Merge branch 'master' into master
commit
51bc7d0231
@ -1,6 +1,87 @@
|
||||||
Changelog
|
Changelog
|
||||||
=========
|
=========
|
||||||
|
|
||||||
|
0.8.0 - `2020-11-13`
|
||||||
|
~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
This release comes after more than two years and contains many interesting new features and improvements.
|
||||||
|
In addition to multiple new plugins, such as ACME-http01, ADCS, PowerDNS, UltraDNS, Entrust, SNS, many of Lemur's existing
|
||||||
|
flows have improved.
|
||||||
|
|
||||||
|
In the future, we plan to do frequent releases.
|
||||||
|
|
||||||
|
|
||||||
|
Summary of notable changes:
|
||||||
|
|
||||||
|
- AWS S3 plugin: added delete, get methods, and support for uploading/deleting acme tokens
|
||||||
|
- ACME plugin:
|
||||||
|
- revamp of the plugin
|
||||||
|
- support for http01 domain validation, via S3 and SFTP as destination for the acme token
|
||||||
|
- support for CNAME delegated domain validation
|
||||||
|
- store-acme-account-details
|
||||||
|
- PowerDNS plugin
|
||||||
|
- UltraDNS plugin
|
||||||
|
- ADCS plugin
|
||||||
|
- SNS plugin
|
||||||
|
- Entrust plugin
|
||||||
|
- Rotation:
|
||||||
|
- respecting keyType and extensions
|
||||||
|
- region-by-region rotation option
|
||||||
|
- default to auto-rotate when cert attached to endpoint
|
||||||
|
- default to 1y validity during rotation for multi-year browser-trusted certs
|
||||||
|
- Certificate: search_by_name, and important performance improvements
|
||||||
|
- UI
|
||||||
|
- reducing the EC curve options to the relevant ones
|
||||||
|
- edit option for notifications, destinations and sources
|
||||||
|
- showing 13 month validity as default
|
||||||
|
- option to hide certs expired since 3month
|
||||||
|
- faster Permalink (no search involved)
|
||||||
|
- commonName Auto Added as DNS in the UI
|
||||||
|
- improved search and cert lookup
|
||||||
|
- celery tasks instead of crone, for better logging and monitoring
|
||||||
|
- countless bugfixes
|
||||||
|
- group-lookup-fix-referral
|
||||||
|
- url_context_path
|
||||||
|
- duplicate notification
|
||||||
|
- digicert-time-bug-fix
|
||||||
|
- improved-csr-support
|
||||||
|
- fix-cryptography-intermediate-ca
|
||||||
|
- enhanced logging
|
||||||
|
- vault-k8s-auth
|
||||||
|
- cfssl-key-fix
|
||||||
|
- cert-sync-endpoint-find-by-hash
|
||||||
|
- nlb-naming-bug
|
||||||
|
- fix_vault_api_v2_append
|
||||||
|
- aid_openid_roles_provider_integration
|
||||||
|
- rewrite-java-keystore-use-pyjks
|
||||||
|
- vault_kv2
|
||||||
|
|
||||||
|
|
||||||
|
To see the full list of changes, you can run
|
||||||
|
|
||||||
|
$ git log --merges --first-parent master --pretty=format:"%h %<(10,trunc)%aN %C(white)%<(15)%ar%Creset %C(red bold)%<(15)%D%Creset %s" | grep -v "depend"
|
||||||
|
|
||||||
|
|
||||||
|
Special thanks to all who contributed to this release, notably:
|
||||||
|
|
||||||
|
- `peschmae <https://github.com/peschmae>`_
|
||||||
|
- `sirferl <https://github.com/sirferl>`_
|
||||||
|
- `lukasmrtvy <https://github.com/lukasmrtvy>`_
|
||||||
|
- `intgr <https://github.com/intgr>`_
|
||||||
|
- `kush-bavishi <https://github.com/kush-bavishi>`_
|
||||||
|
- `alwaysjolley <https://github.com/alwaysjolley>`_
|
||||||
|
- `jplana <https://github.com/jplana>`_
|
||||||
|
- `explody <https://github.com/explody>`_
|
||||||
|
- `titouanc <https://github.com/titouanc>`_
|
||||||
|
- `jramosf <https://github.com/jramosf>`_
|
||||||
|
|
||||||
|
|
||||||
|
Upgrading
|
||||||
|
---------
|
||||||
|
|
||||||
|
.. note:: This release will need a migration change. Please follow the `documentation <https://lemur.readthedocs.io/en/latest/administration.html#upgrading-lemur>`_ to upgrade Lemur.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
0.7 - `2018-05-07`
|
0.7 - `2018-05-07`
|
||||||
~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~
|
||||||
|
|
|
@ -15,7 +15,7 @@ __title__ = "lemur"
|
||||||
__summary__ = "Certificate management and orchestration service"
|
__summary__ = "Certificate management and orchestration service"
|
||||||
__uri__ = "https://github.com/Netflix/lemur"
|
__uri__ = "https://github.com/Netflix/lemur"
|
||||||
|
|
||||||
__version__ = "0.7.0"
|
__version__ = "0.8.0"
|
||||||
|
|
||||||
__author__ = "The Lemur developers"
|
__author__ = "The Lemur developers"
|
||||||
__email__ = "security@netflix.com"
|
__email__ = "security@netflix.com"
|
||||||
|
|
|
@ -419,7 +419,7 @@ class S3DestinationPlugin(ExportDestinationPlugin):
|
||||||
:param kwargs:
|
:param kwargs:
|
||||||
:return:
|
:return:
|
||||||
"""
|
"""
|
||||||
current_app.logger.debug("S3 destination plugin is started for HTTP-01 challenge")
|
current_app.logger.debug("S3 destination plugin is started to upload HTTP-01 challenge")
|
||||||
|
|
||||||
function = f"{__name__}.{sys._getframe().f_code.co_name}"
|
function = f"{__name__}.{sys._getframe().f_code.co_name}"
|
||||||
|
|
||||||
|
@ -431,16 +431,16 @@ class S3DestinationPlugin(ExportDestinationPlugin):
|
||||||
if not prefix.endswith("/"):
|
if not prefix.endswith("/"):
|
||||||
prefix + "/"
|
prefix + "/"
|
||||||
|
|
||||||
res = s3.put(bucket_name=bucket_name,
|
response = s3.put(bucket_name=bucket_name,
|
||||||
region_name=region,
|
region_name=region,
|
||||||
prefix=prefix + filename,
|
prefix=prefix + filename,
|
||||||
data=token,
|
data=token,
|
||||||
encrypt=False,
|
encrypt=False,
|
||||||
account_number=account_number)
|
account_number=account_number)
|
||||||
res = "Success" if res else "Failure"
|
res = "Success" if response else "Failure"
|
||||||
log_data = {
|
log_data = {
|
||||||
"function": function,
|
"function": function,
|
||||||
"message": "check if any valid certificate is revoked",
|
"message": "upload acme token challenge",
|
||||||
"result": res,
|
"result": res,
|
||||||
"bucket_name": bucket_name,
|
"bucket_name": bucket_name,
|
||||||
"filename": filename
|
"filename": filename
|
||||||
|
@ -449,6 +449,34 @@ class S3DestinationPlugin(ExportDestinationPlugin):
|
||||||
metrics.send(f"{function}", "counter", 1, metric_tags={"result": res,
|
metrics.send(f"{function}", "counter", 1, metric_tags={"result": res,
|
||||||
"bucket_name": bucket_name,
|
"bucket_name": bucket_name,
|
||||||
"filename": filename})
|
"filename": filename})
|
||||||
|
return response
|
||||||
|
|
||||||
|
def delete_acme_token(self, token_path, options, **kwargs):
|
||||||
|
|
||||||
|
current_app.logger.debug("S3 destination plugin is started to delete HTTP-01 challenge")
|
||||||
|
|
||||||
|
function = f"{__name__}.{sys._getframe().f_code.co_name}"
|
||||||
|
|
||||||
|
account_number = self.get_option("accountNumber", options)
|
||||||
|
bucket_name = self.get_option("bucket", options)
|
||||||
|
prefix = self.get_option("prefix", options)
|
||||||
|
filename = token_path.split("/")[-1]
|
||||||
|
response = s3.delete(bucket_name=bucket_name,
|
||||||
|
prefixed_object_name=prefix + filename,
|
||||||
|
account_number=account_number)
|
||||||
|
res = "Success" if response else "Failure"
|
||||||
|
log_data = {
|
||||||
|
"function": function,
|
||||||
|
"message": "delete acme token challenge",
|
||||||
|
"result": res,
|
||||||
|
"bucket_name": bucket_name,
|
||||||
|
"filename": filename
|
||||||
|
}
|
||||||
|
current_app.logger.info(log_data)
|
||||||
|
metrics.send(f"{function}", "counter", 1, metric_tags={"result": res,
|
||||||
|
"bucket_name": bucket_name,
|
||||||
|
"filename": filename})
|
||||||
|
return response
|
||||||
|
|
||||||
|
|
||||||
class SNSNotificationPlugin(ExpirationNotificationPlugin):
|
class SNSNotificationPlugin(ExpirationNotificationPlugin):
|
||||||
|
|
|
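Review bot: The trailing-slash normalization in the @431 hunk (`prefix + "/"` under `if not prefix.endswith("/"):`) discards its result, so a prefix configured without a trailing slash yields an object key with prefix and filename run together; this is pre-existing context rather than something the commit introduces, but the new `delete_acme_token` in the @449 hunk then builds `prefixed_object_name=prefix + filename` with no normalization at all, so upload and delete only agree on the key while the upload bug persists. The statement should be `prefix += "/"` in the upload path, and the same two-line guard should precede the `s3.delete(...)` call. Separately, `delete_acme_token` accepts `**kwargs` but never reads them, so a caller passing `account_number=` (as the updated test on this page does) is silently ignored in favour of `self.get_option("accountNumber", options)`; either drop `**kwargs` or document in the method's docstring that only `options` is consulted. The enclosing `upload_acme_token` definition starts outside the @419/@431 hunks.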
@ -68,10 +68,11 @@ def test_upload_acme_token(app):
|
||||||
s3_client.create_bucket(Bucket=bucket)
|
s3_client.create_bucket(Bucket=bucket)
|
||||||
p = plugins.get("aws-s3")
|
p = plugins.get("aws-s3")
|
||||||
|
|
||||||
p.upload_acme_token(token_path=token_path,
|
response = p.upload_acme_token(token_path=token_path,
|
||||||
token_content=token_content,
|
token_content=token_content,
|
||||||
token=token_content,
|
token=token_content,
|
||||||
options=additional_options)
|
options=additional_options)
|
||||||
|
assert response
|
||||||
|
|
||||||
response = get(bucket_name=bucket,
|
response = get(bucket_name=bucket,
|
||||||
prefixed_object_name=prefix + token_name,
|
prefixed_object_name=prefix + token_name,
|
||||||
|
@ -80,3 +81,8 @@ def test_upload_acme_token(app):
|
||||||
|
|
||||||
# put data, and getting the same data
|
# put data, and getting the same data
|
||||||
assert (response == token_content)
|
assert (response == token_content)
|
||||||
|
|
||||||
|
response = p.delete_acme_token(token_path=token_path,
|
||||||
|
options=additional_options,
|
||||||
|
account_number=account)
|
||||||
|
assert response
|
||||||
|
|
|
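Review bot: The new `assert response` after `p.delete_acme_token(...)` only checks that the call returned something truthy; it never verifies that the token object is actually gone from the bucket, so a delete that returns a non-empty response without removing the key would still pass. Assuming the token is the only object this test writes, add `assert "Contents" not in s3_client.list_objects_v2(Bucket=bucket)` after the final assertion (or a follow-up `get(...)` for `prefix + token_name`, if that helper returns a falsy value for a missing key). The `account_number=account` keyword passed to `delete_acme_token` is not read by the plugin method in this commit — it lands in `**kwargs` — so it exercises no separate code path and is probably best removed or moved into `additional_options`. The `test_upload_acme_token` function starts outside the hunk.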
@ -79,7 +79,6 @@ pyrfc3339==1.1 # via -r requirements.txt, acme
|
||||||
python-dateutil==2.8.1 # via -r requirements.txt, alembic, arrow, botocore
|
python-dateutil==2.8.1 # via -r requirements.txt, alembic, arrow, botocore
|
||||||
python-editor==1.0.4 # via -r requirements.txt, alembic
|
python-editor==1.0.4 # via -r requirements.txt, alembic
|
||||||
python-json-logger==0.1.11 # via -r requirements.txt, logmatic-python
|
python-json-logger==0.1.11 # via -r requirements.txt, logmatic-python
|
||||||
python-ldap==3.3.1 # via -r requirements.txt
|
|
||||||
pytz==2019.3 # via -r requirements.txt, acme, babel, celery, flask-restful, pyrfc3339
|
pytz==2019.3 # via -r requirements.txt, acme, babel, celery, flask-restful, pyrfc3339
|
||||||
pyyaml==5.3.1 # via -r requirements.txt, cloudflare
|
pyyaml==5.3.1 # via -r requirements.txt, cloudflare
|
||||||
raven[flask]==6.10.0 # via -r requirements.txt
|
raven[flask]==6.10.0 # via -r requirements.txt
|
||||||
|
|