Fill in missing cert rotation_policy; don't ignore validation errors when re-issuing certs
CertificateInputSchema requires the rotation_policy field, but certificates created before the field existed have set to NULL. Thus saving such certificates failed and probably caused other errors. Made cert re-issuing (get_certificate_primitives) more strict so such errors are harder to miss in the future.
This commit is contained in:
parent
acd2701fa2
commit
82158aece6
|
@ -514,7 +514,9 @@ def get_certificate_primitives(certificate):
|
||||||
certificate via `create`.
|
certificate via `create`.
|
||||||
"""
|
"""
|
||||||
start, end = calculate_reissue_range(certificate.not_before, certificate.not_after)
|
start, end = calculate_reissue_range(certificate.not_before, certificate.not_after)
|
||||||
data = CertificateInputSchema().load(CertificateOutputSchema().dump(certificate).data).data
|
ser = CertificateInputSchema().load(CertificateOutputSchema().dump(certificate).data)
|
||||||
|
assert not ser.errors, "Error re-serializing certificate: %s" % ser.errors
|
||||||
|
data = ser.data
|
||||||
|
|
||||||
# we can't quite tell if we are using a custom name, as this is an automated process (typically)
|
# we can't quite tell if we are using a custom name, as this is an automated process (typically)
|
||||||
# we will rely on the Lemur generated name
|
# we will rely on the Lemur generated name
|
||||||
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
"""Add default rotation_policy to certs where it's missing
|
||||||
|
|
||||||
|
Revision ID: 1db4f82bc780
|
||||||
|
Revises: 3adfdd6598df
|
||||||
|
Create Date: 2018-08-03 12:56:44.565230
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
|
# revision identifiers, used by Alembic.
|
||||||
|
revision = '1db4f82bc780'
|
||||||
|
down_revision = '3adfdd6598df'
|
||||||
|
|
||||||
|
import logging
|
||||||
|
|
||||||
|
from alembic import op
|
||||||
|
|
||||||
|
log = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
def upgrade():
|
||||||
|
connection = op.get_bind()
|
||||||
|
|
||||||
|
result = connection.execute("""\
|
||||||
|
UPDATE certificates
|
||||||
|
SET rotation_policy_id=(SELECT id FROM rotation_policies WHERE name='default')
|
||||||
|
WHERE rotation_policy_id IS NULL
|
||||||
|
RETURNING id
|
||||||
|
""")
|
||||||
|
log.info("Filled rotation_policy for %d certificates" % result.rowcount)
|
||||||
|
|
||||||
|
|
||||||
|
def downgrade():
|
||||||
|
pass
|
|
@ -23,7 +23,8 @@ LEMUR_ENCRYPTION_KEYS = 'o61sBLNBSGtAckngtNrfVNd8xy8Hp9LBGDstTbMbqCY='
|
||||||
|
|
||||||
# List of domain regular expressions that non-admin users can issue
|
# List of domain regular expressions that non-admin users can issue
|
||||||
LEMUR_WHITELISTED_DOMAINS = [
|
LEMUR_WHITELISTED_DOMAINS = [
|
||||||
'^[a-zA-Z0-9-]+\.example\.com$'
|
'^[a-zA-Z0-9-]+\.example\.com$',
|
||||||
|
'^example\d+\.long\.com$',
|
||||||
]
|
]
|
||||||
|
|
||||||
# Mail Server
|
# Mail Server
|
||||||
|
|
|
@ -31,6 +31,16 @@ class BaseFactory(SQLAlchemyModelFactory):
|
||||||
sqlalchemy_session = db.session
|
sqlalchemy_session = db.session
|
||||||
|
|
||||||
|
|
||||||
|
class RotationPolicyFactory(BaseFactory):
|
||||||
|
"""Rotation Factory."""
|
||||||
|
name = Sequence(lambda n: 'policy{0}'.format(n))
|
||||||
|
days = 30
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
"""Factory configuration."""
|
||||||
|
model = RotationPolicy
|
||||||
|
|
||||||
|
|
||||||
class CertificateFactory(BaseFactory):
|
class CertificateFactory(BaseFactory):
|
||||||
"""Certificate factory."""
|
"""Certificate factory."""
|
||||||
name = Sequence(lambda n: 'certificate{0}'.format(n))
|
name = Sequence(lambda n: 'certificate{0}'.format(n))
|
||||||
|
@ -43,6 +53,7 @@ class CertificateFactory(BaseFactory):
|
||||||
description = FuzzyText(length=128)
|
description = FuzzyText(length=128)
|
||||||
active = True
|
active = True
|
||||||
date_created = FuzzyDate(date(2016, 1, 1), date(2020, 1, 1))
|
date_created = FuzzyDate(date(2016, 1, 1), date(2020, 1, 1))
|
||||||
|
rotation_policy = SubFactory(RotationPolicyFactory)
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
"""Factory Configuration."""
|
"""Factory Configuration."""
|
||||||
|
@ -150,16 +161,6 @@ class AsyncAuthorityFactory(AuthorityFactory):
|
||||||
authority_certificate = SubFactory(CertificateFactory)
|
authority_certificate = SubFactory(CertificateFactory)
|
||||||
|
|
||||||
|
|
||||||
class RotationPolicyFactory(BaseFactory):
|
|
||||||
"""Rotation Factory."""
|
|
||||||
name = Sequence(lambda n: 'policy{0}'.format(n))
|
|
||||||
days = 30
|
|
||||||
|
|
||||||
class Meta:
|
|
||||||
"""Factory configuration."""
|
|
||||||
model = RotationPolicy
|
|
||||||
|
|
||||||
|
|
||||||
class DestinationFactory(BaseFactory):
|
class DestinationFactory(BaseFactory):
|
||||||
"""Destination factory."""
|
"""Destination factory."""
|
||||||
plugin_name = 'test-destination'
|
plugin_name = 'test-destination'
|
||||||
|
|
|
@ -46,7 +46,7 @@ def test_get_certificate_primitives(certificate):
|
||||||
|
|
||||||
with freeze_time(datetime.date(year=2016, month=10, day=30)):
|
with freeze_time(datetime.date(year=2016, month=10, day=30)):
|
||||||
primitives = get_certificate_primitives(certificate)
|
primitives = get_certificate_primitives(certificate)
|
||||||
assert len(primitives) == 24
|
assert len(primitives) == 25
|
||||||
|
|
||||||
|
|
||||||
def test_certificate_output_schema(session, certificate, issuer_plugin):
|
def test_certificate_output_schema(session, certificate, issuer_plugin):
|
||||||
|
|
Loading…
Reference in New Issue