Merge branch 'master' into master

This commit is contained in:
sirferl 2020-11-14 11:56:27 +01:00 committed by GitHub
commit 51bc7d0231
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 129 additions and 15 deletions


@ -1,6 +1,87 @@
Changelog Changelog
========= =========
0.8.0 - `2020-11-13`
~~~~~~~~~~~~~~
This release comes after more than two years and contains many interesting new features and improvements.
In addition to multiple new plugins, such as ACME-http01, ADCS, PowerDNS, UltraDNS, Entrust, SNS, many of Lemur's existing
flows have improved.
In the future, we plan to do frequent releases.
Summary of notable changes:
- AWS S3 plugin: added delete, get methods, and support for uploading/deleting acme tokens
- ACME plugin:
- revamp of the plugin
- support for http01 domain validation, via S3 and SFTP as destination for the acme token
- support for CNAME delegated domain validation
- store-acme-account-details
- PowerDNS plugin
- UltraDNS plugin
- ADCS plugin
- SNS plugin
- Entrust plugin
- Rotation:
- respecting keyType and extensions
- region-by-region rotation option
- default to auto-rotate when cert attached to endpoint
- default to 1y validity during rotation for multi-year browser-trusted certs
- Certificate: search_by_name, and important performance improvements
- UI
- reducing the EC curve options to the relevant ones
- edit option for notifications, destinations and sources
- showing 13 month validity as default
- option to hide certs expired since 3month
- faster Permalink (no search involved)
- commonName Auto Added as DNS in the UI
- improved search and cert lookup
- celery tasks instead of crone, for better logging and monitoring
- countless bugfixes
- group-lookup-fix-referral
- url_context_path
- duplicate notification
- digicert-time-bug-fix
- improved-csr-support
- fix-cryptography-intermediate-ca
- enhanced logging
- vault-k8s-auth
- cfssl-key-fix
- cert-sync-endpoint-find-by-hash
- nlb-naming-bug
- fix_vault_api_v2_append
- aid_openid_roles_provider_integration
- rewrite-java-keystore-use-pyjks
- vault_kv2
To see the full list of changes, you can run
$ git log --merges --first-parent master --pretty=format:"%h %<(10,trunc)%aN %C(white)%<(15)%ar%Creset %C(red bold)%<(15)%D%Creset %s" | grep -v "depend"
Special thanks to all who contributed to this release, notably:
- `peschmae <https://github.com/peschmae>`_
- `sirferl <https://github.com/sirferl>`_
- `lukasmrtvy <https://github.com/lukasmrtvy>`_
- `intgr <https://github.com/intgr>`_
- `kush-bavishi <https://github.com/kush-bavishi>`_
- `alwaysjolley <https://github.com/alwaysjolley>`_
- `jplana <https://github.com/jplana>`_
- `explody <https://github.com/explody>`_
- `titouanc <https://github.com/titouanc>`_
- `jramosf <https://github.com/jramosf>`_
Upgrading
---------
.. note:: This release will need a migration change. Please follow the `documentation <https://lemur.readthedocs.io/en/latest/administration.html#upgrading-lemur>`_ to upgrade Lemur.
0.7 - `2018-05-07` 0.7 - `2018-05-07`
~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~


@ -15,7 +15,7 @@ __title__ = "lemur"
__summary__ = "Certificate management and orchestration service" __summary__ = "Certificate management and orchestration service"
__uri__ = "https://github.com/Netflix/lemur" __uri__ = "https://github.com/Netflix/lemur"
__version__ = "0.7.0" __version__ = "0.8.0"
__author__ = "The Lemur developers" __author__ = "The Lemur developers"
__email__ = "security@netflix.com" __email__ = "security@netflix.com"


@ -419,7 +419,7 @@ class S3DestinationPlugin(ExportDestinationPlugin):
:param kwargs: :param kwargs:
:return: :return:
""" """
current_app.logger.debug("S3 destination plugin is started for HTTP-01 challenge") current_app.logger.debug("S3 destination plugin is started to upload HTTP-01 challenge")
function = f"{__name__}.{sys._getframe().f_code.co_name}" function = f"{__name__}.{sys._getframe().f_code.co_name}"
@ -431,16 +431,16 @@ class S3DestinationPlugin(ExportDestinationPlugin):
if not prefix.endswith("/"): if not prefix.endswith("/"):
prefix + "/" prefix + "/"
res = s3.put(bucket_name=bucket_name, response = s3.put(bucket_name=bucket_name,
region_name=region, region_name=region,
prefix=prefix + filename, prefix=prefix + filename,
data=token, data=token,
encrypt=False, encrypt=False,
account_number=account_number) account_number=account_number)
res = "Success" if res else "Failure" res = "Success" if response else "Failure"
log_data = { log_data = {
"function": function, "function": function,
"message": "check if any valid certificate is revoked", "message": "upload acme token challenge",
"result": res, "result": res,
"bucket_name": bucket_name, "bucket_name": bucket_name,
"filename": filename "filename": filename
@ -449,6 +449,34 @@ class S3DestinationPlugin(ExportDestinationPlugin):
metrics.send(f"{function}", "counter", 1, metric_tags={"result": res, metrics.send(f"{function}", "counter", 1, metric_tags={"result": res,
"bucket_name": bucket_name, "bucket_name": bucket_name,
"filename": filename}) "filename": filename})
return response
def delete_acme_token(self, token_path, options, **kwargs):
current_app.logger.debug("S3 destination plugin is started to delete HTTP-01 challenge")
function = f"{__name__}.{sys._getframe().f_code.co_name}"
account_number = self.get_option("accountNumber", options)
bucket_name = self.get_option("bucket", options)
prefix = self.get_option("prefix", options)
filename = token_path.split("/")[-1]
response = s3.delete(bucket_name=bucket_name,
prefixed_object_name=prefix + filename,
account_number=account_number)
res = "Success" if response else "Failure"
log_data = {
"function": function,
"message": "delete acme token challenge",
"result": res,
"bucket_name": bucket_name,
"filename": filename
}
current_app.logger.info(log_data)
metrics.send(f"{function}", "counter", 1, metric_tags={"result": res,
"bucket_name": bucket_name,
"filename": filename})
return response
class SNSNotificationPlugin(ExpirationNotificationPlugin): class SNSNotificationPlugin(ExpirationNotificationPlugin):
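Review bot: The new `delete_acme_token` builds the object key as `prefix + filename` with no trailing-slash handling, while `upload_acme_token` (whose definition starts before this hunk) intends to normalize the prefix but its line `prefix + "/"` discards the result, so neither method actually adds the separator today; if that upload line is ever corrected the two methods would write and delete different keys. Normalize once in both places with `if not prefix.endswith("/"):` followed by `prefix += "/"`, or factor the key construction into a small helper both methods call so the deleted key is guaranteed to match the uploaded one. The new method also has no docstring, unlike its sibling; a one-line summary such as `"""Delete the HTTP-01 challenge token named by token_path from the configured bucket/prefix and return the s3.delete result."""` would keep the two consistent. `res = "Success" if response else "Failure"` presumes that `s3.delete` returns a falsy value on failure, which is not visible here and worth confirming, since an S3 delete of a non-existent key does not fail in the API.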


@ -68,10 +68,11 @@ def test_upload_acme_token(app):
s3_client.create_bucket(Bucket=bucket) s3_client.create_bucket(Bucket=bucket)
p = plugins.get("aws-s3") p = plugins.get("aws-s3")
p.upload_acme_token(token_path=token_path, response = p.upload_acme_token(token_path=token_path,
token_content=token_content, token_content=token_content,
token=token_content, token=token_content,
options=additional_options) options=additional_options)
assert response
response = get(bucket_name=bucket, response = get(bucket_name=bucket,
prefixed_object_name=prefix + token_name, prefixed_object_name=prefix + token_name,
@ -80,3 +81,8 @@ def test_upload_acme_token(app):
# put data, and getting the same data # put data, and getting the same data
assert (response == token_content) assert (response == token_content)
response = p.delete_acme_token(token_path=token_path,
options=additional_options,
account_number=account)
assert response
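Review bot: The call `p.delete_acme_token(token_path=token_path, options=additional_options, account_number=account)` passes `account_number` as a keyword argument, but the plugin method only accepts it through `**kwargs` and reads the account from `options` via `get_option("accountNumber", options)`, so the argument is silently ignored; drop it from the call or, if the intent is to override the option, the method needs to honour it. `assert response` only checks truthiness of whatever `s3.delete` returns; a stronger assertion would verify the object is actually gone afterwards, for example by asserting the `get` call used earlier in this test no longer returns `token_content` (behaviour of `get` on a missing key is not visible here, so confirm before relying on it). The enclosing `test_upload_acme_token` starts before this hunk.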


@ -79,7 +79,6 @@ pyrfc3339==1.1 # via -r requirements.txt, acme
python-dateutil==2.8.1 # via -r requirements.txt, alembic, arrow, botocore python-dateutil==2.8.1 # via -r requirements.txt, alembic, arrow, botocore
python-editor==1.0.4 # via -r requirements.txt, alembic python-editor==1.0.4 # via -r requirements.txt, alembic
python-json-logger==0.1.11 # via -r requirements.txt, logmatic-python python-json-logger==0.1.11 # via -r requirements.txt, logmatic-python
python-ldap==3.3.1 # via -r requirements.txt
pytz==2019.3 # via -r requirements.txt, acme, babel, celery, flask-restful, pyrfc3339 pytz==2019.3 # via -r requirements.txt, acme, babel, celery, flask-restful, pyrfc3339
pyyaml==5.3.1 # via -r requirements.txt, cloudflare pyyaml==5.3.1 # via -r requirements.txt, cloudflare
raven[flask]==6.10.0 # via -r requirements.txt raven[flask]==6.10.0 # via -r requirements.txt