Working acme flow. Pending DNS providers UI

2018-04-24 09:38:57 -07:00 · 2018-04-24 09:38:57 -07:00 · 7704f51441
parent 81e349e07d
commit 7704f51441
19 changed files with 143 additions and 34 deletions
--- a/lemur/authorizations/init.py
+++ b/lemur/authorizations/init.py
--- a/lemur/authorizations/models.py
+++ b/lemur/authorizations/models.py
@ -0,0 +1,34 @@
+"""
+.. module: lemur.authorizations.models
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Netflix Secops <secops@netflix.com>
+"""
+from sqlalchemy import Column, Integer, String
+from sqlalchemy_utils import JSONType
+from lemur.database import db
+
+from lemur.plugins.base import plugins
+
+
+class Authorizations(db.Model):
+    __tablename__ = 'pending_dns_authorizations'
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    account_number = Column(String(128))
+    domains = Column(JSONType)
+    dns_provider_type = Column(String(128))
+    options = Column(JSONType)
+
+    @property
+    def plugin(self):
+        return plugins.get(self.plugin_name)
+
+    def __repr__(self):
+        return "Authorizations(id={id})".format(label=self.id)
+
+    def __init__(self, account_number, domains, dns_provider_type, options=None):
+        self.account_number = account_number
+        self.domains = domains
+        self.dns_provider_type = dns_provider_type
+        self.options = options
--- a/lemur/authorizations/service.py
+++ b/lemur/authorizations/service.py
@ -0,0 +1,24 @@
+"""
+.. module: lemur.pending_certificates.service
+    Copyright (c) 2017 and onwards Instart Logic, Inc.  All rights reserved.
+.. moduleauthor:: Secops <secops@netflix.com>
+"""
+from lemur import database
+
+from lemur.authorizations.models import Authorizations
+
+
+def get(authorization_id):
+    """
+    Retrieve dns authorization by ID
+    """
+    return database.get(Authorizations, authorization_id)
+
+
+def create(account_number, domains, dns_provider_type, options=None):
+    """
+    Creates a new dns authorization.
+    """
+
+    authorization = Authorizations(account_number, domains, dns_provider_type, options)
+    return database.create(authorization)
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@ -71,7 +71,7 @@ class CertificateInputSchema(CertificateCreationSchema):
    replaces = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
    replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)  # deprecated
    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)
-    dns_provider = fields.Nested(DnsProviderSchema, missing={}, required=False)
+    dns_provider = fields.Nested(DnsProviderSchema, missing={}, required=False, allow_none=True)

    csr = fields.String(validate=validators.csr)
    key_type = fields.String(validate=validate.OneOf(['RSA2048', 'RSA4096']), missing='RSA2048')
--- a/lemur/dns_providers/models.py
+++ b/lemur/dns_providers/models.py
@ -1,4 +1,4 @@
-from sqlalchemy import Column, Integer, PrimaryKeyConstraint, String, text, UniqueConstraint
+from sqlalchemy import Column, Integer, String, text
 from sqlalchemy.dialects.postgresql import JSON
 from sqlalchemy_utils import ArrowType

--- a/lemur/dns_providers/service.py
+++ b/lemur/dns_providers/service.py
@ -30,4 +30,4 @@ def delete(dns_provider_id):

    :param dns_provider_id: Lemur assigned ID
    """
-    database.delete(get(dns_provider_id))
+    database.delete(get(dns_provider_id))
--- a/lemur/models.py
+++ b/lemur/models.py
@ -8,9 +8,7 @@
    :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-from sqlalchemy import Column, Integer, ForeignKey, Index, PrimaryKeyConstraint, String, text, UniqueConstraint
-from sqlalchemy.dialects.postgresql import JSON
-from sqlalchemy_utils import ArrowType
+from sqlalchemy import Column, Integer, ForeignKey, Index, UniqueConstraint

 from lemur.database import db

--- a/lemur/pending_certificates/cli.py
+++ b/lemur/pending_certificates/cli.py
@ -29,7 +29,7 @@ def fetch(ids):

    for cert in pending_certs:
        authority = plugins.get(cert.authority.plugin_name)
-        real_cert = authority.get_ordered_certificate(cert.external_id)
+        real_cert = authority.get_ordered_certificate(cert)
        if real_cert:
            # If a real certificate was returned from issuer, then create it in Lemur and delete
            # the pending certificate
--- a/lemur/pending_certificates/models.py
+++ b/lemur/pending_certificates/models.py
@ -8,6 +8,7 @@ from datetime import datetime as dt
 from sqlalchemy.orm import relationship
 from sqlalchemy import Integer, ForeignKey, String, PassiveDefault, func, Column, Text, Boolean
 from sqlalchemy_utils.types.arrow import ArrowType
+from sqlalchemy_utils import JSONType

 import lemur.common.utils
 from lemur.certificates.models import get_or_increase_name
@ -37,6 +38,7 @@ class PendingCertificate(db.Model):
    private_key = Column(Vault, nullable=True)

    date_created = Column(ArrowType, PassiveDefault(func.now()), nullable=False)
+    dns_provider_id = Column(Integer(), nullable=True)

    status = Column(String(128))

@ -54,6 +56,7 @@ class PendingCertificate(db.Model):
                            secondary=pending_cert_replacement_associations,
                            backref='pending_cert',
                            passive_deletes=True)
+    options = Column(JSONType)

    rotation_policy = relationship("RotationPolicy")

@ -93,3 +96,7 @@ class PendingCertificate(db.Model):
        self.replaces = kwargs.get('replaces', [])
        self.rotation = kwargs.get('rotation')
        self.rotation_policy = kwargs.get('rotation_policy')
+        try:
+            self.dns_provider_id = kwargs.get('dns_provider', {}).get("id")
+        except AttributeError:
+            self.dns_provider_id = None
--- a/lemur/plugins/bases/issuer.py
+++ b/lemur/plugins/bases/issuer.py
@ -25,7 +25,7 @@ class IssuerPlugin(Plugin):
    def revoke_certificate(self, certificate, comments):
        raise NotImplementedError

-    def get_ordered_certificate(self, order_id):
+    def get_ordered_certificate(self, certificate):
        raise NotImplementedError

    def cancel_ordered_certificate(self, pending_cert, **kwargs):
--- a/lemur/plugins/lemur_acme/plugin.py
+++ b/lemur/plugins/lemur_acme/plugin.py
@ -24,6 +24,8 @@ from lemur.common.utils import generate_private_key

 import OpenSSL.crypto

+from lemur.authorizations import service as authorization_service
+from lemur.dns_providers import service as dns_provider_service
 from lemur.plugins.bases import IssuerPlugin
 from lemur.plugins import lemur_acme as acme

@ -153,11 +155,14 @@ def get_domains(options):

 def get_authorizations(acme_client, account_number, domains, dns_provider):
    authorizations = []
-    try:
-        for domain in domains:
-            authz_record = start_dns_challenge(acme_client, account_number, domain, dns_provider)
-            authorizations.append(authz_record)
+    for domain in domains:
+        authz_record = start_dns_challenge(acme_client, account_number, domain, dns_provider)
+        authorizations.append(authz_record)
+    return authorizations

+
+def finalize_authorizations(acme_client, account_number, dns_provider, authorizations):
+    try:
        for authz_record in authorizations:
            complete_dns_challenge(acme_client, account_number, authz_record, dns_provider)
    finally:
@ -215,6 +220,23 @@ class ACMEIssuerPlugin(IssuerPlugin):
    def __init__(self, *args, **kwargs):
        super(ACMEIssuerPlugin, self).__init__(*args, **kwargs)

+    def get_ordered_certificate(self, pending_cert):
+        acme_client, registration = setup_acme_client(pending_cert.authority)
+        order_info = authorization_service.get(pending_cert.external_id)
+        dns_provider = dns_provider_service.get(pending_cert.dns_provider_id)
+        dns_provider_type = __import__(dns_provider.provider_type, globals(), locals(), [], 1)
+        authorizations = get_authorizations(
+            acme_client, order_info.account_number, order_info.domains, dns_provider_type)
+
+        finalize_authorizations(acme_client, order_info.account_number, dns_provider_type, authorizations)
+        pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, pending_cert.csr)
+        cert = {
+            'body': "\n".join(str(pem_certificate).splitlines()),
+            'chain': "\n".join(str(pem_certificate_chain).splitlines()),
+            'external_id': str(pending_cert.external_id)
+        }
+        return cert
+
    def create_certificate(self, csr, issuer_options):
        """
        Creates an ACME certificate.
@ -224,10 +246,12 @@ class ACMEIssuerPlugin(IssuerPlugin):
        :return: :raise Exception:
        """
        authority = issuer_options.get('authority')
+        create_immediately = issuer_options.get('create_immediately', False)
        acme_client, registration = setup_acme_client(authority)
-        dns_provider = issuer_options.get('dns_provider')
-        if not dns_provider:
+        dns_provider_d = issuer_options.get('dns_provider')
+        if not dns_provider_d:
            raise Exception("DNS Provider setting is required for ACME certificates.")
+        dns_provider = dns_provider_service.get(dns_provider_d.get("id"))
        credentials = json.loads(dns_provider.credentials)

        current_app.logger.debug("Using DNS provider: {0}".format(dns_provider.provider_type))
@ -238,7 +262,21 @@ class ACMEIssuerPlugin(IssuerPlugin):
            current_app.logger.error(error)
            raise Exception(error)
        domains = get_domains(issuer_options)
+        if not create_immediately:
+            # Create pending authorizations that we'll need to do the creation
+            authz_domains = []
+            for d in domains:
+                if type(d) == str:
+                    authz_domains.append(d)
+                else:
+                    authz_domains.append(d.value)
+
+            dns_authorization = authorization_service.create(account_number, authz_domains, dns_provider.provider_type)
+            # Return id of the DNS Authorization
+            return None, None, dns_authorization.id
+
        authorizations = get_authorizations(acme_client, account_number, domains, dns_provider_type)
+        finalize_authorizations(acme_client, account_number, dns_provider_type, authorizations)
        pem_certificate, pem_certificate_chain = request_certificate(acme_client, authorizations, csr)
        # TODO add external ID (if possible)
        return pem_certificate, pem_certificate_chain, None
--- a/lemur/plugins/lemur_acme/route53.py
+++ b/lemur/plugins/lemur_acme/route53.py
@ -58,7 +58,7 @@ def change_txt_record(action, zone_id, domain, value, client=None):
 def create_txt_record(host, value, account_number):
    zone_id = find_zone_id(host, account_number=account_number)
    change_id = change_txt_record(
-        "CREATE",
+        "UPSERT",
        zone_id,
        host,
        value,
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@ -325,8 +325,9 @@ class DigiCertIssuerPlugin(IssuerPlugin):
        response = self.session.put(create_url, data=json.dumps({'comments': comments}))
        return handle_response(response)

-    def get_ordered_certificate(self, order_id):
+    def get_ordered_certificate(self, pending_cert):
        """ Retrieve a certificate via order id """
+        order_id = pending_cert.external_id
        base_url = current_app.config.get('DIGICERT_URL')
        try:
            certificate_id = get_certificate_id(self.session, base_url, order_id)
--- a/lemur/schemas.py
+++ b/lemur/schemas.py
@ -164,10 +164,6 @@ class DnsProviderSchema(LemurInputSchema):
    id = fields.Integer()
    name = fields.String()

-    @post_load
-    def get_object(self, data, many=False):
-        return fetch_objects(DnsProviders, data, many=many)
-

 class PluginInputSchema(LemurInputSchema):
    plugin_options = fields.List(fields.Dict(), validate=validate_options)
--- a/lemur/static/app/angular/certificates/services.js
+++ b/lemur/static/app/angular/certificates/services.js
@ -248,7 +248,7 @@ angular.module('lemur')

    CertificateService.getDnsProviders = function () {
      return DnsProviders.get();
-    }
+    };

    CertificateService.loadPrivateKey = function (certificate) {
      return certificate.customGET('key');
--- a/lemur/static/app/angular/dns_providers/dns_provider/dns_provider.js
+++ b/lemur/static/app/angular/dns_providers/dns_provider/dns_provider.js
@ -14,7 +14,7 @@ angular.module('lemur')
    });

    $scope.save = function (dns_provider) {
-      DnsProvider.create(dns_provider.then(
+      DnsProviderService.create(dns_provider.then(
        function () {
          toaster.pop({
            type: 'success',
@ -31,7 +31,7 @@ angular.module('lemur')
            directiveData: response.data,
            timeout: 100000
          });
-        });
+        }));
    };

    $scope.cancel = function () {
--- a/lemur/static/app/angular/dns_providers/services.js
+++ b/lemur/static/app/angular/dns_providers/services.js
@ -14,7 +14,7 @@ angular.module('lemur')

    DnsProviderService.getDnsProviders = function () {
      return DnsProviders.get();
-    }
+    };

    DnsProviderService.create = function (dns_provider) {
      return DnsProviderApi.post(dns_provider);
--- a/lemur/tests/plugins/issuer_plugin.py
+++ b/lemur/tests/plugins/issuer_plugin.py
@ -37,7 +37,8 @@ class TestAsyncIssuerPlugin(IssuerPlugin):
    def create_certificate(self, csr, issuer_options):
        return "", "", 12345

-    def get_ordered_certificate(self, order_id):
+    def get_ordered_certificate(self, pending_cert):
+        order_id = pending_cert.external_id
        return INTERNAL_VALID_LONG_STR, INTERNAL_VALID_SAN_STR, 54321

    @staticmethod
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@ -63,7 +63,7 @@ def test_get_certificate_primitives(certificate):

    with freeze_time(datetime.date(year=2016, month=10, day=30)):
        primitives = get_certificate_primitives(certificate)
-        assert len(primitives) == 23
+        assert len(primitives) == 24


 def test_certificate_edit_schema(session):
@ -152,7 +152,8 @@ def test_certificate_input_schema(client, authority):
        'authority': {'id': authority.id},
        'description': 'testtestest',
        'validityEnd': arrow.get(2016, 11, 9).isoformat(),
-        'validityStart': arrow.get(2015, 11, 9).isoformat()
+        'validityStart': arrow.get(2015, 11, 9).isoformat(),
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -165,7 +166,7 @@ def test_certificate_input_schema(client, authority):
    assert data['country'] == 'US'
    assert data['location'] == 'Los Gatos'

-    assert len(data.keys()) == 18
+    assert len(data.keys()) == 19


 def test_certificate_input_with_extensions(client, authority):
@ -192,7 +193,8 @@ def test_certificate_input_with_extensions(client, authority):
                    {'nameType': 'DNSName', 'value': 'test.example.com'}
                ]
            }
-        }
+        },
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -206,7 +208,8 @@ def test_certificate_out_of_range_date(client, authority):
        'owner': 'jim@example.com',
        'authority': {'id': authority.id},
        'description': 'testtestest',
-        'validityYears': 100
+        'validityYears': 100,
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -230,7 +233,8 @@ def test_certificate_valid_years(client, authority):
        'owner': 'jim@example.com',
        'authority': {'id': authority.id},
        'description': 'testtestest',
-        'validityYears': 1
+        'validityYears': 1,
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -245,7 +249,8 @@ def test_certificate_valid_dates(client, authority):
        'authority': {'id': authority.id},
        'description': 'testtestest',
        'validityStart': '2020-01-01T00:00:00',
-        'validityEnd': '2020-01-01T00:00:01'
+        'validityEnd': '2020-01-01T00:00:01',
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -262,6 +267,7 @@ def test_certificate_cn_admin(client, authority, logged_in_admin):
        'description': 'testtestest',
        'validityStart': '2020-01-01T00:00:00',
        'validityEnd': '2020-01-01T00:00:01',
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -285,7 +291,8 @@ def test_certificate_allowed_names(client, authority, session, logged_in_user):
                    {'nameType': 'IPAddress', 'value': '127.0.0.1'},
                ]
            }
-        }
+        },
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -306,6 +313,7 @@ def test_certificate_incative_authority(client, authority, session, logged_in_us
        'description': 'testtestest',
        'validityStart': '2020-01-01T00:00:00',
        'validityEnd': '2020-01-01T00:00:01',
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -329,7 +337,8 @@ def test_certificate_disallowed_names(client, authority, session, logged_in_user
                    {'nameType': 'DNSName', 'value': 'evilhacker.org'},
                ]
            }
-        }
+        },
+        'dns_provider': None,
    }

    data, errors = CertificateInputSchema().load(input_data)
@ -348,6 +357,7 @@ def test_certificate_sensitive_name(client, authority, session, logged_in_user):
        'description': 'testtestest',
        'validityStart': '2020-01-01T00:00:00',
        'validityEnd': '2020-01-01T00:00:01',
+        'dns_provider': None,
    }
    session.add(Domain(name='sensitive.example.com', sensitive=True))