From 377ba25413f89a282200b0d58e22e319533fea86 Mon Sep 17 00:00:00 2001
From: csine-nflx
Date: Mon, 22 Feb 2021 14:56:34 -0800
Subject: [PATCH] Adding allow_list to stats endpoint

---
 lemur/certificates/service.py | 13 +++++++++++--
 lemur/certificates/views.py   |  7 ++++++-
 lemur/destinations/views.py   |  2 +-
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index b9bc16f0..8f21a751 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -678,7 +678,16 @@ def stats(**kwargs):
     :param kwargs:
     :return:
     """
-    if kwargs.get("metric") == "not_after":
+
+    # Verify requested metric
+    allow_list = ["bits", "issuer", "not_after", "signing_algorithm"]
+    req_metric = kwargs.get("metric")
+    if req_metric not in allow_list:
+        raise Exception(
+            f"Stats not available for requested metric: {req_metric}"
+        )
+
+    if req_metric == "not_after":
         start = arrow.utcnow()
         end = start.shift(weeks=+32)
         items = (
@@ -690,7 +699,7 @@ def stats(**kwargs):
         )
 
     else:
-        attr = getattr(Certificate, kwargs.get("metric"))
+        attr = getattr(Certificate, req_metric)
         query = database.db.session.query(attr, func.count(attr))
         items = query.group_by(attr).all()
 
diff --git a/lemur/certificates/views.py b/lemur/certificates/views.py
index 8d4e6954..3de08003 100644
--- a/lemur/certificates/views.py
+++ b/lemur/certificates/views.py
@@ -635,7 +635,12 @@ class CertificatesStats(AuthenticatedResource):
 
         args = self.reqparse.parse_args()
 
-        items = service.stats(**args)
+        try:
+            items = service.stats(**args)
+        except Exception as e:
+            sentry.captureException()
+            return dict(message=f"Failed to retrieve stats: {str(e)}"), 400
+
         return dict(items=items, total=len(items))
 
 
diff --git a/lemur/destinations/views.py b/lemur/destinations/views.py
index 6de6f74f..2c89da76 100644
--- a/lemur/destinations/views.py
+++ b/lemur/destinations/views.py
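Review bot: The new guard raises a bare `Exception`, so a caller cannot tell a rejected `metric` apart from a database or other runtime failure that happens further down in `stats`; `raise ValueError(f"Stats not available for requested metric: {req_metric}")` would let the view map only input errors to a client-error response. The allow list is a fixed set rebuilt on every call; a module-level constant such as `STATS_METRIC_ALLOW_LIST = frozenset({"bits", "issuer", "not_after", "signing_algorithm"})` (name is a proposal) reads as the policy it is and can be reused by the request parser. The docstring's empty `:param kwargs:` should now say that `metric` must be one of those four values, and a `:raises ValueError: if ``metric`` is not a supported stats metric` line should document the new failure mode. The `stats` function continues outside the hunk.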
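Review bot: `except Exception` around `service.stats(**args)` turns every failure, including database errors, into a 400 whose body carries the exception text, and the validation message echoes the caller-supplied `metric` value back verbatim; only the rejected-metric case belongs in a client-error response. Catching the narrower type the service raises for bad input (e.g. `except ValueError as e:`) and letting everything else propagate keeps server faults reported as 5xx with their details out of the response. `sentry.captureException()` in that branch will also file routine bad query parameters as errors, which is noise rather than signal. Minor style point: `{str(e)}` inside the f-string is the same as `{e}`. The `get` method begins outside the hunk.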
@@ -425,7 +425,7 @@ class CertificateDestinations(AuthenticatedResource):
 
 
 class DestinationsStats(AuthenticatedResource):
-    """ Defines the 'certificates' stats endpoint """
+    """ Defines the 'destinations' stats endpoint """
 
     def __init__(self):
         self.reqparse = reqparse.RequestParser()