More stuff. Will prioritize this more next week

lemur/plugins/lemur_acme/plugin.py

@@ -9,6 +9,7 @@
 
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 .. moduleauthor:: Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>
+.. moduleauthor:: Curtis Castrapel <ccastrapel@netflix.com>
 """
 import josepy as jose
 import json
@@ -23,7 +24,6 @@ from lemur.common.utils import generate_private_key
 
 import OpenSSL.crypto
 
-from lemur.common.utils import validate_conf
 from lemur.plugins.bases import IssuerPlugin
 from lemur.plugins import lemur_acme as acme
 
@@ -97,20 +97,26 @@ def request_certificate(acme_client, authorizations, csr):
         OpenSSL.crypto.FILETYPE_PEM, cert_response.body
     ).decode('utf-8')
 
-    pem_certificate_chain = "\n".join(
-        OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert.decode("utf-8"))
-        for cert in acme_client.fetch_chain(cert_response)
-    ).decode('utf-8')
+    full_chain = []
+    for cert in acme_client.fetch_chain(cert_response):
+        chain = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
+        full_chain.append(chain.decode("utf-8"))
+    pem_certificate_chain = "\n".join(full_chain)
 
-    current_app.logger.debug("{0} {1}".format(type(pem_certificate). type(pem_certificate_chain)))
+    current_app.logger.debug("{0} {1}".format(type(pem_certificate), type(pem_certificate_chain)))
     return pem_certificate, pem_certificate_chain
 
 
 def setup_acme_client(authority):
-    options = json.loads(authority.get('options', '[]'))
-    email = options.getcurrent_app.config.get('ACME_EMAIL')
-    tel = current_app.config.get('ACME_TEL')
-    directory_url = current_app.config.get('ACME_DIRECTORY_URL')
+    if not authority.options:
+        raise Exception("Invalid authority. Options not set")
+    options = {}
+    for o in json.loads(authority.options):
+        print(o)
+        options[o.get("name")] = o.get("value")
+    email = options.get('email', current_app.config.get('ACME_EMAIL'))
+    tel = options.get('telephone', current_app.config.get('ACME_TEL'))
+    directory_url = options.get('acme_url', current_app.config.get('ACME_DIRECTORY_URL'))
     contact = ('mailto:{}'.format(email), 'tel:{}'.format(tel))
 
     key = jose.JWKRSA(key=generate_private_key('RSA2048'))
@@ -173,7 +179,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
     description = 'Enables the creation of certificates via ACME CAs (including Let\'s Encrypt)'
     version = acme.VERSION
 
-    author = 'Kevin Glisson'
+    author = 'Netflix'
     author_url = 'https://github.com/netflix/lemur.git'
 
     options = [
@@ -207,18 +213,6 @@ class ACMEIssuerPlugin(IssuerPlugin):
     ]
 
     def __init__(self, *args, **kwargs):
-        required_vars = [
-            'ACME_DIRECTORY_URL',
-            'ACME_TEL',
-            'ACME_EMAIL',
-            'ACME_AWS_ACCOUNT_NUMBER',
-            'ACME_ROOT'
-        ]
-
-        validate_conf(current_app, required_vars)
-        self.dns_provider_name = current_app.config.get('ACME_DNS_PROVIDER', 'route53')
-        current_app.logger.debug("Using DNS provider: {0}".format(self.dns_provider_name))
-        self.dns_provider = __import__(self.dns_provider_name, globals(), locals(), [], 1)
         super(ACMEIssuerPlugin, self).__init__(*args, **kwargs)
 
     def create_certificate(self, csr, issuer_options):
@@ -229,12 +223,22 @@ class ACMEIssuerPlugin(IssuerPlugin):
         :param issuer_options:
         :return: :raise Exception:
         """
-        current_app.logger.debug("Requesting a new acme certificate: {0}".format(issuer_options))
-        acme_client, registration = setup_acme_client(issuer_options.get(issuer_options.get('authority')))
-        # Deal with account number per certificate
-        account_number = current_app.config.get('ACME_AWS_ACCOUNT_NUMBER')
+        authority = issuer_options.get('authority')
+        acme_client, registration = setup_acme_client(authority)
+        dns_provider = issuer_options.get('dns_provider')
+        if not dns_provider:
+            raise Exception("DNS Provider setting is required for ACME certificates.")
+        credentials = json.loads(dns_provider.credentials)
+
+        current_app.logger.debug("Using DNS provider: {0}".format(dns_provider.provider_type))
+        dns_provider_type = __import__(dns_provider.provider_type, globals(), locals(), [], 1)
+        account_number = credentials.get("account_number")
+        if dns_provider.provider_type == 'route53' and not account_number:
+            error = "DNS Provider {} does not have an account number configured.".format(dns_provider.name)
+            current_app.logger.error(error)
+            raise Exception(error)
         domains = get_domains(issuer_options)
-        authorizations = get_authorizations(acme_client, account_number, domains, self.dns_provider)
+        authorizations = get_authorizations(acme_client, account_number, domains, dns_provider_type)
         pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, csr)
         # TODO add external ID (if possible)
         return pem_certificate, pem_certificate_chain, None

lemur/plugins/lemur_digicert/tests/test_digicert.py

@@ -150,11 +150,7 @@ def test_signature_hash(app):
         signature_hash('sdfdsf')
 
 
-def test_issuer_plugin_create_certificate():
-    import requests_mock
-    from lemur.plugins.lemur_digicert.plugin import DigiCertIssuerPlugin
-
-    pem_fixture = """\
+def test_issuer_plugin_create_certificate(certificate_="""\
 -----BEGIN CERTIFICATE-----
 abc
 -----END CERTIFICATE-----
@@ -164,7 +160,11 @@ def
 -----BEGIN CERTIFICATE-----
 ghi
 -----END CERTIFICATE-----
-"""
+"""):
+    import requests_mock
+    from lemur.plugins.lemur_digicert.plugin import DigiCertIssuerPlugin
+
+    pem_fixture = certificate_
 
     subject = DigiCertIssuerPlugin()
     adapter = requests_mock.Adapter()