diff --git a/docker/Dockerfile-src b/docker/Dockerfile-src new file mode 100644 index 00000000..c23f249c --- /dev/null +++ b/docker/Dockerfile-src @@ -0,0 +1,64 @@ +FROM alpine:3.8 + +ARG VERSION +ENV VERSION master + +ENV uid 1337 +ENV gid 1337 +ENV user lemur +ENV group lemur + +RUN addgroup -S ${group} -g ${gid} && \ + adduser -D -S ${user} -G ${group} -u ${uid} && \ + apk --update add python3 libldap postgresql-client nginx supervisor curl tzdata openssl bash && \ + apk --update add --virtual build-dependencies \ + git \ + tar \ + curl \ + python3-dev \ + npm \ + bash \ + musl-dev \ + gcc \ + autoconf \ + automake \ + make \ + nasm \ + zlib-dev \ + postgresql-dev \ + libressl-dev \ + libffi-dev \ + cyrus-sasl-dev \ + openldap-dev && \ + pip3 install --upgrade pip && \ + pip3 install --upgrade setuptools && \ + mkdir -p /home/lemur/.lemur/ && \ + mkdir -p /run/nginx/ /etc/nginx/ssl/ + +COPY ./ /opt/lemur +WORKDIR /opt/lemur + +RUN chown -R $user:$group /opt/lemur/ /home/lemur/.lemur/ && \ + npm install --unsafe-perm && \ + pip3 install -e . && \ + node_modules/.bin/gulp build && \ + node_modules/.bin/gulp package --urlContextPath=$(urlContextPath) && \ + apk del build-dependencies + +COPY docker/entrypoint / +COPY docker/src/lemur.conf.py /home/lemur/.lemur/lemur.conf.py +COPY docker/supervisor.conf / +COPY docker/nginx/default.conf /etc/nginx/conf.d/ +COPY docker/nginx/default-ssl.conf /etc/nginx/conf.d/ + +RUN chmod +x /entrypoint +WORKDIR / + +HEALTHCHECK --interval=12s --timeout=12s --start-period=30s \ + CMD curl --fail http://localhost:80/api/1/healthcheck | grep -q ok || exit 1 + +USER root + +ENTRYPOINT ["/entrypoint"] + +CMD ["/usr/bin/supervisord","-c","supervisor.conf"] diff --git a/docker/entrypoint b/docker/entrypoint index 2a3a84e3..3f25951a 100644 --- a/docker/entrypoint +++ b/docker/entrypoint @@ -36,7 +36,7 @@ fi # fi echo " # Running init" -su lemur -s /bin/bash -c "cd /opt/lemur/lemur; python3 /opt/lemur/lemur/manage.py init -p ${LEMUR_ADMIN_PASSWORD}" +su lemur -s /bin/bash -c "cd /opt/lemur/lemur; lemur init -p ${LEMUR_ADMIN_PASSWORD}" echo " # Done" # echo "Creating user" @@ -47,11 +47,13 @@ echo " # Done" cron_notify="${CRON_NOTIFY:-"0 22 * * *"}" cron_sync="${CRON_SYNC:-"*/15 * * * *"}" cron_revoked="${CRON_CHECK_REVOKED:-"0 22 * * *"}" +cron_reissue="${CRON_REISSUE:-"0 23 * * *"}" echo " # Populating crontab" -echo "${cron_notify} lemur python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur_notify -echo "${cron_sync} lemur python3 /opt/lemur/lemur/manage.py source sync -s all" > /etc/crontabs/lemur_sync -echo "${cron_revoked} lemur python3 /opt/lemur/lemur/manage.py certificate check_revoked" > /etc/crontabs/lemur_revoked +echo "${cron_notify} lemur notify expirations" > /etc/crontabs/lemur +echo "${cron_sync} lemur source sync -s all" >> /etc/crontabs/lemur +echo "${cron_revoked} lemur certificate check_revoked" >> /etc/crontabs/lemur +echo "${cron_reissue} lemur certificate reissue -c" >> /etc/crontabs/lemur echo " # Done" exec "$@" diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py index 0f294b28..3cc51792 100644 --- a/docker/src/lemur.conf.py +++ b/docker/src/lemur.conf.py @@ -16,12 +16,16 @@ LEMUR_WHITELISTED_DOMAINS = [] LEMUR_EMAIL = '' LEMUR_SECURITY_TEAM_EMAIL = [] +ALLOW_CERT_DELETION = os.environ.get('ALLOW_CERT_DELETION') == "True" -LEMUR_DEFAULT_COUNTRY = repr(os.environ.get('LEMUR_DEFAULT_COUNTRY','')) -LEMUR_DEFAULT_STATE = repr(os.environ.get('LEMUR_DEFAULT_STATE','')) -LEMUR_DEFAULT_LOCATION = repr(os.environ.get('LEMUR_DEFAULT_LOCATION','')) -LEMUR_DEFAULT_ORGANIZATION = repr(os.environ.get('LEMUR_DEFAULT_ORGANIZATION','')) -LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = repr(os.environ.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT','')) +LEMUR_DEFAULT_COUNTRY = str(os.environ.get('LEMUR_DEFAULT_COUNTRY','')) +LEMUR_DEFAULT_STATE = str(os.environ.get('LEMUR_DEFAULT_STATE','')) +LEMUR_DEFAULT_LOCATION = str(os.environ.get('LEMUR_DEFAULT_LOCATION','')) +LEMUR_DEFAULT_ORGANIZATION = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATION','')) +LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT','')) + +LEMUR_DEFAULT_ISSUER_PLUGIN = str(os.environ.get('LEMUR_DEFAULT_ISSUER_PLUGIN','')) +LEMUR_DEFAULT_AUTHORITY = str(os.environ.get('LEMUR_DEFAULT_AUTHORITY','')) ACTIVE_PROVIDERS = [] diff --git a/docker/supervisor.conf b/docker/supervisor.conf index fed01581..ec4b221d 100644 --- a/docker/supervisor.conf +++ b/docker/supervisor.conf @@ -7,7 +7,7 @@ pidfile = /tmp/supervisord.pid [program:lemur] environment=LEMUR_CONF=/home/lemur/.lemur/lemur.conf.py -command=/usr/bin/python3 manage.py start -b 0.0.0.0:8000 +command=lemur start -b 0.0.0.0:8000 user=lemur directory=/opt/lemur/lemur stdout_logfile=/dev/stdout @@ -24,6 +24,7 @@ stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 [program:cron] +environment=LEMUR_CONF=/home/lemur/.lemur/lemur.conf.py command=/usr/sbin/crond -f user=root stdout_logfile=/dev/stdout diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py index 8f15542d..42e444bc 100644 --- a/lemur/certificates/schemas.py +++ b/lemur/certificates/schemas.py @@ -146,7 +146,8 @@ class CertificateInputSchema(CertificateCreationSchema): data["extensions"]["subAltNames"] = {"names": []} elif not data["extensions"]["subAltNames"].get("names"): data["extensions"]["subAltNames"]["names"] = [] - data["extensions"]["subAltNames"]["names"] += csr_sans + + data["extensions"]["subAltNames"]["names"] = csr_sans return missing.convert_validity_years(data) diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py index 41b9c252..3c5301f7 100755 --- a/lemur/plugins/lemur_vault_dest/plugin.py +++ b/lemur/plugins/lemur_vault_dest/plugin.py @@ -14,7 +14,7 @@ import re import hvac from flask import current_app -from lemur.common.defaults import common_name +from lemur.common.defaults import common_name, country, state, location, organizational_unit, organization from lemur.common.utils import parse_certificate from lemur.plugins.bases import DestinationPlugin from lemur.plugins.bases import SourcePlugin @@ -58,7 +58,7 @@ class VaultSourcePlugin(SourcePlugin): "helpMessage": "Authentication method to use", }, { - "name": "tokenFile/VaultRole", + "name": "tokenFileOrVaultRole", "type": "str", "required": True, "validation": "^([a-zA-Z0-9/._-]+/?)+$", @@ -94,7 +94,7 @@ class VaultSourcePlugin(SourcePlugin): body = "" url = self.get_option("vaultUrl", options) auth_method = self.get_option("authenticationMethod", options) - auth_key = self.get_option("tokenFile/vaultRole", options) + auth_key = self.get_option("tokenFileOrVaultRole", options) mount = self.get_option("vaultMount", options) path = self.get_option("vaultPath", options) obj_name = self.get_option("objectName", options) @@ -185,7 +185,7 @@ class VaultDestinationPlugin(DestinationPlugin): "helpMessage": "Authentication method to use", }, { - "name": "tokenFile/VaultRole", + "name": "tokenFileOrVaultRole", "type": "str", "required": True, "validation": "^([a-zA-Z0-9/._-]+/?)+$", @@ -202,15 +202,15 @@ class VaultDestinationPlugin(DestinationPlugin): "name": "vaultPath", "type": "str", "required": True, - "validation": "^([a-zA-Z0-9._-]+/?)+$", - "helpMessage": "Must be a valid Vault secrets path", + "validation": "^(([a-zA-Z0-9._-]+|{(CN|OU|O|L|S|C)})+/?)+$", + "helpMessage": "Must be a valid Vault secrets path. Support vars: {CN|OU|O|L|S|C}", }, { "name": "objectName", "type": "str", "required": False, - "validation": "[0-9a-zA-Z.:_-]+", - "helpMessage": "Name to bundle certs under, if blank use cn", + "validation": "^([0-9a-zA-Z.:_-]+|{(CN|OU|O|L|S|C)})+$", + "helpMessage": "Name to bundle certs under, if blank use {CN}. Support vars: {CN|OU|O|L|S|C}", }, { "name": "bundleChain", @@ -241,11 +241,12 @@ class VaultDestinationPlugin(DestinationPlugin): :param cert_chain: :return: """ - cname = common_name(parse_certificate(body)) + cert = parse_certificate(body) + cname = common_name(cert) url = self.get_option("vaultUrl", options) auth_method = self.get_option("authenticationMethod", options) - auth_key = self.get_option("tokenFile/vaultRole", options) + auth_key = self.get_option("tokenFileOrVaultRole", options) mount = self.get_option("vaultMount", options) path = self.get_option("vaultPath", options) bundle = self.get_option("bundleChain", options) @@ -285,10 +286,27 @@ class VaultDestinationPlugin(DestinationPlugin): client.secrets.kv.default_kv_version = api_version - if obj_name: - path = "{0}/{1}".format(path, obj_name) - else: - path = "{0}/{1}".format(path, cname) + t_path = path.format( + CN=cname, + OU=organizational_unit(cert), + O=organization(cert), # noqa: E741 + L=location(cert), + S=state(cert), + C=country(cert) + ) + if not obj_name: + obj_name = '{CN}' + + f_obj_name = obj_name.format( + CN=cname, + OU=organizational_unit(cert), + O=organization(cert), # noqa: E741 + L=location(cert), + S=state(cert), + C=country(cert) + ) + + path = "{0}/{1}".format(t_path, f_obj_name) secret = get_secret(client, mount, path) secret["data"][cname] = {} diff --git a/requirements-dev.txt b/requirements-dev.txt index 785d3f29..3f53aaf7 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -33,7 +33,7 @@ readme-renderer==25.0 # via twine requests-toolbelt==0.9.1 # via twine requests==2.23.0 # via requests-toolbelt, twine secretstorage==3.1.2 # via keyring -six==1.14.0 # via bleach, cryptography, readme-renderer, virtualenv +six==1.15.0 # via bleach, cryptography, readme-renderer, virtualenv toml==0.10.0 # via pre-commit tqdm==4.45.0 # via twine twine==3.1.1 # via -r requirements-dev.in diff --git a/requirements-docs.txt b/requirements-docs.txt index 16d97413..2d36962e 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -16,8 +16,8 @@ babel==2.8.0 # via sphinx bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.13.11 # via -r requirements.txt -botocore==1.16.11 # via -r requirements.txt, boto3, s3transfer +boto3==1.13.18 # via -r requirements.txt +botocore==1.16.18 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.4.5.1 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt @@ -42,7 +42,7 @@ flask-sqlalchemy==2.4.1 # via -r requirements.txt, flask-migrate flask==1.1.2 # via -r requirements.txt, flask-bcrypt, flask-cors, flask-mail, flask-migrate, flask-principal, flask-restful, flask-script, flask-sqlalchemy, raven future==0.18.2 # via -r requirements.txt, cloudflare gunicorn==20.0.4 # via -r requirements.txt -hvac==0.10.1 # via -r requirements.txt +hvac==0.10.3 # via -r requirements.txt idna==2.9 # via -r requirements.txt, requests imagesize==1.2.0 # via sphinx inflection==0.4.0 # via -r requirements.txt @@ -87,7 +87,7 @@ requests-toolbelt==0.9.1 # via -r requirements.txt, acme requests[security]==2.23.0 # via -r requirements.txt, acme, certsrv, cloudflare, hvac, requests-toolbelt, sphinx retrying==1.3.3 # via -r requirements.txt s3transfer==0.3.3 # via -r requirements.txt, boto3 -six==1.14.0 # via -r requirements.txt, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, packaging, pynacl, pyopenssl, python-dateutil, retrying, sphinxcontrib-httpdomain, sqlalchemy-utils +six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, packaging, pynacl, pyopenssl, python-dateutil, retrying, sphinxcontrib-httpdomain, sqlalchemy-utils snowballstemmer==2.0.0 # via sphinx sphinx-rtd-theme==0.4.3 # via -r requirements-docs.in sphinx==3.0.3 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain @@ -98,7 +98,7 @@ sphinxcontrib-httpdomain==1.7.0 # via -r requirements-docs.in sphinxcontrib-jsmath==1.0.1 # via sphinx sphinxcontrib-qthelp==1.0.3 # via sphinx sphinxcontrib-serializinghtml==1.1.4 # via sphinx -sqlalchemy-utils==0.36.5 # via -r requirements.txt +sqlalchemy-utils==0.36.6 # via -r requirements.txt sqlalchemy==1.3.16 # via -r requirements.txt, alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils tabulate==0.8.7 # via -r requirements.txt twofish==0.3.0 # via -r requirements.txt, pyjks diff --git a/requirements-tests.txt b/requirements-tests.txt index 79340e51..3fe1daa5 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.13.11 # via aws-sam-translator, moto +boto3==1.13.18 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.16.11 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.16.18 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.4.5.1 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto @@ -72,7 +72,7 @@ requests==2.23.0 # via docker, moto, requests-mock, responses responses==0.10.12 # via moto rsa==4.0 # via python-jose s3transfer==0.3.3 # via boto3 -six==1.14.0 # via aws-sam-translator, bandit, cfn-lint, cryptography, docker, ecdsa, fakeredis, freezegun, jsonschema, moto, packaging, pyrsistent, python-dateutil, python-jose, requests-mock, responses, stevedore, websocket-client +six==1.15.0 # via aws-sam-translator, bandit, cfn-lint, cryptography, docker, ecdsa, fakeredis, freezegun, jsonschema, moto, packaging, pyrsistent, python-dateutil, python-jose, requests-mock, responses, stevedore, websocket-client smmap==3.0.2 # via gitdb sortedcontainers==2.1.0 # via fakeredis sshpubkeys==3.1.0 # via moto diff --git a/requirements.txt b/requirements.txt index 315f39b8..1814d124 100644 --- a/requirements.txt +++ b/requirements.txt @@ -14,8 +14,8 @@ asyncpool==1.0 # via -r requirements.in bcrypt==3.1.7 # via flask-bcrypt, paramiko billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.13.11 # via -r requirements.in -botocore==1.16.11 # via -r requirements.in, boto3, s3transfer +boto3==1.13.18 # via -r requirements.in +botocore==1.16.18 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.4.5.1 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in @@ -40,7 +40,7 @@ flask-sqlalchemy==2.4.1 # via -r requirements.in, flask-migrate flask==1.1.2 # via -r requirements.in, flask-bcrypt, flask-cors, flask-mail, flask-migrate, flask-principal, flask-restful, flask-script, flask-sqlalchemy, raven future==0.18.2 # via -r requirements.in, cloudflare gunicorn==20.0.4 # via -r requirements.in -hvac==0.10.1 # via -r requirements.in +hvac==0.10.3 # via -r requirements.in idna==2.9 # via requests inflection==0.4.0 # via -r requirements.in itsdangerous==1.1.0 # via flask @@ -81,8 +81,8 @@ requests-toolbelt==0.9.1 # via acme requests[security]==2.23.0 # via -r requirements.in, acme, certsrv, cloudflare, hvac, requests-toolbelt retrying==1.3.3 # via -r requirements.in s3transfer==0.3.3 # via boto3 -six==1.14.0 # via -r requirements.in, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, pynacl, pyopenssl, python-dateutil, retrying, sqlalchemy-utils -sqlalchemy-utils==0.36.5 # via -r requirements.in +six==1.15.0 # via -r requirements.in, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, pynacl, pyopenssl, python-dateutil, retrying, sqlalchemy-utils +sqlalchemy-utils==0.36.6 # via -r requirements.in sqlalchemy==1.3.16 # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils tabulate==0.8.7 # via -r requirements.in twofish==0.3.0 # via pyjks