From 5b3f40467b3675ffab2f0a6672b5136ab024c763 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:12:07 -0700 Subject: [PATCH 1/6] Make Organizational Unit optional --- .../angular/authorities/authority/distinguishedName.tpl.html | 3 +-- .../certificates/certificate/distinguishedName.tpl.html | 4 +--- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html index 33b0ba4b..c6a7d312 100644 --- a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html +++ b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html @@ -46,8 +46,7 @@ Organizational Unit
- -

You must enter a organizational unit

+
diff --git a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html index 19102b03..72f168a0 100644 --- a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html @@ -62,9 +62,7 @@
-

You must - enter a organizational unit

+ class="form-control"/>
From bc5579e9bfdec597a2acf62735d1890a8faff2db Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:47:55 -0700 Subject: [PATCH 2/6] max date on UI as per max validity configs --- docs/administration.rst | 11 +++++++++++ lemur/authorities/schemas.py | 2 ++ lemur/certificates/models.py | 10 ++++++++++ .../certificates/certificate/tracking.tpl.html | 4 ++-- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index 9f377119..df027f70 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,6 +172,17 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 +.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is + not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of + 365 days and sets it to 90 days. + + :: + + INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + + .. data:: DEBUG_DUMP :noindex: diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index c78aec94..135f4f3d 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -109,6 +109,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() + max_issuance_date = fields.DateTime() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) @@ -134,6 +135,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) authority_update_schema = AuthorityUpdateSchema() 
diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 58630ee6..9ea45409 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -311,6 +311,16 @@ class Certificate(db.Model): def validity_range(self): return self.not_after - self.not_before + @property + def max_issuance_date(self): + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) + if self.name.lower() in [ca.lower() for ca in public_CA]: + default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + else: + default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year + issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) + return arrow.utcnow().shift(days=issuance_validity_days) + @property def subject(self): return self.parsed_cert.subject diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 027add0f..47de640e 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html @@ -154,7 +154,7 @@ is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,7 +174,7 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="End Date" From cab1216cb711db4a2bfdafe3615c0fe45bc0ebdd Mon Sep 17 00:00:00 2001 
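Review bot: In `max_issuance_date`, `abs(self.not_after - arrow.utcnow()).days` turns the negative remaining lifetime of an already-expired CA certificate into a positive one, so an expired issuer would still report a future maximum date. Dropping the `abs()` and flooring at zero fixes this: `remaining = max((self.not_after - now).days, 0)` followed by `issuance_validity_days = min(remaining, default_validity_days)`. Taking `now = arrow.utcnow()` once also stops the two separate calls from straddling a day boundary. The property has no docstring; one line stating that it returns the latest selectable date, derived from `PUBLIC_CA_MAX_VALIDITY_DAYS` or `INTERNAL_CA_MAX_VALIDITY_DAYS` and capped by the CA certificate's `not_after`, would be enough.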
From: sayali Date: Tue, 18 Aug 2020 15:14:34 -0700 Subject: [PATCH 3/6] Updating LEMUR_DEFAULT_ORGANIZATIONAL_UNIT to empty string --- docs/administration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administration.rst b/docs/administration.rst index df027f70..83747636 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -240,7 +240,7 @@ and are used when Lemur creates the CSR for your certificates. :: - LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "Operations" + LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "" .. data:: LEMUR_DEFAULT_ISSUER_PLUGIN From 240f0b99c8963066dd86fe09a78f8767d9d0baad Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:34:59 -0700 Subject: [PATCH 4/6] Max end date as per start date + default validity 3 years --- lemur/authorities/schemas.py | 4 ++-- lemur/certificates/models.py | 10 ++++------ .../certificates/certificate/tracking.tpl.html | 7 ++++--- .../static/app/angular/certificates/services.js | 16 ++++++++++++++++ .../app/angular/pending_certificates/services.js | 15 +++++++++++++++ 5 files changed, 41 insertions(+), 11 deletions(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 135f4f3d..0700c15b 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -109,7 +109,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() - max_issuance_date = fields.DateTime() + max_issuance_days = fields.Integer() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) 
@@ -135,7 +135,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() - authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_days"]) authority_update_schema = AuthorityUpdateSchema() diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 9ea45409..5f6c4ba9 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -312,14 +312,12 @@ class Certificate(db.Model): return self.not_after - self.not_before @property - def max_issuance_date(self): + def max_issuance_days(self): public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if self.name.lower() in [ca.lower() for ca in public_CA]: - default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - else: - default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year - issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) - return arrow.utcnow().shift(days=issuance_validity_days) + return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + + return current_app.config.get("DEFAULT_MAX_VALIDITY_DAYS", 1095) # 3 years default @property def subject(self): diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 47de640e..07d6b0f4 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html 
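Review bot: `max_issuance_days` in `Certificate` is only consumed by the date picker in this series, and the docs hunk in patch 5 describes it as used "to display date range on UI", so the cap is presumably not enforced for clients that call the API directly. If the limit is meant as issuance policy, the server should reject a requested validity period longer than this value; it is worth confirming whether such a check exists outside this diff. Separately, the property compares `self.name`, the certificate's name, with `PUBLIC_CA_AUTHORITY_NAMES`, so it relies on the CA certificate being named exactly like its authority. A comment such as `# assumes the CA certificate name equals the authority name` would record that, or the lookup could live on the authority. The fallbacks `397` and `1095` would read better as named module constants with a docstring on the property explaining which config key applies when.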
@@ -151,10 +151,11 @@ uib-tooltip="yyyy/MM/dd" uib-datepicker-popup="yyyy/MM/dd" ng-model="certificate.validityStart" + ng-change="certificate.setValidityEndDateRange(certificate.validityStart)" is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" + max-date="certificate.authority.authorityCertificate.notAfter" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,8 +175,8 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" - min-date="certificate.authority.authorityCertificate.notBefore" + max-date="certificate.authority.authorityCertificate.maxValidityEnd" + min-date="certificate.authority.authorityCertificate.minValidityEnd" alt-input-formats="altInputFormats" placeholder="End Date" /> diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 3a23076d..7d46f4ca 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js @@ -164,6 +164,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); 
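Review bot: `setValidityEndDateRange` sets `maxValidityEnd` to the start date plus `maxIssuanceDays` without capping it at the CA certificate's `notAfter`, so the end-date picker can offer dates beyond the issuer's own expiry; the `max_issuance_date` version from patch 2 still clamped with `min(...)`. The function also runs on every `ng-change`, including when the start date is cleared, and a missing `maxIssuanceDays` yields an invalid date. The sketch below falls back to the CA certificate's own lifetime in those cases and clamps the computed end date. The same function is duplicated in the `pending_certificates/services.js` hunk and needs the same change.

```javascript
setValidityEndDateRange: function (value) {
  // … unchanged: clear the selected validityEnd …
  const caCert = this.authority.authorityCertificate;
  if (!value || !Number.isFinite(caCert.maxIssuanceDays)) {
    // no usable start date or limit: fall back to the CA certificate's own lifetime
    caCert.minValidityEnd = caCert.notBefore;
    caCert.maxValidityEnd = caCert.notAfter;
    return;
  }
  caCert.minValidityEnd = value;
  const endDate = new Date(value);
  endDate.setDate(endDate.getDate() + caCert.maxIssuanceDays);
  // never offer an end date beyond the issuing CA certificate's expiry
  const caNotAfter = new Date(caCert.notAfter);
  caCert.maxValidityEnd = endDate > caNotAfter ? caNotAfter : endDate;
}
```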
@@ -264,6 +276,9 @@ angular.module('lemur') } } + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; + if (certificate.dnsProviderId) { certificate.dnsProvider = {id: certificate.dnsProviderId}; } @@ -292,3 +307,4 @@ angular.module('lemur') return CertificateService; }); + diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index 4e1b23e4..a9bb8079 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -144,6 +144,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); @@ -230,6 +242,9 @@ angular.module('lemur') certificate.authority = defaults.authority; } } + + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; }); }; From d41227327e84a0134bccee200d889e8c5d8b0cc7 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:47:38 -0700 Subject: [PATCH 5/6] doc update DEFAULT_MAX_VALIDITY_DAYS --- docs/administration.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
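Review bot: The two added assignments dereference `certificate.authority.authorityCertificate` and `defaults.authority.authorityCertificate` unconditionally, although the context just above appears to set `certificate.authority = defaults.authority` only inside a conditional branch. If the certificate already carries a different authority, the end-date bounds are copied from the default CA rather than the selected one, and if either object lacks `authorityCertificate` the call throws. Guarding with `if (certificate.authority && certificate.authority.authorityCertificate) { ... }` and reading `notBefore`/`notAfter` from that same object avoids both. The identical lines in the `pending_certificates/services.js` hunk have the same problem. The enclosing function starts outside the hunk, so the branch structure is inferred from the visible closing braces.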
diff --git a/docs/administration.rst b/docs/administration.rst index 83747636..846a4c34 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,15 +172,15 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 -.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS +.. data:: DEFAULT_MAX_VALIDITY_DAYS :noindex: - Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is - not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of - 365 days and sets it to 90 days. + Use this config to override the default limit of 1095 days (3 years) of validity. Any CA which is not listed in + PUBLIC_CA_AUTHORITY_NAMES will be using this validity to display date range on UI. Below example overrides the + default validity of 1095 days and sets it to 365 days. :: - INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + DEFAULT_MAX_VALIDITY_DAYS = 365 .. data:: DEBUG_DUMP From 5b96b3a0320d6e446a952ad97c51bd3ad0addd3e Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 20:03:15 -0700 Subject: [PATCH 6/6] Lint error fix --- lemur/static/app/angular/certificates/services.js | 6 ++++-- lemur/static/app/angular/pending_certificates/services.js | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 7d46f4ca..881a443a 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js 
@@ -167,8 +167,10 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; - + if(this.validityEnd) { + this.validityEnd = ''; + } + // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index a9bb8079..2f99eb7d 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -147,7 +147,9 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; + if(this.validityEnd) { + this.validityEnd = ''; + } // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value;