Fixes (#476)

* Ensures that Vault can accept bytes and strings.

* Make restricted domains optional.

* Fixing notify flag.

lemur/certificates/service.py

@@ -102,20 +102,20 @@ def export(cert, export_plugin):
     return plugin.export(cert.body, cert.chain, cert.private_key, export_plugin['pluginOptions'])
 
 
-def update(cert_id, owner, description, active, destinations, notifications, replaces, roles):
+def update(cert_id, owner, description, notify, destinations, notifications, replaces, roles):
     """
     Updates a certificate
     :param cert_id:
     :param owner:
     :param description:
-    :param active:
+    :param notify:
     :param destinations:
     :param notifications:
     :param replaces:
     :return:
     """
     cert = get(cert_id)
-    cert.active = active
+    cert.notify = notify
     cert.description = description
     cert.destinations = destinations
     cert.notifications = notifications

lemur/certificates/views.py

@@ -593,7 +593,7 @@ class Certificates(AuthenticatedResource):
                 certificate_id,
                 data['owner'],
                 data['description'],
-                data['active'],
+                data['notify'],
                 data['destinations'],
                 data['notifications'],
                 data['replacements'],

lemur/common/validators.py

@@ -46,15 +46,16 @@ def sensitive_domain(domain):
     :param domain:
     :return:
     """
-    restricted_domains = current_app.config['LEMUR_RESTRICTED_DOMAINS']
+    restricted_domains = current_app.config.get('LEMUR_RESTRICTED_DOMAINS', [])
-    domains = domain_service.get_by_name(domain)
+    if restricted_domains:
-    for domain in domains:
+        domains = domain_service.get_by_name(domain)
-        # we only care about non-admins
+        for domain in domains:
-        if not SensitiveDomainPermission().can():
+            # we only care about non-admins
-            if domain.sensitive or any([re.match(pattern, domain.name) for pattern in restricted_domains]):
+            if not SensitiveDomainPermission().can():
-                raise ValidationError(
+                if domain.sensitive or any([re.match(pattern, domain.name) for pattern in restricted_domains]):
-                    'Domain {0} has been marked as sensitive, contact and administrator \
+                    raise ValidationError(
-                    to issue the certificate.'.format(domain))
+                        'Domain {0} has been marked as sensitive, contact and administrator \
+                        to issue the certificate.'.format(domain))
 
 
 def encoding(oid_encoding):

lemur/utils.py

@@ -7,6 +7,7 @@
 """
 import os
 import sys
+import six
 from flask import current_app
 from cryptography.fernet import Fernet, MultiFernet
 import sqlalchemy.types as types
@@ -96,10 +97,14 @@ class Vault(types.TypeDecorator):
         if not value:
             return
 
-        # we only support strings and they should be of type bytes for Fernet
+        if sys.version_info[0] <= 2:
-        if sys.version_info[0] >= 3:
+            return MultiFernet(self.keys).encrypt(bytes(value))
-            return MultiFernet(self.keys).encrypt(value)
+
-        return MultiFernet(self.keys).encrypt(bytes(value))
+        # ensure bytes for fernet
+        if isinstance(value, six.string_types):
+            value = value.encode('utf-8')
+
+        return MultiFernet(self.keys).encrypt(value)
 
     def process_result_value(self, value, dialect):
         """
@@ -117,6 +122,6 @@ class Vault(types.TypeDecorator):
         if not value:
             return
 
-        if sys.version_info[0] >= 3:
+        if sys.version_info[0] <= 2:
-            return str(MultiFernet(self.keys).decrypt(value), 'utf8')
+            return MultiFernet(self.keys).decrypt(value)
-        return MultiFernet(self.keys).decrypt(value)
+        return MultiFernet(self.keys).decrypt(value).decode('utf8')