optimizing the call to describe cert to only the few certs with the naming issue

2019-10-18 09:24:49 -07:00 · 2019-10-18 09:24:49 -07:00 · 8aea257e6a
parent f075c5af3d
commit 8aea257e6a
2 changed files with 35 additions and 29 deletions
--- a/lemur/plugins/lemur_aws/plugin.py
+++ b/lemur/plugins/lemur_aws/plugin.py
@ -112,8 +112,6 @@ def get_elb_endpoints(account_number, region, elb_dict):
                listener["Listener"]["SSLCertificateId"]
            ),
        )
-        endpoint["certificate"] = get_elb_certificate_by_name(certificate_name=endpoint["certificate_name"],
-                                                              account_number=account_number)

        if listener["PolicyNames"]:
            policy = elb.describe_load_balancer_policies(
@ -131,28 +129,6 @@ def get_elb_endpoints(account_number, region, elb_dict):
    return endpoints


-def get_elb_certificate_by_name(certificate_name, account_number):
-    # certificate name may contain path, in which case we remove it
-    if "/" in certificate_name:
-        certificate_name = certificate_name.split('/')[1]
-    try:
-        cert = iam.get_certificate(certificate_name, account_number=account_number)
-        return dict(
-            body=cert["CertificateBody"],
-            chain=cert.get("CertificateChain"),
-            name=cert["ServerCertificateMetadata"]["ServerCertificateName"],
-        )
-    except ClientError:
-        current_app.logger.warning(
-            "get_elb_certificate_failed: Unable to get certificate for {0}".format(certificate_name))
-        sentry.captureException()
-        metrics.send(
-            "get_elb_certificate_failed", "counter", 1,
-            metric_tags={"certificate_name": certificate_name, "account_number": account_number}
-        )
-    return None
-
-
 def get_elb_endpoints_v2(account_number, region, elb_dict):
    """
    Retrieves endpoint information from elbv2 response data.
@ -179,8 +155,6 @@ def get_elb_endpoints_v2(account_number, region, elb_dict):
                port=listener["Port"],
                certificate_name=iam.get_name_from_arn(certificate["CertificateArn"]),
            )
-            endpoint["certificate"] = get_elb_certificate_by_name(certificate_name=endpoint["certificate_name"],
-                                                                  account_number=account_number)

        if listener["SslPolicy"]:
            policy = elb.describe_ssl_policies_v2(
@ -299,6 +273,28 @@ class AWSSourcePlugin(SourcePlugin):
        account_number = self.get_option("accountNumber", options)
        iam.delete_cert(certificate.name, account_number=account_number)

+    def get_certificate_by_name(self, certificate_name, options):
+        account_number = self.get_option("accountNumber", options)
+        # certificate name may contain path, in which case we remove it
+        if "/" in certificate_name:
+            certificate_name = certificate_name.split('/')[1]
+        try:
+            cert = iam.get_certificate(certificate_name, account_number=account_number)
+            return dict(
+                body=cert["CertificateBody"],
+                chain=cert.get("CertificateChain"),
+                name=cert["ServerCertificateMetadata"]["ServerCertificateName"],
+            )
+        except ClientError:
+            current_app.logger.warning(
+                "get_elb_certificate_failed: Unable to get certificate for {0}".format(certificate_name))
+            sentry.captureException()
+            metrics.send(
+                "get_elb_certificate_failed", "counter", 1,
+                metric_tags={"certificate_name": certificate_name, "account_number": account_number}
+            )
+        return None
+

 class AWSDestinationPlugin(DestinationPlugin):
    title = "AWS"
--- a/lemur/sources/service.py
+++ b/lemur/sources/service.py
@ -15,7 +15,7 @@ from lemur.sources.models import Source
 from lemur.certificates.models import Certificate
 from lemur.certificates import service as certificate_service
 from lemur.endpoints import service as endpoint_service
-from lemur.extensions import metrics
+from lemur.extensions import metrics, sentry
 from lemur.destinations import service as destination_service

 from lemur.certificates.schemas import CertificateUploadInputSchema
@ -92,7 +92,18 @@ def sync_endpoints(source):
        # if get cert by name failed, we attempt a search via serial number and hash comparison
        # and link the endpoint certificate to Lemur certificate
        if not endpoint["certificate"]:
-            certificate_attached_to_endpoint = endpoint.pop("certificate")
+            certificate_attached_to_endpoint = None
+            try:
+                certificate_attached_to_endpoint = s.get_certificate_by_name(certificate_name, source.options)
+            except NotImplementedError:
+                current_app.logger.warning(
+                    "Unable to describe server certificate for endpoints in source {0}:"
+                    " plugin has not implemented 'get_certificate_by_name'".format(
+                        source.label
+                    )
+                )
+                sentry.captureException()
+
            if certificate_attached_to_endpoint:
                lemur_matching_cert, updated_by_hash_tmp = find_cert(certificate_attached_to_endpoint)
                updated_by_hash += updated_by_hash_tmp
@ -111,7 +122,6 @@ def sync_endpoints(source):
                                 metric_tags={"cert": certificate_name, "endpoint": endpoint["name"],
                                              "acct": s.get_option("accountNumber", source.options)})

-        # this indicates the we were not able to describe the endpoint cert
        if not endpoint["certificate"]:
            current_app.logger.error(
                "Certificate Not Found. Name: {0} Endpoint: {1}".format(