Merge branch 'master' into get_by_attributes

2019-02-01 16:48:50 -08:00
parent a8b357965e 73ac1591e0
commit 8e93d007be
63 changed files with 1232 additions and 422 deletions
--- a/lemur/tests/conf.py
+++ b/lemur/tests/conf.py
@ -1,7 +1,7 @@
-
 # This is just Python which means you can inherit and tweak settings

 import os
+
 _basedir = os.path.abspath(os.path.dirname(__file__))

 THREADS_PER_PAGE = 8
@ -78,14 +78,12 @@ DIGICERT_API_KEY = 'api-key'
 DIGICERT_ORG_ID = 111111
 DIGICERT_ROOT = "ROOT"

-
 VERISIGN_URL = 'http://example.com'
 VERISIGN_PEM_PATH = '~/'
 VERISIGN_FIRST_NAME = 'Jim'
 VERISIGN_LAST_NAME = 'Bob'
 VERSIGN_EMAIL = 'jim@example.com'

-
 ACME_AWS_ACCOUNT_NUMBER = '11111111111'

 ACME_PRIVATE_KEY = '''
@ -180,6 +178,7 @@ ACME_URL = 'https://acme-v01.api.letsencrypt.org'
 ACME_EMAIL = 'jim@example.com'
 ACME_TEL = '4088675309'
 ACME_DIRECTORY_URL = 'https://acme-v01.api.letsencrypt.org'
+ACME_DISABLE_AUTORESOLVE = True

 LDAP_AUTH = True
 LDAP_BIND_URI = 'ldap://localhost'
--- a/lemur/tests/conftest.py
+++ b/lemur/tests/conftest.py
@ -3,19 +3,18 @@ import os
 import datetime
 import pytest
 from cryptography import x509
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from flask import current_app
 from flask_principal import identity_changed, Identity

 from lemur import create_app
+from lemur.common.utils import parse_private_key
 from lemur.database import db as _db
 from lemur.auth.service import create_token
-from lemur.tests.vectors import SAN_CERT_KEY
+from lemur.tests.vectors import SAN_CERT_KEY, INTERMEDIATE_KEY

 from .factories import ApiKeyFactory, AuthorityFactory, NotificationFactory, DestinationFactory, \
    CertificateFactory, UserFactory, RoleFactory, SourceFactory, EndpointFactory, \
-    RotationPolicyFactory, PendingCertificateFactory, AsyncAuthorityFactory
+    RotationPolicyFactory, PendingCertificateFactory, AsyncAuthorityFactory, CryptoAuthorityFactory


 def pytest_runtest_setup(item):
@ -91,6 +90,13 @@ def authority(session):
    return a


+@pytest.fixture
+def crypto_authority(session):
+    a = CryptoAuthorityFactory()
+    session.commit()
+    return a
+
+
@pytest.fixture
 def async_authority(session):
    a = AsyncAuthorityFactory()
@ -228,7 +234,12 @@ def logged_in_admin(session, app):

@pytest.fixture
 def private_key():
-    return load_pem_private_key(SAN_CERT_KEY.encode(), password=None, backend=default_backend())
+    return parse_private_key(SAN_CERT_KEY)
+
+
+@pytest.fixture
+def issuer_private_key():
+    return parse_private_key(INTERMEDIATE_KEY)


@pytest.fixture
@ -240,3 +251,11 @@ def cert_builder(private_key):
            .public_key(private_key.public_key())
            .not_valid_before(datetime.datetime(2017, 12, 22))
            .not_valid_after(datetime.datetime(2040, 1, 1)))
+
+
+@pytest.fixture(scope='function')
+def aws_credentials():
+    os.environ['AWS_ACCESS_KEY_ID'] = 'testing'
+    os.environ['AWS_SECRET_ACCESS_KEY'] = 'testing'
+    os.environ['AWS_SECURITY_TOKEN'] = 'testing'
+    os.environ['AWS_SESSION_TOKEN'] = 'testing'
--- a/lemur/tests/factories.py
+++ b/lemur/tests/factories.py
@ -168,6 +168,11 @@ class AsyncAuthorityFactory(AuthorityFactory):
    authority_certificate = SubFactory(CertificateFactory)


+class CryptoAuthorityFactory(AuthorityFactory):
+    """Authority factory based on 'cryptography' plugin."""
+    plugin = {'slug': 'cryptography-issuer'}
+
+
 class DestinationFactory(BaseFactory):
    """Destination factory."""
    plugin_name = 'test-destination'
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@ -18,7 +18,7 @@ from lemur.domains.models import Domain


 from lemur.tests.vectors import VALID_ADMIN_API_TOKEN, VALID_ADMIN_HEADER_TOKEN, VALID_USER_HEADER_TOKEN, CSR_STR, \
-    INTERMEDIATE_CERT_STR, SAN_CERT_STR, SAN_CERT_KEY
+    INTERMEDIATE_CERT_STR, SAN_CERT_STR, SAN_CERT_KEY, ROOTCA_KEY, ROOTCA_CERT_STR


 def test_get_or_increase_name(session, certificate):
@ -448,6 +448,85 @@ def test_certificate_sensitive_name(client, authority, session, logged_in_user):
    assert errors['common_name'][0].startswith("Domain sensitive.example.com has been marked as sensitive")


+def test_certificate_upload_schema_ok(client):
+    from lemur.certificates.schemas import CertificateUploadInputSchema
+    data = {
+        'name': 'Jane',
+        'owner': 'pwner@example.com',
+        'body': SAN_CERT_STR,
+        'privateKey': SAN_CERT_KEY,
+        'chain': INTERMEDIATE_CERT_STR,
+        'external_id': '1234',
+    }
+    data, errors = CertificateUploadInputSchema().load(data)
+    assert not errors
+
+
+def test_certificate_upload_schema_minimal(client):
+    from lemur.certificates.schemas import CertificateUploadInputSchema
+    data = {
+        'owner': 'pwner@example.com',
+        'body': SAN_CERT_STR,
+    }
+    data, errors = CertificateUploadInputSchema().load(data)
+    assert not errors
+
+
+def test_certificate_upload_schema_long_chain(client):
+    from lemur.certificates.schemas import CertificateUploadInputSchema
+    data = {
+        'owner': 'pwner@example.com',
+        'body': SAN_CERT_STR,
+        'chain': INTERMEDIATE_CERT_STR + '\n' + ROOTCA_CERT_STR
+    }
+    data, errors = CertificateUploadInputSchema().load(data)
+    assert not errors
+
+
+def test_certificate_upload_schema_invalid_body(client):
+    from lemur.certificates.schemas import CertificateUploadInputSchema
+    data = {
+        'owner': 'pwner@example.com',
+        'body': 'Hereby I certify that this is a valid body',
+    }
+    data, errors = CertificateUploadInputSchema().load(data)
+    assert errors == {'body': ['Public certificate presented is not valid.']}
+
+
+def test_certificate_upload_schema_invalid_pkey(client):
+    from lemur.certificates.schemas import CertificateUploadInputSchema
+    data = {
+        'owner': 'pwner@example.com',
+        'body': SAN_CERT_STR,
+        'privateKey': 'Look at me Im a private key!!111',
+    }
+    data, errors = CertificateUploadInputSchema().load(data)
+    assert errors == {'private_key': ['Private key presented is not valid.']}
+
+
+def test_certificate_upload_schema_invalid_chain(client):
+    from lemur.certificates.schemas import CertificateUploadInputSchema
+    data = {
+        'body': SAN_CERT_STR,
+        'chain': 'CHAINSAW',
+        'owner': 'pwner@example.com',
+    }
+    data, errors = CertificateUploadInputSchema().load(data)
+    assert errors == {'chain': ['Public certificate presented is not valid.']}
+
+
+def test_certificate_upload_schema_wrong_pkey(client):
+    from lemur.certificates.schemas import CertificateUploadInputSchema
+    data = {
+        'body': SAN_CERT_STR,
+        'privateKey': ROOTCA_KEY,
+        'chain': INTERMEDIATE_CERT_STR,
+        'owner': 'pwner@example.com',
+    }
+    data, errors = CertificateUploadInputSchema().load(data)
+    assert errors == {'_schema': ['Private key does not match certificate.']}
+
+
 def test_create_basic_csr(client):
    csr_config = dict(
        common_name='example.com',
@ -545,8 +624,11 @@ def test_create_certificate(issuer_plugin, authority, user):
    assert cert.name == 'ACustomName1'


-def test_reissue_certificate(issuer_plugin, authority, certificate):
+def test_reissue_certificate(issuer_plugin, crypto_authority, certificate, logged_in_user):
    from lemur.certificates.service import reissue_certificate
+
+    # test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead.
+    certificate.authority = crypto_authority
    new_cert = reissue_certificate(certificate)
    assert new_cert

@ -570,7 +652,7 @@ def test_import(user):
    assert str(cert.not_after) == '2047-12-31T22:00:00+00:00'
    assert str(cert.not_before) == '2017-12-31T22:00:00+00:00'
    assert cert.issuer == 'LemurTrustUnittestsClass1CA2018'
-    assert cert.name == 'SAN-san.example.org-LemurTrustUnittestsClass1CA2018-20171231-20471231-AFF2DB4F8D2D4D8E80FA382AE27C2333-2'
+    assert cert.name.startswith('SAN-san.example.org-LemurTrustUnittestsClass1CA2018-20171231-20471231')

    cert = import_certificate(body=SAN_CERT_STR, chain=INTERMEDIATE_CERT_STR, private_key=SAN_CERT_KEY, owner='joe@example.com', name='ACustomName2', creator=user['user'])
    assert cert.name == 'ACustomName2'
@ -620,6 +702,12 @@ def test_certificate_get_body(client):
    response_body = client.get(api.url_for(Certificates, certificate_id=1), headers=VALID_USER_HEADER_TOKEN).json
    assert response_body['serial'] == '211983098819107449768450703123665283596'
    assert response_body['serialHex'] == '9F7A75B39DAE4C3F9524C68B06DA6A0C'
+    assert response_body['distinguishedName'] == ('CN=LemurTrust Unittests Class 1 CA 2018,'
+                                                  'O=LemurTrust Enterprises Ltd,'
+                                                  'OU=Unittesting Operations Center,'
+                                                  'C=EE,'
+                                                  'ST=N/A,'
+                                                  'L=Earth')


@pytest.mark.parametrize("token,status", [
--- a/lemur/tests/test_defaults.py
+++ b/lemur/tests/test_defaults.py
@ -1,3 +1,7 @@
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
+
 from .vectors import SAN_CERT, WILDCARD_CERT, INTERMEDIATE_CERT


@ -41,12 +45,14 @@ def test_cert_issuer(client):
 def test_text_to_slug(client):
    from lemur.common.defaults import text_to_slug
    assert text_to_slug('test - string') == 'test-string'
+    assert text_to_slug('test - string', '') == 'teststring'
    # Accented characters are decomposed
    assert text_to_slug('föö bär') == 'foo-bar'
    # Melt away the Unicode Snowman
    assert text_to_slug('\u2603') == ''
    assert text_to_slug('\u2603test\u2603') == 'test'
    assert text_to_slug('snow\u2603man') == 'snow-man'
+    assert text_to_slug('snow\u2603man', '') == 'snowman'
    # IDNA-encoded domain names should be kept as-is
    assert text_to_slug('xn--i1b6eqas.xn--xmpl-loa9b3671b.com') == 'xn--i1b6eqas.xn--xmpl-loa9b3671b.com'

@ -75,3 +81,29 @@ def test_create_name(client):
        datetime(2015, 5, 12, 0, 0, 0),
        False
    ) == 'xn--mnchen-3ya.de-VertrauenswurdigAutoritat-20150507-20150512'
+
+
+def test_issuer(client, cert_builder, issuer_private_key):
+    from lemur.common.defaults import issuer
+
+    assert issuer(INTERMEDIATE_CERT) == 'LemurTrustUnittestsRootCA2018'
+
+    # We need to override builder's issuer name
+    cert_builder._issuer_name = None
+    # Unicode issuer name
+    cert = (cert_builder
+            .issuer_name(x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, 'Vertrauenswürdig Autorität')]))
+            .sign(issuer_private_key, hashes.SHA256(), default_backend()))
+    assert issuer(cert) == 'VertrauenswurdigAutoritat'
+
+    # Fallback to 'Organization' field when issuer CN is missing
+    cert = (cert_builder
+            .issuer_name(x509.Name([x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, 'No Such Organization')]))
+            .sign(issuer_private_key, hashes.SHA256(), default_backend()))
+    assert issuer(cert) == 'NoSuchOrganization'
+
+    # Missing issuer name
+    cert = (cert_builder
+            .issuer_name(x509.Name([]))
+            .sign(issuer_private_key, hashes.SHA256(), default_backend()))
+    assert issuer(cert) == 'Unknown'
--- a/lemur/tests/test_pending_certificates.py
+++ b/lemur/tests/test_pending_certificates.py
@ -2,11 +2,10 @@ import json

 import pytest

+from lemur.pending_certificates.views import *  # noqa
 from .vectors import CSR_STR, INTERMEDIATE_CERT_STR, VALID_ADMIN_API_TOKEN, VALID_ADMIN_HEADER_TOKEN, \
    VALID_USER_HEADER_TOKEN, WILDCARD_CERT_STR

-from lemur.pending_certificates.views import *  # noqa
-

 def test_increment_attempt(pending_certificate):
    from lemur.pending_certificates.service import increment_attempt
@ -17,7 +16,8 @@ def test_increment_attempt(pending_certificate):

 def test_create_pending_certificate(async_issuer_plugin, async_authority, user):
    from lemur.certificates.service import create
-    pending_cert = create(authority=async_authority, csr=CSR_STR, owner='joe@example.com', creator=user['user'], common_name='ACommonName')
+    pending_cert = create(authority=async_authority, csr=CSR_STR, owner='joe@example.com', creator=user['user'],
+                          common_name='ACommonName')
    assert pending_cert.external_id == '12345'


--- a/lemur/tests/test_validators.py
+++ b/lemur/tests/test_validators.py
@ -1,16 +1,28 @@
-import pytest
 from datetime import datetime
-from .vectors import SAN_CERT_KEY
+
+import pytest
 from marshmallow.exceptions import ValidationError

+from lemur.common.utils import parse_private_key
+from lemur.common.validators import verify_private_key_match
+from lemur.tests.vectors import INTERMEDIATE_CERT, SAN_CERT, SAN_CERT_KEY
+

 def test_private_key(session):
-    from lemur.common.validators import private_key
+    parse_private_key(SAN_CERT_KEY)

-    private_key(SAN_CERT_KEY)
+    with pytest.raises(ValueError):
+        parse_private_key('invalid_private_key')
+
+
+def test_validate_private_key(session):
+    key = parse_private_key(SAN_CERT_KEY)
+
+    verify_private_key_match(key, SAN_CERT)

    with pytest.raises(ValidationError):
-        private_key('invalid_private_key')
+        # Wrong key for certificate
+        verify_private_key_match(key, INTERMEDIATE_CERT)


 def test_sub_alt_type(session):