Merge branch 'master' into ADCS-plugin

2019-02-01 19:10:46 +01:00 · 2019-02-01 19:10:46 +01:00 · 36ab1c0bec
parent c77ccdf46e c60b712523
commit 36ab1c0bec
12 changed files with 94 additions and 49 deletions
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -227,6 +227,10 @@ class Certificate(db.Model):
    def location(self):
        return defaults.location(self.parsed_cert)

+    @property
+    def distinguished_name(self):
+        return self.parsed_cert.subject.rfc4514_string()
+
    @property
    def key_type(self):
        if isinstance(self.parsed_cert.public_key(), rsa.RSAPublicKey):
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@ -206,6 +206,7 @@ class CertificateOutputSchema(LemurOutputSchema):

    cn = fields.String()
    common_name = fields.String(attribute='cn')
+    distinguished_name = fields.String()

    not_after = fields.DateTime()
    validity_end = ArrowDateTime(attribute='not_after')
--- a/lemur/common/missing.py
+++ b/lemur/common/missing.py
@ -16,6 +16,7 @@ def convert_validity_years(data):
        data['validity_start'] = now.isoformat()

        end = now.replace(years=+int(data['validity_years']))
+
        if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True):
            if is_weekend(end):
                end = end.replace(days=-2)
--- a/lemur/manage.py
+++ b/lemur/manage.py
@ -273,10 +273,11 @@ class CreateUser(Command):
        Option('-u', '--username', dest='username', required=True),
        Option('-e', '--email', dest='email', required=True),
        Option('-a', '--active', dest='active', default=True),
-        Option('-r', '--roles', dest='roles', action='append', default=[])
+        Option('-r', '--roles', dest='roles', action='append', default=[]),
+        Option('-p', '--password', dest='password', default=None)
    )

-    def run(self, username, email, active, roles):
+    def run(self, username, email, active, roles, password):
        role_objs = []
        for r in roles:
            role_obj = role_service.get_by_name(r)
@ -286,14 +287,16 @@ class CreateUser(Command):
                sys.stderr.write("[!] Cannot find role {0}\n".format(r))
                sys.exit(1)

-        password1 = prompt_pass("Password")
-        password2 = prompt_pass("Confirm Password")
+        if not password:
+            password1 = prompt_pass("Password")
+            password2 = prompt_pass("Confirm Password")
+            password = password1

-        if password1 != password2:
-            sys.stderr.write("[!] Passwords do not match!\n")
-            sys.exit(1)
+            if password1 != password2:
+                sys.stderr.write("[!] Passwords do not match!\n")
+                sys.exit(1)

-        user_service.create(username, password1, email, active, None, role_objs)
+        user_service.create(username, password, email, active, None, role_objs)
        sys.stdout.write("[+] Created new user: {0}\n".format(username))


--- a/lemur/plugins/lemur_cfssl/plugin.py
+++ b/lemur/plugins/lemur_cfssl/plugin.py
@ -10,6 +10,9 @@

 import json
 import requests
+import base64
+import hmac
+import hashlib

 from flask import current_app

@ -48,6 +51,21 @@ class CfsslIssuerPlugin(IssuerPlugin):
        data = {'certificate_request': csr}
        data = json.dumps(data)

+        try:
+            hex_key = current_app.config.get('CFSSL_KEY')
+            key = bytes.fromhex(hex_key)
+        except (ValueError, NameError):
+            # unable to find CFSSL_KEY in config, continue using normal sign method
+            pass
+        else:
+            data = data.encode()
+
+            token = base64.b64encode(hmac.new(key, data, digestmod=hashlib.sha256).digest())
+            data = base64.b64encode(data)
+
+            data = json.dumps({'token': token.decode('utf-8'), 'request': data.decode('utf-8')})
+
+            url = "{0}{1}".format(current_app.config.get('CFSSL_URL'), '/api/v1/cfssl/authsign')
        response = self.session.post(url, data=data.encode(encoding='utf_8', errors='strict'))
        if response.status_code > 399:
            metrics.send('cfssl_create_certificate_failure', 'counter', 1)
--- a/lemur/plugins/lemur_verisign/plugin.py
+++ b/lemur/plugins/lemur_verisign/plugin.py
@ -111,10 +111,19 @@ def process_options(options):

    data['subject_alt_names'] = ",".join(get_additional_names(options))

+    if options.get('validity_end') > arrow.utcnow().replace(years=2):
+        raise Exception("Verisign issued certificates cannot exceed two years in validity")
+
    if options.get('validity_end'):
-        period = get_default_issuance(options)
-        data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
-        data['validityPeriod'] = period
+        # VeriSign (Symantec) only accepts strictly smaller than 2 year end date
+        if options.get('validity_end') < arrow.utcnow().replace(years=2).replace(days=-1):
+            period = get_default_issuance(options)
+            data['specificEndDate'] = options['validity_end'].format("MM/DD/YYYY")
+            data['validityPeriod'] = period
+        else:
+            # allowing Symantec website setting the end date, given the validity period
+            data['validityPeriod'] = str(get_default_issuance(options))
+            options.pop('validity_end', None)

    elif options.get('validity_years'):
        if options['validity_years'] in [1, 2]:
--- a/lemur/static/app/angular/certificates/view/view.tpl.html
+++ b/lemur/static/app/angular/certificates/view/view.tpl.html
@ -83,6 +83,8 @@
                    </div>
                    <!-- Certificate fields -->
                    <div class="list-group-item">
+                      <dt>Distinguished Name</dt>
+                      <dd>{{ certificate.distinguishedName }}</dd>
                      <dt>Certificate Authority</dt>
                      <dd>{{ certificate.authority ? certificate.authority.name : "Imported" }} <span class="text-muted">({{ certificate.issuer }})</span></dd>
                      <dt>Serial</dt>
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@ -619,6 +619,12 @@ def test_certificate_get_body(client):
    response_body = client.get(api.url_for(Certificates, certificate_id=1), headers=VALID_USER_HEADER_TOKEN).json
    assert response_body['serial'] == '211983098819107449768450703123665283596'
    assert response_body['serialHex'] == '9F7A75B39DAE4C3F9524C68B06DA6A0C'
+    assert response_body['distinguishedName'] == ('CN=LemurTrust Unittests Class 1 CA 2018,'
+                                                  'O=LemurTrust Enterprises Ltd,'
+                                                  'OU=Unittesting Operations Center,'
+                                                  'C=EE,'
+                                                  'ST=N/A,'
+                                                  'L=Earth')


@pytest.mark.parametrize("token,status", [
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@ -4,16 +4,17 @@
 #
 #    pip-compile --no-index --output-file requirements-dev.txt requirements-dev.in
 #
-aspy.yaml==1.1.1          # via pre-commit
+aspy.yaml==1.1.2          # via pre-commit
 bleach==3.1.0             # via readme-renderer
 certifi==2018.11.29       # via requests
 cfgv==1.4.0               # via pre-commit
 chardet==3.0.4            # via requests
 docutils==0.14            # via readme-renderer
 flake8==3.5.0
-identify==1.1.8           # via pre-commit
+identify==1.2.1           # via pre-commit
 idna==2.8                 # via requests
 importlib-metadata==0.8   # via pre-commit
+importlib-resources==1.0.2  # via pre-commit
 invoke==1.2.0
 mccabe==0.6.1             # via flake8
 nodeenv==1.3.3
@ -24,13 +25,13 @@ pyflakes==1.6.0           # via flake8
 pygments==2.3.1           # via readme-renderer
 pyyaml==3.13              # via aspy.yaml, pre-commit
 readme-renderer==24.0     # via twine
-requests-toolbelt==0.8.0  # via twine
+requests-toolbelt==0.9.0  # via twine
 requests==2.21.0          # via requests-toolbelt, twine
 six==1.12.0               # via bleach, cfgv, pre-commit, readme-renderer
 toml==0.10.0              # via pre-commit
-tqdm==4.29.1              # via twine
+tqdm==4.30.0              # via twine
 twine==1.12.1
 urllib3==1.24.1           # via requests
-virtualenv==16.2.0        # via pre-commit
+virtualenv==16.3.0        # via pre-commit
 webencodings==0.5.1       # via bleach
 zipp==0.3.3               # via importlib-metadata
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@ -4,10 +4,10 @@
 #
 #    pip-compile --no-index --output-file requirements-docs.txt requirements-docs.in
 #
-acme==0.30.0
+acme==0.30.2
 alabaster==0.7.12         # via sphinx
 alembic-autogenerate-enums==0.0.2
-alembic==1.0.6
+alembic==1.0.7
 amqp==2.4.0
 aniso8601==4.1.0
 arrow==0.13.0
@ -17,15 +17,15 @@ babel==2.6.0              # via sphinx
 bcrypt==3.1.6
 billiard==3.5.0.5
 blinker==1.4
-boto3==1.9.80
-botocore==1.12.80
+boto3==1.9.86
+botocore==1.12.86
 celery[redis]==4.2.1
 certifi==2018.11.29
 cffi==1.11.5
 chardet==3.0.4
 click==7.0
 cloudflare==2.1.0
-cryptography==2.4.2
+cryptography==2.5
 dnspython3==1.15.0
 dnspython==1.15.0
 docutils==0.14
@ -57,18 +57,18 @@ marshmallow-sqlalchemy==0.15.0
 marshmallow==2.18.0
 mock==2.0.0
 ndg-httpsclient==0.5.1
-packaging==18.0           # via sphinx
+packaging==19.0           # via sphinx
 paramiko==2.4.2
 pbr==5.1.1
 pem==18.2.0
-psycopg2==2.7.6.1
-pyasn1-modules==0.2.3
+psycopg2==2.7.7
+pyasn1-modules==0.2.4
 pyasn1==0.4.5
 pycparser==2.19
 pygments==2.3.1           # via sphinx
 pyjwt==1.7.1
 pynacl==1.3.0
-pyopenssl==18.0.0
+pyopenssl==19.0.0
 pyparsing==2.3.1          # via packaging
 pyrfc3339==1.1
 python-dateutil==2.7.5
@ -77,7 +77,7 @@ pytz==2018.9
 pyyaml==3.13
 raven[flask]==6.10.0
 redis==2.10.6
-requests-toolbelt==0.8.0
+requests-toolbelt==0.9.0
 requests[security]==2.21.0
 retrying==1.3.3
 s3transfer==0.1.13
@ -88,8 +88,8 @@ sphinx==1.8.3
 sphinxcontrib-httpdomain==1.7.0
 sphinxcontrib-websupport==1.1.0  # via sphinx
 sqlalchemy-utils==0.33.11
-sqlalchemy==1.2.16
-tabulate==0.8.2
+sqlalchemy==1.2.17
+tabulate==0.8.3
 urllib3==1.24.1
 vine==1.2.0
 werkzeug==0.14.1
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@ -8,30 +8,30 @@ asn1crypto==0.24.0        # via cryptography
 atomicwrites==1.2.1       # via pytest
 attrs==18.2.0             # via pytest
 aws-xray-sdk==0.95        # via moto
-boto3==1.9.80             # via moto
+boto3==1.9.86             # via moto
 boto==2.49.0              # via moto
-botocore==1.12.80         # via boto3, moto, s3transfer
+botocore==1.12.86         # via boto3, moto, s3transfer
 certifi==2018.11.29       # via requests
 cffi==1.11.5              # via cryptography
 chardet==3.0.4            # via requests
 click==7.0                # via flask
 coverage==4.5.2
-cryptography==2.4.2       # via moto
+cryptography==2.5         # via moto
 docker-pycreds==0.4.0     # via docker
 docker==3.7.0             # via moto
 docutils==0.14            # via botocore
 ecdsa==0.13               # via python-jose
 factory-boy==2.11.1
-faker==1.0.1
+faker==1.0.2
 flask==1.0.2              # via pytest-flask
 freezegun==0.3.11
 future==0.17.1            # via python-jose
-idna==2.8                 # via cryptography, requests
+idna==2.8                 # via requests
 itsdangerous==1.1.0       # via flask
 jinja2==2.10              # via flask, moto
 jmespath==0.9.3           # via boto3, botocore
 jsondiff==1.1.1           # via moto
-jsonpickle==1.0           # via aws-xray-sdk
+jsonpickle==1.1           # via aws-xray-sdk
 markupsafe==1.1.0         # via jinja2
 mock==2.0.0               # via moto
 more-itertools==5.0.0     # via pytest
@ -42,8 +42,8 @@ pluggy==0.8.1             # via pytest
 py==1.7.0                 # via pytest
 pyaml==18.11.0            # via moto
 pycparser==2.19           # via cffi
-pycryptodome==3.7.2       # via python-jose
-pyflakes==2.0.0
+pycryptodome==3.7.3       # via python-jose
+pyflakes==2.1.0
 pytest-flask==0.14.0
 pytest-mock==1.10.0
 pytest==4.1.1
@ -60,5 +60,5 @@ text-unidecode==1.2       # via faker
 urllib3==1.24.1           # via botocore, requests
 websocket-client==0.54.0  # via docker
 werkzeug==0.14.1          # via flask, moto, pytest-flask
-wrapt==1.11.0             # via aws-xray-sdk
+wrapt==1.11.1             # via aws-xray-sdk
 xmltodict==0.11.0         # via moto
--- a/requirements.txt
+++ b/requirements.txt
@ -4,9 +4,9 @@
 #
 #    pip-compile --no-index --output-file requirements.txt requirements.in
 #
-acme==0.30.0
+acme==0.30.2
 alembic-autogenerate-enums==0.0.2
-alembic==1.0.6            # via flask-migrate
+alembic==1.0.7            # via flask-migrate
 amqp==2.4.0               # via kombu
 aniso8601==4.1.0          # via flask-restful
 arrow==0.13.0
@ -15,8 +15,8 @@ asyncpool==1.0
 bcrypt==3.1.6             # via flask-bcrypt, paramiko
 billiard==3.5.0.5         # via celery
 blinker==1.4              # via flask-mail, flask-principal, raven
-boto3==1.9.80
-botocore==1.12.80
+boto3==1.9.86
+botocore==1.12.86
 celery[redis]==4.2.1
 certifi==2018.11.29
 certsrv==2.1.0
@ -24,7 +24,7 @@ cffi==1.11.5              # via bcrypt, cryptography, pynacl
 chardet==3.0.4            # via requests
 click==7.0                # via flask
 cloudflare==2.1.0
-cryptography==2.4.2
+cryptography==2.5
 dnspython3==1.15.0
 dnspython==1.15.0         # via dnspython3
 docutils==0.14            # via botocore
@ -40,7 +40,7 @@ flask-sqlalchemy==2.3.2
 flask==1.0.2
 future==0.17.1
 gunicorn==19.9.0
-idna==2.8                 # via cryptography, requests
+idna==2.8                 # via requests
 inflection==0.3.1
 itsdangerous==1.1.0       # via flask
 jinja2==2.10
@ -58,13 +58,13 @@ ndg-httpsclient==0.5.1
 paramiko==2.4.2
 pbr==5.1.1                # via mock
 pem==18.2.0
-psycopg2==2.7.6.1
-pyasn1-modules==0.2.3     # via python-ldap
+psycopg2==2.7.7
+pyasn1-modules==0.2.4     # via python-ldap
 pyasn1==0.4.5             # via ndg-httpsclient, paramiko, pyasn1-modules, python-ldap
 pycparser==2.19           # via cffi
 pyjwt==1.7.1
 pynacl==1.3.0             # via paramiko
-pyopenssl==18.0.0
+pyopenssl==19.0.0
 pyrfc3339==1.1            # via acme
 python-dateutil==2.7.5    # via alembic, arrow, botocore
 python-editor==1.0.3      # via alembic
@ -73,14 +73,14 @@ pytz==2018.9              # via acme, celery, flask-restful, pyrfc3339
 pyyaml==3.13              # via cloudflare
 raven[flask]==6.10.0
 redis==2.10.6
-requests-toolbelt==0.8.0  # via acme
+requests-toolbelt==0.9.0  # via acme
 requests[security]==2.21.0
 retrying==1.3.3
 s3transfer==0.1.13        # via boto3
 six==1.12.0
 sqlalchemy-utils==0.33.11
-sqlalchemy==1.2.16        # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils
-tabulate==0.8.2
+sqlalchemy==1.2.17        # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils
+tabulate==0.8.3
 urllib3==1.24.1           # via botocore, requests
 vine==1.2.0               # via amqp
 werkzeug==0.14.1          # via flask