Fixing autorotation failures. (#825)

* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
kevgliss 2017-06-02 08:59:42 -07:00 committed by GitHub
parent 5a4806bc43
commit 9c92138f2d
3 changed files with 41 additions and 40 deletions


@ -16,7 +16,14 @@ from lemur.extensions import metrics
from lemur.deployment import service as deployment_service from lemur.deployment import service as deployment_service
from lemur.endpoints import service as endpoint_service from lemur.endpoints import service as endpoint_service
from lemur.notifications.messaging import send_rotation_notification from lemur.notifications.messaging import send_rotation_notification
from lemur.certificates.service import reissue_certificate, get_certificate_primitives, get_all_pending_reissue, get_by_name, get_all_certs from lemur.certificates.schemas import CertificateOutputSchema
from lemur.certificates.service import (
reissue_certificate,
get_certificate_primitives,
get_all_pending_reissue,
get_by_name,
get_all_certs
)
from lemur.certificates.verify import verify_string from lemur.certificates.verify import verify_string
@ -29,28 +36,19 @@ def print_certificate_details(details):
:param details: :param details:
:return: :return:
""" """
details, errors = CertificateOutputSchema().dump(details)
print("[+] Re-issuing certificate with the following details: ") print("[+] Re-issuing certificate with the following details: ")
print( print(
"\t[+] Common Name: {common_name}\n" "\t[+] Common Name: {common_name}\n"
"\t[+] Subject Alternate Names: {sans}\n" "\t[+] Subject Alternate Names: {sans}\n"
"\t[+] Authority: {authority_name}\n" "\t[+] Authority: {authority_name}\n"
"\t[+] Validity Start: {validity_start}\n" "\t[+] Validity Start: {validity_start}\n"
"\t[+] Validity End: {validity_end}\n" "\t[+] Validity End: {validity_end}\n".format(
"\t[+] Organization: {organization}\n" common_name=details['commonName'],
"\t[+] Organizational Unit: {organizational_unit}\n" sans=",".join(x['value'] for x in details['extensions']['subAltNames']['names']) or None,
"\t[+] Country: {country}\n" authority_name=details['authority']['name'],
"\t[+] State: {state}\n" validity_start=details['validityStart'],
"\t[+] Location: {location}".format( validity_end=details['validityEnd']
common_name=details['common_name'],
sans=",".join(x['value'] for x in details['extensions']['sub_alt_names']['names']) or None,
authority_name=details['authority'].name,
validity_start=details['validity_start'].isoformat(),
validity_end=details['validity_end'].isoformat(),
organization=details['organization'],
organizational_unit=details['organizational_unit'],
country=details['country'],
state=details['state'],
location=details['location']
) )
) )
@ -126,19 +124,11 @@ def request_reissue(certificate, commit):
details = get_certificate_primitives(certificate) details = get_certificate_primitives(certificate)
print_certificate_details(details) print_certificate_details(details)
if commit: if commit:
try: new_cert = reissue_certificate(certificate, replace=True)
new_cert = reissue_certificate(certificate, replace=True) metrics.send('certificate_reissue_success', 'counter', 1)
metrics.send('certificate_reissue_success', 'counter', 1) print("[+] New certificate named: {0}".format(new_cert.name))
print("[+] New certificate named: {0}".format(new_cert.name))
except Exception as e:
metrics.send('certificate_reissue_failure', 'counter', 1)
print(
"[!] Failed to reissue certificate {1} reason: {2}".format(
certificate.name,
e
)
)
@manager.option('-e', '--endpoint', dest='endpoint_name', help='Name of the endpoint you wish to rotate.') @manager.option('-e', '--endpoint', dest='endpoint_name', help='Name of the endpoint you wish to rotate.')
@ -199,16 +189,25 @@ def reissue(old_certificate_name, commit):
print("[+] Starting certificate re-issuance.") print("[+] Starting certificate re-issuance.")
old_cert = validate_certificate(old_certificate_name) try:
old_cert = validate_certificate(old_certificate_name)
if not old_cert: if not old_cert:
for certificate in get_all_pending_reissue(): for certificate in get_all_pending_reissue():
print("[+] {0} is eligible for re-issuance".format(certificate.name)) print("[+] {0} is eligible for re-issuance".format(certificate.name))
request_reissue(certificate, commit) request_reissue(certificate, commit)
else: else:
request_reissue(old_cert, commit) request_reissue(old_cert, commit)
print("[+] Done!") print("[+] Done!")
except Exception as e:
metrics.send('certificate_reissue_failure', 'counter', 1)
print(
"[!] Failed to reissue certificate {0} reason: {1}".format(
old_cert.name,
e
)
)
@manager.command @manager.command
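Review bot: The new except handler at the end of `reissue` formats `old_cert.name`, but on the pending-reissue branch `old_cert` is None, and if `validate_certificate` itself raises then `old_cert` is unbound, so the handler fails with AttributeError/NameError and the original failure is lost; the value already in scope is safer to report: `old_certificate_name,` in place of `old_cert.name,`. The try now also encloses the whole `get_all_pending_reissue()` loop, so one failing certificate aborts rotation of every remaining eligible certificate and records a single failure metric, whereas the per-certificate handler removed from `request_reissue` let the loop continue and counted each failure; wrapping the `request_reissue(certificate, commit)` call inside the loop in its own `try`/`except` would keep that behaviour. In the first hunk `CertificateOutputSchema().dump(details)` discards `errors`; a non-empty errors dict presumably means fields read immediately below are missing, so reporting it before formatting would give a clearer message than a KeyError. The `def reissue(...)` line is outside the hunk.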


@ -475,8 +475,10 @@ def get_certificate_primitives(certificate):
# we will rely on the Lemur generated name # we will rely on the Lemur generated name
data.pop('name', None) data.pop('name', None)
data['validity_start'] = start # TODO this can be removed once we migrate away from cn
data['validity_end'] = end data['cn'] = data['common_name']
data['not_before'] = start
data['not_after'] = end
return data return data
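Review bot: The TODO above `data['cn'] = data['common_name']` does not say which consumer still reads `cn`, so a later maintainer cannot tell when it is safe to drop the duplicate key; naming it would make the comment actionable, e.g. `# TODO: remove 'cn' once <consumer of cn, e.g. the reissue/plugin path> reads 'common_name' instead`. Since `validity_start`/`validity_end` are replaced by `not_before`/`not_after` here, any caller that still reads the old keys presumably now gets a KeyError; a short comment noting that the rename is matched by the output schema would help confirm the contract. The start of `get_certificate_primitives` is outside the hunk.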


@ -53,7 +53,7 @@ def test_get_certificate_primitives(certificate):
with freeze_time(datetime.date(year=2016, month=10, day=30)): with freeze_time(datetime.date(year=2016, month=10, day=30)):
primitives = get_certificate_primitives(certificate) primitives = get_certificate_primitives(certificate)
assert len(primitives) == 20 assert len(primitives) == 23
def test_certificate_edit_schema(session): def test_certificate_edit_schema(session):
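Review bot: `assert len(primitives) == 23` only checks the key count and would still pass if the keys this commit introduces were misspelled or the old ones were left behind; asserting on the names pins the actual contract: `assert {'cn', 'not_before', 'not_after'} <= set(primitives)` and `assert 'validity_start' not in primitives`. The visible hunk in `get_certificate_primitives` nets one extra key, so the jump from 20 to 23 presumably comes from changes outside that hunk and is worth double-checking against the full diff.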