Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #3346 from charhate/rotate-cert-ec 

Config to change algo to ECC during reissue
This commit is contained in:
charhate 2021-01-06 11:24:43 -08:00 committed by GitHub
parent 9657098514 396e3afdfa
commit b3c5d23a3a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lemur/certificates/service.py
View File

@ -795,6 +795,15 @@ def reissue_certificate(certificate, replace=None, user=None):
else: else:
primitives["description"] = f"{reissue_message_prefix}{certificate.id}" primitives["description"] = f"{reissue_message_prefix}{certificate.id}"
# Rotate the certificate to ECCPRIME256V1 if cert owner is present in the configured list
# This is a temporary change intending to rotate certificates to ECC, if opted in by certificate owners
# Unless identified a use case, this will be removed in mid-Q2 2021
ecc_reissue_owner_list = current_app.config.get("ROTATE_TO_ECC_OWNER_LIST", [])
ecc_reissue_exclude_cn_list = current_app.config.get("ECC_NON_COMPATIBLE_COMMON_NAMES", [])
if (certificate.owner in ecc_reissue_owner_list) and (certificate.cn not in ecc_reissue_exclude_cn_list):
primitives["key_type"] = "ECCPRIME256V1"
new_cert = create(**primitives) new_cert = create(**primitives)
return new_cert return new_cert

12
lemur/tests/conftest.py
View File

@ -56,7 +56,7 @@ def pytest_runtest_makereport(item, call):
parent._previousfailed = item parent._previousfailed = item
@pytest.yield_fixture(scope="session") @pytest.fixture(scope="session")
def app(request): def app(request):
""" """
Creates a new Flask application for a test duration. Creates a new Flask application for a test duration.
@ -73,7 +73,7 @@ def app(request):
ctx.pop() ctx.pop()
@pytest.yield_fixture(scope="session") @pytest.fixture(scope="session")
def db(app, request): def db(app, request):
_db.drop_all() _db.drop_all()
_db.engine.execute(text("CREATE EXTENSION IF NOT EXISTS pg_trgm")) _db.engine.execute(text("CREATE EXTENSION IF NOT EXISTS pg_trgm"))
@ -92,7 +92,7 @@ def db(app, request):
_db.drop_all() _db.drop_all()
@pytest.yield_fixture(scope="function") @pytest.fixture(scope="function")
def session(db, request): def session(db, request):
""" """
Creates a new database session with (with working transaction) Creates a new database session with (with working transaction)
@ -103,7 +103,7 @@ def session(db, request):
db.session.rollback() db.session.rollback()
@pytest.yield_fixture(scope="function") @pytest.fixture(scope="function")
def client(app, session, client): def client(app, session, client):
yield client yield client
@ -276,14 +276,14 @@ def source_plugin():
return TestSourcePlugin return TestSourcePlugin
@pytest.yield_fixture(scope="function") @pytest.fixture(scope="function")
def logged_in_user(session, app): def logged_in_user(session, app):
with app.test_request_context(): with app.test_request_context():
identity_changed.send(current_app._get_current_object(), identity=Identity(1)) identity_changed.send(current_app._get_current_object(), identity=Identity(1))
yield yield
@pytest.yield_fixture(scope="function") @pytest.fixture(scope="function")
def logged_in_admin(session, app): def logged_in_admin(session, app):
with app.test_request_context(): with app.test_request_context():
identity_changed.send(current_app._get_current_object(), identity=Identity(2)) identity_changed.send(current_app._get_current_object(), identity=Identity(2))