diff --git a/lemur/plugins/lemur_acme/acme_handlers.py b/lemur/plugins/lemur_acme/acme_handlers.py
index ebc2b2b4..6d0ac5f4 100644
--- a/lemur/plugins/lemur_acme/acme_handlers.py
+++ b/lemur/plugins/lemur_acme/acme_handlers.py
@@ -27,7 +27,7 @@ from flask import current_app
 from lemur.common.utils import generate_private_key
 from lemur.dns_providers import service as dns_provider_service
-from lemur.exceptions import InvalidAuthority, UnknownProvider
+from lemur.exceptions import InvalidAuthority, UnknownProvider, InvalidConfiguration
 from lemur.extensions import metrics, sentry
 from lemur.plugins.lemur_acme import cloudflare, dyn, route53, ultradns, powerdns
@@ -216,6 +216,27 @@ class AcmeHandler(object):
 current_app.logger.debug("Got these domains: {0}".format(domains))
 return domains
+ def revoke_certificate(self, certificate):
+ if not self.reuse_account(certificate.authority):
+ raise InvalidConfiguration("There is no ACME account saved, unable to revoke the certificate.")
+ acme_client, _ = self.acme.setup_acme_client(certificate.authority)
+
+ fullchain_com = jose.ComparableX509(
+ OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, certificate.body))
+
+ try:
+ acme_client.revoke(fullchain_com, 0) # revocation reason = 0
+ except (errors.ConflictError, errors.ClientError, errors.Error) as e:
+ # Certificate already revoked.
+ current_app.logger.error("Certificate revocation failed with message: " + e.detail)
+ metrics.send("acme_revoke_certificate_failure", "counter", 1)
+ return False
+
+ current_app.logger.warning("Certificate succesfully revoked: " + certificate.name)
+ metrics.send("acme_revoke_certificate_success", "counter", 1)
+ return True
+
 class AcmeDnsHandler(AcmeHandler):
diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py
index 7dc7af25..4763a2fa 100644
--- a/lemur/plugins/lemur_acme/plugin.py
+++ b/lemur/plugins/lemur_acme/plugin.py
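Review bot: In the new AcmeHandler.revoke_certificate, `acme_client, _ = self.acme.setup_acme_client(certificate.authority)` still reaches the client through `self.acme`, which was the plugin's handler attribute in the code this was moved from; the line just above already uses `self.reuse_account(...)` directly, so this one should read `acme_client, _ = self.setup_acme_client(certificate.authority)` — unless AcmeHandler defines an `acme` attribute, which nothing on the page shows, the call fails with AttributeError before any revocation request is sent. The except clause also builds its log line from `e.detail`, which is not guaranteed to exist on every type in `(errors.ConflictError, errors.ClientError, errors.Error)`; `str(e)` is safe for all three and keeps the failure path itself from raising. Because every caught error collapses into the same `return False`, the comment `# Certificate already revoked.` overstates what is known at that point; `# Revocation rejected or failed (already revoked, transport or CA error); caller sees False.` matches the behaviour. A docstring stating that the method returns True on success, False when the CA rejects the request, and raises InvalidConfiguration when no ACME account is saved would make the contract explicit for the two plugins that now delegate to it.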
@@ -12,9 +12,6 @@
 .. moduleauthor:: Curtis Castrapel
 """
-import OpenSSL.crypto
-import josepy as jose
-from acme import errors
 from acme.errors import PollError, WildcardUnsupportedError
 from acme.messages import Error as AcmeError
 from botocore.exceptions import ClientError
@@ -272,25 +269,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
 def revoke_certificate(self, certificate, comments):
 self.acme = AcmeDnsHandler()
- if not self.acme.reuse_account(certificate.authority):
- raise InvalidConfiguration("There is no ACME account saved, unable to revoke the certificate.")
- acme_client, _ = self.acme.setup_acme_client(certificate.authority)
-
- fullchain_com = jose.ComparableX509(
- OpenSSL.crypto.load_certificate(
- OpenSSL.crypto.FILETYPE_PEM, certificate.body))
-
- try:
- acme_client.revoke(fullchain_com, 0) # revocation reason = 0
- except (errors.ConflictError, errors.ClientError, errors.Error) as e:
- # Certificate already revoked.
- current_app.logger.error("Certificate revocation failed with message: " + e.detail)
- metrics.send("acme_revoke_certificate_failure", "counter", 1)
- return False
-
- current_app.logger.warning("Certificate succesfully revoked: " + certificate.name)
- metrics.send("acme_revoke_certificate_success", "counter", 1)
- return True
+ return self.acme.revoke_certificate(certificate)
 class ACMEHttpIssuerPlugin(IssuerPlugin):
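Review bot: ACMEIssuerPlugin.revoke_certificate now forwards only `certificate`, so the `comments` parameter is accepted and silently dropped while the handler it delegates to hard-codes revocation reason 0 (visible in the acme_handlers.py hunk); ACMEHttpIssuerPlugin.revoke_certificate in the following hunk has the same shape. If `comments` is not meant to influence the ACME request, make that visible at the call site, e.g. `return self.acme.revoke_certificate(certificate)  # NOTE: comments is not forwarded to the handler`, otherwise thread it through as the revocation reason. With the body gone, `InvalidConfiguration`, `current_app` and `metrics` may no longer be referenced in plugin.py; their imports sit outside this hunk, so that is worth a check rather than a certainty.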
@@ -391,22 +370,4 @@ class ACMEHttpIssuerPlugin(IssuerPlugin):
 def revoke_certificate(self, certificate, comments):
 self.acme = AcmeHandler()
- if not self.acme.reuse_account(certificate.authority):
- raise InvalidConfiguration("There is no ACME account saved, unable to revoke the certificate.")
- acme_client, _ = self.acme.setup_acme_client(certificate.authority)
-
- fullchain_com = jose.ComparableX509(
- OpenSSL.crypto.load_certificate(
- OpenSSL.crypto.FILETYPE_PEM, certificate.body))
-
- try:
- acme_client.revoke(fullchain_com, 0) # revocation reason = 0
- except (errors.ConflictError, errors.ClientError, errors.Error) as e:
- # Certificate already revoked.
- current_app.logger.error("Certificate revocation failed with message: " + e.detail)
- metrics.send("acme_revoke_certificate_failure", "counter", 1)
- return False
-
- current_app.logger.warning("Certificate succesfully revoked: " + certificate.name)
- metrics.send("acme_revoke_certificate_success", "counter", 1)
- return True
+ return self.acme.revoke_certificate(certificate)
diff --git a/lemur/plugins/lemur_acme/tests/test_acme_dns.py b/lemur/plugins/lemur_acme/tests/test_acme_dns.py
index acedf977..0d0feb35 100644
--- a/lemur/plugins/lemur_acme/tests/test_acme_dns.py
+++ b/lemur/plugins/lemur_acme/tests/test_acme_dns.py
@@ -168,7 +168,7 @@ class TestAcmeDns(unittest.TestCase):
 with self.assertRaises(Exception):
 self.acme.setup_acme_client(mock_authority)
- @patch("lemur.plugins.lemur_acme.plugin.jose.JWK.json_loads")
+ @patch("lemur.plugins.lemur_acme.acme_handlers.jose.JWK.json_loads")
 @patch("lemur.plugins.lemur_acme.acme_handlers.BackwardsCompatibleClientV2")
 @patch("lemur.plugins.lemur_acme.acme_handlers.current_app")
 def test_setup_acme_client_success_load_account_from_authority(self, mock_current_app, mock_acme, mock_key_json_load):
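Review bot: The patch targets are moved to acme_handlers, but neither this test hunk nor the `@@ -190` hunk that follows adds any coverage for the new AcmeHandler.revoke_certificate, which is where the `self.acme.setup_acme_client` reference and the `e.detail` log line would actually be exercised; nothing visible on the page tests that method. A test in this class that patches `lemur.plugins.lemur_acme.acme_handlers.BackwardsCompatibleClientV2` the way the existing setup_acme_client tests do, and asserts the True return for a successful `revoke` and the False return when the client raises one of the caught acme errors, would pin the contract the two plugins now rely on. The enclosing TestAcmeDns class continues outside the hunk.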
@@ -190,7 +190,7 @@ class TestAcmeDns(unittest.TestCase):
 assert result_client
 assert not result_registration
- @patch("lemur.plugins.lemur_acme.plugin.jose.JWKRSA.fields_to_partial_json")
+ @patch("lemur.plugins.lemur_acme.acme_handlers.jose.JWKRSA.fields_to_partial_json")
 @patch("lemur.plugins.lemur_acme.acme_handlers.authorities_service")
 @patch("lemur.plugins.lemur_acme.acme_handlers.BackwardsCompatibleClientV2")
 @patch("lemur.plugins.lemur_acme.acme_handlers.current_app")