From d4d51c702a8f835ef7963681d73dee3af6666b41 Mon Sep 17 00:00:00 2001 From: sirferl Date: Thu, 12 Nov 2020 13:51:08 +0100 Subject: [PATCH 1/9] Entrust: add organization handling --- lemur/plugins/lemur_entrust/plugin.py | 48 +++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index 9b7848ed..5a6daf05 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -40,7 +40,7 @@ def determine_end_date(end_date): return end_date.format('YYYY-MM-DD') -def process_options(options): +def process_options(options, client_id): """ Processes and maps the incoming issuer options to fields/options that Entrust understands @@ -74,10 +74,36 @@ def process_options(options): "certType": product_type, "certExpiryDate": validity_end, # "keyType": "RSA", Entrust complaining about this parameter - "tracking": tracking_data + "tracking": tracking_data, + "org": options.get("organization"), + "clientId": client_id } return data +def get_client_id(my_response, organization): + """ + Helper function for parsing responses from the Entrust API. + :param content: + :return: :raise Exception: + """ + try: + d = json.loads(my_response.content) + except ValueError: + # catch an empty json object here + d = {'response': 'No detailed message'} + s = my_response.status_code + if s > 399: + raise Exception(f"ENTRUST error: {msg.get(s, s)}\n{d['errors']}") + + found = False + for y in d["organizations"]: + if y["name"] == organization: + found = True + client_id = y["clientId"] + if found: + return client_id + else: + raise Exception(f"Error on Organization - Use on of the List: {d['organizations']}") def handle_response(my_response): """ 
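Review bot: `get_client_id` indexes `d['organizations']` and `d['errors']` directly, but the `ValueError` fallback replaces `d` with `{'response': 'No detailed message'}`, so a non-JSON body (or an error body without an `errors` key) surfaces as a KeyError instead of the intended ENTRUST error; use `d.get('errors', d)` in the error branch and iterate `d.get("organizations", [])`. The `found`/`client_id` bookkeeping can be replaced by returning on the first match, `if y.get("name") == organization: return y["clientId"]`, which also removes the possibly-unbound `client_id`. The new docstring still says `:param content:` while the parameters are `my_response` and `organization`, and the docstring of `process_options` (whose body begins above this hunk) does not mention the new `client_id` argument or that `org` and `clientId` are now sent to Entrust. The organization-not-found message echoes the whole organizations list from the API, clientIds included; if that exception text is shown to the requesting user, listing only the names would be enough.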
@@ -163,9 +189,25 @@ class EntrustIssuerPlugin(IssuerPlugin): } current_app.logger.info(log_data) + #firstly we need the organization ID + url = current_app.config.get("ENTRUST_URL") + "/organizations" + try: + response = self.session.get(url, timeout=(15, 40)) + except requests.exceptions.Timeout: + raise Exception("Timeout for Getting Organizations") + except requests.exceptions.RequestException as e: + raise Exception(f"Error for Getting Organization {e}") + + client_id = get_client_id(response, issuer_options.get("organization")) + log_data = { + "function": f"{__name__}.{sys._getframe().f_code.co_name}", + "message": f"Organization id: {client_id}" + } + current_app.logger.info(log_data) + url = current_app.config.get("ENTRUST_URL") + "/certificates" - data = process_options(issuer_options) + data = process_options(issuer_options, client_id) data["csr"] = csr try: From e1926f2f3cefd1adfae3d20a5055e3a98adf0243 Mon Sep 17 00:00:00 2001 From: sirferl Date: Thu, 12 Nov 2020 14:09:24 +0100 Subject: [PATCH 2/9] Entrust: add organization handling-linting --- lemur/plugins/lemur_entrust/plugin.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index 5a6daf05..16197836 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -105,6 +105,7 @@ def get_client_id(my_response, organization): else: raise Exception(f"Error on Organization - Use on of the List: {d['organizations']}") + def handle_response(my_response): """ Helper function for parsing responses from the Entrust API. @@ -189,7 +190,7 @@ class EntrustIssuerPlugin(IssuerPlugin): } current_app.logger.info(log_data) - #firstly we need the organization ID + # firstly we need the organization ID url = current_app.config.get("ENTRUST_URL") + "/organizations" try: response = self.session.get(url, timeout=(15, 40)) 
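Review bot: `issuer_options.get("organization")` may be `None` when the option is absent, and a `None` name can never match an entry from `/organizations`, so the requester gets the generic "Error on Organization" dump rather than a message that the option is missing; guard before making the request, `if not issuer_options.get("organization"): raise Exception("Entrust: issuer option 'organization' is required")`. This side does no HTTP status check of its own and relies entirely on the helper for it, so if the helper's check ever changes, an auth failure from Entrust would be parsed as an organization list; `response.raise_for_status()` after the `get` makes the caller self-sufficient. The INFO log line records the resolved clientId; that looks harmless but is worth confirming against whatever Entrust treats the value as. The enclosing method starts before the hunk and continues past it.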
@@ -221,7 +222,7 @@ class EntrustIssuerPlugin(IssuerPlugin): external_id = response_dict['trackingId'] cert = response_dict['endEntityCert'] if len(response_dict['chainCerts']) < 2: - # certificate signed by CA directly, no ICA included ini the chain + # certificate signed by CA directly, no ICA included in the chain chain = None else: chain = response_dict['chainCerts'][1] From 8738c4d893da3d69e41e6df3a635bdea59ab2f2e Mon Sep 17 00:00:00 2001 From: sirferl Date: Thu, 12 Nov 2020 14:14:20 +0100 Subject: [PATCH 3/9] Entrust: add organization handling-linting --- lemur/plugins/lemur_entrust/plugin.py | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index ab08f948..3e00a1f4 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -83,6 +83,7 @@ def process_options(options, client_id): } return data + def get_client_id(my_response, organization): """ Helper function for parsing responses from the Entrust API. @@ -94,19 +95,16 @@ def get_client_id(my_response, organization): except ValueError: # catch an empty json object here d = {'response': 'No detailed message'} - s = my_response.status_code - if s > 399: - raise Exception(f"ENTRUST error: {msg.get(s, s)}\n{d['errors']}") found = False for y in d["organizations"]: - if y["name"] == organization: - found = True - client_id = y["clientId"] + if y["name"] == organization: + found = True + client_id = y["clientId"] if found: - return client_id + return client_id else: - raise Exception(f"Error on Organization - Use on of the List: {d['organizations']}") + raise Exception(f"Error on Organization - Use on of the List: {d['organizations']}") def handle_response(my_response): From 50ffe6a29c34afae9633633065c1a15c68f4dcb6 Mon Sep 17 00:00:00 2001 
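Review bot: Removing the `status_code > 399` check means an authentication, authorization or rate-limit response from `/organizations` is no longer reported as an ENTRUST error: such a body has no `organizations` key, so the helper now fails with a KeyError on `d["organizations"]`, and the caller in this series performs no status check of its own. Keep the check but make it tolerant of the non-JSON fallback dict, and use `.get` for the lookups so a malformed body still produces the intended message (the message's "Use on of the List" should read "one of"). `msg` is the module-level status-text table the removed line referenced; it is defined outside the hunk.
```python
def get_client_id(my_response, organization):
    # … unchanged: docstring and json.loads / ValueError fallback …
    status = my_response.status_code
    if status > 399:
        raise Exception(f"ENTRUST error: {msg.get(status, status)}\n{d.get('errors', d)}")

    for org in d.get("organizations", []):
        if org.get("name") == organization:
            return org["clientId"]
    raise Exception(f"Error on Organization - Use one of the List: {d.get('organizations')}")
```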
From: sirferl Date: Thu, 12 Nov 2020 14:31:49 +0100 Subject: [PATCH 4/9] Entrust: add organization handling-test change --- lemur/plugins/lemur_entrust/tests/test_entrust.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_entrust/tests/test_entrust.py b/lemur/plugins/lemur_entrust/tests/test_entrust.py index 354e204e..bcb2f50a 100644 --- a/lemur/plugins/lemur_entrust/tests/test_entrust.py +++ b/lemur/plugins/lemur_entrust/tests/test_entrust.py @@ -59,4 +59,5 @@ def test_process_options(mock_current_app, authority): } } - assert expected == plugin.process_options(options) + client_id = 1 + assert expected == plugin.process_options(options, client_id) From b191b32312d380543e37ce3b5340d58ceeb50437 Mon Sep 17 00:00:00 2001 From: sirferl Date: Fri, 13 Nov 2020 07:57:06 +0100 Subject: [PATCH 5/9] Entrust: add organization handling-error in script --- lemur/plugins/lemur_entrust/plugin.py | 4 +++- lemur/plugins/lemur_kubernetes/plugin.py | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_entrust/plugin.py b/lemur/plugins/lemur_entrust/plugin.py index 3e00a1f4..924345eb 100644 --- a/lemur/plugins/lemur_entrust/plugin.py +++ b/lemur/plugins/lemur_entrust/plugin.py @@ -79,7 +79,9 @@ def process_options(options, client_id): "certType": product_type, "certExpiryDate": validity_end, # "keyType": "RSA", Entrust complaining about this parameter - "tracking": tracking_data + "tracking": tracking_data, + "org": options.get("organization"), + "clientId": client_id } return data diff --git a/lemur/plugins/lemur_kubernetes/plugin.py b/lemur/plugins/lemur_kubernetes/plugin.py index f7ff00f7..b8ea3d1b 100644 --- a/lemur/plugins/lemur_kubernetes/plugin.py +++ b/lemur/plugins/lemur_kubernetes/plugin.py 
@@ -96,7 +96,7 @@ def build_secret(secret_format, secret_name, body, private_key, cert_chain): if secret_format == "TLS": secret["type"] = "kubernetes.io/tls" secret["data"] = { - "tls.crt": base64encode(body), + "tls.crt": base64encode("%s\n%s" % (body, cert_chain)), "tls.key": base64encode(private_key), } if secret_format == "Certificate": From ff540069e29138434348408f1f418a030aebbb09 Mon Sep 17 00:00:00 2001 From: sirferl Date: Fri, 13 Nov 2020 08:08:54 +0100 Subject: [PATCH 6/9] Entrust: add organization handling-Update test --- lemur/plugins/lemur_entrust/tests/test_entrust.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_entrust/tests/test_entrust.py b/lemur/plugins/lemur_entrust/tests/test_entrust.py index bcb2f50a..3fe75422 100644 --- a/lemur/plugins/lemur_entrust/tests/test_entrust.py +++ b/lemur/plugins/lemur_entrust/tests/test_entrust.py @@ -56,7 +56,9 @@ def test_process_options(mock_current_app, authority): "requesterName": mock_current_app.config.get("ENTRUST_NAME"), "requesterEmail": mock_current_app.config.get("ENTRUST_EMAIL"), "requesterPhone": mock_current_app.config.get("ENTRUST_PHONE") - } + }, + "org": "Example, Inc.", + "clientID": 1 } client_id = 1 From 75107bcd695552dad2f58a5da5798841803762fd Mon Sep 17 00:00:00 2001 From: sirferl Date: Fri, 13 Nov 2020 08:18:33 +0100 Subject: [PATCH 7/9] Entrust: add organization handling-Lint error --- lemur/plugins/lemur_entrust/tests/test_entrust.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_entrust/tests/test_entrust.py b/lemur/plugins/lemur_entrust/tests/test_entrust.py index 3fe75422..f6835c96 100644 --- a/lemur/plugins/lemur_entrust/tests/test_entrust.py +++ b/lemur/plugins/lemur_entrust/tests/test_entrust.py 
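Review bot: `cert_chain` can be `None` at this call site — elsewhere in this same series the Entrust plugin sets `chain = None` when the CA signed the certificate directly, and whether such a value reaches `cert_chain` depends on the destination caller — and `"%s\n%s" % (body, None)` would then store the literal text `None` after the PEM body in `tls.crt`, which strict PEM consumers will reject. If the intent is to ship the full chain in the `kubernetes.io/tls` secret, guard it: `"tls.crt": base64encode(body if not cert_chain else "%s\n%s" % (body, cert_chain))`. The final patch of the series reverts this hunk as unintentional, leaving only the leaf in `tls.crt`; whether chain-bearing issuers should populate it is worth a deliberate decision rather than an accidental edit either way. `build_secret` starts before the hunk and continues past it.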
@@ -57,7 +57,7 @@ def test_process_options(mock_current_app, authority): "requesterEmail": mock_current_app.config.get("ENTRUST_EMAIL"), "requesterPhone": mock_current_app.config.get("ENTRUST_PHONE") }, - "org": "Example, Inc.", + "org": "Example, Inc.", "clientID": 1 } From 334367376f80781b3655eee67f438536ae5fec65 Mon Sep 17 00:00:00 2001 From: sirferl Date: Sat, 14 Nov 2020 11:50:25 +0100 Subject: [PATCH 8/9] Entrust: add organization handling-param error --- lemur/plugins/lemur_entrust/tests/test_entrust.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_entrust/tests/test_entrust.py b/lemur/plugins/lemur_entrust/tests/test_entrust.py index f6835c96..2c501581 100644 --- a/lemur/plugins/lemur_entrust/tests/test_entrust.py +++ b/lemur/plugins/lemur_entrust/tests/test_entrust.py @@ -58,7 +58,7 @@ def test_process_options(mock_current_app, authority): "requesterPhone": mock_current_app.config.get("ENTRUST_PHONE") }, "org": "Example, Inc.", - "clientID": 1 + "clientId": 1 } client_id = 1 From 5f1978a4da9a3da210d39408bad8d1ee88c54f39 Mon Sep 17 00:00:00 2001 From: sirferl Date: Sat, 14 Nov 2020 12:00:59 +0100 Subject: [PATCH 9/9] Kubernetes: revert unintentionally change --- lemur/plugins/lemur_kubernetes/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/plugins/lemur_kubernetes/plugin.py b/lemur/plugins/lemur_kubernetes/plugin.py index b8ea3d1b..f7ff00f7 100644 --- a/lemur/plugins/lemur_kubernetes/plugin.py +++ b/lemur/plugins/lemur_kubernetes/plugin.py @@ -96,7 +96,7 @@ def build_secret(secret_format, secret_name, body, private_key, cert_chain): if secret_format == "TLS": secret["type"] = "kubernetes.io/tls" secret["data"] = { - "tls.crt": base64encode("%s\n%s" % (body, cert_chain)), + "tls.crt": base64encode(body), "tls.key": base64encode(private_key), } if secret_format == "Certificate":