Fill in missing cert rotation_policy; don't ignore validation errors when re-issuing certs

CertificateInputSchema requires the rotation_policy field, but
certificates created before the field existed have set to NULL. Thus
saving such certificates failed and probably caused other errors.

Made cert re-issuing (get_certificate_primitives) more strict so such
errors are harder to miss in the future.
This commit is contained in:
Marti Raudsepp 2018-08-03 13:21:45 +03:00
parent acd2701fa2
commit 82158aece6
5 changed files with 50 additions and 13 deletions

View File

@ -514,7 +514,9 @@ def get_certificate_primitives(certificate):
certificate via `create`. certificate via `create`.
""" """
start, end = calculate_reissue_range(certificate.not_before, certificate.not_after) start, end = calculate_reissue_range(certificate.not_before, certificate.not_after)
data = CertificateInputSchema().load(CertificateOutputSchema().dump(certificate).data).data ser = CertificateInputSchema().load(CertificateOutputSchema().dump(certificate).data)
assert not ser.errors, "Error re-serializing certificate: %s" % ser.errors
data = ser.data
# we can't quite tell if we are using a custom name, as this is an automated process (typically) # we can't quite tell if we are using a custom name, as this is an automated process (typically)
# we will rely on the Lemur generated name # we will rely on the Lemur generated name

View File

@ -0,0 +1,33 @@
"""Add default rotation_policy to certs where it's missing
Revision ID: 1db4f82bc780
Revises: 3adfdd6598df
Create Date: 2018-08-03 12:56:44.565230
"""
# revision identifiers, used by Alembic.
revision = '1db4f82bc780'
down_revision = '3adfdd6598df'
import logging
from alembic import op
log = logging.getLogger(__name__)
def upgrade():
connection = op.get_bind()
result = connection.execute("""\
UPDATE certificates
SET rotation_policy_id=(SELECT id FROM rotation_policies WHERE name='default')
WHERE rotation_policy_id IS NULL
RETURNING id
""")
log.info("Filled rotation_policy for %d certificates" % result.rowcount)
def downgrade():
pass

View File

@ -23,7 +23,8 @@ LEMUR_ENCRYPTION_KEYS = 'o61sBLNBSGtAckngtNrfVNd8xy8Hp9LBGDstTbMbqCY='
# List of domain regular expressions that non-admin users can issue # List of domain regular expressions that non-admin users can issue
LEMUR_WHITELISTED_DOMAINS = [ LEMUR_WHITELISTED_DOMAINS = [
'^[a-zA-Z0-9-]+\.example\.com$' '^[a-zA-Z0-9-]+\.example\.com$',
'^example\d+\.long\.com$',
] ]
# Mail Server # Mail Server

View File

@ -31,6 +31,16 @@ class BaseFactory(SQLAlchemyModelFactory):
sqlalchemy_session = db.session sqlalchemy_session = db.session
class RotationPolicyFactory(BaseFactory):
"""Rotation Factory."""
name = Sequence(lambda n: 'policy{0}'.format(n))
days = 30
class Meta:
"""Factory configuration."""
model = RotationPolicy
class CertificateFactory(BaseFactory): class CertificateFactory(BaseFactory):
"""Certificate factory.""" """Certificate factory."""
name = Sequence(lambda n: 'certificate{0}'.format(n)) name = Sequence(lambda n: 'certificate{0}'.format(n))
@ -43,6 +53,7 @@ class CertificateFactory(BaseFactory):
description = FuzzyText(length=128) description = FuzzyText(length=128)
active = True active = True
date_created = FuzzyDate(date(2016, 1, 1), date(2020, 1, 1)) date_created = FuzzyDate(date(2016, 1, 1), date(2020, 1, 1))
rotation_policy = SubFactory(RotationPolicyFactory)
class Meta: class Meta:
"""Factory Configuration.""" """Factory Configuration."""
@ -150,16 +161,6 @@ class AsyncAuthorityFactory(AuthorityFactory):
authority_certificate = SubFactory(CertificateFactory) authority_certificate = SubFactory(CertificateFactory)
class RotationPolicyFactory(BaseFactory):
"""Rotation Factory."""
name = Sequence(lambda n: 'policy{0}'.format(n))
days = 30
class Meta:
"""Factory configuration."""
model = RotationPolicy
class DestinationFactory(BaseFactory): class DestinationFactory(BaseFactory):
"""Destination factory.""" """Destination factory."""
plugin_name = 'test-destination' plugin_name = 'test-destination'

View File

@ -46,7 +46,7 @@ def test_get_certificate_primitives(certificate):
with freeze_time(datetime.date(year=2016, month=10, day=30)): with freeze_time(datetime.date(year=2016, month=10, day=30)):
primitives = get_certificate_primitives(certificate) primitives = get_certificate_primitives(certificate)
assert len(primitives) == 24 assert len(primitives) == 25
def test_certificate_output_schema(session, certificate, issuer_plugin): def test_certificate_output_schema(session, certificate, issuer_plugin):