From 4afdc13b0362a5aa103fd3c99be2e2246db38cd8 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Fri, 15 Jan 2021 16:44:05 -0800
Subject: [PATCH 1/4] adding config to use the default clientID
---
 lemur/plugins/lemur_entrust/plugin.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index 903bd7a9..bc7a8689 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
@@ -80,7 +80,6 @@ def process_options(options, client_id):
 "eku": "SERVER_AND_CLIENT_AUTH",
 "certType": product_type,
 "certExpiryDate": validity_end,
- # "keyType": "RSA", Entrust complaining about this parameter
 "tracking": tracking_data,
 "org": options.get("organization"),
 "clientId": client_id
@@ -229,7 +228,11 @@ class EntrustIssuerPlugin(IssuerPlugin):
 except requests.exceptions.RequestException as e:
 raise Exception(f"Error for Getting Organization {e}")
- client_id = get_client_id(response, issuer_options.get("organization"))
+ if current_app.config.get("ENTRUST_USE_DEFAULT_CLIENT_ID"):
+ # The ID of the primary client is 1.
+ client_id = 1
+ else:
+ client_id = get_client_id(response, issuer_options.get("organization"))
 log_data = {
 "function": f"{__name__}.{sys._getframe().f_code.co_name}",
 "message": f"Organization id: {client_id}"
From 45dfb1beb34f5a77d019d8c387417a498e23117b Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Fri, 15 Jan 2021 16:44:23 -0800
Subject: [PATCH 2/4] documentation
---
 docs/administration.rst | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/docs/administration.rst b/docs/administration.rst
index 59611c0f..025b47b1 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
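Review bot: The log entry right after the new branch still reads `"message": f"Organization id: {client_id}"`, but the value logged is the Entrust client id (the literal 1 when the flag is set), so the message is mislabeled on both paths; `"message": f"Client id: {client_id}"` would match what is actually logged. The bare `client_id = 1` would be clearer as a named module constant such as `ENTRUST_DEFAULT_CLIENT_ID = 1`, which the comment would then not need to explain. Because the flag is read with `config.get(...)` and tested for truthiness, any non-empty value enables the shortcut — fine if the config is loaded as Python, but worth a `is True` comparison if values can arrive as strings (I cannot see how the config is loaded). The enclosing method starts outside the hunk, and the block reappears in its final form in the last hunk of PATCH 4/4 (`@@ -220,20 +233,11 @@`), where the same points apply.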
@@ -941,6 +941,12 @@ The following parameters have to be set in the configuration files. If there is a config variable ENTRUST_PRODUCT_ take the value as cert product name else default to "STANDARD_SSL". Refer to the API documentation for valid products names.
+.. data:: ENTRUST_USE_DEFAULT_CLIENT_ID
+ :noindex:
+
+ If set to True, Entrust will use the primary client ID of 1, which applies to most use-case.
+ Otherwise, Entrust will first lookup the clientId before ordering the certificate.
+
 Verisign Issuer Plugin
 ~~~~~~~~~~~~~~~~~~~~~~
From 3df63469e623ba23057679f2aff6e61bd1b57a64 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Mon, 18 Jan 2021 11:57:49 -0800
Subject: [PATCH 3/4] retry
---
 lemur/plugins/lemur_entrust/plugin.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index bc7a8689..422bd4fb 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
@@ -87,6 +87,7 @@ def process_options(options, client_id):
 return data
+@retry(stop_max_attempt_number=5, wait_fixed=1000)
 def get_client_id(my_response, organization):
 """
 Helper function for parsing responses from the Entrust API.
From e6a414a069d819b2cc593de7f9f2ad999239b219 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Mon, 18 Jan 2021 14:04:01 -0800
Subject: [PATCH 4/4] moving clientID logic into the respective method, that we want to bypass.
---
 lemur/plugins/lemur_entrust/plugin.py | 34 +++++++++++++++------------
 1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index 422bd4fb..1efc350e 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
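Review bot: `@retry(stop_max_attempt_number=5, wait_fixed=1000)` carries no `retry_on_exception` filter, so every exception raised by `get_client_id` is retried — including deterministic ones such as an organization that is simply absent from the response — which turns a configuration error into five identical attempts and roughly four seconds of delay (assuming this is the `retrying` package's decorator, as its keyword names suggest). At this commit the function only parses an already-fetched in-memory response, so the retries cannot change the outcome at all; PATCH 4/4 (`@@ -88,14 +88,27 @@`) moves the HTTP call inside the function, where a retry makes sense, but the same unfiltered policy remains there. Suggest retrying only transport errors, e.g. `retry_on_exception=lambda e: isinstance(e, requests.exceptions.RequestException)`, which also requires the `except` blocks in that later hunk to re-raise a type the filter can recognise instead of a bare `Exception`. The body of `get_client_id` continues past the hunk.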
@@ -88,14 +88,27 @@ def process_options(options, client_id):
 @retry(stop_max_attempt_number=5, wait_fixed=1000)
-def get_client_id(my_response, organization):
+def get_client_id(session, organization):
 """
- Helper function for parsing responses from the Entrust API.
- :param content:
- :return: :raise Exception:
+ Helper function for looking up clientID pased on Organization and parsing the response.
+ :param session:
+ :param organization: the validated org with Entrust, for instance "Company, Inc."
+ :return: ClientID
+ :raise Exception:
 """
+
+ # get the organization ID
+ url = current_app.config.get("ENTRUST_URL") + "/organizations"
 try:
- d = json.loads(my_response.content)
+ response = session.get(url, timeout=(15, 40))
+ except requests.exceptions.Timeout:
+ raise Exception("Timeout for Getting Organizations")
+ except requests.exceptions.RequestException as e:
+ raise Exception(f"Error for Getting Organization {e}")
+
+ # parse the response
+ try:
+ d = json.loads(response.content)
 except ValueError:
 # catch an empty json object here
 d = {'response': 'No detailed message'}
@@ -220,20 +233,11 @@ class EntrustIssuerPlugin(IssuerPlugin):
 }
 current_app.logger.info(log_data)
- # firstly we need the organization ID
- url = current_app.config.get("ENTRUST_URL") + "/organizations"
- try:
- response = self.session.get(url, timeout=(15, 40))
- except requests.exceptions.Timeout:
- raise Exception("Timeout for Getting Organizations")
- except requests.exceptions.RequestException as e:
- raise Exception(f"Error for Getting Organization {e}")
-
 if current_app.config.get("ENTRUST_USE_DEFAULT_CLIENT_ID"):
 # The ID of the primary client is 1.
 client_id = 1
 else:
- client_id = get_client_id(response, issuer_options.get("organization"))
+ client_id = get_client_id(self.session, issuer_options.get("organization"))
 log_data = {
 "function": f"{__name__}.{sys._getframe().f_code.co_name}",
 "message": f"Organization id: {client_id}"
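Review bot: The response from `session.get(url, timeout=(15, 40))` is handed to `json.loads` without any status check, so a 401/403/5xx body is parsed like a success and whatever the rest of the function does with it (outside the hunk) sees something that is not the organization list, surfacing as a confusing parse or not-found failure rather than the HTTP error; adding `response.raise_for_status()` inside the same `try` lets the existing `except requests.exceptions.RequestException as e` branch report it directly. The new docstring has a typo, `pased` should be `based`, and `:param session:` is left empty — something like `:param session: requests session authenticated against the Entrust API` would do, assuming that is how the session is built (I cannot see its construction). Both `raise Exception(...)` lines drop the original cause; `raise Exception(f"Error for Getting Organization {e}") from e` keeps it in tracebacks and logs. The function continues past the hunk.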