From 588ac1d6a60b4db670e6305041ec69d7b8f57c8e Mon Sep 17 00:00:00 2001
From: kevgliss
Date: Tue, 29 Nov 2016 17:15:39 -0800
Subject: [PATCH] Digicert cis fixes (#540)

---
 lemur/authorities/views.py | 1 +
 lemur/certificates/service.py | 2 +-
 lemur/plugins/lemur_digicert/plugin.py | 33 +++++++++++--------
 .../lemur_digicert/tests/test_digicert.py | 10 +++---
 .../certificates/certificate/certificate.js | 4 ++-
 lemur/tests/test_certificates.py | 2 +-
 6 files changed, 31 insertions(+), 21 deletions(-)

diff --git a/lemur/authorities/views.py b/lemur/authorities/views.py
index fe6b5523..9191d290 100644
--- a/lemur/authorities/views.py
+++ b/lemur/authorities/views.py
@@ -219,6 +219,7 @@ class AuthoritiesList(AuthenticatedResource):
 :statuscode 403: unauthenticated
 :statuscode 200: no error
 """
+ data['creator'] = g.current_user
 return service.create(**data)
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index b955abeb..46b2672e 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -410,7 +410,7 @@ def create_csr(**csr_config):
 csr = request.public_bytes(
 encoding=serialization.Encoding.PEM
- )
+ ).decode('utf-8')
 return csr, private_key
diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py
index 5a353bd9..172a3064 100644
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@@ -79,8 +79,8 @@ def get_issuance(options):
 if not options.get('validity_end'):
 options['validity_end'] = arrow.utcnow().replace(years=current_app.config.get('DIGICERT_DEFAULT_VALIDITY', 1))
- validity_years = determine_validity_years(options['validity_end'])
- return validity_years
+ options['validity_years'] = determine_validity_years(options['validity_end'])
+ return options
 def get_additional_names(options):
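Review bot: `get_issuance` now mutates the `options` dict it receives — it writes `validity_end` when absent and always writes `validity_years` — and returns that same object, so the `issuer_options` passed into `map_fields` and `map_cis_fields` (which both call it in the plugin.py hunks below) are changed as a side effect. The docstring, which sits above the hunk, should state this; for example `Fill in a default validity_end if missing, set validity_years, and return the same (mutated) options dict.` Any caller outside this patch that still expects the old integer return would now receive a dict; only the test in test_digicert.py is updated here, so other callers cannot be confirmed from this view. The function's signature and docstring are outside the hunk.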
@@ -105,6 +105,8 @@ def map_fields(options, csr):
 :param csr:
 :return: dict or valid DigiCert options
 """
+ options = get_issuance(options)
+
 data = {
 "certificate": {
@@ -120,9 +122,7 @@ def map_fields(options, csr):
 }
 data['certificate']['dns_names'] = get_additional_names(options)
- validity_years = get_issuance(options)
 data['custom_expiration_date'] = options['validity_end'].format('YYYY-MM-DD')
- data['validity_years'] = validity_years
 return data
@@ -135,7 +135,9 @@ def map_cis_fields(options, csr):
 :param csr:
 :return:
 """
+ options = get_issuance(options)
 data = {
+ "profile_name": current_app.config.get('DIGICERT_CIS_PROFILE_NAME'),
 "common_name": options['common_name'],
 "additional_dns_names": get_additional_names(options),
 "csr": csr,
@@ -243,11 +245,6 @@ class DigiCertIssuerPlugin(IssuerPlugin):
 def __init__(self, *args, **kwargs):
 """Initialize the issuer with the appropriate details."""
 required_vars = [
- 'DIGICERT_API_KEY',
- 'DIGICERT_URL',
- 'DIGICERT_ORG_ID',
- 'DIGICERT_ROOT',
- 'DIGICERT_INTERMEDIATE'
 ]
 validate_conf(current_app, required_vars)
@@ -275,11 +272,15 @@ class DigiCertIssuerPlugin(IssuerPlugin):
 determinator_url = "{0}/services/v2/order/certificate/ssl".format(base_url)
 data = map_fields(issuer_options, csr)
 response = self.session.post(determinator_url, data=json.dumps(data))
+
+ if response.status_code > 399:
+ raise Exception(response.json()['message'])
+
 order_id = response.json()['id']
 certificate_id = get_certificate_id(self.session, base_url, order_id)
- # retrieve certificate
+ # retrieve ceqrtificate
 certificate_url = "{0}/services/v2/certificate/{1}/download/format/pem_all".format(base_url, certificate_id)
 end_entity, intermediate, root = pem.parse(self.session.get(certificate_url).content)
 return str(end_entity), str(intermediate)
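Review bot: Emptying `required_vars` in `DigiCertIssuerPlugin.__init__` makes the `validate_conf(current_app, required_vars)` call that follows a no-op, so a deployment missing `DIGICERT_API_KEY` or `DIGICERT_URL` now initialises cleanly and only fails later when the settings are read, with a less specific error than the upfront check gave. If the goal is to let the CIS plugin run without the legacy DigiCert settings (the CIS plugin keeps its own list in the @@ -314 hunk), that intent should be recorded next to the empty list, e.g. `# no upfront validation: these settings are only required when this plugin is actually used`, and ideally the check moved to the point of use so the error still names the missing setting. Keeping an empty list plus a validate call invites a future reader to assume the configuration is checked. `__init__` continues past the hunk.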
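Review bot: The new status check calls `response.json()['message']` before anything has confirmed the body is JSON with that key, so a non-JSON error body (a proxy or gateway error page) or a JSON body without `message` raises a decode or key error that hides the HTTP status; the CIS plugin's @@ -337 hunk has the same shape with a deeper `['errors'][0]['message']` lookup. A message that carries the status and degrades gracefully avoids that, e.g. `raise Exception('DigiCert request failed ({0}): {1}'.format(response.status_code, response.text))`, assuming `self.session` is a requests session as the `.json()`/`.status_code` usage suggests. The download two lines later, `self.session.get(certificate_url).content`, is still unchecked, so a failed download surfaces as a tuple-unpacking error from `pem.parse` rather than as an HTTP error. The comment edit also introduces a typo: `# retrieve ceqrtificate` should remain `# retrieve certificate`. The enclosing method starts outside the hunk.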
@@ -314,7 +315,6 @@ class DigiCertCISIssuerPlugin(IssuerPlugin):
 required_vars = [
 'DIGICERT_CIS_API_KEY',
 'DIGICERT_CIS_URL',
- 'DIGICERT_CIS_ORG_ID',
 'DIGICERT_CIS_ROOT',
 'DIGICERT_CIS_INTERMEDIATE',
 'DIGICERT_CIS_PROFILE_NAME'
@@ -337,16 +337,21 @@ class DigiCertCISIssuerPlugin(IssuerPlugin):
 base_url = current_app.config.get('DIGICERT_CIS_URL')
 # make certificate request
- create_url = '{0}/platform/cis/certificate'
+ create_url = '{0}/platform/cis/certificate'.format(base_url)
 data = map_cis_fields(issuer_options, csr)
 response = self.session.post(create_url, data=json.dumps(data))
+
+ current_app.logger.debug(data)
+ if response.status_code > 399:
+ raise Exception(response.json()['errors'][0]['message'])
+
 order_id = response.json()['id']
 # retrieve certificate
 certificate_pem = get_cis_certificate(self.session, base_url, order_id)
- end_entity, intermediate, root = pem.parse(certificate_pem)
- return str(end_entity), str(intermediate)
+ end_entity = pem.parse(certificate_pem)[0]
+ return str(end_entity), current_app.config.get('DIGICERT_CIS_INTERMEDIATE')
 @staticmethod
 def create_authority(options):
diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py
index c47d2be0..a4e5f7a4 100644
--- a/lemur/plugins/lemur_digicert/tests/test_digicert.py
+++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py
@@ -33,7 +33,6 @@ def test_map_fields(app):
 'signature_hash': 'sha256'
 },
 'organization': {'id': 111111},
- 'validity_years': 1,
 'custom_expiration_date': arrow.get(2017, 5, 7).format('YYYY-MM-DD')
 }
@@ -68,7 +67,8 @@ def test_map_cis_fields(app):
 'organization': {'name': 'Example, Inc.', 'units': ['Example Org']},
 'validity': {
 'valid_to': arrow.get(2017, 5, 7).format('YYYY-MM-DD')
- }
+ },
+ 'profile_name': None
 }
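Review bot: `end_entity = pem.parse(certificate_pem)[0]` raises a bare IndexError if `get_cis_certificate` returns a body with no PEM block and silently ignores any further blocks, while the intermediate is now taken from `DIGICERT_CIS_INTERMEDIATE` rather than from the downloaded material — a comment such as `# CIS download holds only the end-entity cert; the intermediate comes from config` would record that assumption, if it is the reason (the hunk does not show the download format). `current_app.logger.debug(data)` writes the entire request payload, including the CSR and profile name, to the log on every issuance; if it was added to troubleshoot this change it should be removed, otherwise a comment on why it stays would help. The error branch shares the fragile `response.json()[...]` lookup noted on the @@ -275 hunk. The enclosing method starts and ends outside the hunk.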
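Review bot: Expecting `'profile_name': None` in `test_map_cis_fields` pins the mapping to an unset `DIGICERT_CIS_PROFILE_NAME`, a configuration the CIS plugin rejects in `__init__` through its `required_vars`, so the test never checks the value that would actually be sent. Setting the key on the app config within the test and asserting that string would cover the real path, e.g. `app.config['DIGICERT_CIS_PROFILE_NAME'] = 'example-profile'` — assuming the `app` fixture is the Flask app with a mutable config, which this hunk does not show. The test body continues outside the hunk.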
@@ -81,14 +81,16 @@ def test_issuance():
 'validity_start': arrow.get(2016, 10, 30)
 }
- assert get_issuance(options) == 2
+ new_options = get_issuance(options)
+ assert new_options['validity_years'] == 2
 options = {
 'validity_end': arrow.get(2017, 5, 7),
 'validity_start': arrow.get(2016, 10, 30)
 }
- assert get_issuance(options) == 1
+ new_options = get_issuance(options)
+ assert new_options['validity_years'] == 1
 options = {
 'validity_end': arrow.get(2020, 5, 7),
diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js
index 104259a0..09b78845 100644
--- a/lemur/static/app/angular/certificates/certificate/certificate.js
+++ b/lemur/static/app/angular/certificates/certificate/certificate.js
@@ -213,7 +213,9 @@ angular.module('lemur')
 .controller('CertificateCloneController', function ($scope, $uibModalInstance, CertificateApi, CertificateService, DestinationService, AuthorityService, AuthorityApi, PluginService, MomentService, WizardHandler, LemurRestangular, NotificationService, toaster, editId) {
 CertificateApi.get(editId).then(function (certificate) {
 $scope.certificate = certificate;
- $scope.certificate.name = ''; // we should prefer the generated name.
+ $scope.certificate.name = ''; // we should prefer the generated name
+ $scope.validityStart = null; // we should rely the defaults
+ $scope.validityEnd = null; // we should rely on the defaults
 CertificateService.getDefaults($scope.certificate);
 });
diff --git a/lemur/tests/test_certificates.py b/lemur/tests/test_certificates.py
index 6b2f373e..eedd6356 100644
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@@ -336,7 +336,7 @@ def test_create_basic_csr(client):
 )
 csr, pem = create_csr(**csr_config)
- csr = x509.load_pem_x509_csr(csr, default_backend())
+ csr = x509.load_pem_x509_csr(csr.encode('utf-8'), default_backend())
 for name in csr.subject:
 assert name.value in csr_config.values()
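Review bot: The comment on the new `$scope.validityStart = null;` line is missing a word — `// we should rely the defaults` should read `// we should rely on the defaults`, matching the comment on the `validityEnd` line beneath it. The callback continues outside the hunk.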