Merge branch 'master' into upgrade-dependabot

.github/workflows/lemur-publish-release-pypi.yml

@@ -18,6 +18,16 @@ jobs:
       uses: actions/setup-python@v2
       with:
         python-version: '3.x'
+    - name: Autobump version
+      run: |
+        # from refs/tags/v0.8.1 get 0.8.1
+        VERSION=$(echo $GITHUB_REF | sed 's#.*/v##')
+        PLACEHOLDER='__version__ = "develop"'
+        VERSION_FILE='lemur/__about__.py'
+        # in case placeholder is missing, exists with code 1 and github actions aborts the build
+        grep "$PLACEHOLDER" "$VERSION_FILE"
+        sed -i "s/$PLACEHOLDER/__version__ = \"${VERSION}\"/g" "$VERSION_FILE"
+      shell: bash
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip

CHANGELOG.rst

@@ -1,6 +1,37 @@
 Changelog
 =========
 
+0.8.1 - `2021-03-12`
+~~~~~~~~~~~~~~~~~~~~
+
+This release includes improvements on many fronts, such as:
+
+- Notifications:
+    - Enhanced SNS flow
+    - Expiration Summary
+    - CA expiration email
+- EC algorithm as the default
+- Improved revocation flow
+- Localized AWS STS option
+- Improved Lemur doc building
+- ACME:
+    - reduced failed attempts to 3x trials
+    - support for selecting the chain (Let's Encrypt X1 transition)
+    - revocation
+    - http01 documentation
+- Entrust:
+    - Support for cross-signed intermediate CA
+- Revised disclosure process
+- Dependency updates and conflict resolutions
+
+Special thanks to all who contributed to this release, notably:
+
+- `peschmae  <https://github.com/peschmae>`_
+- `atugushev  <https://github.com/atugushev>`_
+- `sirferl   <https://github.com/sirferl>`_
+
+
+
 0.8.0 - `2020-11-13`
 ~~~~~~~~~~~~~~~~~~~~
 

docs/administration.rst

@@ -875,7 +875,7 @@ account. See :ref:`Using a pre-existing ACME account <AcmeAccountReuse>` for mor
     :noindex:
 
             This is an optional parameter to indicate the preferred chain to retrieve from ACME when finalizing the order.
-            This is applicable to Let's Encrypts recent `migration https://letsencrypt.org/certificates/`_ to their
+            This is applicable to Let's Encrypts recent `migration <https://letsencrypt.org/certificates/>`_ to their
             own root, where they provide two distinct certificate chains (fullchain_pem vs. alternative_fullchains_pem);
             the main chain will be the long chain that is rooted in the expiring DTS root, whereas the alternative chain
             is rooted in X1 root CA.

lemur/__about__.py

@@ -15,7 +15,7 @@ __title__ = "lemur"
 __summary__ = "Certificate management and orchestration service"
 __uri__ = "https://github.com/Netflix/lemur"
 
-__version__ = "0.8.0"
+__version__ = "develop"
 
 __author__ = "The Lemur developers"
 __email__ = "security@netflix.com"

requirements-dev.txt

@@ -50,7 +50,7 @@ packaging==20.9
     # via bleach
 pkginfo==1.5.0.1
     # via twine
-pre-commit==2.11.0
+pre-commit==2.11.1
     # via -r requirements-dev.in
 pycodestyle==2.6.0
     # via flake8

requirements-docs.in

@@ -7,6 +7,7 @@ acme
 arrow
 boto3
 botocore
+certbot
 certsrv
 CloudFlare
 cryptography

requirements-docs.txt

@@ -5,7 +5,10 @@
 #    pip-compile --no-index --output-file=requirements-docs.txt requirements-docs.in
 #
 acme==1.13.0
-    # via -r requirements-docs.in
+    # via
+    #   -r requirements-docs.in
+    #   -r requirements-tests.txt
+    #   certbot
 alabaster==0.7.12
     # via sphinx
 alembic==1.5.5
@@ -48,7 +51,7 @@ blinker==1.4
     #   flask-mail
     #   flask-principal
     #   raven
-boto3==1.17.22
+boto3==1.17.27
     # via
     #   -r requirements-docs.in
     #   -r requirements-tests.txt
@@ -58,7 +61,7 @@ boto==2.49.0
     # via
     #   -r requirements-tests.txt
     #   moto
-botocore==1.20.22
+botocore==1.20.27
     # via
     #   -r requirements-docs.in
     #   -r requirements-tests.txt
@@ -66,6 +69,10 @@ botocore==1.20.22
     #   boto3
     #   moto
     #   s3transfer
+certbot==1.13.0
+    # via
+    #   -r requirements-docs.in
+    #   -r requirements-tests.txt
 certifi==2020.12.5
     # via
     #   -r requirements-tests.txt
@@ -93,6 +100,14 @@ click==7.1.2
     #   flask
 cloudflare==2.8.15
     # via -r requirements-docs.in
+configargparse==1.4
+    # via
+    #   -r requirements-tests.txt
+    #   certbot
+configobj==5.0.6
+    # via
+    #   -r requirements-tests.txt
+    #   certbot
 coverage==5.5
     # via -r requirements-tests.txt
 cryptography==3.4.6
@@ -100,6 +115,7 @@ cryptography==3.4.6
     #   -r requirements-docs.in
     #   -r requirements-tests.txt
     #   acme
+    #   certbot
     #   josepy
     #   moto
     #   paramiko
@@ -110,6 +126,10 @@ decorator==4.4.2
     # via
     #   -r requirements-tests.txt
     #   networkx
+distro==1.5.0
+    # via
+    #   -r requirements-tests.txt
+    #   certbot
 dnspython3==1.15.0
     # via -r requirements-docs.in
 dnspython==1.15.0
@@ -225,7 +245,9 @@ jmespath==0.9.5
 josepy==1.7.0
     # via
     #   -r requirements-docs.in
+    #   -r requirements-tests.txt
     #   acme
+    #   certbot
 jsondiff==1.1.2
     # via
     #   -r requirements-tests.txt
@@ -292,6 +314,10 @@ packaging==20.3
     #   sphinx
 paramiko==2.7.2
     # via -r requirements-docs.in
+parsedatetime==2.6
+    # via
+    #   -r requirements-tests.txt
+    #   certbot
 pathspec==0.8.0
     # via
     #   -r requirements-tests.txt
@@ -338,6 +364,7 @@ pynacl==1.4.0
 pyopenssl==20.0.1
     # via
     #   -r requirements-docs.in
+    #   -r requirements-tests.txt
     #   acme
     #   josepy
 pyparsing==2.4.7
@@ -345,7 +372,10 @@ pyparsing==2.4.7
     #   -r requirements-tests.txt
     #   packaging
 pyrfc3339==1.1
-    # via acme
+    # via
+    #   -r requirements-tests.txt
+    #   acme
+    #   certbot
 pyrsistent==0.16.0
     # via
     #   -r requirements-tests.txt
@@ -381,6 +411,7 @@ pytz==2019.3
     #   -r requirements-tests.txt
     #   acme
     #   babel
+    #   certbot
     #   flask-restful
     #   moto
     #   pyrfc3339
@@ -405,7 +436,9 @@ regex==2020.4.4
 requests-mock==1.8.0
     # via -r requirements-tests.txt
 requests-toolbelt==0.9.1
-    # via acme
+    # via
+    #   -r requirements-tests.txt
+    #   acme
 requests==2.25.1
     # via
     #   -r requirements-tests.txt
@@ -440,6 +473,7 @@ six==1.15.0
     #   bandit
     #   bcrypt
     #   cfn-lint
+    #   configobj
     #   docker
     #   ecdsa
     #   fakeredis
@@ -563,6 +597,36 @@ zipp==3.1.0
     #   -r requirements-tests.txt
     #   importlib-metadata
     #   moto
+zope.component==4.6.2
+    # via
+    #   -r requirements-tests.txt
+    #   certbot
+zope.deferredimport==4.3.1
+    # via
+    #   -r requirements-tests.txt
+    #   zope.component
+zope.deprecation==4.4.0
+    # via
+    #   -r requirements-tests.txt
+    #   zope.component
+zope.event==4.5.0
+    # via
+    #   -r requirements-tests.txt
+    #   zope.component
+zope.hookable==5.0.1
+    # via
+    #   -r requirements-tests.txt
+    #   zope.component
+zope.interface==5.2.0
+    # via
+    #   -r requirements-tests.txt
+    #   certbot
+    #   zope.component
+    #   zope.proxy
+zope.proxy==4.3.5
+    # via
+    #   -r requirements-tests.txt
+    #   zope.deferredimport
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools

requirements-tests.txt

@@ -4,6 +4,8 @@
 #
 #    pip-compile --no-index --output-file=requirements-tests.txt requirements-tests.in
 #
+acme==1.13.0
+    # via certbot
 appdirs==1.4.3
     # via black
 attrs==19.3.0
@@ -18,19 +20,20 @@ bandit==1.7.0
     # via -r requirements-tests.in
 black==20.8b1
     # via -r requirements-tests.in
-boto3==1.17.22
+boto3==1.17.27
     # via
     #   aws-sam-translator
     #   moto
 boto==2.49.0
     # via moto
-botocore==1.20.22
+botocore==1.20.27
     # via
     #   aws-xray-sdk
     #   boto3
     #   moto
     #   s3transfer
 certbot==1.13.0
+    # via -r requirements-tests.in
 certifi==2020.12.5
     # via requests
 cffi==1.14.0
@@ -43,15 +46,25 @@ click==7.1.2
     # via
     #   black
     #   flask
+configargparse==1.4
+    # via certbot
+configobj==5.0.6
+    # via certbot
 coverage==5.5
     # via -r requirements-tests.in
 cryptography==3.4.6
     # via
+    #   acme
+    #   certbot
+    #   josepy
     #   moto
+    #   pyopenssl
     #   python-jose
     #   sshpubkeys
 decorator==4.4.2
     # via networkx
+distro==1.5.0
+    # via certbot
 docker==4.2.0
     # via moto
 ecdsa==0.14.1
@@ -95,6 +108,10 @@ jmespath==0.9.5
     # via
     #   boto3
     #   botocore
+josepy==1.7.0
+    # via
+    #   acme
+    #   certbot
 jsondiff==1.1.2
     # via moto
 jsonpatch==1.25
@@ -125,6 +142,8 @@ nose==1.3.7
     # via -r requirements-tests.in
 packaging==20.3
     # via pytest
+parsedatetime==2.6
+    # via certbot
 pathspec==0.8.0
     # via black
 pbr==5.4.5
@@ -141,8 +160,16 @@ pycparser==2.20
     # via cffi
 pyflakes==2.2.0
     # via -r requirements-tests.in
+pyopenssl==20.0.1
+    # via
+    #   acme
+    #   josepy
 pyparsing==2.4.7
     # via packaging
+pyrfc3339==1.1
+    # via
+    #   acme
+    #   certbot
 pyrsistent==0.16.0
     # via jsonschema
 pytest-flask==1.2.0
@@ -163,7 +190,11 @@ python-dateutil==2.8.1
 python-jose[cryptography]==3.1.0
     # via moto
 pytz==2019.3
-    # via moto
+    # via
+    #   acme
+    #   certbot
+    #   moto
+    #   pyrfc3339
 pyyaml==5.4.1
     # via
     #   -r requirements-tests.in
@@ -176,11 +207,15 @@ regex==2020.4.4
     # via black
 requests-mock==1.8.0
     # via -r requirements-tests.in
+requests-toolbelt==0.9.1
+    # via acme
 requests==2.25.1
     # via
+    #   acme
     #   docker
     #   moto
     #   requests-mock
+    #   requests-toolbelt
     #   responses
 responses==0.10.12
     # via moto
@@ -193,12 +228,15 @@ six==1.15.0
     #   aws-sam-translator
     #   bandit
     #   cfn-lint
+    #   configobj
     #   docker
     #   ecdsa
     #   fakeredis
+    #   josepy
     #   jsonschema
     #   moto
     #   packaging
+    #   pyopenssl
     #   pyrsistent
     #   python-dateutil
     #   python-jose
@@ -243,6 +281,23 @@ zipp==3.1.0
     # via
     #   importlib-metadata
     #   moto
+zope.component==4.6.2
+    # via certbot
+zope.deferredimport==4.3.1
+    # via zope.component
+zope.deprecation==4.4.0
+    # via zope.component
+zope.event==4.5.0
+    # via zope.component
+zope.hookable==5.0.1
+    # via zope.component
+zope.interface==5.2.0
+    # via
+    #   certbot
+    #   zope.component
+    #   zope.proxy
+zope.proxy==4.3.5
+    # via zope.deferredimport
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools

requirements.txt

@@ -5,7 +5,9 @@
 #    pip-compile --no-index --output-file=requirements.txt requirements.in
 #
 acme==1.13.0
-    # via -r requirements.in
+    # via
+    #   -r requirements.in
+    #   certbot
 alembic-autogenerate-enums==0.0.2
     # via -r requirements.in
 alembic==1.4.2
@@ -31,9 +33,9 @@ blinker==1.4
     #   flask-mail
     #   flask-principal
     #   raven
-boto3==1.17.22
+boto3==1.17.27
     # via -r requirements.in
-botocore==1.20.22
+botocore==1.20.27
     # via
     #   -r requirements.in
     #   boto3
@@ -41,6 +43,7 @@ botocore==1.20.22
 celery[redis]==4.4.2
     # via -r requirements.in
 certbot==1.13.0
+    # via -r requirements.in
 certifi==2020.12.5
     # via
     #   -r requirements.in
@@ -58,13 +61,20 @@ click==7.1.2
     # via flask
 cloudflare==2.8.15
     # via -r requirements.in
+configargparse==1.4
+    # via certbot
+configobj==5.0.6
+    # via certbot
 cryptography==3.4.6
     # via
     #   -r requirements.in
     #   acme
+    #   certbot
     #   josepy
     #   paramiko
     #   pyopenssl
+distro==1.5.0
+    # via certbot
 dnspython3==1.15.0
     # via -r requirements.in
 dnspython==1.15.0
@@ -126,7 +136,9 @@ jmespath==0.9.5
     #   boto3
     #   botocore
 josepy==1.7.0
-    # via acme
+    # via
+    #   acme
+    #   certbot
 jsonlines==1.2.0
     # via cloudflare
 kombu==4.6.8
@@ -151,6 +163,8 @@ ndg-httpsclient==0.5.1
     # via -r requirements.in
 paramiko==2.7.2
     # via -r requirements.in
+parsedatetime==2.6
+    # via certbot
 pem==21.1.0
     # via -r requirements.in
 psycopg2==2.8.6
@@ -182,7 +196,9 @@ pyopenssl==20.0.1
     #   josepy
     #   ndg-httpsclient
 pyrfc3339==1.1
-    # via acme
+    # via
+    #   acme
+    #   certbot
 python-dateutil==2.8.1
     # via
     #   alembic
@@ -198,6 +214,7 @@ pytz==2019.3
     # via
     #   acme
     #   celery
+    #   certbot
     #   flask-restful
     #   pyrfc3339
 pyyaml==5.4.1
@@ -228,6 +245,7 @@ six==1.15.0
     # via
     #   -r requirements.in
     #   bcrypt
+    #   configobj
     #   flask-cors
     #   flask-restful
     #   hvac
@@ -264,6 +282,22 @@ werkzeug==1.0.1
     # via flask
 xmltodict==0.12.0
     # via -r requirements.in
+zope.component==4.6.2
+    # via certbot
+zope.deferredimport==4.3.1
+    # via zope.component
+zope.deprecation==4.4.0
+    # via zope.component
+zope.event==4.5.0
+    # via zope.component
+zope.hookable==5.0.1
+    # via zope.component
+zope.interface==5.2.0
+    # via
+    #   certbot
+    #   zope.component
+zope.proxy==4.3.5
+    # via zope.deferredimport
 
 # The following packages are considered to be unsafe in a requirements file:
 # setuptools