From c169ad291e8605676f3e68cf63e912838c1f650b Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 27 Aug 2020 13:29:56 -0700 Subject: [PATCH 01/45] adding the correct signing algorithm, and a missing key Type --- lemur/authorities/schemas.py | 5 ++-- .../authorities/authority/options.tpl.html | 4 ++-- lemur/tests/test_authorities.py | 23 +++++++++++++++++++ 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index c78aec94..9f9d4686 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -56,11 +56,12 @@ class AuthorityInputSchema(LemurInputSchema): type = fields.String(validate=validate.OneOf(["root", "subca"]), missing="root") parent = fields.Nested(AssociatedAuthoritySchema) signing_algorithm = fields.String( - validate=validate.OneOf(["sha256WithRSA", "sha1WithRSA"]), + validate=validate.OneOf(["sha256WithRSA", "sha1WithRSA", + "sha256WithECDSA", "SHA384withECDSA", "SHA512withECDSA"]), missing="sha256WithRSA", ) key_type = fields.String( - validate=validate.OneOf(["RSA2048", "RSA4096"]), missing="RSA2048" + validate=validate.OneOf(["RSA2048", "RSA4096", "EC256"]), missing="RSA2048" ) key_name = fields.String() sensitivity = fields.String( diff --git a/lemur/static/app/angular/authorities/authority/options.tpl.html b/lemur/static/app/angular/authorities/authority/options.tpl.html index dbc4f40a..7ba858a7 100644 --- a/lemur/static/app/angular/authorities/authority/options.tpl.html +++ b/lemur/static/app/angular/authorities/authority/options.tpl.html @@ -4,7 +4,7 @@ Signing Algorithm
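Review bot: The three ECDSA entries added to the signing_algorithm OneOf mix two spellings — `sha256WithECDSA` but `SHA384withECDSA` / `SHA512withECDSA` — and OneOf compares case-sensitively, so API clients must reproduce exactly this inconsistent casing; `"sha256WithECDSA", "sha384WithECDSA", "sha512WithECDSA"` would follow the existing `sha256WithRSA` convention (any code elsewhere that matches on these strings would need the same change). The only EC key type added is `EC256`, so a request pairing `SHA384withECDSA` with it passes the schema; whether that combination is valid is decided downstream and may deserve a cross-field validator. The new test in lemur/tests/test_authorities.py exercises only the sha256 spelling. AuthorityInputSchema continues outside the hunk.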
- +
@@ -20,7 +20,7 @@ Key Type
-
diff --git a/lemur/tests/test_authorities.py b/lemur/tests/test_authorities.py index 9649e949..6090d0b6 100644 --- a/lemur/tests/test_authorities.py +++ b/lemur/tests/test_authorities.py @@ -34,6 +34,29 @@ def test_authority_input_schema(client, role, issuer_plugin, logged_in_user): assert not errors +def test_authority_input_schema_ecc(client, role, issuer_plugin, logged_in_user): + from lemur.authorities.schemas import AuthorityInputSchema + + input_data = { + "name": "Example Authority", + "owner": "jim@example.com", + "description": "An example authority.", + "commonName": "An Example Authority", + "plugin": { + "slug": "test-issuer", + "plugin_options": [{"name": "test", "value": "blah"}], + }, + "type": "root", + "signingAlgorithm": "sha256WithECDSA", + "keyType": "EC256", + "sensitivity": "medium", + } + + data, errors = AuthorityInputSchema().load(input_data) + + assert not errors + + def test_user_authority(session, client, authority, role, user, issuer_plugin): u = user["user"] u.roles.append(role) From 5a6e4e5b43628558c931d15e7eb8529e22b1f093 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Tue, 14 Jul 2020 17:35:13 -0700 Subject: [PATCH 02/45] Let's Encrypt has been using a cross-signed intermediate CA by DST Root CA X3, which is included in any older devices' TrustStore. https://letsencrypt.org/certificates/ Let's Encrypt is transitioning to use the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html This PR allows Lemur to pin to the cross-signed ICA (same public/private key pair as the ICA signed by ISRG X1). This will prolong support for incompatible systems. --- lemur/plugins/lemur_acme/plugin.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) 
diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 3fc1df61..16d61a0f 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py @@ -205,9 +205,15 @@ class AcmeHandler(object): OpenSSL.crypto.FILETYPE_PEM, orderr.fullchain_pem ), ).decode() - pem_certificate_chain = orderr.fullchain_pem[ - len(pem_certificate) : # noqa - ].lstrip() + + if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \ + and datetime.datetime.now() < datetime.datetime.strptime( + current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): + pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA") + else: + pem_certificate_chain = orderr.fullchain_pem[ + len(pem_certificate) : # noqa + ].lstrip() current_app.logger.debug( "{0} {1}".format(type(pem_certificate), type(pem_certificate_chain)) From f4bcd1cf304c1a9eada8b5f9f82fd565e404efd2 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Wed, 15 Jul 2020 17:04:49 -0700 Subject: [PATCH 03/45] lack of an empty config file was resulting into this error ``` Traceback (most recent call last): File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/tests/test_acme.py", line 159, in test_request_certificate self.acme.request_certificate(mock_acme, [], mock_order) File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/plugin.py", line 211, in request_certificate current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): TypeError: strptime() argument 1 must be str, not MagicMock ``` --- lemur/plugins/lemur_acme/tests/test_acme.py | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/plugins/lemur_acme/tests/test_acme.py b/lemur/plugins/lemur_acme/tests/test_acme.py index 94949a74..8320a2de 100644 --- a/lemur/plugins/lemur_acme/tests/test_acme.py +++ b/lemur/plugins/lemur_acme/tests/test_acme.py 
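Review bot: The pinned chain from `IDENTRUST_CROSS_SIGNED_LE_ICA` replaces the intermediate from `orderr.fullchain_pem` without checking that it actually certifies the leaf, so if the ACME server issues from a different intermediate before the configured expiration date Lemur would store a chain that does not verify; comparing the pinned certificate's subject (or public key) against the issuer of `pem_certificate` before substituting, and falling back to the full chain with a warning on mismatch, would make the pin fail safe. The date guard compares naive `datetime.datetime.now()` with a day-granular `%d/%m/%y` string, so the cutover happens at local midnight of the configured day and depends on the host timezone; comparing in UTC would keep it predictable. The config key is also read twice, once as a flag and once for the value — binding it once, `pinned_ica = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA")`, reads more clearly. request_certificate continues outside the hunk.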
@@ -156,6 +156,7 @@ class TestAcme(unittest.TestCase): mock_acme.fetch_chain = Mock(return_value="mock_chain") mock_crypto.dump_certificate = Mock(return_value=b"chain") mock_order = Mock() + mock_current_app.config = {} self.acme.request_certificate(mock_acme, [], mock_order) def test_setup_acme_client_fail(self): From bc8eda2a6bd39f74410c7df78e6a610142a15f01 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Fri, 31 Jul 2020 17:54:18 -0700 Subject: [PATCH 04/45] fixing Dockerfile, Lemur builds now --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index fc83a034..a7f8c878 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,7 @@ RUN apt-get install -y make software-properties-common curl RUN curl -sL https://deb.nodesource.com/setup_7.x | bash - RUN apt-get update RUN apt-get install -y npm libldap2-dev libsasl2-dev libldap2-dev libssl-dev +RUN pip install pip==20.0.2 RUN pip install -U setuptools RUN pip install coveralls bandit WORKDIR /app From 85f18afa8102b588f5d52e8f47d1c824e802ab07 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 13:36:46 +0000 Subject: [PATCH 05/45] Bump pytest from 5.4.3 to 6.0.1 Bumps [pytest](https://github.com/pytest-dev/pytest) from 5.4.3 to 6.0.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/5.4.3...6.0.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index cd625630..3d5c4318 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt 
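Review bot: The new `RUN pip install pip==20.0.2` line records no reason for pinning pip to that exact release, and the commit message only says the build now works; a comment such as `# pin pip: newer releases broke the image build (see commit bc8eda2a)` above the line would tell the next maintainer when it is safe to lift the pin. Like the other pip lines in this hunk the install trusts the index without hash checking, which is consistent with the surrounding file but worth keeping in mind when the pin is revisited.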
@@ -34,6 +34,7 @@ gitdb==4.0.4 # via gitpython gitpython==3.1.1 # via bandit idna==2.8 # via moto, requests importlib-metadata==1.6.0 # via jsonpickle +iniconfig==1.0.1 # via pytest itsdangerous==1.1.0 # via flask jinja2==2.11.2 # via flask, moto jmespath==0.9.5 # via boto3, botocore @@ -52,7 +53,7 @@ packaging==20.3 # via pytest pathspec==0.8.0 # via black pbr==5.4.5 # via stevedore pluggy==0.13.1 # via pytest -py==1.8.1 # via pytest +py==1.9.0 # via pytest pyasn1==0.4.8 # via python-jose, rsa pycparser==2.20 # via cffi pyflakes==2.2.0 # via -r requirements-tests.in @@ -60,7 +61,7 @@ pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in pytest-mock==3.2.0 # via -r requirements-tests.in -pytest==5.4.3 # via -r requirements-tests.in, pytest-flask, pytest-mock +pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto pytz==2019.3 # via moto @@ -78,10 +79,9 @@ sortedcontainers==2.1.0 # via fakeredis sshpubkeys==3.1.0 # via moto stevedore==1.32.0 # via bandit text-unidecode==1.3 # via faker -toml==0.10.0 # via black +toml==0.10.0 # via black, pytest typed-ast==1.4.1 # via black urllib3==1.25.8 # via botocore, requests -wcwidth==0.1.9 # via pytest websocket-client==0.57.0 # via docker werkzeug==1.0.1 # via flask, moto, pytest-flask wrapt==1.12.1 # via aws-xray-sdk From 5c5e53b8ec635e6c8bb54bf35bee3ad5a58742eb Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 17:27:26 +0000 Subject: [PATCH 06/45] Bump botocore from 1.17.28 to 1.17.33 Bumps [botocore](https://github.com/boto/botocore) from 1.17.28 to 1.17.33. - [Release notes](https://github.com/boto/botocore/releases) - [Changelog](https://github.com/boto/botocore/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/botocore/compare/1.17.28...1.17.33) 
Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 4f70314f..63af4e4a 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -18,7 +18,7 @@ beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven boto3==1.14.28 # via -r requirements.txt -botocore==1.17.28 # via -r requirements.txt, boto3, s3transfer +botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index 3d5c4318..3212f033 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -12,7 +12,7 @@ bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in boto3==1.14.28 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.28 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index a57f6205..eb4be2fd 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,7 +16,7 @@ beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven boto3==1.14.28 # via -r requirements.in -botocore==1.17.28 # via -r requirements.in, boto3, s3transfer +botocore==1.17.33 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in 
From de0e646cf9d7a02e1b660b942270f01568f24783 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 17:38:07 +0000 Subject: [PATCH 07/45] Bump boto3 from 1.14.28 to 1.14.33 Bumps [boto3](https://github.com/boto/boto3) from 1.14.28 to 1.14.33. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.28...1.14.33) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 63af4e4a..3d1ed54c 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -17,7 +17,7 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.28 # via -r requirements.txt +boto3==1.14.33 # via -r requirements.txt botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests diff --git a/requirements-tests.txt b/requirements-tests.txt index 3212f033..7fd13f76 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,7 +10,7 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.28 # via aws-sam-translator, moto +boto3==1.14.33 # via aws-sam-translator, moto boto==2.49.0 # via moto botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests diff --git a/requirements.txt b/requirements.txt index eb4be2fd..46723b0d 100644 
--- a/requirements.txt +++ b/requirements.txt @@ -15,7 +15,7 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.28 # via -r requirements.in +boto3==1.14.33 # via -r requirements.in botocore==1.17.33 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests From d07464f3b1245b521da7ded21cfd8af66d34ec21 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Mon, 3 Aug 2020 16:14:14 -0700 Subject: [PATCH 08/45] updating documentation for cross-signed ICA --- docs/production/index.rst | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/docs/production/index.rst b/docs/production/index.rst index b91ed6bd..67e97dae 100644 --- a/docs/production/index.rst +++ b/docs/production/index.rst 
@@ -451,3 +451,53 @@ LetsEncrypt flow to function. However, Lemur will attempt to automatically deter possible. To enable this functionality, periodically (or through Cron/Celery) run `lemur dns_providers get_all_zones`. This command will traverse all DNS providers, determine which zones they control, and upload this list of zones to Lemur's database (in the dns_providers table). Alternatively, you can manually input this data. + + +LetsEncrypt: pinning to cross-signed ICA +---------------------------------------- + +Let's Encrypt has been using a `cross-signed `_ intermediate CA by DST Root CA X3, +which is included in many older devices' TrustStore. + + +Let's Encrypt is `transitioning `_ to use +the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. +This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. + + +Lemur can temporarily pin to the cross-signed intermediate CA (same public/private key pair as the ICA signed by ISRG X1). +This will prolong support for incompatible devices. 
+ +The following must be added to the config file to activate the pinning (the pinning will be removed by September 2021):: + + # remove or update after Mar 17 16:40:46 2021 GMT + IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE = "17/03/21" + IDENTRUST_CROSS_SIGNED_LE_ICA = """ + -----BEGIN CERTIFICATE----- + MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow + SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT + GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC + AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF + q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 + SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 + Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA + a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj + /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T + AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG + CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv + bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k + c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw + VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC + ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz + MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu + Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF + AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo + uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ + wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu + X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG + PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 + KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== + -----END CERTIFICATE----- + """ 
From 69b64c63ea8670f479afe73bace1921cb7a9fc24 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:22:13 -0700 Subject: [PATCH 09/45] Honor selected algorithm during certificate cloning --- .../static/app/angular/certificates/certificate/certificate.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 21f61f22..83b0cfe8 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -212,12 +212,14 @@ angular.module('lemur') }) .controller('CertificateCloneController', function ($scope, $uibModalInstance, CertificateApi, CertificateService, DestinationService, AuthorityService, AuthorityApi, PluginService, MomentService, WizardHandler, LemurRestangular, NotificationService, toaster, editId) { + $scope.certificate = LemurRestangular.restangularizeElement(null, {}, 'certificates'); CertificateApi.get(editId).then(function (certificate) { $scope.certificate = certificate; $scope.certificate.name = ''; // we should prefer the generated name $scope.certificate.csr = null; // should not clone CSR in case other settings are changed in clone $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; + $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone CertificateService.getDefaults($scope.certificate); }); From e75e472a1acd95989bdc87d36b14b4b050a280fb Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:23:24 -0700 Subject: [PATCH 10/45] Do not inherit replacement info during cert clone --- .../static/app/angular/certificates/certificate/certificate.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 83b0cfe8..bb4e7db6 100644 
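Review bot: The new `$scope.certificate.keyType = 'RSA2048';` line forces every clone to RSA2048 regardless of the key type of the certificate being cloned, which reads against the commit title "Honor selected algorithm during certificate cloning"; if the intent is only a default for the form, `$scope.certificate.keyType = certificate.keyType || 'RSA2048';` would keep the original key type and avoid an EC certificate being silently cloned as RSA. Whether `CertificateService.getDefaults` on the following line overrides keyType anyway cannot be seen from this hunk; if it does, the assignment is dead and the comment `// default algo to show during clone` is misleading. The same line is carried as context in the two following commits (bb4e7db6, 155658e6), so the change would apply there too. CertificateCloneController continues outside the hunk.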
--- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -215,11 +215,14 @@ angular.module('lemur') $scope.certificate = LemurRestangular.restangularizeElement(null, {}, 'certificates'); CertificateApi.get(editId).then(function (certificate) { $scope.certificate = certificate; + // prepare the certificate for cloning $scope.certificate.name = ''; // we should prefer the generated name $scope.certificate.csr = null; // should not clone CSR in case other settings are changed in clone $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone + $scope.certificate.replacedBy = []; // should not clone 'replaced by' info + $scope.certificate.removeReplaces(); // should not clone 'replacement cert' info CertificateService.getDefaults($scope.certificate); }); From 404d213e8f83fa254bea43f60581cce4a9c413c3 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:24:06 -0700 Subject: [PATCH 11/45] Modified cert description to have cert id being cloned --- lemur/static/app/angular/certificates/certificate/certificate.js | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index bb4e7db6..155658e6 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js 
@@ -221,6 +221,7 @@ angular.module('lemur') $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone + $scope.certificate.description = 'Cloning from cert ID ' + editId; $scope.certificate.replacedBy = []; // should not clone 'replaced by' info $scope.certificate.removeReplaces(); // should not clone 'replacement cert' info CertificateService.getDefaults($scope.certificate); From a7082f7332f999f47901cdba803163c8f7fba130 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 10 Aug 2020 13:43:11 +0000 Subject: [PATCH 12/45] Bump cloudflare from 2.8.8 to 2.8.9 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.8 to 2.8.9. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.8...2.8.9) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 3d1ed54c..a154dbef 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.8 # via -r requirements.txt +cloudflare==2.8.9 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 46723b0d..d9e86d97 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.8 # via -r requirements.in +cloudflare==2.8.9 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 25125f32576cb7ac47d063d3f0a1c8cd7446a495 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 17:30:34 -0700 Subject: [PATCH 13/45] Cert validity should not exceed 397 days for publicly trusted issuers --- lemur/common/validators.py | 12 ++++++++++++ lemur/plugins/lemur_digicert/plugin.py | 6 +++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index e1dfe3c1..4aecb97e 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -152,6 +152,18 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) + # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity + # for certs issued by public CA + # The list of public issuers can be managed through a config named PUBLIC_CA + public_CA = current_app.config.get("PUBLIC_CA", []) + if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: + max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + if ( + (data.get("validity_end").date() - data.get("validity_start").date()).days + > max_validity_days + ): + raise ValidationError("Certificate cannot be valid for more than " + + str(max_validity_days) + " days") return data diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index e5c4b2ce..32a5375a 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
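Review bot: The new validity-window check reads `data.get("validity_end")` and `data.get("validity_start")` and immediately calls `.date()` on them, so if either key is absent the caller gets an AttributeError instead of a ValidationError; unless an earlier branch of dates() (outside this hunk) already guarantees both are present, guarding with `if validity_start and validity_end` or indexing `data["validity_end"]` so the failure is explicit would be safer. The case-insensitive name match does not need a temporary list, `if any(data["authority"].name.lower() == ca.lower() for ca in public_CA):`, and the message reads better as `raise ValidationError(f"Certificate cannot be valid for more than {max_validity_days} days")`. The 397-day default is introduced separately in lemur_digicert's determine_end_date in this same commit; a shared constant would keep the two from drifting. dates() begins outside the hunk.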
@@ -82,11 +82,11 @@ def determine_end_date(end_date): :param end_date: :return: validity_end """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_validity_end = arrow.utcnow().shift(years=current_app.config.get("DIGICERT_MAX_VALIDITY", default_years)) + default_days = current_app.config.get("DIGICERT_DEFAULT_VALIDITY_DAYS", 397) + max_validity_end = arrow.utcnow().shift(days=current_app.config.get("DIGICERT_MAX_VALIDITY_DAYS", default_days)) if not end_date: - end_date = arrow.utcnow().shift(years=default_years) + end_date = arrow.utcnow().shift(days=default_days) if end_date > max_validity_end: end_date = max_validity_end From d7d483fa9b2f4b84993ced286c0b3d0e40c3627d Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 18:06:45 -0700 Subject: [PATCH 14/45] Renaming PUBLIC_CA to PUBLIC_CA_AUTHORITY_NAMES --- lemur/common/validators.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index 4aecb97e..74095255 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -155,7 +155,7 @@ def dates(data): # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity # for certs issued by public CA # The list of public issuers can be managed through a config named PUBLIC_CA - public_CA = current_app.config.get("PUBLIC_CA", []) + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) if ( From 8a1563db547ea098855bb39edc2db20567107aae Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 18:07:46 -0700 Subject: [PATCH 15/45] Updating Lemur docs to capture Digicert validity config changes --- docs/administration.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
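Review bot: The rename to `PUBLIC_CA_AUTHORITY_NAMES` leaves the comment two lines above it, `# The list of public issuers can be managed through a config named PUBLIC_CA`, pointing at the old key, so the next reader will look for a setting that no longer exists; update it to `# The list of public issuers can be managed through a config named PUBLIC_CA_AUTHORITY_NAMES`. The local `public_CA` could follow the same rename and PEP 8 casing, e.g. `public_ca_names`. dates() begins and ends outside the hunk.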
diff --git a/docs/administration.rst b/docs/administration.rst index 157af478..a6d93af7 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -729,16 +729,16 @@ The following configuration properties are required to use the Digicert issuer p This is the root to be used for your CA chain -.. data:: DIGICERT_DEFAULT_VALIDITY +.. data:: DIGICERT_DEFAULT_VALIDITY_DAYS :noindex: - This is the default validity (in years), if no end date is specified. (Default: 1) + This is the default validity (in days), if no end date is specified. (Default: 397) -.. data:: DIGICERT_MAX_VALIDITY +.. data:: DIGICERT_MAX_VALIDITY_DAYS :noindex: - This is the maximum validity (in years). (Default: value of DIGICERT_DEFAULT_VALIDITY) + This is the maximum validity (in days). (Default: value of DIGICERT_DEFAULT_VALIDITY_DAYS) .. data:: DIGICERT_PRIVATE From 747df683a9292561710e5a5c426640317590f4b0 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 11 Aug 2020 01:40:26 +0000 Subject: [PATCH 16/45] Bump sphinx from 3.1.2 to 3.2.0 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.1.2...v3.2.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a154dbef..7e187213 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.1.2 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From e06dea106fbcb704b59bcefea5646bd816a8a368 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 17:10:29 -0700 Subject: [PATCH 17/45] Modify unit test test_determine_end_date to match new config --- lemur/plugins/lemur_digicert/tests/test_digicert.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index 8bfd1dcf..ca2ddf68 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py 
@@ -32,11 +32,11 @@ def test_determine_validity_years(mock_current_app): @patch("lemur.plugins.lemur_digicert.plugin.current_app") def test_determine_end_date(mock_current_app): - mock_current_app.config.get = Mock(return_value=2) + mock_current_app.config.get = Mock(return_value=397) # 397 days validity with freeze_time(time_to_freeze=arrow.get(2016, 11, 3).datetime): - assert arrow.get(2018, 11, 3) == plugin.determine_end_date(0) - assert arrow.get(2018, 5, 7) == plugin.determine_end_date(arrow.get(2018, 5, 7)) - assert arrow.get(2018, 11, 3) == plugin.determine_end_date(arrow.get(2020, 5, 7)) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(0) # 397 days from (2016, 11, 3) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(arrow.get(2017, 12, 5)) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(arrow.get(2020, 5, 7)) @patch("lemur.plugins.lemur_digicert.plugin.current_app") From 3cb386cc0f5d1db7bdd6376530dd18f1f901dc54 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:02:42 -0700 Subject: [PATCH 18/45] maximum 1 year validity for digicert --- lemur/plugins/lemur_digicert/plugin.py | 18 ++++++++---------- .../lemur_digicert/tests/test_digicert.py | 11 ++++------- 2 files changed, 12 insertions(+), 17 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 32a5375a..9b3d4429 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
@@ -61,18 +61,16 @@ def signature_hash(signing_algorithm): def determine_validity_years(years): - """Given an end date determine how many years into the future that date is. - :param years: - :return: validity in years """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_years = current_app.config.get("DIGICERT_MAX_VALIDITY", default_years) + Considering maximum allowed certificate validity period of 398 days, this method should not return + more than 1 year of validity. Thus changing it to return 1. + Lemur will change this method in future to handle validity in months (determine_validity_months) + instead of years. This will allow flexibility to handle short-lived certificates. - if years > max_years: - return max_years - if years not in [1, 2, 3]: - return default_years - return years + :param years: + :return: 1 + """ + return 1 def determine_end_date(end_date): diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index ca2ddf68..4abfcf54 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -14,8 +14,6 @@ def config_mock(*args): "DIGICERT_ORG_ID": 111111, "DIGICERT_PRIVATE": False, "DIGICERT_DEFAULT_SIGNING_ALGORITHM": "sha256", - "DIGICERT_DEFAULT_VALIDITY": 1, - "DIGICERT_MAX_VALIDITY": 2, "DIGICERT_CIS_PROFILE_NAMES": {"digicert": 'digicert'}, "DIGICERT_CIS_SIGNING_ALGORITHMS": {"digicert": 'digicert'}, } 
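Review bot: determine_validity_years now ignores its `years` argument and returns 1 unconditionally, so a caller asking for 2 or 3 years is silently clamped with nothing logged; since the parameter must stay for callers, a `current_app.logger.warning` when `years` is not 1 (or a docstring sentence stating that the argument is accepted but ignored) would make the clamp visible to operators. The docstring cites a maximum of 398 days while the validator and Digicert config added earlier in this series use 397; pick one figure so the two do not disagree. The `:param years:` line is left without a description. The determine_end_date definition that follows is cut off at the hunk edge.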
@@ -24,10 +22,9 @@ def config_mock(*args): @patch("lemur.plugins.lemur_digicert.plugin.current_app") def test_determine_validity_years(mock_current_app): - mock_current_app.config.get = Mock(return_value=2) assert plugin.determine_validity_years(1) == 1 - assert plugin.determine_validity_years(0) == 2 - assert plugin.determine_validity_years(3) == 2 + assert plugin.determine_validity_years(0) == 1 + assert plugin.determine_validity_years(3) == 1 @patch("lemur.plugins.lemur_digicert.plugin.current_app") @@ -52,7 +49,7 @@ def test_map_fields_with_validity_years(mock_current_app): "owner": "bob@example.com", "description": "test certificate", "extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}}, - "validity_years": 2 + "validity_years": 1 } expected = { "certificate": { @@ -62,7 +59,7 @@ def test_map_fields_with_validity_years(mock_current_app): "signature_hash": "sha256", }, "organization": {"id": 111111}, - "validity_years": 2, + "validity_years": 1, } assert expected == plugin.map_fields(options, CSR_STR) From 8d2fffba87e1de3086abc8b1a4b549d9b9b75675 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:51:41 -0700 Subject: [PATCH 19/45] Add new configs to the doc --- docs/administration.rst | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index a6d93af7..9f377119 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -66,7 +66,7 @@ Basic Configuration .. data:: SQLALCHEMY_POOL_SIZE -:noindex: + :noindex: The default connection pool size is 5 for sqlalchemy managed connections. Depending on the number of Lemur instances, please specify per instance connection pool size. Below is an example to set connection pool size to 10. 
@@ -80,7 +80,7 @@ Basic Configuration This is an optional setting but important to review and set for optimal database connection usage and for overall database performance. .. data:: SQLALCHEMY_MAX_OVERFLOW -:noindex: + :noindex: This setting allows to create connections in addition to specified number of connections in pool size. By default, sqlalchemy allows 10 connections to create in addition to the pool size. This is also an optional setting. If `SQLALCHEMY_POOL_SIZE` and @@ -155,6 +155,22 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s='] +.. data:: PUBLIC_CA_AUTHORITY_NAMES + :noindex: + A list of public issuers which would be checked against to determine whether limit of max validity of 397 days + should be applied to the certificate. Configure public CA authority names in this list to enforce validity check. + This is an optional setting. Using this will allow the sanity check as mentioned. The name check is a case-insensitive + string comparision. + +.. data:: PUBLIC_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 397 days of validity for certificates issued by public issuers configured + using PUBLIC_CA_AUTHORITY_NAMES. Below example overrides the default validity of 397 days and sets it to 365 days. + + :: + + PUBLIC_CA_MAX_VALIDITY_DAYS = 365 + .. data:: DEBUG_DUMP :noindex: From 2645c4a82d0ff299d007e6db221801d780313366 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:53:19 -0700 Subject: [PATCH 20/45] mention 397 for digicert plugin --- lemur/plugins/lemur_digicert/plugin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 9b3d4429..fd8c4e2d 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py 
@@ -62,8 +62,8 @@ def signature_hash(signing_algorithm): def determine_validity_years(years): """ - Considering maximum allowed certificate validity period of 398 days, this method should not return - more than 1 year of validity. Thus changing it to return 1. + Considering maximum allowed certificate validity period of 397 days, this method should not return + more than 1 year of validity. Thus changing it to always return 1. Lemur will change this method in future to handle validity in months (determine_validity_months) instead of years. This will allow flexibility to handle short-lived certificates. From 4d7c6844e5217ae9d7c583a2ba33be88fb897410 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:12:07 -0700 Subject: [PATCH 21/45] Make Organizational Unit optional --- .../angular/authorities/authority/distinguishedName.tpl.html | 3 +-- .../certificates/certificate/distinguishedName.tpl.html | 4 +--- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html index 33b0ba4b..c6a7d312 100644 --- a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html +++ b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html @@ -46,8 +46,7 @@ Organizational Unit
- -

You must enter a organizational unit

+
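Review bot: Dropping `required` and the "You must enter a organizational unit" message relaxes only the browser form; the certificate template in the following hunk makes the same change. Confirm that the server-side input schema and the CSR builder accept an empty or missing organizational unit — if either still rejects it, submissions without an OU fail at the API instead of the field being optional. A one-line template comment such as `<!-- Organizational Unit is optional; the server-side schema must accept it empty -->` would record that dependency for the next maintainer.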
diff --git a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html index 19102b03..72f168a0 100644 --- a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html @@ -62,9 +62,7 @@
-

You must - enter a organizational unit

+ class="form-control"/>
From 7011a4df8b8bfed11baaad7cc21f02f43c0b6f58 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:47:55 -0700 Subject: [PATCH 22/45] max date on UI as per max validity configs --- docs/administration.rst | 11 +++++++++++ lemur/authorities/schemas.py | 2 ++ lemur/certificates/models.py | 10 ++++++++++ .../certificates/certificate/tracking.tpl.html | 4 ++-- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index 9f377119..df027f70 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,6 +172,17 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 +.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is + not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of + 365 days and sets it to 90 days. + + :: + + INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + + .. data:: DEBUG_DUMP :noindex: diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 9f9d4686..e77c6456 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -110,6 +110,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() + max_issuance_date = fields.DateTime() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) @@ -135,6 +136,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) authority_update_schema = AuthorityUpdateSchema() 
diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 58630ee6..9ea45409 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -311,6 +311,16 @@ class Certificate(db.Model): def validity_range(self): return self.not_after - self.not_before + @property + def max_issuance_date(self): + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) + if self.name.lower() in [ca.lower() for ca in public_CA]: + default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + else: + default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year + issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) + return arrow.utcnow().shift(days=issuance_validity_days) + @property def subject(self): return self.parsed_cert.subject diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 027add0f..47de640e 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html @@ -154,7 +154,7 @@ is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,7 +174,7 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="End Date" From 599a6943e2aaa366c012dd2286eeb84b21f31e58 Mon Sep 17 00:00:00 2001 
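Review bot: `abs(self.not_after - arrow.utcnow())` turns an already-expired authority certificate into a positive day count, so `max_issuance_date` lands in the future instead of at or before `not_after`; drop the `abs()` and clamp at zero, `remaining = max((self.not_after - arrow.utcnow()).days, 0)`, then take `min(remaining, default_validity_days)`. The property has no docstring; `"""Latest end date the UI may offer for certificates issued under this authority certificate: the configured public/internal validity cap, further bounded by this certificate's own expiry."""` would say what the two config keys control. `public_CA` also breaks the snake_case used by the neighbouring locals (`default_validity_days`, `issuance_validity_days`).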
From: sayali Date: Tue, 18 Aug 2020 15:14:34 -0700 Subject: [PATCH 23/45] Updating LEMUR_DEFAULT_ORGANIZATIONAL_UNIT to empty string --- docs/administration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administration.rst b/docs/administration.rst index df027f70..83747636 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -240,7 +240,7 @@ and are used when Lemur creates the CSR for your certificates. :: - LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "Operations" + LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "" .. data:: LEMUR_DEFAULT_ISSUER_PLUGIN From 5ed109e998c3a10e30657910154dbae7b87aeec3 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:34:59 -0700 Subject: [PATCH 24/45] Max end date as per start date + default validity 3 years --- lemur/authorities/schemas.py | 4 ++-- lemur/certificates/models.py | 10 ++++------ .../certificates/certificate/tracking.tpl.html | 7 ++++--- .../static/app/angular/certificates/services.js | 16 ++++++++++++++++ .../app/angular/pending_certificates/services.js | 15 +++++++++++++++ 5 files changed, 41 insertions(+), 11 deletions(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index e77c6456..34ad1564 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -110,7 +110,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() - max_issuance_date = fields.DateTime() + max_issuance_days = fields.Integer() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) 
@@ -136,7 +136,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() - authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_days"]) authority_update_schema = AuthorityUpdateSchema() diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 9ea45409..5f6c4ba9 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -312,14 +312,12 @@ class Certificate(db.Model): return self.not_after - self.not_before @property - def max_issuance_date(self): + def max_issuance_days(self): public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if self.name.lower() in [ca.lower() for ca in public_CA]: - default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - else: - default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year - issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) - return arrow.utcnow().shift(days=issuance_validity_days) + return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + + return current_app.config.get("DEFAULT_MAX_VALIDITY_DAYS", 1095) # 3 years default @property def subject(self): diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 47de640e..07d6b0f4 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html 
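Review bot: `max_issuance_days` compares `self.name` — the authority certificate's own name — against `PUBLIC_CA_AUTHORITY_NAMES`, which the documentation in this series describes as authority names; if the two differ, a public CA silently gets the 1095-day default instead of the 397-day cap, so confirm which name operators are expected to configure and compare against that one. Unlike the property it replaces, the result is no longer bounded by this certificate's `not_after`, so every consumer must clamp the computed end date itself. A docstring would make that contract explicit, e.g. `"""Maximum validity in days the UI should offer for this authority; taken from config only and not bounded by the authority certificate's own expiry."""`.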
@@ -151,10 +151,11 @@ uib-tooltip="yyyy/MM/dd" uib-datepicker-popup="yyyy/MM/dd" ng-model="certificate.validityStart" + ng-change="certificate.setValidityEndDateRange(certificate.validityStart)" is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" + max-date="certificate.authority.authorityCertificate.notAfter" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,8 +175,8 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" - min-date="certificate.authority.authorityCertificate.notBefore" + max-date="certificate.authority.authorityCertificate.maxValidityEnd" + min-date="certificate.authority.authorityCertificate.minValidityEnd" alt-input-formats="altInputFormats" placeholder="End Date" /> diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 3a23076d..7d46f4ca 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js @@ -164,6 +164,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); 
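Review bot: `maxValidityEnd` is `validityStart + maxIssuanceDays` with no upper bound, so once a start date is picked the end-date picker can offer dates past `authorityCertificate.notAfter`, which the previous `max-date` binding prevented; clamp it, e.g. `const notAfter = new Date(this.authority.authorityCertificate.notAfter);` followed by `this.authority.authorityCertificate.maxValidityEnd = endDate > notAfter ? notAfter : endDate;`. The identical function is added to `pending_certificates/services.js` in the next hunk and needs the same fix; a shared helper would avoid the two copies drifting. Either way this is a client-side limit only — if the certificate input schema does not enforce the same maximum, a direct API call is not constrained by the picker, so the server-side check is the one to rely on.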
@@ -264,6 +276,9 @@ angular.module('lemur') } } + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; + if (certificate.dnsProviderId) { certificate.dnsProvider = {id: certificate.dnsProviderId}; } @@ -292,3 +307,4 @@ angular.module('lemur') return CertificateService; }); + diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index 4e1b23e4..a9bb8079 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -144,6 +144,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); @@ -230,6 +242,9 @@ angular.module('lemur') certificate.authority = defaults.authority; } } + + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; }); }; From e79dda338452cbe8507cdd3bc8ced8814270748b Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:47:38 -0700 Subject: [PATCH 25/45] doc update DEFAULT_MAX_VALIDITY_DAYS --- docs/administration.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/docs/administration.rst b/docs/administration.rst index 83747636..846a4c34 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,15 +172,15 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 -.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS +.. data:: DEFAULT_MAX_VALIDITY_DAYS :noindex: - Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is - not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of - 365 days and sets it to 90 days. + Use this config to override the default limit of 1095 days (3 years) of validity. Any CA which is not listed in + PUBLIC_CA_AUTHORITY_NAMES will be using this validity to display date range on UI. Below example overrides the + default validity of 1095 days and sets it to 365 days. :: - INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + DEFAULT_MAX_VALIDITY_DAYS = 365 .. data:: DEBUG_DUMP From 7a9500eee0919c2340f172d37dce6aa77f18c521 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 20:03:15 -0700 Subject: [PATCH 26/45] Lint error fix --- lemur/static/app/angular/certificates/services.js | 6 ++++-- lemur/static/app/angular/pending_certificates/services.js | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 7d46f4ca..881a443a 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js 
@@ -167,8 +167,10 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; - + if(this.validityEnd) { + this.validityEnd = ''; + } + // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index a9bb8079..2f99eb7d 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -147,7 +147,9 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; + if(this.validityEnd) { + this.validityEnd = ''; + } // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; From ab4cda2298d90b2805eed8d61bb335696cb1b0a6 Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Wed, 19 Aug 2020 12:25:52 +0200 Subject: [PATCH 27/45] Extended ADCS_TEMPLATE_ Variable If there is a config variable ADCS_TEMPLATE_ take the value as Cert template else default to ADCS_TEMPLATE to be compatible with former versions --- lemur/plugins/lemur_adcs/plugin.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_adcs/plugin.py b/lemur/plugins/lemur_adcs/plugin.py index a69afc90..4b4eb20c 100644 --- a/lemur/plugins/lemur_adcs/plugin.py +++ b/lemur/plugins/lemur_adcs/plugin.py 
@@ -40,7 +40,10 @@ class ADCSIssuerPlugin(IssuerPlugin): adcs_user = current_app.config.get("ADCS_USER") adcs_pwd = current_app.config.get("ADCS_PWD") adcs_auth_method = current_app.config.get("ADCS_AUTH_METHOD") - adcs_template = current_app.config.get("ADCS_TEMPLATE") + # if there is a config variable ADCS_TEMPLATE_ take the value as Cert template + # else default to ADCS_TEMPLATE to be compatible with former versions + authority = issuer_options.get("authority").name.upper() + adcs_template = current_app.config.get("ADCS_TEMPLATE_{0}".format(authority), current_app.config.get("ADCS_TEMPLATE")) ca_server = Certsrv( adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method ) From 07f1d751c45552fa777f8416d224f009445e29de Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 16:41:17 +0000 Subject: [PATCH 28/45] Bump acme from 1.6.0 to 1.7.0 Bumps [acme](https://github.com/letsencrypt/letsencrypt) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/letsencrypt/letsencrypt/releases) - [Commits](https://github.com/letsencrypt/letsencrypt/compare/v1.6.0...v1.7.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 7e187213..a70fc3ea 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements-docs.txt requirements-docs.in # -acme==1.6.0 # via -r requirements.txt +acme==1.7.0 # via -r requirements.txt alabaster==0.7.12 # via sphinx alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate diff --git a/requirements.txt b/requirements.txt index d9e86d97..86650ced 100644 --- a/requirements.txt +++ b/requirements.txt 
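Review bot: The authority name is interpolated verbatim into the config key, so an authority whose name contains spaces, hyphens or dots yields a key such as `ADCS_TEMPLATE_MY CA` that cannot be assigned in a Python config file, and the lookup silently falls back to `ADCS_TEMPLATE`; normalising first, `authority = "".join(c if c.isalnum() else "_" for c in issuer_options.get("authority").name.upper())`, makes the override reachable, and the naming rule should be documented in the admin docs next to `ADCS_TEMPLATE`. The added comment appears to have lost its placeholder ("ADCS_TEMPLATE_ take the value"); `# ADCS_TEMPLATE_<AUTHORITY_NAME> (authority name upper-cased) overrides ADCS_TEMPLATE for that authority` reads unambiguously. The `adcs_template = ...` line is noticeably longer than its neighbours and would read better as a separate `default_template = current_app.config.get("ADCS_TEMPLATE")` followed by the keyed lookup. The enclosing method starts outside the hunk.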
@@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements.txt requirements.in # -acme==1.6.0 # via -r requirements.in +acme==1.7.0 # via -r requirements.in alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu From c5106f5fa461cd5f867102a734ca543c86d08bec Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:19:48 +0000 Subject: [PATCH 29/45] Bump fakeredis from 1.4.1 to 1.4.3 Bumps [fakeredis](https://github.com/jamesls/fakeredis) from 1.4.1 to 1.4.3. - [Release notes](https://github.com/jamesls/fakeredis/releases) - [Commits](https://github.com/jamesls/fakeredis/compare/1.4.1...1.4.3) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 7fd13f76..10c3209b 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -26,7 +26,7 @@ docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==2.12.0 # via -r requirements-tests.in faker==4.1.1 # via -r requirements-tests.in, factory-boy -fakeredis==1.4.1 # via -r requirements-tests.in +fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==0.3.15 # via -r requirements-tests.in future==0.18.2 # via aws-xray-sdk From cbc328d0735583818021751a4851226a8b188868 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:28:39 +0000 Subject: [PATCH 30/45] Bump factory-boy from 2.12.0 to 3.0.1 Bumps [factory-boy](https://github.com/FactoryBoy/factory_boy) from 2.12.0 to 3.0.1. - [Release notes](https://github.com/FactoryBoy/factory_boy/releases) - [Changelog](https://github.com/FactoryBoy/factory_boy/blob/master/docs/changelog.rst) - [Commits](https://github.com/FactoryBoy/factory_boy/compare/2.12.0...3.0.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 10c3209b..4893d4e3 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -24,7 +24,7 @@ decorator==4.4.2 # via networkx docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys -factory-boy==2.12.0 # via -r requirements-tests.in +factory-boy==3.0.1 # via -r requirements-tests.in faker==4.1.1 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask From d4dfa63cf563dcfc313c659193d430d69494bcdf Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:41:18 +0000 Subject: [PATCH 31/45] Bump pre-commit from 2.6.0 to 2.7.1 Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 2.6.0 to 2.7.1. - [Release notes](https://github.com/pre-commit/pre-commit/releases) - [Changelog](https://github.com/pre-commit/pre-commit/blob/master/CHANGELOG.md) - [Commits](https://github.com/pre-commit/pre-commit/compare/v2.6.0...v2.7.1) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 2299848e..97ec82d1 100644 --- a/requirements-dev.txt 
+++ b/requirements-dev.txt @@ -24,7 +24,7 @@ keyring==21.2.0 # via twine mccabe==0.6.1 # via flake8 nodeenv==1.4.0 # via -r requirements-dev.in, pre-commit pkginfo==1.5.0.1 # via twine -pre-commit==2.6.0 # via -r requirements-dev.in +pre-commit==2.7.1 # via -r requirements-dev.in pycodestyle==2.3.1 # via flake8 pycparser==2.20 # via cffi pyflakes==1.6.0 # via flake8 From f7abfff51d3f83553d5f4d26cea2b368e8303256 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:54:14 +0000 Subject: [PATCH 32/45] Bump nodeenv from 1.4.0 to 1.5.0 Bumps [nodeenv](https://github.com/ekalinin/nodeenv) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/ekalinin/nodeenv/releases) - [Changelog](https://github.com/ekalinin/nodeenv/blob/master/CHANGES) - [Commits](https://github.com/ekalinin/nodeenv/compare/1.4.0...1.5.0) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 97ec82d1..a029d4ae 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -22,7 +22,7 @@ invoke==1.4.1 # via -r requirements-dev.in jeepney==0.4.3 # via keyring, secretstorage keyring==21.2.0 # via twine mccabe==0.6.1 # via flake8 -nodeenv==1.4.0 # via -r requirements-dev.in, pre-commit +nodeenv==1.5.0 # via -r requirements-dev.in, pre-commit pkginfo==1.5.0.1 # via twine pre-commit==2.7.1 # via -r requirements-dev.in pycodestyle==2.3.1 # via flake8 From 54ca1315cab536a6de33c7fc494c0292b55ed92a Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:03:20 +0000 Subject: [PATCH 33/45] Bump faker from 4.1.1 to 4.1.2 Bumps [faker](https://github.com/joke2k/faker) from 4.1.1 to 4.1.2. - [Release notes](https://github.com/joke2k/faker/releases) - [Changelog](https://github.com/joke2k/faker/blob/master/CHANGELOG.rst) - [Commits](https://github.com/joke2k/faker/compare/v4.1.1...v4.1.2) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 4893d4e3..ee406105 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -25,7 +25,7 @@ docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==3.0.1 # via -r requirements-tests.in -faker==4.1.1 # via -r requirements-tests.in, factory-boy +faker==4.1.2 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==0.3.15 # via -r requirements-tests.in From 50d5c15a69632e14c35ef1a77ed3f391b2893043 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:12:28 +0000 Subject: [PATCH 34/45] Bump sphinx from 3.2.0 to 3.2.1 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.2.0 to 3.2.1. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.2.0...v3.2.1) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a70fc3ea..202e0700 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.1 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From ced9696322ec0fad63022de83ec9d730a6d4e523 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:28:42 +0000 Subject: [PATCH 35/45] Bump inflection from 0.5.0 to 0.5.1 Bumps [inflection](https://github.com/jpvanhal/inflection) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/jpvanhal/inflection/releases) - [Commits](https://github.com/jpvanhal/inflection/compare/0.5.0...0.5.1) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 202e0700..1a2986d5 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -46,7 +46,7 @@ gunicorn==20.0.4 # via -r requirements.txt hvac==0.10.5 # via -r requirements.txt idna==2.9 # via -r requirements.txt, requests imagesize==1.2.0 # via sphinx -inflection==0.5.0 # via -r requirements.txt +inflection==0.5.1 # via -r requirements.txt itsdangerous==1.1.0 # via -r requirements.txt, flask javaobj-py3==0.4.0.1 # via -r requirements.txt, pyjks jinja2==2.11.2 # via -r requirements.txt, flask, sphinx diff --git a/requirements.txt b/requirements.txt index 86650ced..9a0a521c 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -43,7 +43,7 @@ future==0.18.2 # via -r requirements.in gunicorn==20.0.4 # via -r requirements.in hvac==0.10.5 # via -r requirements.in idna==2.9 # via requests -inflection==0.5.0 # via -r requirements.in +inflection==0.5.1 # via -r requirements.in itsdangerous==1.1.0 # via flask javaobj-py3==0.4.0.1 # via pyjks jinja2==2.11.2 # via -r requirements.in, flask From 4955ec8541b28ea88297a09ae4e7aef1b8357e7a Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:42:38 +0000 Subject: [PATCH 36/45] Bump pytest-mock from 3.2.0 to 3.3.0 Bumps [pytest-mock](https://github.com/pytest-dev/pytest-mock) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/pytest-dev/pytest-mock/releases) - [Changelog](https://github.com/pytest-dev/pytest-mock/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-mock/compare/v3.2.0...v3.3.0) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index ee406105..1dc1f48d 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -60,7 +60,7 @@ pyflakes==2.2.0 # via -r requirements-tests.in pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in -pytest-mock==3.2.0 # via -r requirements-tests.in +pytest-mock==3.3.0 # via -r requirements-tests.in pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto From beea47fd0934b76035302c9cb5830eaf67daa65f Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:55:27 +0000 Subject: [PATCH 37/45] Bump cloudflare from 2.8.9 to 2.8.13 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.9 to 2.8.13. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.9...2.8.13) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 1a2986d5..69679ebf 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.9 # via -r requirements.txt +cloudflare==2.8.13 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 9a0a521c..9a0a2833 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.9 # via -r requirements.in +cloudflare==2.8.13 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 9d37f8018a178fec7d2e7de78fc98edc671dda6b Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 19:04:47 +0000 Subject: [PATCH 38/45] Bump arrow from 0.15.8 to 0.16.0 Bumps [arrow](https://github.com/arrow-py/arrow) from 0.15.8 to 0.16.0. - [Release notes](https://github.com/arrow-py/arrow/releases) - [Changelog](https://github.com/arrow-py/arrow/blob/master/CHANGELOG.rst) - [Commits](https://github.com/arrow-py/arrow/compare/0.15.8...0.16.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 69679ebf..045c1832 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -10,7 +10,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate amqp==2.5.2 # via -r requirements.txt, kombu aniso8601==8.0.0 # via -r requirements.txt, flask-restful -arrow==0.15.8 # via -r requirements.txt +arrow==0.16.0 # via -r requirements.txt asyncpool==1.0 # via -r requirements.txt babel==2.8.0 # via sphinx bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko diff --git a/requirements.txt b/requirements.txt index 9a0a2833..2ecb1f9c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,7 +9,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu aniso8601==8.0.0 # via flask-restful -arrow==0.15.8 # via -r requirements.in +arrow==0.16.0 # via -r requirements.in asyncpool==1.0 # via -r requirements.in bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare From 1577f9956702e1b294840a9aa8fb4e6ca28941b4 Mon Sep 17 00:00:00 2001 
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 19:17:13 +0000 Subject: [PATCH 39/45] Bump boto3 from 1.14.33 to 1.14.48 Bumps [boto3](https://github.com/boto/boto3) from 1.14.33 to 1.14.48. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.33...1.14.48) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 4 ++-- requirements-tests.txt | 4 ++-- requirements.txt | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 045c1832..0ee5d42e 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -17,8 +17,8 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.33 # via -r requirements.txt -botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer +boto3==1.14.48 # via -r requirements.txt +botocore==1.17.48 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index 1dc1f48d..303338c1 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt 
@@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.33 # via aws-sam-translator, moto +boto3==1.14.48 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.48 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index 2ecb1f9c..c79ec23d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,8 +15,8 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.33 # via -r requirements.in -botocore==1.17.33 # via -r requirements.in, boto3, s3transfer +boto3==1.14.48 # via -r requirements.in +botocore==1.17.48 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in From 1fc2e29ab8308dad99c5d235e41d84ee6f6b8788 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 25 Aug 2020 16:26:20 -0700 Subject: [PATCH 40/45] Remove 397 days validation as it causes error in API calls More to come in future --- lemur/common/validators.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index 74095255..e1dfe3c1 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py 
@@ -152,18 +152,6 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) - # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity - # for certs issued by public CA - # The list of public issuers can be managed through a config named PUBLIC_CA - public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) - if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: - max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - if ( - (data.get("validity_end").date() - data.get("validity_start").date()).days - > max_validity_days - ): - raise ValidationError("Certificate cannot be valid for more than " + - str(max_validity_days) + " days") return data From 75eaea3aad8d566bde91350cc8f12be0f0726e09 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Wed, 26 Aug 2020 01:38:17 -0700 Subject: [PATCH 41/45] fixing setup-git so build continues if ./git/hooks does not exist. --- Makefile | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 069eb29b..fb8b9afa 100644 --- a/Makefile +++ b/Makefile @@ -49,10 +49,13 @@ reset-db: cd lemur && lemur db upgrade setup-git: - @echo "--> Installing git hooks" - git config branch.autosetuprebase always - cd .git/hooks && ln -sf ../../hooks/* ./ - @echo "" + if [ -d .git/hooks ]; then \ + @echo "--> Installing git hooks"; \ + git config branch.autosetuprebase always; \ + cd .git/hooks && ln -sf ../../hooks/* ./; \ + @echo ""; \ + fi + clean: @echo "--> Cleaning static cache" From 91c2976bfc17f11cd2f5b1245a6a09d8654ddf86 Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Wed, 26 Aug 2020 01:47:17 -0700 Subject: [PATCH 42/45] fixing Makefile build issue with @echo --- Makefile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index fb8b9afa..3312a41d 100644 --- a/Makefile +++ b/Makefile 
@@ -49,13 +49,12 @@ reset-db: cd lemur && lemur db upgrade setup-git: + @echo "--> Installing git hooks" if [ -d .git/hooks ]; then \ - @echo "--> Installing git hooks"; \ git config branch.autosetuprebase always; \ cd .git/hooks && ln -sf ../../hooks/* ./; \ - @echo ""; \ fi - + @echo "" clean: @echo "--> Cleaning static cache" From 9671b344859e5417a68a4fec1af646f1176dff25 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Thu, 27 Aug 2020 14:15:01 -0700 Subject: [PATCH 43/45] adding support for all type of ECC curves which existing CA plugins might support --- lemur/authorities/schemas.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 34ad1564..6bbeddd6 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -23,6 +23,7 @@ from lemur.common.schema import LemurInputSchema, LemurOutputSchema from lemur.common import validators, missing from lemur.common.fields import ArrowDateTime +from lemur.constants import CERTIFICATE_KEY_TYPES class AuthorityInputSchema(LemurInputSchema): @@ -61,7 +62,7 @@ class AuthorityInputSchema(LemurInputSchema): missing="sha256WithRSA", ) key_type = fields.String( - validate=validate.OneOf(["RSA2048", "RSA4096", "EC256"]), missing="RSA2048" + validate=validate.OneOf(CERTIFICATE_KEY_TYPES + ["EC256"]), missing="RSA2048" ) key_name = fields.String() sensitivity = fields.String( From 9a7a6324896c601f7e56c94b4ca693be489f65d4 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Fri, 28 Aug 2020 09:48:35 -0700 Subject: [PATCH 44/45] using a standard curve for testing --- lemur/tests/test_authorities.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/tests/test_authorities.py b/lemur/tests/test_authorities.py index 6090d0b6..fade39e8 100644 --- a/lemur/tests/test_authorities.py +++ b/lemur/tests/test_authorities.py 
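Review bot: The "--> Installing git hooks" banner now prints unconditionally, so on a checkout without `.git/hooks` the target claims to install hooks while the `if` body is skipped and neither `branch.autosetuprebase` nor the symlinks are set. Make the skip visible by closing the shell block with `else echo "--> .git/hooks not found, skipping git hooks"; fi` instead of the bare `fi`, so a developer whose hooks silently did not install can see it in the build log. Moving the `@echo` lines outside the shell `if` is the right fix for the earlier `@echo`-inside-shell error; the recipe ends within the hunk, the `clean` target that follows does not.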
@@ -48,7 +48,7 @@ def test_authority_input_schema_ecc(client, role, issuer_plugin, logged_in_user) }, "type": "root", "signingAlgorithm": "sha256WithECDSA", - "keyType": "EC256", + "keyType": "ECCPRIME256V1", "sensitivity": "medium", } From d478def98cc85adfc8040c4144c31c03228a14a5 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Mon, 31 Aug 2020 16:35:47 -0700 Subject: [PATCH 45/45] removing the custom key Type and doing the conversion in the backend --- lemur/authorities/schemas.py | 2 +- lemur/static/app/angular/authorities/authority/options.tpl.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 6bbeddd6..7f9f57d4 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -62,7 +62,7 @@ class AuthorityInputSchema(LemurInputSchema): missing="sha256WithRSA", ) key_type = fields.String( - validate=validate.OneOf(CERTIFICATE_KEY_TYPES + ["EC256"]), missing="RSA2048" + validate=validate.OneOf(CERTIFICATE_KEY_TYPES), missing="RSA2048" ) key_name = fields.String() sensitivity = fields.String( diff --git a/lemur/static/app/angular/authorities/authority/options.tpl.html b/lemur/static/app/angular/authorities/authority/options.tpl.html index 7ba858a7..bf1ad70c 100644 --- a/lemur/static/app/angular/authorities/authority/options.tpl.html +++ b/lemur/static/app/angular/authorities/authority/options.tpl.html @@ -20,7 +20,7 @@ Key Type
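Review bot: The ECC schema test exercises only a key type that the allowlist accepts, so a regression that stopped enforcing `CERTIFICATE_KEY_TYPES` would not be caught; the rest of the test (presumably the `assert not errors` of the original version) is outside the hunk. Add a second load with a value outside the allowlist, for instance the `"EC256"` name this line replaces, and `assert errors`, so the test pins both that `ECCPRIME256V1` is accepted and that arbitrary key-type strings are rejected at the API boundary. `test_authority_input_schema_ecc` begins and ends outside the hunk.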
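Review bot: `key_type` and `signing_algorithm` are still validated independently of each other, so an inconsistent pair such as `RSA2048` with `sha256WithECDSA`, or an ECC curve with the default `sha256WithRSA`, passes schema validation and is rejected, if at all, only by the issuer plugin at signing time. A schema-level cross-check on AuthorityInputSchema would fail fast at the API boundary with a clear error; the class continues outside the hunk, and the check needs `validates_schema` and `ValidationError` from marshmallow, which may already be imported above the visible lines. The sketch below assumes the EC entries of `CERTIFICATE_KEY_TYPES` share the `ECC` prefix seen in the test fixture (`ECCPRIME256V1`) — confirm against lemur.constants before relying on it. It would also be worth a one-line comment on `missing="RSA2048"` noting that the default must remain a member of `CERTIFICATE_KEY_TYPES`, since the allowlist now lives in another module.
```python
    key_type = fields.String(
        validate=validate.OneOf(CERTIFICATE_KEY_TYPES), missing="RSA2048"
    )
    # … unchanged: key_name, sensitivity and remaining fields …

    @validates_schema
    def validate_key_and_signing_algorithm(self, data, **kwargs):
        """Reject an RSA/ECDSA signing algorithm paired with a key of the other family."""
        key_type = data.get("key_type", "RSA2048")
        signing_algorithm = data.get("signing_algorithm", "sha256WithRSA")
        key_is_ec = key_type.startswith("ECC")  # TODO confirm prefix for all EC entries
        alg_is_ecdsa = signing_algorithm.lower().endswith("withecdsa")
        if key_is_ec != alg_is_ecdsa:
            raise ValidationError(
                "signing_algorithm {} does not match key_type {}".format(
                    signing_algorithm, key_type
                )
            )
```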
-