From d5ae45a0d0e6f07297c7b26c81fb4b88bfbd6c51 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Tue, 14 Jul 2020 17:35:13 -0700 Subject: [PATCH 01/43] Let's Encrypt has been using a cross-signed intermediate CA by DST Root CA X3, which is included in any older devices' TrustStore. https://letsencrypt.org/certificates/ Let's Encrypt is transitioning to use the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html This PR allows Lemur to pin to the cross-signed ICA (same public/private key pair as the ICA signed by ISRG X1). This will prolong support for incompatible systems. --- lemur/plugins/lemur_acme/plugin.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lemur/plugins/lemur_acme/plugin.py b/lemur/plugins/lemur_acme/plugin.py index 3fc1df61..16d61a0f 100644 --- a/lemur/plugins/lemur_acme/plugin.py +++ b/lemur/plugins/lemur_acme/plugin.py @@ -205,9 +205,15 @@ class AcmeHandler(object): OpenSSL.crypto.FILETYPE_PEM, orderr.fullchain_pem ), ).decode() - pem_certificate_chain = orderr.fullchain_pem[ - len(pem_certificate) : # noqa - ].lstrip() + + if current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA", False) \ + and datetime.datetime.now() < datetime.datetime.strptime( + current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): + pem_certificate_chain = current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA") + else: + pem_certificate_chain = orderr.fullchain_pem[ + len(pem_certificate) : # noqa + ].lstrip() current_app.logger.debug( "{0} {1}".format(type(pem_certificate), type(pem_certificate_chain)) From 231796780256b91cf29e78c19909252ea234fe65 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Wed, 15 Jul 2020 17:04:49 -0700 Subject: [PATCH 02/43] lack of an empty config file was resulting into this error ``` Traceback (most recent call last): File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/tests/test_acme.py", line 159, in test_request_certificate self.acme.request_certificate(mock_acme, [], mock_order) File "/home/travis/build/Netflix/lemur/lemur/plugins/lemur_acme/plugin.py", line 211, in request_certificate current_app.config.get("IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE", "17/03/21"), '%d/%m/%y'): TypeError: strptime() argument 1 must be str, not MagicMock ``` --- lemur/plugins/lemur_acme/tests/test_acme.py | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/plugins/lemur_acme/tests/test_acme.py b/lemur/plugins/lemur_acme/tests/test_acme.py index 94949a74..8320a2de 100644 --- a/lemur/plugins/lemur_acme/tests/test_acme.py +++ b/lemur/plugins/lemur_acme/tests/test_acme.py @@ -156,6 +156,7 @@ class TestAcme(unittest.TestCase): mock_acme.fetch_chain = Mock(return_value="mock_chain") mock_crypto.dump_certificate = Mock(return_value=b"chain") mock_order = Mock() + mock_current_app.config = {} self.acme.request_certificate(mock_acme, [], mock_order) def test_setup_acme_client_fail(self): From e7c684724abbb00c072d88a67afb9df6e447765e Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Fri, 31 Jul 2020 17:54:18 -0700 Subject: [PATCH 03/43] fixing Dockerfile, Lemur builds now --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index fc83a034..a7f8c878 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,7 @@ RUN apt-get install -y make software-properties-common curl RUN curl -sL https://deb.nodesource.com/setup_7.x | bash - RUN apt-get update RUN apt-get install -y npm libldap2-dev libsasl2-dev libldap2-dev libssl-dev +RUN pip install pip==20.0.2 RUN pip install -U setuptools RUN pip install coveralls bandit WORKDIR /app From 57e06cf1db7aed6d1062fbfffa2bc7435331a3c6 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 13:36:46 +0000 Subject: [PATCH 04/43] Bump pytest from 5.4.3 to 6.0.1 Bumps [pytest](https://github.com/pytest-dev/pytest) from 5.4.3 to 6.0.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/5.4.3...6.0.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index cd625630..3d5c4318 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -34,6 +34,7 @@ gitdb==4.0.4 # via gitpython gitpython==3.1.1 # via bandit idna==2.8 # via moto, requests importlib-metadata==1.6.0 # via jsonpickle +iniconfig==1.0.1 # via pytest itsdangerous==1.1.0 # via flask jinja2==2.11.2 # via flask, moto jmespath==0.9.5 # via boto3, botocore @@ -52,7 +53,7 @@ packaging==20.3 # via pytest pathspec==0.8.0 # via black pbr==5.4.5 # via stevedore pluggy==0.13.1 # via pytest -py==1.8.1 # via pytest +py==1.9.0 # via pytest pyasn1==0.4.8 # via python-jose, rsa pycparser==2.20 # via cffi pyflakes==2.2.0 # via -r requirements-tests.in @@ -60,7 +61,7 @@ pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in pytest-mock==3.2.0 # via -r requirements-tests.in -pytest==5.4.3 # via -r requirements-tests.in, pytest-flask, pytest-mock +pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto pytz==2019.3 # via moto @@ -78,10 +79,9 @@ sortedcontainers==2.1.0 # via fakeredis sshpubkeys==3.1.0 # via moto stevedore==1.32.0 # via bandit text-unidecode==1.3 # via faker -toml==0.10.0 # via black +toml==0.10.0 # via black, pytest typed-ast==1.4.1 # via black urllib3==1.25.8 # via botocore, requests -wcwidth==0.1.9 # via pytest websocket-client==0.57.0 # via docker werkzeug==1.0.1 # via flask, moto, pytest-flask wrapt==1.12.1 # via aws-xray-sdk From c80a3390e77ed826e8b81c816c2f315c51dca714 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 17:27:26 +0000 Subject: [PATCH 05/43] Bump botocore from 1.17.28 to 1.17.33 Bumps [botocore](https://github.com/boto/botocore) from 1.17.28 to 1.17.33. - [Release notes](https://github.com/boto/botocore/releases) - [Changelog](https://github.com/boto/botocore/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/botocore/compare/1.17.28...1.17.33) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 4f70314f..63af4e4a 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -18,7 +18,7 @@ beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven boto3==1.14.28 # via -r requirements.txt -botocore==1.17.28 # via -r requirements.txt, boto3, s3transfer +botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index 3d5c4318..3212f033 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -12,7 +12,7 @@ bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in boto3==1.14.28 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.28 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index a57f6205..eb4be2fd 100644 --- a/requirements.txt +++ b/requirements.txt @@ -16,7 +16,7 @@ beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven boto3==1.14.28 # via -r requirements.in -botocore==1.17.28 # via -r requirements.in, boto3, s3transfer +botocore==1.17.33 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in From 117c0bab044db58c74afcf863392d7c2f55fe059 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 3 Aug 2020 17:38:07 +0000 Subject: [PATCH 06/43] Bump boto3 from 1.14.28 to 1.14.33 Bumps [boto3](https://github.com/boto/boto3) from 1.14.28 to 1.14.33. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.28...1.14.33) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 63af4e4a..3d1ed54c 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -17,7 +17,7 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.28 # via -r requirements.txt +boto3==1.14.33 # via -r requirements.txt botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests diff --git a/requirements-tests.txt b/requirements-tests.txt index 3212f033..7fd13f76 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,7 +10,7 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.28 # via aws-sam-translator, moto +boto3==1.14.33 # via aws-sam-translator, moto boto==2.49.0 # via moto botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests diff --git a/requirements.txt b/requirements.txt index eb4be2fd..46723b0d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,7 +15,7 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.28 # via -r requirements.in +boto3==1.14.33 # via -r requirements.in botocore==1.17.33 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests From 084f9a14f4177e5576304d83597cc74694a1a0e2 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Mon, 3 Aug 2020 16:14:14 -0700 Subject: [PATCH 07/43] updating documentation for cross-signed ICA --- docs/production/index.rst | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/docs/production/index.rst b/docs/production/index.rst index b91ed6bd..67e97dae 100644 --- a/docs/production/index.rst +++ b/docs/production/index.rst @@ -451,3 +451,53 @@ LetsEncrypt flow to function. However, Lemur will attempt to automatically deter possible. To enable this functionality, periodically (or through Cron/Celery) run `lemur dns_providers get_all_zones`. This command will traverse all DNS providers, determine which zones they control, and upload this list of zones to Lemur's database (in the dns_providers table). Alternatively, you can manually input this data. + + +LetsEncrypt: pinning to cross-signed ICA +---------------------------------------- + +Let's Encrypt has been using a `cross-signed `_ intermediate CA by DST Root CA X3, +which is included in many older devices' TrustStore. + + +Let's Encrypt is `transitioning `_ to use +the intermediate CA issued by their own root (ISRG X1) starting from September 29th 2020. +This is in preparation of concluding the initial bootstrapping of their CA, by having it cross-signed by an older CA. + + +Lemur can temporarily pin to the cross-signed intermediate CA (same public/private key pair as the ICA signed by ISRG X1). +This will prolong support for incompatible devices. + +The following must be added to the config file to activate the pinning (the pinning will be removed by September 2021):: + + # remove or update after Mar 17 16:40:46 2021 GMT + IDENTRUST_CROSS_SIGNED_LE_ICA_EXPIRATION_DATE = "17/03/21" + IDENTRUST_CROSS_SIGNED_LE_ICA = """ + -----BEGIN CERTIFICATE----- + MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow + SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT + GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC + AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF + q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 + SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 + Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA + a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj + /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T + AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG + CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv + bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k + c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw + VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC + ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz + MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu + Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF + AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo + uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ + wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu + X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG + PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 + KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== + -----END CERTIFICATE----- + """ From c15a2c62d11e2402460a21db7ca5a76dee17269b Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:22:13 -0700 Subject: [PATCH 08/43] Honor selected algorithm during certificate cloning --- .../static/app/angular/certificates/certificate/certificate.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 21f61f22..83b0cfe8 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -212,12 +212,14 @@ angular.module('lemur') }) .controller('CertificateCloneController', function ($scope, $uibModalInstance, CertificateApi, CertificateService, DestinationService, AuthorityService, AuthorityApi, PluginService, MomentService, WizardHandler, LemurRestangular, NotificationService, toaster, editId) { + $scope.certificate = LemurRestangular.restangularizeElement(null, {}, 'certificates'); CertificateApi.get(editId).then(function (certificate) { $scope.certificate = certificate; $scope.certificate.name = ''; // we should prefer the generated name $scope.certificate.csr = null; // should not clone CSR in case other settings are changed in clone $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; + $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone CertificateService.getDefaults($scope.certificate); }); From c3d8501401ef2d59af115055c4ab3046acc64811 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:23:24 -0700 Subject: [PATCH 09/43] Do not inherit replacement info during cert clone --- .../static/app/angular/certificates/certificate/certificate.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index 83b0cfe8..bb4e7db6 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -215,11 +215,14 @@ angular.module('lemur') $scope.certificate = LemurRestangular.restangularizeElement(null, {}, 'certificates'); CertificateApi.get(editId).then(function (certificate) { $scope.certificate = certificate; + // prepare the certificate for cloning $scope.certificate.name = ''; // we should prefer the generated name $scope.certificate.csr = null; // should not clone CSR in case other settings are changed in clone $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone + $scope.certificate.replacedBy = []; // should not clone 'replaced by' info + $scope.certificate.removeReplaces(); // should not clone 'replacement cert' info CertificateService.getDefaults($scope.certificate); }); From 817a4c3d9081cf7d30056328c45d677b92422c2c Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 3 Aug 2020 19:24:06 -0700 Subject: [PATCH 10/43] Modified cert description to have cert id being cloned --- lemur/static/app/angular/certificates/certificate/certificate.js | 1 + 1 file changed, 1 insertion(+) diff --git a/lemur/static/app/angular/certificates/certificate/certificate.js b/lemur/static/app/angular/certificates/certificate/certificate.js index bb4e7db6..155658e6 100644 --- a/lemur/static/app/angular/certificates/certificate/certificate.js +++ b/lemur/static/app/angular/certificates/certificate/certificate.js @@ -221,6 +221,7 @@ angular.module('lemur') $scope.certificate.validityStart = null; $scope.certificate.validityEnd = null; $scope.certificate.keyType = 'RSA2048'; // default algo to show during clone + $scope.certificate.description = 'Cloning from cert ID ' + editId; $scope.certificate.replacedBy = []; // should not clone 'replaced by' info $scope.certificate.removeReplaces(); // should not clone 'replacement cert' info CertificateService.getDefaults($scope.certificate); From 914c0291382debbf9faab7a96c1f69b014a80569 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 10 Aug 2020 13:43:11 +0000 Subject: [PATCH 11/43] Bump cloudflare from 2.8.8 to 2.8.9 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.8 to 2.8.9. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.8...2.8.9) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 3d1ed54c..a154dbef 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.8 # via -r requirements.txt +cloudflare==2.8.9 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 46723b0d..d9e86d97 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.8 # via -r requirements.in +cloudflare==2.8.9 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 7a83799bcd9fe9292dc9bd3fe91b8d629aae3585 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 17:30:34 -0700 Subject: [PATCH 12/43] Cert validity should not exceed 397 days for publicly trusted issuers --- lemur/common/validators.py | 12 ++++++++++++ lemur/plugins/lemur_digicert/plugin.py | 6 +++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index e1dfe3c1..4aecb97e 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -152,6 +152,18 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) + # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity + # for certs issued by public CA + # The list of public issuers can be managed through a config named PUBLIC_CA + public_CA = current_app.config.get("PUBLIC_CA", []) + if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: + max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + if ( + (data.get("validity_end").date() - data.get("validity_start").date()).days + > max_validity_days + ): + raise ValidationError("Certificate cannot be valid for more than " + + str(max_validity_days) + " days") return data diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index e5c4b2ce..32a5375a 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -82,11 +82,11 @@ def determine_end_date(end_date): :param end_date: :return: validity_end """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_validity_end = arrow.utcnow().shift(years=current_app.config.get("DIGICERT_MAX_VALIDITY", default_years)) + default_days = current_app.config.get("DIGICERT_DEFAULT_VALIDITY_DAYS", 397) + max_validity_end = arrow.utcnow().shift(days=current_app.config.get("DIGICERT_MAX_VALIDITY_DAYS", default_days)) if not end_date: - end_date = arrow.utcnow().shift(years=default_years) + end_date = arrow.utcnow().shift(days=default_days) if end_date > max_validity_end: end_date = max_validity_end From 18a3514974a7bd40c971e303df7ffd573b484c69 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 18:06:45 -0700 Subject: [PATCH 13/43] Renaming PUBLIC_CA to PUBLIC_CA_AUTHORITY_NAMES --- lemur/common/validators.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index 4aecb97e..74095255 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -155,7 +155,7 @@ def dates(data): # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity # for certs issued by public CA # The list of public issuers can be managed through a config named PUBLIC_CA - public_CA = current_app.config.get("PUBLIC_CA", []) + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) if ( From 682991c02277d899aa43763c20a5e999a6713529 Mon Sep 17 00:00:00 2001 From: sayali Date: Mon, 10 Aug 2020 18:07:46 -0700 Subject: [PATCH 14/43] Updating Lemur docs to capture Digicert validity config changes --- docs/administration.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index 157af478..a6d93af7 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -729,16 +729,16 @@ The following configuration properties are required to use the Digicert issuer p This is the root to be used for your CA chain -.. data:: DIGICERT_DEFAULT_VALIDITY +.. data:: DIGICERT_DEFAULT_VALIDITY_DAYS :noindex: - This is the default validity (in years), if no end date is specified. (Default: 1) + This is the default validity (in days), if no end date is specified. (Default: 397) -.. data:: DIGICERT_MAX_VALIDITY +.. data:: DIGICERT_MAX_VALIDITY_DAYS :noindex: - This is the maximum validity (in years). (Default: value of DIGICERT_DEFAULT_VALIDITY) + This is the maximum validity (in days). (Default: value of DIGICERT_DEFAULT_VALIDITY_DAYS) .. data:: DIGICERT_PRIVATE From 9d3b7ac5ddfc4c9d7cfcff942d04fbe853d95221 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 11 Aug 2020 01:40:26 +0000 Subject: [PATCH 15/43] Bump sphinx from 3.1.2 to 3.2.0 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.1.2...v3.2.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a154dbef..7e187213 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.1.2 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From 0d1798b0e0a2bc96bea5635093db96f8cd658fa4 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 10 Aug 2020 13:43:11 +0000 Subject: [PATCH 16/43] Bump cloudflare from 2.8.8 to 2.8.9 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.8 to 2.8.9. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.8...2.8.9) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 3d1ed54c..a154dbef 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.8 # via -r requirements.txt +cloudflare==2.8.9 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 46723b0d..d9e86d97 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.8 # via -r requirements.in +cloudflare==2.8.9 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 226a62d338c89e7111759370b6616778798b830d Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 11 Aug 2020 01:40:26 +0000 Subject: [PATCH 17/43] Bump sphinx from 3.1.2 to 3.2.0 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.1.2 to 3.2.0. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.1.2...v3.2.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a154dbef..7e187213 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.1.2 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From bde2829e720f31129347db281ba2984eea7a5b4f Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 17:10:29 -0700 Subject: [PATCH 18/43] Modify unit test test_determine_end_date to match new config --- lemur/plugins/lemur_digicert/tests/test_digicert.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index 8bfd1dcf..ca2ddf68 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -32,11 +32,11 @@ def test_determine_validity_years(mock_current_app): @patch("lemur.plugins.lemur_digicert.plugin.current_app") def test_determine_end_date(mock_current_app): - mock_current_app.config.get = Mock(return_value=2) + mock_current_app.config.get = Mock(return_value=397) # 397 days validity with freeze_time(time_to_freeze=arrow.get(2016, 11, 3).datetime): - assert arrow.get(2018, 11, 3) == plugin.determine_end_date(0) - assert arrow.get(2018, 5, 7) == plugin.determine_end_date(arrow.get(2018, 5, 7)) - assert arrow.get(2018, 11, 3) == plugin.determine_end_date(arrow.get(2020, 5, 7)) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(0) # 397 days from (2016, 11, 3) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(arrow.get(2017, 12, 5)) + assert arrow.get(2017, 12, 5) == plugin.determine_end_date(arrow.get(2020, 5, 7)) @patch("lemur.plugins.lemur_digicert.plugin.current_app") From d7ca1570beb44a62ac79ac96052a420ade5ba028 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:02:42 -0700 Subject: [PATCH 19/43] maximum 1 year validity for digicert --- lemur/plugins/lemur_digicert/plugin.py | 18 ++++++++---------- .../lemur_digicert/tests/test_digicert.py | 11 ++++------- 2 files changed, 12 insertions(+), 17 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 32a5375a..9b3d4429 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -61,18 +61,16 @@ def signature_hash(signing_algorithm): def determine_validity_years(years): - """Given an end date determine how many years into the future that date is. - :param years: - :return: validity in years """ - default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1) - max_years = current_app.config.get("DIGICERT_MAX_VALIDITY", default_years) + Considering maximum allowed certificate validity period of 398 days, this method should not return + more than 1 year of validity. Thus changing it to return 1. + Lemur will change this method in future to handle validity in months (determine_validity_months) + instead of years. This will allow flexibility to handle short-lived certificates. - if years > max_years: - return max_years - if years not in [1, 2, 3]: - return default_years - return years + :param years: + :return: 1 + """ + return 1 def determine_end_date(end_date): diff --git a/lemur/plugins/lemur_digicert/tests/test_digicert.py b/lemur/plugins/lemur_digicert/tests/test_digicert.py index ca2ddf68..4abfcf54 100644 --- a/lemur/plugins/lemur_digicert/tests/test_digicert.py +++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py @@ -14,8 +14,6 @@ def config_mock(*args): "DIGICERT_ORG_ID": 111111, "DIGICERT_PRIVATE": False, "DIGICERT_DEFAULT_SIGNING_ALGORITHM": "sha256", - "DIGICERT_DEFAULT_VALIDITY": 1, - "DIGICERT_MAX_VALIDITY": 2, "DIGICERT_CIS_PROFILE_NAMES": {"digicert": 'digicert'}, "DIGICERT_CIS_SIGNING_ALGORITHMS": {"digicert": 'digicert'}, } @@ -24,10 +22,9 @@ def config_mock(*args): @patch("lemur.plugins.lemur_digicert.plugin.current_app") def test_determine_validity_years(mock_current_app): - mock_current_app.config.get = Mock(return_value=2) assert plugin.determine_validity_years(1) == 1 - assert plugin.determine_validity_years(0) == 2 - assert plugin.determine_validity_years(3) == 2 + assert plugin.determine_validity_years(0) == 1 + assert plugin.determine_validity_years(3) == 1 @patch("lemur.plugins.lemur_digicert.plugin.current_app") @@ -52,7 +49,7 @@ def test_map_fields_with_validity_years(mock_current_app): "owner": "bob@example.com", "description": "test certificate", "extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}}, - "validity_years": 2 + "validity_years": 1 } expected = { "certificate": { @@ -62,7 +59,7 @@ def test_map_fields_with_validity_years(mock_current_app): "signature_hash": "sha256", }, "organization": {"id": 111111}, - "validity_years": 2, + "validity_years": 1, } assert expected == plugin.map_fields(options, CSR_STR) From acb04638440a5b191ac4015212adfae58934f78c Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:51:41 -0700 Subject: [PATCH 20/43] Add new configs to the doc --- docs/administration.rst | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index a6d93af7..9f377119 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -66,7 +66,7 @@ Basic Configuration .. data:: SQLALCHEMY_POOL_SIZE -:noindex: + :noindex: The default connection pool size is 5 for sqlalchemy managed connections. Depending on the number of Lemur instances, please specify per instance connection pool size. Below is an example to set connection pool size to 10. @@ -80,7 +80,7 @@ Basic Configuration This is an optional setting but important to review and set for optimal database connection usage and for overall database performance. .. data:: SQLALCHEMY_MAX_OVERFLOW -:noindex: + :noindex: This setting allows to create connections in addition to specified number of connections in pool size. By default, sqlalchemy allows 10 connections to create in addition to the pool size. This is also an optional setting. If `SQLALCHEMY_POOL_SIZE` and @@ -155,6 +155,22 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s='] +.. data:: PUBLIC_CA_AUTHORITY_NAMES + :noindex: + A list of public issuers which would be checked against to determine whether limit of max validity of 397 days + should be applied to the certificate. Configure public CA authority names in this list to enforce validity check. + This is an optional setting. Using this will allow the sanity check as mentioned. The name check is a case-insensitive + string comparision. + +.. data:: PUBLIC_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 397 days of validity for certificates issued by public issuers configured + using PUBLIC_CA_AUTHORITY_NAMES. Below example overrides the default validity of 397 days and sets it to 365 days. + + :: + + PUBLIC_CA_MAX_VALIDITY_DAYS = 365 + .. data:: DEBUG_DUMP :noindex: From 6ff8910f873051298a99d88ee9c586cb508a2594 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 11 Aug 2020 18:53:19 -0700 Subject: [PATCH 21/43] mention 397 for digicert plugin --- lemur/plugins/lemur_digicert/plugin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_digicert/plugin.py b/lemur/plugins/lemur_digicert/plugin.py index 9b3d4429..fd8c4e2d 100644 --- a/lemur/plugins/lemur_digicert/plugin.py +++ b/lemur/plugins/lemur_digicert/plugin.py @@ -62,8 +62,8 @@ def signature_hash(signing_algorithm): def determine_validity_years(years): """ - Considering maximum allowed certificate validity period of 398 days, this method should not return - more than 1 year of validity. Thus changing it to return 1. + Considering maximum allowed certificate validity period of 397 days, this method should not return + more than 1 year of validity. Thus changing it to always return 1. Lemur will change this method in future to handle validity in months (determine_validity_months) instead of years. This will allow flexibility to handle short-lived certificates. From 5b3f40467b3675ffab2f0a6672b5136ab024c763 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:12:07 -0700 Subject: [PATCH 22/43] Make Organizational Unit optional --- .../angular/authorities/authority/distinguishedName.tpl.html | 3 +-- .../certificates/certificate/distinguishedName.tpl.html | 4 +--- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html index 33b0ba4b..c6a7d312 100644 --- a/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html +++ b/lemur/static/app/angular/authorities/authority/distinguishedName.tpl.html @@ -46,8 +46,7 @@ Organizational Unit
- -

You must enter a organizational unit

+
diff --git a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html index 19102b03..72f168a0 100644 --- a/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/distinguishedName.tpl.html @@ -62,9 +62,7 @@
-

You must - enter a organizational unit

+ class="form-control"/>
From bc5579e9bfdec597a2acf62735d1890a8faff2db Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 14:47:55 -0700 Subject: [PATCH 23/43] max date on UI as per max validity configs --- docs/administration.rst | 11 +++++++++++ lemur/authorities/schemas.py | 2 ++ lemur/certificates/models.py | 10 ++++++++++ .../certificates/certificate/tracking.tpl.html | 4 ++-- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index 9f377119..df027f70 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,6 +172,17 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 +.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS + :noindex: + Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is + not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of + 365 days and sets it to 90 days. + + :: + + INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + + .. data:: DEBUG_DUMP :noindex: diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index c78aec94..135f4f3d 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -109,6 +109,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() + max_issuance_date = fields.DateTime() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) @@ -134,6 +135,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) authority_update_schema = AuthorityUpdateSchema() diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 58630ee6..9ea45409 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -311,6 +311,16 @@ class Certificate(db.Model): def validity_range(self): return self.not_after - self.not_before + @property + def max_issuance_date(self): + public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) + if self.name.lower() in [ca.lower() for ca in public_CA]: + default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + else: + default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year + issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) + return arrow.utcnow().shift(days=issuance_validity_days) + @property def subject(self): return self.parsed_cert.subject diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 027add0f..47de640e 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html @@ -154,7 +154,7 @@ is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,7 +174,7 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.notAfter" + max-date="certificate.authority.authorityCertificate.maxIssuanceDate" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="End Date" From cab1216cb711db4a2bfdafe3615c0fe45bc0ebdd Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 15:14:34 -0700 Subject: [PATCH 24/43] Updating LEMUR_DEFAULT_ORGANIZATIONAL_UNIT to empty string --- docs/administration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administration.rst b/docs/administration.rst index df027f70..83747636 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -240,7 +240,7 @@ and are used when Lemur creates the CSR for your certificates. :: - LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "Operations" + LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "" .. data:: LEMUR_DEFAULT_ISSUER_PLUGIN From 240f0b99c8963066dd86fe09a78f8767d9d0baad Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:34:59 -0700 Subject: [PATCH 25/43] Max end date as per start date + default validity 3 years --- lemur/authorities/schemas.py | 4 ++-- lemur/certificates/models.py | 10 ++++------ .../certificates/certificate/tracking.tpl.html | 7 ++++--- .../static/app/angular/certificates/services.js | 16 ++++++++++++++++ .../app/angular/pending_certificates/services.js | 15 +++++++++++++++ 5 files changed, 41 insertions(+), 11 deletions(-) diff --git a/lemur/authorities/schemas.py b/lemur/authorities/schemas.py index 135f4f3d..0700c15b 100644 --- a/lemur/authorities/schemas.py +++ b/lemur/authorities/schemas.py @@ -109,7 +109,7 @@ class RootAuthorityCertificateOutputSchema(LemurOutputSchema): cn = fields.String() not_after = fields.DateTime() not_before = fields.DateTime() - max_issuance_date = fields.DateTime() + max_issuance_days = fields.Integer() owner = fields.Email() status = fields.Boolean() user = fields.Nested(UserNestedOutputSchema) @@ -135,7 +135,7 @@ class AuthorityNestedOutputSchema(LemurOutputSchema): owner = fields.Email() plugin = fields.Nested(PluginOutputSchema) active = fields.Boolean() - authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_date"]) + authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema, only=["max_issuance_days"]) authority_update_schema = AuthorityUpdateSchema() diff --git a/lemur/certificates/models.py b/lemur/certificates/models.py index 9ea45409..5f6c4ba9 100644 --- a/lemur/certificates/models.py +++ b/lemur/certificates/models.py @@ -312,14 +312,12 @@ class Certificate(db.Model): return self.not_after - self.not_before @property - def max_issuance_date(self): + def max_issuance_days(self): public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) if self.name.lower() in [ca.lower() for ca in public_CA]: - default_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - else: - default_validity_days = current_app.config.get("INTERNAL_CA_MAX_VALIDITY_DAYS", 365) # 1 Year - issuance_validity_days = min(abs(self.not_after - arrow.utcnow()).days, default_validity_days) - return arrow.utcnow().shift(days=issuance_validity_days) + return current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) + + return current_app.config.get("DEFAULT_MAX_VALIDITY_DAYS", 1095) # 3 years default @property def subject(self): diff --git a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html index 47de640e..07d6b0f4 100644 --- a/lemur/static/app/angular/certificates/certificate/tracking.tpl.html +++ b/lemur/static/app/angular/certificates/certificate/tracking.tpl.html @@ -151,10 +151,11 @@ uib-tooltip="yyyy/MM/dd" uib-datepicker-popup="yyyy/MM/dd" ng-model="certificate.validityStart" + ng-change="certificate.setValidityEndDateRange(certificate.validityStart)" is-open="popup1.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" + max-date="certificate.authority.authorityCertificate.notAfter" min-date="certificate.authority.authorityCertificate.notBefore" alt-input-formats="altInputFormats" placeholder="Start Date" @@ -174,8 +175,8 @@ is-open="popup2.opened" datepicker-options="dateOptions" close-text="Close" - max-date="certificate.authority.authorityCertificate.maxIssuanceDate" - min-date="certificate.authority.authorityCertificate.notBefore" + max-date="certificate.authority.authorityCertificate.maxValidityEnd" + min-date="certificate.authority.authorityCertificate.minValidityEnd" alt-input-formats="altInputFormats" placeholder="End Date" /> diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 3a23076d..7d46f4ca 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js @@ -164,6 +164,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); @@ -264,6 +276,9 @@ angular.module('lemur') } } + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; + if (certificate.dnsProviderId) { certificate.dnsProvider = {id: certificate.dnsProviderId}; } @@ -292,3 +307,4 @@ angular.module('lemur') return CertificateService; }); + diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index 4e1b23e4..a9bb8079 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -144,6 +144,18 @@ angular.module('lemur') this.extensions.keyUsage.useDecipherOnly = true; } } + }, + setValidityEndDateRange: function (value) { + // clear selected validity end date as we are about to calculate new range + if(this.validityEnd) this.validityEnd = ''; + + // Minimum end date will be same as selected start date + this.authority.authorityCertificate.minValidityEnd = value; + + // Move max end date by maxIssuanceDays + let endDate = new Date(value); + endDate.setDate(endDate.getDate() + this.authority.authorityCertificate.maxIssuanceDays); + this.authority.authorityCertificate.maxValidityEnd = endDate; } }); }); @@ -230,6 +242,9 @@ angular.module('lemur') certificate.authority = defaults.authority; } } + + certificate.authority.authorityCertificate.minValidityEnd = defaults.authority.authorityCertificate.notBefore; + certificate.authority.authorityCertificate.maxValidityEnd = defaults.authority.authorityCertificate.notAfter; }); }; From d41227327e84a0134bccee200d889e8c5d8b0cc7 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 19:47:38 -0700 Subject: [PATCH 26/43] doc update DEFAULT_MAX_VALIDITY_DAYS --- docs/administration.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/administration.rst b/docs/administration.rst index 83747636..846a4c34 100644 --- a/docs/administration.rst +++ b/docs/administration.rst @@ -172,15 +172,15 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c PUBLIC_CA_MAX_VALIDITY_DAYS = 365 -.. data:: INTERNAL_CA_MAX_VALIDITY_DAYS +.. data:: DEFAULT_MAX_VALIDITY_DAYS :noindex: - Use this config to override the limit of 365 days of validity for certificates issued by internal CA. Any CA which is - not listed in PUBLIC_CA_AUTHORITY_NAMES will be treated as internal. Below example overrides the default validity of - 365 days and sets it to 90 days. + Use this config to override the default limit of 1095 days (3 years) of validity. Any CA which is not listed in + PUBLIC_CA_AUTHORITY_NAMES will be using this validity to display date range on UI. Below example overrides the + default validity of 1095 days and sets it to 365 days. :: - INTERNAL_CA_MAX_VALIDITY_DAYS = 90 + DEFAULT_MAX_VALIDITY_DAYS = 365 .. data:: DEBUG_DUMP From 5b96b3a0320d6e446a952ad97c51bd3ad0addd3e Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 18 Aug 2020 20:03:15 -0700 Subject: [PATCH 27/43] Lint error fix --- lemur/static/app/angular/certificates/services.js | 6 ++++-- lemur/static/app/angular/pending_certificates/services.js | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/lemur/static/app/angular/certificates/services.js b/lemur/static/app/angular/certificates/services.js index 7d46f4ca..881a443a 100644 --- a/lemur/static/app/angular/certificates/services.js +++ b/lemur/static/app/angular/certificates/services.js @@ -167,8 +167,10 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; - + if(this.validityEnd) { + this.validityEnd = ''; + } + // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; diff --git a/lemur/static/app/angular/pending_certificates/services.js b/lemur/static/app/angular/pending_certificates/services.js index a9bb8079..2f99eb7d 100644 --- a/lemur/static/app/angular/pending_certificates/services.js +++ b/lemur/static/app/angular/pending_certificates/services.js @@ -147,7 +147,9 @@ angular.module('lemur') }, setValidityEndDateRange: function (value) { // clear selected validity end date as we are about to calculate new range - if(this.validityEnd) this.validityEnd = ''; + if(this.validityEnd) { + this.validityEnd = ''; + } // Minimum end date will be same as selected start date this.authority.authorityCertificate.minValidityEnd = value; From c2116df6526fc6e50bb797bb1a2960602a5b66de Mon Sep 17 00:00:00 2001 From: sirferl <41906265+sirferl@users.noreply.github.com> Date: Wed, 19 Aug 2020 12:25:52 +0200 Subject: [PATCH 28/43] Extended ADCS_TEMPLATE_ Variable If there is a config variable ADCS_TEMPLATE_ take the value as Cert template else default to ADCS_TEMPLATE to be compatible with former versions --- lemur/plugins/lemur_adcs/plugin.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_adcs/plugin.py b/lemur/plugins/lemur_adcs/plugin.py index a69afc90..4b4eb20c 100644 --- a/lemur/plugins/lemur_adcs/plugin.py +++ b/lemur/plugins/lemur_adcs/plugin.py @@ -40,7 +40,10 @@ class ADCSIssuerPlugin(IssuerPlugin): adcs_user = current_app.config.get("ADCS_USER") adcs_pwd = current_app.config.get("ADCS_PWD") adcs_auth_method = current_app.config.get("ADCS_AUTH_METHOD") - adcs_template = current_app.config.get("ADCS_TEMPLATE") + # if there is a config variable ADCS_TEMPLATE_ take the value as Cert template + # else default to ADCS_TEMPLATE to be compatible with former versions + authority = issuer_options.get("authority").name.upper() + adcs_template = current_app.config.get("ADCS_TEMPLATE_{0}".format(authority), current_app.config.get("ADCS_TEMPLATE")) ca_server = Certsrv( adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method ) From 3e8ca982a10e525d1ad45b24de4c28af4af2cc25 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 16:41:17 +0000 Subject: [PATCH 29/43] Bump acme from 1.6.0 to 1.7.0 Bumps [acme](https://github.com/letsencrypt/letsencrypt) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/letsencrypt/letsencrypt/releases) - [Commits](https://github.com/letsencrypt/letsencrypt/compare/v1.6.0...v1.7.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 7e187213..a70fc3ea 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements-docs.txt requirements-docs.in # -acme==1.6.0 # via -r requirements.txt +acme==1.7.0 # via -r requirements.txt alabaster==0.7.12 # via sphinx alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate diff --git a/requirements.txt b/requirements.txt index d9e86d97..86650ced 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ # # pip-compile --no-index --output-file=requirements.txt requirements.in # -acme==1.6.0 # via -r requirements.in +acme==1.7.0 # via -r requirements.in alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu From 7b2b3911bc181759e17bd71bc8d6bf29cf45dca6 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:19:48 +0000 Subject: [PATCH 30/43] Bump fakeredis from 1.4.1 to 1.4.3 Bumps [fakeredis](https://github.com/jamesls/fakeredis) from 1.4.1 to 1.4.3. - [Release notes](https://github.com/jamesls/fakeredis/releases) - [Commits](https://github.com/jamesls/fakeredis/compare/1.4.1...1.4.3) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 7fd13f76..10c3209b 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -26,7 +26,7 @@ docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==2.12.0 # via -r requirements-tests.in faker==4.1.1 # via -r requirements-tests.in, factory-boy -fakeredis==1.4.1 # via -r requirements-tests.in +fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==0.3.15 # via -r requirements-tests.in future==0.18.2 # via aws-xray-sdk From 553b7fab8d7780b16a011db3378df67f5ac3c545 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:28:39 +0000 Subject: [PATCH 31/43] Bump factory-boy from 2.12.0 to 3.0.1 Bumps [factory-boy](https://github.com/FactoryBoy/factory_boy) from 2.12.0 to 3.0.1. - [Release notes](https://github.com/FactoryBoy/factory_boy/releases) - [Changelog](https://github.com/FactoryBoy/factory_boy/blob/master/docs/changelog.rst) - [Commits](https://github.com/FactoryBoy/factory_boy/compare/2.12.0...3.0.1) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 10c3209b..4893d4e3 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -24,7 +24,7 @@ decorator==4.4.2 # via networkx docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys -factory-boy==2.12.0 # via -r requirements-tests.in +factory-boy==3.0.1 # via -r requirements-tests.in faker==4.1.1 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask From 660a09e4c92ef4874bc2e20783cec02f21ef1494 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:41:18 +0000 Subject: [PATCH 32/43] Bump pre-commit from 2.6.0 to 2.7.1 Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 2.6.0 to 2.7.1. - [Release notes](https://github.com/pre-commit/pre-commit/releases) - [Changelog](https://github.com/pre-commit/pre-commit/blob/master/CHANGELOG.md) - [Commits](https://github.com/pre-commit/pre-commit/compare/v2.6.0...v2.7.1) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 2299848e..97ec82d1 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -24,7 +24,7 @@ keyring==21.2.0 # via twine mccabe==0.6.1 # via flake8 nodeenv==1.4.0 # via -r requirements-dev.in, pre-commit pkginfo==1.5.0.1 # via twine -pre-commit==2.6.0 # via -r requirements-dev.in +pre-commit==2.7.1 # via -r requirements-dev.in pycodestyle==2.3.1 # via flake8 pycparser==2.20 # via cffi pyflakes==1.6.0 # via flake8 From ad0e469e92c797c66dc86f12d51c34a2a5707365 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 17:54:14 +0000 Subject: [PATCH 33/43] Bump nodeenv from 1.4.0 to 1.5.0 Bumps [nodeenv](https://github.com/ekalinin/nodeenv) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/ekalinin/nodeenv/releases) - [Changelog](https://github.com/ekalinin/nodeenv/blob/master/CHANGES) - [Commits](https://github.com/ekalinin/nodeenv/compare/1.4.0...1.5.0) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 97ec82d1..a029d4ae 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -22,7 +22,7 @@ invoke==1.4.1 # via -r requirements-dev.in jeepney==0.4.3 # via keyring, secretstorage keyring==21.2.0 # via twine mccabe==0.6.1 # via flake8 -nodeenv==1.4.0 # via -r requirements-dev.in, pre-commit +nodeenv==1.5.0 # via -r requirements-dev.in, pre-commit pkginfo==1.5.0.1 # via twine pre-commit==2.7.1 # via -r requirements-dev.in pycodestyle==2.3.1 # via flake8 From 61eac2aada6d54f822d443d3dd4f66670da7b6a0 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:03:20 +0000 Subject: [PATCH 34/43] Bump faker from 4.1.1 to 4.1.2 Bumps [faker](https://github.com/joke2k/faker) from 4.1.1 to 4.1.2. - [Release notes](https://github.com/joke2k/faker/releases) - [Changelog](https://github.com/joke2k/faker/blob/master/CHANGELOG.rst) - [Commits](https://github.com/joke2k/faker/compare/v4.1.1...v4.1.2) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index 4893d4e3..ee406105 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -25,7 +25,7 @@ docker==4.2.0 # via moto docutils==0.15.2 # via botocore ecdsa==0.15 # via python-jose, sshpubkeys factory-boy==3.0.1 # via -r requirements-tests.in -faker==4.1.1 # via -r requirements-tests.in, factory-boy +faker==4.1.2 # via -r requirements-tests.in, factory-boy fakeredis==1.4.3 # via -r requirements-tests.in flask==1.1.2 # via pytest-flask freezegun==0.3.15 # via -r requirements-tests.in From 1a8e96ed329a77d0a6727fe48706900226ebe44f Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:12:28 +0000 Subject: [PATCH 35/43] Bump sphinx from 3.2.0 to 3.2.1 Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 3.2.0 to 3.2.1. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/3.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.2.0...v3.2.1) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index a70fc3ea..202e0700 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -92,7 +92,7 @@ six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, snowballstemmer==2.0.0 # via sphinx soupsieve==2.0.1 # via -r requirements.txt, beautifulsoup4 sphinx-rtd-theme==0.5.0 # via -r requirements-docs.in -sphinx==3.2.0 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain +sphinx==3.2.1 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain sphinxcontrib-applehelp==1.0.2 # via sphinx sphinxcontrib-devhelp==1.0.2 # via sphinx sphinxcontrib-htmlhelp==1.0.3 # via sphinx From 88a043cfecf0e65d3651855588418f52cac1be6b Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:28:42 +0000 Subject: [PATCH 36/43] Bump inflection from 0.5.0 to 0.5.1 Bumps [inflection](https://github.com/jpvanhal/inflection) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/jpvanhal/inflection/releases) - [Commits](https://github.com/jpvanhal/inflection/compare/0.5.0...0.5.1) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 202e0700..1a2986d5 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -46,7 +46,7 @@ gunicorn==20.0.4 # via -r requirements.txt hvac==0.10.5 # via -r requirements.txt idna==2.9 # via -r requirements.txt, requests imagesize==1.2.0 # via sphinx -inflection==0.5.0 # via -r requirements.txt +inflection==0.5.1 # via -r requirements.txt itsdangerous==1.1.0 # via -r requirements.txt, flask javaobj-py3==0.4.0.1 # via -r requirements.txt, pyjks jinja2==2.11.2 # via -r requirements.txt, flask, sphinx diff --git a/requirements.txt b/requirements.txt index 86650ced..9a0a521c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -43,7 +43,7 @@ future==0.18.2 # via -r requirements.in gunicorn==20.0.4 # via -r requirements.in hvac==0.10.5 # via -r requirements.in idna==2.9 # via requests -inflection==0.5.0 # via -r requirements.in +inflection==0.5.1 # via -r requirements.in itsdangerous==1.1.0 # via flask javaobj-py3==0.4.0.1 # via pyjks jinja2==2.11.2 # via -r requirements.in, flask From ad5416e441366a756c19992e61b4eb00591e2d4c Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:42:38 +0000 Subject: [PATCH 37/43] Bump pytest-mock from 3.2.0 to 3.3.0 Bumps [pytest-mock](https://github.com/pytest-dev/pytest-mock) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/pytest-dev/pytest-mock/releases) - [Changelog](https://github.com/pytest-dev/pytest-mock/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-mock/compare/v3.2.0...v3.3.0) Signed-off-by: dependabot-preview[bot] --- requirements-tests.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-tests.txt b/requirements-tests.txt index ee406105..1dc1f48d 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -60,7 +60,7 @@ pyflakes==2.2.0 # via -r requirements-tests.in pyparsing==2.4.7 # via packaging pyrsistent==0.16.0 # via jsonschema pytest-flask==1.0.0 # via -r requirements-tests.in -pytest-mock==3.2.0 # via -r requirements-tests.in +pytest-mock==3.3.0 # via -r requirements-tests.in pytest==6.0.1 # via -r requirements-tests.in, pytest-flask, pytest-mock python-dateutil==2.8.1 # via botocore, faker, freezegun, moto python-jose==3.1.0 # via moto From a4a83dda72ace6f697a10a02ccc01fde47ce923f Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 18:55:27 +0000 Subject: [PATCH 38/43] Bump cloudflare from 2.8.9 to 2.8.13 Bumps [cloudflare](https://github.com/cloudflare/python-cloudflare) from 2.8.9 to 2.8.13. - [Release notes](https://github.com/cloudflare/python-cloudflare/releases) - [Changelog](https://github.com/cloudflare/python-cloudflare/blob/master/CHANGELOG.md) - [Commits](https://github.com/cloudflare/python-cloudflare/compare/2.8.9...2.8.13) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 1a2986d5..69679ebf 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -25,7 +25,7 @@ certsrv==2.1.1 # via -r requirements.txt cffi==1.14.0 # via -r requirements.txt, bcrypt, cryptography, pynacl chardet==3.0.4 # via -r requirements.txt, requests click==7.1.1 # via -r requirements.txt, flask -cloudflare==2.8.9 # via -r requirements.txt +cloudflare==2.8.13 # via -r requirements.txt cryptography==3.0 # via -r requirements.txt, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.txt dnspython==1.15.0 # via -r requirements.txt, dnspython3 diff --git a/requirements.txt b/requirements.txt index 9a0a521c..9a0a2833 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,7 +23,7 @@ certsrv==2.1.1 # via -r requirements.in cffi==1.14.0 # via bcrypt, cryptography, pynacl chardet==3.0.4 # via requests click==7.1.1 # via flask -cloudflare==2.8.9 # via -r requirements.in +cloudflare==2.8.13 # via -r requirements.in cryptography==3.0 # via -r requirements.in, acme, josepy, paramiko, pyopenssl, requests dnspython3==1.15.0 # via -r requirements.in dnspython==1.15.0 # via dnspython3 From 939c41a70eff246ac1a83cee97e9ab6135aee466 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 19:04:47 +0000 Subject: [PATCH 39/43] Bump arrow from 0.15.8 to 0.16.0 Bumps [arrow](https://github.com/arrow-py/arrow) from 0.15.8 to 0.16.0. - [Release notes](https://github.com/arrow-py/arrow/releases) - [Changelog](https://github.com/arrow-py/arrow/blob/master/CHANGELOG.rst) - [Commits](https://github.com/arrow-py/arrow/compare/0.15.8...0.16.0) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 69679ebf..045c1832 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -10,7 +10,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.txt alembic==1.4.2 # via -r requirements.txt, flask-migrate amqp==2.5.2 # via -r requirements.txt, kombu aniso8601==8.0.0 # via -r requirements.txt, flask-restful -arrow==0.15.8 # via -r requirements.txt +arrow==0.16.0 # via -r requirements.txt asyncpool==1.0 # via -r requirements.txt babel==2.8.0 # via sphinx bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko diff --git a/requirements.txt b/requirements.txt index 9a0a2833..2ecb1f9c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,7 +9,7 @@ alembic-autogenerate-enums==0.0.2 # via -r requirements.in alembic==1.4.2 # via flask-migrate amqp==2.5.2 # via kombu aniso8601==8.0.0 # via flask-restful -arrow==0.15.8 # via -r requirements.in +arrow==0.16.0 # via -r requirements.in asyncpool==1.0 # via -r requirements.in bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare From 0f463d5f13ef75100aa04a416722425f0fbec038 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Tue, 25 Aug 2020 19:17:13 +0000 Subject: [PATCH 40/43] Bump boto3 from 1.14.33 to 1.14.48 Bumps [boto3](https://github.com/boto/boto3) from 1.14.33 to 1.14.48. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.14.33...1.14.48) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 4 ++-- requirements-tests.txt | 4 ++-- requirements.txt | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 045c1832..0ee5d42e 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -17,8 +17,8 @@ bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via -r requirements.txt, cloudflare billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.14.33 # via -r requirements.txt -botocore==1.17.33 # via -r requirements.txt, boto3, s3transfer +boto3==1.14.48 # via -r requirements.txt +botocore==1.17.48 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.6.20 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index 1dc1f48d..303338c1 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.14.33 # via aws-sam-translator, moto +boto3==1.14.48 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.17.33 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.17.48 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.6.20 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index 2ecb1f9c..c79ec23d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -15,8 +15,8 @@ bcrypt==3.1.7 # via flask-bcrypt, paramiko beautifulsoup4==4.9.1 # via cloudflare billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.14.33 # via -r requirements.in -botocore==1.17.33 # via -r requirements.in, boto3, s3transfer +boto3==1.14.48 # via -r requirements.in +botocore==1.17.48 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.6.20 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in From 3efe14c43f6efac50ed59a1bcd942c57345ed360 Mon Sep 17 00:00:00 2001 From: sayali Date: Tue, 25 Aug 2020 16:26:20 -0700 Subject: [PATCH 41/43] Remove 397 days validation as it causes error in API calls More to come in future --- lemur/common/validators.py | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/lemur/common/validators.py b/lemur/common/validators.py index 74095255..e1dfe3c1 100644 --- a/lemur/common/validators.py +++ b/lemur/common/validators.py @@ -152,18 +152,6 @@ def dates(data): data["authority"].authority_certificate.not_after ) ) - # Allow no more than PUBLIC_CA_MAX_VALIDITY_DAYS (Default: 397) days of validity - # for certs issued by public CA - # The list of public issuers can be managed through a config named PUBLIC_CA - public_CA = current_app.config.get("PUBLIC_CA_AUTHORITY_NAMES", []) - if data["authority"].name.lower() in [ca.lower() for ca in public_CA]: - max_validity_days = current_app.config.get("PUBLIC_CA_MAX_VALIDITY_DAYS", 397) - if ( - (data.get("validity_end").date() - data.get("validity_start").date()).days - > max_validity_days - ): - raise ValidationError("Certificate cannot be valid for more than " + - str(max_validity_days) + " days") return data From be21d357cb20e45b0f3bebe3da61d95fba72134a Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Wed, 26 Aug 2020 01:38:17 -0700 Subject: [PATCH 42/43] fixing setup-git so build continues if ./git/hooks does not exist. --- Makefile | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 069eb29b..fb8b9afa 100644 --- a/Makefile +++ b/Makefile @@ -49,10 +49,13 @@ reset-db: cd lemur && lemur db upgrade setup-git: - @echo "--> Installing git hooks" - git config branch.autosetuprebase always - cd .git/hooks && ln -sf ../../hooks/* ./ - @echo "" + if [ -d .git/hooks ]; then \ + @echo "--> Installing git hooks"; \ + git config branch.autosetuprebase always; \ + cd .git/hooks && ln -sf ../../hooks/* ./; \ + @echo ""; \ + fi + clean: @echo "--> Cleaning static cache" From 27c553917818ae41e3109064a4cc9c366297b64a Mon Sep 17 00:00:00 2001 From: csine-nflx Date: Wed, 26 Aug 2020 01:47:17 -0700 Subject: [PATCH 43/43] fixing Makefile build issue with @echo --- Makefile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index fb8b9afa..3312a41d 100644 --- a/Makefile +++ b/Makefile @@ -49,13 +49,12 @@ reset-db: cd lemur && lemur db upgrade setup-git: + @echo "--> Installing git hooks" if [ -d .git/hooks ]; then \ - @echo "--> Installing git hooks"; \ git config branch.autosetuprebase always; \ cd .git/hooks && ln -sf ../../hooks/* ./; \ - @echo ""; \ fi - + @echo "" clean: @echo "--> Cleaning static cache"