From 8efa68285874b7d9d98c55dbd54f360d9c80f31f Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Tue, 10 Nov 2020 17:43:35 -0800 Subject: [PATCH 1/5] add delete acme token --- lemur/plugins/lemur_aws/plugin.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/lemur/plugins/lemur_aws/plugin.py b/lemur/plugins/lemur_aws/plugin.py index b54787ac..8fca73e9 100644 --- a/lemur/plugins/lemur_aws/plugin.py +++ b/lemur/plugins/lemur_aws/plugin.py @@ -449,6 +449,34 @@ class S3DestinationPlugin(ExportDestinationPlugin): metrics.send(f"{function}", "counter", 1, metric_tags={"result": res, "bucket_name": bucket_name, "filename": filename}) + return response + + def delete_acme_token(self, token_path, options, **kwargs): + + current_app.logger.debug("S3 destination plugin is started to delete HTTP-01 challenge") + + function = f"{__name__}.{sys._getframe().f_code.co_name}" + + account_number = self.get_option("accountNumber", options) + bucket_name = self.get_option("bucket", options) + prefix = self.get_option("prefix", options) + filename = token_path.split("/")[-1] + response = s3.delete(bucket_name=bucket_name, + prefixed_object_name=prefix + filename, + account_number=account_number) + res = "Success" if response else "Failure" + log_data = { + "function": function, + "message": "delete acme token challenge", + "result": res, + "bucket_name": bucket_name, + "filename": filename + } + current_app.logger.info(log_data) + metrics.send(f"{function}", "counter", 1, metric_tags={"result": res, + "bucket_name": bucket_name, + "filename": filename}) + return response class SNSNotificationPlugin(ExpirationNotificationPlugin): From ea77ef08aa2656b8c1b873d782d7932f37a25ab4 Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Tue, 10 Nov 2020 17:45:02 -0800 Subject: [PATCH 2/5] testing for delete --- lemur/plugins/lemur_aws/tests/test_plugin.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lemur/plugins/lemur_aws/tests/test_plugin.py b/lemur/plugins/lemur_aws/tests/test_plugin.py index be9b14fd..89a318ca 100644 --- a/lemur/plugins/lemur_aws/tests/test_plugin.py +++ b/lemur/plugins/lemur_aws/tests/test_plugin.py @@ -80,3 +80,8 @@ def test_upload_acme_token(app): # put data, and getting the same data assert (response == token_content) + + response = p.delete_acme_token(token_path=token_path, + options=additional_options, + account_number=account) + assert response From 252f84cf213b6a66926e72df56c49fb11f68165c Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Tue, 10 Nov 2020 17:46:00 -0800 Subject: [PATCH 3/5] adding also response to upload acme token, just for future use-cases --- lemur/plugins/lemur_aws/plugin.py | 18 +++++++++--------- lemur/plugins/lemur_aws/tests/test_plugin.py | 9 +++++---- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/lemur/plugins/lemur_aws/plugin.py b/lemur/plugins/lemur_aws/plugin.py index 8fca73e9..fcc2e0cf 100644 --- a/lemur/plugins/lemur_aws/plugin.py +++ b/lemur/plugins/lemur_aws/plugin.py @@ -419,7 +419,7 @@ class S3DestinationPlugin(ExportDestinationPlugin): :param kwargs: :return: """ - current_app.logger.debug("S3 destination plugin is started for HTTP-01 challenge") + current_app.logger.debug("S3 destination plugin is started to upload HTTP-01 challenge") function = f"{__name__}.{sys._getframe().f_code.co_name}" @@ -431,16 +431,16 @@ class S3DestinationPlugin(ExportDestinationPlugin): if not prefix.endswith("/"): prefix + "/" - res = s3.put(bucket_name=bucket_name, - region_name=region, - prefix=prefix + filename, - data=token, - encrypt=False, - account_number=account_number) - res = "Success" if res else "Failure" + response = s3.put(bucket_name=bucket_name, + region_name=region, + prefix=prefix + filename, + data=token, + encrypt=False, + account_number=account_number) + res = "Success" if response else "Failure" log_data = { "function": function, - "message": "check if any valid certificate is revoked", + "message": "upload acme token challenge", "result": res, "bucket_name": bucket_name, "filename": filename diff --git a/lemur/plugins/lemur_aws/tests/test_plugin.py b/lemur/plugins/lemur_aws/tests/test_plugin.py index 89a318ca..e032cf02 100644 --- a/lemur/plugins/lemur_aws/tests/test_plugin.py +++ b/lemur/plugins/lemur_aws/tests/test_plugin.py @@ -68,10 +68,11 @@ def test_upload_acme_token(app): s3_client.create_bucket(Bucket=bucket) p = plugins.get("aws-s3") - p.upload_acme_token(token_path=token_path, - token_content=token_content, - token=token_content, - options=additional_options) + response = p.upload_acme_token(token_path=token_path, + token_content=token_content, + token=token_content, + options=additional_options) + assert response response = get(bucket_name=bucket, prefixed_object_name=prefix + token_name, From bb11ff9f60663d9e2d7b9434a4d7244463689d69 Mon Sep 17 00:00:00 2001 From: Jasmine Schladen Date: Fri, 13 Nov 2020 17:31:40 -0800 Subject: [PATCH 4/5] Remove python-ldap from requirements-docs.txt --- requirements-docs.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 1fcf06ab..69c4710c 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -79,7 +79,6 @@ pyrfc3339==1.1 # via -r requirements.txt, acme python-dateutil==2.8.1 # via -r requirements.txt, alembic, arrow, botocore python-editor==1.0.4 # via -r requirements.txt, alembic python-json-logger==0.1.11 # via -r requirements.txt, logmatic-python -python-ldap==3.3.1 # via -r requirements.txt pytz==2019.3 # via -r requirements.txt, acme, babel, celery, flask-restful, pyrfc3339 pyyaml==5.3.1 # via -r requirements.txt, cloudflare raven[flask]==6.10.0 # via -r requirements.txt From 50483c01da63d9c65822e9681d4fc7d5b263067b Mon Sep 17 00:00:00 2001 From: Hossein Shafagh Date: Fri, 13 Nov 2020 17:37:01 -0800 Subject: [PATCH 5/5] preparing for release 0.8.0 --- CHANGELOG.rst | 81 ++++++++++++++++++++++++++++++++++++++++++++++ lemur/__about__.py | 2 +- 2 files changed, 82 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ea8d23b7..67b792f8 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,87 @@ Changelog ========= +0.8.0 - `2020-11-13` +~~~~~~~~~~~~~~ + +This release comes after more than two years and contains many interesting new features and improvements. +In addition to multiple new plugins, such as ACME-http01, ADCS, PowerDNS, UltraDNS, Entrust, SNS, many of Lemur's existing +flows have improved. + +In the future, we plan to do frequent releases. + + +Summary of notable changes: + +- AWS S3 plugin: added delete, get methods, and support for uploading/deleting acme tokens +- ACME plugin: + - revamp of the plugin + - support for http01 domain validation, via S3 and SFTP as destination for the acme token + - support for CNAME delegated domain validation + - store-acme-account-details +- PowerDNS plugin +- UltraDNS plugin +- ADCS plugin +- SNS plugin +- Entrust plugin +- Rotation: + - respecting keyType and extensions + - region-by-region rotation option + - default to auto-rotate when cert attached to endpoint + - default to 1y validity during rotation for multi-year browser-trusted certs +- Certificate: search_by_name, and important performance improvements +- UI + - reducing the EC curve options to the relevant ones + - edit option for notifications, destinations and sources + - showing 13 month validity as default + - option to hide certs expired since 3month + - faster Permalink (no search involved) + - commonName Auto Added as DNS in the UI + - improved search and cert lookup +- celery tasks instead of crone, for better logging and monitoring +- countless bugfixes + - group-lookup-fix-referral + - url_context_path + - duplicate notification + - digicert-time-bug-fix + - improved-csr-support + - fix-cryptography-intermediate-ca + - enhanced logging + - vault-k8s-auth + - cfssl-key-fix + - cert-sync-endpoint-find-by-hash + - nlb-naming-bug + - fix_vault_api_v2_append + - aid_openid_roles_provider_integration + - rewrite-java-keystore-use-pyjks + - vault_kv2 + + +To see the full list of changes, you can run + + $ git log --merges --first-parent master --pretty=format:"%h %<(10,trunc)%aN %C(white)%<(15)%ar%Creset %C(red bold)%<(15)%D%Creset %s" | grep -v "depend" + + +Special thanks to all who contributed to this release, notably: + +- `peschmae `_ +- `sirferl `_ +- `lukasmrtvy `_ +- `intgr `_ +- `kush-bavishi `_ +- `alwaysjolley `_ +- `jplana `_ +- `explody `_ +- `titouanc `_ +- `jramosf `_ + + +Upgrading +--------- + +.. note:: This release will need a migration change. Please follow the `documentation `_ to upgrade Lemur. + + 0.7 - `2018-05-07` ~~~~~~~~~~~~~~ diff --git a/lemur/__about__.py b/lemur/__about__.py index 766d3668..0926ef33 100644 --- a/lemur/__about__.py +++ b/lemur/__about__.py @@ -15,7 +15,7 @@ __title__ = "lemur" __summary__ = "Certificate management and orchestration service" __uri__ = "https://github.com/Netflix/lemur" -__version__ = "0.7.0" +__version__ = "0.8.0" __author__ = "The Lemur developers" __email__ = "security@netflix.com"