Merge branch 'master' into special-issuer-for-selfsigned-certs
This commit is contained in:
commit
8d261b4120
|
@ -0,0 +1,6 @@
|
||||||
|
"""Set the version information."""
|
||||||
|
try:
|
||||||
|
VERSION = __import__('pkg_resources') \
|
||||||
|
.get_distribution(__name__).version
|
||||||
|
except Exception as e:
|
||||||
|
VERSION = 'unknown'
|
|
@ -0,0 +1,116 @@
|
||||||
|
from lemur.plugins.bases import IssuerPlugin, SourcePlugin
|
||||||
|
import requests
|
||||||
|
from lemur.plugins import lemur_adcs as ADCS
|
||||||
|
from certsrv import Certsrv
|
||||||
|
from OpenSSL import crypto
|
||||||
|
from flask import current_app
|
||||||
|
|
||||||
|
|
||||||
|
class ADCSIssuerPlugin(IssuerPlugin):
|
||||||
|
title = 'ADCS'
|
||||||
|
slug = 'adcs-issuer'
|
||||||
|
description = 'Enables the creation of certificates by ADCS (Active Directory Certificate Services)'
|
||||||
|
version = ADCS.VERSION
|
||||||
|
|
||||||
|
author = 'sirferl'
|
||||||
|
author_url = 'https://github.com/sirferl/lemur'
|
||||||
|
|
||||||
|
def __init__(self, *args, **kwargs):
|
||||||
|
"""Initialize the issuer with the appropriate details."""
|
||||||
|
self.session = requests.Session()
|
||||||
|
super(ADCSIssuerPlugin, self).__init__(*args, **kwargs)
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def create_authority(options):
|
||||||
|
"""Create an authority.
|
||||||
|
Creates an authority, this authority is then used by Lemur to
|
||||||
|
allow a user to specify which Certificate Authority they want
|
||||||
|
to sign their certificate.
|
||||||
|
|
||||||
|
:param options:
|
||||||
|
:return:
|
||||||
|
"""
|
||||||
|
adcs_root = current_app.config.get('ADCS_ROOT')
|
||||||
|
adcs_issuing = current_app.config.get('ADCS_ISSUING')
|
||||||
|
role = {'username': '', 'password': '', 'name': 'adcs'}
|
||||||
|
return adcs_root, adcs_issuing, [role]
|
||||||
|
|
||||||
|
def create_certificate(self, csr, issuer_options):
|
||||||
|
adcs_server = current_app.config.get('ADCS_SERVER')
|
||||||
|
adcs_user = current_app.config.get('ADCS_USER')
|
||||||
|
adcs_pwd = current_app.config.get('ADCS_PWD')
|
||||||
|
adcs_auth_method = current_app.config.get('ADCS_AUTH_METHOD')
|
||||||
|
adcs_template = current_app.config.get('ADCS_TEMPLATE')
|
||||||
|
ca_server = Certsrv(adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method)
|
||||||
|
current_app.logger.info("Requesting CSR: {0}".format(csr))
|
||||||
|
current_app.logger.info("Issuer options: {0}".format(issuer_options))
|
||||||
|
cert, req_id = ca_server.get_cert(csr, adcs_template, encoding='b64').decode('utf-8').replace('\r\n', '\n')
|
||||||
|
chain = ca_server.get_ca_cert(encoding='b64').decode('utf-8').replace('\r\n', '\n')
|
||||||
|
return cert, chain, req_id
|
||||||
|
|
||||||
|
def revoke_certificate(self, certificate, comments):
|
||||||
|
raise NotImplementedError('Not implemented\n', self, certificate, comments)
|
||||||
|
|
||||||
|
def get_ordered_certificate(self, order_id):
|
||||||
|
raise NotImplementedError('Not implemented\n', self, order_id)
|
||||||
|
|
||||||
|
def canceled_ordered_certificate(self, pending_cert, **kwargs):
|
||||||
|
raise NotImplementedError('Not implemented\n', self, pending_cert, **kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
class ADCSSourcePlugin(SourcePlugin):
|
||||||
|
title = 'ADCS'
|
||||||
|
slug = 'adcs-source'
|
||||||
|
description = 'Enables the collecion of certificates'
|
||||||
|
version = ADCS.VERSION
|
||||||
|
|
||||||
|
author = 'sirferl'
|
||||||
|
author_url = 'https://github.com/sirferl/lemur'
|
||||||
|
options = [
|
||||||
|
{
|
||||||
|
'name': 'dummy',
|
||||||
|
'type': 'str',
|
||||||
|
'required': False,
|
||||||
|
'validation': '/^[0-9]{12,12}$/',
|
||||||
|
'helpMessage': 'Just to prevent error'
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
||||||
|
def get_certificates(self, options, **kwargs):
|
||||||
|
adcs_server = current_app.config.get('ADCS_SERVER')
|
||||||
|
adcs_user = current_app.config.get('ADCS_USER')
|
||||||
|
adcs_pwd = current_app.config.get('ADCS_PWD')
|
||||||
|
adcs_auth_method = current_app.config.get('ADCS_AUTH_METHOD')
|
||||||
|
adcs_start = current_app.config.get('ADCS_START')
|
||||||
|
adcs_stop = current_app.config.get('ADCS_STOP')
|
||||||
|
ca_server = Certsrv(adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method)
|
||||||
|
out_certlist = []
|
||||||
|
for id in range(adcs_start, adcs_stop):
|
||||||
|
try:
|
||||||
|
cert = ca_server.get_existing_cert(id, encoding='b64').decode('utf-8').replace('\r\n', '\n')
|
||||||
|
except Exception as err:
|
||||||
|
if '{0}'.format(err).find("CERTSRV_E_PROPERTY_EMPTY"):
|
||||||
|
# this error indicates end of certificate list(?), so we stop
|
||||||
|
break
|
||||||
|
else:
|
||||||
|
# We do nothing in case there is no certificate returned for other reasons
|
||||||
|
current_app.logger.info("Error with id {0}: {1}".format(id, err))
|
||||||
|
else:
|
||||||
|
# we have a certificate
|
||||||
|
pubkey = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
|
||||||
|
# loop through extensions to see if we find "TLS Web Server Authentication"
|
||||||
|
for e_id in range(0, pubkey.get_extension_count() - 1):
|
||||||
|
try:
|
||||||
|
extension = '{0}'.format(pubkey.get_extension(e_id))
|
||||||
|
except Exception:
|
||||||
|
extensionn = ''
|
||||||
|
if extension.find("TLS Web Server Authentication") != -1:
|
||||||
|
out_certlist.append({
|
||||||
|
'name': format(pubkey.get_subject().CN),
|
||||||
|
'body': cert})
|
||||||
|
break
|
||||||
|
return out_certlist
|
||||||
|
|
||||||
|
def get_endpoints(self, options, **kwargs):
|
||||||
|
# There are no endpoints in the ADCS
|
||||||
|
raise NotImplementedError('Not implemented\n', self, options, **kwargs)
|
|
@ -19,13 +19,13 @@ invoke==1.2.0
|
||||||
mccabe==0.6.1 # via flake8
|
mccabe==0.6.1 # via flake8
|
||||||
nodeenv==1.3.3
|
nodeenv==1.3.3
|
||||||
pkginfo==1.5.0.1 # via twine
|
pkginfo==1.5.0.1 # via twine
|
||||||
pre-commit==1.14.2
|
pre-commit==1.14.3
|
||||||
pycodestyle==2.3.1 # via flake8
|
pycodestyle==2.3.1 # via flake8
|
||||||
pyflakes==1.6.0 # via flake8
|
pyflakes==1.6.0 # via flake8
|
||||||
pygments==2.3.1 # via readme-renderer
|
pygments==2.3.1 # via readme-renderer
|
||||||
pyyaml==3.13 # via aspy.yaml, pre-commit
|
pyyaml==3.13 # via aspy.yaml, pre-commit
|
||||||
readme-renderer==24.0 # via twine
|
readme-renderer==24.0 # via twine
|
||||||
requests-toolbelt==0.9.0 # via twine
|
requests-toolbelt==0.9.1 # via twine
|
||||||
requests==2.21.0 # via requests-toolbelt, twine
|
requests==2.21.0 # via requests-toolbelt, twine
|
||||||
six==1.12.0 # via bleach, cfgv, pre-commit, readme-renderer
|
six==1.12.0 # via bleach, cfgv, pre-commit, readme-renderer
|
||||||
toml==0.10.0 # via pre-commit
|
toml==0.10.0 # via pre-commit
|
||||||
|
|
|
@ -8,7 +8,7 @@ acme==0.30.2
|
||||||
alabaster==0.7.12 # via sphinx
|
alabaster==0.7.12 # via sphinx
|
||||||
alembic-autogenerate-enums==0.0.2
|
alembic-autogenerate-enums==0.0.2
|
||||||
alembic==1.0.7
|
alembic==1.0.7
|
||||||
amqp==2.4.0
|
amqp==2.4.1
|
||||||
aniso8601==4.1.0
|
aniso8601==4.1.0
|
||||||
arrow==0.13.0
|
arrow==0.13.0
|
||||||
asn1crypto==0.24.0
|
asn1crypto==0.24.0
|
||||||
|
@ -17,8 +17,8 @@ babel==2.6.0 # via sphinx
|
||||||
bcrypt==3.1.6
|
bcrypt==3.1.6
|
||||||
billiard==3.5.0.5
|
billiard==3.5.0.5
|
||||||
blinker==1.4
|
blinker==1.4
|
||||||
boto3==1.9.86
|
boto3==1.9.87
|
||||||
botocore==1.12.86
|
botocore==1.12.87
|
||||||
celery[redis]==4.2.1
|
celery[redis]==4.2.1
|
||||||
certifi==2018.11.29
|
certifi==2018.11.29
|
||||||
cffi==1.11.5
|
cffi==1.11.5
|
||||||
|
@ -53,13 +53,13 @@ kombu==4.2.2.post1
|
||||||
lockfile==0.12.2
|
lockfile==0.12.2
|
||||||
mako==1.0.7
|
mako==1.0.7
|
||||||
markupsafe==1.1.0
|
markupsafe==1.1.0
|
||||||
marshmallow-sqlalchemy==0.15.0
|
marshmallow-sqlalchemy==0.16.0
|
||||||
marshmallow==2.18.0
|
marshmallow==2.18.0
|
||||||
mock==2.0.0
|
mock==2.0.0
|
||||||
ndg-httpsclient==0.5.1
|
ndg-httpsclient==0.5.1
|
||||||
packaging==19.0 # via sphinx
|
packaging==19.0 # via sphinx
|
||||||
paramiko==2.4.2
|
paramiko==2.4.2
|
||||||
pbr==5.1.1
|
pbr==5.1.2
|
||||||
pem==18.2.0
|
pem==18.2.0
|
||||||
psycopg2==2.7.7
|
psycopg2==2.7.7
|
||||||
pyasn1-modules==0.2.4
|
pyasn1-modules==0.2.4
|
||||||
|
@ -71,20 +71,20 @@ pynacl==1.3.0
|
||||||
pyopenssl==19.0.0
|
pyopenssl==19.0.0
|
||||||
pyparsing==2.3.1 # via packaging
|
pyparsing==2.3.1 # via packaging
|
||||||
pyrfc3339==1.1
|
pyrfc3339==1.1
|
||||||
python-dateutil==2.7.5
|
python-dateutil==2.8.0
|
||||||
python-editor==1.0.3
|
python-editor==1.0.4
|
||||||
pytz==2018.9
|
pytz==2018.9
|
||||||
pyyaml==3.13
|
pyyaml==3.13
|
||||||
raven[flask]==6.10.0
|
raven[flask]==6.10.0
|
||||||
redis==2.10.6
|
redis==2.10.6
|
||||||
requests-toolbelt==0.9.0
|
requests-toolbelt==0.9.1
|
||||||
requests[security]==2.21.0
|
requests[security]==2.21.0
|
||||||
retrying==1.3.3
|
retrying==1.3.3
|
||||||
s3transfer==0.1.13
|
s3transfer==0.1.13
|
||||||
six==1.12.0
|
six==1.12.0
|
||||||
snowballstemmer==1.2.1 # via sphinx
|
snowballstemmer==1.2.1 # via sphinx
|
||||||
sphinx-rtd-theme==0.4.2
|
sphinx-rtd-theme==0.4.2
|
||||||
sphinx==1.8.3
|
sphinx==1.8.4
|
||||||
sphinxcontrib-httpdomain==1.7.0
|
sphinxcontrib-httpdomain==1.7.0
|
||||||
sphinxcontrib-websupport==1.1.0 # via sphinx
|
sphinxcontrib-websupport==1.1.0 # via sphinx
|
||||||
sqlalchemy-utils==0.33.11
|
sqlalchemy-utils==0.33.11
|
||||||
|
|
|
@ -5,12 +5,12 @@
|
||||||
# pip-compile --no-index --output-file requirements-tests.txt requirements-tests.in
|
# pip-compile --no-index --output-file requirements-tests.txt requirements-tests.in
|
||||||
#
|
#
|
||||||
asn1crypto==0.24.0 # via cryptography
|
asn1crypto==0.24.0 # via cryptography
|
||||||
atomicwrites==1.2.1 # via pytest
|
atomicwrites==1.3.0 # via pytest
|
||||||
attrs==18.2.0 # via pytest
|
attrs==18.2.0 # via pytest
|
||||||
aws-xray-sdk==0.95 # via moto
|
aws-xray-sdk==0.95 # via moto
|
||||||
boto3==1.9.86 # via moto
|
boto3==1.9.87 # via moto
|
||||||
boto==2.49.0 # via moto
|
boto==2.49.0 # via moto
|
||||||
botocore==1.12.86 # via boto3, moto, s3transfer
|
botocore==1.12.87 # via boto3, moto, s3transfer
|
||||||
certifi==2018.11.29 # via requests
|
certifi==2018.11.29 # via requests
|
||||||
cffi==1.11.5 # via cryptography
|
cffi==1.11.5 # via cryptography
|
||||||
chardet==3.0.4 # via requests
|
chardet==3.0.4 # via requests
|
||||||
|
@ -37,7 +37,7 @@ mock==2.0.0 # via moto
|
||||||
more-itertools==5.0.0 # via pytest
|
more-itertools==5.0.0 # via pytest
|
||||||
moto==1.3.7
|
moto==1.3.7
|
||||||
nose==1.3.7
|
nose==1.3.7
|
||||||
pbr==5.1.1 # via mock
|
pbr==5.1.2 # via mock
|
||||||
pluggy==0.8.1 # via pytest
|
pluggy==0.8.1 # via pytest
|
||||||
py==1.7.0 # via pytest
|
py==1.7.0 # via pytest
|
||||||
pyaml==18.11.0 # via moto
|
pyaml==18.11.0 # via moto
|
||||||
|
@ -45,9 +45,9 @@ pycparser==2.19 # via cffi
|
||||||
pycryptodome==3.7.3 # via python-jose
|
pycryptodome==3.7.3 # via python-jose
|
||||||
pyflakes==2.1.0
|
pyflakes==2.1.0
|
||||||
pytest-flask==0.14.0
|
pytest-flask==0.14.0
|
||||||
pytest-mock==1.10.0
|
pytest-mock==1.10.1
|
||||||
pytest==4.1.1
|
pytest==4.2.0
|
||||||
python-dateutil==2.7.5 # via botocore, faker, freezegun, moto
|
python-dateutil==2.8.0 # via botocore, faker, freezegun, moto
|
||||||
python-jose==2.0.2 # via moto
|
python-jose==2.0.2 # via moto
|
||||||
pytz==2018.9 # via moto
|
pytz==2018.9 # via moto
|
||||||
pyyaml==3.13 # via pyaml
|
pyyaml==3.13 # via pyaml
|
||||||
|
|
|
@ -8,6 +8,7 @@ boto3
|
||||||
botocore
|
botocore
|
||||||
celery[redis]
|
celery[redis]
|
||||||
certifi
|
certifi
|
||||||
|
certsrv
|
||||||
CloudFlare
|
CloudFlare
|
||||||
cryptography
|
cryptography
|
||||||
dnspython3
|
dnspython3
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
acme==0.30.2
|
acme==0.30.2
|
||||||
alembic-autogenerate-enums==0.0.2
|
alembic-autogenerate-enums==0.0.2
|
||||||
alembic==1.0.7 # via flask-migrate
|
alembic==1.0.7 # via flask-migrate
|
||||||
amqp==2.4.0 # via kombu
|
amqp==2.4.1 # via kombu
|
||||||
aniso8601==4.1.0 # via flask-restful
|
aniso8601==4.1.0 # via flask-restful
|
||||||
arrow==0.13.0
|
arrow==0.13.0
|
||||||
asn1crypto==0.24.0 # via cryptography
|
asn1crypto==0.24.0 # via cryptography
|
||||||
|
@ -15,10 +15,11 @@ asyncpool==1.0
|
||||||
bcrypt==3.1.6 # via flask-bcrypt, paramiko
|
bcrypt==3.1.6 # via flask-bcrypt, paramiko
|
||||||
billiard==3.5.0.5 # via celery
|
billiard==3.5.0.5 # via celery
|
||||||
blinker==1.4 # via flask-mail, flask-principal, raven
|
blinker==1.4 # via flask-mail, flask-principal, raven
|
||||||
boto3==1.9.86
|
boto3==1.9.87
|
||||||
botocore==1.12.86
|
botocore==1.12.87
|
||||||
celery[redis]==4.2.1
|
celery[redis]==4.2.1
|
||||||
certifi==2018.11.29
|
certifi==2018.11.29
|
||||||
|
certsrv==2.1.0
|
||||||
cffi==1.11.5 # via bcrypt, cryptography, pynacl
|
cffi==1.11.5 # via bcrypt, cryptography, pynacl
|
||||||
chardet==3.0.4 # via requests
|
chardet==3.0.4 # via requests
|
||||||
click==7.0 # via flask
|
click==7.0 # via flask
|
||||||
|
@ -50,12 +51,12 @@ kombu==4.2.2.post1 # via celery
|
||||||
lockfile==0.12.2
|
lockfile==0.12.2
|
||||||
mako==1.0.7 # via alembic
|
mako==1.0.7 # via alembic
|
||||||
markupsafe==1.1.0 # via jinja2, mako
|
markupsafe==1.1.0 # via jinja2, mako
|
||||||
marshmallow-sqlalchemy==0.15.0
|
marshmallow-sqlalchemy==0.16.0
|
||||||
marshmallow==2.18.0
|
marshmallow==2.18.0
|
||||||
mock==2.0.0 # via acme
|
mock==2.0.0 # via acme
|
||||||
ndg-httpsclient==0.5.1
|
ndg-httpsclient==0.5.1
|
||||||
paramiko==2.4.2
|
paramiko==2.4.2
|
||||||
pbr==5.1.1 # via mock
|
pbr==5.1.2 # via mock
|
||||||
pem==18.2.0
|
pem==18.2.0
|
||||||
psycopg2==2.7.7
|
psycopg2==2.7.7
|
||||||
pyasn1-modules==0.2.4 # via python-ldap
|
pyasn1-modules==0.2.4 # via python-ldap
|
||||||
|
@ -65,14 +66,14 @@ pyjwt==1.7.1
|
||||||
pynacl==1.3.0 # via paramiko
|
pynacl==1.3.0 # via paramiko
|
||||||
pyopenssl==19.0.0
|
pyopenssl==19.0.0
|
||||||
pyrfc3339==1.1 # via acme
|
pyrfc3339==1.1 # via acme
|
||||||
python-dateutil==2.7.5 # via alembic, arrow, botocore
|
python-dateutil==2.8.0 # via alembic, arrow, botocore
|
||||||
python-editor==1.0.3 # via alembic
|
python-editor==1.0.4 # via alembic
|
||||||
python-ldap==3.1.0
|
python-ldap==3.1.0
|
||||||
pytz==2018.9 # via acme, celery, flask-restful, pyrfc3339
|
pytz==2018.9 # via acme, celery, flask-restful, pyrfc3339
|
||||||
pyyaml==3.13 # via cloudflare
|
pyyaml==3.13 # via cloudflare
|
||||||
raven[flask]==6.10.0
|
raven[flask]==6.10.0
|
||||||
redis==2.10.6
|
redis==2.10.6
|
||||||
requests-toolbelt==0.9.0 # via acme
|
requests-toolbelt==0.9.1 # via acme
|
||||||
requests[security]==2.21.0
|
requests[security]==2.21.0
|
||||||
retrying==1.3.3
|
retrying==1.3.3
|
||||||
s3transfer==0.1.13 # via boto3
|
s3transfer==0.1.13 # via boto3
|
||||||
|
|
4
setup.py
4
setup.py
|
@ -154,7 +154,9 @@ setup(
|
||||||
'digicert_cis_issuer = lemur.plugins.lemur_digicert.plugin:DigiCertCISIssuerPlugin',
|
'digicert_cis_issuer = lemur.plugins.lemur_digicert.plugin:DigiCertCISIssuerPlugin',
|
||||||
'digicert_cis_source = lemur.plugins.lemur_digicert.plugin:DigiCertCISSourcePlugin',
|
'digicert_cis_source = lemur.plugins.lemur_digicert.plugin:DigiCertCISSourcePlugin',
|
||||||
'csr_export = lemur.plugins.lemur_csr.plugin:CSRExportPlugin',
|
'csr_export = lemur.plugins.lemur_csr.plugin:CSRExportPlugin',
|
||||||
'sftp_destination = lemur.plugins.lemur_sftp.plugin:SFTPDestinationPlugin'
|
'sftp_destination = lemur.plugins.lemur_sftp.plugin:SFTPDestinationPlugin',
|
||||||
|
'adcs_issuer = lemur.plugins.lemur_adcs.plugin:ADCSIssuerPlugin',
|
||||||
|
'adcs_source = lemur.plugins.lemur_adcs.plugin:ADCSSourcePlugin'
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
classifiers=[
|
classifiers=[
|
||||||
|
|
Loading…
Reference in New Issue