diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py
index cc045504..10187c23 100644
--- a/lemur/authorities/schemas.py
+++ b/lemur/authorities/schemas.py
@@ -23,8 +23,8 @@ class AuthorityInputSchema(LemurInputSchema):
 description = fields.String()
 common_name = fields.String(required=True, validate=validators.sensitive_domain)
- validity_start = fields.DateTime()
- validity_end = fields.DateTime()
+ validity_start = fields.Date()
+ validity_end = fields.Date()
 validity_years = fields.Integer()
 # certificate body fields
diff --git a/lemur/authorities/service.py b/lemur/authorities/service.py
index 0ce3fbb1..d74fc4d7 100644
--- a/lemur/authorities/service.py
+++ b/lemur/authorities/service.py
@@ -45,23 +45,25 @@ def mint(**kwargs):
 """
 issuer = kwargs['plugin']['plugin_object']
 body, chain, roles = issuer.create_authority(kwargs)
+ roles = create_authority_roles(roles, kwargs['owner'], kwargs['plugin']['plugin_object'].title)
 return body, chain, roles
-def create_authority_roles(**kwargs):
+def create_authority_roles(roles, owner, plugin_title):
 """
 Creates all of the necessary authority roles.
 :param roles:
- :param kwargs:
 :return:
 """
 role_objs = []
- for r in kwargs['roles']:
- role = role_service.create(
- r['name'],
- password=r['password'],
- description="Auto generated role for {0}".format(kwargs['plugin']['plugin_object'].title),
- username=r['username'])
+ for r in roles:
+ role = role_service.get_by_name(r['name'])
+ if not role:
+ role = role_service.create(
+ r['name'],
+ password=r['password'],
+ description="Auto generated role for {0}".format(plugin_title),
+ username=r['username'])
 # the user creating the authority should be able to administer it
 if role.username == 'admin':
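Review bot: Reusing an existing role found by `role_service.get_by_name(r['name'])` silently attaches that role, and every user who already holds it, to the newly minted authority, and the plugin-supplied `r['password']` is then never applied; unless role names are namespaced per authority this widens who can administer the new CA, so the reuse should at least be logged, and ideally restricted to roles not already bound to another authority. The docstring still documents only `roles`; add `:param owner: name of the owner role to look up or create` and `:param plugin_title: used in the generated role description`, and describe the returned list. In `mint`, `issuer` is already bound to `kwargs['plugin']['plugin_object']`, so the new call can read `roles = create_authority_roles(roles, kwargs['owner'], issuer.title)`. The loop body of `create_authority_roles` continues outside the hunk.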
@@ -70,11 +72,11 @@ def create_authority_roles(**kwargs):
 role_objs.append(role)
 # create an role for the owner and assign it
- owner_role = role_service.get_by_name(kwargs['owner'])
+ owner_role = role_service.get_by_name(owner)
 if not owner_role:
 owner_role = role_service.create(
- kwargs['owner'],
- description="Auto generated role based on owner: {0}".format(kwargs['owner'])
+ owner,
+ description="Auto generated role based on owner: {0}".format(owner)
 )
 role_objs.append(owner_role)
@@ -96,8 +98,6 @@ def create(**kwargs):
 else:
 kwargs['roles'] = roles
- kwargs['roles'] = create_authority_roles(**kwargs)
-
 if kwargs['type'] == 'subca':
 description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
 authority is {1}.".format(kwargs.get('name'), kwargs.get('parent'))
@@ -162,11 +162,8 @@ def get_authority_role(ca_name):
 # TODO we should pick admin ca roles for admin
 return authority.roles[0]
 else:
- for role in g.current_user.roles:
- if role.authority:
- for authority in role.authorities:
- if authority.name == ca_name:
- return role
+ authority = get_by_name(ca_name)
+ return authority.roles[1]
 def render(args):
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 45b1c1ec..6492799c 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -125,10 +125,7 @@ def create_certificate_roles(**kwargs):
 description="Auto generated role based on owner: {0}".format(kwargs['owner'])
 )
- if kwargs.get('roles'):
- kwargs['roles'].append(owner_role)
-
- return kwargs
+ return [owner_role]
 def mint(**kwargs):
@@ -180,7 +177,12 @@ def upload(**kwargs):
 """
 Allows for pre-made certificates to be imported into Lemur.
 """
- kwargs = create_certificate_roles(**kwargs)
+ roles = create_certificate_roles(**kwargs)
+
+ if kwargs.get('roles'):
+ kwargs['roles'] += roles
+ else:
+ kwargs['roles'] = roles
 cert = Certificate(**kwargs)
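Review bot: The rewritten `else` branch of `get_authority_role` returns `authority.roles[1]` for whoever calls it, whereas the removed loop only returned a role that `g.current_user` actually holds, so the membership check the old code performed is gone; if the returned role is what later grants access to the CA, that regression should be confirmed before merging. The new lines also assume the authority exists and has at least two roles: `get_by_name` returning `None` raises AttributeError, a single-role authority raises IndexError, and index 1 is only the owner role when the plugin supplied exactly one role in `create_authority_roles`. Selecting by membership rather than position keeps the old guarantee, e.g. `return next((r for r in authority.roles if r in g.current_user.roles), None)` after a `None` check on `authority`. The start of the function is outside the hunk.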
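Review bot: `create_certificate_roles` now returns `[owner_role]`, but the merge of that list into `kwargs['roles']` is copy-pasted into `upload` here and into `create` in the following `@@ -205,7 +207,12 @@` hunk, and `kwargs['roles'] += roles` extends the caller's list object in place, so a caller that passed a shared list sees it mutated. Either keep the merge inside `create_certificate_roles` as before, returning the combined list, or put the four lines in a small helper such as `_merge_roles(kwargs, roles)` that both call sites use. The return-type change also deserves a docstring line on `create_certificate_roles` stating that it returns a list containing the owner role rather than the modified `kwargs`; its opening lines are outside the hunk.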
@@ -205,7 +207,12 @@ def create(**kwargs):
 kwargs['private_key'] = private_key
 kwargs['chain'] = cert_chain
- kwargs = create_certificate_roles(**kwargs)
+ roles = create_certificate_roles(**kwargs)
+
+ if kwargs.get('roles'):
+ kwargs['roles'] += roles
+ else:
+ kwargs['roles'] = roles
 cert = Certificate(**kwargs)
@@ -214,6 +221,7 @@ def create(**kwargs):
 cert.name = kwargs['name']
 g.user.certificates.append(cert)
+ cert.authority = kwargs['authority']
 database.commit()
 metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer))
diff --git a/lemur/common/defaults.py b/lemur/common/defaults.py
index 0e90bfc4..7e6847af 100644
--- a/lemur/common/defaults.py
+++ b/lemur/common/defaults.py
@@ -1,4 +1,4 @@
-
+import sys
 from flask import current_app
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@@ -6,7 +6,10 @@ from lemur.constants import SAN_NAMING_TEMPLATE, DEFAULT_NAMING_TEMPLATE
 def parse_certificate(body):
- return x509.load_pem_x509_certificate(bytes(body), default_backend())
+ if sys.version_info >= (3, 0):
+ return x509.load_pem_x509_certificate(body, default_backend())
+ else:
+ return x509.load_pem_x509_certificate(bytes(body), default_backend())
 def certificate_name(common_name, issuer, not_before, not_after, san):
diff --git a/lemur/common/validators.py b/lemur/common/validators.py
index 395a7c2a..fc037ba0 100644
--- a/lemur/common/validators.py
+++ b/lemur/common/validators.py
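Review bot: `parse_certificate` now branches on the interpreter version instead of on the type of `body`, so on Python 3 a `str` PEM body is passed straight to `x509.load_pem_x509_certificate`, which requires bytes and raises TypeError, while on Python 2 `bytes(body)` on a unicode body is an implicit ASCII encode that fails on non-ASCII input. Branching on the value handles both interpreters without needing `sys`: `if not isinstance(body, bytes): body = body.encode('utf-8')` followed by a single `return x509.load_pem_x509_certificate(body, default_backend())`. Whether callers ever hand this function a text string is not visible in the hunk, so confirm against the upload path before changing it, and add a one-line docstring stating that `body` is PEM text or bytes.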
@@ -102,10 +102,10 @@ def dates(data):
 raise ValidationError('Validity start must be before validity end.')
 if data.get('authority'):
- if data.get('validity_start').replace(tzinfo=None) < data['authority'].authority_certificate.not_before:
+ if data.get('validity_start').replace(hour=0, minute=0, second=0, tzinfo=None) < data['authority'].authority_certificate.not_before.replace(hour=0, minute=0, second=0):
 raise ValidationError('Validity start must not be before {0}'.format(data['authority'].authority_certificate.not_before))
- if data.get('validity_end').replace(tzinfo=None) > data['authority'].authority_certificate.not_after:
+ if data.get('validity_end').replace(hour=0, minute=0, second=0, tzinfo=None) > data['authority'].authority_certificate.not_after.replace(hour=0, minute=0, second=0):
 raise ValidationError('Validity end must not be after {0}'.format(data['authority'].authority_certificate.not_after))
 if data.get('validity_years'):
diff --git a/lemur/tests/test_certificates.py b/lemur/tests/test_certificates.py
index db736d2d..3f800f70 100644
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@@ -187,8 +187,8 @@ def test_certificate_valid_dates(client, authority):
 'owner': 'jim@example.com',
 'authority': {'id': authority.id},
 'description': 'testtestest',
- 'validityStart': '2020-01-01T00:21:34.513631',
- 'validityEnd': '2020-01-01T00:22:34.513631'
+ 'validityStart': '2020-01-01T00:00:00',
+ 'validityEnd': '2020-01-01T00:00:01'
 }
 data, errors = CertificateInputSchema().load(input_data)
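Review bot: Truncating both sides to midnight in `dates` makes the issuer-bound check weaker than it was: a `validity_start` of 2020-01-01 00:00 now passes against a CA whose `not_before` is 2020-01-01 15:00 (and likewise an end later in the day than `not_after`), so a certificate can be issued that is valid before its issuer is, and `microsecond` is left untouched by the `replace` calls. If this validator also runs for the authority schema, whose `validity_start`/`validity_end` become `fields.Date` in this same commit, `date.replace(hour=0, ...)` raises TypeError and a `date` cannot be ordered against a `datetime` at all. A type-agnostic form is to drop the truncation, convert a `date` input with `datetime.combine(value, datetime.min.time())`, and compare against the CA bound exactly as the removed lines did; binding `ca_cert = data['authority'].authority_certificate` once would also let the two very long conditions fit on normal lines. The start of `dates` is outside the hunk.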