From 42957cffc7e08f2830a844e3006946f7e9b413f6 Mon Sep 17 00:00:00 2001
From: Jasmine Schladen
Date: Thu, 3 Dec 2020 16:10:36 -0800
Subject: [PATCH] PR feedback: add config option to enable rotation emails, add cert count and type to email
---
 docs/administration.rst | 8 +++++++-
 lemur/certificates/service.py | 10 ++++++++++
 lemur/common/celery.py | 5 +++--
 lemur/notifications/messaging.py | 5 ++++-
 .../lemur_email/templates/authority_expiration.html | 7 ++++++-
 5 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/docs/administration.rst b/docs/administration.rst
index ae393ac0..1415e598 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -286,7 +286,7 @@ Supported types:
 * CA certificate expiration
 * Pending ACME certificate failure
-* Certificate rotation (currently disabled in code)
+* Certificate rotation
 **Default notifications**
@@ -352,6 +352,12 @@ Whenever a pending ACME certificate fails to be issued, Lemur will send a notifi
 and security team (as specified by the ``LEMUR_SECURITY_TEAM_EMAIL`` configuration parameter). This email is not sent if the pending certificate had notifications disabled.
+**Certificate rotation**
+
+Whenever a cert is rotated, Lemur will send a notification via email to the certificate owner. This notification is
+disabled by default; to enable it, you must set the option ``--notify`` (when using cron) or the configuration parameter
+``ENABLE_ROTATION_NOTIFICATION`` (when using celery).
+
 **Email notifications**
 Templates for emails are located under `lemur/plugins/lemur_email/templates` and can be modified for your needs.
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 3d3e2ca0..f205da3f 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -864,3 +864,13 @@ def cleanup_after_revoke(certificate):
 database.update(certificate)
 return error_message
+
+
+def get_issued_cert_count_for_authority(authority):
+ """
+ Returns the count of certs issued by the specified authority.
+
+ :return:
+ """
+ query = database.session_query(Certificate.id).filter(Authority.id == authority.id)
+ return database.get_count(query)
diff --git a/lemur/common/celery.py b/lemur/common/celery.py
index f428927e..9dc4bd0a 100644
--- a/lemur/common/celery.py
+++ b/lemur/common/celery.py
@@ -656,11 +656,12 @@ def certificate_rotate(**kwargs):
 current_app.logger.debug(log_data)
 try:
+ notify = current_app.config.get("ENABLE_ROTATION_NOTIFICATION", None)
 if region:
 log_data["region"] = region
- cli_certificate.rotate_region(None, None, None, None, True, region)
+ cli_certificate.rotate_region(None, None, None, notify, True, region)
 else:
- cli_certificate.rotate(None, None, None, None, True)
+ cli_certificate.rotate(None, None, None, notify, True)
 except SoftTimeLimitExceeded:
 log_data["message"] = "Certificate rotate: Time limit exceeded."
 current_app.logger.error(log_data)
diff --git a/lemur/notifications/messaging.py b/lemur/notifications/messaging.py
index 5aa6b3ee..75d829b1 100644
--- a/lemur/notifications/messaging.py
+++ b/lemur/notifications/messaging.py
@@ -19,9 +19,10 @@ from sqlalchemy import and_
 from sqlalchemy.sql.expression import false, true
 from lemur import database
+from lemur.certificates import service as certificates_service
 from lemur.certificates.models import Certificate
 from lemur.certificates.schemas import certificate_notification_output_schema
-from lemur.common.utils import windowed_query
+from lemur.common.utils import windowed_query, is_selfsigned
 from lemur.constants import FAILURE_METRIC_STATUS, SUCCESS_METRIC_STATUS
 from lemur.extensions import metrics, sentry
 from lemur.pending_certificates.schemas import pending_certificate_output_schema
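Review bot: The filter in `get_issued_cert_count_for_authority` compares `Authority.id` without relating `Authority` to `Certificate`, so the query selects `Certificate.id` from a cross product and `database.get_count` returns the total number of certificates in the table rather than those issued by this authority; the CA-expiration email that consumes this value would then overstate how many certificates the expiring CA affects. The filter should use the certificate's issuing-authority foreign key, most likely `query = database.session_query(Certificate.id).filter(Certificate.authority_id == authority.id)`, and a test with two authorities holding different numbers of certs would pin the behaviour. The docstring also leaves `:return:` blank and omits the parameter; `:param authority: the Authority whose issued certificates are counted` and `:return: int, number of certificates issued by that authority` would complete it.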
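Review bot: `notify = current_app.config.get("ENABLE_ROTATION_NOTIFICATION", None)` is handed to `rotate_region` and `rotate` as the fourth positional argument, so a reader has to know the CLI command's parameter order to see that this slot is the notification switch; passing it by keyword (`message=notify`, if that is the parameter's name in cli_certificate) would make the intent visible at the call site. The `None` default is already what `dict.get` returns, and since the docs hunk describes the feature as disabled by default, `current_app.config.get("ENABLE_ROTATION_NOTIFICATION", False)` states that contract explicitly and hands the command a bool rather than None. The body of `certificate_rotate` starts and ends outside the hunk.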
@@ -241,6 +242,8 @@ def send_authority_expiration_notifications():
 cert_data = certificate_notification_output_schema.dump(
 certificate
 ).data
+ cert_data['self_signed'] = is_selfsigned(certificate.parsed_cert)
+ cert_data['issued_cert_count'] = certificates_service.get_issued_cert_count_for_authority(certificate.root_authority)
 notification_data.append(cert_data)
 email_recipients = security_email + [owner]
diff --git a/lemur/plugins/lemur_email/templates/authority_expiration.html b/lemur/plugins/lemur_email/templates/authority_expiration.html
index 984a7483..7c343417 100644
--- a/lemur/plugins/lemur_email/templates/authority_expiration.html
+++ b/lemur/plugins/lemur_email/templates/authority_expiration.html
@@ -91,7 +91,12 @@ {{ certificate.name }}
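Review bot: `certificates_service.get_issued_cert_count_for_authority(certificate.root_authority)` reads `authority.id` inside the helper, so if the loop in `send_authority_expiration_notifications` can yield a CA certificate whose `root_authority` is None (the query feeding the loop starts outside this hunk, so I cannot tell), that row raises `AttributeError` and the remaining authority-expiration warnings for the run are never sent. A guard such as `cert_data['issued_cert_count'] = certificates_service.get_issued_cert_count_for_authority(certificate.root_authority) if certificate.root_authority else 0` keeps one unexpected row from silencing every other notification. That added line is also far past the line length the surrounding black-formatted code uses; wrapping the call would match the file's style.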
- {{ certificate.endpoints | length }} Endpoints + {% if certificate.self_signed %} + Root + {% else %} + Subordinate + {% endif %} CA +
{{ certificate.issued_cert_count }} issued certificates
{{ certificate.owner }}
{{ certificate.validityEnd | time }} Details