From 8f16402c0a4cbab85c447697db2d858becccc47b Mon Sep 17 00:00:00 2001
From: sayali
Date: Tue, 5 Jan 2021 18:13:09 -0800
Subject: [PATCH 1/2] Config to change algo to ECC during reissue

---
 lemur/certificates/service.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index b22090b6..5999760f 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -795,6 +795,15 @@ def reissue_certificate(certificate, replace=None, user=None):
 else:
 primitives["description"] = f"{reissue_message_prefix}{certificate.id}"
+ # Rotate the certificate to ECCPRIME256V1 if cert owner is present in the configured list
+ # This is a temporary change intending to rotate certificates to ECC, if opted in by certificate owners
+ # Unless identified a use case, this will be removed in mid-Q2 2021
+ ecc_reissue_owner_list = current_app.config.get("ROTATE_TO_ECC_OWNER_LIST", [])
+ ecc_reissue_exclude_cn_list = current_app.config.get("ECC_NON_COMPATIBLE_COMMON_NAMES", [])
+ if (certificate.owner in ecc_reissue_owner_list) and (certificate.cn not in ecc_reissue_exclude_cn_list):
+ primitives["key_type"] = "ECCPRIME256V1"
+
 new_cert = create(**primitives)
 return new_cert

From 396e3afdfa40aacc55d1737e1e9941854ebdb30f Mon Sep 17 00:00:00 2001
From: sayali
Date: Tue, 5 Jan 2021 18:14:57 -0800
Subject: [PATCH 2/2] Fix @pytest.yield_fixture deprecation

Use @pytest.fixture instead; they are the same.
---
 lemur/tests/conftest.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lemur/tests/conftest.py b/lemur/tests/conftest.py
index 2efd65d9..f388acc6 100644
--- a/lemur/tests/conftest.py
+++ b/lemur/tests/conftest.py
@@ -56,7 +56,7 @@ def pytest_runtest_makereport(item, call):
 parent._previousfailed = item
-@pytest.yield_fixture(scope="session")
+@pytest.fixture(scope="session")
 def app(request):
 """
 Creates a new Flask application for a test duration.
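Review bot: The opt-out in the new `if` consults only `certificate.cn`, so a certificate whose CN is absent from ECC_NON_COMPATIBLE_COMMON_NAMES but which serves an ECC-incompatible host through one of its SAN names would still be switched to ECCPRIME256V1; if the exclusion is meant to cover every name the certificate carries, the SAN names (not visible in this hunk) should be checked as well. The algorithm switch is also silent — a reissued certificate coming back with a different key type than the original is exactly the change an operator will later want to find in the logs, so record the decision next to the assignment, e.g. `current_app.logger.info("Reissuing certificate %s with key_type %s (owner opted in to ECC rotation)", certificate.id, primitives["key_type"])`. The comment announcing removal in mid-Q2 2021 is more likely to be acted on as `# TODO(sayali): remove once the ECC rotation completes (target mid-Q2 2021)` so TODO tooling picks it up. reissue_certificate begins before this hunk.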
@@ -73,7 +73,7 @@ def app(request):
 ctx.pop()
-@pytest.yield_fixture(scope="session")
+@pytest.fixture(scope="session")
 def db(app, request):
 _db.drop_all()
 _db.engine.execute(text("CREATE EXTENSION IF NOT EXISTS pg_trgm"))
@@ -92,7 +92,7 @@ def db(app, request):
 _db.drop_all()
-@pytest.yield_fixture(scope="session")
+@pytest.fixture(scope="session")
 def session(db, request):
 """
 Creates a new database session with (with working transaction)
@@ -103,7 +103,7 @@ def session(db, request):
 db.session.rollback()
-@pytest.yield_fixture(scope="function")
+@pytest.fixture(scope="function")
 def client(app, session, client):
 yield client
@@ -276,14 +276,14 @@ def source_plugin():
 return TestSourcePlugin
-@pytest.yield_fixture(scope="function")
+@pytest.fixture(scope="function")
 def logged_in_user(session, app):
 with app.test_request_context():
 identity_changed.send(current_app._get_current_object(), identity=Identity(1))
 yield
-@pytest.yield_fixture(scope="function")
+@pytest.fixture(scope="function")
 def logged_in_admin(session, app):
 with app.test_request_context():
 identity_changed.send(current_app._get_current_object(), identity=Identity(2))