Merge pull request #3484 from jtschladen/security-fixes

Security fixes

lemur/authorities/service.py

@@ -117,6 +117,12 @@ def create(**kwargs):
     """
     Creates a new authority.
     """
+    ca_name = kwargs.get("name")
+    if get_by_name(ca_name):
+        raise Exception(f"Authority with name {ca_name} already exists")
+    if role_service.get_by_name(f"{ca_name}_admin") or role_service.get_by_name(f"{ca_name}_operator"):
+        raise Exception(f"Admin and/or operator roles for authority {ca_name} already exist")
+
     body, private_key, chain, roles = mint(**kwargs)
 
     kwargs["creator"].roles = list(set(list(kwargs["creator"].roles) + roles))

lemur/dns_providers/schemas.py

@@ -10,9 +10,9 @@ class DnsProvidersNestedOutputSchema(LemurOutputSchema):
     name = fields.String()
     provider_type = fields.String()
     description = fields.String()
-    credentials = fields.String()
     api_endpoint = fields.String()
     date_created = ArrowDateTime()
+    # credentials are intentionally omitted (they are input-only)
 
 
 class DnsProvidersNestedInputSchema(LemurInputSchema):

lemur/tests/conftest.py

@@ -36,6 +36,7 @@ from .factories import (
     InvalidCertificateFactory,
     CryptoAuthorityFactory,
     CACertificateFactory,
+    DnsProviderFactory,
 )
 
 
@@ -183,6 +184,13 @@ def user(session):
     return {"user": u, "token": token}
 
 
+@pytest.fixture
+def dns_provider(session):
+    d = DnsProviderFactory()
+    session.commit()
+    return d
+
+
 @pytest.fixture
 def pending_certificate(session):
     u = UserFactory()

lemur/tests/factories.py

@@ -1,14 +1,15 @@
+import json
 from datetime import date
 
 from factory import Sequence, post_generation, SubFactory
 from factory.alchemy import SQLAlchemyModelFactory
 from factory.fuzzy import FuzzyChoice, FuzzyText, FuzzyDate, FuzzyInteger
 
-
 from lemur.database import db
 from lemur.authorities.models import Authority
 from lemur.certificates.models import Certificate
 from lemur.destinations.models import Destination
+from lemur.dns_providers.models import DnsProvider
 from lemur.sources.models import Source
 from lemur.notifications.models import Notification
 from lemur.pending_certificates.models import PendingCertificate
@@ -435,3 +436,17 @@ class PendingCertificateFactory(BaseFactory):
         if extracted:
             for domain in extracted:
                 self.roles.append(domain)
+
+
+class DnsProviderFactory(BaseFactory):
+    """DnsProvider Factory."""
+
+    name = Sequence(lambda n: f"dnsProvider{n}")
+    description = FuzzyText(length=128)
+    provider_type = FuzzyText(length=128)
+    credentials = json.dumps({"account_id": f"{FuzzyInteger(100000, 999999).fuzz()}"})
+
+    class Meta:
+        """Factory Configuration."""
+
+        model = DnsProvider

lemur/tests/test_dns_providers.py

@@ -1,5 +1,7 @@
+import json
 import unittest
 from lemur.dns_providers import util as dnsutil
+from lemur.dns_providers.schemas import dns_provider_output_schema
 
 
 class TestDNSProvider(unittest.TestCase):
@@ -21,3 +23,17 @@ class TestDNSProvider(unittest.TestCase):
         self.assertFalse(dnsutil.is_valid_domain('example..io'))
         self.assertFalse(dnsutil.is_valid_domain('exa mple.io'))
         self.assertFalse(dnsutil.is_valid_domain('-'))
+
+
+def test_output_schema(dns_provider):
+    # no credentials using the output schema dump
+    assert dns_provider.credentials
+    assert json.loads(dns_provider.credentials)["account_id"]
+    dump = dns_provider_output_schema.dump(dns_provider).data
+    assert 'name' in dump
+    assert 'credentials' not in dump
+
+
+def test_json(dns_provider):
+    # we can still get credentials using json.load
+    assert 'account_id' in json.loads(dns_provider.credentials)