PR feedback: add config option to enable rotation emails, add cert count and type to email

This commit is contained in:
Jasmine Schladen 2020-12-03 16:10:36 -08:00
parent 4c2227f23c
commit 42957cffc7
5 changed files with 30 additions and 5 deletions


@ -286,7 +286,7 @@ Supported types:
* CA certificate expiration * CA certificate expiration
* Pending ACME certificate failure * Pending ACME certificate failure
* Certificate rotation (currently disabled in code) * Certificate rotation
**Default notifications** **Default notifications**
@ -352,6 +352,12 @@ Whenever a pending ACME certificate fails to be issued, Lemur will send a notifi
and security team (as specified by the ``LEMUR_SECURITY_TEAM_EMAIL`` configuration parameter). This email is not sent if and security team (as specified by the ``LEMUR_SECURITY_TEAM_EMAIL`` configuration parameter). This email is not sent if
the pending certificate had notifications disabled. the pending certificate had notifications disabled.
**Certificate rotation**
Whenever a cert is rotated, Lemur will send a notification via email to the certificate owner. This notification is
disabled by default; to enable it, you must set the option ``--notify`` (when using cron) or the configuration parameter
``ENABLE_ROTATION_NOTIFICATION`` (when using celery).
**Email notifications** **Email notifications**
Templates for emails are located under `lemur/plugins/lemur_email/templates` and can be modified for your needs. Templates for emails are located under `lemur/plugins/lemur_email/templates` and can be modified for your needs.


@ -864,3 +864,13 @@ def cleanup_after_revoke(certificate):
database.update(certificate) database.update(certificate)
return error_message return error_message
def get_issued_cert_count_for_authority(authority):
"""
Returns the count of certs issued by the specified authority.
:return:
"""
query = database.session_query(Certificate.id).filter(Authority.id == authority.id)
return database.get_count(query)
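Review bot: The new query in `get_issued_cert_count_for_authority` selects `Certificate.id` but filters on `Authority.id == authority.id` with no join or foreign-key condition relating the two tables, so SQLAlchemy emits a cross join and the result is the number of all certificates in the table (times the one matching authority row) rather than the certificates issued by the given authority; every CA expiration email would then carry the same inflated figure. Assuming the Certificate model has an `authority_id` foreign key as elsewhere in Lemur, filter on that column instead: `query = database.session_query(Certificate.id).filter(Certificate.authority_id == authority.id)`. That also removes the dependence on the `Authority` name, which this hunk does not show being imported into the module. The docstring should document the argument and the return as well, e.g. `:param authority: Authority whose issued certificates are counted` and `:return: int, number of Certificate rows issued by that authority`.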


@ -656,11 +656,12 @@ def certificate_rotate(**kwargs):
current_app.logger.debug(log_data) current_app.logger.debug(log_data)
try: try:
notify = current_app.config.get("ENABLE_ROTATION_NOTIFICATION", None)
if region: if region:
log_data["region"] = region log_data["region"] = region
cli_certificate.rotate_region(None, None, None, None, True, region) cli_certificate.rotate_region(None, None, None, notify, True, region)
else: else:
cli_certificate.rotate(None, None, None, None, True) cli_certificate.rotate(None, None, None, notify, True)
except SoftTimeLimitExceeded: except SoftTimeLimitExceeded:
log_data["message"] = "Certificate rotate: Time limit exceeded." log_data["message"] = "Certificate rotate: Time limit exceeded."
current_app.logger.error(log_data) current_app.logger.error(log_data)
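Review bot: `notify = current_app.config.get("ENABLE_ROTATION_NOTIFICATION", None)` makes the documented "disabled by default" behaviour depend on `cli_certificate.rotate`/`rotate_region` (not in view) treating `None` as false; an explicit boolean default states the contract here and drops the redundant `None` argument: `notify = current_app.config.get("ENABLE_ROTATION_NOTIFICATION", False)`. If the setting can arrive as a string from an environment-backed config (I cannot tell from here), a value such as "false" would be truthy and silently turn the rotation emails on, so consider normalising it with `bool()` or a strict parse before passing it on. The enclosing `certificate_rotate` task begins and ends outside this hunk.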


@ -19,9 +19,10 @@ from sqlalchemy import and_
from sqlalchemy.sql.expression import false, true from sqlalchemy.sql.expression import false, true
from lemur import database from lemur import database
from lemur.certificates import service as certificates_service
from lemur.certificates.models import Certificate from lemur.certificates.models import Certificate
from lemur.certificates.schemas import certificate_notification_output_schema from lemur.certificates.schemas import certificate_notification_output_schema
from lemur.common.utils import windowed_query from lemur.common.utils import windowed_query, is_selfsigned
from lemur.constants import FAILURE_METRIC_STATUS, SUCCESS_METRIC_STATUS from lemur.constants import FAILURE_METRIC_STATUS, SUCCESS_METRIC_STATUS
from lemur.extensions import metrics, sentry from lemur.extensions import metrics, sentry
from lemur.pending_certificates.schemas import pending_certificate_output_schema from lemur.pending_certificates.schemas import pending_certificate_output_schema
@ -241,6 +242,8 @@ def send_authority_expiration_notifications():
cert_data = certificate_notification_output_schema.dump( cert_data = certificate_notification_output_schema.dump(
certificate certificate
).data ).data
cert_data['self_signed'] = is_selfsigned(certificate.parsed_cert)
cert_data['issued_cert_count'] = certificates_service.get_issued_cert_count_for_authority(certificate.root_authority)
notification_data.append(cert_data) notification_data.append(cert_data)
email_recipients = security_email + [owner] email_recipients = security_email + [owner]
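Review bot: In the second hunk, `certificates_service.get_issued_cert_count_for_authority(certificate.root_authority)` runs inside the per-certificate loop with no guard, so if `root_authority` is unset for any authority certificate (I cannot confirm from here that Lemur always sets it) the resulting `AttributeError` on `authority.id` aborts the whole notification run rather than one email; a guard such as `root = certificate.root_authority` followed by `cert_data['issued_cert_count'] = certificates_service.get_issued_cert_count_for_authority(root) if root else 0` keeps the batch going. Note also that the count is keyed on `root_authority` rather than `authority`; if those differ for a subordinate CA's certificate, the email reports the root's issuance count under the subordinate's name, which deserves a one-line comment stating which authority the figure describes, e.g. `# count is for the certificate's root authority, not necessarily the CA named in this email`. The enclosing `send_authority_expiration_notifications` function starts before this hunk and continues after it.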


@ -91,7 +91,12 @@
<span style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:20px;color:#202020">{{ certificate.name }}</span> <span style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:20px;color:#202020">{{ certificate.name }}</span>
<br> <br>
<span style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:13px;color:#727272"> <span style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:13px;color:#727272">
{{ certificate.endpoints | length }} Endpoints {% if certificate.self_signed %}
<b>Root</b>
{% else %}
Subordinate
{% endif %} CA
<br>{{ certificate.issued_cert_count }} issued certificates
<br>{{ certificate.owner }} <br>{{ certificate.owner }}
<br>{{ certificate.validityEnd | time }} <br>{{ certificate.validityEnd | time }}
<a href="https://{{ hostname }}/#/certificates/{{ certificate.name }}" target="_blank">Details</a> <a href="https://{{ hostname }}/#/certificates/{{ certificate.name }}" target="_blank">Details</a>
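Review bot: The rewritten span reads `certificate.self_signed` and `certificate.issued_cert_count` unconditionally, so if this template is ever rendered with a certificate dict lacking those keys (I cannot see from here which notification types use it) Jinja's undefined value makes the `{% if %}` false and the count render empty, labelling every certificate a "Subordinate CA" with " issued certificates" — a wrong statement in a security notification instead of a visible error. Guarding the new block with `{% if certificate.self_signed is defined %}` … `{% endif %}`, or giving the count a default such as `{{ certificate.issued_cert_count | default('unknown') }}`, makes a missing value evident. Pluralisation is also off for a single certificate ("1 issued certificates").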