From 788703ce12b9e3783fe6cd3ce00d3ebf98caf9e3 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 20 Oct 2020 16:43:57 -0700 Subject: [PATCH 01/27] Fix cert reissue when L/OU is not set get_certificate_primitives complains with None L/OU --- lemur/certificates/schemas.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py index cc0a607e..77f49c9b 100644 --- a/lemur/certificates/schemas.py +++ b/lemur/certificates/schemas.py @@ -353,6 +353,12 @@ class CertificateOutputSchema(LemurOutputSchema): data.pop("organization", None) data.pop("organizational_unit", None) + # Removing optional fields if None, else it complains in de-serialization + if "location" in data and data["location"] is None: + data.pop("location") + if "organizational_unit" in data and data["organizational_unit"] is None: + data.pop("organizational_unit") + class CertificateShortOutputSchema(LemurOutputSchema): id = fields.Integer() From 01dddd2a557286cbf8ecf1229ec5ed51518fd65f Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 20 Oct 2020 17:17:28 -0700 Subject: [PATCH 02/27] iterate over subject details --- lemur/certificates/schemas.py | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py index 77f49c9b..3dc864e7 100644 --- a/lemur/certificates/schemas.py +++ b/lemur/certificates/schemas.py @@ -340,6 +340,8 @@ class CertificateOutputSchema(LemurOutputSchema): @post_dump def handle_subject_details(self, data): + subject_details = ["country", "state", "location", "organization", "organizational_unit"] + # Remove subject details if authority is CA/Browser Forum compliant. The code will use default set of values in that case. # If CA/Browser Forum compliance of an authority is unknown (None), it is safe to fallback to default values. Thus below # condition checks for 'not False' ==> 'True or None' 
@@ -347,17 +349,13 @@ class CertificateOutputSchema(LemurOutputSchema): is_cab_compliant = data.get("authority").get("isCabCompliant") if is_cab_compliant is not False: - data.pop("country", None) - data.pop("state", None) - data.pop("location", None) - data.pop("organization", None) - data.pop("organizational_unit", None) + for field in subject_details: + data.pop(field, None) - # Removing optional fields if None, else it complains in de-serialization - if "location" in data and data["location"] is None: - data.pop("location") - if "organizational_unit" in data and data["organizational_unit"] is None: - data.pop("organizational_unit") + # Removing subject fields if None, else it complains in de-serialization + for field in subject_details: + if field in data and data[field] is None: + data.pop(field) class CertificateShortOutputSchema(LemurOutputSchema): From 49971652351ec487961234c353cad0ed62158984 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 20 Oct 2020 17:59:50 -0700 Subject: [PATCH 03/27] Removing ECC 192 and 521 from UI not CAB supported. Keeping 521 for authority --- .../static/app/angular/authorities/authority/options.tpl.html | 1 - .../app/angular/certificates/certificate/options.tpl.html | 4 +--- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/lemur/static/app/angular/authorities/authority/options.tpl.html b/lemur/static/app/angular/authorities/authority/options.tpl.html index 01928fc3..adf8eacc 100644 --- a/lemur/static/app/angular/authorities/authority/options.tpl.html +++ b/lemur/static/app/angular/authorities/authority/options.tpl.html @@ -24,7 +24,6 @@ ng-options="option.value as option.name for option in [ {'name': 'RSA-2048', 'value': 'RSA2048'}, {'name': 'RSA-4096', 'value': 'RSA4096'}, - {'name': 'ECC-PRIME192V1', 'value': 'ECCPRIME192V1'}, {'name': 'ECC-PRIME256V1', 'value': 'ECCPRIME256V1'}, {'name': 'ECC-SECP384R1', 'value': 'ECCSECP384R1'}, {'name': 'ECC-SECP521R1', 'value': 'ECCSECP521R1'}]" 
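Review bot: The None-stripping loop added at the end of the hunk re-walks `subject_details` even when the CA/B-compliant branch just popped every one of those keys, and `if field in data and data[field] is None` does two lookups per field; `if data.get(field, False) is None: data.pop(field)` expresses the same "present and None" test in one step. `subject_details` is a fixed list rebuilt on every dump and would read better as a module-level tuple constant. The method has no docstring; a one-liner such as `"""Drop subject fields the dump must not carry: all of them when the authority is (or may be) CA/B Forum compliant, otherwise only those that are None."""` would record the two rules this hunk encodes. The `def handle_subject_details` line and the `is_cab_compliant` lookup sit in the preceding hunk, outside this one.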
diff --git a/lemur/static/app/angular/certificates/certificate/options.tpl.html b/lemur/static/app/angular/certificates/certificate/options.tpl.html index 2c02c693..11b8fe68 100644 --- a/lemur/static/app/angular/certificates/certificate/options.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/options.tpl.html @@ -35,10 +35,8 @@ ng-options="option.value as option.name for option in [ {'name': 'RSA-2048', 'value': 'RSA2048'}, {'name': 'RSA-4096', 'value': 'RSA4096'}, - {'name': 'ECC-PRIME192V1', 'value': 'ECCPRIME192V1'}, {'name': 'ECC-PRIME256V1', 'value': 'ECCPRIME256V1'}, - {'name': 'ECC-SECP384R1', 'value': 'ECCSECP384R1'}, - {'name': 'ECC-SECP521R1', 'value': 'ECCSECP521R1'}]" + {'name': 'ECC-SECP384R1', 'value': 'ECCSECP384R1'}]" ng-init="certificate.keyType = 'RSA2048'"> From 757e190b6094966ff16113d2e82b5677ca8bb025 Mon Sep 17 00:00:00 2001 From: sayali Date: Wed, 21 Oct 2020 12:11:41 -0700 Subject: [PATCH 04/27] Check if OU and L is present in subject fixing index out of range --- lemur/common/defaults.py | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/lemur/common/defaults.py b/lemur/common/defaults.py index b9c88e49..d94c3563 100644 --- a/lemur/common/defaults.py +++ b/lemur/common/defaults.py @@ -110,9 +110,11 @@ def organizational_unit(cert): :return: """ try: - return cert.subject.get_attributes_for_oid(x509.OID_ORGANIZATIONAL_UNIT_NAME)[ - 0 - ].value.strip() + ou = cert.subject.get_attributes_for_oid(x509.OID_ORGANIZATIONAL_UNIT_NAME) + if not ou: + return None + + return ou[0].value.strip() except Exception as e: sentry.captureException() current_app.logger.error("Unable to get organizational unit! {0}".format(e)) 
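Review bot: Removing `ECCPRIME192V1` from both dropdowns and `ECCSECP521R1` from the certificate dropdown only hides those options in the UI; the `keyType` value is still a free string on the request, so an API caller can submit them unless the server-side certificate schema rejects them, and this commit does not touch that validation. If the motivation is CA/B Forum compliance as the subject line says, enforce the allowed set where the request is validated (whether the schema already does so is not visible here) and then note it in the template, e.g. `<!-- ECC-PRIME192V1 omitted: not CA/B Forum compliant; the allowed key types are enforced in the certificate schema -->`. The authority template keeps SECP521R1 while the certificate one drops it; a short comment on why the two lists differ would save the next reader the same question.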
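Review bot: The new empty-result guard (`if not ou: return None`) is pasted verbatim into organizational_unit here and into location (next hunk), organization, country and state (patch 05), so the five accessors now differ only in the OID and the error text; a private helper taking those two values would keep them identical and stop the next copy from drifting. Each docstring still has a blank `:return:`; document `:return: the stripped value of the first matching subject attribute, or None when the subject has none` in all five. The rewrite below assumes the `except` branch in each function falls through to an implicit None after logging, as the hunk suggests (its tail is outside the hunk), and note that only the first of several attributes is returned, which the helper's docstring should say.
```python
def _first_subject_attribute(cert, oid, label):
    """Return the stripped value of the first *oid* attribute in cert.subject, or None if absent.

    Mirrors the existing accessors: failures are reported to sentry and logged, not raised.
    """
    try:
        attrs = cert.subject.get_attributes_for_oid(oid)
        if not attrs:
            return None
        return attrs[0].value.strip()
    except Exception as e:
        sentry.captureException()
        current_app.logger.error("Unable to get {0}! {1}".format(label, e))


def organizational_unit(cert):
    # … unchanged: docstring …
    return _first_subject_attribute(cert, x509.OID_ORGANIZATIONAL_UNIT_NAME, "organizational unit")
```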
@@ -155,9 +157,11 @@ def location(cert): :return: """ try: - return cert.subject.get_attributes_for_oid(x509.OID_LOCALITY_NAME)[ - 0 - ].value.strip() + loc = cert.subject.get_attributes_for_oid(x509.OID_LOCALITY_NAME) + if not loc: + return None + + return loc[0].value.strip() except Exception as e: sentry.captureException() current_app.logger.error("Unable to get location! {0}".format(e)) From 43483cb1c7c6c29bfe0dde757e501faecd31a493 Mon Sep 17 00:00:00 2001 From: sayali Date: Wed, 21 Oct 2020 15:11:10 -0700 Subject: [PATCH 05/27] Check if present - Organization, State, Country --- lemur/common/defaults.py | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/lemur/common/defaults.py b/lemur/common/defaults.py index d94c3563..d7b37292 100644 --- a/lemur/common/defaults.py +++ b/lemur/common/defaults.py @@ -95,9 +95,11 @@ def organization(cert): :return: """ try: - return cert.subject.get_attributes_for_oid(x509.OID_ORGANIZATION_NAME)[ - 0 - ].value.strip() + o = cert.subject.get_attributes_for_oid(x509.OID_ORGANIZATION_NAME) + if not o: + return None + + return o[0].value.strip() except Exception as e: sentry.captureException() current_app.logger.error("Unable to get organization! {0}".format(e)) @@ -127,9 +129,11 @@ def country(cert): :return: """ try: - return cert.subject.get_attributes_for_oid(x509.OID_COUNTRY_NAME)[ - 0 - ].value.strip() + c = cert.subject.get_attributes_for_oid(x509.OID_COUNTRY_NAME) + if not c: + return None + + return c[0].value.strip() except Exception as e: sentry.captureException() current_app.logger.error("Unable to get country! {0}".format(e)) 
@@ -142,9 +146,11 @@ def state(cert):
 :return:
 """
 try:
- return cert.subject.get_attributes_for_oid(x509.OID_STATE_OR_PROVINCE_NAME)[
- 0
- ].value.strip()
+ s = cert.subject.get_attributes_for_oid(x509.OID_STATE_OR_PROVINCE_NAME)
+ if not s:
+ return None
+
+ return s[0].value.strip()
 except Exception as e:
 sentry.captureException()
 current_app.logger.error("Unable to get state! {0}".format(e))
From 92eec5cc9c014aae35dc65ba0bc145f47b0d0acd Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Wed, 21 Oct 2020 18:52:55 -0700
Subject: [PATCH 06/27] revocation should only check for not expired and not revoked certs

---
 lemur/certificates/service.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 6d1bd2ac..6daaa641 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -105,7 +105,7 @@ def get_all_certs():

 def get_all_valid_certs(authority_plugin_name):
 """
- Retrieves all valid (not expired) certificates within Lemur, for the given authority plugin names
+ Retrieves all valid (not expired & not revoked) certificates within Lemur, for the given authority plugin names
 ignored if no authority_plugin_name provided.

 Note that depending on the DB size retrieving all certificates might an expensive operation
@@ -116,11 +116,12 @@ def get_all_valid_certs(authority_plugin_name):
 return (
 Certificate.query.outerjoin(Authority, Authority.id == Certificate.authority_id).filter(
 Certificate.not_after > arrow.now().format("YYYY-MM-DD")).filter(
- Authority.plugin_name.in_(authority_plugin_name)).all()
+ Authority.plugin_name.in_(authority_plugin_name)).filter(Certificate.revoked.is_(False)).all()
 )
 else:
 return (
- Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD")).all()
+ Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD")).filter(
+ Certificate.revoked.is_(False)).all()
 )


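Review bot: `Certificate.revoked.is_(False)` on both new lines excludes rows whose `revoked` column is NULL as well as rows where it is True; if the column is nullable (not visible here), any certificate never explicitly written with `revoked = False` silently drops out of the "valid" set, and the Entrust deactivation sweep built on this query in patch 08 will never touch it. Decide which semantics is wanted and document it in the docstring: keep `is_(False)` if the column is NOT NULL, otherwise use `Certificate.revoked.isnot(True)`. The expiry and revocation filters are now duplicated across the two branches; building the base query once and only adding the `outerjoin`/`plugin_name` filter under the condition would keep the two paths from diverging again (the branch condition itself is above the hunk).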
From 906b3b2337c56486584a4751a0a3b77270c0ebcf Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Wed, 21 Oct 2020 19:52:25 -0700
Subject: [PATCH 07/27] better handling of status code

---
 lemur/plugins/lemur_entrust/plugin.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index 515e2400..d3f2c202 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
+++ b/lemur/plugins/lemur_entrust/plugin.py
@@ -109,7 +109,12 @@ def handle_response(my_response):
 "response": d
 }
 current_app.logger.info(log_data)
- return d
+ if d == {'response': 'No detailed message'}:
+ # status if no data
+ return s
+ else:
+ # return data from the response
+ return d


 class EntrustIssuerPlugin(IssuerPlugin):
@@ -211,7 +216,7 @@ class EntrustIssuerPlugin(IssuerPlugin):
 deactivate_url = f"{base_url}/certificates/{certificate.external_id}/deactivations"
 response = self.session.post(deactivate_url)
 metrics.send("entrust_deactivate_certificate", "counter", 1)
- return handle_response(response)
+ return response.status_code

 @staticmethod
 def create_authority(options):
From a4dba0cb35a02960e6d63d6aa7bc7291673a4943 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Wed, 21 Oct 2020 19:52:51 -0700
Subject: [PATCH 08/27] creating a cli to handle entrust deactivation

---
 lemur/certificates/cli.py | 41 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/lemur/certificates/cli.py b/lemur/certificates/cli.py
index b883dee0..224f02a2 100644
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
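Review bot: After this change `handle_response` returns two different types: `s` (presumably the status code, bound above the hunk) when the body is exactly `{'response': 'No detailed message'}`, which appears to be the placeholder used for an empty body, and the parsed dict otherwise, so a caller cannot tell success from failure without knowing the Entrust body shape. `deactivate_certificate` sidesteps that here by returning `response.status_code`, but patch 23 restores `return handle_response(response)`, and the CLI added in patch 08 tests that result with `if response == 200:`, which is False whenever Entrust answers 200 with a detailed JSON body, so the certificate is then recorded as `unknown`. Make the contract explicit and uniform — for example have `handle_response` always return the parsed body and let callers inspect `response.status_code` themselves — and give `deactivate_certificate` a documented boolean result such as `return response.status_code == 200` that the CLI can test. The head of `handle_response`, where `s` and `d` are assigned, is outside the hunk.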
@@ -735,3 +735,44 @@ def automatically_enable_autorotate():
 })
 cert.rotation = True
 database.update(cert)
+
+
+ @manager.command
+ def deactivate_entrust_certificates():
+ """
+ Attempt to deactivate test certificates issued by Entrust
+ """
+
+ log_data = {
+ "function": f"{__name__}.{sys._getframe().f_code.co_name}",
+ "message": "Deactivating Entrust certificates"
+ }
+
+ certificates = get_all_valid_certs(['entrust-issuer'])
+ entrust_plugin = plugins.get('entrust-issuer')
+ for cert in certificates:
+ try:
+ response = entrust_plugin.deactivate_certificate(cert)
+ if response == 200:
+ cert.status = "revoked"
+ else:
+ cert.status = "unknown"
+
+ log_data["valid"] = cert.status
+ log_data["certificate_name"] = cert.name
+ log_data["certificate_id"] = cert.id
+ metrics.send(
+ "certificate_deactivate",
+ "counter",
+ 1,
+ metric_tags={"status": log_data["valid"],
+ "certificate_name": log_data["certificate_name"],
+ "certificate_id": log_data["certificate_id"]},
+ )
+ current_app.logger.info(log_data)
+
+ database.update(cert)
+
+ except Exception as e:
+ sentry.captureException()
+ current_app.logger.exception(e)
From 2cc03088cdba41bfaffb5ebacd28379a521f235b Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Wed, 21 Oct 2020 19:53:08 -0700
Subject: [PATCH 09/27] creating a celery task

---
 lemur/common/celery.py | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/lemur/common/celery.py b/lemur/common/celery.py
index a490b13b..f72fd207 100644
--- a/lemur/common/celery.py
+++ b/lemur/common/celery.py
@@ -759,7 +759,7 @@ def check_revoked():

 log_data = {
 "function": function,
- "message": "check if any certificates are revoked revoked",
+ "message": "check if any valid certificate is revoked",
 "task_id": task_id,
 }

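Review bot: `deactivate_entrust_certificates` records a successful deactivation by setting `cert.status = "revoked"` but never sets `cert.revoked`, while `get_all_valid_certs` (patch 06) selects on `Certificate.revoked.is_(False)`; unless `status` is derived from `revoked` somewhere not shown, every certificate deactivated in one run is selected and POSTed again on the next, and the `else` branch overwrites whatever status the certificate had with `"unknown"` on any non-200 reply. Set the flag the query reads, `cert.revoked = True` next to `cert.status = "revoked"`, and leave `cert.status` alone on failure. The docstring says the command targets test certificates, yet nothing restricts it to a non-production deployment: it deactivates every valid certificate issued through the `entrust-issuer` plugin in the database, so gate it on an explicit configuration flag, state that guard in the docstring, and apply the same gate to the Celery task in patch 09 whose docstring says it "should only run in TEST". `log_data["valid"]` holds a status string; naming the key `status`, as the metric tag already does, would avoid the mismatch.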
@@ -842,3 +842,39 @@ def enable_autorotate_for_certs_attached_to_endpoint():
 cli_certificate.automatically_enable_autorotate()
 metrics.send(f"{function}.success", "counter", 1)
 return log_data
+
+
+ @celery.task(soft_time_limit=3600)
+ def deactivate_entrust():
+ """
+ This celery task attempts to deactivate all not yet deactivated Entrust certificates, and should only run in TEST
+ :return:
+ """
+ function = f"{__name__}.{sys._getframe().f_code.co_name}"
+ task_id = None
+ if celery.current_task:
+ task_id = celery.current_task.request.id
+
+ log_data = {
+ "function": function,
+ "message": "deactivate entrust certificates",
+ "task_id": task_id,
+ }
+
+ if task_id and is_task_active(function, task_id, None):
+ log_data["message"] = "Skipping task: Task is already active"
+ current_app.logger.debug(log_data)
+ return
+
+ current_app.logger.debug(log_data)
+ try:
+ cli_certificate.deactivate_entrust_certificates()
+ except SoftTimeLimitExceeded:
+ log_data["message"] = "Time limit exceeded."
+ current_app.logger.error(log_data)
+ sentry.captureException()
+ metrics.send("celery.timeout", "counter", 1, metric_tags={"function": function})
+ return
+
+ metrics.send(f"{function}.success", "counter", 1)
+ return log_data
From c40ecd12cbe8df3913897df5fd2fb95ce6e559d6 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 10:58:16 -0700
Subject: [PATCH 10/27] improved naming

---
 lemur/common/celery.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lemur/common/celery.py b/lemur/common/celery.py
index f72fd207..f9d58bd9 100644
--- a/lemur/common/celery.py
+++ b/lemur/common/celery.py
@@ -845,7 +845,7 @@ def enable_autorotate_for_certs_attached_to_endpoint():


 @celery.task(soft_time_limit=3600)
-def deactivate_entrust():
+def deactivate_entrust_test_certificates():
 """
 This celery task attempts to deactivate all not yet deactivated Entrust certificates, and should only run in TEST
 :return:
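Review bot: The docstring of the new task (renamed `deactivate_entrust_test_certificates` in patch 10, same line) leaves `:return:` blank although the function has three distinct exits; document `:return: the log_data dict on success; None when skipped because another instance is active, or when the soft time limit is exceeded`. The message "should only run in TEST" is the only thing standing between this task and production certificates, so the docstring should also name the configuration setting that is expected to gate it once one exists. Exceptions other than `SoftTimeLimitExceeded` are handled per certificate inside the CLI command, which is worth one sentence here so a reader does not look for a missing `except`.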
From 2e7e3a82fa0b909ea83b0989e2f32dee084a1bce Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 11:57:54 -0700
Subject: [PATCH 11/27] Update cli.py logging in exception

---
 lemur/certificates/cli.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lemur/certificates/cli.py b/lemur/certificates/cli.py
index 224f02a2..cf2ff367 100644
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
@@ -774,5 +774,7 @@ def deactivate_entrust_certificates():
 database.update(cert)

 except Exception as e:
+ current_app.logger.info(log_data)
 sentry.captureException()
 current_app.logger.exception(e)
+
From 03d1af16e7725527bbd5b5e80b417c05ddfd3108 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 15:59:38 -0700
Subject: [PATCH 12/27] better logging for exceptions around all plugins

---
 lemur/certificates/service.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 6d1bd2ac..9c544124 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -359,7 +359,12 @@ def create(**kwargs):
 try:
 cert_body, private_key, cert_chain, external_id, csr = mint(**kwargs)
 except Exception:
- current_app.logger.error("Exception minting certificate", exc_info=True)
+ log_data = {
+ "message": "Exception minting certificate",
+ "issuer": kwargs["authority"].name,
+ "cn": kwargs["common_name"],
+ }
+ current_app.logger.error(log_data, exc_info=True)
 sentry.captureException()
 raise
 kwargs["body"] = cert_body
From c2fe2b5e0384ade0e0f2f2567e8cb1545b62ed85 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Thu, 22 Oct 2020 15:59:59 -0700
Subject: [PATCH 13/27] improved logging for all responses

---
 lemur/plugins/lemur_entrust/plugin.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py
index 515e2400..03919686 100644
--- a/lemur/plugins/lemur_entrust/plugin.py
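Review bot: The new `current_app.logger.info(log_data)` in the except branch logs whatever `log_data` held when the exception fired, and `certificate_name`, `certificate_id` and `valid` are only assigned after `deactivate_certificate` returns; an exception raised by that call therefore logs the previous iteration's certificate, or none at all on the first one. Assign `log_data["certificate_name"] = cert.name` and `log_data["certificate_id"] = cert.id` at the top of the loop body, before the `try`, so the record always names the certificate that failed. The body of deactivate_entrust_certificates begins outside the hunk.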
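Review bot: The handler now evaluates `kwargs["authority"].name` and `kwargs["common_name"]` inside `except Exception:`; if either key can be absent for some create path (not visible here), the handler raises `KeyError` and the original minting exception is lost before `sentry.captureException()` and `raise` run. Use `kwargs.get("common_name")` and `getattr(kwargs.get("authority"), "name", None)` so the log line can never mask the real failure. A one-line comment such as `# must not raise: this branch re-raises the minting error below` would record that constraint for the next field someone adds to log_data.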
+++ b/lemur/plugins/lemur_entrust/plugin.py @@ -20,7 +20,13 @@ def log_status_code(r, *args, **kwargs): :param kwargs: :return: """ + log_data = { + "reason": (r.reason if r.reason else ""), + "status_code": r.status_code, + "url": (r.url if r.url else ""), + } metrics.send(f"entrust_status_code_{r.status_code}", "counter", 1) + current_app.logger.info(log_data) def determine_end_date(end_date): From c60645bec49f23d7c55276d1a17e7c316d683cf0 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 16:00:26 -0700 Subject: [PATCH 14/27] improved logging for all responses --- lemur/plugins/lemur_digicert/plugin.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index f28279a6..9a322371 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -37,7 +37,13 @@ def log_status_code(r, *args, **kwargs): :param kwargs: :return: """ + log_data = { + "reason": (r.reason if r.reason else ""), + "status_code": r.status_code, + "url": (r.url if r.url else ""), + } metrics.send("digicert_status_code_{}".format(r.status_code), "counter", 1) + current_app.logger.info(log_data) def signature_hash(signing_algorithm): From 8fa90a2ce54539853ee7ff2769b5f35ad3e2865f Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 16:01:09 -0700 Subject: [PATCH 15/27] digicert expects also seconds, though not yet honoring it --- lemur/plugins/lemur_digicert/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 9a322371..61a274fa 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
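Review bot: The two `log_status_code` hooks (this hunk and the digicert one that follows on the same line) log every vendor response at `info`, so a run of 4xx/5xx answers from the issuer looks like any other traffic in the log; emitting the same record via `current_app.logger.warning` when `r.status_code >= 400` would make failures visible without the metrics dashboard. The conditional expressions `(r.reason if r.reason else "")` and `(r.url if r.url else "")` are simply `r.reason or ""` and `r.url or ""`. Apart from the metric name the two hooks are now identical, so a shared helper would keep them from drifting the next time one is changed.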
@@ -177,7 +177,7 @@ def map_cis_fields(options, csr): "csr": csr, "signature_hash": signature_hash(options.get("signing_algorithm")), "validity": { - "valid_to": validity_end.format("YYYY-MM-DDTHH:MM") + "Z" + "valid_to": validity_end.format("YYYY-MM-DDTHH:MM:SS") + "Z" }, "organization": { "name": options["organization"], From 02c040865d6ca5a1c5fec2fe1e2cf039515bb08d Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 16:05:29 -0700 Subject: [PATCH 16/27] more meaningful message --- lemur/plugins/lemur_digicert/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 61a274fa..574c8e8e 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -210,7 +210,7 @@ def handle_response(response): :return: """ if response.status_code > 399: - raise Exception(response.json()["errors"][0]["message"]) + raise Exception("DigiCert rejected certificate request with the following error:" + response.json()["errors"][0]["message"]) return response.json() From 1c96ea9ab1ee8f1e8c36331510e3866aace74bcf Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 17:10:32 -0700 Subject: [PATCH 17/27] better messaging of exceptions --- lemur/plugins/lemur_digicert/plugin.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 574c8e8e..a100954f 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
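Review bot: `response.json()["errors"][0]["message"]` on the new line assumes every reply above 399 is JSON carrying a populated `errors` list; a 5xx HTML page, an empty body or a different error envelope raises `JSONDecodeError`, `KeyError` or `IndexError` from inside the handler, and the status code and body are never reported. Guard the extraction and fall back to `response.text`, and add the missing space after the colon so the vendor message is readable; patch 19, which only rewords the same line, inherits the same problem. `handle_response` begins outside the hunk.
```python
    if response.status_code > 399:
        try:
            detail = response.json()["errors"][0]["message"]
        except (ValueError, KeyError, IndexError, TypeError):
            # not the expected JSON error envelope; report the raw body instead
            detail = response.text
        raise Exception("DigiCert rejected request with the error: " + detail)
    return response.json()
```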
@@ -221,10 +221,13 @@ def handle_cis_response(response): :param response: :return: """ - if response.status_code > 399: - raise Exception(response.text) - return response.json() + if response.status_code == 404: + raise Exception("DigiCert: Order not in issued state.") + elif response.status_code == 406: + raise Exception("DigiCert: Wrong Header") + elif response.status_code > 399: + raise Exception("DigiCert rejected request with the error:" + response.text) @retry(stop_max_attempt_number=10, wait_fixed=10000) From 2e7652962cbbe4403ff44dc0df9550882e1e1b10 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 17:11:02 -0700 Subject: [PATCH 18/27] refactoring of the error handling --- lemur/plugins/lemur_digicert/plugin.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index a100954f..4143019e 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -221,7 +221,6 @@ def handle_cis_response(response): :param response: :return: """ - return response.json() if response.status_code == 404: raise Exception("DigiCert: Order not in issued state.") elif response.status_code == 406: @@ -229,6 +228,11 @@ def handle_cis_response(response): elif response.status_code > 399: raise Exception("DigiCert rejected request with the error:" + response.text) + if response.url.endswith("download"): + return response.content + else: + return response.json() + @retry(stop_max_attempt_number=10, wait_fixed=10000) def get_certificate_id(session, base_url, order_id): 
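Review bot: `response.url.endswith("download")` decides whether `handle_cis_response` returns raw bytes or parsed JSON, which ties the function's return type to the shape of whatever URL happened to be requested; `get_cis_certificate` (next hunk) is the only caller that wants bytes and already knows it. Let `handle_cis_response` validate the status and return `response`, with each caller choosing `.content` or `.json()`, or add an explicit keyword such as `raw=False`, and in either case fill the blank `:return:` line with the type actually returned. The 404 branch reports `order not in issued state` for every 404, which presumably also covers an unknown order id; appending `response.text` there, as the generic branch does, would keep the vendor's reason.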
@@ -247,11 +251,9 @@ def get_cis_certificate(session, base_url, order_id): certificate_url = "{0}/platform/cis/certificate/{1}/download".format(base_url, order_id) session.headers.update({"Accept": "application/x-pkcs7-certificates"}) response = session.get(certificate_url) + response_content = handle_cis_response(response) - if response.status_code == 404: - raise Exception("Order not in issued state.") - - cert_chain_pem = convert_pkcs7_bytes_to_pem(response.content) + cert_chain_pem = convert_pkcs7_bytes_to_pem(response_content) if len(cert_chain_pem) < 3: raise Exception("Missing the certificate chain") return cert_chain_pem From ae1e9d120b8751c1de9fc7fee706cb79f3bf46d8 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 17:13:58 -0700 Subject: [PATCH 19/27] consistent messaging --- lemur/plugins/lemur_digicert/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 4143019e..345bea72 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -210,7 +210,7 @@ def handle_response(response): :return: """ if response.status_code > 399: - raise Exception("DigiCert rejected certificate request with the following error:" + response.json()["errors"][0]["message"]) + raise Exception("DigiCert rejected request with the error:" + response.json()["errors"][0]["message"]) return response.json() From 9acd974b7451f63baf363b0f9e88e77cb2b82219 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 17:20:47 -0700 Subject: [PATCH 20/27] fixing the test to support seconds --- lemur/plugins/lemur_digicert/tests/test_digicert.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index 34dcef71..fe47c5b8 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py 
+++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -123,7 +123,7 @@ def test_map_cis_fields_with_validity_years(mock_current_app, authority): "signature_hash": "sha256", "organization": {"name": "Example, Inc."}, "validity": { - "valid_to": arrow.get(2018, 11, 3).format("YYYY-MM-DDTHH:MM") + "Z" + "valid_to": arrow.get(2018, 11, 3).format("YYYY-MM-DDTHH:MM:SS") + "Z" }, "profile_name": None, } From 97f80b79dcea1601da700c06b77395e67ae2954a Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 17:23:33 -0700 Subject: [PATCH 21/27] adjusting digicert test to support seconds --- lemur/plugins/lemur_digicert/tests/test_digicert.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index fe47c5b8..059cdd82 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -159,7 +159,7 @@ def test_map_cis_fields_with_validity_end_and_start(mock_current_app, app, autho "signature_hash": "sha256", "organization": {"name": "Example, Inc."}, "validity": { - "valid_to": arrow.get(2017, 5, 7).format("YYYY-MM-DDTHH:MM") + "Z" + "valid_to": arrow.get(2017, 5, 7).format("YYYY-MM-DDTHH:MM:SS") + "Z" }, "profile_name": None, } From cf87e178c8f70d527478544f6b37a50a901c62cf Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 17:33:02 -0700 Subject: [PATCH 22/27] making lint happy --- lemur/certificates/cli.py | 1 - 1 file changed, 1 deletion(-) diff --git a/lemur/certificates/cli.py b/lemur/certificates/cli.py index cf2ff367..f23948be 100644 --- a/lemur/certificates/cli.py +++ b/lemur/certificates/cli.py @@ -777,4 +777,3 @@ def deactivate_entrust_certificates(): current_app.logger.info(log_data) sentry.captureException() current_app.logger.exception(e) - From 9ce0010bf1a76a1057a9d3b88f1a51966d552568 Mon Sep 17 00:00:00 2001 
From: Hossein Shafagh Date: Thu, 22 Oct 2020 17:33:39 -0700 Subject: [PATCH 23/27] handle_respone can also handle the no data response --- lemur/plugins/lemur_entrust/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index d3f2c202..0e9f6b7f 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -216,7 +216,7 @@ class EntrustIssuerPlugin(IssuerPlugin): deactivate_url = f"{base_url}/certificates/{certificate.external_id}/deactivations" response = self.session.post(deactivate_url) metrics.send("entrust_deactivate_certificate", "counter", 1) - return response.status_code + return handle_response(response) @staticmethod def create_authority(options): From 8610af8b8368565c2e48976eb01168bb2ab21c90 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 22 Oct 2020 17:54:46 -0700 Subject: [PATCH 24/27] more precise language --- lemur/plugins/lemur_digicert/plugin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 345bea72..ee917dac 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -222,9 +222,9 @@ def handle_cis_response(response): :return: """ if response.status_code == 404: - raise Exception("DigiCert: Order not in issued state.") + raise Exception("DigiCert: order not in issued state") elif response.status_code == 406: - raise Exception("DigiCert: Wrong Header") + raise Exception("DigiCert: wrong header request format") elif response.status_code > 399: raise Exception("DigiCert rejected request with the error:" + response.text) From e01863097bf55cd9864a4a2e46ae0a6de700b02e Mon Sep 17 00:00:00 2001 
From: Hossein Shafagh Date: Fri, 23 Oct 2020 10:16:23 -0700 Subject: [PATCH 25/27] fixing the time bug, sub-second to second, and month to minute! --- lemur/plugins/lemur_digicert/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index ee917dac..091539de 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -177,7 +177,7 @@ def map_cis_fields(options, csr): "csr": csr, "signature_hash": signature_hash(options.get("signing_algorithm")), "validity": { - "valid_to": validity_end.format("YYYY-MM-DDTHH:MM:SS") + "Z" + "valid_to": validity_end.format("YYYY-MM-DDTHH:MM:ss") + "Z" }, "organization": { "name": options["organization"], From bc6fb02fc2712e461270b28a01d317709d13d4dc Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Fri, 23 Oct 2020 10:16:38 -0700 Subject: [PATCH 26/27] fixing testing --- lemur/plugins/lemur_digicert/tests/test_digicert.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index 059cdd82..fd07ea2b 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -123,7 +123,7 @@ def test_map_cis_fields_with_validity_years(mock_current_app, authority): "signature_hash": "sha256", "organization": {"name": "Example, Inc."}, "validity": { - "valid_to": arrow.get(2018, 11, 3).format("YYYY-MM-DDTHH:MM:SS") + "Z" + "valid_to": arrow.get(2018, 11, 3).format("YYYY-MM-DDTHH:mm:ss") + "Z" }, "profile_name": None, } 
@@ -159,7 +159,7 @@ def test_map_cis_fields_with_validity_end_and_start(mock_current_app, app, autho "signature_hash": "sha256", "organization": {"name": "Example, Inc."}, "validity": { - "valid_to": arrow.get(2017, 5, 7).format("YYYY-MM-DDTHH:MM:SS") + "Z" + "valid_to": arrow.get(2017, 5, 7).format("YYYY-MM-DDTHH:mm:ss") + "Z" }, "profile_name": None, } From 1495fb3595bc102e6ff2f9400c6981fc8bba80ed Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Fri, 23 Oct 2020 10:18:24 -0700 Subject: [PATCH 27/27] now fixing the month to minute bug --- lemur/plugins/lemur_digicert/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 091539de..ec3a0792 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -177,7 +177,7 @@ def map_cis_fields(options, csr): "csr": csr, "signature_hash": signature_hash(options.get("signing_algorithm")), "validity": { - "valid_to": validity_end.format("YYYY-MM-DDTHH:MM:ss") + "Z" + "valid_to": validity_end.format("YYYY-MM-DDTHH:mm:ss") + "Z" }, "organization": { "name": options["organization"],
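Review bot: `YYYY-MM-DDTHH:mm:ss` is the right arrow token string, but this is the third attempt at it in the series (patches 15, 25 and 27), so leave a comment on the line: `# arrow tokens are case-sensitive: mm = minutes, ss = seconds (MM = month, SS = fractional seconds)`. The tests adjusted in patch 26 build the expected value with the same token string as the code under test, which is why neither regression was caught; asserting a literal such as `"valid_to": "2018-11-03T00:00:00Z"` and `"valid_to": "2017-05-07T00:00:00Z"` would pin the wire format. The appended `"Z"` asserts UTC; if `validity_end` (computed above the hunk) can carry another offset, convert first with `validity_end.to("utc")` before formatting. map_cis_fields begins and ends outside the hunk.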