Closes #122

2015-11-24 14:53:22 -08:00
parent ce1fe9321c
commit d6b3f5af81
13 changed files with 306 additions and 117 deletions
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -22,7 +22,8 @@ from lemur.domains.models import Domain
 from lemur.constants import SAN_NAMING_TEMPLATE, DEFAULT_NAMING_TEMPLATE

 from lemur.models import certificate_associations, certificate_source_associations, \
-    certificate_destination_associations, certificate_notification_associations
+    certificate_destination_associations, certificate_notification_associations, \
+    certificate_replacement_associations


 def create_name(issuer, not_before, not_after, subject, san):
@ -32,6 +33,11 @@ def create_name(issuer, not_before, not_after, subject, san):
    useful information such as Common Name, Validation dates,
    and Issuer.

+    :param san:
+    :param subject:
+    :param not_after:
+    :param issuer:
+    :param not_before:
    :rtype : str
    :return:
    """
@ -231,6 +237,11 @@ class Certificate(db.Model):
    authority_id = Column(Integer, ForeignKey('authorities.id'))
    notifications = relationship("Notification", secondary=certificate_notification_associations, backref='certificate')
    destinations = relationship("Destination", secondary=certificate_destination_associations, backref='certificate')
+    replaces = relationship("Certificate",
+                            secondary=certificate_replacement_associations,
+                            primaryjoin=id == certificate_replacement_associations.c.certificate_id,  # noqa
+                            secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id,  # noqa
+                            backref='replaced')
    sources = relationship("Source", secondary=certificate_source_associations, backref='certificate')
    domains = relationship("Domain", secondary=certificate_associations, backref="certificate")

@ -280,11 +291,44 @@ class Certificate(db.Model):
        """
        return "arn:aws:iam::{}:server-certificate/{}".format(account_number, self.name)

-    def as_dict(self):
-        return {c.name: getattr(self, c.name) for c in self.__table__.columns}
-

@event.listens_for(Certificate.destinations, 'append')
 def update_destinations(target, value, initiator):
+    """
+    Attempt to upload the new certificate to the new destination
+
+    :param target:
+    :param value:
+    :param initiator:
+    :return:
+    """
    destination_plugin = plugins.get(value.plugin_name)
    destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)
+
+
+@event.listens_for(Certificate.replaces, 'append')
+def update_replacement(target, value, initiator):
+    """
+    When a certificate is marked as 'replaced' it is then marked as in-active
+
+    :param target:
+    :param value:
+    :param initiator:
+    :return:
+    """
+    value.active = False
+
+
+@event.listens_for(Certificate, 'before_update')
+def protect_active(mapper, connection, target):
+    """
+    When a certificate has a replacement do not allow it to be marked as 'active'
+
+    :param connection:
+    :param mapper:
+    :param target:
+    :return:
+    """
+    if target.active:
+        if target.replaced:
+            raise Exception("Cannot mark certificate as active, certificate has been marked as replaced.")
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -76,13 +76,16 @@ def find_duplicates(cert_body):
    return Certificate.query.filter_by(body=cert_body).all()


-def update(cert_id, owner, description, active, destinations, notifications):
+def update(cert_id, owner, description, active, destinations, notifications, replaces):
    """
-    Updates a certificate.
-
+    Updates a certificate
    :param cert_id:
    :param owner:
+    :param description:
    :param active:
+    :param destinations:
+    :param notifications:
+    :param replaces:
    :return:
    """
    from lemur.notifications import service as notification_service
@ -104,6 +107,7 @@ def update(cert_id, owner, description, active, destinations, notifications):
    cert.notifications = new_notifications

    database.update_list(cert, 'destinations', Destination, destinations)
+    database.update_list(cert, 'replaces', Certificate, replaces)

    cert.owner = owner

@ -165,6 +169,7 @@ def import_certificate(**kwargs):

    notification_name = 'DEFAULT_SECURITY'
    notifications = notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
+    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])
    cert.notifications = notifications

    cert = database.create(cert)
@ -194,8 +199,8 @@ def upload(**kwargs):
    g.user.certificates.append(cert)

    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
-
    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))
+    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])

    # create default notifications for this certificate if none are provided
    notifications = []
@ -228,7 +233,7 @@ def create(**kwargs):
    # do this after the certificate has already been created because if it fails to upload to the third party
    # we do not want to lose the certificate information.
    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
-
+    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])
    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))

    # create default notifications for this certificate if none are provided
--- a/lemur/certificates/views.py
+++ b/lemur/certificates/views.py
@ -269,7 +269,10 @@ class CertificatesList(AuthenticatedResource):
                },
                "commonName": "test",
                "validityStart": "2015-06-05T07:00:00.000Z",
-                "validityEnd": "2015-06-16T07:00:00.000Z"
+                "validityEnd": "2015-06-16T07:00:00.000Z",
+                "replacements": [
+                    {'id': 123}
+                ]
             }

           **Example response**:
@ -317,6 +320,7 @@ class CertificatesList(AuthenticatedResource):
        self.reqparse.add_argument('extensions', type=dict, location='json')
        self.reqparse.add_argument('destinations', type=list, default=[], location='json')
        self.reqparse.add_argument('notifications', type=list, default=[], location='json')
+        self.reqparse.add_argument('replacements', type=list, default=[], location='json')
        self.reqparse.add_argument('validityStart', type=str, location='json')  # TODO validate
        self.reqparse.add_argument('validityEnd', type=str, location='json')  # TODO validate
        self.reqparse.add_argument('authority', type=valid_authority, location='json', required=True)
@ -375,6 +379,7 @@ class CertificatesUpload(AuthenticatedResource):
                 "privateKey": "---Begin Private..."
                 "destinations": [],
                 "notifications": [],
+                 "replacements": [],
                 "name": "cert1"
              }

@ -419,8 +424,9 @@ class CertificatesUpload(AuthenticatedResource):
        self.reqparse.add_argument('owner', type=str, required=True, location='json')
        self.reqparse.add_argument('name', type=str, location='json')
        self.reqparse.add_argument('publicCert', type=pem_str, required=True, dest='public_cert', location='json')
-        self.reqparse.add_argument('destinations', type=list, default=[], dest='destinations', location='json')
-        self.reqparse.add_argument('notifications', type=list, default=[], dest='notifications', location='json')
+        self.reqparse.add_argument('destinations', type=list, default=[], location='json')
+        self.reqparse.add_argument('notifications', type=list, default=[], location='json')
+        self.reqparse.add_argument('replacements', type=list, default=[], location='json')
        self.reqparse.add_argument('intermediateCert', type=pem_str, dest='intermediate_cert', location='json')
        self.reqparse.add_argument('privateKey', type=private_key_str, dest='private_key', location='json')

@ -575,7 +581,8 @@ class Certificates(AuthenticatedResource):
                 "owner": "jimbob@example.com",
                 "active": false
                 "notifications": [],
-                 "destinations": []
+                 "destinations": [],
+                 "replacements": []
              }

           **Example response**:
@ -614,6 +621,7 @@ class Certificates(AuthenticatedResource):
        self.reqparse.add_argument('description', type=str, location='json')
        self.reqparse.add_argument('destinations', type=list, default=[], location='json')
        self.reqparse.add_argument('notifications', type=notification_list, default=[], location='json')
+        self.reqparse.add_argument('replacements', type=list, default=[], location='json')
        args = self.reqparse.parse_args()

        cert = service.get(certificate_id)
@ -628,7 +636,8 @@ class Certificates(AuthenticatedResource):
                args['description'],
                args['active'],
                args['destinations'],
-                args['notifications']
+                args['notifications'],
+                args['replacements']
            )

        return dict(message='You are not authorized to update this certificate'), 403
@ -711,9 +720,65 @@ class NotificationCertificatesList(AuthenticatedResource):
        return service.render(args)


+class CertificatesReplacementsList(AuthenticatedResource):
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(CertificatesReplacementsList, self).__init__()
+
+    @marshal_items(FIELDS)
+    def get(self, certificate_id):
+        """
+        .. http:get:: /certificates/1/replacements
+
+           One certificate
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /certificates/1/replacements HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              [{
+                "id": 1,
+                "name": "cert1",
+                "description": "this is cert1",
+                "bits": 2048,
+                "deleted": false,
+                "issuer": "ExampeInc.",
+                "serial": "123450",
+                "chain": "-----Begin ...",
+                "body": "-----Begin ...",
+                "san": true,
+                "owner": "bob@example.com",
+                "active": true,
+                "notBefore": "2015-06-05T17:09:39",
+                "notAfter": "2015-06-10T17:09:39",
+                "signingAlgorithm": "sha2",
+                "cn": "example.com",
+                "status": "unknown"
+              }]
+
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+        return service.get(certificate_id).replaces
+
+
 api.add_resource(CertificatesList, '/certificates', endpoint='certificates')
 api.add_resource(Certificates, '/certificates/<int:certificate_id>', endpoint='certificate')
 api.add_resource(CertificatesStats, '/certificates/stats', endpoint='certificateStats')
 api.add_resource(CertificatesUpload, '/certificates/upload', endpoint='certificateUpload')
 api.add_resource(CertificatePrivateKey, '/certificates/<int:certificate_id>/key', endpoint='privateKeyCertificates')
 api.add_resource(NotificationCertificatesList, '/notifications/<int:notification_id>/certificates', endpoint='notificationCertificates')
+api.add_resource(CertificatesReplacementsList, '/certificates/<int:certificate_id>/replacements', endpoint='replacements')