From 9c92138f2d449455c6cfc9271e4a691be8d10295 Mon Sep 17 00:00:00 2001
From: kevgliss
Date: Fri, 2 Jun 2017 08:59:42 -0700
Subject: [PATCH] Fixing autorotation failures. (#825)

* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
---
 lemur/certificates/cli.py | 73 ++++++++++++++++----------------
 lemur/certificates/service.py | 6 ++-
 lemur/tests/test_certificates.py | 2 +-
 3 files changed, 41 insertions(+), 40 deletions(-)

diff --git a/lemur/certificates/cli.py b/lemur/certificates/cli.py
index 633c8cbe..d30225ff 100644
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
@@ -16,7 +16,14 @@ from lemur.extensions import metrics
 from lemur.deployment import service as deployment_service
 from lemur.endpoints import service as endpoint_service
 from lemur.notifications.messaging import send_rotation_notification
-from lemur.certificates.service import reissue_certificate, get_certificate_primitives, get_all_pending_reissue, get_by_name, get_all_certs
+from lemur.certificates.schemas import CertificateOutputSchema
+from lemur.certificates.service import (
+    reissue_certificate,
+    get_certificate_primitives,
+    get_all_pending_reissue,
+    get_by_name,
+    get_all_certs
+)
 from lemur.certificates.verify import verify_string
@@ -29,28 +36,19 @@ def print_certificate_details(details):
     :param details:
     :return:
     """
+    details, errors = CertificateOutputSchema().dump(details)
     print("[+] Re-issuing certificate with the following details: ")
     print(
         "\t[+] Common Name: {common_name}\n"
         "\t[+] Subject Alternate Names: {sans}\n"
         "\t[+] Authority: {authority_name}\n"
         "\t[+] Validity Start: {validity_start}\n"
-        "\t[+] Validity End: {validity_end}\n"
-        "\t[+] Organization: {organization}\n"
-        "\t[+] Organizational Unit: {organizational_unit}\n"
-        "\t[+] Country: {country}\n"
-        "\t[+] State: {state}\n"
-        "\t[+] Location: {location}".format(
-            common_name=details['common_name'],
-            sans=",".join(x['value'] for x in details['extensions']['sub_alt_names']['names']) or None,
-            authority_name=details['authority'].name,
-            validity_start=details['validity_start'].isoformat(),
-            validity_end=details['validity_end'].isoformat(),
-            organization=details['organization'],
-            organizational_unit=details['organizational_unit'],
-            country=details['country'],
-            state=details['state'],
-            location=details['location']
+        "\t[+] Validity End: {validity_end}\n".format(
+            common_name=details['commonName'],
+            sans=",".join(x['value'] for x in details['extensions']['subAltNames']['names']) or None,
+            authority_name=details['authority']['name'],
+            validity_start=details['validityStart'],
+            validity_end=details['validityEnd']
         )
     )
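Review bot: The `errors` half of `details, errors = CertificateOutputSchema().dump(details)` is discarded, so a dump that fails validation falls through to `details['commonName']` and surfaces as a bare KeyError with no hint that serialization was the cause. A guard directly after the dump keeps the failure readable: `if errors: raise ValueError("Unable to serialize certificate details: {0}".format(errors))`, or at least print them under the `[!]` prefix the file already uses. The `.dump()` return value is presumably a (data, errors) pair as in marshmallow 2 — confirm against the schema module, since a marshmallow 3 upgrade would make this unpack fail. The `:param details:` line in the docstring is still empty; it could read `:param details: primitives dict from get_certificate_primitives(); dumped through CertificateOutputSchema before printing`. `print_certificate_details` begins before the hunk.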
@@ -126,19 +124,11 @@ def request_reissue(certificate, commit):
     details = get_certificate_primitives(certificate)
     print_certificate_details(details)
+
     if commit:
-        try:
-            new_cert = reissue_certificate(certificate, replace=True)
-            metrics.send('certificate_reissue_success', 'counter', 1)
-            print("[+] New certificate named: {0}".format(new_cert.name))
-        except Exception as e:
-            metrics.send('certificate_reissue_failure', 'counter', 1)
-            print(
-                "[!] Failed to reissue certificate {1} reason: {2}".format(
-                    certificate.name,
-                    e
-                )
-            )
+        new_cert = reissue_certificate(certificate, replace=True)
+        metrics.send('certificate_reissue_success', 'counter', 1)
+        print("[+] New certificate named: {0}".format(new_cert.name))
 @manager.option('-e', '--endpoint', dest='endpoint_name', help='Name of the endpoint you wish to rotate.')
@@ -199,16 +189,25 @@ def reissue(old_certificate_name, commit):
     print("[+] Starting certificate re-issuance.")
-    old_cert = validate_certificate(old_certificate_name)
+    try:
+        old_cert = validate_certificate(old_certificate_name)
-    if not old_cert:
-        for certificate in get_all_pending_reissue():
-            print("[+] {0} is eligible for re-issuance".format(certificate.name))
-            request_reissue(certificate, commit)
-    else:
-        request_reissue(old_cert, commit)
+        if not old_cert:
+            for certificate in get_all_pending_reissue():
+                print("[+] {0} is eligible for re-issuance".format(certificate.name))
+                request_reissue(certificate, commit)
+        else:
+            request_reissue(old_cert, commit)
-    print("[+] Done!")
+        print("[+] Done!")
+    except Exception as e:
+        metrics.send('certificate_reissue_failure', 'counter', 1)
+        print(
+            "[!] Failed to reissue certificate {0} reason: {1}".format(
+                old_cert.name,
+                e
+            )
+        )
 @manager.command
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 3bfb9909..b6d3bf92 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
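Review bot: The new `except` handler formats `old_cert.name`, but on the bulk path `old_cert` is falsy (that is what selects the `get_all_pending_reissue()` loop), and if `validate_certificate` itself raises then `old_cert` is never bound, so any failure is replaced by an AttributeError or UnboundLocalError thrown from the handler and the real cause is lost. Wrapping the whole function also means one bad certificate aborts every remaining pending re-issue, which the per-certificate `try` the commit removes from `request_reissue` used to prevent, and `certificate_reissue_failure` is now counted once per run instead of once per certificate. Catching per certificate inside the loop and reporting `old_certificate_name` in the outer handler restores both, as sketched below. The function still returns normally after printing the failure, so a scheduler sees a zero exit status; consider exiting non-zero there (whether `sys` is imported is not visible in the hunk). `reissue`'s decorators and signature are outside the hunk.
```python
    try:
        old_cert = validate_certificate(old_certificate_name)

        if not old_cert:
            for certificate in get_all_pending_reissue():
                print("[+] {0} is eligible for re-issuance".format(certificate.name))
                try:
                    request_reissue(certificate, commit)
                except Exception as e:
                    # one failure must not stop the remaining pending re-issues
                    metrics.send('certificate_reissue_failure', 'counter', 1)
                    print("[!] Failed to reissue certificate {0} reason: {1}".format(certificate.name, e))
        else:
            request_reissue(old_cert, commit)

        print("[+] Done!")
    except Exception as e:
        metrics.send('certificate_reissue_failure', 'counter', 1)
        # old_cert may be unbound or None here; the CLI argument is always available
        print("[!] Failed to reissue certificate {0} reason: {1}".format(old_certificate_name, e))
```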
@@ -475,8 +475,10 @@ def get_certificate_primitives(certificate):
     # we will rely on the Lemur generated name
     data.pop('name', None)
-    data['validity_start'] = start
-    data['validity_end'] = end
+    # TODO this can be removed once we migrate away from cn
+    data['cn'] = data['common_name']
+    data['not_before'] = start
+    data['not_after'] = end
     return data
diff --git a/lemur/tests/test_certificates.py b/lemur/tests/test_certificates.py
index cbb9b844..302327b5 100644
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@@ -53,7 +53,7 @@ def test_get_certificate_primitives(certificate):
     with freeze_time(datetime.date(year=2016, month=10, day=30)):
         primitives = get_certificate_primitives(certificate)
-        assert len(primitives) == 20
+        assert len(primitives) == 23
 def test_certificate_edit_schema(session):
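Review bot: `data['cn'] = data['common_name']` assumes `common_name` is always present in `data`; the code that builds `data` is above the hunk, so I cannot confirm that from here. The `# TODO` also does not say which consumer still reads `cn`, which is exactly what a later cleanup needs; something like `# TODO(kevgliss): 'cn' mirrors 'common_name' for consumers still keyed on the old name; drop once they read common_name` makes the removal condition checkable. Note that `validity_start`/`validity_end` are renamed here to `not_before`/`not_after`, so any other reader of this dict still using the old keys will hit a KeyError; `print_certificate_details` in cli.py is adjusted by this commit, but other callers are not visible. `get_certificate_primitives` starts above the hunk.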
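Review bot: `assert len(primitives) == 23` only pins the key count, so it would still pass if `not_before`/`not_after` were misspelled or if `validity_start` had been left in alongside the new keys, which is the kind of serialization drift this commit is fixing. Asserting on the key names is just as short and far more specific: `assert {'cn', 'common_name', 'not_before', 'not_after'} <= set(primitives)` and `assert 'validity_start' not in primitives`. The length check can stay, but it should not be the only assertion. `test_get_certificate_primitives` begins above the hunk.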