Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'master' into re-enable-gulp-backend-proxy

This commit is contained in:
Curtis 2019-05-08 07:19:51 -07:00 committed by GitHub
parent 1492890ac7 3500be39aa
commit 34640e009b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 55 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
docs/administration.rst
View File

@ -642,7 +642,7 @@ for those plugins.
Digicert Issuer Plugin Digicert Issuer Plugin
~~~~~~~~~~~~~~~~~~~~~~ ^^^^^^^^^^^^^^^^^^^^^^
The following configuration properties are required to use the Digicert issuer plugin. The following configuration properties are required to use the Digicert issuer plugin.
@ -709,6 +709,33 @@ The following configuration properties are required to use the CFSSL issuer plug
This is the intermediate to be used for your CA chain This is the intermediate to be used for your CA chain
.. data:: CFSSL_KEY
:noindex:
This is the hmac key to authenticate to the CFSSL service. (Optional)
Hashicorp Vault Source/Destination Plugin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Lemur can import and export certificate data to and from a Hashicorp Vault secrets store. Lemur can connect to a different Vault service per source/destination.
.. note:: This plugin does not supersede or overlap the 3rd party Vault Issuer plugin.
.. note:: Vault does not have any configuration properties however it does read from a file on disk for a vault access token. The Lemur service account needs read access to this file.
Vault Source
""""""""""""
The Vault Source Plugin will read from one Vault object location per source defined. There is expected to be one or more certificates defined in each object in Vault.
Vault Destination
"""""""""""""""""
A Vault destination can be one object in Vault or a directory where all certificates will be stored as their own object by CN.
Vault Destination supports a regex filter to prevent certificates with SAN that do not match the regex filter from being deployed. This is an optional feature per destination defined.
AWS Source/Destination Plugin AWS Source/Destination Plugin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -1194,6 +1221,26 @@ CFSSL
:Description: :Description:
Basic support for generating certificates from the private certificate authority CFSSL Basic support for generating certificates from the private certificate authority CFSSL
Vault
-----
:Authors:
Christopher Jolley <chris@alwaysjolley.com>
:Type:
Source
:Description:
Source plugin imports certificates from Hashicorp Vault secret store.
Vault
-----
:Authors:
Christopher Jolley <chris@alwaysjolley.com>
:Type:
Destination
:Description:
Destination plugin to deploy certificates to Hashicorp Vault secret store.
3rd Party Plugins 3rd Party Plugins
================= =================

8
lemur/auth/views.py
View File

@ -112,11 +112,17 @@ def retrieve_user(user_api_url, access_token):
""" """
user_params = dict(access_token=access_token, schema='profile') user_params = dict(access_token=access_token, schema='profile')
headers = {}
if current_app.config.get('PING_INCLUDE_BEARER_TOKEN'):
headers = {'Authorization': f'Bearer {access_token}'}
# retrieve information about the current user. # retrieve information about the current user.
r = requests.get( r = requests.get(
user_api_url, user_api_url,
params=user_params, params=user_params,
headers={'Authorization': 'Bearer {}'.format(access_token)}) headers=headers,
)
profile = r.json() profile = r.json()
user = user_service.get_by_email(profile['email']) user = user_service.get_by_email(profile['email'])