From e300cf6e1b5dc1d8bb4d36c69881b74824db0e92 Mon Sep 17 00:00:00 2001
From: Curtis Castrapel
Date: Thu, 30 May 2019 13:34:44 -0700
Subject: [PATCH 01/10] Downgrade Kombu
---
 requirements-docs.txt | 2 +-
 requirements.in | 2 +-
 requirements.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/requirements-docs.txt b/requirements-docs.txt
index fbd70c49..afd01a77 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -53,7 +53,7 @@ jinja2==2.10.1
 jmespath==0.9.4
 josepy==1.1.0
 jsonlines==1.2.0
-kombu==4.6.0
+kombu==4.5.0
 lockfile==0.12.2
 logmatic-python==0.1.7
 mako==1.0.10
diff --git a/requirements.in b/requirements.in
index ae64c225..d766b7a9 100644
--- a/requirements.in
+++ b/requirements.in
@@ -28,7 +28,7 @@ gunicorn
 hvac # required for the vault destination plugin
 inflection
 jinja2
-kombu
+kombu<4.6.0 # Bug with inspecting active tasks: https://github.com/celery/kombu/issues/1051
 lockfile
 logmatic-python
 marshmallow-sqlalchemy
diff --git a/requirements.txt b/requirements.txt
index 7dde8a3d..4542d440 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -50,7 +50,7 @@ jinja2==2.10.1
 jmespath==0.9.4 # via boto3, botocore
 josepy==1.1.0 # via acme
 jsonlines==1.2.0 # via cloudflare
-kombu==4.6.0
+kombu==4.5.0
 lockfile==0.12.2
 logmatic-python==0.1.7
 mako==1.0.10 # via alembic
From 28b216273d6cb9e9f009816e6c9fc96362c39ab3 Mon Sep 17 00:00:00 2001
From: Kush Bavishi
Date: Fri, 31 May 2019 14:07:26 -0700
Subject: [PATCH 02/10] Upgrading Gulp. If this is not necessary, we can remove it later.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index f47978db..fe1267a6 100644
--- a/package.json
+++ b/package.json
@@ -9,7 +9,6 @@
 "bower": "^1.8.2",
 "browser-sync": "^2.3.1",
 "del": "^2.2.2",
-"gulp": "^3.8.11",
 "gulp-autoprefixer": "^3.1.1",
 "gulp-cache": "^0.4.5",
 "gulp-concat": "^2.4.1",
@@ -60,6 +59,7 @@
 "test": "gulp test"
 },
 "devDependencies": {
+"gulp": "^3.9.1",
 "jshint": "^2.8.0",
 "karma-chrome-launcher": "^2.0.0"
 }
From 45231c2423a95fddbc9804fab99db61a817d43f7 Mon Sep 17 00:00:00 2001
From: Kush Bavishi
Date: Fri, 31 May 2019 14:08:28 -0700
Subject: [PATCH 03/10] Added code to automatically add the common name as a DNS name while creating a certificate.
---
 .../certificate/tracking.tpl.html | 2 ++
 .../app/angular/certificates/services.js | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
index b64f6e3d..573510cd 100644
--- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
+++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html
@@ -33,6 +33,8 @@
 uib-tooltip="If you need a certificate with multiple domains enter your primary domain here and the rest under 'Subject Alternate Names' by clicking 'More Options'"
 ng-model="certificate.commonName"
 placeholder="Common Name"
 class="form-control"
 ng-maxlength="64"
+ng-blur="certificate.attachCommonName()"
+ng-focus="certificate.removeCommonName()"
 required/>

diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js
index ecd7870f..3a23076d 100644
--- a/lemur/static/app/angular/certificates/services.js
+++ b/lemur/static/app/angular/certificates/services.js
@@ -18,6 +18,26 @@ angular.module('lemur')
 this.authority = authority;
 this.authority.maxDate = moment(this.authority.notAfter).subtract(1, 'days').format('YYYY/MM/DD');
 },
+attachCommonName: function () {
+if (this.extensions === undefined) {
+this.extensions = {};
+}
+
+if (this.extensions.subAltNames === undefined) {
+this.extensions.subAltNames = {'names': []};
+}
+
+if (angular.isString(this.commonName)) {
+this.extensions.subAltNames.names.unshift({'nameType': 'DNSName', 'value': this.commonName});
+}
+},
+removeCommonName: function () {
+if (angular.isDefined(this.extensions) && angular.isDefined(this.extensions.subAltNames)) {
+if (angular.equals(this.extensions.subAltNames.names[0].value, this.commonName)) {
+this.extensions.subAltNames.names.shift();
+}
+}
+},
 attachSubAltName: function () {
 if (this.extensions === undefined) {
 this.extensions = {};
From aeb32f4853a4ac0cdeeba85ba8ec561aebc97a18 Mon Sep 17 00:00:00 2001
From: Curtis Castrapel
Date: Tue, 4 Jun 2019 08:21:52 -0700
Subject: [PATCH 04/10] Upgrade docker to 3.7
---
 Dockerfile | 2 +-
 requirements-docs.txt | 14 +++++++-------
 requirements-tests.txt | 20 +++++++++++---------
 requirements.txt | 12 ++++++------
 4 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b9d7335e..b9439be7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.5
+FROM python:3.7
 RUN apt-get update
 RUN apt-get install -y make software-properties-common curl
 RUN curl -sL https://deb.nodesource.com/setup_7.x | bash -
diff --git a/requirements-docs.txt b/requirements-docs.txt
index afd01a77..c0fe427e 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
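Review bot: `removeCommonName` reads `this.extensions.subAltNames.names[0].value` without checking that the list has an element, so a focus event while the SAN list is empty throws a TypeError inside the digest; guard it with `var names = this.extensions.subAltNames.names;` and `if (names.length > 0 && angular.equals(names[0].value, this.commonName))`. In `attachCommonName`, `angular.isString(this.commonName)` is also true for the empty string, so blurring an untouched field unshifts a DNSName entry with an empty value; `if (angular.isString(this.commonName) && this.commonName.length > 0)` avoids that. Because the entry is only removed when it still sits at index 0, any reordering of the SAN list between blur and focus leaves a stale copy behind — presumably acceptable, but a comment on the pair (`// blur/focus hooks: mirror the CN as the first DNSName SAN while the field is not being edited`) would make the coupling explicit. The CN is copied verbatim into the SAN list, so a CN that is not a hostname becomes a DNSName SAN here; I assume the server-side validation still rejects that.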
@@ -10,15 +10,15 @@ alembic-autogenerate-enums==0.0.2
 alembic==1.0.10
 amqp==2.5.0
 aniso8601==6.0.0
-arrow==0.13.2
+arrow==0.14.2
 asn1crypto==0.24.0
 asyncpool==1.0
 babel==2.7.0 # via sphinx
 bcrypt==3.1.6
 billiard==3.6.0.0
 blinker==1.4
-boto3==1.9.158
-botocore==1.12.158
+boto3==1.9.160
+botocore==1.12.160
 celery[redis]==4.3.0
 certifi==2019.3.9
 certsrv==2.1.1
@@ -26,7 +26,7 @@ cffi==1.12.3
 chardet==3.0.4
 click==7.0
 cloudflare==2.3.0
-cryptography==2.6.1
+cryptography==2.7
 dnspython3==1.15.0
 dnspython==1.15.0
 docutils==0.14
@@ -36,7 +36,7 @@ flask-cors==3.0.7
 flask-mail==0.9.1
 flask-migrate==2.5.2
 flask-principal==0.4.0
-flask-replicated==1.2
+flask-replicated==1.3
 flask-restful==0.3.7
 flask-script==2.0.6
 flask-sqlalchemy==2.4.0
@@ -56,7 +56,7 @@ jsonlines==1.2.0
 kombu==4.5.0
 lockfile==0.12.2
 logmatic-python==0.1.7
-mako==1.0.10
+mako==1.0.11
 markupsafe==1.1.1
 marshmallow-sqlalchemy==0.16.3
 marshmallow==2.19.2
@@ -91,7 +91,7 @@ s3transfer==0.2.0
 six==1.12.0
 snowballstemmer==1.2.1 # via sphinx
 sphinx-rtd-theme==0.4.3
-sphinx==2.0.1
+sphinx==2.1.0
 sphinxcontrib-applehelp==1.0.1 # via sphinx
 sphinxcontrib-devhelp==1.0.1 # via sphinx
 sphinxcontrib-htmlhelp==1.0.2 # via sphinx
diff --git a/requirements-tests.txt b/requirements-tests.txt
index cf53fa17..77bc92af 100644
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@@ -12,16 +12,16 @@ aws-sam-translator==1.11.0 # via cfn-lint
 aws-xray-sdk==2.4.2 # via moto
 bandit==1.6.0
 black==19.3b0
-boto3==1.9.158 # via aws-sam-translator, moto
+boto3==1.9.160 # via aws-sam-translator, moto
 boto==2.49.0 # via moto
-botocore==1.12.158 # via aws-xray-sdk, boto3, moto, s3transfer
+botocore==1.12.160 # via aws-xray-sdk, boto3, moto, s3transfer
 certifi==2019.3.9 # via requests
 cffi==1.12.3 # via cryptography
-cfn-lint==0.21.3 # via moto
+cfn-lint==0.21.4 # via moto
 chardet==3.0.4 # via requests
 click==7.0 # via black, flask
 coverage==4.5.3
-cryptography==2.6.1 # via moto
+cryptography==2.7 # via moto
 docker==4.0.1 # via moto
 docutils==0.14 # via botocore
 ecdsa==0.13.2 # via python-jose
@@ -33,7 +33,7 @@ future==0.17.1 # via aws-xray-sdk, python-jose
 gitdb2==2.0.5 # via gitpython
 gitpython==2.1.11 # via bandit
 idna==2.8 # via moto, requests
-importlib-metadata==0.17 # via pluggy
+importlib-metadata==0.17 # via pluggy, pytest
 itsdangerous==1.1.0 # via flask
 jinja2==2.10.1 # via flask, moto
 jmespath==0.9.4 # via boto3, botocore
@@ -47,30 +47,32 @@ mock==3.0.5 # via moto
 more-itertools==7.0.0 # via pytest
 moto==1.3.8
 nose==1.3.7
+packaging==19.0 # via pytest
 pbr==5.2.1 # via stevedore
 pluggy==0.12.0 # via pytest
 py==1.8.0 # via pytest
 pyasn1==0.4.5 # via rsa
 pycparser==2.19 # via cffi
 pyflakes==2.1.1
+pyparsing==2.4.0 # via packaging
 pytest-flask==0.15.0
 pytest-mock==1.10.4
-pytest==4.5.0
+pytest==4.6.2
 python-dateutil==2.8.0 # via botocore, faker, freezegun, moto
 python-jose==3.0.1 # via moto
 pytz==2019.1 # via moto
 pyyaml==5.1
 requests-mock==1.6.0
-requests==2.21.0 # via cfn-lint, docker, moto, requests-mock, responses
+requests==2.22.0 # via cfn-lint, docker, moto, requests-mock, responses
 responses==0.10.6 # via moto
 rsa==4.0 # via python-jose
 s3transfer==0.2.0 # via boto3
-six==1.12.0 # via aws-sam-translator, bandit, cfn-lint, cryptography, docker, faker, freezegun, mock, moto, pytest, python-dateutil, python-jose, requests-mock, responses, stevedore, websocket-client
+six==1.12.0 # via aws-sam-translator, bandit, cfn-lint, cryptography, docker, faker, freezegun, mock, moto, packaging, pytest, python-dateutil, python-jose, requests-mock, responses, stevedore, websocket-client
 smmap2==2.0.5 # via gitdb2
 stevedore==1.30.1 # via bandit
 text-unidecode==1.2 # via faker
 toml==0.10.0 # via black
-urllib3==1.24.3 # via botocore, requests
+urllib3==1.25.3 # via botocore, requests
 wcwidth==0.1.7 # via pytest
 websocket-client==0.56.0 # via docker
 werkzeug==0.15.4 # via flask, moto, pytest-flask
diff --git a/requirements.txt b/requirements.txt
index 4542d440..c19c7b6e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,14 +9,14 @@ alembic-autogenerate-enums==0.0.2
 alembic==1.0.10 # via flask-migrate
 amqp==2.5.0 # via kombu
 aniso8601==6.0.0 # via flask-restful
-arrow==0.13.2
+arrow==0.14.2
 asn1crypto==0.24.0 # via cryptography
 asyncpool==1.0
 bcrypt==3.1.6 # via flask-bcrypt, paramiko
 billiard==3.6.0.0 # via celery
 blinker==1.4 # via flask-mail, flask-principal, raven
-boto3==1.9.158
-botocore==1.12.158
+boto3==1.9.160
+botocore==1.12.160
 celery[redis]==4.3.0
 certifi==2019.3.9
 certsrv==2.1.1
@@ -24,7 +24,7 @@ cffi==1.12.3 # via bcrypt, cryptography, pynacl
 chardet==3.0.4 # via requests
 click==7.0 # via flask
 cloudflare==2.3.0
-cryptography==2.6.1
+cryptography==2.7
 dnspython3==1.15.0
 dnspython==1.15.0 # via dnspython3
 docutils==0.14 # via botocore
@@ -34,7 +34,7 @@ flask-cors==3.0.7
 flask-mail==0.9.1
 flask-migrate==2.5.2
 flask-principal==0.4.0
-flask-replicated==1.2
+flask-replicated==1.3
 flask-restful==0.3.7
 flask-script==2.0.6
 flask-sqlalchemy==2.4.0
@@ -53,7 +53,7 @@ jsonlines==1.2.0 # via cloudflare
 kombu==4.5.0
 lockfile==0.12.2
 logmatic-python==0.1.7
-mako==1.0.10 # via alembic
+mako==1.0.11 # via alembic
 markupsafe==1.1.1 # via jinja2, mako
 marshmallow-sqlalchemy==0.16.3
 marshmallow==2.19.2
From 28e26a1bafe2636e52e2a1acbbe4de293b4e73d5 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Wed, 5 Jun 2019 17:57:11 -0700
Subject: [PATCH 05/10] to prevent duplicate emails, we might better remove owner and security email address from the notification recipient
---
 lemur/notifications/messaging.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/lemur/notifications/messaging.py b/lemur/notifications/messaging.py
index 919b73db..928febd6 100644
--- a/lemur/notifications/messaging.py
+++ b/lemur/notifications/messaging.py
@@ -140,12 +140,6 @@ def send_expiration_notifications(exclude):
 notification_data.append(cert_data)
 security_data.append(cert_data)
-notification_recipient = get_plugin_option(
-"recipients", notification.options
-)
-if notification_recipient:
-notification_recipient = notification_recipient.split(",")
-
 if send_notification(
 "expiration", notification_data, [owner], notification
 ):
@@ -153,10 +147,16 @@ def send_expiration_notifications(exclude):
 else:
 failure += 1
+notification_recipient = get_plugin_option(
+"recipients", notification.options
+)
+if notification_recipient:
+notification_recipient = notification_recipient.split(",")
+# removing owner and security_email from notification_recipient
+notification_recipient = [i for i in notification_recipient if i not in security_email and i != owner]
+
 if (
 notification_recipient
-and owner != notification_recipient
-and security_email != notification_recipient
 ):
 if send_notification(
 "expiration",
From 0446aea20e67452b7ecc3afaf408ef70c00f46e6 Mon Sep 17 00:00:00 2001
From: Curtis
Date: Thu, 6 Jun 2019 13:35:45 -0700
Subject: [PATCH 06/10] Update messaging.py
---
 lemur/notifications/messaging.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemur/notifications/messaging.py b/lemur/notifications/messaging.py
index 928febd6..82db7b6e 100644
--- a/lemur/notifications/messaging.py
+++ b/lemur/notifications/messaging.py
@@ -52,7 +52,7 @@ def get_certificates(exclude=None):
 certs = []
-for c in windowed_query(q, Certificate.id, 100):
+for c in windowed_query(q, Certificate.id, 10000):
 if needs_notification(c):
 certs.append(c)
From 491d048948be684e28904e4ccb23bd7e347d82c6 Mon Sep 17 00:00:00 2001
From: Kush Bavishi
Date: Mon, 10 Jun 2019 09:47:29 -0700
Subject: [PATCH 07/10] Modified the behavior of Permalink to access a newer, faster API
---
 .../app/angular/certificates/view/view.js | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)
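Review bot: The new comprehension in the second hunk of this patch compares each recipient with `owner` and `security_email` exactly, but `notification_recipient.split(",")` does not strip whitespace, so a configured value like `a@example.com, owner@example.com` keeps the owner entry and hands `" owner@example.com"` to the plugin; `notification_recipient = [i.strip() for i in notification_recipient.split(",")]` before the filter fixes both. `i not in security_email` is only a membership test if `security_email` is a list — if it is a plain string, `in` becomes a substring test and a recipient such as `sec` would be silently dropped; the variable is assigned outside the hunk, so please confirm its type or normalise it to a list at that point. The comprehension line is also well beyond the width the rest of this function appears to be formatted to; breaking it over several lines keeps the file consistent. `send_expiration_notifications` starts and ends outside the hunk.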
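Review bot: Raising the window in `get_certificates` from 100 to 10000 loads a hundred times as many `Certificate` rows per batch, which changes the memory profile of a notification run, and the commit message (`Update messaging.py`) gives no reason. A short comment on the line, such as `# large window: fewer round-trips on deployments with many certificates`, or a named module-level constant, would record the intent for the next reader. If the value was tuned for one deployment, reading it from application config (where this module already has access to it) would be preferable to a magic number. `get_certificates` extends beyond the hunk.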
diff --git a/lemur/static/app/angular/certificates/view/view.js b/lemur/static/app/angular/certificates/view/view.js
index 0008dd64..619afffb 100644
--- a/lemur/static/app/angular/certificates/view/view.js
+++ b/lemur/static/app/angular/certificates/view/view.js
@@ -17,7 +17,7 @@ angular.module('lemur')
 });
 })
-.controller('CertificatesViewController', function ($q, $scope, $uibModal, $stateParams, CertificateApi, CertificateService, MomentService, ngTableParams, toaster) {
+.controller('CertificatesViewController', function ($q, $scope, $uibModal, $stateParams, $location, CertificateApi, CertificateService, MomentService, ngTableParams, toaster) {
 $scope.filter = $stateParams;
 $scope.certificateTable = new ngTableParams({
 page: 1, // show first page
@@ -29,11 +29,24 @@ angular.module('lemur')
 }, {
 total: 0, // length of data
 getData: function ($defer, params) {
-CertificateApi.getList(params.url())
-.then(function (data) {
-params.total(data.total);
-$defer.resolve(data);
-});
+$scope.path = $location.path();
+// Handle Permalink clicks through a separate API
+// Clicking on Permalink adds the certificate name to the URL after "certificates/", which is used to identify the click
+if ($scope.path.indexOf("certificates/") > -1 && $scope.path.split("/")[2].length > 0) {
+$scope.certificateName = $scope.path.split("/")[2];
+CertificateApi.one('name').one($scope.certificateName).getList()
+.then(function (data) {
+params.total(data.total);
+$defer.resolve(data);
+});
+}
+else {
+CertificateApi.getList(params.url())
+.then(function (data) {
+params.total(data.total);
+$defer.resolve(data);
+});
+}
 }
 });
From c0f8fbb24fe3426901665dd8eb5db793dde2031e Mon Sep 17 00:00:00 2001
From: Kush Bavishi
Date: Tue, 11 Jun 2019 14:51:24 -0700
Subject: [PATCH 08/10] Modified Permalink behavior to access a newer, faster API
---
 lemur/static/app/angular/certificates/view/view.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
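Review bot: The permalink test in `getData` only establishes that `certificates/` occurs somewhere in the path, yet the name is always read from the fixed position `split("/")[2]`, so any route where `certificates` is not the first segment takes the permalink branch with the wrong segment as the certificate name; checking the position explicitly (`segments[1] === 'certificates' && segments[2]`) is both safer and easier to read. The two `.then` callbacks are identical and can be a single shared function. The permalink branch also ignores `params.url()`, so the table's paging and sorting are not applied to that request — fine if the name lookup returns a single certificate, but worth a one-line comment. The enclosing controller continues past the hunk. A rewrite of the `getData` body along those lines:

```javascript
getData: function ($defer, params) {
  var resolve = function (data) {
    params.total(data.total);
    $defer.resolve(data);
  };
  $scope.path = $location.path();
  var segments = $scope.path.split('/');
  // Permalink URLs have the form /certificates/<name>; anything else is the normal table view
  if (segments[1] === 'certificates' && segments[2]) {
    $scope.certificateName = segments[2];
    CertificateApi.one('name').one($scope.certificateName).getList().then(resolve);
  } else {
    CertificateApi.getList(params.url()).then(resolve);
  }
}
```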
diff --git a/lemur/static/app/angular/certificates/view/view.js b/lemur/static/app/angular/certificates/view/view.js
index 619afffb..6712e62a 100644
--- a/lemur/static/app/angular/certificates/view/view.js
+++ b/lemur/static/app/angular/certificates/view/view.js
@@ -32,8 +32,8 @@ angular.module('lemur')
 $scope.path = $location.path();
 // Handle Permalink clicks through a separate API
 // Clicking on Permalink adds the certificate name to the URL after "certificates/", which is used to identify the click
-if ($scope.path.indexOf("certificates/") > -1 && $scope.path.split("/")[2].length > 0) {
-$scope.certificateName = $scope.path.split("/")[2];
+if ($scope.path.indexOf('certificates/') > -1 && $scope.path.split('/')[2].length > 0) {
+$scope.certificateName = $scope.path.split('/')[2];
 CertificateApi.one('name').one($scope.certificateName).getList()
 .then(function (data) {
 params.total(data.total);
From 56917614a20a0a295d88c8a3fee03566fe9188c7 Mon Sep 17 00:00:00 2001
From: alwaysjolley
Date: Wed, 19 Jun 2019 09:46:44 -0400
Subject: [PATCH 09/10] fixing regex to be more flexable
---
 lemur/plugins/lemur_vault_dest/plugin.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 803b0a0c..21c6784e 100644
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -69,14 +69,14 @@ class VaultSourcePlugin(SourcePlugin):
 'name': 'vaultPath',
 'type': 'str',
 'required': True,
-'validation': '^([a-zA-Z0-9_-]+/?)+$',
+'validation': '^([a-zA-Z0-9._-]+/?)+$',
 'helpMessage': 'Must be a valid Vault secrets path'
 },
 {
 'name': 'objectName',
 'type': 'str',
 'required': True,
-'validation': '[0-9a-zA-Z:_-]+',
+'validation': '[0-9a-zA-Z.:_-]+',
 'helpMessage': 'Object Name to search'
 },
 ]
From bbf50cf0b05033f2e72c17413d6c7635697f5c73 Mon Sep 17 00:00:00 2001
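Review bot: The new `vaultPath` pattern `^([a-zA-Z0-9._-]+/?)+$` nests a `+` inside a repeated group whose separator `/?` is optional, which is the shape that backtracks exponentially on a long run of permitted characters followed by one rejected character wherever it is evaluated by a backtracking engine (Python's `re` or the browser's); the equivalent `^[a-zA-Z0-9._-]+(/[a-zA-Z0-9._-]+)*/?$` accepts the same strings without the nested quantifier. Adding `.` to the class also admits `.` and `..` as whole path segments, so if the value is ever joined into a URL or filesystem path outside the plugin that deserves a comment stating that Vault is expected to reject or normalise them. The `objectName` pattern `[0-9a-zA-Z.:_-]+` is unanchored and therefore accepts any string containing a single permitted character; `^[0-9a-zA-Z.:_-]+$` matches what the help text describes. The same two patterns are changed in the `VaultDestinationPlugin` hunk of the next patch and should be fixed together; both class definitions extend beyond their hunks.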
From: alwaysjolley
Date: Thu, 20 Jun 2019 08:26:32 -0400
Subject: [PATCH 10/10] updated dest as well as src
---
 lemur/plugins/lemur_vault_dest/plugin.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index c7db9b58..b6d1ed75 100644
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -177,14 +177,14 @@ class VaultDestinationPlugin(DestinationPlugin):
 "name": "vaultPath",
 "type": "str",
 "required": True,
-"validation": "^([a-zA-Z0-9_-]+/?)+$",
+"validation": "^([a-zA-Z0-9._-]+/?)+$",
 "helpMessage": "Must be a valid Vault secrets path",
 },
 {
 "name": "objectName",
 "type": "str",
 "required": False,
-"validation": "[0-9a-zA-Z:_-]+",
+"validation": "[0-9a-zA-Z.:_-]+",
 "helpMessage": "Name to bundle certs under, if blank use cn",
 },
 {