Security fixes

This commit is contained in:
Jasmine Schladen 2021-03-17 10:51:21 -07:00
parent c1168399a4
commit 2da9754ffa
5 changed files with 47 additions and 2 deletions


@ -117,6 +117,12 @@ def create(**kwargs):
"""
Creates a new authority.
"""
ca_name = kwargs.get("name")
if get_by_name(ca_name):
raise Exception(f"Authority with name {ca_name} already exists")
if role_service.get_by_name(f"{ca_name}_admin") or role_service.get_by_name(f"{ca_name}_operator"):
raise Exception(f"Admin and/or operator roles for authority {ca_name} already exist")
body, private_key, chain, roles = mint(**kwargs)
kwargs["creator"].roles = list(set(list(kwargs["creator"].roles) + roles))
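Review bot: The new duplicate checks at `if get_by_name(ca_name):` and the two `role_service.get_by_name(...)` lookups are check-then-act: two concurrent create() calls can both pass them before either commits, so they reduce but do not rule out a duplicate authority or `_admin`/`_operator` role; a unique constraint on the authority and role name columns (if the models do not already have one) is the reliable guard and these checks become the friendly error path. Both branches raise bare `Exception`; if the project has a more specific exception type that the API layer already maps to a client error, raising that instead avoids reporting a caller mistake as a server failure. The body of create continues past the end of the hunk.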


@ -10,9 +10,9 @@ class DnsProvidersNestedOutputSchema(LemurOutputSchema):
name = fields.String()
provider_type = fields.String()
description = fields.String()
credentials = fields.String()
api_endpoint = fields.String()
date_created = ArrowDateTime()
# credentials are intentionally omitted (they are input-only)
class DnsProvidersNestedInputSchema(LemurInputSchema):
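Review bot: Dropping `credentials` from DnsProvidersNestedOutputSchema only closes the leak for this one schema; any sibling output schema for the same model in this module, and the `dns_provider_output_schema` instance the new test in the last file exercises, must omit the field as well, otherwise the test may be checking a schema other than the one changed here. Worth confirming which class that instance is built from. Pairing the comment with a short reason, e.g. `# credentials are intentionally omitted: secret material is accepted on input only and must never be serialised to API responses`, records the intent for the next person who "restores" the field.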


@ -36,6 +36,7 @@ from .factories import (
InvalidCertificateFactory,
CryptoAuthorityFactory,
CACertificateFactory,
DnsProviderFactory,
)
@ -183,6 +184,13 @@ def user(session):
return {"user": u, "token": token}
@pytest.fixture
def dns_provider(session):
d = DnsProviderFactory()
session.commit()
return d
@pytest.fixture
def pending_certificate(session):
u = UserFactory()


@ -1,14 +1,15 @@
import json
from datetime import date
from factory import Sequence, post_generation, SubFactory
from factory.alchemy import SQLAlchemyModelFactory
from factory.fuzzy import FuzzyChoice, FuzzyText, FuzzyDate, FuzzyInteger
from lemur.database import db
from lemur.authorities.models import Authority
from lemur.certificates.models import Certificate
from lemur.destinations.models import Destination
from lemur.dns_providers.models import DnsProvider
from lemur.sources.models import Source
from lemur.notifications.models import Notification
from lemur.pending_certificates.models import PendingCertificate
@ -435,3 +436,17 @@ class PendingCertificateFactory(BaseFactory):
if extracted:
for domain in extracted:
self.roles.append(domain)
class DnsProviderFactory(BaseFactory):
"""DnsProvider Factory."""
name = Sequence(lambda n: f"dnsProvider{n}")
description = FuzzyText(length=128)
provider_type = FuzzyText(length=128)
credentials = json.dumps({"account_id": f"{FuzzyInteger(100000, 999999).fuzz()}"})
class Meta:
"""Factory Configuration."""
model = DnsProvider
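Review bot: `credentials = json.dumps({"account_id": f"{FuzzyInteger(100000, 999999).fuzz()}"})` is evaluated once when the class body runs, so every DnsProvider built by this factory carries the same credentials string rather than a fresh fuzzed value per instance; the other attributes use `Sequence`/`FuzzyText` and are evaluated per object. Wrapping it so it is evaluated lazily, `credentials = LazyFunction(lambda: json.dumps({"account_id": str(FuzzyInteger(100000, 999999).fuzz())}))`, with `LazyFunction` added to the existing `from factory import ...` line, makes the fixture behave like the rest of the factory. The current tests would pass either way, so this is a correctness-of-test-data point rather than a failing case.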


@ -1,5 +1,7 @@
import json
import unittest
from lemur.dns_providers import util as dnsutil
from lemur.dns_providers.schemas import dns_provider_output_schema
class TestDNSProvider(unittest.TestCase):
@ -21,3 +23,17 @@ class TestDNSProvider(unittest.TestCase):
self.assertFalse(dnsutil.is_valid_domain('example..io'))
self.assertFalse(dnsutil.is_valid_domain('exa mple.io'))
self.assertFalse(dnsutil.is_valid_domain('-'))
def test_output_schema(dns_provider):
# no credentials using the output schema dump
assert dns_provider.credentials
assert json.loads(dns_provider.credentials)["account_id"]
dump = dns_provider_output_schema.dump(dns_provider).data
assert 'name' in dump
assert 'credentials' not in dump
def test_json(dns_provider):
# we can still get credentials using json.load
assert 'account_id' in json.loads(dns_provider.credentials)
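Review bot: `def test_output_schema(dns_provider):` and `def test_json(dns_provider):` request a pytest fixture, but the hunk header places them under `class TestDNSProvider(unittest.TestCase)` and the rendering has lost indentation; if they are indented as methods of that class, pytest does not inject fixtures into unittest.TestCase methods and the first positional argument would be `self`, so the tests would error on collection or run against the wrong object. Defining them at module level (column 0) after the class, or converting the class to a plain pytest test class, resolves this; the existing `test_*` methods above continue to use `self.assert*`, so mixing the two styles in one class is also a readability point. The class TestDNSProvider itself begins outside the hunk.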