Merge branch 'master' into entrust-cross-signed-subCA

2021-01-19 16:28:35 -08:00 · 2021-01-19 16:28:35 -08:00 · 3403ba89f1
parent 0a37e8a275 2240ace825
commit 3403ba89f1
2 changed files with 32 additions and 16 deletions
--- a/docs/administration.rst
+++ b/docs/administration.rst
@ -941,12 +941,20 @@ The following parameters have to be set in the configuration files.

        If there is a config variable ENTRUST_PRODUCT_<upper(authority.name)> take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names.

+
 .. data:: ENTRUST_CROSS_SIGNED_RSA
    :noindex:

        This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA.


+.. data:: ENTRUST_USE_DEFAULT_CLIENT_ID
+    :noindex:
+
+        If set to True, Entrust will use the primary client ID of 1, which applies to most use-case.
+        Otherwise, Entrust will first lookup the clientId before ordering the certificate.
+
+
 Verisign Issuer Plugin
 ~~~~~~~~~~~~~~~~~~~~~~

--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
@ -80,7 +80,6 @@ def process_options(options, client_id):
        "eku": "SERVER_AND_CLIENT_AUTH",
        "certType": product_type,
        "certExpiryDate": validity_end,
-        # "keyType": "RSA", Entrust complaining about this parameter
        "tracking": tracking_data,
        "org": options.get("organization"),
        "clientId": client_id
@ -88,14 +87,28 @@ def process_options(options, client_id):
    return data


-def get_client_id(my_response, organization):
+@retry(stop_max_attempt_number=5, wait_fixed=1000)
+def get_client_id(session, organization):
    """
-    Helper function for parsing responses from the Entrust API.
-    :param content:
-    :return: :raise Exception:
+    Helper function for looking up clientID pased on Organization and parsing the response.
+    :param session:
+    :param organization: the validated org with Entrust, for instance "Company, Inc."
+    :return: ClientID
+    :raise Exception:
    """
+
+    # get the organization ID
+    url = current_app.config.get("ENTRUST_URL") + "/organizations"
    try:
-        d = json.loads(my_response.content)
+        response = session.get(url, timeout=(15, 40))
+    except requests.exceptions.Timeout:
+        raise Exception("Timeout for Getting Organizations")
+    except requests.exceptions.RequestException as e:
+        raise Exception(f"Error for Getting Organization {e}")
+
+    # parse the response
+    try:
+        d = json.loads(response.content)
    except ValueError:
        # catch an empty json object here
        d = {'response': 'No detailed message'}
@ -220,16 +233,11 @@ class EntrustIssuerPlugin(IssuerPlugin):
        }
        current_app.logger.info(log_data)

-        # firstly we need the organization ID
-        url = current_app.config.get("ENTRUST_URL") + "/organizations"
-        try:
-            response = self.session.get(url, timeout=(15, 40))
-        except requests.exceptions.Timeout:
-            raise Exception("Timeout for Getting Organizations")
-        except requests.exceptions.RequestException as e:
-            raise Exception(f"Error for Getting Organization {e}")
-
-        client_id = get_client_id(response, issuer_options.get("organization"))
+        if current_app.config.get("ENTRUST_USE_DEFAULT_CLIENT_ID"):
+            # The ID of the primary client is 1.
+            client_id = 1
+        else:
+            client_id = get_client_id(self.session, issuer_options.get("organization"))
        log_data = {
            "function": f"{__name__}.{sys._getframe().f_code.co_name}",
            "message": f"Organization id: {client_id}"