From 03d1af16e7725527bbd5b5e80b417c05ddfd3108 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 15:59:38 -0700
Subject: [PATCH 01/11] better logging for exceptions around all plugins
---
 lemur/certificates/service.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 6d1bd2ac..9c544124 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -359,7 +359,12 @@ def create(**kwargs):
 try:
 cert_body, private_key, cert_chain, external_id, csr = mint(**kwargs)
 except Exception:
- current_app.logger.error("Exception minting certificate", exc_info=True)
+ log_data = {
+ "message": "Exception minting certificate",
+ "issuer": kwargs["authority"].name,
+ "cn": kwargs["common_name"],
+ }
+ current_app.logger.error(log_data, exc_info=True)
 sentry.captureException()
 raise
 kwargs["body"] = cert_body
From c2fe2b5e0384ade0e0f2f2567e8cb1545b62ed85 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 15:59:59 -0700
Subject: [PATCH 02/11] improved logging for all responses
---
 lemur/plugins/lemur_entrust/plugin.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index 515e2400..03919686 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
@@ -20,7 +20,13 @@ def log_status_code(r, *args, **kwargs):
 :param kwargs:
 :return:
 """
+ log_data = {
+ "reason": (r.reason if r.reason else ""),
+ "status_code": r.status_code,
+ "url": (r.url if r.url else ""),
+ }
 metrics.send(f"entrust_status_code_{r.status_code}", "counter", 1)
+ current_app.logger.info(log_data)
 def determine_end_date(end_date):
From c60645bec49f23d7c55276d1a17e7c316d683cf0 Mon Sep 17 00:00:00 2001
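Review bot: The new `log_data` dict in the `except` block of `create()` indexes `kwargs["authority"]` and `kwargs["common_name"]` directly, so a missing key or an authority without `.name` raises inside the handler and replaces the minting exception before `sentry.captureException()` and the bare `raise` run. Whether both keys are always present is not visible in this hunk, so the handler should not depend on it: `"issuer": getattr(kwargs.get("authority"), "name", None),` and `"cn": kwargs.get("common_name"),`. `create()` starts and continues outside the hunk.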
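Review bot: `log_status_code` in the Entrust plugin now writes the full `r.url` to the application log at info level for every response, and patch 03 adds the same lines to the DigiCert plugin. Any query string on those requests ends up in the log verbatim; if a caller ever passes a key, token or account identifier as a query parameter (not visible from these hunks), it is persisted wherever the logs are shipped. Logging the URL without its query, for example `"url": (r.url.split("?", 1)[0] if r.url else ""),`, keeps the endpoint for troubleshooting without that exposure.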
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 16:00:26 -0700
Subject: [PATCH 03/11] improved logging for all responses
---
 lemur/plugins/lemur_digicert/plugin.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index f28279a6..9a322371 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -37,7 +37,13 @@ def log_status_code(r, *args, **kwargs):
 :param kwargs:
 :return:
 """
+ log_data = {
+ "reason": (r.reason if r.reason else ""),
+ "status_code": r.status_code,
+ "url": (r.url if r.url else ""),
+ }
 metrics.send("digicert_status_code_{}".format(r.status_code), "counter", 1)
+ current_app.logger.info(log_data)
 def signature_hash(signing_algorithm):
From 8fa90a2ce54539853ee7ff2769b5f35ad3e2865f Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 16:01:09 -0700
Subject: [PATCH 04/11] digicert expects also seconds, though not yet honoring it
---
 lemur/plugins/lemur_digicert/plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index 9a322371..61a274fa 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -177,7 +177,7 @@ def map_cis_fields(options, csr):
 "csr": csr,
 "signature_hash": signature_hash(options.get("signing_algorithm")),
 "validity": {
- "valid_to": validity_end.format("YYYY-MM-DDTHH:MM") + "Z"
+ "valid_to": validity_end.format("YYYY-MM-DDTHH:MM:SS") + "Z"
 },
 "organization": {
 "name": options["organization"],
From 02c040865d6ca5a1c5fec2fe1e2cf039515bb08d Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 16:05:29 -0700
Subject: [PATCH 05/11] more meaningful message
---
 lemur/plugins/lemur_digicert/plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
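Review bot: The format string `"YYYY-MM-DDTHH:MM:SS"` in `map_cis_fields` does not produce minutes and seconds: assuming `validity_end` is an Arrow object (the tests in patches 09 and 10 call `arrow.get(...).format` with the same string), `MM` is the month token and `SS` is the two-digit sub-second token, so the time part is rendered as hour:month:fraction. The `valid_to` sent to DigiCert can therefore differ from the requested end of validity, with the month number in the minutes position and a fractional value in the seconds position. Use `"valid_to": validity_end.format("YYYY-MM-DDTHH:mm:ss") + "Z"`, and change the expected strings in the tests of patches 09 and 10 the same way; as written they mirror the production string and cannot catch this. The appended `"Z"` also assumes `validity_end` is already in UTC, which this hunk does not show.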
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index 61a274fa..574c8e8e 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -210,7 +210,7 @@ def handle_response(response):
 :return:
 """
 if response.status_code > 399:
- raise Exception(response.json()["errors"][0]["message"])
+ raise Exception("DigiCert rejected certificate request with the following error:" + response.json()["errors"][0]["message"])
 return response.json()
From 1c96ea9ab1ee8f1e8c36331510e3866aace74bcf Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 17:10:32 -0700
Subject: [PATCH 06/11] better messaging of exceptions
---
 lemur/plugins/lemur_digicert/plugin.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index 574c8e8e..a100954f 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -221,10 +221,13 @@ def handle_cis_response(response):
 :param response:
 :return:
 """
- if response.status_code > 399:
- raise Exception(response.text)
-
 return response.json()
+ if response.status_code == 404:
+ raise Exception("DigiCert: Order not in issued state.")
+ elif response.status_code == 406:
+ raise Exception("DigiCert: Wrong Header")
+ elif response.status_code > 399:
+ raise Exception("DigiCert rejected request with the error:" + response.text)
 @retry(stop_max_attempt_number=10, wait_fixed=10000)
From 2e7652962cbbe4403ff44dc0df9550882e1e1b10 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 17:11:02 -0700
Subject: [PATCH 07/11] refactoring of the error handling
---
 lemur/plugins/lemur_digicert/plugin.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index a100954f..4143019e 100644
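Review bot: The error branch of `handle_response` still assumes every response above 399 carries a JSON body with an `errors[0].message` entry; an HTML or empty body from a gateway or proxy makes `response.json()` or the indexing raise, and the caller then sees a decode or key error instead of the DigiCert failure and its status code. Patch 08 rewords the same line and keeps the expression. I would extract the detail defensively and fall back to `response.text`, as sketched below; the message prefix also lacks a space after the colon. The start of `handle_response` is outside the hunk.

```python
    if response.status_code > 399:
        try:
            detail = response.json()["errors"][0]["message"]
        except (ValueError, KeyError, IndexError, TypeError):
            # Body is not the expected JSON error document; keep the raw text.
            detail = response.text
        raise Exception(
            "DigiCert rejected request with the error: {0} (HTTP {1})".format(
                detail, response.status_code
            )
        )
    # … unchanged: return response.json() …
```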
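Review bot: The `404` branch added to `handle_cis_response` reports "Order not in issued state" for every CIS response that passes through this helper, while patch 07 shows that this message used to belong to the certificate download call only. If the helper also serves other CIS endpoints (its callers are outside this hunk), a 404 from those is reported with a misleading cause; a neutral wording such as `raise Exception("DigiCert: not found (order may not be in issued state)")` would avoid that. In this commit the context line `return response.json()` also still precedes the new checks, so they are unreachable until patch 07 removes it.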
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -221,7 +221,6 @@ def handle_cis_response(response):
 :param response:
 :return:
 """
- return response.json()
 if response.status_code == 404:
 raise Exception("DigiCert: Order not in issued state.")
 elif response.status_code == 406:
@@ -229,6 +228,11 @@ def handle_cis_response(response):
 elif response.status_code > 399:
 raise Exception("DigiCert rejected request with the error:" + response.text)
+ if response.url.endswith("download"):
+ return response.content
+ else:
+ return response.json()
+
 @retry(stop_max_attempt_number=10, wait_fixed=10000)
 def get_certificate_id(session, base_url, order_id):
@@ -247,11 +251,9 @@ def get_cis_certificate(session, base_url, order_id):
 certificate_url = "{0}/platform/cis/certificate/{1}/download".format(base_url, order_id)
 session.headers.update({"Accept": "application/x-pkcs7-certificates"})
 response = session.get(certificate_url)
+ response_content = handle_cis_response(response)
- if response.status_code == 404:
- raise Exception("Order not in issued state.")
-
- cert_chain_pem = convert_pkcs7_bytes_to_pem(response.content)
+ cert_chain_pem = convert_pkcs7_bytes_to_pem(response_content)
 if len(cert_chain_pem) < 3:
 raise Exception("Missing the certificate chain")
 return cert_chain_pem
From ae1e9d120b8751c1de9fc7fee706cb79f3bf46d8 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 17:13:58 -0700
Subject: [PATCH 08/11] consistent messaging
---
 lemur/plugins/lemur_digicert/plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index 4143019e..345bea72 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
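Review bot: The body type in `handle_cis_response` is chosen with `response.url.endswith("download")` (second hunk), which couples the helper to the exact URL text: a query string, a trailing slash or a redirect to a differently named location sends the PKCS#7 bytes to `response.json()` instead. The response already states what it carries, so testing the media type is sturdier, e.g. `if "pkcs7" in response.headers.get("Content-Type", ""):` (the exact value DigiCert returns should be confirmed), or `get_cis_certificate` can read `response.content` itself once the status checks have passed. The docstring, which the first hunk shows as bare `:param response:` / `:return:`, should say that the function returns bytes for downloads and parsed JSON otherwise.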
@@ -210,7 +210,7 @@ def handle_response(response):
 :return:
 """
 if response.status_code > 399:
- raise Exception("DigiCert rejected certificate request with the following error:" + response.json()["errors"][0]["message"])
+ raise Exception("DigiCert rejected request with the error:" + response.json()["errors"][0]["message"])
 return response.json()
From 9acd974b7451f63baf363b0f9e88e77cb2b82219 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 17:20:47 -0700
Subject: [PATCH 09/11] fixing the test to support seconds
---
 lemur/plugins/lemur_digicert/tests/test_digicert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py
index 34dcef71..fe47c5b8 100644
--- a/lemur/plugins/lemur_digicert/tests/test_digicert.py
+++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py
@@ -123,7 +123,7 @@ def test_map_cis_fields_with_validity_years(mock_current_app, authority):
 "signature_hash": "sha256",
 "organization": {"name": "Example, Inc."},
 "validity": {
- "valid_to": arrow.get(2018, 11, 3).format("YYYY-MM-DDTHH:MM") + "Z"
+ "valid_to": arrow.get(2018, 11, 3).format("YYYY-MM-DDTHH:MM:SS") + "Z"
 },
 "profile_name": None,
 }
From 97f80b79dcea1601da700c06b77395e67ae2954a Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 17:23:33 -0700
Subject: [PATCH 10/11] adjusting digicert test to support seconds
---
 lemur/plugins/lemur_digicert/tests/test_digicert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py
index fe47c5b8..059cdd82 100644
--- a/lemur/plugins/lemur_digicert/tests/test_digicert.py
+++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py
@@ -159,7 +159,7 @@ def test_map_cis_fields_with_validity_end_and_start(mock_current_app, app, autho
 "signature_hash": "sha256",
 "organization": {"name": "Example, Inc."},
 "validity": {
- "valid_to": arrow.get(2017, 5, 7).format("YYYY-MM-DDTHH:MM") + "Z"
+ "valid_to": arrow.get(2017, 5, 7).format("YYYY-MM-DDTHH:MM:SS") + "Z"
 },
 "profile_name": None,
 }
From 8610af8b8368565c2e48976eb01168bb2ab21c90 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 17:54:46 -0700
Subject: [PATCH 11/11] more precise language
---
 lemur/plugins/lemur_digicert/plugin.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index 345bea72..ee917dac 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -222,9 +222,9 @@ def handle_cis_response(response):
 :return:
 """
 if response.status_code == 404:
- raise Exception("DigiCert: Order not in issued state.")
+ raise Exception("DigiCert: order not in issued state")
 elif response.status_code == 406:
- raise Exception("DigiCert: Wrong Header")
+ raise Exception("DigiCert: wrong header request format")
 elif response.status_code > 399:
 raise Exception("DigiCert rejected request with the error:" + response.text)