Infra
/
lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #240 from kevgliss/234-truststore-permission 

Adding a new flag to export plugins 'requires_key' that specifies whe…
This commit is contained in:
kevgliss 2016-01-29 12:55:41 -08:00
parent f8b6830013 028d86c0bb
commit d263e0e60c
4 changed files with 78 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lemur/certificates/views.py
View File

@ -15,6 +15,8 @@ from cryptography import x509
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives import serialization
from lemur.plugins import plugins
from lemur.auth.service import AuthenticatedResource from lemur.auth.service import AuthenticatedResource
from lemur.auth.permissions import ViewKeyPermission from lemur.auth.permissions import ViewKeyPermission
from lemur.auth.permissions import AuthorityPermission from lemur.auth.permissions import AuthorityPermission
@ -892,12 +894,17 @@ class CertificateExport(AuthenticatedResource):
permission = UpdateCertificatePermission(certificate_id, getattr(role, 'name', None)) permission = UpdateCertificatePermission(certificate_id, getattr(role, 'name', None))
if permission.can(): plugin = plugins.get(args['export']['plugin']['slug'])
extension, passphrase, data = service.export(cert, args['export']['plugin']) if plugin.requires_key:
# we take a hit in message size when b64 encoding if permission.can():
return dict(extension=extension, passphrase=passphrase, data=base64.b64encode(data)) extension, passphrase, data = plugin.export(cert.body, cert.chain, cert.private_key, args['export']['plugin']['pluginOptions'])
else:
return dict(message='You are not authorized to export this certificate'), 403
else:
extension, passphrase, data = plugin.export(cert.body, cert.chain, cert.private_key, args['export']['plugin']['pluginOptions'])
return dict(message='You are not authorized to export this certificate'), 403 # we take a hit in message size when b64 encoding
return dict(extension=extension, passphrase=passphrase, data=base64.b64encode(data))
api.add_resource(CertificatesList, '/certificates', endpoint='certificates') api.add_resource(CertificatesList, '/certificates', endpoint='certificates')

1
lemur/plugins/bases/export.py
View File

@ -15,6 +15,7 @@ class ExportPlugin(Plugin):
exporters will inherit from. exporters will inherit from.
""" """
type = 'export' type = 'export'
requires_key = True
def export(self): def export(self):
raise NotImplemented raise NotImplemented

86
lemur/plugins/lemur_java/plugin.py
View File

@ -120,10 +120,11 @@ def create_keystore(cert, jks_tmp, key, alias, passphrase):
]) ])
class JavaExportPlugin(ExportPlugin): class JavaTruststoreExportPlugin(ExportPlugin):
title = 'Java' title = 'Java Truststore (JKS)'
slug = 'java-export' slug = 'java-truststore-jks'
description = 'Attempts to generate a JKS keystore or truststore' description = 'Attempts to generate a JKS truststore'
requires_key = False
version = java.VERSION version = java.VERSION
author = 'Kevin Glisson' author = 'Kevin Glisson'
@ -131,11 +132,10 @@ class JavaExportPlugin(ExportPlugin):
options = [ options = [
{ {
'name': 'type', 'name': 'alias',
'type': 'select', 'type': 'str',
'required': True, 'required': False,
'available': ['Truststore (JKS)', 'Keystore (JKS)'], 'helpMessage': 'Enter the alias you wish to use for the truststore.',
'helpMessage': 'Choose the format you wish to export',
}, },
{ {
'name': 'passphrase', 'name': 'passphrase',
@ -144,6 +144,55 @@ class JavaExportPlugin(ExportPlugin):
'helpMessage': 'If no passphrase is given one will be generated for you, we highly recommend this. Minimum length is 8.', 'helpMessage': 'If no passphrase is given one will be generated for you, we highly recommend this. Minimum length is 8.',
'validation': '' 'validation': ''
}, },
]
def export(self, body, chain, key, options, **kwargs):
"""
Generates a Java Truststore
:param key:
:param chain:
:param body:
:param options:
:param kwargs:
"""
if self.get_option('alias', options):
alias = self.get_option('alias', options)
else:
alias = "blah"
if self.get_option('passphrase', options):
passphrase = self.get_option('passphrase', options)
else:
passphrase = get_psuedo_random_string()
with mktemppath() as jks_tmp:
create_truststore(body, chain, jks_tmp, alias, passphrase)
with open(jks_tmp, 'rb') as f:
raw = f.read()
return "jks", passphrase, raw
class JavaKeystoreExportPlugin(ExportPlugin):
title = 'Java Keystore (JKS)'
slug = 'java-keystore-jks'
description = 'Attempts to generate a JKS keystore'
version = java.VERSION
author = 'Kevin Glisson'
author_url = 'https://github.com/netflix/lemur'
options = [
{
'name': 'passphrase',
'type': 'str',
'required': False,
'helpMessage': 'If no passphrase is given one will be generated for you, we highly recommend this. Minimum length is 8.',
'validation': ''
},
{ {
'name': 'alias', 'name': 'alias',
'type': 'str', 'type': 'str',
@ -154,7 +203,7 @@ class JavaExportPlugin(ExportPlugin):
def export(self, body, chain, key, options, **kwargs): def export(self, body, chain, key, options, **kwargs):
""" """
Generates a Java Keystore or Truststore Generates a Java Keystore
:param key: :param key:
:param chain: :param chain:
@ -173,21 +222,12 @@ class JavaExportPlugin(ExportPlugin):
else: else:
alias = "blah" alias = "blah"
type = self.get_option('type', options)
with mktemppath() as jks_tmp: with mktemppath() as jks_tmp:
if type == 'Truststore (JKS)': if not key:
create_truststore(body, chain, jks_tmp, alias, passphrase) raise Exception("Unable to export, no private key found.")
elif type == 'Keystore (JKS)': create_truststore(body, chain, jks_tmp, alias, passphrase)
if not key: create_keystore(body, jks_tmp, key, alias, passphrase)
raise Exception("Unable to export, no private key found.")
create_truststore(body, chain, jks_tmp, alias, passphrase)
create_keystore(body, jks_tmp, key, alias, passphrase)
else:
raise Exception("Unable to export, unsupported type: {0}".format(type))
with open(jks_tmp, 'rb') as f: with open(jks_tmp, 'rb') as f:
raw = f.read() raw = f.read()

3
setup.py
View File

@ -165,7 +165,8 @@ setup(
'aws_destination = lemur.plugins.lemur_aws.plugin:AWSDestinationPlugin', 'aws_destination = lemur.plugins.lemur_aws.plugin:AWSDestinationPlugin',
'aws_source = lemur.plugins.lemur_aws.plugin:AWSSourcePlugin', 'aws_source = lemur.plugins.lemur_aws.plugin:AWSSourcePlugin',
'email_notification = lemur.plugins.lemur_email.plugin:EmailNotificationPlugin', 'email_notification = lemur.plugins.lemur_email.plugin:EmailNotificationPlugin',
'java_export = lemur.plugins.lemur_java.plugin:JavaExportPlugin', 'java_truststore_export = lemur.plugins.lemur_java.plugin:JavaTruststoreExportPlugin',
'java_keystore_export = lemur.plugins.lemur_java.plugin:JavaKeystoreExportPlugin',
'openssl_export = lemur.plugins.lemur_openssl.plugin:OpenSSLExportPlugin' 'openssl_export = lemur.plugins.lemur_openssl.plugin:OpenSSLExportPlugin'
], ],
}, },