diff --git a/docs/administration.rst b/docs/administration.rst
index 15cff1f8..9af08407 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -941,12 +941,20 @@ The following parameters have to be set in the configuration files.
     If there is a config variable ENTRUST_PRODUCT_ take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names.
+
 .. data:: ENTRUST_CROSS_SIGNED_RSA
     :noindex:
 
     This is optional. Entrust provides support for cross-signed subCAS. One can set ENTRUST_CROSS_SIGNED_RSA to the respective cross-signed subCA PEM, such as L1K, Lemur will replace the retrieved subCA with ENTRUST_CROSS_SIGNED_RSA.
+.. data:: ENTRUST_USE_DEFAULT_CLIENT_ID
+    :noindex:
+
+    If set to True, Entrust will use the primary client ID of 1, which applies to most use-case.
+    Otherwise, Entrust will first lookup the clientId before ordering the certificate.
+
+
 Verisign Issuer Plugin
 ~~~~~~~~~~~~~~~~~~~~~~
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index cf7d2307..14bf9646 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
@@ -80,7 +80,6 @@ def process_options(options, client_id):
         "eku": "SERVER_AND_CLIENT_AUTH",
         "certType": product_type,
         "certExpiryDate": validity_end,
-        # "keyType": "RSA", Entrust complaining about this parameter
         "tracking": tracking_data,
         "org": options.get("organization"),
         "clientId": client_id
@@ -88,14 +87,28 @@ def process_options(options, client_id):
     return data
 
 
-def get_client_id(my_response, organization):
+@retry(stop_max_attempt_number=5, wait_fixed=1000)
+def get_client_id(session, organization):
     """
-    Helper function for parsing responses from the Entrust API.
-    :param content:
-    :return: :raise Exception:
+    Helper function for looking up clientID pased on Organization and parsing the response.
+    :param session:
+    :param organization: the validated org with Entrust, for instance "Company, Inc."
+    :return: ClientID
+    :raise Exception:
     """
+
+    # get the organization ID
+    url = current_app.config.get("ENTRUST_URL") + "/organizations"
     try:
-        d = json.loads(my_response.content)
+        response = session.get(url, timeout=(15, 40))
+    except requests.exceptions.Timeout:
+        raise Exception("Timeout for Getting Organizations")
+    except requests.exceptions.RequestException as e:
+        raise Exception(f"Error for Getting Organization {e}")
+
+    # parse the response
+    try:
+        d = json.loads(response.content)
     except ValueError:
         # catch an empty json object here
         d = {'response': 'No detailed message'}
@@ -220,16 +233,11 @@ class EntrustIssuerPlugin(IssuerPlugin):
         }
         current_app.logger.info(log_data)
 
-        # firstly we need the organization ID
-        url = current_app.config.get("ENTRUST_URL") + "/organizations"
-        try:
-            response = self.session.get(url, timeout=(15, 40))
-        except requests.exceptions.Timeout:
-            raise Exception("Timeout for Getting Organizations")
-        except requests.exceptions.RequestException as e:
-            raise Exception(f"Error for Getting Organization {e}")
-
-        client_id = get_client_id(response, issuer_options.get("organization"))
+        if current_app.config.get("ENTRUST_USE_DEFAULT_CLIENT_ID"):
+            # The ID of the primary client is 1.
+            client_id = 1
+        else:
+            client_id = get_client_id(self.session, issuer_options.get("organization"))
         log_data = {
             "function": f"{__name__}.{sys._getframe().f_code.co_name}",
             "message": f"Organization id: {client_id}"
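Review bot: The `@retry(stop_max_attempt_number=5, wait_fixed=1000)` added above `get_client_id` retries every exception the function raises, not only transport errors: the two `raise Exception(...)` branches under `session.get`, and any failure in the parsing code that continues past the end of this hunk, are all re-run five times with a one-second pause, so a non-transient failure such as an unknown organization or a rejected credential is reported only after roughly five extra round trips to the CA API and up to several minutes of blocking (each attempt can wait the full `(15, 40)` timeout). Only the HTTP call is worth retrying, and because the function converts everything to a bare `Exception` a retry predicate cannot tell the cases apart, so move the call into a small helper whose `retry_on_exception` is limited to `requests.exceptions.Timeout`/`ConnectionError`, and chain the cause with `raise ... from e` so the original error is not lost from the log. The hunk does not add an import for `retry`, so confirm it is already imported (presumably from `retrying`) elsewhere in the file. The new docstring also has a typo: `Helper function for looking up clientID based on Organization and parsing the response.`
```python
@retry(stop_max_attempt_number=5, wait_fixed=1000,
       retry_on_exception=lambda e: isinstance(
           e, (requests.exceptions.Timeout, requests.exceptions.ConnectionError)))
def _get_organizations(session):
    """Fetch the organizations list; only transient transport errors are retried."""
    url = current_app.config.get("ENTRUST_URL") + "/organizations"
    return session.get(url, timeout=(15, 40))


def get_client_id(session, organization):
    # … unchanged: docstring …
    try:
        response = _get_organizations(session)
    except requests.exceptions.Timeout as e:
        raise Exception("Timeout for Getting Organizations") from e
    except requests.exceptions.RequestException as e:
        raise Exception(f"Error for Getting Organization {e}") from e
    # … unchanged: response parsing …
```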
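Review bot: When `ENTRUST_USE_DEFAULT_CLIENT_ID` is set, the new branch orders under `client_id = 1` without ever comparing `issuer_options.get("organization")` against the organizations Entrust has validated for the account, while that same value still goes out in the order as `"org"` through `process_options` (first hunk of this file); a mistyped organization, or one that belongs to a different client, is therefore no longer caught on the Lemur side and surfaces only as an Entrust-side rejection, if at all. That trade-off deserves a comment at the branch, e.g. `# Skips the organization lookup entirely; the requested org is not validated against the account here.`, and the docs entry should state the same caveat. The log entry right below is also now misleading, since the value is a client ID rather than an organization ID: `"message": f"Client id: {client_id}"`. The enclosing method starts and ends outside this hunk, so I cannot see whether the organization is checked elsewhere before the order is placed.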