PR feedback: add config option to enable rotation emails, add cert count and type to email

2020-12-03 16:10:36 -08:00 · 2020-12-03 16:10:36 -08:00 · 42957cffc7
parent 4c2227f23c
commit 42957cffc7
5 changed files with 30 additions and 5 deletions
--- a/docs/administration.rst
+++ b/docs/administration.rst
@ -286,7 +286,7 @@ Supported types:

 * CA certificate expiration
 * Pending ACME certificate failure
-* Certificate rotation (currently disabled in code)
+* Certificate rotation

 **Default notifications**

@ -352,6 +352,12 @@ Whenever a pending ACME certificate fails to be issued, Lemur will send a notifi
 and security team (as specified by the ``LEMUR_SECURITY_TEAM_EMAIL`` configuration parameter). This email is not sent if
 the pending certificate had notifications disabled.

+**Certificate rotation**
+
+Whenever a cert is rotated, Lemur will send a notification via email to the certificate owner. This notification is
+disabled by default; to enable it, you must set the option ``--notify`` (when using cron) or the configuration parameter
+``ENABLE_ROTATION_NOTIFICATION`` (when using celery).
+
 **Email notifications**

 Templates for emails are located under `lemur/plugins/lemur_email/templates` and can be modified for your needs.
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -864,3 +864,13 @@ def cleanup_after_revoke(certificate):

    database.update(certificate)
    return error_message
+
+
+def get_issued_cert_count_for_authority(authority):
+    """
+    Returns the count of certs issued by the specified authority.
+
+    :return:
+    """
+    query = database.session_query(Certificate.id).filter(Authority.id == authority.id)
+    return database.get_count(query)
--- a/lemur/common/celery.py
+++ b/lemur/common/celery.py
@ -656,11 +656,12 @@ def certificate_rotate(**kwargs):

    current_app.logger.debug(log_data)
    try:
+        notify = current_app.config.get("ENABLE_ROTATION_NOTIFICATION", None)
        if region:
            log_data["region"] = region
-            cli_certificate.rotate_region(None, None, None, None, True, region)
+            cli_certificate.rotate_region(None, None, None, notify, True, region)
        else:
-            cli_certificate.rotate(None, None, None, None, True)
+            cli_certificate.rotate(None, None, None, notify, True)
    except SoftTimeLimitExceeded:
        log_data["message"] = "Certificate rotate: Time limit exceeded."
        current_app.logger.error(log_data)
--- a/lemur/notifications/messaging.py
+++ b/lemur/notifications/messaging.py
@ -19,9 +19,10 @@ from sqlalchemy import and_
 from sqlalchemy.sql.expression import false, true

 from lemur import database
+from lemur.certificates import service as certificates_service
 from lemur.certificates.models import Certificate
 from lemur.certificates.schemas import certificate_notification_output_schema
-from lemur.common.utils import windowed_query
+from lemur.common.utils import windowed_query, is_selfsigned
 from lemur.constants import FAILURE_METRIC_STATUS, SUCCESS_METRIC_STATUS
 from lemur.extensions import metrics, sentry
 from lemur.pending_certificates.schemas import pending_certificate_output_schema
@ -241,6 +242,8 @@ def send_authority_expiration_notifications():
                cert_data = certificate_notification_output_schema.dump(
                    certificate
                ).data
+                cert_data['self_signed'] = is_selfsigned(certificate.parsed_cert)
+                cert_data['issued_cert_count'] = certificates_service.get_issued_cert_count_for_authority(certificate.root_authority)
                notification_data.append(cert_data)

            email_recipients = security_email + [owner]
--- a/lemur/plugins/lemur_email/templates/authority_expiration.html
+++ b/lemur/plugins/lemur_email/templates/authority_expiration.html
@ -91,7 +91,12 @@
                                                                    <span style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:20px;color:#202020">{{ certificate.name }}</span>
                                                                    <br>
                                                                    <span style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:13px;color:#727272">
-                                                                        {{ certificate.endpoints | length }} Endpoints
+                                                                       {% if certificate.self_signed %}
+                                                                           <b>Root</b>
+                                                                       {% else %}
+                                                                           Subordinate
+                                                                       {% endif %} CA
+                                                                        <br>{{ certificate.issued_cert_count }} issued certificates
                                                                        <br>{{ certificate.owner }}
                                                                        <br>{{ certificate.validityEnd | time }}
                                                                        <a href="https://{{ hostname }}/#/certificates/{{ certificate.name }}" target="_blank">Details</a>