Merge branch 'master' into feature/store-acme-account-details

lemur/plugins/lemur_digicert/plugin.py

@@ -21,7 +21,7 @@ import requests
 import sys
 from cryptography import x509
 from flask import current_app, g
-from lemur.common.utils import validate_conf
+from lemur.common.utils import validate_conf, convert_pkcs7_bytes_to_pem
 from lemur.extensions import metrics
 from lemur.plugins import lemur_digicert as digicert
 from lemur.plugins.bases import IssuerPlugin, SourcePlugin
@@ -235,15 +235,18 @@ def get_certificate_id(session, base_url, order_id):
 
 @retry(stop_max_attempt_number=10, wait_fixed=10000)
 def get_cis_certificate(session, base_url, order_id):
-    """Retrieve certificate order id from Digicert API."""
-    certificate_url = "{0}/platform/cis/certificate/{1}".format(base_url, order_id)
-    session.headers.update({"Accept": "application/x-pem-file"})
+    """Retrieve certificate order id from Digicert API, including the chain"""
+    certificate_url = "{0}/platform/cis/certificate/{1}/download".format(base_url, order_id)
+    session.headers.update({"Accept": "application/x-pkcs7-certificates"})
     response = session.get(certificate_url)
 
     if response.status_code == 404:
         raise Exception("Order not in issued state.")
 
-    return response.content
+    cert_chain_pem = convert_pkcs7_bytes_to_pem(response.content)
+    if len(cert_chain_pem) < 3:
+        raise Exception("Missing the certificate chain")
+    return cert_chain_pem
 
 
 class DigiCertSourcePlugin(SourcePlugin):
@@ -447,7 +450,6 @@ class DigiCertCISSourcePlugin(SourcePlugin):
             "DIGICERT_CIS_API_KEY",
             "DIGICERT_CIS_URL",
             "DIGICERT_CIS_ROOTS",
-            "DIGICERT_CIS_INTERMEDIATES",
             "DIGICERT_CIS_PROFILE_NAMES",
         ]
         validate_conf(current_app, required_vars)
@@ -522,7 +524,6 @@ class DigiCertCISIssuerPlugin(IssuerPlugin):
             "DIGICERT_CIS_API_KEY",
             "DIGICERT_CIS_URL",
             "DIGICERT_CIS_ROOTS",
-            "DIGICERT_CIS_INTERMEDIATES",
             "DIGICERT_CIS_PROFILE_NAMES",
         ]
 
@@ -552,22 +553,15 @@ class DigiCertCISIssuerPlugin(IssuerPlugin):
         data = handle_cis_response(response)
 
         # retrieve certificate
-        certificate_pem = get_cis_certificate(self.session, base_url, data["id"])
+        certificate_chain_pem = get_cis_certificate(self.session, base_url, data["id"])
 
         self.session.headers.pop("Accept")
-        end_entity = pem.parse(certificate_pem)[0]
+        end_entity = certificate_chain_pem[0]
+        intermediate = certificate_chain_pem[1]
 
-        if "ECC" in issuer_options["key_type"]:
-            return (
-                "\n".join(str(end_entity).splitlines()),
-                current_app.config.get("DIGICERT_ECC_CIS_INTERMEDIATES", {}).get(issuer_options['authority'].name),
-                data["id"],
-            )
-
-        # By default return RSA
         return (
             "\n".join(str(end_entity).splitlines()),
-            current_app.config.get("DIGICERT_CIS_INTERMEDIATES", {}).get(issuer_options['authority'].name),
+            "\n".join(str(intermediate).splitlines()),
             data["id"],
         )
 

lemur/plugins/lemur_entrust/plugin.py

@@ -34,8 +34,7 @@ def determine_end_date(end_date):
 
     if not end_date:
         end_date = max_validity_end
-
-    if end_date > max_validity_end:
+    elif end_date > max_validity_end:
         end_date = max_validity_end
     return end_date.format('YYYY-MM-DD')
 

lemur/plugins/lemur_entrust/tests/test_entrust.py

@@ -3,6 +3,7 @@ from unittest.mock import patch, Mock
 import arrow
 from cryptography import x509
 from lemur.plugins.lemur_entrust import plugin
+from freezegun import freeze_time
 
 
 def config_mock(*args):
@@ -21,11 +22,18 @@ def config_mock(*args):
     return values[args[0]]
 
 
+@patch("lemur.plugins.lemur_digicert.plugin.current_app")
+def test_determine_end_date(mock_current_app):
+    with freeze_time(time_to_freeze=arrow.get(2016, 11, 3).datetime):
+        assert arrow.get(2017, 12, 3).format('YYYY-MM-DD') == plugin.determine_end_date(0)  # 1 year + 1 month
+        assert arrow.get(2017, 3, 5).format('YYYY-MM-DD') == plugin.determine_end_date(arrow.get(2017, 3, 5))
+        assert arrow.get(2017, 12, 3).format('YYYY-MM-DD') == plugin.determine_end_date(arrow.get(2020, 5, 7))
+
+
 @patch("lemur.plugins.lemur_entrust.plugin.current_app")
 def test_process_options(mock_current_app, authority):
     mock_current_app.config.get = Mock(side_effect=config_mock)
-    plugin.determine_end_date = Mock(return_value=arrow.get(2020, 10, 7).format('YYYY-MM-DD'))
-
+    plugin.determine_end_date = Mock(return_value=arrow.get(2017, 11, 5).format('YYYY-MM-DD'))
     authority.name = "Entrust"
     names = [u"one.example.com", u"two.example.com", u"three.example.com"]
     options = {
@@ -35,7 +43,7 @@ def test_process_options(mock_current_app, authority):
         "extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}},
         "organization": "Example, Inc.",
         "organizational_unit": "Example Org",
-        "validity_end": arrow.get(2020, 10, 7),
+        "validity_end": arrow.utcnow().shift(years=1, months=+1),
         "authority": authority,
     }
 
@@ -43,7 +51,7 @@ def test_process_options(mock_current_app, authority):
         "signingAlg": "SHA-2",
         "eku": "SERVER_AND_CLIENT_AUTH",
         "certType": "ADVANTAGE_SSL",
-        "certExpiryDate": arrow.get(2020, 10, 7).format('YYYY-MM-DD'),
+        "certExpiryDate": arrow.get(2017, 11, 5).format('YYYY-MM-DD'),
         "tracking": {
             "requesterName": mock_current_app.config.get("ENTRUST_NAME"),
             "requesterEmail": mock_current_app.config.get("ENTRUST_EMAIL"),