Fixing autorotation failures. (#825)

* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
2017-06-02 08:59:42 -07:00 · 2017-06-02 08:59:42 -07:00 · 9c92138f2d
parent 5a4806bc43
commit 9c92138f2d
3 changed files with 41 additions and 40 deletions
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
@ -16,7 +16,14 @@ from lemur.extensions import metrics
 from lemur.deployment import service as deployment_service
 from lemur.endpoints import service as endpoint_service
 from lemur.notifications.messaging import send_rotation_notification
-from lemur.certificates.service import reissue_certificate, get_certificate_primitives, get_all_pending_reissue, get_by_name, get_all_certs
+from lemur.certificates.schemas import CertificateOutputSchema
+from lemur.certificates.service import (
+    reissue_certificate,
+    get_certificate_primitives,
+    get_all_pending_reissue,
+    get_by_name,
+    get_all_certs
+)

 from lemur.certificates.verify import verify_string

@ -29,28 +36,19 @@ def print_certificate_details(details):
    :param details:
    :return:
    """
+    details, errors = CertificateOutputSchema().dump(details)
    print("[+] Re-issuing certificate with the following details: ")
    print(
        "\t[+] Common Name: {common_name}\n"
        "\t[+] Subject Alternate Names: {sans}\n"
        "\t[+] Authority: {authority_name}\n"
        "\t[+] Validity Start: {validity_start}\n"
-        "\t[+] Validity End: {validity_end}\n"
-        "\t[+] Organization: {organization}\n"
-        "\t[+] Organizational Unit: {organizational_unit}\n"
-        "\t[+] Country: {country}\n"
-        "\t[+] State: {state}\n"
-        "\t[+] Location: {location}".format(
-            common_name=details['common_name'],
-            sans=",".join(x['value'] for x in details['extensions']['sub_alt_names']['names']) or None,
-            authority_name=details['authority'].name,
-            validity_start=details['validity_start'].isoformat(),
-            validity_end=details['validity_end'].isoformat(),
-            organization=details['organization'],
-            organizational_unit=details['organizational_unit'],
-            country=details['country'],
-            state=details['state'],
-            location=details['location']
+        "\t[+] Validity End: {validity_end}\n".format(
+            common_name=details['commonName'],
+            sans=",".join(x['value'] for x in details['extensions']['subAltNames']['names']) or None,
+            authority_name=details['authority']['name'],
+            validity_start=details['validityStart'],
+            validity_end=details['validityEnd']
        )
    )

@ -126,19 +124,11 @@ def request_reissue(certificate, commit):
    details = get_certificate_primitives(certificate)

    print_certificate_details(details)
+
    if commit:
-        try:
-            new_cert = reissue_certificate(certificate, replace=True)
-            metrics.send('certificate_reissue_success', 'counter', 1)
-            print("[+] New certificate named: {0}".format(new_cert.name))
-        except Exception as e:
-            metrics.send('certificate_reissue_failure', 'counter', 1)
-            print(
-                "[!] Failed to reissue certificate {1} reason: {2}".format(
-                    certificate.name,
-                    e
-                )
-            )
+        new_cert = reissue_certificate(certificate, replace=True)
+        metrics.send('certificate_reissue_success', 'counter', 1)
+        print("[+] New certificate named: {0}".format(new_cert.name))


@manager.option('-e', '--endpoint', dest='endpoint_name', help='Name of the endpoint you wish to rotate.')
@ -199,16 +189,25 @@ def reissue(old_certificate_name, commit):

    print("[+] Starting certificate re-issuance.")

-    old_cert = validate_certificate(old_certificate_name)
+    try:
+        old_cert = validate_certificate(old_certificate_name)

-    if not old_cert:
-        for certificate in get_all_pending_reissue():
-            print("[+] {0} is eligible for re-issuance".format(certificate.name))
-            request_reissue(certificate, commit)
-    else:
-        request_reissue(old_cert, commit)
+        if not old_cert:
+            for certificate in get_all_pending_reissue():
+                print("[+] {0} is eligible for re-issuance".format(certificate.name))
+                request_reissue(certificate, commit)
+        else:
+            request_reissue(old_cert, commit)

-    print("[+] Done!")
+        print("[+] Done!")
+    except Exception as e:
+        metrics.send('certificate_reissue_failure', 'counter', 1)
+        print(
+            "[!] Failed to reissue certificate {0} reason: {1}".format(
+                old_cert.name,
+                e
+            )
+        )


@manager.command
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -475,8 +475,10 @@ def get_certificate_primitives(certificate):
    # we will rely on the Lemur generated name
    data.pop('name', None)

-    data['validity_start'] = start
-    data['validity_end'] = end
+    # TODO this can be removed once we migrate away from cn
+    data['cn'] = data['common_name']
+    data['not_before'] = start
+    data['not_after'] = end
    return data


--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@ -53,7 +53,7 @@ def test_get_certificate_primitives(certificate):

    with freeze_time(datetime.date(year=2016, month=10, day=30)):
        primitives = get_certificate_primitives(certificate)
-        assert len(primitives) == 20
+        assert len(primitives) == 23


 def test_certificate_edit_schema(session):