Enhance domains query and sensitive domain checking code; Allow creation of opt-out roles via config

lemur/auth/permissions.py

@@ -9,6 +9,7 @@
 from functools import partial
 from collections import namedtuple
 
+from flask import current_app
 from flask_principal import Permission, RoleNeed
 
 # Permissions
@@ -21,7 +22,14 @@ CertificateOwnerNeed = partial(CertificateOwner, "role")
 
 class SensitiveDomainPermission(Permission):
     def __init__(self):
-        super(SensitiveDomainPermission, self).__init__(RoleNeed("admin"))
+        needs = [RoleNeed("admin")]
+        sensitive_domain_roles = current_app.config.get("SENSITIVE_DOMAIN_ROLES", [])
+
+        if sensitive_domain_roles:
+            for role in sensitive_domain_roles:
+                needs.append(RoleNeed(role))
+
+        super(SensitiveDomainPermission, self).__init__(*needs)
 
 
 class CertificatePermission(Permission):

lemur/common/celery.py

@@ -16,13 +16,13 @@ from celery.exceptions import SoftTimeLimitExceeded
 from flask import current_app
 
 from lemur.authorities.service import get as get_authority
+from lemur.destinations import service as destinations_service
 from lemur.extensions import metrics, sentry
 from lemur.factory import create_app
 from lemur.notifications.messaging import send_pending_failure_notification
 from lemur.pending_certificates import service as pending_certificate_service
 from lemur.plugins.base import plugins
 from lemur.sources.cli import clean, sync, validate_sources
-from lemur.destinations import service as destinations_service
 from lemur.sources.service import add_aws_destination_to_sources
 
 if current_app:

lemur/common/validators.py

@@ -40,7 +40,7 @@ def sensitive_domain(domain):
     # Avoid circular import.
     from lemur.domains import service as domain_service
 
-    if any(d.sensitive for d in domain_service.get_by_name(domain)):
+    if domain_service.is_domain_sensitive(domain):
         raise ValidationError(
             "Domain {0} has been marked as sensitive. "
             "Contact an administrator to issue the certificate.".format(domain)

lemur/domains/service.py

@@ -6,10 +6,11 @@
 
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-from lemur.domains.models import Domain
+from sqlalchemy import and_
-from lemur.certificates.models import Certificate
 
 from lemur import database
+from lemur.certificates.models import Certificate
+from lemur.domains.models import Domain
 
 
 def get(domain_id):
@@ -42,6 +43,20 @@ def get_by_name(name):
     return database.get_all(Domain, name, field="name").all()
 
 
+def is_domain_sensitive(name):
+    """
+    Return True if domain is marked sensitive
+
+    :param name:
+    :return:
+    """
+    query = database.session_query(Domain)
+
+    query = query.filter(and_(Domain.sensitive, Domain.name == name))
+
+    return database.find_all(query, Domain, {}).all()
+
+
 def create(name, sensitive):
     """
     Create a new domain