From d5ae45a0d0e6f07297c7b26c81fb4b88bfbd6c51 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Tue, 14 Jul 2020 17:35:13 -0700 Subject: [PATCH 001/141] Let's Encrypt has been using a cross-signed intermediate CA by DST Root CA X3, which is included in any older devices' TrustStore. https://letsencrypt.org/certificates/ Let's Encrypt is transitioning to use the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html This PR allows Lemur to pin to the cross-signed ICA (same public/private key pair as the ICA signed by ISRG X1). This will prolong support for incompatible systems. --- lemur/plugins/lemur_acme/plugin.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 3fc1df61..16d61a0f 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py @@ -205,9 +205,15 @@ class AcmeHandler(object): OpenSSL.crypto.FILETYPE_PEM, orderr.fullchain_pem ), ).decode() - pem_certificate_chain = orderr.fullchain_pem[ - len(pem_certificate) : # noqa - ].lstrip() + + if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \ + and datetime.datetime.now() < datetime.datetime.strptime( + current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): + pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA") + else: + pem_certificate_chain = orderr.fullchain_pem[ + len(pem_certificate) : # noqa + ].lstrip() current_app.logger.debug( "{0} {1}".format(type(pem_certificate), type(pem_certificate_chain)) From 231796780256b91cf29e78c19909252ea234fe65 Mon Sep 17 00:00:00 2001 
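Review bot: When `IDENTRUST_CROSS_SIGNED_LE_ICA` is set and the date gate passes, the chain returned by the ACME server is discarded and the configured PEM is used in its place without checking that the pinned intermediate actually issued `pem_certificate`, so if the issuing intermediate changes before the configured expiration date every new certificate gets a chain that will not verify. Comparing the leaf's issuer to the pinned certificate's subject (the file already uses `OpenSSL.crypto`) and falling back to `orderr.fullchain_pem` with a logged warning on mismatch would keep the pin safe. The gate also compares naive `datetime.datetime.now()` with a day-granular date, and a malformed `IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE` surfaces as a `ValueError` from `strptime` in the middle of issuance rather than as a configuration error. The enclosing `request_certificate` method starts and ends outside the hunk.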
From: Hossein Shafagh Date: Wed, 15 Jul 2020 17:04:49 -0700 Subject: [PATCH 002/141] lack of an empty config file was resulting into this error ``` Traceback (most recent call last): File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/tests/test_acme.py", line 159, in test_request_certificate self.acme.request_certificate(mock_acme, [], mock_order) File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/plugin.py", line 211, in request_certificate current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): TypeError: strptime() argument 1 must be str, not MagicMock ``` --- lemur/plugins/lemur_acme/tests/test_acme.py | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/plugins/lemur_acme/tests/test_acme.py b/lemur/plugins/lemur_acme/tests/test_acme.py index 94949a74..8320a2de 100644 --- a/lemur/plugins/lemur_acme/tests/test_acme.py +++ b/lemur/plugins/lemur_acme/tests/test_acme.py @@ -156,6 +156,7 @@ class TestAcme(unittest.TestCase): mock_acme.fetch_chain = Mock(return_value="mock_chain") mock_crypto.dump_certificate = Mock(return_value=b"chain") mock_order = Mock() + mock_current_app.config = {} self.acme.request_certificate(mock_acme, [], mock_order) def test_setup_acme_client_fail(self): From 4752e1047234c99f8334e7a8c2ceaa4efee9fd01 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 27 Jul 2020 18:40:59 +0000 Subject: [PATCH 003/141] Bump cryptography from 2.9.2 to 3.0 Bumps [cryptography](https://github.com/pyca/cryptography) from 2.9.2 to 3.0. - [Release notes](https://github.com/pyca/cryptography/releases) - [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/2.9.2...3.0) 
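Review bot: `mock_current_app.config = {}` only drives the `else` branch of the new pinning logic in `request_certificate`; there is no case with `IDENTRUST_CROSS_SIGNED_LE_ICA` set, so the date gate and the chain substitution have no test. A second case that sets `IDENTRUST_CROSS_SIGNED_LE_ICA` to a constructed PEM and `IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE` to a future `dd/mm/yy` value, then asserts the pinned chain is used, would cover the branch the previous commit introduced (how the chain is observable from the test depends on what `request_certificate` returns, which is outside this hunk). The enclosing `test_request_certificate` starts outside the hunk.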
Signed-off-by: dependabot-preview[bot]
---
 requirements-dev.txt | 2 +-
 requirements-docs.txt | 2 +-
 requirements-tests.txt | 2 +-
 requirements.txt | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 6c8df1e4..2299848e 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -11,7 +11,7 @@ cffi==1.14.0 # via cryptography
 cfgv==3.1.0 # via pre-commit
 chardet==3.0.4 # via requests
 colorama==0.4.3 # via twine
-cryptography==2.9.2 # via secretstorage
+cryptography==3.0 # via secretstorage
 distlib==0.3.0 # via virtualenv
 docutils==0.16 # via readme-renderer
 filelock==3.0.12 # via virtualenv
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 32ffc73e..4f70314f 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -26,7 +26,7 @@ cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynac
 chardet==3.0.4 # via -r requirements.txt, requests
 click==7.1.1 # via -r requirements.txt, flask
 cloudflare==2.8.8 # via -r requirements.txt
-cryptography==2.9.2 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests
+cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests
 dnspython3==1.15.0 # via -r requirements.txt
 dnspython==1.15.0 # via -r requirements.txt, dnspython3
 docutils==0.15.2 # via -r requirements.txt, botocore, sphinx
diff --git a/requirements-tests.txt b/requirements-tests.txt
index d6e149cc..cd625630 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -19,7 +19,7 @@ cfn-lint==0.29.5 # via moto
 chardet==3.0.4 # via requests
 click==7.1.1 # via black, flask
 coverage==5.2.1 # via -r requirements-tests.in
-cryptography==2.9.2 # via moto, sshpubkeys
+cryptography==3.0 # via moto, sshpubkeys
 decorator==4.4.2 # via networkx
 docker==4.2.0 # via moto
 docutils==0.15.2 # via botocore
diff --git a/requirements.txt b/requirements.txt
index afb04ddb..a57f6205 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -24,7 +24,7 @@ cffi==1.14.0 # via bcrypt, cryptography, pynacl
 chardet==3.0.4 # via requests
 click==7.1.1 # via flask
 cloudflare==2.8.8 # via -r requirements.in
-cryptography==2.9.2 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests
+cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests
 dnspython3==1.15.0 # via -r requirements.in
 dnspython==1.15.0 # via dnspython3
 docutils==0.15.2 # via botocore
From e7c684724abbb00c072d88a67afb9df6e447765e Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Fri, 31 Jul 2020 17:54:18 -0700
Subject: [PATCH 004/141] fixing Dockerfile, Lemur builds now
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index fc83a034..a7f8c878 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,7 @@ RUN apt-get install -y make software-properties-common curl
 RUN curl -sL https://deb.nodesource.com/setup_7.x | bash -
 RUN apt-get update
 RUN apt-get install -y npm libldap2-dev libsasl2-dev libldap2-dev libssl-dev
+RUN pip install pip==20.0.2
 RUN pip install -U setuptools
 RUN pip install coveralls bandit
 WORKDIR /app
From 57e06cf1db7aed6d1062fbfffa2bc7435331a3c6 Mon Sep 17 00:00:00 2001
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date: Mon, 3 Aug 2020 13:36:46 +0000
Subject: [PATCH 005/141] Bump pytest from 5.4.3 to 6.0.1
Bumps [pytest](https://github.com/pytest-dev/pytest) from 5.4.3 to 6.0.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/5.4.3...6.0.1)
Signed-off-by: dependabot-preview[bot]
---
 requirements-tests.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/requirements-tests.txt b/requirements-tests.txt
index cd625630..3d5c4318 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
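Review bot: `RUN pip install pip==20.0.2` pins pip to one specific release with no comment on why, so the next person tidying the Dockerfile will read it as an arbitrary downgrade and remove it; a one-line why-comment above it, e.g. `# pin pip: the image build breaks with newer pip releases (see commit message)`, records the constraint. Since the commit message only says the build now works, naming the pip version that broke it would also let the pin be lifted safely later.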
@@ -34,6 +34,7 @@ gitdb==4.0.4 # via gitpython
 gitpython==3.1.1 # via bandit
 idna==2.8 # via moto, requests
 importlib-metadata==1.6.0 # via jsonpickle
+iniconfig==1.0.1 # via pytest
 itsdangerous==1.1.0 # via flask
 jinja2==2.11.2 # via flask, moto
 jmespath==0.9.5 # via boto3, botocore
@@ -52,7 +53,7 @@ packaging==20.3 # via pytest
 pathspec==0.8.0 # via black
 pbr==5.4.5 # via stevedore
 pluggy==0.13.1 # via pytest
-py==1.8.1 # via pytest
+py==1.9.0 # via pytest
 pyasn1==0.4.8 # via python-jose, rsa
 pycparser==2.20 # via cffi
 pyflakes==2.2.0 # via -r requirements-tests.in
@@ -60,7 +61,7 @@ pyparsing==2.4.7 # via packaging
 pyrsistent==0.16.0 # via jsonschema
 pytest-flask==1.0.0 # via -r requirements-tests.in
 pytest-mock==3.2.0 # via -r requirements-tests.in
-pytest==5.4.3 # via -r requirements-tests.in, pytest-flask, pytest-mock
+pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock
 python-dateutil==2.8.1 # via botocore, faker, freezegun, moto
 python-jose==3.1.0 # via moto
 pytz==2019.3 # via moto
@@ -78,10 +79,9 @@ sortedcontainers==2.1.0 # via fakeredis
 sshpubkeys==3.1.0 # via moto
 stevedore==1.32.0 # via bandit
 text-unidecode==1.3 # via faker
-toml==0.10.0 # via black
+toml==0.10.0 # via black, pytest
 typed-ast==1.4.1 # via black
 urllib3==1.25.8 # via botocore, requests
-wcwidth==0.1.9 # via pytest
 websocket-client==0.57.0 # via docker
 werkzeug==1.0.1 # via flask, moto, pytest-flask
 wrapt==1.12.1 # via aws-xray-sdk
From c80a3390e77ed826e8b81c816c2f315c51dca714 Mon Sep 17 00:00:00 2001
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date: Mon, 3 Aug 2020 17:27:26 +0000
Subject: [PATCH 006/141] Bump botocore from 1.17.28 to 1.17.33
Bumps [botocore](https://github.com/boto/botocore) from 1.17.28 to 1.17.33. - [Release notes](https://github.com/boto/botocore/releases) - [Changelog](https://github.com/boto/botocore/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/botocore/compare/1.17.28...1.17.33)
Signed-off-by: dependabot-preview[bot]
---
 requirements-docs.txt | 2 +-
 requirements-tests.txt | 2 +-
 requirements.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 4f70314f..63af4e4a 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -18,7 +18,7 @@ beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare
 billiard==3.6.3.0 # via -r requirements.txt, celery
 blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven
 boto3==1.14.28 # via -r requirements.txt
-botocore==1.17.28 # via -r requirements.txt, boto3, s3transfer
+botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer
 celery[redis]==4.4.2 # via -r requirements.txt
 certifi==2020.6.20 # via -r requirements.txt, requests
 certsrv==2.1.1 # via -r requirements.txt
diff --git a/requirements-tests.txt b/requirements-tests.txt
index 3d5c4318..3212f033 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -12,7 +12,7 @@ bandit==1.6.2 # via -r requirements-tests.in
 black==19.10b0 # via -r requirements-tests.in
 boto3==1.14.28 # via aws-sam-translator, moto
 boto==2.49.0 # via moto
-botocore==1.17.28 # via aws-xray-sdk, boto3, moto, s3transfer
+botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer
 certifi==2020.6.20 # via requests
 cffi==1.14.0 # via cryptography
 cfn-lint==0.29.5 # via moto
diff --git a/requirements.txt b/requirements.txt
index a57f6205..eb4be2fd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,7 +16,7 @@ beautifulsoup4==4.9.1 # via cloudflare
 billiard==3.6.3.0 # via celery
 blinker==1.4 # via flask-mail, flask-principal, raven
 boto3==1.14.28 # via -r requirements.in
-botocore==1.17.28 # via -r requirements.in, boto3, s3transfer
+botocore==1.17.33 # via -r requirements.in, boto3, s3transfer
 celery[redis]==4.4.2 # via -r requirements.in
 certifi==2020.6.20 # via -r requirements.in, requests
 certsrv==2.1.1 # via -r requirements.in
From 117c0bab044db58c74afcf863392d7c2f55fe059 Mon Sep 17 00:00:00 2001
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date: Mon, 3 Aug 2020 17:38:07 +0000
Subject: [PATCH 007/141] Bump boto3 from 1.14.28 to 1.14.33
Bumps [boto3](https://github.com/boto/boto3) from 1.14.28 to 1.14.33. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.28...1.14.33)
Signed-off-by: dependabot-preview[bot]
---
 requirements-docs.txt | 2 +-
 requirements-tests.txt | 2 +-
 requirements.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 63af4e4a..3d1ed54c 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -17,7 +17,7 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko
 beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare
 billiard==3.6.3.0 # via -r requirements.txt, celery
 blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven
-boto3==1.14.28 # via -r requirements.txt
+boto3==1.14.33 # via -r requirements.txt
 botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer
 celery[redis]==4.4.2 # via -r requirements.txt
 certifi==2020.6.20 # via -r requirements.txt, requests
diff --git a/requirements-tests.txt b/requirements-tests.txt
index 3212f033..7fd13f76 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -10,7 +10,7 @@ aws-sam-translator==1.22.0 # via cfn-lint
 aws-xray-sdk==2.5.0 # via moto
 bandit==1.6.2 # via -r requirements-tests.in
 black==19.10b0 # via -r requirements-tests.in
-boto3==1.14.28 # via aws-sam-translator, moto
+boto3==1.14.33 # via aws-sam-translator, moto
 boto==2.49.0 # via moto
 botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer
 certifi==2020.6.20 # via requests
diff --git a/requirements.txt b/requirements.txt
index eb4be2fd..46723b0d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,7 +15,7 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko
 beautifulsoup4==4.9.1 # via cloudflare
 billiard==3.6.3.0 # via celery
 blinker==1.4 # via flask-mail, flask-principal, raven
-boto3==1.14.28 # via -r requirements.in
+boto3==1.14.33 # via -r requirements.in
 botocore==1.17.33 # via -r requirements.in, boto3, s3transfer
 celery[redis]==4.4.2 # via -r requirements.in
 certifi==2020.6.20 # via -r requirements.in, requests
From 084f9a14f4177e5576304d83597cc74694a1a0e2 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Mon, 3 Aug 2020 16:14:14 -0700
Subject: [PATCH 008/141] updating documentation for cross-signed ICA
---
 docs/production/index.rst | 50 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/docs/production/index.rst b/docs/production/index.rst
index b91ed6bd..67e97dae 100644
--- a/docs/production/index.rst
+++ b/docs/production/index.rst
@@ -451,3 +451,53 @@ LetsEncrypt flow to function. However, Lemur will attempt to automatically deter possible. To enable this functionality, periodically (or through Cron/Celery) run `lemur dns_providers get_all_zones`. This command will traverse all DNS providers, determine which zones they control, and upload this list of zones to Lemur's database (in the dns_providers table). Alternatively, you can manually input this data. + + +LetsEncrypt: pinning to cross-signed ICA +---------------------------------------- + +Let's Encrypt has been using a `cross-signed `_ intermediate CA by DST Root CA X3, +which is included in many older devices' TrustStore. + + +Let's Encrypt is `transitioning `_ to use +the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. +This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. + + +Lemur can temporarily pin to the cross-signed intermediate CA (same public/private key pair as the ICA signed by ISRG X1). +This will prolong support for incompatible devices. 
+ +The following must be added to the config file to activate the pinning (the pinning will be removed by September 2021):: + + # remove or update after Mar 17 16:40:46 2021 GMT + IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE = "17/03/21" + IDENTRUST_CROSS_SIGNED_LE_ICA = """ + -----BEGIN CERTIFICATE----- + MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow + SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT + GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC + AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF + q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 + SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 + Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA + a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj + /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T + AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG + CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv + bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k + c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw + VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC + ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz + MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu + Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF + AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo + uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ + wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu + X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG + PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 + KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== + -----END CERTIFICATE----- + """ 
From c15a2c62d11e2402460a21db7ca5a76dee17269b Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:22:13 -0700 Subject: [PATCH 009/141] Honor selected algorithm during certificate cloning --- .../static/app/angular/certificates/certificate/certificate.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 21f61f22..83b0cfe8 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -212,12 +212,14 @@ angular.module('lemur') }) .controller('CertificateCloneController', function ($scope, $uibModalInstance, CertificateApi, CertificateService, DestinationService, AuthorityService, AuthorityApi, PluginService, MomentService, WizardHandler, LemurRestangular, NotificationService, toaster, editId) { + $scope.certificate = LemurRestangular.restangularizeElement(null, {}, 'certificates'); CertificateApi.get(editId).then(function (certificate) { $scope.certificate = certificate; $scope.certificate.name = ''; // we should prefer the generated name $scope.certificate.csr = null; // should not clone CSR in case other settings are changed in clone $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; + $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone CertificateService.getDefaults($scope.certificate); }); From c3d8501401ef2d59af115055c4ab3046acc64811 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:23:24 -0700 Subject: [PATCH 010/141] Do not inherit replacement info during cert clone --- .../static/app/angular/certificates/certificate/certificate.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 83b0cfe8..bb4e7db6 100644 
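Review bot: `$scope.certificate.keyType = 'RSA2048'` unconditionally overwrites whatever key type the certificate fetched on the line above carried, so cloning a certificate issued with a different key starts the wizard on RSA2048 even though the commit's stated aim is to honor the selected algorithm; if the literal is meant only as a fallback and the API object exposes a `keyType` field, `$scope.certificate.keyType = certificate.keyType || 'RSA2048';` preserves the original. The hard-coded literal also sits one line before `CertificateService.getDefaults($scope.certificate)`, so which of the two is intended to win is not obvious from the hunk and deserves a short comment. The enclosing controller function continues outside the hunk.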
--- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -215,11 +215,14 @@ angular.module('lemur') $scope.certificate = LemurRestangular.restangularizeElement(null, {}, 'certificates'); CertificateApi.get(editId).then(function (certificate) { $scope.certificate = certificate; + // prepare the certificate for cloning $scope.certificate.name = ''; // we should prefer the generated name $scope.certificate.csr = null; // should not clone CSR in case other settings are changed in clone $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone + $scope.certificate.replacedBy = []; // should not clone 'replaced by' info + $scope.certificate.removeReplaces(); // should not clone 'replacement cert' info CertificateService.getDefaults($scope.certificate); }); From 817a4c3d9081cf7d30056328c45d677b92422c2c Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:24:06 -0700 Subject: [PATCH 011/141] Modified cert description to have cert id being cloned --- lemur/static/app/angular/certificates/certificate/certificate.js | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index bb4e7db6..155658e6 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js 
@@ -221,6 +221,7 @@ angular.module('lemur')
 $scope.certificate.validityStart = null;
 $scope.certificate.validityEnd = null;
 $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone
+ $scope.certificate.description = 'Cloning from cert ID ' + editId;
 $scope.certificate.replacedBy = []; // should not clone 'replaced by' info
 $scope.certificate.removeReplaces(); // should not clone 'replacement cert' info
 CertificateService.getDefaults($scope.certificate);
From 914c0291382debbf9faab7a96c1f69b014a80569 Mon Sep 17 00:00:00 2001
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date: Mon, 10 Aug 2020 13:43:11 +0000
Subject: [PATCH 012/141] Bump cloudflare from 2.8.8 to 2.8.9
Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.8 to 2.8.9. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.8...2.8.9)
Signed-off-by: dependabot-preview[bot]
---
 requirements-docs.txt | 2 +-
 requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 3d1ed54c..a154dbef 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt
 cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl
 chardet==3.0.4 # via -r requirements.txt, requests
 click==7.1.1 # via -r requirements.txt, flask
-cloudflare==2.8.8 # via -r requirements.txt
+cloudflare==2.8.9 # via -r requirements.txt
 cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests
 dnspython3==1.15.0 # via -r requirements.txt
 dnspython==1.15.0 # via -r requirements.txt, dnspython3
diff --git a/requirements.txt b/requirements.txt
index 46723b0d..d9e86d97 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.8 # via -r requirements.in +cloudflare==2.8.9 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 7a83799bcd9fe9292dc9bd3fe91b8d629aae3585 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 17:30:34 -0700 Subject: [PATCH 013/141] Cert validity should not exceed 397 days for publicly trusted issuers --- lemur/common/validators.py | 12 ++++++++++++ lemur/plugins/lemur_digicert/plugin.py | 6 +++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index e1dfe3c1..4aecb97e 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -152,6 +152,18 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) + # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity + # for certs issued by public CA + # The list of public issuers can be managed through a config named PUBLIC_CA + public_CA = current_app.config.get("PUBLIC_CA", []) + if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: + max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + if ( + (data.get("validity_end").date() - data.get("validity_start").date()).days + > max_validity_days + ): + raise ValidationError("Certificate cannot be valid for more than " + + str(max_validity_days) + " days") return data diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index e5c4b2ce..32a5375a 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
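Review bot: The added check calls `data.get("validity_end").date()` and `data.get("validity_start").date()` without a guard, so for a public-CA authority a request with either key missing fails with `AttributeError` instead of a `ValidationError`; if the earlier part of `dates` (it starts outside the hunk) does not already require both, guard with `if data.get("validity_start") and data.get("validity_end"):`. The cap is also keyed on a case-insensitive match of `data["authority"].name` against the configured list, so a misspelled or renamed authority silently escapes the 397-day limit — a debug log when an authority is not matched would make that visible. Style: `public_CA` mixes cases and the message is built by concatenation; `public_ca_names` and `f"Certificate cannot be valid for more than {max_validity_days} days"` read more naturally.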
@@ -82,11 +82,11 @@ def determine_end_date(end_date): :param end_date: :return: validity_end """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_validity_end = arrow.utcnow().shift(years=current_app.config.get("DIGICERT_MAX_VALIDITY", default_years)) + default_days = current_app.config.get("DIGICERT_DEFAULT_VALIDITY_DAYS", 397) + max_validity_end = arrow.utcnow().shift(days=current_app.config.get("DIGICERT_MAX_VALIDITY_DAYS", default_days)) if not end_date: - end_date = arrow.utcnow().shift(years=default_years) + end_date = arrow.utcnow().shift(days=default_days) if end_date > max_validity_end: end_date = max_validity_end From 18a3514974a7bd40c971e303df7ffd573b484c69 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 18:06:45 -0700 Subject: [PATCH 014/141] Renaming PUBLIC_CA to PUBLIC_CA_AUTHORITY_NAMES --- lemur/common/validators.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index 4aecb97e..74095255 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -155,7 +155,7 @@ def dates(data): # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity # for certs issued by public CA # The list of public issuers can be managed through a config named PUBLIC_CA - public_CA = current_app.config.get("PUBLIC_CA", []) + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) if ( From 682991c02277d899aa43763c20a5e999a6713529 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 18:07:46 -0700 Subject: [PATCH 015/141] Updating Lemur docs to capture Digicert validity config changes --- docs/administration.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
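Review bot: `determine_end_date` now reads `DIGICERT_DEFAULT_VALIDITY_DAYS` and `DIGICERT_MAX_VALIDITY_DAYS` and ignores the previous `DIGICERT_DEFAULT_VALIDITY` and `DIGICERT_MAX_VALIDITY` keys without any fallback or warning, so a deployment that had configured a shorter maximum in years will, after upgrading, issue certificates with the 397-day default. Logging a warning through `current_app.logger` when one of the old keys is still present would make the rename visible to operators. The docstring's `:param end_date:` line is still empty; `:param end_date: requested validity end, or a falsy value to use the default` would complete it. The rest of the function body is outside the hunk.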
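Review bot: The context line two above the change still reads `# The list of public issuers can be managed through a config named PUBLIC_CA`, but the key read on the changed line is now `PUBLIC_CA_AUTHORITY_NAMES`; update it to `# The list of public issuers can be managed through a config named PUBLIC_CA_AUTHORITY_NAMES`. A stale comment here is the first thing an operator debugging a missing validity cap will see. The enclosing `dates` function starts and ends outside the hunk.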
diff --git a/docs/administration.rst b/docs/administration.rst index 157af478..a6d93af7 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -729,16 +729,16 @@ The following configuration properties are required to use the Digicert issuer p This is the root to be used for your CA chain -.. data:: DIGICERT_DEFAULT_VALIDITY +.. data:: DIGICERT_DEFAULT_VALIDITY_DAYS :noindex: - This is the default validity (in years), if no end date is specified. (Default: 1) + This is the default validity (in days), if no end date is specified. (Default: 397) -.. data:: DIGICERT_MAX_VALIDITY +.. data:: DIGICERT_MAX_VALIDITY_DAYS :noindex: - This is the maximum validity (in years). (Default: value of DIGICERT_DEFAULT_VALIDITY) + This is the maximum validity (in days). (Default: value of DIGICERT_DEFAULT_VALIDITY_DAYS) .. data:: DIGICERT_PRIVATE From 9d3b7ac5ddfc4c9d7cfcff942d04fbe853d95221 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 11 Aug 2020 01:40:26 +0000 Subject: [PATCH 016/141] Bump sphinx from 3.1.2 to 3.2.0 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.1.2...v3.2.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a154dbef..7e187213 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.1.2 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From 0d1798b0e0a2bc96bea5635093db96f8cd658fa4 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 10 Aug 2020 13:43:11 +0000 Subject: [PATCH 017/141] Bump cloudflare from 2.8.8 to 2.8.9 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.8 to 2.8.9. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.8...2.8.9) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 3d1ed54c..a154dbef 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.8 # via -r requirements.txt +cloudflare==2.8.9 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 
diff --git a/requirements.txt b/requirements.txt index 46723b0d..d9e86d97 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.8 # via -r requirements.in +cloudflare==2.8.9 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 226a62d338c89e7111759370b6616778798b830d Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 11 Aug 2020 01:40:26 +0000 Subject: [PATCH 018/141] Bump sphinx from 3.1.2 to 3.2.0 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.1.2...v3.2.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a154dbef..7e187213 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.1.2 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From bde2829e720f31129347db281ba2984eea7a5b4f Mon Sep 17 00:00:00 2001 
From: sayali Date: Tue, 11 Aug 2020 17:10:29 -0700 Subject: [PATCH 019/141] Modify unit test test_determine_end_date to match new config --- lemur/plugins/lemur_digicert/tests/test_digicert.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index 8bfd1dcf..ca2ddf68 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -32,11 +32,11 @@ def test_determine_validity_years(mock_current_app): @patch("lemur.plugins.lemur_digicert.plugin.current_app") def test_determine_end_date(mock_current_app): - mock_current_app.config.get = Mock(return_value=2) + mock_current_app.config.get = Mock(return_value=397) # 397 days validity with freeze_time(time_to_freeze=arrow.get(2016, 11, 3).datetime): - assert arrow.get(2018, 11, 3) == plugin.determine_end_date(0) - assert arrow.get(2018, 5, 7) == plugin.determine_end_date(arrow.get(2018, 5, 7)) - assert arrow.get(2018, 11, 3) == plugin.determine_end_date(arrow.get(2020, 5, 7)) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(0) # 397 days from (2016, 11, 3) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(arrow.get(2017, 12, 5)) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(arrow.get(2020, 5, 7)) @patch("lemur.plugins.lemur_digicert.plugin.current_app") From d7ca1570beb44a62ac79ac96052a420ade5ba028 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:02:42 -0700 Subject: [PATCH 020/141] maximum 1 year validity for digicert --- lemur/plugins/lemur_digicert/plugin.py | 18 ++++++++---------- .../lemur_digicert/tests/test_digicert.py | 11 ++++------- 2 files changed, 12 insertions(+), 17 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 32a5375a..9b3d4429 100644 --- a/lemur/plugins/lemur_digicert/plugin.py 
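Review bot: `Mock(return_value=397)` answers 397 for every config key, so the test cannot tell `DIGICERT_DEFAULT_VALIDITY_DAYS` from `DIGICERT_MAX_VALIDITY_DAYS` and never exercises the case the function exists for, a default larger than the maximum. Drive the mock from a dict instead, `cfg = {"DIGICERT_DEFAULT_VALIDITY_DAYS": 397, "DIGICERT_MAX_VALIDITY_DAYS": 365}` with `mock_current_app.config.get = Mock(side_effect=lambda k, d=None: cfg.get(k, d))`, and add an assertion that `determine_end_date(0)` is clamped to the 365-day value. The three existing assertions would still pass with the default-only configuration.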
+++ b/lemur/plugins/lemur_digicert/plugin.py @@ -61,18 +61,16 @@ def signature_hash(signing_algorithm): def determine_validity_years(years): - """Given an end date determine how many years into the future that date is. - :param years: - :return: validity in years """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_years = current_app.config.get("DIGICERT_MAX_VALIDITY", default_years) + Considering maximum allowed certificate validity period of 398 days, this method should not return + more than 1 year of validity. Thus changing it to return 1. + Lemur will change this method in future to handle validity in months (determine_validity_months) + instead of years. This will allow flexibility to handle short-lived certificates. - if years > max_years: - return max_years - if years not in [1, 2, 3]: - return default_years - return years + :param years: + :return: 1 + """ + return 1 def determine_end_date(end_date): diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index ca2ddf68..4abfcf54 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -14,8 +14,6 @@ def config_mock(*args): "DIGICERT_ORG_ID": 111111, "DIGICERT_PRIVATE": False, "DIGICERT_DEFAULT_SIGNING_ALGORITHM": "sha256", - "DIGICERT_DEFAULT_VALIDITY": 1, - "DIGICERT_MAX_VALIDITY": 2, "DIGICERT_CIS_PROFILE_NAMES": {"digicert": 'digicert'}, "DIGICERT_CIS_SIGNING_ALGORITHMS": {"digicert": 'digicert'}, } 
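Review bot: `determine_validity_years` now ignores its `years` argument without any signal to the caller, so a request for a 2- or 3-year certificate is silently turned into a 1-year one, and the previously honoured `DIGICERT_DEFAULT_VALIDITY` / `DIGICERT_MAX_VALIDITY` settings become dead keys that operators are not told about. A warning on the non-default path keeps the behaviour change visible, `if years != 1: current_app.logger.warning("DigiCert validity capped at 1 year; %s requested", years)`. The docstring should also name the two config keys as no longer read, since the only remaining documentation of them is the one removed from the test fixture below.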
@@ -24,10 +22,9 @@ def config_mock(*args): @patch("lemur.plugins.lemur_digicert.plugin.current_app") def test_determine_validity_years(mock_current_app): - mock_current_app.config.get = Mock(return_value=2) assert plugin.determine_validity_years(1) == 1 - assert plugin.determine_validity_years(0) == 2 - assert plugin.determine_validity_years(3) == 2 + assert plugin.determine_validity_years(0) == 1 + assert plugin.determine_validity_years(3) == 1 @patch("lemur.plugins.lemur_digicert.plugin.current_app") @@ -52,7 +49,7 @@ def test_map_fields_with_validity_years(mock_current_app): "owner": "bob@example.com", "description": "test certificate", "extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}}, - "validity_years": 2 + "validity_years": 1 } expected = { "certificate": { @@ -62,7 +59,7 @@ def test_map_fields_with_validity_years(mock_current_app): "signature_hash": "sha256", }, "organization": {"id": 111111}, - "validity_years": 2, + "validity_years": 1, } assert expected == plugin.map_fields(options, CSR_STR) From acb04638440a5b191ac4015212adfae58934f78c Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:51:41 -0700 Subject: [PATCH 021/141] Add new configs to the doc --- docs/administration.rst | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index a6d93af7..9f377119 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -66,7 +66,7 @@ Basic Configuration .. data:: SQLALCHEMY_POOL_SIZE -:noindex: + :noindex: The default connection pool size is 5 for sqlalchemy managed connections. Depending on the number of Lemur instances, please specify per instance connection pool size. Below is an example to set connection pool size to 10. 
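Review bot: The `@patch("lemur.plugins.lemur_digicert.plugin.current_app")` decorator and the `mock_current_app` parameter on `test_determine_validity_years` are now dead, because the function under test no longer consults `current_app` after this series; keeping the patch suggests a config dependency that does not exist. Drop the decorator and the argument, `def test_determine_validity_years():`, and the three assertions stand on their own.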
@@ -80,7 +80,7 @@ Basic Configuration This is an optional setting but important to review and set for optimal database connection usage and for overall database performance. .. data:: SQLALCHEMY_MAX_OVERFLOW -:noindex: + :noindex: This setting allows to create connections in addition to specified number of connections in pool size. By default, sqlalchemy allows 10 connections to create in addition to the pool size. This is also an optional setting. If `SQLALCHEMY_POOL_SIZE` and @@ -155,6 +155,22 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s='] +.. data:: PUBLIC_CA_AUTHORITY_NAMES + :noindex: + A list of public issuers which would be checked against to determine whether limit of max validity of 397 days + should be applied to the certificate. Configure public CA authority names in this list to enforce validity check. + This is an optional setting. Using this will allow the sanity check as mentioned. The name check is a case-insensitive + string comparision. + +.. data:: PUBLIC_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 397 days of validity for certificates issued by public issuers configured + using PUBLIC_CA_AUTHORITY_NAMES. Below example overrides the default validity of 397 days and sets it to 365 days. + + :: + + PUBLIC_CA_MAX_VALIDITY_DAYS = 365 + .. data:: DEBUG_DUMP :noindex: From 6ff8910f873051298a99d88ee9c586cb508a2594 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:53:19 -0700 Subject: [PATCH 022/141] mention 397 for digicert plugin --- lemur/plugins/lemur_digicert/plugin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 9b3d4429..fd8c4e2d 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
@@ -62,8 +62,8 @@ def signature_hash(signing_algorithm): def determine_validity_years(years): """ - Considering maximum allowed certificate validity period of 398 days, this method should not return - more than 1 year of validity. Thus changing it to return 1. + Considering maximum allowed certificate validity period of 397 days, this method should not return + more than 1 year of validity. Thus changing it to always return 1. Lemur will change this method in future to handle validity in months (determine_validity_months) instead of years. This will allow flexibility to handle short-lived certificates. From 5b3f40467b3675ffab2f0a6672b5136ab024c763 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:12:07 -0700 Subject: [PATCH 023/141] Make Organizational Unit optional --- .../angular/authorities/authority/distinguishedName.tpl.html | 3 +-- .../certificates/certificate/distinguishedName.tpl.html | 4 +--- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html index 33b0ba4b..c6a7d312 100644 --- a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html +++ b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html @@ -46,8 +46,7 @@ Organizational Unit
- -

You must enter a organizational unit

+
diff --git a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html index 19102b03..72f168a0 100644 --- a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html @@ -62,9 +62,7 @@
-

You must - enter a organizational unit

+ class="form-control"/>
From bc5579e9bfdec597a2acf62735d1890a8faff2db Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:47:55 -0700 Subject: [PATCH 024/141] max date on UI as per max validity configs --- docs/administration.rst | 11 +++++++++++ lemur/authorities/schemas.py | 2 ++ lemur/certificates/models.py | 10 ++++++++++ .../certificates/certificate/tracking.tpl.html | 4 ++-- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index 9f377119..df027f70 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,6 +172,17 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 +.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is + not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of + 365 days and sets it to 90 days. + + :: + + INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + + .. data:: DEBUG_DUMP :noindex: diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index c78aec94..135f4f3d 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -109,6 +109,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() + max_issuance_date = fields.DateTime() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) @@ -134,6 +135,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) authority_update_schema = AuthorityUpdateSchema() 
diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 58630ee6..9ea45409 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -311,6 +311,16 @@ class Certificate(db.Model): def validity_range(self): return self.not_after - self.not_before + @property + def max_issuance_date(self): + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) + if self.name.lower() in [ca.lower() for ca in public_CA]: + default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + else: + default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year + issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) + return arrow.utcnow().shift(days=issuance_validity_days) + @property def subject(self): return self.parsed_cert.subject diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 027add0f..47de640e 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html @@ -154,7 +154,7 @@ is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,7 +174,7 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="End Date" From cab1216cb711db4a2bfdafe3615c0fe45bc0ebdd Mon Sep 17 00:00:00 2001 
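Review bot: `abs(self.not_after - arrow.utcnow()).days` hides an already-expired authority certificate: once `not_after` is in the past the difference is negative, `abs()` flips it, and `max_issuance_date` reports a positive issuance window that grows the longer the CA has been expired. Use `max((self.not_after - arrow.utcnow()).days, 0)` so an expired CA yields today as its maximum date. The public-CA test also compares `self.name`, the authority certificate's own record name, rather than the authority name that `validators.dates` compares, so the two can disagree if those names differ; the property is part of the `Certificate` class, whose body lies outside the hunk.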
From: sayali Date: Tue, 18 Aug 2020 15:14:34 -0700 Subject: [PATCH 025/141] Updating LEMUR_DEFAULT_ORGANIZATIONAL_UNIT to empty string --- docs/administration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administration.rst b/docs/administration.rst index df027f70..83747636 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -240,7 +240,7 @@ and are used when Lemur creates the CSR for your certificates. :: - LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "Operations" + LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "" .. data:: LEMUR_DEFAULT_ISSUER_PLUGIN From 240f0b99c8963066dd86fe09a78f8767d9d0baad Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:34:59 -0700 Subject: [PATCH 026/141] Max end date as per start date + default validity 3 years --- lemur/authorities/schemas.py | 4 ++-- lemur/certificates/models.py | 10 ++++------ .../certificates/certificate/tracking.tpl.html | 7 ++++--- .../static/app/angular/certificates/services.js | 16 ++++++++++++++++ .../app/angular/pending_certificates/services.js | 15 +++++++++++++++ 5 files changed, 41 insertions(+), 11 deletions(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 135f4f3d..0700c15b 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -109,7 +109,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() - max_issuance_date = fields.DateTime() + max_issuance_days = fields.Integer() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) 
@@ -135,7 +135,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() - authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_days"]) authority_update_schema = AuthorityUpdateSchema() diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 9ea45409..5f6c4ba9 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -312,14 +312,12 @@ class Certificate(db.Model): return self.not_after - self.not_before @property - def max_issuance_date(self): + def max_issuance_days(self): public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if self.name.lower() in [ca.lower() for ca in public_CA]: - default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - else: - default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year - issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) - return arrow.utcnow().shift(days=issuance_validity_days) + return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + + return current_app.config.get("DEFAULT_MAX_VALIDITY_DAYS", 1095) # 3 years default @property def subject(self): diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 47de640e..07d6b0f4 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html 
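Review bot: `max_issuance_days` looks up `self.name.lower()` in `PUBLIC_CA_AUTHORITY_NAMES`, but the server-side check in `validators.dates` (earlier in this series) matches `data["authority"].name`; `self` here is the authority's certificate record, so the two lookups agree only if that certificate was named identically to the authority. Since this property only feeds the UI date picker while `validators.dates` remains the enforcement point, a mismatch produces a confusing 1095-day picker range rather than a bypass, but the duplicated list comprehension should be one helper used by both sites, e.g. `def is_public_ca(name): return name.lower() in (ca.lower() for ca in current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []))`. A docstring should say explicitly that this value is advisory for the UI and not a validation limit.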
@@ -151,10 +151,11 @@ uib-tooltip="yyyy/MM/dd" uib-datepicker-popup="yyyy/MM/dd" ng-model="certificate.validityStart" + ng-change="certificate.setValidityEndDateRange(certificate.validityStart)" is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" + max-date="certificate.authority.authorityCertificate.notAfter" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,8 +175,8 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" - min-date="certificate.authority.authorityCertificate.notBefore" + max-date="certificate.authority.authorityCertificate.maxValidityEnd" + min-date="certificate.authority.authorityCertificate.minValidityEnd" alt-input-formats="altInputFormats" placeholder="End Date" /> diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 3a23076d..7d46f4ca 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js @@ -164,6 +164,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); 
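Review bot: `setValidityEndDateRange` does not guard its input: when the start-date picker is cleared `value` is empty, `new Date('')` is an Invalid Date and `maxValidityEnd` becomes invalid, while `new Date(null)` is the 1970 epoch and shifts the whole range into the past; likewise, if `maxIssuanceDays` is absent from the authority payload `setDate(NaN)` produces an Invalid Date. Add an early return, `if (!value || !this.authority.authorityCertificate.maxIssuanceDays) { return; }`, before the assignments. The identical function is copied verbatim into `pending_certificates/services.js` in the next hunk; the same guard applies there, and a shared helper would avoid the two drifting apart.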
@@ -264,6 +276,9 @@ angular.module('lemur') } } + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; + if (certificate.dnsProviderId) { certificate.dnsProvider = {id: certificate.dnsProviderId}; } @@ -292,3 +307,4 @@ angular.module('lemur') return CertificateService; }); + diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index 4e1b23e4..a9bb8079 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -144,6 +144,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); @@ -230,6 +242,9 @@ angular.module('lemur') certificate.authority = defaults.authority; } } + + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; }); }; From d41227327e84a0134bccee200d889e8c5d8b0cc7 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:47:38 -0700 Subject: [PATCH 027/141] doc update DEFAULT_MAX_VALIDITY_DAYS --- docs/administration.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/docs/administration.rst b/docs/administration.rst index 83747636..846a4c34 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,15 +172,15 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 -.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS +.. data:: DEFAULT_MAX_VALIDITY_DAYS :noindex: - Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is - not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of - 365 days and sets it to 90 days. + Use this config to override the default limit of 1095 days (3 years) of validity. Any CA which is not listed in + PUBLIC_CA_AUTHORITY_NAMES will be using this validity to display date range on UI. Below example overrides the + default validity of 1095 days and sets it to 365 days. :: - INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + DEFAULT_MAX_VALIDITY_DAYS = 365 .. data:: DEBUG_DUMP From 5b96b3a0320d6e446a952ad97c51bd3ad0addd3e Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 20:03:15 -0700 Subject: [PATCH 028/141] Lint error fix --- lemur/static/app/angular/certificates/services.js | 6 ++++-- lemur/static/app/angular/pending_certificates/services.js | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 7d46f4ca..881a443a 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js 
@@ -167,8 +167,10 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; - + if(this.validityEnd) { + this.validityEnd = ''; + } + // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index a9bb8079..2f99eb7d 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -147,7 +147,9 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; + if(this.validityEnd) { + this.validityEnd = ''; + } // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; From c2116df6526fc6e50bb797bb1a2960602a5b66de Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Wed, 19 Aug 2020 12:25:52 +0200 Subject: [PATCH 029/141] Extended ADCS_TEMPLATE_ Variable If there is a config variable ADCS_TEMPLATE_ take the value as Cert template else default to ADCS_TEMPLATE to be compatible with former versions --- lemur/plugins/lemur_adcs/plugin.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_adcs/plugin.py b/lemur/plugins/lemur_adcs/plugin.py index a69afc90..4b4eb20c 100644 --- a/lemur/plugins/lemur_adcs/plugin.py +++ b/lemur/plugins/lemur_adcs/plugin.py 
@@ -40,7 +40,10 @@ class ADCSIssuerPlugin(IssuerPlugin): adcs_user = current_app.config.get("ADCS_USER") adcs_pwd = current_app.config.get("ADCS_PWD") adcs_auth_method = current_app.config.get("ADCS_AUTH_METHOD") - adcs_template = current_app.config.get("ADCS_TEMPLATE") + # if there is a config variable ADCS_TEMPLATE_ take the value as Cert template + # else default to ADCS_TEMPLATE to be compatible with former versions + authority = issuer_options.get("authority").name.upper() + adcs_template = current_app.config.get("ADCS_TEMPLATE_{0}".format(authority), current_app.config.get("ADCS_TEMPLATE")) ca_server = Certsrv( adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method ) From 3e8ca982a10e525d1ad45b24de4c28af4af2cc25 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 16:41:17 +0000 Subject: [PATCH 030/141] Bump acme from 1.6.0 to 1.7.0 Bumps [acme](https://github.com/letsencrypt/letsencrypt) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/letsencrypt/letsencrypt/releases) - [Commits](https://github.com/letsencrypt/letsencrypt/compare/v1.6.0...v1.7.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 7e187213..a70fc3ea 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements-docs.txt requirements-docs.in # -acme==1.6.0 # via -r requirements.txt +acme==1.7.0 # via -r requirements.txt alabaster==0.7.12 # via sphinx alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate diff --git a/requirements.txt b/requirements.txt index d9e86d97..86650ced 100644 --- a/requirements.txt +++ b/requirements.txt 
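Review bot: The authority name is free text entered in the Lemur UI, and after `.upper()` it is interpolated into a config key, so any name containing spaces, hyphens or other non-identifier characters can never match a Python settings constant and falls back to `ADCS_TEMPLATE` without notice; since the template decides what the CA issues, that silent fallback deserves a log line such as `current_app.logger.debug("ADCS template for authority %s: %s", authority, adcs_template)`. `issuer_options.get("authority").name` also raises a bare `AttributeError` when the key is missing; `issuer_options["authority"].name` gives a clearer `KeyError`. The comment should spell out the convention it relies on, `# Per-authority template via ADCS_TEMPLATE_<AUTHORITY NAME, upper-cased>; falls back to ADCS_TEMPLATE for older configs`. The enclosing method starts and ends outside the hunk.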
@@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements.txt requirements.in # -acme==1.6.0 # via -r requirements.in +acme==1.7.0 # via -r requirements.in alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu From 7b2b3911bc181759e17bd71bc8d6bf29cf45dca6 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:19:48 +0000 Subject: [PATCH 031/141] Bump fakeredis from 1.4.1 to 1.4.3 Bumps [fakeredis](https://github.com/jamesls/fakeredis) from 1.4.1 to 1.4.3. - [Release notes](https://github.com/jamesls/fakeredis/releases) - [Commits](https://github.com/jamesls/fakeredis/compare/1.4.1...1.4.3) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 7fd13f76..10c3209b 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -26,7 +26,7 @@ docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==2.12.0 # via -r requirements-tests.in faker==4.1.1 # via -r requirements-tests.in, factory-boy -fakeredis==1.4.1 # via -r requirements-tests.in +fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==0.3.15 # via -r requirements-tests.in future==0.18.2 # via aws-xray-sdk From 553b7fab8d7780b16a011db3378df67f5ac3c545 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:28:39 +0000 Subject: [PATCH 032/141] Bump factory-boy from 2.12.0 to 3.0.1 Bumps [factory-boy](https://github.com/FactoryBoy/factory_boy) from 2.12.0 to 3.0.1. - [Release notes](https://github.com/FactoryBoy/factory_boy/releases) - [Changelog](https://github.com/FactoryBoy/factory_boy/blob/master/docs/changelog.rst) - [Commits](https://github.com/FactoryBoy/factory_boy/compare/2.12.0...3.0.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 10c3209b..4893d4e3 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -24,7 +24,7 @@ decorator==4.4.2 # via networkx docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys -factory-boy==2.12.0 # via -r requirements-tests.in +factory-boy==3.0.1 # via -r requirements-tests.in faker==4.1.1 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask From 660a09e4c92ef4874bc2e20783cec02f21ef1494 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:41:18 +0000 Subject: [PATCH 033/141] Bump pre-commit from 2.6.0 to 2.7.1 Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 2.6.0 to 2.7.1. - [Release notes](https://github.com/pre-commit/pre-commit/releases) - [Changelog](https://github.com/pre-commit/pre-commit/blob/master/CHANGELOG.md) - [Commits](https://github.com/pre-commit/pre-commit/compare/v2.6.0...v2.7.1) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 2299848e..97ec82d1 100644 --- a/requirements-dev.txt 
+++ b/requirements-dev.txt @@ -24,7 +24,7 @@ keyring==21.2.0 # via twine mccabe==0.6.1 # via flake8 nodeenv==1.4.0 # via -r requirements-dev.in, pre-commit pkginfo==1.5.0.1 # via twine -pre-commit==2.6.0 # via -r requirements-dev.in +pre-commit==2.7.1 # via -r requirements-dev.in pycodestyle==2.3.1 # via flake8 pycparser==2.20 # via cffi pyflakes==1.6.0 # via flake8 From ad0e469e92c797c66dc86f12d51c34a2a5707365 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:54:14 +0000 Subject: [PATCH 034/141] Bump nodeenv from 1.4.0 to 1.5.0 Bumps [nodeenv](https://github.com/ekalinin/nodeenv) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/ekalinin/nodeenv/releases) - [Changelog](https://github.com/ekalinin/nodeenv/blob/master/CHANGES) - [Commits](https://github.com/ekalinin/nodeenv/compare/1.4.0...1.5.0) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 97ec82d1..a029d4ae 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -22,7 +22,7 @@ invoke==1.4.1 # via -r requirements-dev.in jeepney==0.4.3 # via keyring, secretstorage keyring==21.2.0 # via twine mccabe==0.6.1 # via flake8 -nodeenv==1.4.0 # via -r requirements-dev.in, pre-commit +nodeenv==1.5.0 # via -r requirements-dev.in, pre-commit pkginfo==1.5.0.1 # via twine pre-commit==2.7.1 # via -r requirements-dev.in pycodestyle==2.3.1 # via flake8 From 61eac2aada6d54f822d443d3dd4f66670da7b6a0 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:03:20 +0000 Subject: [PATCH 035/141] Bump faker from 4.1.1 to 4.1.2 Bumps [faker](https://github.com/joke2k/faker) from 4.1.1 to 4.1.2. - [Release notes](https://github.com/joke2k/faker/releases) - [Changelog](https://github.com/joke2k/faker/blob/master/CHANGELOG.rst) - [Commits](https://github.com/joke2k/faker/compare/v4.1.1...v4.1.2) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 4893d4e3..ee406105 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -25,7 +25,7 @@ docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==3.0.1 # via -r requirements-tests.in -faker==4.1.1 # via -r requirements-tests.in, factory-boy +faker==4.1.2 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==0.3.15 # via -r requirements-tests.in From 1a8e96ed329a77d0a6727fe48706900226ebe44f Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:12:28 +0000 Subject: [PATCH 036/141] Bump sphinx from 3.2.0 to 3.2.1 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.2.0 to 3.2.1. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.2.0...v3.2.1) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a70fc3ea..202e0700 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.1 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From 88a043cfecf0e65d3651855588418f52cac1be6b Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:28:42 +0000 Subject: [PATCH 037/141] Bump inflection from 0.5.0 to 0.5.1 Bumps [inflection](https://github.com/jpvanhal/inflection) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/jpvanhal/inflection/releases) - [Commits](https://github.com/jpvanhal/inflection/compare/0.5.0...0.5.1) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 202e0700..1a2986d5 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -46,7 +46,7 @@ gunicorn==20.0.4 # via -r requirements.txt hvac==0.10.5 # via -r requirements.txt idna==2.9 # via -r requirements.txt, requests imagesize==1.2.0 # via sphinx -inflection==0.5.0 # via -r requirements.txt +inflection==0.5.1 # via -r requirements.txt itsdangerous==1.1.0 # via -r requirements.txt, flask javaobj-py3==0.4.0.1 # via -r requirements.txt, pyjks jinja2==2.11.2 # via -r requirements.txt, flask, sphinx diff --git a/requirements.txt b/requirements.txt index 86650ced..9a0a521c 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -43,7 +43,7 @@ future==0.18.2 # via -r requirements.in gunicorn==20.0.4 # via -r requirements.in hvac==0.10.5 # via -r requirements.in idna==2.9 # via requests -inflection==0.5.0 # via -r requirements.in +inflection==0.5.1 # via -r requirements.in itsdangerous==1.1.0 # via flask javaobj-py3==0.4.0.1 # via pyjks jinja2==2.11.2 # via -r requirements.in, flask From ad5416e441366a756c19992e61b4eb00591e2d4c Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:42:38 +0000 Subject: [PATCH 038/141] Bump pytest-mock from 3.2.0 to 3.3.0 Bumps [pytest-mock](https://github.com/pytest-dev/pytest-mock) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/pytest-dev/pytest-mock/releases) - [Changelog](https://github.com/pytest-dev/pytest-mock/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-mock/compare/v3.2.0...v3.3.0) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index ee406105..1dc1f48d 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -60,7 +60,7 @@ pyflakes==2.2.0 # via -r requirements-tests.in pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in -pytest-mock==3.2.0 # via -r requirements-tests.in +pytest-mock==3.3.0 # via -r requirements-tests.in pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto From a4a83dda72ace6f697a10a02ccc01fde47ce923f Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:55:27 +0000 Subject: [PATCH 039/141] Bump cloudflare from 2.8.9 to 2.8.13 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.9 to 2.8.13. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.9...2.8.13) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 1a2986d5..69679ebf 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.9 # via -r requirements.txt +cloudflare==2.8.13 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 9a0a521c..9a0a2833 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.9 # via -r requirements.in +cloudflare==2.8.13 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 939c41a70eff246ac1a83cee97e9ab6135aee466 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 19:04:47 +0000 Subject: [PATCH 040/141] Bump arrow from 0.15.8 to 0.16.0 Bumps [arrow](https://github.com/arrow-py/arrow) from 0.15.8 to 0.16.0. - [Release notes](https://github.com/arrow-py/arrow/releases) - [Changelog](https://github.com/arrow-py/arrow/blob/master/CHANGELOG.rst) - [Commits](https://github.com/arrow-py/arrow/compare/0.15.8...0.16.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 69679ebf..045c1832 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -10,7 +10,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate amqp==2.5.2 # via -r requirements.txt, kombu aniso8601==8.0.0 # via -r requirements.txt, flask-restful -arrow==0.15.8 # via -r requirements.txt +arrow==0.16.0 # via -r requirements.txt asyncpool==1.0 # via -r requirements.txt babel==2.8.0 # via sphinx bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko diff --git a/requirements.txt b/requirements.txt index 9a0a2833..2ecb1f9c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,7 +9,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu aniso8601==8.0.0 # via flask-restful -arrow==0.15.8 # via -r requirements.in +arrow==0.16.0 # via -r requirements.in asyncpool==1.0 # via -r requirements.in bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare From 0f463d5f13ef75100aa04a416722425f0fbec038 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 19:17:13 +0000 Subject: [PATCH 041/141] Bump boto3 from 1.14.33 to 1.14.48 Bumps [boto3](https://github.com/boto/boto3) from 1.14.33 to 1.14.48. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.33...1.14.48) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 4 ++-- requirements-tests.txt | 4 ++-- requirements.txt | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 045c1832..0ee5d42e 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -17,8 +17,8 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.33 # via -r requirements.txt -botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer +boto3==1.14.48 # via -r requirements.txt +botocore==1.17.48 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index 1dc1f48d..303338c1 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt 
@@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.33 # via aws-sam-translator, moto +boto3==1.14.48 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.48 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index 2ecb1f9c..c79ec23d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,8 +15,8 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.33 # via -r requirements.in -botocore==1.17.33 # via -r requirements.in, boto3, s3transfer +boto3==1.14.48 # via -r requirements.in +botocore==1.17.48 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in From 3efe14c43f6efac50ed59a1bcd942c57345ed360 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 25 Aug 2020 16:26:20 -0700 Subject: [PATCH 042/141] Remove 397 days validation as it causes error in API calls More to come in future --- lemur/common/validators.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index 74095255..e1dfe3c1 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py 
@@ -152,18 +152,6 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) - # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity - # for certs issued by public CA - # The list of public issuers can be managed through a config named PUBLIC_CA - public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) - if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: - max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - if ( - (data.get("validity_end").date() - data.get("validity_start").date()).days - > max_validity_days - ): - raise ValidationError("Certificate cannot be valid for more than " + - str(max_validity_days) + " days") return data From 6aedd3b0d821adaf04b89cb7c958622c47d4f61f Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 25 Aug 2020 18:40:36 -0700 Subject: [PATCH 043/141] Datepicker enhancements --- lemur/certificates/models.py | 2 -- .../certificates/certificate/tracking.tpl.html | 4 +++- .../app/angular/certificates/services.js | 18 ++++++++++-------- .../angular/pending_certificates/services.js | 16 +++++++++------- 4 files changed, 22 insertions(+), 18 deletions(-) diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 5f6c4ba9..9d4cda34 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -317,8 +317,6 @@ class Certificate(db.Model): if self.name.lower() in [ca.lower() for ca in public_CA]: return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - return current_app.config.get("DEFAULT_MAX_VALIDITY_DAYS", 1095) # 3 years default - @property def subject(self): return self.parsed_cert.subject diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 07d6b0f4..6b2edee6 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html 
+++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html @@ -96,7 +96,7 @@ Certificate Authority
- + {{$select.selected.name}} -
- +
@@ -20,7 +20,7 @@ Key Type
-
diff --git a/lemur/tests/test_authorities.py b/lemur/tests/test_authorities.py index 9649e949..6090d0b6 100644 --- a/lemur/tests/test_authorities.py +++ b/lemur/tests/test_authorities.py @@ -34,6 +34,29 @@ def test_authority_input_schema(client, role, issuer_plugin, logged_in_user): assert not errors +def test_authority_input_schema_ecc(client, role, issuer_plugin, logged_in_user): + from lemur.authorities.schemas import AuthorityInputSchema + + input_data = { + "name": "Example Authority", + "owner": "jim@example.com", + "description": "An example authority.", + "commonName": "An Example Authority", + "plugin": { + "slug": "test-issuer", + "plugin_options": [{"name": "test", "value": "blah"}], + }, + "type": "root", + "signingAlgorithm": "sha256WithECDSA", + "keyType": "EC256", + "sensitivity": "medium", + } + + data, errors = AuthorityInputSchema().load(input_data) + + assert not errors + + def test_user_authority(session, client, authority, role, user, issuer_plugin): u = user["user"] u.roles.append(role) From 5a6e4e5b43628558c931d15e7eb8529e22b1f093 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Tue, 14 Jul 2020 17:35:13 -0700 Subject: [PATCH 048/141] Let's Encrypt has been using a cross-signed intermediate CA by DST Root CA X3, which is included in any older devices' TrustStore. https://letsencrypt.org/certificates/ Let's Encrypt is transitioning to use the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html This PR allows Lemur to pin to the cross-signed ICA (same public/private key pair as the ICA signed by ISRG X1). This will prolong support for incompatible systems. --- lemur/plugins/lemur_acme/plugin.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) 
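Review bot: `test_authority_input_schema_ecc` only asserts `not errors`, so it would still pass if the schema silently dropped or rewrote `keyType`/`signingAlgorithm`; pin the deserialised values as well, e.g. `assert data["key_type"] == "EC256"` (adjust to whatever attribute name the schema actually loads into). If the schema is meant to reject a mismatched pair, a negative case that loads an RSA signing algorithm together with `"keyType": "EC256"` and asserts that `errors` is non-empty would document that contract; if it is not meant to, a one-line comment saying the schema does not validate algorithm/key-type consistency would stop the next reader from assuming it does.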
diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 3fc1df61..16d61a0f 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py @@ -205,9 +205,15 @@ class AcmeHandler(object): OpenSSL.crypto.FILETYPE_PEM, orderr.fullchain_pem ), ).decode() - pem_certificate_chain = orderr.fullchain_pem[ - len(pem_certificate) : # noqa - ].lstrip() + + if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \ + and datetime.datetime.now() < datetime.datetime.strptime( + current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): + pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA") + else: + pem_certificate_chain = orderr.fullchain_pem[ + len(pem_certificate) : # noqa + ].lstrip() current_app.logger.debug( "{0} {1}".format(type(pem_certificate), type(pem_certificate_chain)) From f4bcd1cf304c1a9eada8b5f9f82fd565e404efd2 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Wed, 15 Jul 2020 17:04:49 -0700 Subject: [PATCH 049/141] lack of an empty config file was resulting into this error ``` Traceback (most recent call last): File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/tests/test_acme.py", line 159, in test_request_certificate self.acme.request_certificate(mock_acme, [], mock_order) File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/plugin.py", line 211, in request_certificate current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): TypeError: strptime() argument 1 must be str, not MagicMock ``` --- lemur/plugins/lemur_acme/tests/test_acme.py | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/plugins/lemur_acme/tests/test_acme.py b/lemur/plugins/lemur_acme/tests/test_acme.py index 94949a74..8320a2de 100644 --- a/lemur/plugins/lemur_acme/tests/test_acme.py +++ b/lemur/plugins/lemur_acme/tests/test_acme.py 
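Review bot: Once `IDENTRUST_CROSS_SIGNED_LE_ICA` is set and the expiration date has not passed, the configured PEM replaces the ACME-provided chain unconditionally; nothing checks that the pinned intermediate is actually the issuer of `pem_certificate`, so if the CA starts issuing from a different intermediate before the configured date every new certificate is bundled with a chain that does not verify, and the only trace is the type-only debug line below. Since the hunk already works with `OpenSSL.crypto`, load the leaf and the pinned ICA, compare `leaf.get_issuer()` with `ica.get_subject()`, and fall back to the ACME chain with a warning when they differ, as sketched below. Separately, `datetime.datetime.now()` is local and naive while the certificate's notAfter is in GMT, so the cutover happens at local midnight of the configured day rather than at the real expiry; harmless here because it is earlier, but worth a comment. The enclosing method starts before the hunk.
```python
        # … unchanged: pem_certificate decode …
        pinned_ica = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False)
        if pinned_ica and datetime.datetime.now() < datetime.datetime.strptime(
                current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'):
            leaf = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_certificate)
            ica = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pinned_ica)
            if leaf.get_issuer() == ica.get_subject():
                pem_certificate_chain = pinned_ica
            else:
                # The issuing intermediate changed: the pinned cross-signed ICA would
                # not chain to this leaf, so use the chain the ACME server returned.
                current_app.logger.warning(
                    "IDENTRUST_CROSS_SIGNED_LE_ICA does not match the issuer of the new certificate; using the ACME-provided chain"
                )
                pem_certificate_chain = orderr.fullchain_pem[len(pem_certificate):].lstrip()
        else:
            pem_certificate_chain = orderr.fullchain_pem[len(pem_certificate):].lstrip()
        # … unchanged: debug logging …
```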
@@ -156,6 +156,7 @@ class TestAcme(unittest.TestCase): mock_acme.fetch_chain = Mock(return_value="mock_chain") mock_crypto.dump_certificate = Mock(return_value=b"chain") mock_order = Mock() + mock_current_app.config = {} self.acme.request_certificate(mock_acme, [], mock_order) def test_setup_acme_client_fail(self): From bc8eda2a6bd39f74410c7df78e6a610142a15f01 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Fri, 31 Jul 2020 17:54:18 -0700 Subject: [PATCH 050/141] fixing Dockerfile, Lemur builds now --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index fc83a034..a7f8c878 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,7 @@ RUN apt-get install -y make software-properties-common curl RUN curl -sL https://deb.nodesource.com/setup_7.x | bash - RUN apt-get update RUN apt-get install -y npm libldap2-dev libsasl2-dev libldap2-dev libssl-dev +RUN pip install pip==20.0.2 RUN pip install -U setuptools RUN pip install coveralls bandit WORKDIR /app From 85f18afa8102b588f5d52e8f47d1c824e802ab07 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 13:36:46 +0000 Subject: [PATCH 051/141] Bump pytest from 5.4.3 to 6.0.1 Bumps [pytest](https://github.com/pytest-dev/pytest) from 5.4.3 to 6.0.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/5.4.3...6.0.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index cd625630..3d5c4318 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt 
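Review bot: The new `RUN pip install pip==20.0.2` line in the Dockerfile hunk carries no comment saying what breaks with a newer pip, so whoever next bumps the base image cannot tell whether the constraint still applies or can be dropped; a one-line `# pin pip: <reason or issue reference>` (placeholder, fill in the actual cause) above it would keep that knowledge with the pin instead of only in the commit message.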
@@ -34,6 +34,7 @@ gitdb==4.0.4 # via gitpython gitpython==3.1.1 # via bandit idna==2.8 # via moto, requests importlib-metadata==1.6.0 # via jsonpickle +iniconfig==1.0.1 # via pytest itsdangerous==1.1.0 # via flask jinja2==2.11.2 # via flask, moto jmespath==0.9.5 # via boto3, botocore @@ -52,7 +53,7 @@ packaging==20.3 # via pytest pathspec==0.8.0 # via black pbr==5.4.5 # via stevedore pluggy==0.13.1 # via pytest -py==1.8.1 # via pytest +py==1.9.0 # via pytest pyasn1==0.4.8 # via python-jose, rsa pycparser==2.20 # via cffi pyflakes==2.2.0 # via -r requirements-tests.in @@ -60,7 +61,7 @@ pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in pytest-mock==3.2.0 # via -r requirements-tests.in -pytest==5.4.3 # via -r requirements-tests.in, pytest-flask, pytest-mock +pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto pytz==2019.3 # via moto @@ -78,10 +79,9 @@ sortedcontainers==2.1.0 # via fakeredis sshpubkeys==3.1.0 # via moto stevedore==1.32.0 # via bandit text-unidecode==1.3 # via faker -toml==0.10.0 # via black +toml==0.10.0 # via black, pytest typed-ast==1.4.1 # via black urllib3==1.25.8 # via botocore, requests -wcwidth==0.1.9 # via pytest websocket-client==0.57.0 # via docker werkzeug==1.0.1 # via flask, moto, pytest-flask wrapt==1.12.1 # via aws-xray-sdk From 5c5e53b8ec635e6c8bb54bf35bee3ad5a58742eb Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 17:27:26 +0000 Subject: [PATCH 052/141] Bump botocore from 1.17.28 to 1.17.33 Bumps [botocore](https://github.com/boto/botocore) from 1.17.28 to 1.17.33. - [Release notes](https://github.com/boto/botocore/releases) - [Changelog](https://github.com/boto/botocore/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/botocore/compare/1.17.28...1.17.33) 
Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 4f70314f..63af4e4a 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -18,7 +18,7 @@ beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven boto3==1.14.28 # via -r requirements.txt -botocore==1.17.28 # via -r requirements.txt, boto3, s3transfer +botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index 3d5c4318..3212f033 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -12,7 +12,7 @@ bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in boto3==1.14.28 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.28 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index a57f6205..eb4be2fd 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,7 +16,7 @@ beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven boto3==1.14.28 # via -r requirements.in -botocore==1.17.28 # via -r requirements.in, boto3, s3transfer +botocore==1.17.33 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in 
From de0e646cf9d7a02e1b660b942270f01568f24783 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 17:38:07 +0000 Subject: [PATCH 053/141] Bump boto3 from 1.14.28 to 1.14.33 Bumps [boto3](https://github.com/boto/boto3) from 1.14.28 to 1.14.33. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.28...1.14.33) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 63af4e4a..3d1ed54c 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -17,7 +17,7 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.28 # via -r requirements.txt +boto3==1.14.33 # via -r requirements.txt botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests diff --git a/requirements-tests.txt b/requirements-tests.txt index 3212f033..7fd13f76 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,7 +10,7 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.28 # via aws-sam-translator, moto +boto3==1.14.33 # via aws-sam-translator, moto boto==2.49.0 # via moto botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests diff --git a/requirements.txt b/requirements.txt index eb4be2fd..46723b0d 100644 
--- a/requirements.txt +++ b/requirements.txt @@ -15,7 +15,7 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.28 # via -r requirements.in +boto3==1.14.33 # via -r requirements.in botocore==1.17.33 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests From d07464f3b1245b521da7ded21cfd8af66d34ec21 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Mon, 3 Aug 2020 16:14:14 -0700 Subject: [PATCH 054/141] updating documentation for cross-signed ICA --- docs/production/index.rst | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/docs/production/index.rst b/docs/production/index.rst index b91ed6bd..67e97dae 100644 --- a/docs/production/index.rst +++ b/docs/production/index.rst 
@@ -451,3 +451,53 @@ LetsEncrypt flow to function. However, Lemur will attempt to automatically deter possible. To enable this functionality, periodically (or through Cron/Celery) run `lemur dns_providers get_all_zones`. This command will traverse all DNS providers, determine which zones they control, and upload this list of zones to Lemur's database (in the dns_providers table). Alternatively, you can manually input this data. + + +LetsEncrypt: pinning to cross-signed ICA +---------------------------------------- + +Let's Encrypt has been using a `cross-signed `_ intermediate CA by DST Root CA X3, +which is included in many older devices' TrustStore. + + +Let's Encrypt is `transitioning `_ to use +the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. +This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. + + +Lemur can temporarily pin to the cross-signed intermediate CA (same public/private key pair as the ICA signed by ISRG X1). +This will prolong support for incompatible devices. 
+ +The following must be added to the config file to activate the pinning (the pinning will be removed by September 2021):: + + # remove or update after Mar 17 16:40:46 2021 GMT + IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE = "17/03/21" + IDENTRUST_CROSS_SIGNED_LE_ICA = """ + -----BEGIN CERTIFICATE----- + MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow + SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT + GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC + AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF + q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 + SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 + Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA + a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj + /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T + AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG + CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv + bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k + c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw + VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC + ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz + MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu + Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF + AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo + uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ + wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu + X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG + PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 + KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== + -----END CERTIFICATE----- + """ 
From 69b64c63ea8670f479afe73bace1921cb7a9fc24 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:22:13 -0700 Subject: [PATCH 055/141] Honor selected algorithm during certificate cloning --- .../static/app/angular/certificates/certificate/certificate.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 21f61f22..83b0cfe8 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -212,12 +212,14 @@ angular.module('lemur') }) .controller('CertificateCloneController', function ($scope, $uibModalInstance, CertificateApi, CertificateService, DestinationService, AuthorityService, AuthorityApi, PluginService, MomentService, WizardHandler, LemurRestangular, NotificationService, toaster, editId) { + $scope.certificate = LemurRestangular.restangularizeElement(null, {}, 'certificates'); CertificateApi.get(editId).then(function (certificate) { $scope.certificate = certificate; $scope.certificate.name = ''; // we should prefer the generated name $scope.certificate.csr = null; // should not clone CSR in case other settings are changed in clone $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; + $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone CertificateService.getDefaults($scope.certificate); }); From e75e472a1acd95989bdc87d36b14b4b050a280fb Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:23:24 -0700 Subject: [PATCH 056/141] Do not inherit replacement info during cert clone --- .../static/app/angular/certificates/certificate/certificate.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 83b0cfe8..bb4e7db6 100644 
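Review bot: The added `$scope.certificate.keyType = 'RSA2048';` unconditionally overwrites the source certificate's key type inside the CertificateApi.get callback, so cloning an ECC or RSA4096 certificate silently proposes an RSA2048 key despite the commit title saying the selected algorithm is honored. If the intent is only to guarantee the dropdown has a value, keep the original when present: `$scope.certificate.keyType = certificate.keyType || 'RSA2048'; // keep source key type, fall back to default`. The new `restangularizeElement(null, {}, 'certificates')` placeholder presumably exists so the template can call element methods before the GET resolves; a one-line comment saying so would spare the next reader the guess. The CertificateCloneController body continues outside the hunk.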
--- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -215,11 +215,14 @@ angular.module('lemur') $scope.certificate = LemurRestangular.restangularizeElement(null, {}, 'certificates'); CertificateApi.get(editId).then(function (certificate) { $scope.certificate = certificate; + // prepare the certificate for cloning $scope.certificate.name = ''; // we should prefer the generated name $scope.certificate.csr = null; // should not clone CSR in case other settings are changed in clone $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone + $scope.certificate.replacedBy = []; // should not clone 'replaced by' info + $scope.certificate.removeReplaces(); // should not clone 'replacement cert' info CertificateService.getDefaults($scope.certificate); }); From 404d213e8f83fa254bea43f60581cce4a9c413c3 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:24:06 -0700 Subject: [PATCH 057/141] Modified cert description to have cert id being cloned --- lemur/static/app/angular/certificates/certificate/certificate.js | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index bb4e7db6..155658e6 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js 
@@ -221,6 +221,7 @@ angular.module('lemur') $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone + $scope.certificate.description = 'Cloning from cert ID ' + editId; $scope.certificate.replacedBy = []; // should not clone 'replaced by' info $scope.certificate.removeReplaces(); // should not clone 'replacement cert' info CertificateService.getDefaults($scope.certificate); From a7082f7332f999f47901cdba803163c8f7fba130 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 10 Aug 2020 13:43:11 +0000 Subject: [PATCH 058/141] Bump cloudflare from 2.8.8 to 2.8.9 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.8 to 2.8.9. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.8...2.8.9) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 3d1ed54c..a154dbef 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.8 # via -r requirements.txt +cloudflare==2.8.9 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 46723b0d..d9e86d97 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.8 # via -r requirements.in +cloudflare==2.8.9 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 25125f32576cb7ac47d063d3f0a1c8cd7446a495 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 17:30:34 -0700 Subject: [PATCH 059/141] Cert validity should not exceed 397 days for publicly trusted issuers --- lemur/common/validators.py | 12 ++++++++++++ lemur/plugins/lemur_digicert/plugin.py | 6 +++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index e1dfe3c1..4aecb97e 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -152,6 +152,18 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) + # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity + # for certs issued by public CA + # The list of public issuers can be managed through a config named PUBLIC_CA + public_CA = current_app.config.get("PUBLIC_CA", []) + if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: + max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + if ( + (data.get("validity_end").date() - data.get("validity_start").date()).days + > max_validity_days + ): + raise ValidationError("Certificate cannot be valid for more than " + + str(max_validity_days) + " days") return data diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index e5c4b2ce..32a5375a 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
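Review bot: The new public-CA check calls `.date()` on `data.get("validity_end")` and `data.get("validity_start")`, so if either key is missing the validator raises AttributeError rather than a ValidationError; the earlier part of dates() (outside the hunk) may guarantee both are present, but `data["validity_end"]` would make that assumption explicit, or guard with `if data.get("validity_start") and data.get("validity_end"):`. This cap is an allow-list driven purely by operator config — an authority not named in the list gets no limit at all — and the comment should say so rather than only describing the default of 397. The `>` against whole-day differences means exactly 397 days is accepted and 398 rejected; stating that inclusive boundary in the comment avoids off-by-one confusion with the 398-day figure used by browser root programs.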
@@ -82,11 +82,11 @@ def determine_end_date(end_date): :param end_date: :return: validity_end """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_validity_end = arrow.utcnow().shift(years=current_app.config.get("DIGICERT_MAX_VALIDITY", default_years)) + default_days = current_app.config.get("DIGICERT_DEFAULT_VALIDITY_DAYS", 397) + max_validity_end = arrow.utcnow().shift(days=current_app.config.get("DIGICERT_MAX_VALIDITY_DAYS", default_days)) if not end_date: - end_date = arrow.utcnow().shift(years=default_years) + end_date = arrow.utcnow().shift(days=default_days) if end_date > max_validity_end: end_date = max_validity_end From d7d483fa9b2f4b84993ced286c0b3d0e40c3627d Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 18:06:45 -0700 Subject: [PATCH 060/141] Renaming PUBLIC_CA to PUBLIC_CA_AUTHORITY_NAMES --- lemur/common/validators.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index 4aecb97e..74095255 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -155,7 +155,7 @@ def dates(data): # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity # for certs issued by public CA # The list of public issuers can be managed through a config named PUBLIC_CA - public_CA = current_app.config.get("PUBLIC_CA", []) + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) if ( From 8a1563db547ea098855bb39edc2db20567107aae Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 18:07:46 -0700 Subject: [PATCH 061/141] Updating Lemur docs to capture Digicert validity config changes --- docs/administration.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
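Review bot: The ceiling in determine_end_date is entirely config-driven — `DIGICERT_MAX_VALIDITY_DAYS` defaults to `DIGICERT_DEFAULT_VALIDITY_DAYS` — so an operator who raises the default above 397 also raises the cap, and the plugin will request a validity DigiCert's public CA will refuse. A bound independent of configuration preserves the commit's intent: `max_validity_end = arrow.utcnow().shift(days=min(current_app.config.get("DIGICERT_MAX_VALIDITY_DAYS", default_days), 397))`; if private-CA profiles (`DIGICERT_PRIVATE`) legitimately need longer lifetimes, gate the hard cap on that flag. There is also no lower bound: an `end_date` earlier than now passes through unchanged, which is presumably caught by a caller not visible here. The docstring still says only `:return: validity_end`; it should mention that the result is clamped.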
diff --git a/docs/administration.rst b/docs/administration.rst index 157af478..a6d93af7 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -729,16 +729,16 @@ The following configuration properties are required to use the Digicert issuer p This is the root to be used for your CA chain -.. data:: DIGICERT_DEFAULT_VALIDITY +.. data:: DIGICERT_DEFAULT_VALIDITY_DAYS :noindex: - This is the default validity (in years), if no end date is specified. (Default: 1) + This is the default validity (in days), if no end date is specified. (Default: 397) -.. data:: DIGICERT_MAX_VALIDITY +.. data:: DIGICERT_MAX_VALIDITY_DAYS :noindex: - This is the maximum validity (in years). (Default: value of DIGICERT_DEFAULT_VALIDITY) + This is the maximum validity (in days). (Default: value of DIGICERT_DEFAULT_VALIDITY_DAYS) .. data:: DIGICERT_PRIVATE From 747df683a9292561710e5a5c426640317590f4b0 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 11 Aug 2020 01:40:26 +0000 Subject: [PATCH 062/141] Bump sphinx from 3.1.2 to 3.2.0 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.1.2...v3.2.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a154dbef..7e187213 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.1.2 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From e06dea106fbcb704b59bcefea5646bd816a8a368 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 17:10:29 -0700 Subject: [PATCH 063/141] Modify unit test test_determine_end_date to match new config --- lemur/plugins/lemur_digicert/tests/test_digicert.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index 8bfd1dcf..ca2ddf68 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py 
@@ -32,11 +32,11 @@ def test_determine_validity_years(mock_current_app): @patch("lemur.plugins.lemur_digicert.plugin.current_app") def test_determine_end_date(mock_current_app): - mock_current_app.config.get = Mock(return_value=2) + mock_current_app.config.get = Mock(return_value=397) # 397 days validity with freeze_time(time_to_freeze=arrow.get(2016, 11, 3).datetime): - assert arrow.get(2018, 11, 3) == plugin.determine_end_date(0) - assert arrow.get(2018, 5, 7) == plugin.determine_end_date(arrow.get(2018, 5, 7)) - assert arrow.get(2018, 11, 3) == plugin.determine_end_date(arrow.get(2020, 5, 7)) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(0) # 397 days from (2016, 11, 3) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(arrow.get(2017, 12, 5)) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(arrow.get(2020, 5, 7)) @patch("lemur.plugins.lemur_digicert.plugin.current_app") From 3cb386cc0f5d1db7bdd6376530dd18f1f901dc54 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:02:42 -0700 Subject: [PATCH 064/141] maximum 1 year validity for digicert --- lemur/plugins/lemur_digicert/plugin.py | 18 ++++++++---------- .../lemur_digicert/tests/test_digicert.py | 11 ++++------- 2 files changed, 12 insertions(+), 17 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 32a5375a..9b3d4429 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
@@ -61,18 +61,16 @@ def signature_hash(signing_algorithm): def determine_validity_years(years): - """Given an end date determine how many years into the future that date is. - :param years: - :return: validity in years """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_years = current_app.config.get("DIGICERT_MAX_VALIDITY", default_years) + Considering maximum allowed certificate validity period of 398 days, this method should not return + more than 1 year of validity. Thus changing it to return 1. + Lemur will change this method in future to handle validity in months (determine_validity_months) + instead of years. This will allow flexibility to handle short-lived certificates. - if years > max_years: - return max_years - if years not in [1, 2, 3]: - return default_years - return years + :param years: + :return: 1 + """ + return 1 def determine_end_date(end_date): diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index ca2ddf68..4abfcf54 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -14,8 +14,6 @@ def config_mock(*args): "DIGICERT_ORG_ID": 111111, "DIGICERT_PRIVATE": False, "DIGICERT_DEFAULT_SIGNING_ALGORITHM": "sha256", - "DIGICERT_DEFAULT_VALIDITY": 1, - "DIGICERT_MAX_VALIDITY": 2, "DIGICERT_CIS_PROFILE_NAMES": {"digicert": 'digicert'}, "DIGICERT_CIS_SIGNING_ALGORITHMS": {"digicert": 'digicert'}, } 
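Review bot: `determine_validity_years` now ignores its `years` argument and always returns 1, so a request for 2 or 3 years is silently downgraded with no signal to the requester or the logs. A one-line notice before the return makes the override visible: `if years != 1: current_app.logger.warning("DigiCert validity capped at 1 year (requested %s)", years)`. The dropped reads also turn `DIGICERT_DEFAULT_VALIDITY` and `DIGICERT_MAX_VALIDITY` into dead configuration; the docstring is the place to say those keys are no longer honored so operators do not expect them to work. The parameter should keep its docstring entry as "accepted for interface compatibility, ignored" rather than the bare `:param years:`.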
@@ -24,10 +22,9 @@ def config_mock(*args): @patch("lemur.plugins.lemur_digicert.plugin.current_app") def test_determine_validity_years(mock_current_app): - mock_current_app.config.get = Mock(return_value=2) assert plugin.determine_validity_years(1) == 1 - assert plugin.determine_validity_years(0) == 2 - assert plugin.determine_validity_years(3) == 2 + assert plugin.determine_validity_years(0) == 1 + assert plugin.determine_validity_years(3) == 1 @patch("lemur.plugins.lemur_digicert.plugin.current_app") @@ -52,7 +49,7 @@ def test_map_fields_with_validity_years(mock_current_app): "owner": "bob@example.com", "description": "test certificate", "extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}}, - "validity_years": 2 + "validity_years": 1 } expected = { "certificate": { @@ -62,7 +59,7 @@ def test_map_fields_with_validity_years(mock_current_app): "signature_hash": "sha256", }, "organization": {"id": 111111}, - "validity_years": 2, + "validity_years": 1, } assert expected == plugin.map_fields(options, CSR_STR) From 8d2fffba87e1de3086abc8b1a4b549d9b9b75675 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:51:41 -0700 Subject: [PATCH 065/141] Add new configs to the doc --- docs/administration.rst | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index a6d93af7..9f377119 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -66,7 +66,7 @@ Basic Configuration .. data:: SQLALCHEMY_POOL_SIZE -:noindex: + :noindex: The default connection pool size is 5 for sqlalchemy managed connections. Depending on the number of Lemur instances, please specify per instance connection pool size. Below is an example to set connection pool size to 10. 
@@ -80,7 +80,7 @@ Basic Configuration This is an optional setting but important to review and set for optimal database connection usage and for overall database performance. .. data:: SQLALCHEMY_MAX_OVERFLOW -:noindex: + :noindex: This setting allows to create connections in addition to specified number of connections in pool size. By default, sqlalchemy allows 10 connections to create in addition to the pool size. This is also an optional setting. If `SQLALCHEMY_POOL_SIZE` and @@ -155,6 +155,22 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s='] +.. data:: PUBLIC_CA_AUTHORITY_NAMES + :noindex: + A list of public issuers which would be checked against to determine whether limit of max validity of 397 days + should be applied to the certificate. Configure public CA authority names in this list to enforce validity check. + This is an optional setting. Using this will allow the sanity check as mentioned. The name check is a case-insensitive + string comparision. + +.. data:: PUBLIC_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 397 days of validity for certificates issued by public issuers configured + using PUBLIC_CA_AUTHORITY_NAMES. Below example overrides the default validity of 397 days and sets it to 365 days. + + :: + + PUBLIC_CA_MAX_VALIDITY_DAYS = 365 + .. data:: DEBUG_DUMP :noindex: From 2645c4a82d0ff299d007e6db221801d780313366 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:53:19 -0700 Subject: [PATCH 066/141] mention 397 for digicert plugin --- lemur/plugins/lemur_digicert/plugin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 9b3d4429..fd8c4e2d 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
@@ -62,8 +62,8 @@ def signature_hash(signing_algorithm): def determine_validity_years(years): """ - Considering maximum allowed certificate validity period of 398 days, this method should not return - more than 1 year of validity. Thus changing it to return 1. + Considering maximum allowed certificate validity period of 397 days, this method should not return + more than 1 year of validity. Thus changing it to always return 1. Lemur will change this method in future to handle validity in months (determine_validity_months) instead of years. This will allow flexibility to handle short-lived certificates. From 4d7c6844e5217ae9d7c583a2ba33be88fb897410 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:12:07 -0700 Subject: [PATCH 067/141] Make Organizational Unit optional --- .../angular/authorities/authority/distinguishedName.tpl.html | 3 +-- .../certificates/certificate/distinguishedName.tpl.html | 4 +--- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html index 33b0ba4b..c6a7d312 100644 --- a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html +++ b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html @@ -46,8 +46,7 @@ Organizational Unit
- -

You must enter a organizational unit

+
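Review bot: Removing `required` and the "You must enter a organizational unit" message from both distinguishedName templates makes OU optional only in the browser; nothing in this commit changes the API schema or the CSR builder, so if the server side still rejects an empty OU the form now lets users submit requests that fail at the API, and if it does not, an empty string may end up as an empty `OU=` attribute in the CSR — worth confirming against the authority and certificate schemas (not visible here). A `placeholder="Optional"` on the two inputs would tell users the field may be left blank now that the validation hint is gone. The surrounding form markup starts before and ends after the hunks.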
diff --git a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html index 19102b03..72f168a0 100644 --- a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html @@ -62,9 +62,7 @@
-

You must - enter a organizational unit

+ class="form-control"/>
From 7011a4df8b8bfed11baaad7cc21f02f43c0b6f58 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:47:55 -0700 Subject: [PATCH 068/141] max date on UI as per max validity configs --- docs/administration.rst | 11 +++++++++++ lemur/authorities/schemas.py | 2 ++ lemur/certificates/models.py | 10 ++++++++++ .../certificates/certificate/tracking.tpl.html | 4 ++-- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index 9f377119..df027f70 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,6 +172,17 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 +.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is + not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of + 365 days and sets it to 90 days. + + :: + + INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + + .. data:: DEBUG_DUMP :noindex: diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 9f9d4686..e77c6456 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -110,6 +110,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() + max_issuance_date = fields.DateTime() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) @@ -135,6 +136,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) authority_update_schema = AuthorityUpdateSchema() 
diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 58630ee6..9ea45409 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -311,6 +311,16 @@ class Certificate(db.Model): def validity_range(self): return self.not_after - self.not_before + @property + def max_issuance_date(self): + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) + if self.name.lower() in [ca.lower() for ca in public_CA]: + default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + else: + default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year + issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) + return arrow.utcnow().shift(days=issuance_validity_days) + @property def subject(self): return self.parsed_cert.subject diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 027add0f..47de640e 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html @@ -154,7 +154,7 @@ is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,7 +174,7 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="End Date" From 599a6943e2aaa366c012dd2286eeb84b21f31e58 Mon Sep 17 00:00:00 2001 
From: sayali Date: Tue, 18 Aug 2020 15:14:34 -0700 Subject: [PATCH 069/141] Updating LEMUR_DEFAULT_ORGANIZATIONAL_UNIT to empty string --- docs/administration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administration.rst b/docs/administration.rst index df027f70..83747636 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -240,7 +240,7 @@ and are used when Lemur creates the CSR for your certificates. :: - LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "Operations" + LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "" .. data:: LEMUR_DEFAULT_ISSUER_PLUGIN From 5ed109e998c3a10e30657910154dbae7b87aeec3 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:34:59 -0700 Subject: [PATCH 070/141] Max end date as per start date + default validity 3 years --- lemur/authorities/schemas.py | 4 ++-- lemur/certificates/models.py | 10 ++++------ .../certificates/certificate/tracking.tpl.html | 7 ++++--- .../static/app/angular/certificates/services.js | 16 ++++++++++++++++ .../app/angular/pending_certificates/services.js | 15 +++++++++++++++ 5 files changed, 41 insertions(+), 11 deletions(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index e77c6456..34ad1564 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -110,7 +110,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() - max_issuance_date = fields.DateTime() + max_issuance_days = fields.Integer() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) 
@@ -136,7 +136,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() - authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_days"]) authority_update_schema = AuthorityUpdateSchema() diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 9ea45409..5f6c4ba9 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -312,14 +312,12 @@ class Certificate(db.Model): return self.not_after - self.not_before @property - def max_issuance_date(self): + def max_issuance_days(self): public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if self.name.lower() in [ca.lower() for ca in public_CA]: - default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - else: - default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year - issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) - return arrow.utcnow().shift(days=issuance_validity_days) + return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + + return current_app.config.get("DEFAULT_MAX_VALIDITY_DAYS", 1095) # 3 years default @property def subject(self): diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 47de640e..07d6b0f4 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html 
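Review bot: `max_issuance_days` decides whether the 397-day public-CA cap applies by matching `self.name` — the authority certificate's own name — against `PUBLIC_CA_AUTHORITY_NAMES`, whereas the server-side validator added earlier in this series matches `data["authority"].name`. If an authority's certificate is stored under a different name than the authority (plausible, since Lemur generates certificate names), the UI will offer a 1095-day range the API then rejects, or the reverse; resolving through the authority relation, or documenting that the two names must be identical, would keep them consistent. `DEFAULT_MAX_VALIDITY_DAYS` is only surfaced to the UI here and nothing server-side enforces it, so the property's docstring should call it a display hint, not a policy control. The property also lives on every Certificate although it is only meaningful for authority certificates; say so in the docstring.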
@@ -151,10 +151,11 @@ uib-tooltip="yyyy/MM/dd" uib-datepicker-popup="yyyy/MM/dd" ng-model="certificate.validityStart" + ng-change="certificate.setValidityEndDateRange(certificate.validityStart)" is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" + max-date="certificate.authority.authorityCertificate.notAfter" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,8 +175,8 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" - min-date="certificate.authority.authorityCertificate.notBefore" + max-date="certificate.authority.authorityCertificate.maxValidityEnd" + min-date="certificate.authority.authorityCertificate.minValidityEnd" alt-input-formats="altInputFormats" placeholder="End Date" /> diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 3a23076d..7d46f4ca 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js @@ -164,6 +164,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); 
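Review bot: `setValidityEndDateRange` computes `maxValidityEnd` as the start date plus `maxIssuanceDays` without clamping to `authorityCertificate.notAfter`, so once the chosen start is within maxIssuanceDays of the CA certificate's expiry the picker offers end dates the CA cannot sign and the server-side dates validator will reject. Two lines fix it: `const caNotAfter = new Date(this.authority.authorityCertificate.notAfter);` and `this.authority.authorityCertificate.maxValidityEnd = endDate > caNotAfter ? caNotAfter : endDate;`. Because `ng-change` fires when the start field is cleared, `new Date(value)` is then built from a null or undefined value; a guard `if (!value) { return; }` at the top avoids publishing a bogus range. The function also stores UI-only state (`minValidityEnd`, `maxValidityEnd`) on the API's authorityCertificate object; a comment noting these fields are client-side and never sent back would help the next reader.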
@@ -264,6 +276,9 @@ angular.module('lemur') } } + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; + if (certificate.dnsProviderId) { certificate.dnsProvider = {id: certificate.dnsProviderId}; } @@ -292,3 +307,4 @@ angular.module('lemur') return CertificateService; }); + diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index 4e1b23e4..a9bb8079 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -144,6 +144,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); @@ -230,6 +242,9 @@ angular.module('lemur') certificate.authority = defaults.authority; } } + + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; }); }; From e79dda338452cbe8507cdd3bc8ced8814270748b Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:47:38 -0700 Subject: [PATCH 071/141] doc update DEFAULT_MAX_VALIDITY_DAYS --- docs/administration.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
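Review bot: The two new assignments dereference `defaults.authority.authorityCertificate` unconditionally, while the guarded `certificate.authority = defaults.authority;` just above suggests `defaults.authority` may be absent, in which case the defaults callback aborts with a TypeError; wrap them in `if (defaults.authority && defaults.authority.authorityCertificate) { ... }`. Seeding `maxValidityEnd` with `notAfter` also means that until the user changes the start date the end-date picker allows the authority's full lifetime rather than the `maxIssuanceDays` range enforced after `setValidityEndDateRange` runs; initialising it from today plus `maxIssuanceDays` (capped at `notAfter`) would keep both paths consistent. The identical lines added to lemur/static/app/angular/pending_certificates/services.js in this commit have the same two issues.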
diff --git a/docs/administration.rst b/docs/administration.rst index 83747636..846a4c34 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,15 +172,15 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 -.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS +.. data:: DEFAULT_MAX_VALIDITY_DAYS :noindex: - Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is - not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of - 365 days and sets it to 90 days. + Use this config to override the default limit of 1095 days (3 years) of validity. Any CA which is not listed in + PUBLIC_CA_AUTHORITY_NAMES will be using this validity to display date range on UI. Below example overrides the + default validity of 1095 days and sets it to 365 days. :: - INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + DEFAULT_MAX_VALIDITY_DAYS = 365 .. data:: DEBUG_DUMP From 7a9500eee0919c2340f172d37dce6aa77f18c521 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 20:03:15 -0700 Subject: [PATCH 072/141] Lint error fix --- lemur/static/app/angular/certificates/services.js | 6 ++++-- lemur/static/app/angular/pending_certificates/services.js | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 7d46f4ca..881a443a 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js 
@@ -167,8 +167,10 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; - + if(this.validityEnd) { + this.validityEnd = ''; + } + // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index a9bb8079..2f99eb7d 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -147,7 +147,9 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; + if(this.validityEnd) { + this.validityEnd = ''; + } // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; From ab4cda2298d90b2805eed8d61bb335696cb1b0a6 Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Wed, 19 Aug 2020 12:25:52 +0200 Subject: [PATCH 073/141] Extended ADCS_TEMPLATE_ Variable If there is a config variable ADCS_TEMPLATE_ take the value as Cert template else default to ADCS_TEMPLATE to be compatible with former versions --- lemur/plugins/lemur_adcs/plugin.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_adcs/plugin.py b/lemur/plugins/lemur_adcs/plugin.py index a69afc90..4b4eb20c 100644 --- a/lemur/plugins/lemur_adcs/plugin.py +++ b/lemur/plugins/lemur_adcs/plugin.py 
@@ -40,7 +40,10 @@ class ADCSIssuerPlugin(IssuerPlugin): adcs_user = current_app.config.get("ADCS_USER") adcs_pwd = current_app.config.get("ADCS_PWD") adcs_auth_method = current_app.config.get("ADCS_AUTH_METHOD") - adcs_template = current_app.config.get("ADCS_TEMPLATE") + # if there is a config variable ADCS_TEMPLATE_ take the value as Cert template + # else default to ADCS_TEMPLATE to be compatible with former versions + authority = issuer_options.get("authority").name.upper() + adcs_template = current_app.config.get("ADCS_TEMPLATE_{0}".format(authority), current_app.config.get("ADCS_TEMPLATE")) ca_server = Certsrv( adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method ) From 07f1d751c45552fa777f8416d224f009445e29de Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 16:41:17 +0000 Subject: [PATCH 074/141] Bump acme from 1.6.0 to 1.7.0 Bumps [acme](https://github.com/letsencrypt/letsencrypt) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/letsencrypt/letsencrypt/releases) - [Commits](https://github.com/letsencrypt/letsencrypt/compare/v1.6.0...v1.7.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 7e187213..a70fc3ea 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements-docs.txt requirements-docs.in # -acme==1.6.0 # via -r requirements.txt +acme==1.7.0 # via -r requirements.txt alabaster==0.7.12 # via sphinx alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate diff --git a/requirements.txt b/requirements.txt index d9e86d97..86650ced 100644 --- a/requirements.txt +++ b/requirements.txt 
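Review bot: `issuer_options.get("authority").name.upper()` turns a missing `authority` option into an AttributeError on `None` rather than an error naming the field; `issuer_options["authority"].name.upper()` fails with a clear KeyError, or check for the key explicitly. The comment above should also say what the suffix is, e.g. `# Per-authority template: ADCS_TEMPLATE_<AUTHORITY NAME, upper-cased>; falls back to ADCS_TEMPLATE`, and note that `.upper()` does not normalise spaces or hyphens, so authority names containing them can only be configured via `app.config[...]` rather than a plain assignment in the settings file. Because the template decides what the CA will sign and the fallback to the global `ADCS_TEMPLATE` is silent, a `current_app.logger.debug` line recording which config key was used would help operators verify the right template was applied. The enclosing method starts outside the hunk.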
@@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements.txt requirements.in # -acme==1.6.0 # via -r requirements.in +acme==1.7.0 # via -r requirements.in alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu From c5106f5fa461cd5f867102a734ca543c86d08bec Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:19:48 +0000 Subject: [PATCH 075/141] Bump fakeredis from 1.4.1 to 1.4.3 Bumps [fakeredis](https://github.com/jamesls/fakeredis) from 1.4.1 to 1.4.3. - [Release notes](https://github.com/jamesls/fakeredis/releases) - [Commits](https://github.com/jamesls/fakeredis/compare/1.4.1...1.4.3) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 7fd13f76..10c3209b 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -26,7 +26,7 @@ docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==2.12.0 # via -r requirements-tests.in faker==4.1.1 # via -r requirements-tests.in, factory-boy -fakeredis==1.4.1 # via -r requirements-tests.in +fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==0.3.15 # via -r requirements-tests.in future==0.18.2 # via aws-xray-sdk From cbc328d0735583818021751a4851226a8b188868 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:28:39 +0000 Subject: [PATCH 076/141] Bump factory-boy from 2.12.0 to 3.0.1 Bumps [factory-boy](https://github.com/FactoryBoy/factory_boy) from 2.12.0 to 3.0.1. - [Release notes](https://github.com/FactoryBoy/factory_boy/releases) - [Changelog](https://github.com/FactoryBoy/factory_boy/blob/master/docs/changelog.rst) - [Commits](https://github.com/FactoryBoy/factory_boy/compare/2.12.0...3.0.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 10c3209b..4893d4e3 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -24,7 +24,7 @@ decorator==4.4.2 # via networkx docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys -factory-boy==2.12.0 # via -r requirements-tests.in +factory-boy==3.0.1 # via -r requirements-tests.in faker==4.1.1 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask From d4dfa63cf563dcfc313c659193d430d69494bcdf Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:41:18 +0000 Subject: [PATCH 077/141] Bump pre-commit from 2.6.0 to 2.7.1 Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 2.6.0 to 2.7.1. - [Release notes](https://github.com/pre-commit/pre-commit/releases) - [Changelog](https://github.com/pre-commit/pre-commit/blob/master/CHANGELOG.md) - [Commits](https://github.com/pre-commit/pre-commit/compare/v2.6.0...v2.7.1) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 2299848e..97ec82d1 100644 --- a/requirements-dev.txt 
+++ b/requirements-dev.txt @@ -24,7 +24,7 @@ keyring==21.2.0 # via twine mccabe==0.6.1 # via flake8 nodeenv==1.4.0 # via -r requirements-dev.in, pre-commit pkginfo==1.5.0.1 # via twine -pre-commit==2.6.0 # via -r requirements-dev.in +pre-commit==2.7.1 # via -r requirements-dev.in pycodestyle==2.3.1 # via flake8 pycparser==2.20 # via cffi pyflakes==1.6.0 # via flake8 From f7abfff51d3f83553d5f4d26cea2b368e8303256 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:54:14 +0000 Subject: [PATCH 078/141] Bump nodeenv from 1.4.0 to 1.5.0 Bumps [nodeenv](https://github.com/ekalinin/nodeenv) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/ekalinin/nodeenv/releases) - [Changelog](https://github.com/ekalinin/nodeenv/blob/master/CHANGES) - [Commits](https://github.com/ekalinin/nodeenv/compare/1.4.0...1.5.0) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 97ec82d1..a029d4ae 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -22,7 +22,7 @@ invoke==1.4.1 # via -r requirements-dev.in jeepney==0.4.3 # via keyring, secretstorage keyring==21.2.0 # via twine mccabe==0.6.1 # via flake8 -nodeenv==1.4.0 # via -r requirements-dev.in, pre-commit +nodeenv==1.5.0 # via -r requirements-dev.in, pre-commit pkginfo==1.5.0.1 # via twine pre-commit==2.7.1 # via -r requirements-dev.in pycodestyle==2.3.1 # via flake8 From 54ca1315cab536a6de33c7fc494c0292b55ed92a Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:03:20 +0000 Subject: [PATCH 079/141] Bump faker from 4.1.1 to 4.1.2 Bumps [faker](https://github.com/joke2k/faker) from 4.1.1 to 4.1.2. - [Release notes](https://github.com/joke2k/faker/releases) - [Changelog](https://github.com/joke2k/faker/blob/master/CHANGELOG.rst) - [Commits](https://github.com/joke2k/faker/compare/v4.1.1...v4.1.2) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 4893d4e3..ee406105 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -25,7 +25,7 @@ docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==3.0.1 # via -r requirements-tests.in -faker==4.1.1 # via -r requirements-tests.in, factory-boy +faker==4.1.2 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==0.3.15 # via -r requirements-tests.in From 50d5c15a69632e14c35ef1a77ed3f391b2893043 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:12:28 +0000 Subject: [PATCH 080/141] Bump sphinx from 3.2.0 to 3.2.1 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.2.0 to 3.2.1. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.2.0...v3.2.1) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a70fc3ea..202e0700 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.1 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From ced9696322ec0fad63022de83ec9d730a6d4e523 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:28:42 +0000 Subject: [PATCH 081/141] Bump inflection from 0.5.0 to 0.5.1 Bumps [inflection](https://github.com/jpvanhal/inflection) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/jpvanhal/inflection/releases) - [Commits](https://github.com/jpvanhal/inflection/compare/0.5.0...0.5.1) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 202e0700..1a2986d5 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -46,7 +46,7 @@ gunicorn==20.0.4 # via -r requirements.txt hvac==0.10.5 # via -r requirements.txt idna==2.9 # via -r requirements.txt, requests imagesize==1.2.0 # via sphinx -inflection==0.5.0 # via -r requirements.txt +inflection==0.5.1 # via -r requirements.txt itsdangerous==1.1.0 # via -r requirements.txt, flask javaobj-py3==0.4.0.1 # via -r requirements.txt, pyjks jinja2==2.11.2 # via -r requirements.txt, flask, sphinx diff --git a/requirements.txt b/requirements.txt index 86650ced..9a0a521c 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -43,7 +43,7 @@ future==0.18.2 # via -r requirements.in gunicorn==20.0.4 # via -r requirements.in hvac==0.10.5 # via -r requirements.in idna==2.9 # via requests -inflection==0.5.0 # via -r requirements.in +inflection==0.5.1 # via -r requirements.in itsdangerous==1.1.0 # via flask javaobj-py3==0.4.0.1 # via pyjks jinja2==2.11.2 # via -r requirements.in, flask From 4955ec8541b28ea88297a09ae4e7aef1b8357e7a Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:42:38 +0000 Subject: [PATCH 082/141] Bump pytest-mock from 3.2.0 to 3.3.0 Bumps [pytest-mock](https://github.com/pytest-dev/pytest-mock) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/pytest-dev/pytest-mock/releases) - [Changelog](https://github.com/pytest-dev/pytest-mock/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-mock/compare/v3.2.0...v3.3.0) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index ee406105..1dc1f48d 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -60,7 +60,7 @@ pyflakes==2.2.0 # via -r requirements-tests.in pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in -pytest-mock==3.2.0 # via -r requirements-tests.in +pytest-mock==3.3.0 # via -r requirements-tests.in pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto From beea47fd0934b76035302c9cb5830eaf67daa65f Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:55:27 +0000 Subject: [PATCH 083/141] Bump cloudflare from 2.8.9 to 2.8.13 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.9 to 2.8.13. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.9...2.8.13) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 1a2986d5..69679ebf 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.9 # via -r requirements.txt +cloudflare==2.8.13 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 9a0a521c..9a0a2833 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.9 # via -r requirements.in +cloudflare==2.8.13 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 9d37f8018a178fec7d2e7de78fc98edc671dda6b Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 19:04:47 +0000 Subject: [PATCH 084/141] Bump arrow from 0.15.8 to 0.16.0 Bumps [arrow](https://github.com/arrow-py/arrow) from 0.15.8 to 0.16.0. - [Release notes](https://github.com/arrow-py/arrow/releases) - [Changelog](https://github.com/arrow-py/arrow/blob/master/CHANGELOG.rst) - [Commits](https://github.com/arrow-py/arrow/compare/0.15.8...0.16.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 69679ebf..045c1832 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -10,7 +10,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate amqp==2.5.2 # via -r requirements.txt, kombu aniso8601==8.0.0 # via -r requirements.txt, flask-restful -arrow==0.15.8 # via -r requirements.txt +arrow==0.16.0 # via -r requirements.txt asyncpool==1.0 # via -r requirements.txt babel==2.8.0 # via sphinx bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko diff --git a/requirements.txt b/requirements.txt index 9a0a2833..2ecb1f9c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,7 +9,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu aniso8601==8.0.0 # via flask-restful -arrow==0.15.8 # via -r requirements.in +arrow==0.16.0 # via -r requirements.in asyncpool==1.0 # via -r requirements.in bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare From 1577f9956702e1b294840a9aa8fb4e6ca28941b4 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 19:17:13 +0000 Subject: [PATCH 085/141] Bump boto3 from 1.14.33 to 1.14.48 Bumps [boto3](https://github.com/boto/boto3) from 1.14.33 to 1.14.48. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.33...1.14.48) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 4 ++-- requirements-tests.txt | 4 ++-- requirements.txt | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 045c1832..0ee5d42e 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -17,8 +17,8 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.33 # via -r requirements.txt -botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer +boto3==1.14.48 # via -r requirements.txt +botocore==1.17.48 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index 1dc1f48d..303338c1 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt 
@@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.33 # via aws-sam-translator, moto +boto3==1.14.48 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.48 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index 2ecb1f9c..c79ec23d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,8 +15,8 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.33 # via -r requirements.in -botocore==1.17.33 # via -r requirements.in, boto3, s3transfer +boto3==1.14.48 # via -r requirements.in +botocore==1.17.48 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in From 1fc2e29ab8308dad99c5d235e41d84ee6f6b8788 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 25 Aug 2020 16:26:20 -0700 Subject: [PATCH 086/141] Remove 397 days validation as it causes error in API calls More to come in future --- lemur/common/validators.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index 74095255..e1dfe3c1 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py 
@@ -152,18 +152,6 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) - # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity - # for certs issued by public CA - # The list of public issuers can be managed through a config named PUBLIC_CA - public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) - if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: - max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - if ( - (data.get("validity_end").date() - data.get("validity_start").date()).days - > max_validity_days - ): - raise ValidationError("Certificate cannot be valid for more than " + - str(max_validity_days) + " days") return data From 75eaea3aad8d566bde91350cc8f12be0f0726e09 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Wed, 26 Aug 2020 01:38:17 -0700 Subject: [PATCH 087/141] fixing setup-git so build continues if ./git/hooks does not exist. --- Makefile | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 069eb29b..fb8b9afa 100644 --- a/Makefile +++ b/Makefile @@ -49,10 +49,13 @@ reset-db: cd lemur && lemur db upgrade setup-git: - @echo "--> Installing git hooks" - git config branch.autosetuprebase always - cd .git/hooks && ln -sf ../../hooks/* ./ - @echo "" + if [ -d .git/hooks ]; then \ + @echo "--> Installing git hooks"; \ + git config branch.autosetuprebase always; \ + cd .git/hooks && ln -sf ../../hooks/* ./; \ + @echo ""; \ + fi + clean: @echo "--> Cleaning static cache" From 91c2976bfc17f11cd2f5b1245a6a09d8654ddf86 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Wed, 26 Aug 2020 01:47:17 -0700 Subject: [PATCH 088/141] fixing Makefile build issue with @echo --- Makefile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index fb8b9afa..3312a41d 100644 --- a/Makefile +++ b/Makefile 
@@ -49,13 +49,12 @@ reset-db: cd lemur && lemur db upgrade setup-git: + @echo "--> Installing git hooks" if [ -d .git/hooks ]; then \ - @echo "--> Installing git hooks"; \ git config branch.autosetuprebase always; \ cd .git/hooks && ln -sf ../../hooks/* ./; \ - @echo ""; \ fi - + @echo "" clean: @echo "--> Cleaning static cache" From 9671b344859e5417a68a4fec1af646f1176dff25 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 27 Aug 2020 14:15:01 -0700 Subject: [PATCH 089/141] adding support for all type of ECC curves which existing CA plugins might support --- lemur/authorities/schemas.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 34ad1564..6bbeddd6 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -23,6 +23,7 @@ from lemur.common.schema import LemurInputSchema, LemurOutputSchema from lemur.common import validators, missing from lemur.common.fields import ArrowDateTime +from lemur.constants import CERTIFICATE_KEY_TYPES class AuthorityInputSchema(LemurInputSchema): @@ -61,7 +62,7 @@ class AuthorityInputSchema(LemurInputSchema): missing="sha256WithRSA", ) key_type = fields.String( - validate=validate.OneOf(["RSA2048", "RSA4096", "EC256"]), missing="RSA2048" + validate=validate.OneOf(CERTIFICATE_KEY_TYPES + ["EC256"]), missing="RSA2048" ) key_name = fields.String() sensitivity = fields.String( From 9a7a6324896c601f7e56c94b4ca693be489f65d4 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Fri, 28 Aug 2020 09:48:35 -0700 Subject: [PATCH 090/141] using a standard curve for testing --- lemur/tests/test_authorities.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/tests/test_authorities.py b/lemur/tests/test_authorities.py index 6090d0b6..fade39e8 100644 --- a/lemur/tests/test_authorities.py +++ b/lemur/tests/test_authorities.py 
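Review bot: `@echo "--> Installing git hooks"` is now printed even when `.git/hooks` does not exist and nothing is installed, which makes the skip invisible in build output; an `else echo "--> .git/hooks not found, skipping git hooks"; \` branch inside the shell conditional would make the outcome explicit. Moving the `@` make-prefix out of the shell `if` is the right fix for the previous commit's error, since `@` is not valid inside a shell command line.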
@@ -48,7 +48,7 @@ def test_authority_input_schema_ecc(client, role, issuer_plugin, logged_in_user) }, "type": "root", "signingAlgorithm": "sha256WithECDSA", - "keyType": "EC256", + "keyType": "ECCPRIME256V1", "sensitivity": "medium", } From d478def98cc85adfc8040c4144c31c03228a14a5 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Mon, 31 Aug 2020 16:35:47 -0700 Subject: [PATCH 091/141] removing the custom key Type and doing the conversion in the backend --- lemur/authorities/schemas.py | 2 +- lemur/static/app/angular/authorities/authority/options.tpl.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 6bbeddd6..7f9f57d4 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -62,7 +62,7 @@ class AuthorityInputSchema(LemurInputSchema): missing="sha256WithRSA", ) key_type = fields.String( - validate=validate.OneOf(CERTIFICATE_KEY_TYPES + ["EC256"]), missing="RSA2048" + validate=validate.OneOf(CERTIFICATE_KEY_TYPES), missing="RSA2048" ) key_name = fields.String() sensitivity = fields.String( diff --git a/lemur/static/app/angular/authorities/authority/options.tpl.html b/lemur/static/app/angular/authorities/authority/options.tpl.html index 7ba858a7..bf1ad70c 100644 --- a/lemur/static/app/angular/authorities/authority/options.tpl.html +++ b/lemur/static/app/angular/authorities/authority/options.tpl.html @@ -20,7 +20,7 @@ Key Type
-
From 9c4fb85dc3b513ec5f7051028845fbe70581f384 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 31 Aug 2020 18:19:32 -0700 Subject: [PATCH 092/141] Calculate dates from defaultDays in js --- docs/administration.rst | 7 +- .../certificates/certificate/certificate.js | 69 +++++++++++++++---- .../certificate/tracking.tpl.html | 12 ++-- 3 files changed, 65 insertions(+), 23 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index 35a9677d..2f71c0bf 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -174,9 +174,10 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c .. data:: DEFAULT_VALIDITY_DAYS :noindex: - Use this config to override the default validity of certificates offered through Lemur UI. Any CA which is not listed - in PUBLIC_CA_AUTHORITY_NAMES will be using this value as default validity to be displayed on UI. Below example overrides the - default validity of 365 days and sets it to 1095 days (3 years). + Use this config to override the default validity of 365 days for certificates offered through Lemur UI. Any CA which + is not listed in PUBLIC_CA_AUTHORITY_NAMES will be using this value as default validity to be displayed on UI. Please + note that this config is used for cert issuance only through Lemur UI. Below example overrides the default validity + of 365 days and sets it to 1095 days (3 years). :: diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 028377c5..6b275328 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js 
@@ -139,11 +139,13 @@ angular.module('lemur') ); $scope.create = function (certificate) { - if(certificate.validityType === 'dates' && + if(certificate.validityType === 'customDates' && (!certificate.validityStart || !certificate.validityEnd)) { // these are not mandatory fields in schema, thus handling validation in js return showMissingDateError(); } - delete certificate.validityType; + if(certificate.validityType === 'defaultDays') { + populateValidityDateAsPerDefault(certificate); + } WizardHandler.wizard().context.loading = true; CertificateService.create(certificate).then( @@ -171,19 +173,26 @@ angular.module('lemur') function showMissingDateError() { let error = {}; - error.message = ''; - error.reasons = {}; - error.reasons.validityRange = 'Valid start and end dates are needed, else select Default option'; + error.message = ''; + error.reasons = {}; + error.reasons.validityRange = 'Valid start and end dates are needed, else select Default option'; - toaster.pop({ - type: 'error', - title: 'Validation Error', - body: 'lemur-bad-request', - bodyOutputType: 'directive', - directiveData: error, - timeout: 100000 - }); - return; + toaster.pop({ + type: 'error', + title: 'Validation Error', + body: 'lemur-bad-request', + bodyOutputType: 'directive', + directiveData: error, + timeout: 100000 + }); + } + + function populateValidityDateAsPerDefault(certificate) { + // calculate start and end date as per default validity + let startDate = new Date(), endDate = new Date(); + endDate.setDate(startDate.getDate() + certificate.authority.authorityCertificate.defaultValidityDays); + certificate.validityStart = startDate; + certificate.validityEnd = endDate; } $scope.templates = [ 
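Review bot: `populateValidityDateAsPerDefault` and `showMissingDateError` are now defined verbatim in both controllers of this file (the second copy is in the following hunks), so a fix to one will silently miss the other; they belong in CertificateService or a shared helper called from both. `endDate.setDate(startDate.getDate() + certificate.authority.authorityCertificate.defaultValidityDays)` yields an Invalid Date if `defaultValidityDays` is undefined, and that value would then be submitted, so a guard before the arithmetic is worth adding. Dropping `delete certificate.validityType;` means `validityType` now travels to the API; confirm the input schema tolerates the extra field or strip it after use. `$scope.create` continues outside the hunk.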
@@ -299,6 +308,14 @@ angular.module('lemur')
 };
 $scope.create = function (certificate) {
+ if(certificate.validityType === 'customDates' &&
+ (!certificate.validityStart || !certificate.validityEnd)) { // these are not mandatory fields in schema, thus handling validation in js
+ return showMissingDateError();
+ }
+ if(certificate.validityType === 'defaultDays') {
+ populateValidityDateAsPerDefault(certificate);
+ }
+
 WizardHandler.wizard().context.loading = true;
 CertificateService.create(certificate).then(
 function () {
@@ -323,6 +340,30 @@ angular.module('lemur')
 });
 };
+ function showMissingDateError() {
+ let error = {};
+ error.message = '';
+ error.reasons = {};
+ error.reasons.validityRange = 'Valid start and end dates are needed, else select Default option';
+
+ toaster.pop({
+ type: 'error',
+ title: 'Validation Error',
+ body: 'lemur-bad-request',
+ bodyOutputType: 'directive',
+ directiveData: error,
+ timeout: 100000
+ });
+ }
+
+ function populateValidityDateAsPerDefault(certificate) {
+ // calculate start and end date as per default validity
+ let startDate = new Date(), endDate = new Date();
+ endDate.setDate(startDate.getDate() + certificate.authority.authorityCertificate.defaultValidityDays);
+ certificate.validityStart = startDate;
+ certificate.validityEnd = endDate;
+ }
+
 $scope.templates = [
 {
 'name': 'Client Certificate',
diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
index 26a167e5..e024972b 100644
--- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
+++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
@@ -133,17 +133,17 @@
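Review bot: `showMissingDateError` and `populateValidityDateAsPerDefault` in the `@@ -323,6 +340,30 @@` hunk are verbatim copies of the functions added to the first controller in the `@@ -171,19 +173,26 @@` hunk, and the validation block at the top of this `$scope.create` duplicates the first controller's as well. Keeping the validity computation in one shared place (a small service both controllers can use, alongside `CertificateService` which both already call) means a later fix to one copy cannot silently drift from the other. Both `$scope.create` bodies continue outside their hunks.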
-
-
-
+
-
+
+ Date: Mon, 31 Aug 2020 18:20:32 -0700 Subject: [PATCH 093/141] Logs during cert validity truncate for digicert
--- lemur/plugins/lemur_digicert/plugin.py | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index fd8c4e2d..4bd11bc8 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -18,8 +18,9 @@ import json
 import arrow
 import pem
 import requests
+import sys
 from cryptography import x509
-from flask import current_app
+from flask import current_app, g
 from lemur.common.utils import validate_conf
 from lemur.extensions import metrics
 from lemur.plugins import lemur_digicert as digicert
@@ -129,6 +130,9 @@ def map_fields(options, csr):
 data["validity_years"] = determine_validity_years(options.get("validity_years"))
 elif options.get("validity_end"):
 data["custom_expiration_date"] = determine_end_date(options.get("validity_end")).format("YYYY-MM-DD")
+ # check if validity got truncated. If resultant validity is not equal to requested validity, it just got truncated
+ if data["custom_expiration_date"] != options.get("validity_end"):
+ log_validity_truncation(options, f"{__name__}.{sys._getframe().f_code.co_name}")
 else:
 data["validity_years"] = determine_validity_years(0)
@@ -154,6 +158,9 @@ def map_cis_fields(options, csr):
 validity_end = determine_end_date(arrow.utcnow().shift(years=options["validity_years"]))
 elif options.get("validity_end"):
 validity_end = determine_end_date(options.get("validity_end"))
+ # check if validity got truncated. If resultant validity is not equal to requested validity, it just got truncated
+ if validity_end != options.get("validity_end"):
+ log_validity_truncation(options, f"{__name__}.{sys._getframe().f_code.co_name}")
 else:
 validity_end = determine_end_date(False)
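Review bot: Both new `log_validity_truncation` calls derive the caller's name through `sys._getframe().f_code.co_name`, a CPython-private API that the new `import sys` in the first hunk exists solely to support; passing the name literally, `log_validity_truncation(options, f"{__name__}.map_fields")` and `f"{__name__}.map_cis_fields"`, is simpler and portable. In `map_cis_fields` the truncation check compares the return value of `determine_end_date` directly with the raw `validity_end` option, so if `determine_end_date` normalises the timestamp in any way (its body is not in view) every request would be reported as truncated; comparing both sides in the same formatted form, as the following commit does for `map_fields`, would make the check reliable. Both `map_fields` and `map_cis_fields` continue outside their hunks.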
@@ -178,6 +185,16 @@ def map_cis_fields(options, csr):
 return data
+def log_validity_truncation(options, function):
+ log_data = {
+ "cn": options["common_name"],
+ "creator": g.user.username
+ }
+ metrics.send("digicert_validity_truncated", "counter", 1, metric_tags=log_data)
+
+ log_data["function"] = function
+ log_data["message"] = "Digicert Plugin truncated the validity of certificate, cn = {0}".format(options["common_name"])
+ current_app.logger.info(log_data)
 def handle_response(response):
 """
From 8ad4448c85d7e1c15ab4dba404aa92c00bfe8fbf Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 1 Sep 2020 12:44:49 -0700 Subject: [PATCH 094/141] Match date format for comparison + expected new lines
--- lemur/plugins/lemur_digicert/plugin.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index 4bd11bc8..ad4272dc 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -131,7 +131,7 @@ def map_fields(options, csr):
 elif options.get("validity_end"):
 data["custom_expiration_date"] = determine_end_date(options.get("validity_end")).format("YYYY-MM-DD")
 # check if validity got truncated. If resultant validity is not equal to requested validity, it just got truncated
- if data["custom_expiration_date"] != options.get("validity_end"):
+ if data["custom_expiration_date"] != options.get("validity_end").format("YYYY-MM-DD"):
 log_validity_truncation(options, f"{__name__}.{sys._getframe().f_code.co_name}")
 else:
 data["validity_years"] = determine_validity_years(0)
@@ -185,6 +185,7 @@ def map_cis_fields(options, csr):
 return data
+
 def log_validity_truncation(options, function):
 log_data = {
 "cn": options["common_name"],
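Review bot: `log_validity_truncation` reads `g.user.username` unconditionally, so if this plugin path is ever reached outside a request that populated `g.user` (a CLI command or a scheduled job, for example) the diagnostic helper itself raises `AttributeError` and the issuance fails because of logging. Reading it defensively, `"creator": getattr(getattr(g, "user", None), "username", None)`, keeps the log and the metric best-effort. Separately, the same dict is passed as `metric_tags`, so every distinct common name and username becomes a tag value on the counter; that is unbounded cardinality for a metrics backend, and the metric would be cheaper with fixed tags while the CN and creator stay in the log record only.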
@@ -196,6 +197,7 @@ def log_validity_truncation(options, function):
 log_data["message"] = "Digicert Plugin truncated the validity of certificate, cn = {0}".format(options["common_name"])
 current_app.logger.info(log_data)
+
 def handle_response(response):
 """
 Handle the DigiCert API response and any errors it might have experienced.
From 0077452e103bfe91ac6e15740101abb72eae1fa7 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Tue, 1 Sep 2020 15:26:23 -0700 Subject: [PATCH 095/141] fixing import order to fix travis builds
--- setup.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup.py b/setup.py
index 4ce03d70..471c5358 100644
--- a/setup.py
+++ b/setup.py
@@ -14,12 +14,12 @@ import json
 import os.path
 import datetime
-from distutils import log
-from distutils.core import Command
 from setuptools.command.develop import develop
 from setuptools.command.install import install
 from setuptools.command.sdist import sdist
 from setuptools import setup, find_packages
+from distutils import log
+from distutils.core import Command
 from subprocess import check_output
 import pip
From 77b67f613f0d1fe491b4cca365b2ffd2935d7e38 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Tue, 1 Sep 2020 16:07:47 -0700 Subject: [PATCH 096/141] removing dependency on distutils from setup.py
--- setup.py | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/setup.py b/setup.py
index 471c5358..e6624198 100644
--- a/setup.py
+++ b/setup.py
@@ -9,20 +9,20 @@ Is a TLS management and orchestration tool.
 """
 from __future__ import absolute_import
-import sys
-import json
-import os.path
 import datetime
-
-from setuptools.command.develop import develop
-from setuptools.command.install import install
-from setuptools.command.sdist import sdist
-from setuptools import setup, find_packages
-from distutils import log
-from distutils.core import Command
+import json
+import logging
+import os.path
+import sys
 from subprocess import check_output
 import pip
+from setuptools import Command
+from setuptools import setup, find_packages
+from setuptools.command.develop import develop
+from setuptools.command.install import install
+from setuptools.command.sdist import sdist
+
 if tuple(map(int, pip.__version__.split('.'))) >= (19, 3, 0):
 from pip._internal.network.session import PipSession
 from pip._internal.req import parse_requirements
@@ -105,16 +105,16 @@ class BuildStatic(Command):
 pass
 def run(self):
- log.info("running [npm install --quiet] in {0}".format(ROOT))
+ logging.info("running [npm install --quiet] in {0}".format(ROOT))
 try:
 check_output(['npm', 'install', '--quiet'], cwd=ROOT)
- log.info("running [gulp build]")
+ logging.info("running [gulp build]")
 check_output([os.path.join(ROOT, 'node_modules', '.bin', 'gulp'), 'build'], cwd=ROOT)
- log.info("running [gulp package]")
+ logging.info("running [gulp package]")
 check_output([os.path.join(ROOT, 'node_modules', '.bin', 'gulp'), 'package'], cwd=ROOT)
 except Exception as e:
- log.warn("Unable to build static content")
+ logging.warn("Unable to build static content")
 setup(
From 079e8ccf3b4590ba140712b0915826300e975dc7 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Tue, 1 Sep 2020 16:35:54 -0700 Subject: [PATCH 097/141] removing explicit dependencies on `import pip` and moving to pkg_resources
--- setup.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/setup.py b/setup.py
index e6624198..94774bc4 100644
--- a/setup.py
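Review bot: `logging.warn` in the `except` branch of `run` is the deprecated alias of `logging.warning`, and the caught exception `e` is bound but never reported, so a failed `npm install` or gulp step leaves only the fixed text "Unable to build static content" with no indication of what broke. `logging.warning("Unable to build static content: %s", e)` (or `logging.exception(...)` to keep the traceback) preserves the cause at no extra cost. The two `logging.info` calls that replace `log.info` go to the root logger, which only shows INFO if something has configured a handler at that level, so the progress messages may be silent where the distutils logger printed them — worth confirming when `build_static` is run. `run`'s enclosing class `BuildStatic` starts outside the hunk.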
+++ b/setup.py
@@ -16,18 +16,18 @@ import os.path
 import sys
 from subprocess import check_output
-import pip
+import pkg_resources
 from setuptools import Command
 from setuptools import setup, find_packages
 from setuptools.command.develop import develop
 from setuptools.command.install import install
 from setuptools.command.sdist import sdist
-if tuple(map(int, pip.__version__.split('.'))) >= (19, 3, 0):
+if tuple(map(int, pkg_resources.require("pip")[0].version.split('.'))) >= (19, 3, 0):
 from pip._internal.network.session import PipSession
- from pip._internal.req import parse_requirements
+ from pip._internal.req.req_file import parse_requirements
-elif tuple(map(int, pip.__version__.split('.'))) >= (10, 0, 0):
+elif tuple(map(int, pkg_resources.require("pip")[0].version.split('.'))) >= (10, 0, 0):
 from pip._internal.download import PipSession
 from pip._internal.req import parse_requirements
 else:
@@ -49,7 +49,7 @@ tests_require_g = parse_requirements("requirements-tests.txt", session=PipSessio
 docs_require_g = parse_requirements("requirements-docs.txt", session=PipSession())
 dev_requires_g = parse_requirements("requirements-dev.txt", session=PipSession())
-if tuple(map(int, pip.__version__.split('.'))) >= (20, 1):
+if tuple(map(int, pkg_resources.require("pip")[0].version.split('.'))) >= (20, 1):
 install_requires = [str(ir.requirement) for ir in install_requires_g]
 tests_require = [str(ir.requirement) for ir in tests_require_g]
 docs_require = [str(ir.requirement) for ir in docs_require_g]
From 4ec0430a61c412878e1d78c75a5d8a6eb93b9dd4 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Tue, 1 Sep 2020 16:41:09 -0700 Subject: [PATCH 098/141] adding SETUP_TOOLS_USE_DISTUTILS to travis build file
--- .travis.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.travis.yml b/.travis.yml
index f1abf3f3..b610a3dd 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -20,6 +20,7 @@ cache:
 env:
 global:
 - PIP_DOWNLOAD_CACHE=".pip_download_cache"
+ - SETUPTOOLS_USE_DISTUTILS=stdlib
 # do not load /etc/boto.cfg with Python 3 incompatible plugin
 # https://github.com/travis-ci/travis-ci/issues/5246#issuecomment-166460882
 - BOTO_CONFIG=/doesnotexist
From beba785b09f630731e3d2ec3dca7127e0bf236f6 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Tue, 1 Sep 2020 17:16:18 -0700 Subject: [PATCH 099/141] cleaning up requirements imports and adding comments to change to .travis.yml
--- .travis.yml | 1 + setup.py | 46 ++++++++++++++++------------------------------ 2 files changed, 17 insertions(+), 30 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index b610a3dd..f38555a0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -20,6 +20,7 @@ cache:
 env:
 global:
 - PIP_DOWNLOAD_CACHE=".pip_download_cache"
+ # The following line is a temporary workaround for this issue: https://github.com/pypa/setuptools/issues/2230
 - SETUPTOOLS_USE_DISTUTILS=stdlib
 # do not load /etc/boto.cfg with Python 3 incompatible plugin
 # https://github.com/travis-ci/travis-ci/issues/5246#issuecomment-166460882
diff --git a/setup.py b/setup.py
index 94774bc4..a612cd18 100644
--- a/setup.py
+++ b/setup.py
@@ -16,24 +16,12 @@ import os.path
 import sys
 from subprocess import check_output
-import pkg_resources
 from setuptools import Command
 from setuptools import setup, find_packages
 from setuptools.command.develop import develop
 from setuptools.command.install import install
 from setuptools.command.sdist import sdist
-if tuple(map(int, pkg_resources.require("pip")[0].version.split('.'))) >= (19, 3, 0):
- from pip._internal.network.session import PipSession
- from pip._internal.req.req_file import parse_requirements
-
-elif tuple(map(int, pkg_resources.require("pip")[0].version.split('.'))) >= (10, 0, 0):
- from pip._internal.download import PipSession
- from pip._internal.req import parse_requirements
-else:
- from pip.download import PipSession
- from pip.req import parse_requirements
-
 ROOT = os.path.realpath(os.path.join(os.path.dirname(__file__)))
 # When executing the setup.py, we need to be able to import ourselves, this
@@ -44,21 +32,18 @@ about = {}
 with open(os.path.join(ROOT, 'lemur', '__about__.py')) as f:
 exec(f.read(), about) # nosec: about file is benign
-install_requires_g = parse_requirements("requirements.txt", session=PipSession())
-tests_require_g = parse_requirements("requirements-tests.txt", session=PipSession())
-docs_require_g = parse_requirements("requirements-docs.txt", session=PipSession())
-dev_requires_g = parse_requirements("requirements-dev.txt", session=PipSession())
+# Parse requirements files
+with open('requirements.txt') as f:
+ install_requirements = f.read().splitlines()
-if tuple(map(int, pkg_resources.require("pip")[0].version.split('.'))) >= (20, 1):
- install_requires = [str(ir.requirement) for ir in install_requires_g]
- tests_require = [str(ir.requirement) for ir in tests_require_g]
- docs_require = [str(ir.requirement) for ir in docs_require_g]
- dev_requires = [str(ir.requirement) for ir in dev_requires_g]
-else:
- install_requires = [str(ir.req) for ir in install_requires_g]
- tests_require = [str(ir.req) for ir in tests_require_g]
- docs_require = [str(ir.req) for ir in docs_require_g]
- dev_requires = [str(ir.req) for ir in dev_requires_g]
+with open('requirements-tests.txt') as f:
+ tests_requirements = f.read().splitlines()
+
+with open('requirements-docs.txt') as f:
+ docs_requirements = f.read().splitlines()
+
+with open('requirements-dev.txt') as f:
+ dev_requirements = f.read().splitlines()
 class SmartInstall(install):
@@ -67,6 +52,7 @@ class SmartInstall(install):
 If the package indicator is missing, this will also force a run of
 `build_static` which is required for JavaScript assets and other things.
 """
+
 def _needs_static(self):
 return not os.path.exists(os.path.join(ROOT, 'lemur/static/dist'))
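Review bot: The four `open('requirements*.txt')` calls resolve relative to the current working directory, while the `__about__.py` read a few lines above is anchored on `ROOT`; a build driven from another directory (pip building from a copied checkout, or `python path/to/setup.py`) raises `FileNotFoundError`. Using `os.path.join(ROOT, 'requirements.txt')` for each of the four files keeps them consistent with the existing read. `f.read().splitlines()` also hands every line to setuptools verbatim — the pip-compile banner comments, blank lines and any option line such as `-r`, `-e` or `--index-url`; setuptools' requirement parser appears to skip blank and `#` lines, but an option line would make `install_requires` invalid, so a short comment stating that assumption (or an explicit filter dropping lines that start with `#` or `-`) would make the contract explicit.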
@@ -128,11 +114,11 @@ setup(
 packages=find_packages(),
 include_package_data=True,
 zip_safe=False,
- install_requires=install_requires,
+ install_requires=install_requirements,
 extras_require={
- 'tests': tests_require,
- 'docs': docs_require,
- 'dev': dev_requires,
+ 'tests': tests_requirements,
+ 'docs': docs_requirements,
+ 'dev': dev_requirements,
 },
 cmdclass={
 'build_static': BuildStatic,
From d5e51b3fc31c9d3138b1d3e035bdb7852610ca3e Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Tue, 1 Sep 2020 17:20:34 -0700 Subject: [PATCH 100/141] Remove changes to .travis.yml, moving them to new PR
--- .travis.yml | 2 -- 1 file changed, 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index f38555a0..f1abf3f3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -20,8 +20,6 @@ cache:
 env:
 global:
 - PIP_DOWNLOAD_CACHE=".pip_download_cache"
- # The following line is a temporary workaround for this issue: https://github.com/pypa/setuptools/issues/2230
- - SETUPTOOLS_USE_DISTUTILS=stdlib
 # do not load /etc/boto.cfg with Python 3 incompatible plugin
 # https://github.com/travis-ci/travis-ci/issues/5246#issuecomment-166460882
 - BOTO_CONFIG=/doesnotexist
From af4bb72be3ee7cd4e747265c0856060df0f1fd44 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Tue, 1 Sep 2020 17:28:42 -0700 Subject: [PATCH 101/141] adding SETUPTOOLS_USE_DISTUTILS environment variable to fix travis build issue
--- .travis.yml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/.travis.yml b/.travis.yml
index f1abf3f3..f38555a0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -20,6 +20,8 @@ cache:
 env:
 global:
 - PIP_DOWNLOAD_CACHE=".pip_download_cache"
+ # The following line is a temporary workaround for this issue: https://github.com/pypa/setuptools/issues/2230
+ - SETUPTOOLS_USE_DISTUTILS=stdlib
 # do not load /etc/boto.cfg with Python 3 incompatible plugin
 # https://github.com/travis-ci/travis-ci/issues/5246#issuecomment-166460882
 - BOTO_CONFIG=/doesnotexist
From 9af887cf954b5f59292a542a58482dbf332454d1 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Wed, 2 Sep 2020 17:13:23 +0000 Subject: [PATCH 102/141] Bump paramiko from 2.7.1 to 2.7.2 Bumps [paramiko](https://github.com/paramiko/paramiko) from 2.7.1 to 2.7.2. - [Release notes](https://github.com/paramiko/paramiko/releases) - [Changelog](https://github.com/paramiko/paramiko/blob/master/NEWS) - [Commits](https://github.com/paramiko/paramiko/compare/2.7.1...2.7.2) Signed-off-by: dependabot-preview[bot]
--- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 0ee5d42e..6a6afce8 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -62,7 +62,7 @@ marshmallow-sqlalchemy==0.23.1 # via -r requirements.txt
 marshmallow==2.20.4 # via -r requirements.txt, marshmallow-sqlalchemy
 ndg-httpsclient==0.5.1 # via -r requirements.txt
 packaging==20.3 # via sphinx
-paramiko==2.7.1 # via -r requirements.txt
+paramiko==2.7.2 # via -r requirements.txt
 pem==20.1.0 # via -r requirements.txt
 psycopg2==2.8.5 # via -r requirements.txt
 pyasn1-modules==0.2.8 # via -r requirements.txt, pyjks, python-ldap
diff --git a/requirements.txt b/requirements.txt
index c79ec23d..08f170b1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -58,7 +58,7 @@ markupsafe==1.1.1 # via jinja2, mako
 marshmallow-sqlalchemy==0.23.1 # via -r requirements.in
 marshmallow==2.20.4 # via -r requirements.in, marshmallow-sqlalchemy
 ndg-httpsclient==0.5.1 # via -r requirements.in
-paramiko==2.7.1 # via -r requirements.in
+paramiko==2.7.2 # via -r requirements.in
 pem==20.1.0 # via -r requirements.in
 psycopg2==2.8.5 # via -r requirements.in
 pyasn1-modules==0.2.8 # via pyjks, python-ldap
From 26dfe5f654eee9e6a33af5d7d7806ce6bc83dc9f Mon Sep 17 00:00:00 2001
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Thu, 3 Sep 2020 00:59:57 +0000 Subject: [PATCH 103/141] Bump cryptography from 3.0 to 3.1 Bumps [cryptography](https://github.com/pyca/cryptography) from 3.0 to 3.1. - [Release notes](https://github.com/pyca/cryptography/releases) - [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/3.0...3.1) Signed-off-by: dependabot-preview[bot]
--- requirements-dev.txt | 2 +- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/requirements-dev.txt b/requirements-dev.txt
index a029d4ae..166722e8 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -11,7 +11,7 @@ cffi==1.14.0 # via cryptography
 cfgv==3.1.0 # via pre-commit
 chardet==3.0.4 # via requests
 colorama==0.4.3 # via twine
-cryptography==3.0 # via secretstorage
+cryptography==3.1 # via secretstorage
 distlib==0.3.0 # via virtualenv
 docutils==0.16 # via readme-renderer
 filelock==3.0.12 # via virtualenv
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 6a6afce8..d6827e27 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -26,7 +26,7 @@ cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynac
 chardet==3.0.4 # via -r requirements.txt, requests
 click==7.1.1 # via -r requirements.txt, flask
 cloudflare==2.8.13 # via -r requirements.txt
-cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests
+cryptography==3.1 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests
 dnspython3==1.15.0 # via -r requirements.txt
 dnspython==1.15.0 # via -r requirements.txt, dnspython3
 docutils==0.15.2 # via -r requirements.txt, botocore, sphinx
diff --git a/requirements-tests.txt b/requirements-tests.txt
index 303338c1..5d7e4971 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -19,7 +19,7 @@ cfn-lint==0.29.5 # via moto
 chardet==3.0.4 # via requests
 click==7.1.1 # via black, flask
 coverage==5.2.1 # via -r requirements-tests.in
-cryptography==3.0 # via moto, sshpubkeys
+cryptography==3.1 # via moto, sshpubkeys
 decorator==4.4.2 # via networkx
 docker==4.2.0 # via moto
 docutils==0.15.2 # via botocore
diff --git a/requirements.txt b/requirements.txt
index 08f170b1..a7152a82 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -24,7 +24,7 @@ cffi==1.14.0 # via bcrypt, cryptography, pynacl
 chardet==3.0.4 # via requests
 click==7.1.1 # via flask
 cloudflare==2.8.13 # via -r requirements.in
-cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests
+cryptography==3.1 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests
 dnspython3==1.15.0 # via -r requirements.in
 dnspython==1.15.0 # via dnspython3
 docutils==0.15.2 # via botocore
From b9a30a2188df97913b07aaeb5c45567e039fd210 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Thu, 3 Sep 2020 04:34:55 +0000 Subject: [PATCH 104/141] Bump pytest-mock from 3.3.0 to 3.3.1 Bumps [pytest-mock](https://github.com/pytest-dev/pytest-mock) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/pytest-dev/pytest-mock/releases) - [Changelog](https://github.com/pytest-dev/pytest-mock/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-mock/compare/v3.3.0...v3.3.1) Signed-off-by: dependabot-preview[bot]
--- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements-tests.txt b/requirements-tests.txt
index 5d7e4971..93efcfa8 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -60,7 +60,7 @@ pyflakes==2.2.0 # via -r requirements-tests.in
 pyparsing==2.4.7 # via packaging
 pyrsistent==0.16.0 # via jsonschema
 pytest-flask==1.0.0 # via -r requirements-tests.in
-pytest-mock==3.3.0 # via -r requirements-tests.in
+pytest-mock==3.3.1 # via -r requirements-tests.in
 pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock
 python-dateutil==2.8.1 # via botocore, faker, freezegun, moto
 python-jose==3.1.0 # via moto
From 0d95d77a109bc0ff53efb09e1584274536e746e7 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Thu, 3 Sep 2020 05:04:07 +0000 Subject: [PATCH 105/141] Bump black from 19.10b0 to 20.8b1 Bumps [black](https://github.com/psf/black) from 19.10b0 to 20.8b1. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/master/CHANGES.md) - [Commits](https://github.com/psf/black/commits) Signed-off-by: dependabot-preview[bot]
--- requirements-tests.txt | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/requirements-tests.txt b/requirements-tests.txt
index 93efcfa8..c38f532b 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -5,11 +5,11 @@
 # pip-compile --no-index --output-file=requirements-tests.txt requirements-tests.in
 #
 appdirs==1.4.3 # via black
-attrs==19.3.0 # via black, jsonschema, pytest
+attrs==19.3.0 # via jsonschema, pytest
 aws-sam-translator==1.22.0 # via cfn-lint
 aws-xray-sdk==2.5.0 # via moto
 bandit==1.6.2 # via -r requirements-tests.in
-black==19.10b0 # via -r requirements-tests.in
+black==20.8b1 # via -r requirements-tests.in
 boto3==1.14.48 # via aws-sam-translator, moto
 boto==2.49.0 # via moto
 botocore==1.17.48 # via aws-xray-sdk, boto3, moto, s3transfer
@@ -17,7 +17,7 @@ certifi==2020.6.20 # via requests
 cffi==1.14.0 # via cryptography
 cfn-lint==0.29.5 # via moto
 chardet==3.0.4 # via requests
-click==7.1.1 # via black, flask
+click==7.1.2 # via black, flask
 coverage==5.2.1 # via -r requirements-tests.in
 cryptography==3.1 # via moto, sshpubkeys
 decorator==4.4.2 # via networkx
@@ -47,6 +47,7 @@ markupsafe==1.1.1 # via jinja2
 mock==4.0.2 # via moto
 more-itertools==8.2.0 # via pytest
 moto==1.3.14 # via -r requirements-tests.in
+mypy-extensions==0.4.3 # via black
 networkx==2.4 # via cfn-lint
 nose==1.3.7 # via -r requirements-tests.in
 packaging==20.3 # via pytest
@@ -79,8 +80,9 @@ sortedcontainers==2.1.0 # via fakeredis
 sshpubkeys==3.1.0 # via moto
 stevedore==1.32.0 # via bandit
 text-unidecode==1.3 # via faker
-toml==0.10.0 # via black, pytest
+toml==0.10.1 # via black, pytest
 typed-ast==1.4.1 # via black
+typing-extensions==3.7.4.3 # via black
 urllib3==1.25.8 # via botocore, requests
 websocket-client==0.57.0 # via docker
 werkzeug==1.0.1 # via flask, moto, pytest-flask
From 2fd05eed3dff8afaaf38fc0fb0b92f6158caf792 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Thu, 3 Sep 2020 05:13:48 +0000 Subject: [PATCH 106/141] Bump flask-cors from 3.0.8 to 3.0.9 Bumps [flask-cors](https://github.com/corydolphin/flask-cors) from 3.0.8 to 3.0.9. - [Release notes](https://github.com/corydolphin/flask-cors/releases) - [Changelog](https://github.com/corydolphin/flask-cors/blob/master/CHANGELOG.md) - [Commits](https://github.com/corydolphin/flask-cors/compare/3.0.8...3.0.9) Signed-off-by: dependabot-preview[bot]
--- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements-docs.txt b/requirements-docs.txt
index d6827e27..0bef8bf8 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -32,7 +32,7 @@ dnspython==1.15.0 # via -r requirements.txt, dnspython3
 docutils==0.15.2 # via -r requirements.txt, botocore, sphinx
 dyn==1.8.1 # via -r requirements.txt
 flask-bcrypt==0.7.1 # via -r requirements.txt
-flask-cors==3.0.8 # via -r requirements.txt
+flask-cors==3.0.9 # via -r requirements.txt
 flask-mail==0.9.1 # via -r requirements.txt
 flask-migrate==2.5.3 # via -r requirements.txt
 flask-principal==0.4.0 # via -r requirements.txt
diff --git a/requirements.txt b/requirements.txt
index a7152a82..5fbadd86 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -30,7 +30,7 @@ dnspython==1.15.0 # via dnspython3
 docutils==0.15.2 # via botocore
 dyn==1.8.1 # via -r requirements.in
 flask-bcrypt==0.7.1 # via -r requirements.in
-flask-cors==3.0.8 # via -r requirements.in
+flask-cors==3.0.9 # via -r requirements.in
 flask-mail==0.9.1 # via -r requirements.in
 flask-migrate==2.5.3 # via -r requirements.in
 flask-principal==0.4.0 # via -r requirements.in
From 86d37ced172e41a61d30812336de5ecedfc7af2c Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Thu, 3 Sep 2020 05:27:42 +0000 Subject: [PATCH 107/141] Bump boto3 from 1.14.48 to 1.14.54 Bumps [boto3](https://github.com/boto/boto3) from 1.14.48 to 1.14.54. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.48...1.14.54) Signed-off-by: dependabot-preview[bot]
--- requirements-docs.txt | 4 ++-- requirements-tests.txt | 4 ++-- requirements.txt | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 0bef8bf8..25727e8b 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -17,8 +17,8 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko
 beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare
 billiard==3.6.3.0 # via -r requirements.txt, celery
 blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven
-boto3==1.14.48 # via -r requirements.txt
-botocore==1.17.48 # via -r requirements.txt, boto3, s3transfer
+boto3==1.14.54 # via -r requirements.txt
+botocore==1.17.54 # via -r requirements.txt, boto3, s3transfer
 celery[redis]==4.4.2 # via -r requirements.txt
 certifi==2020.6.20 # via -r requirements.txt, requests
 certsrv==2.1.1 # via -r requirements.txt
diff --git a/requirements-tests.txt b/requirements-tests.txt
index c38f532b..55756963 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint
 aws-xray-sdk==2.5.0 # via moto
 bandit==1.6.2 # via -r requirements-tests.in
 black==20.8b1 # via -r requirements-tests.in
-boto3==1.14.48 # via aws-sam-translator, moto
+boto3==1.14.54 # via aws-sam-translator, moto
 boto==2.49.0 # via moto
-botocore==1.17.48 # via aws-xray-sdk, boto3, moto, s3transfer
+botocore==1.17.54 # via aws-xray-sdk, boto3, moto, s3transfer
 certifi==2020.6.20 # via requests
 cffi==1.14.0 # via cryptography
 cfn-lint==0.29.5 # via moto
diff --git a/requirements.txt b/requirements.txt
index 5fbadd86..1042d1b9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,8 +15,8 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko
 beautifulsoup4==4.9.1 # via cloudflare
 billiard==3.6.3.0 # via celery
 blinker==1.4 # via flask-mail, flask-principal, raven
-boto3==1.14.48 # via -r requirements.in
-botocore==1.17.48 # via -r requirements.in, boto3, s3transfer
+boto3==1.14.54 # via -r requirements.in
+botocore==1.17.54 # via -r requirements.in, boto3, s3transfer
 celery[redis]==4.4.2 # via -r requirements.in
 certifi==2020.6.20 # via -r requirements.in, requests
 certsrv==2.1.1 # via -r requirements.in
From 458b4b062cfe47fc59a46237b38ddb9dd4230c24 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 8 Sep 2020 06:13:59 +0000 Subject: [PATCH 108/141] Bump botocore from 1.17.54 to 1.17.56 Bumps [botocore](https://github.com/boto/botocore) from 1.17.54 to 1.17.56. - [Release notes](https://github.com/boto/botocore/releases) - [Changelog](https://github.com/boto/botocore/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/botocore/compare/1.17.54...1.17.56) Signed-off-by: dependabot-preview[bot]
--- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 25727e8b..436347b3 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -18,7 +18,7 @@ beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare
 billiard==3.6.3.0 # via -r requirements.txt, celery
 blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven
 boto3==1.14.54 # via -r requirements.txt
-botocore==1.17.54 # via -r requirements.txt, boto3, s3transfer
+botocore==1.17.56 # via -r requirements.txt, boto3, s3transfer
 celery[redis]==4.4.2 # via -r requirements.txt
 certifi==2020.6.20 # via -r requirements.txt, requests
 certsrv==2.1.1 # via -r requirements.txt
diff --git a/requirements-tests.txt b/requirements-tests.txt
index 55756963..97a5f63f 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -12,7 +12,7 @@ bandit==1.6.2 # via -r requirements-tests.in
 black==20.8b1 # via -r requirements-tests.in
 boto3==1.14.54 # via aws-sam-translator, moto
 boto==2.49.0 # via moto
-botocore==1.17.54 # via aws-xray-sdk, boto3, moto, s3transfer
+botocore==1.17.56 # via aws-xray-sdk, boto3, moto, s3transfer
 certifi==2020.6.20 # via requests
 cffi==1.14.0 # via cryptography
 cfn-lint==0.29.5 # via moto
diff --git a/requirements.txt b/requirements.txt
index 1042d1b9..f71f1d3c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,7 +16,7 @@ beautifulsoup4==4.9.1 # via cloudflare
 billiard==3.6.3.0 # via celery
 blinker==1.4 # via flask-mail, flask-principal, raven
 boto3==1.14.54 # via -r requirements.in
-botocore==1.17.54 # via -r requirements.in, boto3, s3transfer
+botocore==1.17.56 # via -r requirements.in, boto3, s3transfer
 celery[redis]==4.4.2 # via -r requirements.in
 certifi==2020.6.20 # via -r requirements.in, requests
 certsrv==2.1.1 # via -r requirements.in
From e0ba90d672b3eb52d9dcf35651665704e6f62974 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 8 Sep 2020 16:38:36 +0000 Subject: [PATCH 109/141] Bump freezegun from 0.3.15 to 1.0.0 Bumps [freezegun](https://github.com/spulec/freezegun) from 0.3.15 to 1.0.0. - [Release notes](https://github.com/spulec/freezegun/releases) - [Changelog](https://github.com/spulec/freezegun/blob/master/CHANGELOG) - [Commits](https://github.com/spulec/freezegun/compare/0.3.15...1.0.0) Signed-off-by: dependabot-preview[bot]
--- requirements-tests.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements-tests.txt b/requirements-tests.txt
index 97a5f63f..74142869 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -28,7 +28,7 @@ factory-boy==3.0.1 # via -r requirements-tests.in
 faker==4.1.2 # via -r requirements-tests.in, factory-boy
 fakeredis==1.4.3 # via -r requirements-tests.in
 flask==1.1.2 # via pytest-flask
-freezegun==0.3.15 # via -r requirements-tests.in
+freezegun==1.0.0 # via -r requirements-tests.in
 future==0.18.2 # via aws-xray-sdk
 gitdb==4.0.4 # via gitpython
 gitpython==3.1.1 # via bandit
@@ -74,7 +74,7 @@ requests==2.24.0 # via docker, moto, requests-mock, responses responses==0.10.12 # via moto rsa==4.0 # via python-jose s3transfer==0.3.3 # via boto3 -six==1.15.0 # via aws-sam-translator, bandit, cfn-lint, cryptography, docker, ecdsa, fakeredis, freezegun, jsonschema, moto, packaging, pyrsistent, python-dateutil, python-jose, requests-mock, responses, stevedore, websocket-client +six==1.15.0 # via aws-sam-translator, bandit, cfn-lint, cryptography, docker, ecdsa, fakeredis, jsonschema, moto, packaging, pyrsistent, python-dateutil, python-jose, requests-mock, responses, stevedore, websocket-client smmap==3.0.2 # via gitdb sortedcontainers==2.1.0 # via fakeredis sshpubkeys==3.1.0 # via moto From 6ef6fe40e6ebed1550241220ddb67ae6e82b2c2d Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 8 Sep 2020 16:46:51 +0000 Subject: [PATCH 110/141] Bump psycopg2 from 2.8.5 to 2.8.6 Bumps [psycopg2](https://github.com/psycopg/psycopg2) from 2.8.5 to 2.8.6. - [Release notes](https://github.com/psycopg/psycopg2/releases) - [Changelog](https://github.com/psycopg/psycopg2/blob/master/NEWS) - [Commits](https://github.com/psycopg/psycopg2/commits) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 436347b3..785fe42a 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -64,7 +64,7 @@ ndg-httpsclient==0.5.1 # via -r requirements.txt packaging==20.3 # via sphinx paramiko==2.7.2 # via -r requirements.txt pem==20.1.0 # via -r requirements.txt -psycopg2==2.8.5 # via -r requirements.txt +psycopg2==2.8.6 # via -r requirements.txt pyasn1-modules==0.2.8 # via -r requirements.txt, pyjks, python-ldap pyasn1==0.4.8 # via -r requirements.txt, ndg-httpsclient, pyasn1-modules, pyjks, python-ldap pycparser==2.20 # via -r requirements.txt, cffi diff --git a/requirements.txt b/requirements.txt index f71f1d3c..d3f3035e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -60,7 +60,7 @@ marshmallow==2.20.4 # via -r requirements.in, marshmallow-sqlalchemy ndg-httpsclient==0.5.1 # via -r requirements.in paramiko==2.7.2 # via -r requirements.in pem==20.1.0 # via -r requirements.in -psycopg2==2.8.5 # via -r requirements.in +psycopg2==2.8.6 # via -r requirements.in pyasn1-modules==0.2.8 # via pyjks, python-ldap pyasn1==0.4.8 # via ndg-httpsclient, pyasn1-modules, pyjks, python-ldap pycparser==2.20 # via cffi From aeead5363bb25ce595e68dcc1cc68acfb379adc6 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 8 Sep 2020 16:58:54 +0000 Subject: [PATCH 111/141] Bump boto3 from 1.14.54 to 1.14.56 Bumps [boto3](https://github.com/boto/boto3) from 1.14.54 to 1.14.56. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.54...1.14.56) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 785fe42a..37d50804 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -17,7 +17,7 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.54 # via -r requirements.txt +boto3==1.14.56 # via -r requirements.txt botocore==1.17.56 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests diff --git a/requirements-tests.txt b/requirements-tests.txt index 74142869..e9106767 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,7 +10,7 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==20.8b1 # via -r requirements-tests.in -boto3==1.14.54 # via aws-sam-translator, moto +boto3==1.14.56 # via aws-sam-translator, moto boto==2.49.0 # via moto botocore==1.17.56 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests diff --git a/requirements.txt b/requirements.txt index d3f3035e..64e41b3c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,7 +15,7 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.54 # via -r requirements.in +boto3==1.14.56 # via -r requirements.in botocore==1.17.56 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests From de0c38e9ba90a6709a1e5a3e88ea36f2dd1de2f2 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Wed, 9 Sep 2020 19:47:51 -0700 Subject: [PATCH 112/141] mapping of curve name to key_type --- lemur/common/utils.py | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/lemur/common/utils.py b/lemur/common/utils.py index c33722b2..528a6a57 100644 
--- a/lemur/common/utils.py
+++ b/lemur/common/utils.py
@@ -114,6 +114,41 @@ def get_authority_key(body):
 return authority_key.hex()
 
 
+def get_key_type_from_ec_curve(curve_name):
+ """
+ Give an EC curve name, return the matching key_type.
+
+ :param: curve_name
+ :return: key_type
+ """
+
+ _CURVE_TYPES = {
+ ec.SECP192R1().name: "ECCPRIME192V1",
+ ec.SECP256R1().name: "ECCPRIME256V1",
+ ec.SECP192R1().name: "ECCSECP192R1",
+ ec.SECP224R1().name: "ECCSECP224R1",
+ ec.SECP256R1().name: "ECCSECP256R1",
+ ec.SECP384R1().name: "ECCSECP384R1",
+ ec.SECP521R1().name: "ECCSECP521R1",
+ ec.SECP256K1().name: "ECCSECP256K1",
+ ec.SECT163K1().name: "ECCSECT163K1",
+ ec.SECT233K1().name: "ECCSECT233K1",
+ ec.SECT283K1().name: "ECCSECT283K1",
+ ec.SECT409K1().name: "ECCSECT409K1",
+ ec.SECT571K1().name: "ECCSECT571K1",
+ ec.SECT163R2().name: "ECCSECT163R2",
+ ec.SECT233R1().name: "ECCSECT233R1",
+ ec.SECT283R1().name: "ECCSECT283R1",
+ ec.SECT409R1().name: "ECCSECT409R1",
+ ec.SECT571R1().name: "ECCSECT571R2",
+ }
+
+ if curve_name in _CURVE_TYPES.keys():
+ return _CURVE_TYPES[curve_name]
+ else:
+ return None
+
+
 def generate_private_key(key_type):
 """
 Generates a new private key based on key_type.
From 6fa15c4cb3b9f4387ba7d93614e238c706e1bd91 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Wed, 9 Sep 2020 19:48:21 -0700
Subject: [PATCH 113/141] methods to extract cn and key_type from csr
---
 lemur/certificates/utils.py | 44 +++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/lemur/certificates/utils.py b/lemur/certificates/utils.py
index 4e6cc4f1..e642e058 100644
--- a/lemur/certificates/utils.py
+++ b/lemur/certificates/utils.py
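Review bot: The last mapping entry reads `ec.SECT571R1().name: "ECCSECT571R2",`, which looks like a typo for `"ECCSECT571R1"` — as written a sect571r1 key gets a key_type string that presumably no reverse entry in generate_private_key recognises (that dict is only partly visible on this page). `ec.SECP192R1().name` and `ec.SECP256R1().name` each appear twice as keys, so the second value wins silently; a later commit in this series removes the duplicates but leaves the typo. The lookup can simply be `return _CURVE_TYPES.get(curve_name)`, and since the literal instantiates eighteen curve objects on every call it belongs at module level as a constant rather than inside the function. Docstring nits: `Give an EC curve name` should read `Given an EC curve name`, and `:param: curve_name` should be `:param curve_name: curve name as reported by cryptography's curve classes`.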
@@ -12,6 +12,8 @@ Utils to parse certificate data.
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from marshmallow.exceptions import ValidationError
+from cryptography.hazmat.primitives.asymmetric import rsa, ec
+from lemur.common.utils import get_key_type_from_ec_curve
 
 
 def get_sans_from_csr(data):
@@ -39,3 +41,45 @@ def get_sans_from_csr(data):
 pass
 
 return sub_alt_names
+
+
+def get_cn_from_csr(data):
+ """
+ Fetches common name (CN) from CSR.
+ Works with any kind of SubjectAlternativeName
+ :param data: PEM-encoded string with CSR
+ :return: the common name
+ """
+ try:
+ request = x509.load_pem_x509_csr(data.encode("utf-8"), default_backend())
+ except Exception:
+ raise ValidationError("CSR presented is not valid.")
+
+ common_name = request.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)
+ return common_name[0].value
+
+
+def get_key_type_from_csr(data):
+ """
+ Fetches key_type from CSR.
+ Works with any kind of SubjectAlternativeName
+ :param data: PEM-encoded string with CSR
+ :return: key_type
+ """
+ try:
+ request = x509.load_pem_x509_csr(data.encode("utf-8"), default_backend())
+ except Exception:
+ raise ValidationError("CSR presented is not valid.")
+
+ try:
+ if isinstance(request.public_key(), rsa.RSAPublicKey):
+ return "RSA{key_size}".format(
+ key_size=request.public_key().key_size
+ )
+ elif isinstance(request.public_key(), ec.EllipticCurvePublicKey):
+ return get_key_type_from_ec_curve(request.public_key().curve.name)
+ else:
+ raise Exception("Unsupported key type")
+
+ except NotImplemented:
+ raise NotImplemented()
From 5ab9626cbd67c4fee01b41ecc8a5e2a288e63f39 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Wed, 9 Sep 2020 19:52:59 -0700
Subject: [PATCH 114/141] overwriting cn and key_type values from CSR, as they take precedence
---
 lemur/certificates/schemas.py | 7 +++++++
 1 file changed, 7 insertions(+)
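Review bot: `get_cn_from_csr` returns `common_name[0].value` without checking that the subject carries a CN at all, so a SAN-only CSR raises IndexError instead of the ValidationError the rest of the function uses; write `return common_name[0].value if common_name else None`, which also gives the `if common_name:` guard added in the schema commit something to act on. In `get_key_type_from_csr`, `except NotImplemented:` names the `NotImplemented` singleton rather than `NotImplementedError`, so any exception escaping the inner `try` becomes a TypeError about catching a non-BaseException class — use `except NotImplementedError:` or drop the wrapper, and turn `raise Exception("Unsupported key type")` into a ValidationError so callers see a single failure type. `request.public_key()` is re-derived in every branch; bind it once. The string built here later overwrites the submitted key_type and nothing in this hunk checks it against the key types Lemur accepts, so an RSA-1024 CSR yields `"RSA1024"` — worth validating before it is stored (the allowed set is outside this diff). Both docstrings copy "Works with any kind of SubjectAlternativeName" from get_sans_from_csr, which does not describe what these two functions do.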
diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py index 42e444bc..56c91196 100644 --- a/lemur/certificates/schemas.py +++ b/lemur/certificates/schemas.py @@ -148,6 +148,13 @@ class CertificateInputSchema(CertificateCreationSchema): data["extensions"]["subAltNames"]["names"] = [] data["extensions"]["subAltNames"]["names"] = csr_sans + + common_name = cert_utils.get_cn_from_csr(data["csr"]) + if common_name: + data["common_name"] = common_name + key_type = cert_utils.get_key_type_from_csr(data["csr"]) + if key_type: + data["key_type"] = key_type return missing.convert_validity_years(data) From 60fd2134ca3913a712a801fb5748cdc95d24a6e8 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Wed, 9 Sep 2020 19:53:35 -0700 Subject: [PATCH 115/141] removing duplicate curves, and marking them in existing mapping --- lemur/common/utils.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/lemur/common/utils.py b/lemur/common/utils.py index 528a6a57..01cc64ae 100644 --- a/lemur/common/utils.py +++ b/lemur/common/utils.py @@ -125,9 +125,7 @@ def get_key_type_from_ec_curve(curve_name): _CURVE_TYPES = { ec.SECP192R1().name: "ECCPRIME192V1", ec.SECP256R1().name: "ECCPRIME256V1", - ec.SECP192R1().name: "ECCSECP192R1", ec.SECP224R1().name: "ECCSECP224R1", - ec.SECP256R1().name: "ECCSECP256R1", ec.SECP384R1().name: "ECCSECP384R1", ec.SECP521R1().name: "ECCSECP521R1", ec.SECP256K1().name: "ECCSECP256K1", @@ -163,11 +161,11 @@ def generate_private_key(key_type): """ _CURVE_TYPES = { - "ECCPRIME192V1": ec.SECP192R1(), - "ECCPRIME256V1": ec.SECP256R1(), - "ECCSECP192R1": ec.SECP192R1(), + "ECCPRIME192V1": ec.SECP192R1(), # duplicate + "ECCPRIME256V1": ec.SECP256R1(), # duplicate + "ECCSECP192R1": ec.SECP192R1(), # duplicate "ECCSECP224R1": ec.SECP224R1(), - "ECCSECP256R1": ec.SECP256R1(), + "ECCSECP256R1": ec.SECP256R1(), # duplicate "ECCSECP384R1": ec.SECP384R1(), "ECCSECP521R1": ec.SECP521R1(), "ECCSECP256K1": ec.SECP256K1(), 
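Review bot: `if key_type:` silently keeps the form-submitted key_type when `get_key_type_from_csr` returns None (an EC curve outside the mapping), so the stored key_type can disagree with the key actually in the CSR; raising a ValidationError in that branch is safer than falling through. The `if common_name:` guard has the same shape, but as committed `get_cn_from_csr` raises rather than returning None when the CN is absent, so the guard never sees that case. The override discards whatever common_name/key_type the user typed without a trace; a debug log line naming the overridden fields would answer the inevitable "why did my CN change" question. The enclosing pre-load method starts before the hunk.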
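Review bot: In generate_private_key the `# duplicate` marker sits on all four aliases, but get_key_type_from_ec_curve now returns `ECCPRIME192V1` and `ECCPRIME256V1` for secp192r1/secp256r1, so only `ECCSECP192R1` and `ECCSECP256R1` are the redundant spellings; marking just those two as `# alias of ECCPRIME192V1` / `# alias of ECCPRIME256V1` tells the reader which name the reverse mapping produces. Several entries in both tables (secp192r1 and the sect163 curves in particular) sit below the 112-bit security level; that is pre-existing, but a comment stating that the mapping is a name table and not an allow-list of acceptable curves would keep anyone from reading it as policy. Both dicts continue outside the hunk.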
From aff7ad7ea250fd3e20fdb490946f2e0e31e8a05c Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Wed, 9 Sep 2020 19:53:59 -0700 Subject: [PATCH 116/141] testing --- lemur/tests/test_utils.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lemur/tests/test_utils.py b/lemur/tests/test_utils.py index 2e117d25..1dac39bb 100644 --- a/lemur/tests/test_utils.py +++ b/lemur/tests/test_utils.py @@ -11,6 +11,12 @@ from lemur.tests.vectors import ( ) +def test_get_key_type_from_ec_curve(): + from lemur.common.utils import get_key_type_from_ec_curve + + assert get_key_type_from_ec_curve("secp256r1") == "ECCPRIME256V1" + + def test_generate_private_key(): from lemur.common.utils import generate_private_key From 4923157dc21759edc929b6eab968b94dbdceebfa Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Wed, 9 Sep 2020 19:54:20 -0700 Subject: [PATCH 117/141] expanding key_type to with EC support --- lemur/certificates/models.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 5f6c4ba9..a52ec1a8 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -9,9 +9,10 @@ from datetime import timedelta import arrow from cryptography import x509 -from cryptography.hazmat.primitives.asymmetric import rsa +from cryptography.hazmat.primitives.asymmetric import rsa, ec from flask import current_app from idna.core import InvalidCodepoint +from lemur.common.utils import get_key_type_from_ec_curve from sqlalchemy import ( event, Integer, @@ -302,6 +303,8 @@ class Certificate(db.Model): return "RSA{key_size}".format( key_size=self.parsed_cert.public_key().key_size ) + elif isinstance(self.parsed_cert.public_key(), ec.EllipticCurvePublicKey): + return get_key_type_from_ec_curve(self.parsed_cert.public_key().curve.name) @property def validity_remaining(self): From a7be8b6dceb1e71c2db93cea3e298ad849fe69d6 Mon Sep 17 00:00:00 2001 
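Review bot: The new test pins only the secp256r1 alias; adding `assert get_key_type_from_ec_curve("not-a-curve") is None` documents the None contract, and one assertion per mapped curve name (for example `assert get_key_type_from_ec_curve("sect571r1") == "ECCSECT571R1"`) would have caught the `ECCSECT571R2` string in the mapping. A round-trip through generate_private_key for each key_type the mapping can return would also confirm the two tables stay in sync.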
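Review bot: The added `elif` calls `self.parsed_cert.public_key()` twice and, like the RSA branch above it, lets the property fall off the end with an implicit None for any other algorithm or for an EC curve the helper does not map; binding `public_key = self.parsed_cert.public_key()` once and closing the property with an explicit `return None  # unsupported key algorithm` makes the contract visible. The property's signature and first `if` start before the hunk. Importing lemur.common.utils into models.py is new here; if utils imports anything from models the cycle will only surface at app start, so it is worth a quick check.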
From: Hossein Shafagh Date: Wed, 9 Sep 2020 19:54:53 -0700 Subject: [PATCH 118/141] adding support for different types of CSR encodings --- .../app/angular/certificates/certificate/options.tpl.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/static/app/angular/certificates/certificate/options.tpl.html b/lemur/static/app/angular/certificates/certificate/options.tpl.html index 7e47cf18..7e6ad428 100644 --- a/lemur/static/app/angular/certificates/certificate/options.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/options.tpl.html @@ -20,7 +20,7 @@ name="certificate signing request" ng-model="certificate.csr" placeholder="PEM encoded string..." class="form-control" - ng-pattern="/^-----BEGIN CERTIFICATE REQUEST-----/"> + ng-pattern="/(^-----BEGIN CERTIFICATE REQUEST-----[\S\s]*-----END CERTIFICATE REQUEST-----)|(^-----BEGIN NEW CERTIFICATE REQUEST-----[\S\s]*-----END NEW CERTIFICATE REQUEST-----)/">

Enter a valid certificate signing request.
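Review bot: The widened `ng-pattern` is a usability hint only, so the server-side parse (`x509.load_pem_x509_csr` in lemur/certificates/utils.py) remains the check that matters; OpenSSL's PEM reader accepts both the `CERTIFICATE REQUEST` and the legacy `NEW CERTIFICATE REQUEST` label, so the two sides should agree, but an API test submitting a `NEW CERTIFICATE REQUEST` CSR would pin that. The `[\S\s]*` body match accepts any content between the markers, which is fine for a client-side pattern; a short HTML comment naming the two PEM labels the backend accepts would keep the template and the server in step.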

From f47f108f43e0e9d452db0ff9185a4c9fc6306ee1 Mon Sep 17 00:00:00 2001 From: sirferl Date: Thu, 10 Sep 2020 16:03:29 +0200 Subject: [PATCH 119/141] ientrust plgin - first version --- lemur/plugins/lemur_entrust/plugin.py | 172 ++++++++++++++++++++++++++ 1 file changed, 172 insertions(+) create mode 100644 lemur/plugins/lemur_entrust/plugin.py diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py new file mode 100644 index 00000000..d1f4a301 --- /dev/null +++ b/lemur/plugins/lemur_entrust/plugin.py 
@@ -0,0 +1,172 @@ +from lemur.plugins.bases import IssuerPlugin, SourcePlugin +import arrow +import requests +import json +from lemur.plugins import lemur_entrust as ENTRUST +from OpenSSL import crypto +from flask import current_app +from lemur.extensions import metrics, sentry + + + +def log_status_code(r, *args, **kwargs): + """ + Is a request hook that logs all status codes to the ENTRUST api. + + :param r: + :param args: + :param kwargs: + :return: + """ + metrics.send("ENTRUST_status_code_{}".format(r.status_code), "counter", 1) + +def process_options(options): + """ + Processes and maps the incoming issuer options to fields/options that + Entrust understands + + :param options: + :return: dict of valid entrust options + """ + # if there is a config variable ENTRUST_PRODUCT_ + # take the value as Cert product-type + # else default to "STANDARD_SSL" + authority = options.get("authority").name.upper() + product_type = current_app.config.get("ENTRUST_PRODUCT_{0}".format(authority), "STANDARD_SSL") + expiry_date = arrow.utcnow().shift(years=1, days=+10).format('YYYY-MM-DD') + + tracking_data = { + "requesterName": current_app.config.get("ENTRUST_NAME"), + "requesterEmail": current_app.config.get("ENTRUST_EMAIL"), + "requesterPhone": current_app.config.get("ENTRUST_PHONE") + } + + data = { + "signingAlg": "SHA-2", + "eku": "SERVER_AND_CLIENT_AUTH", + "certType": product_type, + "certExpiryDate" : expiry_date, + "tracking": tracking_data + } + return data + +class EntrustIssuerPlugin(IssuerPlugin): + title = "ENTRUST" + slug = "entrust-issuer" + description = "Enables the creation of certificates by ENTRUST" + version = ENTRUST.VERSION + + author = "sirferl" + author_url = "https://github.com/sirferl/lemur" + + def __init__(self, *args, **kwargs): + """Initialize the issuer with the appropriate details.""" + self.session = requests.Session() + cert_file_path = current_app.config.get("ENTRUST_API_CERT") + key_file_path = current_app.config.get("ENTRUST_API_KEY") + 
user = current_app.config.get("ENTRUST_API_USER") + passw = current_app.config.get("ENTRUST_API_PASS") + self.session.cert = (cert_file_path, key_file_path) + self.session.auth = (user,passw) + self.session.hooks = dict(response=log_status_code) + # self.session.config['keep_alive'] = False + super(EntrustIssuerPlugin, self).__init__(*args, **kwargs) + + def create_certificate(self, csr, issuer_options): + """ + Creates an Entrust certificate. + + :param csr: + :param issuer_options: + :return: :raise Exception: + """ + current_app.logger.info( + "Requesting options: {0}".format(issuer_options) + ) + + url = current_app.config.get("ENTRUST_URL") + "/certificates" + + data = process_options(issuer_options) + data["csr"] = csr + current_req = arrow.utcnow().format('YYYY-MM-DD HH:mm:ss') + current_app.logger.info( + "Entrust-Request Data (id: {1}) : {0}".format(data, current_req) + ) + + + try: + response = self.session.post(url, json=data, timeout=(15, 40)) + except requests.exceptions.Timeout: + raise Exception("Timeout Error while posting to ENTRUST (ID: {0})".format(current_req)) + except requests.exceptions.RequestException as e: + raise Exception("Error while posting to ENTRUST (ID: {1}): {0}".format(e,current_req)) + + current_app.logger.info( + "After Post and Errorhandling (ID: {1}) : {0}".format(response.status_code, current_req) + ) + + response_dict = json.loads(response.content) + if response.status_code != 201: + raise Exception("Error with ENTRUST (ID: {1}): {0}".format(response_dict['errors'], current_req)) + current_app.logger.info("Response: {0}, {1} ".format(response.status_code, response_dict)) + external_id = response_dict['trackingId'] + cert = response_dict['endEntityCert'] + chain = response_dict['chainCerts'][1] + current_app.logger.info( + "Received Chain: {0}".format(chain) + ) + + return cert, chain, external_id + + @staticmethod + def create_authority(options): + """Create an authority. 
+ Creates an authority, this authority is then used by Lemur to + allow a user to specify which Certificate Authority they want + to sign their certificate. + + :param options: + :return: + """ + entrust_root = current_app.config.get("ENTRUST_ROOT") + entrust_issuing = current_app.config.get("ENTRUST_ISSUING") + role = {"username": "", "password": "", "name": "entrust"} + current_app.logger.info("Creating Auth: {0} {1}".format(options, entrust_issuing)) + return entrust_root, "" , [role] + + + def revoke_certificate(self, certificate, comments): + raise NotImplementedError("Not implemented\n", self, certificate, comments) + + def get_ordered_certificate(self, order_id): + raise NotImplementedError("Not implemented\n", self, order_id) + + def canceled_ordered_certificate(self, pending_cert, **kwargs): + raise NotImplementedError("Not implemented\n", self, pending_cert, **kwargs) + + +class EntrustSourcePlugin(SourcePlugin): + title = "ENTRUST" + slug = "entrust-source" + description = "Enables the collecion of certificates" + version = ENTRUST.VERSION + + author = "sirferl" + author_url = "https://github.com/sirferl/lemur" + options = [ + { + "name": "dummy", + "type": "str", + "required": False, + "validation": "/^[0-9]{12,12}$/", + "helpMessage": "Just to prevent error", + } + ] + + def get_certificates(self, options, **kwargs): + #Not needed for ENTRUST + raise NotImplementedError("Not implemented\n", self, options, **kwargs) + def get_endpoints(self, options, **kwargs): + # There are no endpoints in ENTRUST + raise NotImplementedError("Not implemented\n", self, options, **kwargs) + From a99a84b0b2c222920ccc6e8779cbe2fdfc15d7c0 Mon Sep 17 00:00:00 2001 From: sirferl Date: Thu, 10 Sep 2020 16:04:31 +0200 Subject: [PATCH 120/141] entrust plugin inital edit --- lemur/plugins/lemur_entrust/__init__.py | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 lemur/plugins/lemur_entrust/__init__.py 
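Review bot: `json.loads(response.content)` runs before the status check, so a non-JSON error body (a gateway page, or a 401 when the client-cert/basic-auth pair is rejected) surfaces as a JSONDecodeError rather than the ENTRUST error, and `response_dict['chainCerts'][1]` assumes a chain of at least two entries with the end-entity certificate first — an IndexError on any other shape. The rewrite below checks the status first, parses with `response.json()`, and validates the chain length before indexing; which element is the issuing CA is presumed from the index and should be confirmed against the API documentation. The request data logged at info level contains the CSR and the requester name/email/phone from `tracking`, and the full response dict is logged as well; those belong at debug level, or log only `trackingId` and the status code. `process_options` fixes `certExpiryDate` at now+1y+10d and never reads the validity the caller asked for in `issuer_options`, so the requested end date is silently ignored — either honour it (capped at the CA maximum) or state the behaviour in the docstring. `options.get("authority").name` raises AttributeError when the authority is missing, and since the docs require `ENTRUST_API_KEY` to point at an unencrypted key file, the class docstring should spell out the file-permission expectation for that path.
```python
        # … unchanged: session.post with Timeout/RequestException handling …
        if response.status_code != 201:
            raise Exception("Error with ENTRUST (ID: {1}): {0}".format(response.text, current_req))
        try:
            response_dict = response.json()
        except ValueError:
            raise Exception("Non-JSON response from ENTRUST (ID: {0})".format(current_req))
        chain_certs = response_dict.get("chainCerts") or []
        if len(chain_certs) < 2:
            raise Exception("ENTRUST response without chain (ID: {0})".format(current_req))
        # index 1 presumes chainCerts[0] is the end-entity cert — confirm against the API docs
        chain = chain_certs[1]
        external_id = response_dict["trackingId"]
        cert = response_dict["endEntityCert"]
        current_app.logger.debug("ENTRUST status {0} (ID: {1})".format(response.status_code, current_req))
        return cert, chain, external_id
```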
diff --git a/lemur/plugins/lemur_entrust/__init__.py b/lemur/plugins/lemur_entrust/__init__.py new file mode 100644 index 00000000..9186ef13 --- /dev/null +++ b/lemur/plugins/lemur_entrust/__init__.py @@ -0,0 +1,6 @@ +"""Set the version information.""" +try: + VERSION = __import__("pkg_resources").get_distribution(__name__).version +except Exception as e: + VERSION = "unknown" + From aa0a31f90e5ae5ad8bc5d75bae8875fb366fe7f5 Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Fri, 11 Sep 2020 11:16:23 +0200 Subject: [PATCH 121/141] Added entrust plugin --- setup.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup.py b/setup.py index a612cd18..4da14c3d 100644 --- a/setup.py +++ b/setup.py @@ -153,7 +153,9 @@ setup( 'vault_source = lemur.plugins.lemur_vault_dest.plugin:VaultSourcePlugin', 'vault_desination = lemur.plugins.lemur_vault_dest.plugin:VaultDestinationPlugin', 'adcs_issuer = lemur.plugins.lemur_adcs.plugin:ADCSIssuerPlugin', - 'adcs_source = lemur.plugins.lemur_adcs.plugin:ADCSSourcePlugin' + 'adcs_source = lemur.plugins.lemur_adcs.plugin:ADCSSourcePlugin', + 'entrust_issuer = lemur.plugins.lemur_entrust.plugin:EntrustIssuerPlugin', + 'entrust_source = lemur.plugins.lemur_entrust.plugin:EntrustSourcePlugin' ], }, classifiers=[ From 3487ecbaa7d667e2792928be64cb0ddea177f50b Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Fri, 11 Sep 2020 12:04:02 +0200 Subject: [PATCH 122/141] Added entrust plugin doc and amended ADCS --- docs/administration.rst | 69 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/docs/administration.rst b/docs/administration.rst index 846a4c34..fe6a5581 100644 --- a/docs/administration.rst +++ b/docs/administration.rst 
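Review bot: `except Exception as e:` binds `e` and never uses it, which flake8 reports as an unused variable — the later lint commit in this series only drops the trailing blank line — so write `except Exception:`. The broad catch is deliberate for an optional metadata lookup, so a one-line comment such as `# distribution metadata is optional; fall back when not installed as a package` would explain why it is not narrowed to `pkg_resources.DistributionNotFound`.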
@@ -652,13 +652,20 @@ Active Directory Certificate Services Plugin :noindex: Template to be used for certificate issuing. Usually display name w/o spaces + +.. data:: ADCS_TEMPLATE_ + :noindex: + If there is a config variable ADCS_TEMPLATE_ take the value as Cert template else default to ADCS_TEMPLATE to be compatible with former versions. Template to be used for certificate issuing. Usually display name w/o spaces .. data:: ADCS_START :noindex: + Used in ADCS-Sourceplugin. Minimum id of the first certificate to be returned. ID is increased by one until ADCS_STOP. Missing cert-IDs are ignored .. data:: ADCS_STOP :noindex: + Used for ADCS-Sourceplugin. Maximum id of the certificates returned. + .. data:: ADCS_ISSUING :noindex: 
@@ -671,6 +678,68 @@ Active Directory Certificate Services Plugin Contains the root cert of the CA +Entrust Plugin +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Enables the creation of Entrust certificates. You need to set the API access up with Entrust support. Check the information in the Entrust Portal as well. +Certificates are created as "SERVER_AND_CLIENT_AUTH". +Caution: Sometimes the entrust API does not respond in a timely manner. This error is handled and reported by the plugin. Should this happen you just have to hit the create button again after to create a valid certificate. +The following parameters have to be set in the configuration files. + +.. data:: ENTRUST_URL + :noindex: + + This is the url for the Entrust API. Refer to the API documentation. + +.. data:: ENTRUST_API_CERT + :noindex: + + Path to the certificate file in PEM format. This certificate is created in the onboarding process. Refer to the API documentation. + +.. data:: ENTRUST_API_KEY + :noindex: + + Path to the key file in RSA format. This certificate is created in the onboarding process. Refer to the API documentation. Caution: the request library cannot handle encrypted keys. The keyfile therefore has to contain the unencrypted key. Please put this in a secure location on the server. + +.. data:: ENTRUST_API_USER + :noindex: + + String with the API user. This user is created in the onboarding process. Refer to the API documentation. + +.. data:: ENTRUST_API_PASS + :noindex: + + String with the password for the API user. This password is created in the onboarding process. Refer to the API documentation. + +.. data:: ENTRUST_NAME + :noindex: + + String with the name that should appear as certificate owner in the Entrust portal. Refer to the API documentation. + +.. data:: ENTRUST_EMAIL + :noindex: + + String with the email address that should appear as certificate contact email in the Entrust portal. Refer to the API documentation. + +.. 
data:: ENTRUST_PHONE + :noindex: + + String with the phone number that should appear as certificate contact in the Entrust portal. Refer to the API documentation. + +.. data:: ENTRUST_ISSUING + :noindex: + + Contains the issuing cert of the CA + +.. data:: ENTRUST_ROOT + :noindex: + + Contains the root cert of the CA + +.. data:: ENTRUST_PRODUCT_ + :noindex: + + If there is a config variable ENTRUST_PRODUCT_ take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names. Verisign Issuer Plugin ~~~~~~~~~~~~~~~~~~~~~~ From de9ad82011e1c101dc9454b19da07cb5f4ddf39a Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Fri, 11 Sep 2020 12:24:33 +0200 Subject: [PATCH 123/141] Fixed Lint complaints --- lemur/plugins/lemur_entrust/plugin.py | 36 +++++++++++++-------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index d1f4a301..b1ba723d 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -3,10 +3,8 @@ import arrow import requests import json from lemur.plugins import lemur_entrust as ENTRUST -from OpenSSL import crypto from flask import current_app -from lemur.extensions import metrics, sentry - +from lemur.extensions import metrics def log_status_code(r, *args, **kwargs): @@ -20,6 +18,7 @@ def log_status_code(r, *args, **kwargs): """ metrics.send("ENTRUST_status_code_{}".format(r.status_code), "counter", 1) + def process_options(options): """ Processes and maps the incoming issuer options to fields/options that 
@@ -28,13 +27,13 @@ def process_options(options): :param options: :return: dict of valid entrust options """ - # if there is a config variable ENTRUST_PRODUCT_ + # if there is a config variable ENTRUST_PRODUCT_ # take the value as Cert product-type # else default to "STANDARD_SSL" authority = options.get("authority").name.upper() product_type = current_app.config.get("ENTRUST_PRODUCT_{0}".format(authority), "STANDARD_SSL") expiry_date = arrow.utcnow().shift(years=1, days=+10).format('YYYY-MM-DD') - + tracking_data = { "requesterName": current_app.config.get("ENTRUST_NAME"), "requesterEmail": current_app.config.get("ENTRUST_EMAIL"), @@ -44,12 +43,13 @@ def process_options(options): data = { "signingAlg": "SHA-2", "eku": "SERVER_AND_CLIENT_AUTH", - "certType": product_type, - "certExpiryDate" : expiry_date, + "certType": product_type, + "certExpiryDate": expiry_date, "tracking": tracking_data } return data + class EntrustIssuerPlugin(IssuerPlugin): title = "ENTRUST" slug = "entrust-issuer" @@ -67,7 +67,7 @@ class EntrustIssuerPlugin(IssuerPlugin): user = current_app.config.get("ENTRUST_API_USER") passw = current_app.config.get("ENTRUST_API_PASS") self.session.cert = (cert_file_path, key_file_path) - self.session.auth = (user,passw) + self.session.auth = (user, passw) self.session.hooks = dict(response=log_status_code) # self.session.config['keep_alive'] = False super(EntrustIssuerPlugin, self).__init__(*args, **kwargs) 
@@ -93,13 +93,12 @@ class EntrustIssuerPlugin(IssuerPlugin): "Entrust-Request Data (id: {1}) : {0}".format(data, current_req) ) - try: - response = self.session.post(url, json=data, timeout=(15, 40)) + response = self.session.post(url, json=data, timeout=(15, 40)) except requests.exceptions.Timeout: - raise Exception("Timeout Error while posting to ENTRUST (ID: {0})".format(current_req)) + raise Exception("Timeout Error while posting to ENTRUST (ID: {0})".format(current_req)) except requests.exceptions.RequestException as e: - raise Exception("Error while posting to ENTRUST (ID: {1}): {0}".format(e,current_req)) + raise Exception("Error while posting to ENTRUST (ID: {1}): {0}".format(e, current_req)) current_app.logger.info( "After Post and Errorhandling (ID: {1}) : {0}".format(response.status_code, current_req) @@ -107,7 +106,7 @@ class EntrustIssuerPlugin(IssuerPlugin): response_dict = json.loads(response.content) if response.status_code != 201: - raise Exception("Error with ENTRUST (ID: {1}): {0}".format(response_dict['errors'], current_req)) + raise Exception("Error with ENTRUST (ID: {1}): {0}".format(response_dict['errors'], current_req)) current_app.logger.info("Response: {0}, {1} ".format(response.status_code, response_dict)) external_id = response_dict['trackingId'] cert = response_dict['endEntityCert'] @@ -116,7 +115,7 @@ class EntrustIssuerPlugin(IssuerPlugin): "Received Chain: {0}".format(chain) ) - return cert, chain, external_id + return cert, chain, external_id @staticmethod def create_authority(options): 
@@ -132,8 +131,7 @@ class EntrustIssuerPlugin(IssuerPlugin): entrust_issuing = current_app.config.get("ENTRUST_ISSUING") role = {"username": "", "password": "", "name": "entrust"} current_app.logger.info("Creating Auth: {0} {1}".format(options, entrust_issuing)) - return entrust_root, "" , [role] - + return entrust_root, "", [role] def revoke_certificate(self, certificate, comments): raise NotImplementedError("Not implemented\n", self, certificate, comments) @@ -164,9 +162,9 @@ class EntrustSourcePlugin(SourcePlugin): ] def get_certificates(self, options, **kwargs): - #Not needed for ENTRUST - raise NotImplementedError("Not implemented\n", self, options, **kwargs) + # Not needed for ENTRUST + raise NotImplementedError("Not implemented\n", self, options, **kwargs + def get_endpoints(self, options, **kwargs): # There are no endpoints in ENTRUST raise NotImplementedError("Not implemented\n", self, options, **kwargs) - From fd52438d61a7489963da968b32607d1e575feaeb Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Fri, 11 Sep 2020 12:30:53 +0200 Subject: [PATCH 124/141] yet lint errors --- lemur/plugins/lemur_entrust/plugin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index b1ba723d..d8466513 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -33,7 +33,7 @@ def process_options(options): authority = options.get("authority").name.upper() product_type = current_app.config.get("ENTRUST_PRODUCT_{0}".format(authority), "STANDARD_SSL") expiry_date = arrow.utcnow().shift(years=1, days=+10).format('YYYY-MM-DD') - + tracking_data = { "requesterName": current_app.config.get("ENTRUST_NAME"), "requesterEmail": current_app.config.get("ENTRUST_EMAIL"), 
@@ -163,7 +163,7 @@ class EntrustSourcePlugin(SourcePlugin): def get_certificates(self, options, **kwargs): # Not needed for ENTRUST - raise NotImplementedError("Not implemented\n", self, options, **kwargs + raise NotImplementedError("Not implemented\n", self, options, **kwargs) def get_endpoints(self, options, **kwargs): # There are no endpoints in ENTRUST From 1c9c377751e6ff591fb1197f8511126ecda158e6 Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Fri, 11 Sep 2020 12:31:15 +0200 Subject: [PATCH 125/141] Lint errors --- lemur/plugins/lemur_entrust/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/lemur/plugins/lemur_entrust/__init__.py b/lemur/plugins/lemur_entrust/__init__.py index 9186ef13..b902ed7a 100644 --- a/lemur/plugins/lemur_entrust/__init__.py +++ b/lemur/plugins/lemur_entrust/__init__.py @@ -3,4 +3,3 @@ try: VERSION = __import__("pkg_resources").get_distribution(__name__).version except Exception as e: VERSION = "unknown" - From 09a2a8fc76801c1a04b0ace0265bf31345f58a1c Mon Sep 17 00:00:00 2001 From: sayali Date: Fri, 11 Sep 2020 15:53:05 -0700 Subject: [PATCH 126/141] Log message change PR comments --- lemur/plugins/lemur_digicert/plugin.py | 2 +- .../app/angular/certificates/certificate/tracking.tpl.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index ad4272dc..3948acbb 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -194,7 +194,7 @@ def log_validity_truncation(options, function): metrics.send("digicert_validity_truncated", "counter", 1, metric_tags=log_data) log_data["function"] = function - log_data["message"] = "Digicert Plugin truncated the validity of certificate, cn = {0}".format(options["common_name"]) + log_data["message"] = "Digicert Plugin truncated the validity of certificate" current_app.logger.info(log_data) 
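Review bot: Dropping the common name from `log_data["message"]` leaves the truncation log entry without any identifier for the certificate it concerns, unless `log_data` already carries `common_name` in a field set earlier in `log_validity_truncation` (outside this hunk). If it does not, keep it as a structured field rather than in the message text, `log_data["common_name"] = options["common_name"]`, so the message stays static while the event remains attributable. The enclosing function starts outside the hunk.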
diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index e024972b..d60a1a6a 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html @@ -133,7 +133,7 @@
From b217a68512d819b7f6dc423d9ee6be199fb59ea8 Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 08:53:17 +0200 Subject: [PATCH 127/141] added entrust to setup.py --- setup.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/setup.py b/setup.py index a612cd18..467a3d8f 100644 --- a/setup.py +++ b/setup.py @@ -153,7 +153,10 @@ setup( 'vault_source = lemur.plugins.lemur_vault_dest.plugin:VaultSourcePlugin', 'vault_desination = lemur.plugins.lemur_vault_dest.plugin:VaultDestinationPlugin', 'adcs_issuer = lemur.plugins.lemur_adcs.plugin:ADCSIssuerPlugin', - 'adcs_source = lemur.plugins.lemur_adcs.plugin:ADCSSourcePlugin' + 'adcs_source = lemur.plugins.lemur_adcs.plugin:ADCSSourcePlugin', + 'entrust_issuer = lemur.plugins.lemur_entrust.plugin:EntrustIssuerPlugin', + 'entrust_source = lemur.plugins.lemur_entrust.plugin:EntrustSourcePlugin' + ], }, classifiers=[ From 01678a714f47153e094c0b28365226659b45667f Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 09:50:55 +0200 Subject: [PATCH 128/141] added required vars check --- lemur/plugins/lemur_entrust/plugin.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index d8466513..d5216caa 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -5,6 +5,7 @@ import json from lemur.plugins import lemur_entrust as ENTRUST from flask import current_app from lemur.extensions import metrics +from lemur.common.utils import validate_conf def log_status_code(r, *args, **kwargs): 
@@ -61,6 +62,20 @@ class EntrustIssuerPlugin(IssuerPlugin): def __init__(self, *args, **kwargs): """Initialize the issuer with the appropriate details.""" + required_vars = [ + "ENTRUST_API_CERT", + "ENTRUST_API_KEY", + "ENTRUST_API_USER", + "ENTRUST_API_PASS", + "ENTRUST_URL", + "ENTRUST_ROOT", + "ENTRUST_NAME", + "ENTRUST_EMAIL", + "ENTRUST_PHONE", + "ENTRUST_ISSUING", + ] + validate_conf(current_app, required_vars) + self.session = requests.Session() cert_file_path = current_app.config.get("ENTRUST_API_CERT") key_file_path = current_app.config.get("ENTRUST_API_KEY") From b337b271469f3a762368e999d12095523d756c19 Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 12:23:58 +0200 Subject: [PATCH 129/141] added response handler --- lemur/plugins/lemur_entrust/plugin.py | 42 +++++++++++++++++---------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index d5216caa..e6a51d3f 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -50,6 +50,27 @@ def process_options(options): } return data +def handle_response(my_response): + """ + Helper function for parsing responses from the Entrust API. + :param content: + :return: :raise Exception: + """ + msg = { + 200: "The request had the validateOnly flag set to true and validation was successful.", + 201: "Certificate created", + 202: "Request accepted and queued for approval", + 400: "Invalid request parameters", + 404: "Unknown jobId", + 429: "Too many requests" + } + d = json.loads(my_response.content) + s = my_response.status_code + if s != 201: + raise Exception("ENTRUST error : {0}\n{1}".format(msg.get(s,"unknown"),d['errors'])) + current_app.logger.info("Response: {0}, {1} ".format(s, d)) + return d + class EntrustIssuerPlugin(IssuerPlugin): title = "ENTRUST" 
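Review bot: `d['errors']` in the raise path of `handle_response` assumes every non-201 body is JSON with an `errors` key; a gateway or auth failure body without it raises a bare KeyError that hides the HTTP status, and `json.loads` on a non-JSON body raises before the status is even reported. Use `d.get('errors', d)` in the message and guard the parse; the later revisions of this function in PATCH 130 and PATCH 132 (the `@@ -64,10 +65,13 @@` and `@@ -67,7 +67,8 @@` hunks) add the parse guard but keep the bare index. The `msg` table also documents 200 and 202 as success responses, yet this version raises for them, so those entries are only ever shown inside an error message.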
@@ -66,12 +87,12 @@ class EntrustIssuerPlugin(IssuerPlugin): "ENTRUST_API_CERT", "ENTRUST_API_KEY", "ENTRUST_API_USER", - "ENTRUST_API_PASS", + "ENTRUST_API_PASS", "ENTRUST_URL", "ENTRUST_ROOT", "ENTRUST_NAME", "ENTRUST_EMAIL", - "ENTRUST_PHONE", + "ENTRUST_PHONE", "ENTRUST_ISSUING", ] validate_conf(current_app, required_vars) @@ -103,26 +124,15 @@ class EntrustIssuerPlugin(IssuerPlugin): data = process_options(issuer_options) data["csr"] = csr - current_req = arrow.utcnow().format('YYYY-MM-DD HH:mm:ss') - current_app.logger.info( - "Entrust-Request Data (id: {1}) : {0}".format(data, current_req) - ) try: response = self.session.post(url, json=data, timeout=(15, 40)) except requests.exceptions.Timeout: - raise Exception("Timeout Error while posting to ENTRUST (ID: {0})".format(current_req)) + raise Exception("Timeout for POST") except requests.exceptions.RequestException as e: - raise Exception("Error while posting to ENTRUST (ID: {1}): {0}".format(e, current_req)) + raise Exception("Error for POST {0}".format(e)) - current_app.logger.info( - "After Post and Errorhandling (ID: {1}) : {0}".format(response.status_code, current_req) - ) - - response_dict = json.loads(response.content) - if response.status_code != 201: - raise Exception("Error with ENTRUST (ID: {1}): {0}".format(response_dict['errors'], current_req)) - current_app.logger.info("Response: {0}, {1} ".format(response.status_code, response_dict)) + response_dict = handle_response(response) external_id = response_dict['trackingId'] cert = response_dict['endEntityCert'] chain = response_dict['chainCerts'][1] From b8e3162c5f690a932f18bee7927e0fbb9a0b09d1 Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 14:20:11 +0200 Subject: [PATCH 130/141] added revoke functionality --- lemur/plugins/lemur_entrust/plugin.py | 28 +++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) 
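Review bot: `chain = response_dict['chainCerts'][1]` on the last context line keeps exactly one chain element, so if Entrust returns the leaf followed by more than one intermediate the extra ones are silently dropped, and with fewer than two entries it raises IndexError; if index 0 is the leaf, as the name suggests, `chain = "\n".join(response_dict['chainCerts'][1:])` keeps the full intermediate chain. The removal of `current_req` also drops the only correlation id that tied the outgoing request log line to its response; `handle_response` logs the response body but nothing about the request. The enclosing `create_certificate` starts outside the hunk.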
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index e6a51d3f..e0fd1c2a 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -50,6 +50,7 @@ def process_options(options): } return data + def handle_response(my_response): """ Helper function for parsing responses from the Entrust API. @@ -64,10 +65,13 @@ def handle_response(my_response): 404: "Unknown jobId", 429: "Too many requests" } - d = json.loads(my_response.content) + try: + d = json.loads(my_response.content) + except: + d = {'errors': 'No error message'} s = my_response.status_code - if s != 201: - raise Exception("ENTRUST error : {0}\n{1}".format(msg.get(s,"unknown"),d['errors'])) + if s > 399: + raise Exception("ENTRUST error: {0}\n{1}".format(msg.get(s, s), d['errors'])) current_app.logger.info("Response: {0}, {1} ".format(s, d)) return d @@ -142,6 +146,21 @@ class EntrustIssuerPlugin(IssuerPlugin): return cert, chain, external_id + def revoke_certificate(self, certificate, comments): + """Revoke a Digicert certificate.""" + base_url = current_app.config.get("ENTRUST_URL") + + # make certificate revoke request + create_url = "{0}/certificates/{1}/revocations".format( + base_url, certificate.external_id + ) + metrics.send("entrust_revoke_certificate", "counter", 1) + response = self.session.put(create_url, + data=json.dumps({"crlReason": "superseded", "comments": comments})) + + data = handle_response(response) + + @staticmethod def create_authority(options): """Create an authority. @@ -158,9 +177,6 @@ class EntrustIssuerPlugin(IssuerPlugin): current_app.logger.info("Creating Auth: {0} {1}".format(options, entrust_issuing)) return entrust_root, "", [role] - def revoke_certificate(self, certificate, comments): - raise NotImplementedError("Not implemented\n", self, certificate, comments) - def get_ordered_certificate(self, order_id): raise NotImplementedError("Not implemented\n", self, order_id) 
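Review bot: Relaxing the check from `s != 201` to `s > 399` lets 200 and 202 through to the caller, and `create_certificate` then indexes `response_dict['trackingId']` and `['endEntityCert']`, which a 202 "accepted and queued for approval" body presumably does not carry, so the failure surfaces as a KeyError instead of a clear message. If queued requests are expected, handle 202 explicitly before returning, e.g. `if s == 202: raise Exception("ENTRUST request queued for approval: {0}".format(d))`, or document that callers must check for the keys they need.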
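Review bot: The docstring `"""Revoke a Digicert certificate."""` in the new `revoke_certificate` is a copy-paste from another plugin; it should read `"""Revoke an Entrust certificate via the /certificates/{id}/revocations endpoint."""`. `data = handle_response(response)` binds a value that is never used, and `crlReason` is hard-coded to `"superseded"` regardless of why the caller revokes, which misstates the reason published in the CRL for key-compromise revocations. The subsequent revisions in PATCH 131 and PATCH 132 rework the request body but keep the docstring, the unused binding and the fixed reason.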
From 84496b0f553e8ae9c1b82cbb86bdb6ec9a24bed4 Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 15:18:46 +0200 Subject: [PATCH 131/141] fixed a few problems --- lemur/plugins/lemur_entrust/plugin.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index e0fd1c2a..64219774 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -68,7 +68,7 @@ def handle_response(my_response): try: d = json.loads(my_response.content) except: - d = {'errors': 'No error message'} + d = {'errors': 'No detailled message'} s = my_response.status_code if s > 399: raise Exception("ENTRUST error: {0}\n{1}".format(msg.get(s, s), d['errors'])) @@ -151,12 +151,17 @@ class EntrustIssuerPlugin(IssuerPlugin): base_url = current_app.config.get("ENTRUST_URL") # make certificate revoke request - create_url = "{0}/certificates/{1}/revocations".format( + revoke_url = "{0}/certificates/{1}/revocations".format( base_url, certificate.external_id ) metrics.send("entrust_revoke_certificate", "counter", 1) - response = self.session.put(create_url, - data=json.dumps({"crlReason": "superseded", "comments": comments})) + if comments == '' or comments == None: + comments = "revoked via API" + data = { + "crlReason": "superseded", + "revocationComment": comments + } + response = self.session.post(revoke_url, json = data) data = handle_response(response) From 5bb0143da4af632e1471969e93837b1204d58971 Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 15:42:36 +0200 Subject: [PATCH 132/141] lint errors and removed _path from the API-Cert variables --- lemur/plugins/lemur_entrust/plugin.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index 64219774..c28e8350 100644 --- a/lemur/plugins/lemur_entrust/plugin.py 
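Review bot: `response = self.session.post(revoke_url, json = data)` sends the revocation without a timeout, whereas the issuance POST in `create_certificate` uses `timeout=(15, 40)` and wraps the call in `requests.exceptions` handling; a stalled Entrust endpoint will hang the revoke call indefinitely. Pass the same timeout, `response = self.session.post(revoke_url, json=data, timeout=(15, 40))`, and consider the same Timeout/RequestException handling so callers get a consistent error. The `data` name is also reused for both the request body and the unused result of `handle_response`, which makes the method harder to read.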
+++ b/lemur/plugins/lemur_entrust/plugin.py @@ -67,7 +67,8 @@ def handle_response(my_response): } try: d = json.loads(my_response.content) - except: + except Exception as e: + # catch an empty jason object here d = {'errors': 'No detailled message'} s = my_response.status_code if s > 399: @@ -102,12 +103,12 @@ class EntrustIssuerPlugin(IssuerPlugin): validate_conf(current_app, required_vars) self.session = requests.Session() - cert_file_path = current_app.config.get("ENTRUST_API_CERT") - key_file_path = current_app.config.get("ENTRUST_API_KEY") + cert_file = current_app.config.get("ENTRUST_API_CERT") + key_file = current_app.config.get("ENTRUST_API_KEY") user = current_app.config.get("ENTRUST_API_USER") - passw = current_app.config.get("ENTRUST_API_PASS") + password = current_app.config.get("ENTRUST_API_PASS") self.session.cert = (cert_file_path, key_file_path) - self.session.auth = (user, passw) + self.session.auth = (user, password) self.session.hooks = dict(response=log_status_code) # self.session.config['keep_alive'] = False super(EntrustIssuerPlugin, self).__init__(*args, **kwargs) @@ -155,16 +156,15 @@ class EntrustIssuerPlugin(IssuerPlugin): base_url, certificate.external_id ) metrics.send("entrust_revoke_certificate", "counter", 1) - if comments == '' or comments == None: + if comments == '' or not comments: comments = "revoked via API" data = { "crlReason": "superseded", "revocationComment": comments } - response = self.session.post(revoke_url, json = data) + response = self.session.post(revoke_url, json=data) data = handle_response(response) - @staticmethod def create_authority(options): From 9778eb7b25d85ba453a3b0b2f89aa53fadfe276e Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 15:56:02 +0200 Subject: [PATCH 133/141] fixed lint errors --- lemur/plugins/lemur_entrust/plugin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
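Review bot: `except Exception as e:` binds `e` but never uses it, so the reason the body failed to parse is lost; either log it, `current_app.logger.warning("ENTRUST response body not JSON: {0}".format(e))`, or narrow to `except ValueError:` without the binding, since `json.loads` raises a `ValueError` subclass on bad input. The comment `# catch an empty jason object here` should read `# body is empty or not JSON; fall back to a generic error message`.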
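Review bot: `if comments == '' or not comments:` is redundant, because `not comments` already covers the empty string; `if not comments:` says the same thing. The value is then forwarded to Entrust as `revocationComment`, so it is presumably user-supplied text; nothing here bounds its length, which may be worth checking against the API's limit before posting so a long comment fails locally rather than as an opaque 400.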
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index c28e8350..ae0dbc66 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -68,7 +68,7 @@ def handle_response(my_response): try: d = json.loads(my_response.content) except Exception as e: - # catch an empty jason object here + # catch an empty jason object here d = {'errors': 'No detailled message'} s = my_response.status_code if s > 399: @@ -107,7 +107,7 @@ class EntrustIssuerPlugin(IssuerPlugin): key_file = current_app.config.get("ENTRUST_API_KEY") user = current_app.config.get("ENTRUST_API_USER") password = current_app.config.get("ENTRUST_API_PASS") - self.session.cert = (cert_file_path, key_file_path) + self.session.cert = (cert_file, key_file) self.session.auth = (user, password) self.session.hooks = dict(response=log_status_code) # self.session.config['keep_alive'] = False From e011cc92514267e8e0cc7c5c5ecc239898119b83 Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 16:24:53 +0200 Subject: [PATCH 134/141] added several enhancements following advice from peer --- lemur/plugins/lemur_entrust/plugin.py | 32 ++++++++++++++++++--------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index ae0dbc66..75658305 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py 
@@ -19,6 +19,21 @@ def log_status_code(r, *args, **kwargs): """ metrics.send("ENTRUST_status_code_{}".format(r.status_code), "counter", 1) +def determine_end_date(end_date): + """ + Determine appropriate end date + :param end_date: + :return: validity_end + """ + #ENTRUST only allows 13 months of max certificate duration + max_validity_end = arrow.utcnow().shift(years=1, months=+1).format('YYYY-MM-DD') + + if not end_date: + end_date = max_validity_end + + if end_date > max_validity_end: + end_date = max_validity_end + return end_date def process_options(options): """ @@ -33,7 +48,11 @@ def process_options(options): # else default to "STANDARD_SSL" authority = options.get("authority").name.upper() product_type = current_app.config.get("ENTRUST_PRODUCT_{0}".format(authority), "STANDARD_SSL") - expiry_date = arrow.utcnow().shift(years=1, days=+10).format('YYYY-MM-DD') + + if options.get("validity_end"): + validity_end = determine_end_date(options.get("validity_end")) + else: + validity_end = determine_end_date(False) tracking_data = { "requesterName": current_app.config.get("ENTRUST_NAME"), @@ -45,7 +64,7 @@ def process_options(options): "signingAlg": "SHA-2", "eku": "SERVER_AND_CLIENT_AUTH", "certType": product_type, - "certExpiryDate": expiry_date, + "certExpiryDate": validity_end, "tracking": tracking_data } return data @@ -197,15 +216,6 @@ class EntrustSourcePlugin(SourcePlugin): author = "sirferl" author_url = "https://github.com/sirferl/lemur" - options = [ - { - "name": "dummy", - "type": "str", - "required": False, - "validation": "/^[0-9]{12,12}$/", - "helpMessage": "Just to prevent error", - } - ] def get_certificates(self, options, **kwargs): # Not needed for ENTRUST From 02c7a5ca7c03fc80b15786ae94e6a8259ff2dc63 Mon Sep 17 00:00:00 2001 From: sirferl Date: Mon, 14 Sep 2020 16:34:56 +0200 Subject: [PATCH 135/141] another round of lint errors --- lemur/plugins/lemur_entrust/plugin.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
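Review bot: `if end_date > max_validity_end:` in `determine_end_date` compares `end_date` with a `'YYYY-MM-DD'` string, so it is only correct when callers pass a string in exactly that format; if `validity_end` arrives as an arrow or datetime object, as other Lemur plugins treat it, the comparison raises TypeError, and a string in another format compares lexicographically and can let an out-of-range date through the 13-month cap. Normalising first, `end_date = arrow.get(end_date).format('YYYY-MM-DD')`, makes the comparison well-defined either way. The docstring's `:return: validity_end` names a variable that does not exist here; `:return: end_date as 'YYYY-MM-DD', capped at 13 months from now` would match the code.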
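Review bot: The new `if options.get("validity_end"): ... else: validity_end = determine_end_date(False)` branch in `process_options` duplicates the `if not end_date` handling inside `determine_end_date`, so `validity_end = determine_end_date(options.get("validity_end"))` is equivalent and shorter. `process_options` starts outside the hunk.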
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index 75658305..315da8bd 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -19,22 +19,24 @@ def log_status_code(r, *args, **kwargs): """ metrics.send("ENTRUST_status_code_{}".format(r.status_code), "counter", 1) + def determine_end_date(end_date): """ Determine appropriate end date :param end_date: :return: validity_end """ - #ENTRUST only allows 13 months of max certificate duration + # ENTRUST only allows 13 months of max certificate duration max_validity_end = arrow.utcnow().shift(years=1, months=+1).format('YYYY-MM-DD') if not end_date: - end_date = max_validity_end + end_date = max_validity_end if end_date > max_validity_end: end_date = max_validity_end return end_date + def process_options(options): """ Processes and maps the incoming issuer options to fields/options that From f5228407c2495e9ba6d72d0b35b5a8164867e065 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 15 Sep 2020 16:51:01 +0000 Subject: [PATCH 136/141] Bump pytest from 6.0.1 to 6.0.2 Bumps [pytest](https://github.com/pytest-dev/pytest) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/6.0.1...6.0.2) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index e9106767..57791eba 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt 
@@ -62,7 +62,7 @@ pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in pytest-mock==3.3.1 # via -r requirements-tests.in -pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock +pytest==6.0.2 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto pytz==2019.3 # via moto From 51fbd6a8714786d43c3b5cb8b309e44d1b024ebe Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 15 Sep 2020 17:04:29 +0000 Subject: [PATCH 137/141] Bump faker from 4.1.2 to 4.1.3 Bumps [faker](https://github.com/joke2k/faker) from 4.1.2 to 4.1.3. - [Release notes](https://github.com/joke2k/faker/releases) - [Changelog](https://github.com/joke2k/faker/blob/master/CHANGELOG.rst) - [Commits](https://github.com/joke2k/faker/compare/v4.1.2...v4.1.3) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 57791eba..643dcebc 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -25,7 +25,7 @@ docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==3.0.1 # via -r requirements-tests.in -faker==4.1.2 # via -r requirements-tests.in, factory-boy +faker==4.1.3 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==1.0.0 # via -r requirements-tests.in From dc675311f07743e479001029f76e4eb443fbb3c9 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 15 Sep 2020 17:13:55 +0000 Subject: [PATCH 138/141] Bump coverage from 5.2.1 to 5.3 Bumps [coverage](https://github.com/nedbat/coveragepy) from 5.2.1 to 5.3. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/coverage-5.2.1...coverage-5.3) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 643dcebc..c18cb2a3 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -18,7 +18,7 @@ cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto chardet==3.0.4 # via requests click==7.1.2 # via black, flask -coverage==5.2.1 # via -r requirements-tests.in +coverage==5.3 # via -r requirements-tests.in cryptography==3.1 # via moto, sshpubkeys decorator==4.4.2 # via networkx docker==4.2.0 # via moto From 1ceafc593a0c677a017c32b9e2cf1f7ebef1735e Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 15 Sep 2020 17:22:55 +0000 Subject: [PATCH 139/141] Bump moto from 1.3.14 to 1.3.16 Bumps [moto](https://github.com/spulec/moto) from 1.3.14 to 1.3.16. - [Release notes](https://github.com/spulec/moto/releases) - [Changelog](https://github.com/spulec/moto/blob/master/CHANGELOG.md) - [Commits](https://github.com/spulec/moto/compare/1.3.14...1.3.16) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index c18cb2a3..bb25b5e5 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt 
@@ -19,11 +19,11 @@ cfn-lint==0.29.5 # via moto chardet==3.0.4 # via requests click==7.1.2 # via black, flask coverage==5.3 # via -r requirements-tests.in -cryptography==3.1 # via moto, sshpubkeys +cryptography==3.1 # via moto, python-jose, sshpubkeys decorator==4.4.2 # via networkx docker==4.2.0 # via moto docutils==0.15.2 # via botocore -ecdsa==0.15 # via python-jose, sshpubkeys +ecdsa==0.14.1 # via moto, python-jose, sshpubkeys factory-boy==3.0.1 # via -r requirements-tests.in faker==4.1.3 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in @@ -43,10 +43,10 @@ jsonpatch==1.25 # via cfn-lint jsonpickle==1.4 # via aws-xray-sdk jsonpointer==2.0 # via jsonpatch jsonschema==3.2.0 # via aws-sam-translator, cfn-lint -markupsafe==1.1.1 # via jinja2 +markupsafe==1.1.1 # via jinja2, moto mock==4.0.2 # via moto -more-itertools==8.2.0 # via pytest -moto==1.3.14 # via -r requirements-tests.in +more-itertools==8.2.0 # via moto, pytest +moto==1.3.16 # via -r requirements-tests.in mypy-extensions==0.4.3 # via black networkx==2.4 # via cfn-lint nose==1.3.7 # via -r requirements-tests.in @@ -64,7 +64,7 @@ pytest-flask==1.0.0 # via -r requirements-tests.in pytest-mock==3.3.1 # via -r requirements-tests.in pytest==6.0.2 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto -python-jose==3.1.0 # via moto +python-jose[cryptography]==3.1.0 # via moto pytz==2019.3 # via moto pyyaml==5.3.1 # via -r requirements-tests.in, bandit, cfn-lint, moto redis==3.5.3 # via fakeredis @@ -88,7 +88,7 @@ websocket-client==0.57.0 # via docker werkzeug==1.0.1 # via flask, moto, pytest-flask wrapt==1.12.1 # via aws-xray-sdk xmltodict==0.12.0 # via moto -zipp==3.1.0 # via importlib-metadata +zipp==3.1.0 # via importlib-metadata, moto # The following packages are considered to be unsafe in a requirements file: # setuptools From 8022efe32e5a4630e607b7d02ede6b2473378b6e Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 15 Sep 2020 17:35:46 +0000 Subject: [PATCH 140/141] Bump acme from 1.7.0 to 1.8.0 Bumps [acme](https://github.com/letsencrypt/letsencrypt) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/letsencrypt/letsencrypt/releases) - [Commits](https://github.com/letsencrypt/letsencrypt/compare/v1.7.0...v1.8.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 37d50804..3ee96dd7 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements-docs.txt requirements-docs.in # -acme==1.7.0 # via -r requirements.txt +acme==1.8.0 # via -r requirements.txt alabaster==0.7.12 # via sphinx alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate diff --git a/requirements.txt b/requirements.txt index 64e41b3c..fcb06cd9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements.txt requirements.in # -acme==1.7.0 # via -r requirements.in +acme==1.8.0 # via -r requirements.in alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu From f5e71bb431dce204c0e96054f00335956cd0fa5f Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 15 Sep 2020 17:45:52 +0000 Subject: [PATCH 141/141] Bump boto3 from 1.14.56 to 1.14.61 Bumps [boto3](https://github.com/boto/boto3) from 1.14.56 to 1.14.61. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.56...1.14.61) 
Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 4 ++-- requirements-tests.txt | 4 ++-- requirements.txt | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 3ee96dd7..f3f417bf 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -17,8 +17,8 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.56 # via -r requirements.txt -botocore==1.17.56 # via -r requirements.txt, boto3, s3transfer +boto3==1.14.61 # via -r requirements.txt +botocore==1.17.61 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index bb25b5e5..20453852 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==20.8b1 # via -r requirements-tests.in -boto3==1.14.56 # via aws-sam-translator, moto +boto3==1.14.61 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.56 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.61 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index fcb06cd9..27a37a8c 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -15,8 +15,8 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.56 # via -r requirements.in -botocore==1.17.56 # via -r requirements.in, boto3, s3transfer +boto3==1.14.61 # via -r requirements.in +botocore==1.17.61 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in