/status".format(base_url, pending_cert.external_id) + payload = { + 'status': 'CANCELED', + 'note': kwargs.get('note') + } + response = self.session.put(api_url, data=json.dumps(payload)) + if response.status_code == 404: + # not well documented by Digicert, but either the certificate does not exist or we + # don't own that order (someone else's order id!). Either way, we can just ignore it + # and have it removed from Lemur + current_app.logger.warning( + "Digicert Plugin tried to cancel pending certificate {0} but it does not exist!".format(pending_cert.name)) + elif response.status_code != 204: + current_app.logger.debug("{0} code {1}".format(response.status_code, response.content)) + raise Exception("Failed to cancel pending certificate {0}".format(pending_cert.name)) + @staticmethod def create_authority(options): """Create an authority. diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index 5448db9c..dca24892 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -1,6 +1,8 @@ import pytest import arrow import json +from unittest.mock import patch + from freezegun import freeze_time from lemur.tests.vectors import CSR_STR @@ -175,3 +177,22 @@ ghi assert cert == "-----BEGIN CERTIFICATE-----\nabc\n-----END CERTIFICATE-----" assert intermediate == "-----BEGIN CERTIFICATE-----\ndef\n-----END CERTIFICATE-----" + + +@patch("lemur.pending_certificates.models.PendingCertificate") +def test_cancel_ordered_certificate(mock_pending_cert): + import requests_mock + from lemur.plugins.lemur_digicert.plugin import DigiCertIssuerPlugin + + mock_pending_cert.external_id = 1234 + subject = DigiCertIssuerPlugin() + adapter = requests_mock.Adapter() + adapter.register_uri('PUT', 'mock://www.digicert.com/services/v2/order/certificate/1234/status', status_code=204) + adapter.register_uri('PUT', 'mock://www.digicert.com/services/v2/order/certificate/111/status', status_code=404) + subject.session.mount('mock', adapter) + data = {'note': 'Test'} + subject.cancel_ordered_certificate(mock_pending_cert, **data) + + # A non-existing order id, does not raise exception because if it doesn't exist, then it doesn't matter + mock_pending_cert.external_id = 111 + subject.cancel_ordered_certificate(mock_pending_cert, **data) diff --git a/lemur/roles/models.py b/lemur/roles/models.py index 3ecd9188..21a40be2 100644 --- a/lemur/roles/models.py +++ b/lemur/roles/models.py @@ -14,7 +14,8 @@ from sqlalchemy import Boolean, Column, Integer, String, Text, ForeignKey from lemur.database import db from lemur.utils import Vault -from lemur.models import roles_users, roles_authorities, roles_certificates +from lemur.models import roles_users, roles_authorities, roles_certificates, \ + pending_cert_role_associations class Role(db.Model): @@ -30,6 +31,7 @@ class Role(db.Model): third_party = Column(Boolean) users = relationship("User", secondary=roles_users, passive_deletes=True, backref="role") certificates = relationship("Certificate", secondary=roles_certificates, backref="role") + pending_certificates = relationship("PendingCertificate", secondary=pending_cert_role_associations, backref="role") sensitive_fields = ('password',) diff --git a/lemur/static/app/angular/pending_certificates/pending_certificate/cancel.tpl.html b/lemur/static/app/angular/pending_certificates/pending_certificate/cancel.tpl.html new file mode 100644 index 00000000..4b6b12fc --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/pending_certificate/cancel.tpl.html @@ -0,0 +1,25 @@ +
+ +

Cancel {{ pendingCertificate.name }}

+
+
+
+
+ +
+ +

You must give a + reason for cancelling a pending certificate order.

+
+
+
+
+ + +
diff --git a/lemur/static/app/angular/pending_certificates/pending_certificate/destinations.tpl.html b/lemur/static/app/angular/pending_certificates/pending_certificate/destinations.tpl.html new file mode 100644 index 00000000..5f497ccd --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/pending_certificate/destinations.tpl.html @@ -0,0 +1,29 @@ +
+ +
+
+ + + + +
+ + + + + + +
{{ destination.label }}{{ destination.description }} + +
+
+
diff --git a/lemur/static/app/angular/pending_certificates/pending_certificate/edit.tpl.html b/lemur/static/app/angular/pending_certificates/pending_certificate/edit.tpl.html new file mode 100644 index 00000000..a1063b18 --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/pending_certificate/edit.tpl.html @@ -0,0 +1,50 @@ +
+ +

Edit {{ pendingCertificate.name }}

+
+
+
+
+ +
+ + +

Enter a valid + email.

+
+
+
+ +
+ +

You must give a + short description about this authority will be used for, this description should only include alphanumeric + characters

+
+
+
+ +
+
+
+
+ +
+
+
+
+ + +
diff --git a/lemur/static/app/angular/pending_certificates/pending_certificate/notifications.tpl.html b/lemur/static/app/angular/pending_certificates/pending_certificate/notifications.tpl.html new file mode 100644 index 00000000..8750719e --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/pending_certificate/notifications.tpl.html @@ -0,0 +1,28 @@ +
+ +
+
+ + + + +
+ + + + + + +
{{ notification.label }}{{ notification.description }} + +
+
+
diff --git a/lemur/static/app/angular/pending_certificates/pending_certificate/pending_certificate.js b/lemur/static/app/angular/pending_certificates/pending_certificate/pending_certificate.js new file mode 100644 index 00000000..997a206f --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/pending_certificate/pending_certificate.js @@ -0,0 +1,72 @@ +'use strict'; + +angular.module('lemur') +.controller('PendingCertificateEditController', function ($scope, $uibModalInstance, PendingCertificateApi, PendingCertificateService, CertificateService, DestinationService, NotificationService, toaster, editId) { + PendingCertificateApi.get(editId).then(function (pendingCertificate) { + $scope.pendingCertificate = pendingCertificate; + }); + + $scope.cancel = function () { + $uibModalInstance.dismiss('cancel'); + }; + + $scope.save = function (pendingCertificate) { + PendingCertificateService.update(pendingCertificate).then( + function () { + toaster.pop({ + type: 'success', + title: pendingCertificate.name, + body: 'Successfully updated!' + }); + $uibModalInstance.close(); + }, + function (response) { + toaster.pop({ + type: 'error', + title: pendingCertificate.name, + body: 'lemur-bad-request', + bodyOutputType: 'directive', + directiveData: response.data, + timeout: 100000 + }); + }); + }; + + $scope.pendingCertificateService = PendingCertificateService; + $scope.certificateService = CertificateService; + $scope.destinationService = DestinationService; + $scope.notificationService = NotificationService; +}) +.controller('PendingCertificateCancelController', function ($scope, $uibModalInstance, PendingCertificateApi, PendingCertificateService, toaster, cancelId) { + PendingCertificateApi.get(cancelId).then(function (pendingCertificate) { + $scope.pendingCertificate = pendingCertificate; + }); + + $scope.exit = function () { + $uibModalInstance.dismiss('cancel'); + }; + + $scope.cancel = function (pendingCertificate, cancelOptions) { + PendingCertificateService.cancel(pendingCertificate, cancelOptions).then( + function () { + toaster.pop({ + type: 'success', + title: pendingCertificate.name, + body: 'Successfully cancelled pending certificate!' + }); + $uibModalInstance.close(); + }, + function (response) { + toaster.pop({ + type: 'error', + title: pendingCertificate.name, + body: 'lemur-bad-request', + bodyOutputType: 'directive', + directiveData: response.data, + timeout: 100000 + }); + }); + }; + + +}); diff --git a/lemur/static/app/angular/pending_certificates/pending_certificate/replaces.tpl.html b/lemur/static/app/angular/pending_certificates/pending_certificate/replaces.tpl.html new file mode 100644 index 00000000..2ae8ff78 --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/pending_certificate/replaces.tpl.html @@ -0,0 +1,28 @@ +
+ +
+
+ + + + +
+ + + + + + +
{{ replaces.name }}{{ replaces.description }} + +
+
+
diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js new file mode 100644 index 00000000..32b335ac --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -0,0 +1,249 @@ +'use strict'; + +angular.module('lemur') + .service('PendingCertificateApi', function (LemurRestangular, DomainService) { + LemurRestangular.extendModel('pending_certificates', function (obj) { + return angular.extend(obj, { + attachRole: function (role) { + this.selectedRole = null; + if (this.roles === undefined) { + this.roles = []; + } + this.roles.push(role); + }, + removeRole: function (index) { + this.roles.splice(index, 1); + }, + attachAuthority: function (authority) { + this.authority = authority; + this.authority.maxDate = moment(this.authority.notAfter).subtract(1, 'days').format('YYYY/MM/DD'); + }, + attachSubAltName: function () { + if (this.extensions === undefined) { + this.extensions = {}; + } + + if (this.extensions.subAltNames === undefined) { + this.extensions.subAltNames = {'names': []}; + } + + if (!angular.isString(this.subAltType)) { + this.subAltType = 'DNSName'; + } + + if (angular.isString(this.subAltValue) && angular.isString(this.subAltType)) { + this.extensions.subAltNames.names.push({'nameType': this.subAltType, 'value': this.subAltValue}); + //this.findDuplicates(); + } + + this.subAltType = null; + this.subAltValue = null; + }, + removeSubAltName: function (index) { + this.extensions.subAltNames.names.splice(index, 1); + //this.findDuplicates(); + }, + attachCustom: function () { + if (this.extensions === undefined) { + this.extensions = {}; + } + + if (this.extensions.custom === undefined) { + this.extensions.custom = []; + } + + if (angular.isString(this.customOid) && angular.isString(this.customEncoding) && angular.isString(this.customValue)) { + this.extensions.custom.push( + { + 'oid': this.customOid, + 'isCritical': this.customIsCritical || false, + 'encoding': this.customEncoding, + 'value': this.customValue + } + ); + } + + this.customOid = null; + this.customIsCritical = null; + this.customEncoding = null; + this.customValue = null; + }, + removeCustom: function (index) { + this.extensions.custom.splice(index, 1); + }, + attachDestination: function (destination) { + this.selectedDestination = null; + if (this.destinations === undefined) { + this.destinations = []; + } + this.destinations.push(destination); + }, + removeDestination: function (index) { + this.destinations.splice(index, 1); + }, + attachReplaces: function (replaces) { + this.selectedReplaces = null; + if (this.replaces === undefined) { + this.replaces = []; + } + this.replaces.push(replaces); + }, + removeReplaces: function (index) { + this.replaces.splice(index, 1); + }, + attachNotification: function (notification) { + this.selectedNotification = null; + if (this.notifications === undefined) { + this.notifications = []; + } + this.notifications.push(notification); + }, + removeNotification: function (index) { + this.notifications.splice(index, 1); + }, + findDuplicates: function () { + DomainService.findDomainByName(this.extensions.subAltNames[0]).then(function (domains) { //We should do a better job of searching for multiple domains + this.duplicates = domains.total; + }); + }, + useTemplate: function () { + if (this.extensions === undefined) { + this.extensions = {}; + } + + if (this.extensions.subAltNames === undefined) { + this.extensions.subAltNames = {'names': []}; + } + + var saveSubAltNames = this.extensions.subAltNames; + this.extensions = this.template.extensions; + this.extensions.subAltNames = saveSubAltNames; + }, + setEncipherOrDecipher: function (value) { + if (this.extensions === undefined) { + this.extensions = {}; + } + if (this.extensions.keyUsage === undefined) { + this.extensions.keyUsage = {}; + } + var existingValue = this.extensions.keyUsage[value]; + if (existingValue) { + // Clicked on the already-selected value + this.extensions.keyUsage.useDecipherOnly = false; + this.extensions.keyUsage.useEncipherOnly = false; + // Uncheck both radio buttons + this.encipherOrDecipher = false; + } else { + // Clicked a different value + this.extensions.keyUsage.useKeyAgreement = true; + if (value === 'useEncipherOnly') { + this.extensions.keyUsage.useDecipherOnly = false; + this.extensions.keyUsage.useEncipherOnly = true; + } else { + this.extensions.keyUsage.useEncipherOnly = false; + this.extensions.keyUsage.useDecipherOnly = true; + } + } + } + }); + }); + return LemurRestangular.all('pending_certificates'); + }) + .service('PendingCertificateService', function ($location, PendingCertificateApi, AuthorityService, AuthorityApi, LemurRestangular, DefaultService) { + var PendingCertificateService = this; + PendingCertificateService.findPendingCertificatesByName = function (filterValue) { + return PendingCertificateApi.getList({'filter[name]': filterValue}) + .then(function (pendingCertificates) { + return pendingCertificates; + }); + }; + + PendingCertificateService.update = function (pendingCertificate) { + return LemurRestangular.copy(pendingCertificate).put(); + }; + + PendingCertificateService.getAuthority = function (certificate) { + return certificate.customGET('authority').then(function (authority) { + certificate.authority = authority; + }); + }; + + PendingCertificateService.getCreator = function (certificate) { + return certificate.customGET('creator').then(function (creator) { + certificate.creator = creator; + }); + }; + + PendingCertificateService.getDestinations = function (certificate) { + return certificate.getList('destinations').then(function (destinations) { + certificate.destinations = destinations; + }); + }; + + PendingCertificateService.getNotifications = function (certificate) { + return certificate.getList('notifications').then(function (notifications) { + certificate.notifications = notifications; + }); + }; + + PendingCertificateService.getDomains = function (certificate) { + return certificate.getList('domains').then(function (domains) { + certificate.domains = domains; + }); + }; + + PendingCertificateService.getReplaces = function (certificate) { + return certificate.getList('replaces').then(function (replaces) { + certificate.replaces = replaces; + }); + }; + + PendingCertificateService.getDefaults = function (certificate) { + return DefaultService.get().then(function (defaults) { + if (!certificate.country) { + certificate.country = defaults.country; + } + + if (!certificate.state) { + certificate.state = defaults.state; + } + + if (!certificate.location) { + certificate.location = defaults.location; + } + + if (!certificate.organization) { + certificate.organization = defaults.organization; + } + + if (!certificate.organizationalUnit) { + certificate.organizationalUnit = defaults.organizationalUnit; + } + + if (!certificate.authority) { + if (!defaults.authority) { + // set the default authority + AuthorityApi.getList().then(function(authorities) { + certificate.authority = authorities[0]; + }); + } else { + certificate.authority = defaults.authority; + } + } + }); + }; + + PendingCertificateService.loadPrivateKey = function (certificate) { + return certificate.customGET('key'); + }; + + PendingCertificateService.updateNotify = function (certificate) { + return certificate.put(); + }; + + PendingCertificateService.cancel = function (pending_certificate, options) { + return pending_certificate.customOperation('remove', null, {}, {'Content-Type': 'application/json'}, options); + }; + + return PendingCertificateService; + }); diff --git a/lemur/static/app/angular/pending_certificates/view/view.js b/lemur/static/app/angular/pending_certificates/view/view.js new file mode 100644 index 00000000..9ada8845 --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/view/view.js @@ -0,0 +1,102 @@ +'use strict'; + +angular.module('lemur') + + .config(function config($stateProvider) { + $stateProvider + .state('pending_certificates', { + url: '/pending_certificates', + templateUrl: '/angular/pending_certificates/view/view.tpl.html', + controller: 'PendingCertificatesViewController' + }) + .state('pending_certificate', { + url: '/pending_certificates/:name', + templateUrl: '/angular/pending_certificates/view/view.tpl.html', + controller: 'PendingCertificatesViewController' + }); + }) + + .controller('PendingCertificatesViewController', function ($q, $scope, $uibModal, $stateParams, PendingCertificateApi, PendingCertificateService, ngTableParams, toaster) { + $scope.filter = $stateParams; + $scope.pendingCertificateTable = new ngTableParams({ + page: 1, // show first page + count: 10, // count per page + sorting: { + id: 'desc' // initial sorting + }, + filter: $scope.filter + }, { + total: 0, // length of data + getData: function ($defer, params) { + PendingCertificateApi.getList(params.url()) + .then(function (data) { + params.total(data.total); + $defer.resolve(data); + }); + } + }); + + $scope.edit = function (pendingCertificateId) { + var uibModalInstance = $uibModal.open({ + animation: true, + controller: 'PendingCertificateEditController', + templateUrl: '/angular/pending_certificates/pending_certificate/edit.tpl.html', + size: 'lg', + backdrop: 'static', + resolve: { + editId: function () { + return pendingCertificateId; + } + } + }); + + uibModalInstance.result.then(function () { + $scope.pendingCertificateTable.reload(); + }); + }; + + $scope.loadPrivateKey = function (pendingCertificate) { + if (pendingCertificate.privateKey !== undefined) { + return; + } + + PendingCertificateService.loadPrivateKey(pendingCertificate).then( + function (response) { + if (response.key === null) { + toaster.pop({ + type: 'warning', + title: pendingCertificate.name, + body: 'No private key found!' + }); + } else { + pendingCertificate.privateKey = response.key; + } + }, + function () { + toaster.pop({ + type: 'error', + title: pendingCertificate.name, + body: 'You do not have permission to view this key!', + timeout: 100000 + }); + }); + }; + + $scope.cancel = function (pendingCertificateId) { + var uibModalInstance = $uibModal.open({ + animation: true, + controller: 'PendingCertificateCancelController', + templateUrl: '/angular/pending_certificates/pending_certificate/cancel.tpl.html', + size: 'lg', + backdrop: 'static', + resolve: { + cancelId: function () { + return pendingCertificateId; + } + } + }); + uibModalInstance.result.then(function () { + $scope.pendingCertificateTable.reload(); + }); + }; + }); diff --git a/lemur/static/app/angular/pending_certificates/view/view.tpl.html b/lemur/static/app/angular/pending_certificates/view/view.tpl.html new file mode 100644 index 00000000..8aaf9f47 --- /dev/null +++ b/lemur/static/app/angular/pending_certificates/view/view.tpl.html @@ -0,0 +1,182 @@ +
+
+

Pending Certificates + Certificates that almost made it

+
+
+
+ +
+ +
+
+
+ + + + + + + + + + + + + + +
+ {{ pendingCertificate.id }} + +
    +
  • {{ pendingCertificate.name }}
    • +
  • {{ pendingCertificate.owner }}
    • +
+ 		+
+ +
+ 		+ {{ pendingCertificate.authority.name || pendingCertificate.issuer }} + + {{ pendingCertificate.cn }} + +
+ Permalink + +
+ + +
+
+
+ + + Basic Info +
    +
  • + Creator + + {{ pendingCertificate.user.email }} + +
    • +
  • + Owner + + {{ pendingCertificate.owner }} + +
    • +
  • + Number of Attempts to Fetch + + {{ pendingCertificate.numberAttempts }} + +
    • +
  • + Date Created + + {{ pendingCertificate.dateCreated | date:'yyyy-MM-dd HH:mm:ss Z' }} + +
    • + +
  • + Description +

    {{ pendingCertificate.description }}

    +
    • +
+ + + Endpoints +
    +
  • + +
      +
    • {{ endpoint.name }}
      • +
    • {{ endpoint.dnsname }}
      • +
    +
    • +
+ + + Notifications +
    +
  • + {{ notification.label }} + {{ notification.description}} +
    • +
+ + + Roles +
    +
  • + {{ role.name }} + {{ role.description}} +
    • +
+ + + Destinations +
    +
  • + {{ destination.label }} + {{ destination.description }} +
    • +
+ + + Domains +
+ {{ domain.name }} +
+ + + Replaces +
    +
  • + {{ replaces.name }} +

    {{ replaces.description }}

    +
    • +
+ + + + + + Chain + + + 
{{ pendingCertificate.chain }}
+ + + + Certificate Signing Request + + + 
{{ pendingCertificate.csr }}
+ + + + Private Key + + + 
{{ pendingCertificate.privateKey }}
+ + +
+
+
+
+
diff --git a/lemur/static/app/index.html b/lemur/static/app/index.html index 010b1b4b..0320ea69 100644 --- a/lemur/static/app/index.html +++ b/lemur/static/app/index.html @@ -50,6 +50,7 @@
  • Dashboard
  • Certificates
    • +
  • Pending Certificates
  • Authorities
  • Endpoints
  • Notifications
    • diff --git a/lemur/tests/conftest.py b/lemur/tests/conftest.py index c0a3149e..69b33a9f 100644 --- a/lemur/tests/conftest.py +++ b/lemur/tests/conftest.py @@ -14,7 +14,8 @@ from lemur.auth.service import create_token from lemur.tests.vectors import PRIVATE_KEY_STR from .factories import ApiKeyFactory, AuthorityFactory, NotificationFactory, DestinationFactory, \ - CertificateFactory, UserFactory, RoleFactory, SourceFactory, EndpointFactory, RotationPolicyFactory + CertificateFactory, UserFactory, RoleFactory, SourceFactory, EndpointFactory, \ + RotationPolicyFactory, PendingCertificateFactory, AsyncAuthorityFactory def pytest_runtest_setup(item): @@ -90,6 +91,13 @@ def authority(session): return a +@pytest.fixture +def async_authority(session): + a = AsyncAuthorityFactory() + session.commit() + return a + + @pytest.fixture def destination(session): d = DestinationFactory() @@ -144,6 +152,15 @@ def user(session): return {'user': u, 'token': token} +@pytest.fixture +def pending_certificate(session): + u = UserFactory() + a = AsyncAuthorityFactory() + p = PendingCertificateFactory(user=u, authority=a) + session.commit() + return p + + @pytest.fixture def admin_user(session): u = UserFactory() @@ -155,6 +172,14 @@ def admin_user(session): return {'user': u, 'token': token} +@pytest.fixture +def async_issuer_plugin(): + from lemur.plugins.base import register + from .plugins.issuer_plugin import TestAsyncIssuerPlugin + register(TestAsyncIssuerPlugin) + return TestAsyncIssuerPlugin + + @pytest.fixture def issuer_plugin(): from lemur.plugins.base import register diff --git a/lemur/tests/factories.py b/lemur/tests/factories.py index 50570c09..815c958d 100644 --- a/lemur/tests/factories.py +++ b/lemur/tests/factories.py @@ -12,13 +12,14 @@ from lemur.certificates.models import Certificate from lemur.destinations.models import Destination from lemur.sources.models import Source from lemur.notifications.models import Notification +from lemur.pending_certificates.models import PendingCertificate from lemur.users.models import User from lemur.roles.models import Role from lemur.endpoints.models import Policy, Endpoint from lemur.policies.models import RotationPolicy from lemur.api_keys.models import ApiKey -from .vectors import INTERNAL_VALID_SAN_STR, PRIVATE_KEY_STR +from .vectors import INTERNAL_VALID_SAN_STR, PRIVATE_KEY_STR, CSR_STR class BaseFactory(SQLAlchemyModelFactory): @@ -140,6 +141,15 @@ class AuthorityFactory(BaseFactory): self.roles.append(role) +class AsyncAuthorityFactory(AuthorityFactory): + """Async Authority factory.""" + name = Sequence(lambda n: 'authority{0}'.format(n)) + owner = 'joe@example.com' + plugin = {'slug': 'test-issuer-async'} + description = FuzzyText(length=128) + authority_certificate = SubFactory(CertificateFactory) + + class RotationPolicyFactory(BaseFactory): """Rotation Factory.""" name = Sequence(lambda n: 'policy{0}'.format(n)) @@ -204,6 +214,7 @@ class UserFactory(BaseFactory): email = Sequence(lambda n: 'user{0}@example.com'.format(n)) active = True password = FuzzyText(length=24) + certificates = [] class Meta: """Factory Configuration.""" @@ -281,3 +292,93 @@ class ApiKeyFactory(BaseFactory): if extracted: self.userId = extracted.id + + +class PendingCertificateFactory(BaseFactory): + """PendingCertificate factory.""" + name = Sequence(lambda n: 'pending_certificate{0}'.format(n)) + external_id = 12345 + csr = CSR_STR + chain = INTERNAL_VALID_SAN_STR + private_key = PRIVATE_KEY_STR + owner = 'joe@example.com' + status = FuzzyChoice(['valid', 'revoked', 'unknown']) + deleted = False + description = FuzzyText(length=128) + date_created = FuzzyDate(date(2016, 1, 1), date(2020, 1, 1)) + number_attempts = 0 + rename = False + + class Meta: + """Factory Configuration.""" + model = PendingCertificate + + @post_generation + def user(self, create, extracted, **kwargs): + if not create: + return + + if extracted: + self.user_id = extracted.id + + @post_generation + def authority(self, create, extracted, **kwargs): + if not create: + return + + if extracted: + self.authority_id = extracted.id + + @post_generation + def notifications(self, create, extracted, **kwargs): + if not create: + return + + if extracted: + for notification in extracted: + self.notifications.append(notification) + + @post_generation + def destinations(self, create, extracted, **kwargs): + if not create: + return + + if extracted: + for destination in extracted: + self.destintations.append(destination) + + @post_generation + def replaces(self, create, extracted, **kwargs): + if not create: + return + + if extracted: + for replace in extracted: + self.replaces.append(replace) + + @post_generation + def sources(self, create, extracted, **kwargs): + if not create: + return + + if extracted: + for source in extracted: + self.sources.append(source) + + @post_generation + def domains(self, create, extracted, **kwargs): + if not create: + return + + if extracted: + for domain in extracted: + self.domains.append(domain) + + @post_generation + def roles(self, create, extracted, **kwargs): + if not create: + return + + if extracted: + for domain in extracted: + self.roles.append(domain) diff --git a/lemur/tests/plugins/issuer_plugin.py b/lemur/tests/plugins/issuer_plugin.py index c131de2e..ee760954 100644 --- a/lemur/tests/plugins/issuer_plugin.py +++ b/lemur/tests/plugins/issuer_plugin.py @@ -21,3 +21,29 @@ class TestIssuerPlugin(IssuerPlugin): def create_authority(options): role = {'username': '', 'password': '', 'name': 'test'} return INTERNAL_VALID_SAN_STR, "", [role] + + +class TestAsyncIssuerPlugin(IssuerPlugin): + title = 'Test Async' + slug = 'test-issuer-async' + description = 'Enables testing with pending certificates' + + author = 'James Chuong' + author_url = 'https://github.com/jchuong' + + def __init__(self, *args, **kwargs): + super(TestAsyncIssuerPlugin, self).__init__(*args, **kwargs) + + def create_certificate(self, csr, issuer_options): + return "", "", 12345 + + def get_ordered_certificate(self, order_id): + return INTERNAL_VALID_LONG_STR, INTERNAL_VALID_SAN_STR, 54321 + + @staticmethod + def create_authority(options): + role = {'username': '', 'password': '', 'name': 'test'} + return INTERNAL_VALID_SAN_STR, "", [role] + + def cancel_ordered_certificate(self, pending_certificate, **kwargs): + return True diff --git a/lemur/tests/test_certificates.py b/lemur/tests/test_certificates.py index 6cba8b78..f2b1f7e9 100644 --- a/lemur/tests/test_certificates.py +++ b/lemur/tests/test_certificates.py @@ -436,7 +436,7 @@ def test_get_account_number(client): def test_mint_certificate(issuer_plugin, authority): from lemur.certificates.service import mint - cert_body, private_key, chain, external_id = mint(authority=authority, csr=CSR_STR) + cert_body, private_key, chain, external_id, csr = mint(authority=authority, csr=CSR_STR) assert cert_body == INTERNAL_VALID_LONG_STR, INTERNAL_VALID_SAN_STR diff --git a/lemur/tests/test_pending_certificates.py b/lemur/tests/test_pending_certificates.py new file mode 100644 index 00000000..c90ecb35 --- /dev/null +++ b/lemur/tests/test_pending_certificates.py @@ -0,0 +1,51 @@ +import json + +import pytest + +from .vectors import CSR_STR, INTERNAL_VALID_LONG_STR, VALID_ADMIN_API_TOKEN, VALID_ADMIN_HEADER_TOKEN, VALID_USER_HEADER_TOKEN + +from lemur.pending_certificates.views import * # noqa + + +def test_increment_attempt(pending_certificate): + from lemur.pending_certificates.service import increment_attempt + initial_attempt = pending_certificate.number_attempts + attempts = increment_attempt(pending_certificate) + assert attempts == initial_attempt + 1 + + +def test_create_pending_certificate(async_issuer_plugin, async_authority, user): + from lemur.certificates.service import create + pending_cert = create(authority=async_authority, csr=CSR_STR, owner='joe@example.com', creator=user['user'], common_name='ACommonName') + assert pending_cert.external_id == '12345' + + +def test_create_pending(pending_certificate, user, session): + import copy + from lemur.pending_certificates.service import create_certificate, get + cert = {'body': INTERNAL_VALID_LONG_STR, + 'chain': None, + 'external_id': 54321} + + # Weird copy because the session behavior. pending_certificate is a valid object but the + # return of vars(pending_certificate) is a sessionobject, and so nothing from the pending_cert + # is used to create the certificate. Maybe a bug due to using vars(), and should copy every + # field explicitly. + pending_certificate = copy.copy(get(pending_certificate.id)) + real_cert = create_certificate(pending_certificate, cert, user['user']) + assert real_cert.owner == pending_certificate.owner + assert real_cert.notify == pending_certificate.notify + assert real_cert.private_key == pending_certificate.private_key + assert real_cert.external_id == '54321' + + +@pytest.mark.parametrize("token,status", [ + (VALID_USER_HEADER_TOKEN, 403), + (VALID_ADMIN_HEADER_TOKEN, 204), + (VALID_ADMIN_API_TOKEN, 204), + ('', 401) +]) +def test_pending_cancel(client, pending_certificate, token, status): + assert client.delete(api.url_for(PendingCertificates, pending_certificate_id=pending_certificate.id), + data=json.dumps({'note': "unit test", 'send_email': False}), + headers=token).status_code == status diff --git a/lemur/users/models.py b/lemur/users/models.py index 16d4eda1..35197f9b 100644 --- a/lemur/users/models.py +++ b/lemur/users/models.py @@ -43,6 +43,7 @@ class User(db.Model): profile_picture = Column(String(255)) roles = relationship('Role', secondary=roles_users, passive_deletes=True, backref=db.backref('user'), lazy='dynamic') certificates = relationship('Certificate', backref=db.backref('user'), lazy='dynamic') + pending_certificates = relationship('PendingCertificate', backref=db.backref('user'), lazy='dynamic') authorities = relationship('Authority', backref=db.backref('user'), lazy='dynamic') keys = relationship('ApiKey', backref=db.backref('user'), lazy='dynamic') logs = relationship('Log', backref=db.backref('user'), lazy='dynamic')