From 77cec4fde94e25dd2a11b4bceae206f98e1b1da5 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 5 Feb 2020 19:11:36 +0300
Subject: [PATCH 01/21] Fix ssl env. Add issuer and authority

---
 docker/src/lemur.conf.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py
index 0f294b28..7c98227f 100644
--- a/docker/src/lemur.conf.py
+++ b/docker/src/lemur.conf.py
@@ -17,11 +17,14 @@
 LEMUR_EMAIL = ''
 LEMUR_SECURITY_TEAM_EMAIL = []
 
-LEMUR_DEFAULT_COUNTRY = repr(os.environ.get('LEMUR_DEFAULT_COUNTRY',''))
-LEMUR_DEFAULT_STATE = repr(os.environ.get('LEMUR_DEFAULT_STATE',''))
-LEMUR_DEFAULT_LOCATION = repr(os.environ.get('LEMUR_DEFAULT_LOCATION',''))
-LEMUR_DEFAULT_ORGANIZATION = repr(os.environ.get('LEMUR_DEFAULT_ORGANIZATION',''))
-LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = repr(os.environ.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT',''))
+LEMUR_DEFAULT_COUNTRY = str(os.environ.get('LEMUR_DEFAULT_COUNTRY',''))
+LEMUR_DEFAULT_STATE = str(os.environ.get('LEMUR_DEFAULT_STATE',''))
+LEMUR_DEFAULT_LOCATION = str(os.environ.get('LEMUR_DEFAULT_LOCATION',''))
+LEMUR_DEFAULT_ORGANIZATION = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATION',''))
+LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = str(os.environ.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT',''))
+
+LEMUR_DEFAULT_ISSUER_PLUGIN = str(os.environ.get('LEMUR_DEFAULT_ISSUER_PLUGIN',''))
+LEMUR_DEFAULT_AUTHORITY = str(os.environ.get('LEMUR_DEFAULT_AUTHORITY',''))
 
 ACTIVE_PROVIDERS = []
 

From 9612d291ed4fc17eb07ce5e71d1e34a4e3cf3f70 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Tue, 18 Feb 2020 19:16:27 +0300
Subject: [PATCH 02/21] Add path suffix options

---
 lemur/plugins/lemur_vault_dest/plugin.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index e1715592..7cfc56db 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
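Review bot: `str(os.environ.get(...))` on the replaced lines wraps a value that is already a `str`, so the call is a no-op; the real fix here is dropping `repr()`, which had been baking quote characters into the subject defaults, and `LEMUR_DEFAULT_COUNTRY = os.environ.get('LEMUR_DEFAULT_COUNTRY', '')` is the cleaner form for all seven lines, including the two new `LEMUR_DEFAULT_ISSUER_PLUGIN` / `LEMUR_DEFAULT_AUTHORITY` settings. Because every unset variable becomes `''`, Lemur cannot tell "not configured" from "configured empty"; if the application treats a missing default as optional, leaving the default at `None` would preserve that distinction — worth confirming against how these settings are consumed.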
@@ -180,6 +180,13 @@ class VaultDestinationPlugin(DestinationPlugin):
 "validation": "^([a-zA-Z0-9._-]+/?)+$",
 "helpMessage": "Must be a valid Vault secrets path",
 },
+ {
+ "name": "vaultSuffix",
+ "type": "str",
+ "required": False,
+ "validation": "^([a-zA-Z0-9._-]+/?)+$",
+ "helpMessage": "Must be a valid Vault secrets path",
+ },
 {
 "name": "objectName",
 "type": "str",
@@ -222,6 +229,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 token_file = self.get_option("vaultAuthTokenFile", options)
 mount = self.get_option("vaultMount", options)
 path = self.get_option("vaultPath", options)
+ suffix = self.get_option("vaultSuffix", options)
 bundle = self.get_option("bundleChain", options)
 obj_name = self.get_option("objectName", options)
 api_version = self.get_option("vaultKvApiVersion", options)
@@ -255,6 +263,9 @@ class VaultDestinationPlugin(DestinationPlugin):
 path = "{0}/{1}".format(path, obj_name)
 else:
 path = "{0}/{1}".format(path, cname)
+
+ if suffix:
+ path = "{0}/{1}".format(path, suffix)
 
 secret = get_secret(client, mount, path)
 secret["data"][cname] = {}

From ccb811516c11e209a759c6b131f3e9bab7d068d8 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Tue, 18 Feb 2020 19:43:48 +0300
Subject: [PATCH 03/21] Add dockerfile to build from repo

---
 docker/Dockerfile-src | 64 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 docker/Dockerfile-src

diff --git a/docker/Dockerfile-src b/docker/Dockerfile-src
new file mode 100644
index 00000000..68f4ed7d
--- /dev/null
+++ b/docker/Dockerfile-src
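Review bot: `vaultSuffix` is joined with `"{0}/{1}".format(path, suffix)` in the last hunk, but its validation regex `^([a-zA-Z0-9._-]+/?)+$` accepts a trailing `/` and dot-only segments (`foo/`, `..`), so the resulting secret path can carry an empty or `.`/`..` segment; I would not rely on Vault normalising those, and since Vault policies are path-based the secret may land somewhere the configured policy does not cover. Strip the slash when joining — `path = "{0}/{1}".format(path, suffix.strip("/"))` — and tighten the regex to `^([a-zA-Z0-9._-]+)(/[a-zA-Z0-9._-]+)*$` so a trailing slash is rejected at configuration time; dot-only segments still need an explicit check. The enclosing `upload` method starts and ends outside the hunk.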
@@ -0,0 +1,64 @@
+FROM alpine:3.8
+
+ARG VERSION
+ENV VERSION master
+
+ENV uid 1337
+ENV gid 1337
+ENV user lemur
+ENV group lemur
+
+RUN addgroup -S ${group} -g ${gid} && \
+ adduser -D -S ${user} -G ${group} -u ${uid} && \
+ apk --update add python3 libldap postgresql-client nginx supervisor curl tzdata openssl bash && \
+ apk --update add --virtual build-dependencies \
+ git \
+ tar \
+ curl \
+ python3-dev \
+ npm \
+ bash \
+ musl-dev \
+ gcc \
+ autoconf \
+ automake \
+ make \
+ nasm \
+ zlib-dev \
+ postgresql-dev \
+ libressl-dev \
+ libffi-dev \
+ cyrus-sasl-dev \
+ openldap-dev && \
+ pip3 install --upgrade pip && \
+ pip3 install --upgrade setuptools && \
+ mkdir -p /home/lemur/.lemur/ && \
+ mkdir -p /run/nginx/ /etc/nginx/ssl/
+
+COPY lemur /opt/lemur
+WORKDIR /opt/lemur
+
+RUN chown -R $user:$group /opt/lemur/ /home/lemur/.lemur/ && \
+ npm install --unsafe-perm && \
+ pip3 install -e . && \
+ node_modules/.bin/gulp build && \
+ node_modules/.bin/gulp package --urlContextPath=$(urlContextPath) && \
+ apk del build-dependencies
+
+COPY docker/entrypoint /
+COPY docker/src/lemur.conf.py /home/lemur/.lemur/lemur.conf.py
+COPY docker/supervisor.conf /
+COPY docker/nginx/default.conf /etc/nginx/conf.d/
+COPY docker/nginx/default-ssl.conf /etc/nginx/conf.d/
+
+RUN chmod +x /entrypoint
+WORKDIR /
+
+HEALTHCHECK --interval=12s --timeout=12s --start-period=30s \
+ CMD curl --fail http://localhost:80/api/1/healthcheck | grep -q ok || exit 1
+
+USER root
+
+ENTRYPOINT ["/entrypoint"]
+
+CMD ["/usr/bin/supervisord","-c","supervisor.conf"]

From 1430ac539531dc38f60fd5eb9e250da50a1b6552 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Tue, 18 Feb 2020 19:54:41 +0300
Subject: [PATCH 04/21] fix

---
 docker/Dockerfile-src | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/Dockerfile-src b/docker/Dockerfile-src
index 68f4ed7d..c23f249c 100644
--- a/docker/Dockerfile-src
+++ b/docker/Dockerfile-src
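Review bot: `--urlContextPath=$(urlContextPath)` in the second `RUN` is shell command substitution, not variable expansion — it tries to execute a program called `urlContextPath`, which does not exist in the image, so the build will print a not-found error and the option is always passed empty. Declare it as a build argument and expand it as a variable: `ARG urlContextPath=` above that `RUN` and `--urlContextPath=${urlContextPath}` in the command. Relatedly, `ARG VERSION` is immediately overridden by `ENV VERSION master`, so `--build-arg VERSION=...` has no effect; `ENV VERSION=${VERSION:-master}` keeps the argument meaningful. The `lemur` user is created and given ownership of the tree, yet the image ends with `USER root`; if supervisord needs root to spawn nginx and crond, a one-line comment next to `USER root` saying so would stop the next reader from "fixing" it.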
@@ -35,7 +35,7 @@ RUN addgroup -S ${group} -g ${gid} && \
 mkdir -p /home/lemur/.lemur/ && \
 mkdir -p /run/nginx/ /etc/nginx/ssl/
 
-COPY lemur /opt/lemur
+COPY ./ /opt/lemur
 WORKDIR /opt/lemur
 
 RUN chown -R $user:$group /opt/lemur/ /home/lemur/.lemur/ && \

From ce69d47b8b2e8b4dd4ca2f6b44f13ed5fe502e58 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 26 Feb 2020 19:43:16 +0300
Subject: [PATCH 05/21] Fix

---
 docker/entrypoint | 6 +++---
 docker/supervisor.conf | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/docker/entrypoint b/docker/entrypoint
index 2a3a84e3..50df18dd 100644
--- a/docker/entrypoint
+++ b/docker/entrypoint
@@ -49,9 +49,9 @@ cron_sync="${CRON_SYNC:-"*/15 * * * *"}"
 cron_revoked="${CRON_CHECK_REVOKED:-"0 22 * * *"}"
 
 echo " # Populating crontab"
-echo "${cron_notify} lemur python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur_notify
-echo "${cron_sync} lemur python3 /opt/lemur/lemur/manage.py source sync -s all" > /etc/crontabs/lemur_sync
-echo "${cron_revoked} lemur python3 /opt/lemur/lemur/manage.py certificate check_revoked" > /etc/crontabs/lemur_revoked
+echo "${cron_notify} python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur
+echo "${cron_sync} python3 /opt/lemur/lemur/manage.py source sync -s all" >> /etc/crontabs/lemur
+echo "${cron_revoked} python3 /opt/lemur/lemur/manage.py certificate check_revoked" >> /etc/crontabs/lemur
 echo " # Done"
 
 exec "$@"
diff --git a/docker/supervisor.conf b/docker/supervisor.conf
index fed01581..eedd5c16 100644
--- a/docker/supervisor.conf
+++ b/docker/supervisor.conf
@@ -24,6 +24,7 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 
 [program:cron]
+environment=LEMUR_CONF=/home/lemur/.lemur/lemur.conf.py
 command=/usr/sbin/crond -f
 user=root
 stdout_logfile=/dev/stdout

From a584aeb7eb25b8305da55685f576076cf6b4136a Mon Sep 17 00:00:00 2001
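Review bot: `COPY ./ /opt/lemur` now pulls the entire build context into the image layer — `.git`, any local virtualenv or `node_modules`, and whatever `.env` or key material happens to sit in the developer's checkout — and the `chown -R` on the next `RUN` then hands all of it to the service user. Before relying on this, add a `.dockerignore` that excludes at least `.git`, `docker/`, `node_modules`, `*.egg-info` and local config files, or copy only the directories the build actually needs; a comment on the `COPY` line naming what is expected in the context would also help.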
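Review bot: The new `environment=LEMUR_CONF=...` line sets the variable on the `crond` process in supervisor.conf, but whether busybox `crond` hands its own environment to the jobs it spawns is something I would verify before trusting it — if it does not, the three `manage.py` invocations written to `/etc/crontabs/lemur` run without `LEMUR_CONF` and use whatever configuration Lemur falls back to. Putting the variable on each crontab command makes it explicit regardless of crond behaviour, e.g. `echo "${cron_notify} LEMUR_CONF=/home/lemur/.lemur/lemur.conf.py python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur` and likewise for the two `>>` lines. The old `lemur_notify`/`lemur_sync`/`lemur_revoked` files are no longer written but are not removed either, so if `/etc/crontabs` is ever persisted across an upgrade the jobs would be scheduled twice.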
From: Ilya Makarov
Date: Wed, 26 Feb 2020 20:12:53 +0300
Subject: [PATCH 06/21] User lemur instead manage.py

---
 docker/entrypoint | 8 ++++----
 docker/supervisor.conf | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docker/entrypoint b/docker/entrypoint
index 50df18dd..6ac17a7a 100644
--- a/docker/entrypoint
+++ b/docker/entrypoint
@@ -36,7 +36,7 @@ fi
 # fi
 
 echo " # Running init"
-su lemur -s /bin/bash -c "cd /opt/lemur/lemur; python3 /opt/lemur/lemur/manage.py init -p ${LEMUR_ADMIN_PASSWORD}"
+su lemur -s /bin/bash -c "cd /opt/lemur/lemur; lemur init -p ${LEMUR_ADMIN_PASSWORD}"
 echo " # Done"
 
 # echo "Creating user"
@@ -49,9 +49,9 @@ cron_sync="${CRON_SYNC:-"*/15 * * * *"}"
 cron_revoked="${CRON_CHECK_REVOKED:-"0 22 * * *"}"
 
 echo " # Populating crontab"
-echo "${cron_notify} python3 /opt/lemur/lemur/manage.py notify expirations" > /etc/crontabs/lemur
-echo "${cron_sync} python3 /opt/lemur/lemur/manage.py source sync -s all" >> /etc/crontabs/lemur
-echo "${cron_revoked} python3 /opt/lemur/lemur/manage.py certificate check_revoked" >> /etc/crontabs/lemur
+echo "${cron_notify} lemur notify expirations" > /etc/crontabs/lemur
+echo "${cron_sync} lemur source sync -s all" >> /etc/crontabs/lemur
+echo "${cron_revoked} lemur certificate check_revoked" >> /etc/crontabs/lemur
 echo " # Done"
 
 exec "$@"
diff --git a/docker/supervisor.conf b/docker/supervisor.conf
index eedd5c16..ec4b221d 100644
--- a/docker/supervisor.conf
+++ b/docker/supervisor.conf
@@ -7,7 +7,7 @@ pidfile = /tmp/supervisord.pid
 
 [program:lemur]
 environment=LEMUR_CONF=/home/lemur/.lemur/lemur.conf.py
-command=/usr/bin/python3 manage.py start -b 0.0.0.0:8000
+command=lemur start -b 0.0.0.0:8000
 user=lemur
 directory=/opt/lemur/lemur
 stdout_logfile=/dev/stdout

From 5fb3da8bec936c3568f6435015eb3417bc767a29 Mon Sep 17 00:00:00 2001
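Review bot: On the changed `su lemur -s /bin/bash -c "... lemur init -p ${LEMUR_ADMIN_PASSWORD}"` line the admin password is expanded by the outer shell into the `-c` string unquoted, so a password containing a space, `;`, `$`, backtick or quote is split or executed by the inner bash, and the full value is visible to every process on the host through the argument list of `su` and `bash`. Let the inner shell read it from its own environment instead — `su lemur -s /bin/bash -c 'cd /opt/lemur/lemur; lemur init -p "$LEMUR_ADMIN_PASSWORD"'` — which keeps the secret out of the outer command line and out of the metacharacter problem (I believe `su` without `-`/`-l` preserves the caller's environment on both busybox and util-linux, but confirm on this image). The `lemur init -p` process itself still exposes the value in its argv; if the CLI can take the password from stdin or a file, prefer that. The `-c` line sits between `echo " # Running init"` and `echo " # Done"`, so the note applies to that single command.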
From: Ilya Makarov
Date: Thu, 27 Feb 2020 11:24:35 +0300
Subject: [PATCH 07/21] Add certificate reissue to cron

---
 docker/entrypoint | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker/entrypoint b/docker/entrypoint
index 6ac17a7a..3f25951a 100644
--- a/docker/entrypoint
+++ b/docker/entrypoint
@@ -47,11 +47,13 @@ echo " # Done"
 cron_notify="${CRON_NOTIFY:-"0 22 * * *"}"
 cron_sync="${CRON_SYNC:-"*/15 * * * *"}"
 cron_revoked="${CRON_CHECK_REVOKED:-"0 22 * * *"}"
+cron_reissue="${CRON_REISSUE:-"0 23 * * *"}"
 
 echo " # Populating crontab"
 echo "${cron_notify} lemur notify expirations" > /etc/crontabs/lemur
 echo "${cron_sync} lemur source sync -s all" >> /etc/crontabs/lemur
 echo "${cron_revoked} lemur certificate check_revoked" >> /etc/crontabs/lemur
+echo "${cron_reissue} lemur certificate reissue -c" >> /etc/crontabs/lemur
 echo " # Done"
 
 exec "$@"

From fe67ff21469fa2acda41710a97eacb154b7cf650 Mon Sep 17 00:00:00 2001
From: e11it
Date: Mon, 2 Mar 2020 09:18:02 +0300
Subject: [PATCH 08/21] Update plugin.py Fix lint
---
 lemur/plugins/lemur_vault_dest/plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index d1b6bc68..0101f5a9 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -297,7 +297,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 path = "{0}/{1}".format(path, obj_name)
 else:
 path = "{0}/{1}".format(path, cname)
-
+
 if suffix:
 path = "{0}/{1}".format(path, suffix)
 

From 27a86f5c189d6859ebf749b8f847ea78f29f7c89 Mon Sep 17 00:00:00 2001
From: e11it
Date: Tue, 3 Mar 2020 21:45:33 +0300
Subject: [PATCH 09/21] Fix: San values #2921 Not sure is it correct solution
---
 lemur/certificates/schemas.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py
index 8f15542d..bc7ff1b0 100644
--- a/lemur/certificates/schemas.py
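Review bot: The new `cron_reissue` line schedules `lemur certificate reissue -c` unconditionally in every container started from this image, defaulting to `0 23 * * *`; unlike the notify, sync and check_revoked jobs this one presumably requests new certificates from the configured authorities, so a deployment that merely upgrades the image starts reissuing nightly without opting in. Consider making it opt-in, e.g. drop the default and only add the line when the variable is set: `[ -n "${CRON_REISSUE:-}" ] && echo "${CRON_REISSUE} lemur certificate reissue -c" >> /etc/crontabs/lemur`. What `-c` restricts the command to is not visible here; a comment on the line naming the intended scope would help.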
+++ b/lemur/certificates/schemas.py
@@ -146,7 +146,9 @@ class CertificateInputSchema(CertificateCreationSchema):
 data["extensions"]["subAltNames"] = {"names": []}
 elif not data["extensions"]["subAltNames"].get("names"):
 data["extensions"]["subAltNames"]["names"] = []
- data["extensions"]["subAltNames"]["names"] += csr_sans
+
+ if not data["extensions"]["subAltNames"]["names"]:
+ data["extensions"]["subAltNames"]["names"] += csr_sans
 
 return missing.convert_validity_years(data)
 

From 790367ea5af4812a0c8032bf69aa1259fd8dcda1 Mon Sep 17 00:00:00 2001
From: e11it
Date: Tue, 10 Mar 2020 13:46:59 +0300
Subject: [PATCH 10/21] Update lemur.conf.py ALLOW_CERT_DELETION from env
---
 docker/src/lemur.conf.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py
index 7c98227f..3cc51792 100644
--- a/docker/src/lemur.conf.py
+++ b/docker/src/lemur.conf.py
@@ -16,6 +16,7 @@
 LEMUR_WHITELISTED_DOMAINS = []
 LEMUR_EMAIL = ''
 LEMUR_SECURITY_TEAM_EMAIL = []
+ALLOW_CERT_DELETION = os.environ.get('ALLOW_CERT_DELETION') == "True"
 LEMUR_DEFAULT_COUNTRY = str(os.environ.get('LEMUR_DEFAULT_COUNTRY',''))
 LEMUR_DEFAULT_STATE = str(os.environ.get('LEMUR_DEFAULT_STATE',''))

From d3cb0b517a0dd6dc29bb8565e065d5cdc0b53717 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 02:27:31 +0300
Subject: [PATCH 11/21] Add format support

---
 lemur/plugins/lemur_vault_dest/plugin.py | 56 +++++++++++++++---------
 1 file changed, 35 insertions(+), 21 deletions(-)

diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 0101f5a9..a63896d2 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
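Review bot: The added `if not data["extensions"]["subAltNames"]["names"]:` guard makes the request's own SAN list silently win over the CSR's: when both are present the CSR's names are dropped with no error or log line, so the issued certificate's subjectAltName no longer matches what the CSR asked for. For the field that decides which hostnames a certificate is valid for, a conflict should be rejected (a `ValidationError` naming both lists) or at least logged, not resolved by precedence. Since the `+=` now only ever runs against an empty list, `data["extensions"]["subAltNames"]["names"] = csr_sans` says the same thing more directly. The enclosing method starts outside the hunk, so how `csr_sans` is produced and whether it can be `None` is not visible here.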
@@ -14,7 +14,7 @@ import re
 import hvac
 from flask import current_app
 
-from lemur.common.defaults import common_name
+from lemur.common.defaults import common_name,country,state,location,organizational_unit,organization
 from lemur.common.utils import parse_certificate
 from lemur.plugins.bases import DestinationPlugin
 from lemur.plugins.bases import SourcePlugin
@@ -202,22 +202,15 @@ class VaultDestinationPlugin(DestinationPlugin):
 "name": "vaultPath",
 "type": "str",
 "required": True,
- "validation": "^([a-zA-Z0-9._-]+/?)+$",
- "helpMessage": "Must be a valid Vault secrets path",
- },
- {
- "name": "vaultSuffix",
- "type": "str",
- "required": False,
- "validation": "^([a-zA-Z0-9._-]+/?)+$",
- "helpMessage": "Must be a valid Vault secrets path",
+ "validation": "^(([a-zA-Z0-9._-]+|{(CN|OU|O|L|S|C)})+/?)+$",
+ "helpMessage": "Must be a valid Vault secrets path. Support vars: {CN|OU|O|L|S|C}",
 },
 {
 "name": "objectName",
 "type": "str",
 "required": False,
- "validation": "[0-9a-zA-Z.:_-]+",
- "helpMessage": "Name to bundle certs under, if blank use cn",
+ "validation": "^([0-9a-zA-Z.:_-]+|{(CN|OU|O|L|S|C)})+$",
+ "helpMessage": "Name to bundle certs under, if blank use {CN}. Support vars: {CN|OU|O|L|S|C}",
 },
 {
 "name": "bundleChain",
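Review bot: The two new validation patterns nest a quantified group inside a quantified group — `^(([a-zA-Z0-9._-]+|{(CN|OU|O|L|S|C)})+/?)+$` for `vaultPath` and `^([0-9a-zA-Z.:_-]+|{(CN|OU|O|L|S|C)})+$` for `objectName` — which is the classic catastrophic-backtracking shape: a long value that fails to match near its end (for example many `a` characters followed by a lone `{`) can take exponential time in a backtracking engine, wherever the pattern is evaluated (the UI, or a server-side `re.match` if Lemur validates plugin options there). The same token set is matched without the ambiguity by consuming one character or one whole placeholder per repetition: `^([0-9a-zA-Z.:_-]|{(CN|OU|O|L|S|C)})+$` for `objectName`, and `^([a-zA-Z0-9._-]|{(CN|OU|O|L|S|C)})+(/([a-zA-Z0-9._-]|{(CN|OU|O|L|S|C)})+)*/?$` for `vaultPath`, which keeps the single-slash separators and optional trailing slash of the original. Because these templates are later passed to `str.format`, a stray `{` or `}` that is not one of the six placeholders must keep being rejected; both replacements preserve that.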
@@ -248,14 +241,20 @@ class VaultDestinationPlugin(DestinationPlugin):
 :param cert_chain:
 :return:
 """
- cname = common_name(parse_certificate(body))
+ cert = parse_certificate(body)
+
+ cn = common_name(cert)
+ ou= organizational_unit(cert)
+ o= organization(cert)
+ l= location(cert)
+ s= state(cert)
+ c= country(cert)
 
 url = self.get_option("vaultUrl", options)
 auth_method = self.get_option("authenticationMethod", options)
 auth_key = self.get_option("tokenFile/vaultRole", options)
 mount = self.get_option("vaultMount", options)
 path = self.get_option("vaultPath", options)
- suffix = self.get_option("vaultSuffix", options)
 bundle = self.get_option("bundleChain", options)
 obj_name = self.get_option("objectName", options)
 api_version = self.get_option("vaultKvApiVersion", options)
@@ -293,15 +292,30 @@ class VaultDestinationPlugin(DestinationPlugin):
 
 client.secrets.kv.default_kv_version = api_version
 
- if obj_name:
- path = "{0}/{1}".format(path, obj_name)
- else:
- path = "{0}/{1}".format(path, cname)
+ t_path = path.format(
+ CN=cn,
+ OU=ou,
+ O=o,
+ L=l,
+ S=s,
+ C=c
+ )
+ if not obj_name:
+ obj_name = '{CN}'
+
+ f_obj_name = obj_name.format(
+ CN=cn,
+ OU=ou,
+ O=o,
+ L=l,
+ S=s,
+ C=c
+ )
 
- if suffix:
- path = "{0}/{1}".format(path, suffix)
+ path = "{0}/{1}".format(t_path, obj_name)
+ # TODO: obj_name support for vars
 
- secret = get_secret(client, mount, path)
+ secret_t = get_secret(client, mount, path)
 secret["data"][cname] = {}
 
 if not cert_chain:

From 729ed3843dbfcce084bf7c52767876f2be26d3b4 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 14:16:29 +0300
Subject: [PATCH 12/21] Fix bug wth get_options and slash in name

---
 lemur/plugins/lemur_vault_dest/plugin.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index a63896d2..2de19004 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
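Review bot: The subject components computed at the top of the first hunk (`cn`, `ou`, `o`, `l`, `s`, `c`) are substituted straight into the Vault secret path by `path.format(...)` in the second hunk with no sanitising, while the `vaultPath` regex only checks the template: a certificate whose CN or OU contains `/` or `..` therefore lands under a different path than the template author intended, and because Vault policies are path-based that can put a private key outside the policy it was meant to be covered by. Normalise each value before formatting, e.g. `re.sub(r"[^0-9a-zA-Z.:_-]", "_", value)`, using the `re` this module already imports. Two further defects on the new side of the second hunk: `secret["data"][cname] = {}` still references `cname`, which this commit renamed to `cn`, and `secret` is never assigned because the lookup result went to `secret_t`, so upload raises `NameError` on first use; and `path` is built from the raw `obj_name` rather than the formatted `f_obj_name`, so the `{CN}` default is written literally. The enclosing `upload` method continues past the hunk.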
@@ -58,7 +58,7 @@ class VaultSourcePlugin(SourcePlugin):
 "helpMessage": "Authentication method to use",
 },
 {
- "name": "tokenFile/VaultRole",
+ "name": "tokenFileOrVaultRole",
 "type": "str",
 "required": True,
 "validation": "^([a-zA-Z0-9/._-]+/?)+$",
@@ -94,7 +94,7 @@ class VaultSourcePlugin(SourcePlugin):
 body = ""
 url = self.get_option("vaultUrl", options)
 auth_method = self.get_option("authenticationMethod", options)
- auth_key = self.get_option("tokenFile/vaultRole", options)
+ auth_key = self.get_option("tokenFileOrVaultRole", options)
 mount = self.get_option("vaultMount", options)
 path = self.get_option("vaultPath", options)
 obj_name = self.get_option("objectName", options)
@@ -185,7 +185,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 "helpMessage": "Authentication method to use",
 },
 {
- "name": "tokenFile/VaultRole",
+ "name": "tokenFileOrVaultRole",
 "type": "str",
 "required": True,
 "validation": "^([a-zA-Z0-9/._-]+/?)+$",
@@ -252,7 +252,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 
 url = self.get_option("vaultUrl", options)
 auth_method = self.get_option("authenticationMethod", options)
- auth_key = self.get_option("tokenFile/vaultRole", options)
+ auth_key = self.get_option("tokenFileOrVaultRole", options)
 mount = self.get_option("vaultMount", options)
 path = self.get_option("vaultPath", options)
 bundle = self.get_option("bundleChain", options)

From ba8e315eed2f33ffb32dc79df96bfbfa17315675 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 14:22:04 +0300
Subject: [PATCH 13/21] Fix typo

---
 lemur/plugins/lemur_vault_dest/plugin.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 2de19004..0c6bb9b2 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
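Review bot: Renaming the option key from `tokenFile/VaultRole` to `tokenFileOrVaultRole` in both plugins fixes the lookup mismatch (the `get_option` calls were asking for `tokenFile/vaultRole`, lower-case `v`), but it likely also orphans every source and destination already saved under the old key: their stored options no longer match the schema, so `auth_key` comes back empty — or `get_option` raises, depending on how it treats a missing key — and authentication to Vault fails at the next sync or upload. Either add a read-time fallback at both `get_option` sites, `auth_key = self.get_option("tokenFileOrVaultRole", options) or self.get_option("tokenFile/VaultRole", options)`, or ship a data migration that rewrites the stored option name, and say in the commit message that existing configurations need it.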
@@ -301,8 +301,8 @@ class VaultDestinationPlugin(DestinationPlugin):
 C=c
 )
 if not obj_name:
- obj_name = '{CN}'
-
+ obj_name = '{CN}'
+
 f_obj_name = obj_name.format(
 CN=cn,
 OU=ou,
@@ -312,10 +312,10 @@ class VaultDestinationPlugin(DestinationPlugin):
 C=c
 )
 
- path = "{0}/{1}".format(t_path, obj_name)
+ path = "{0}/{1}".format(t_path, f_obj_name)
 # TODO: obj_name support for vars
 
- secret_t = get_secret(client, mount, path)
+ secret = get_secret(client, mount, path)
 secret["data"][cname] = {}
 
 if not cert_chain:

From a6c3b85fe154ff6c77965807d9b2d85c2d1eb3ee Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 15:15:56 +0300
Subject: [PATCH 14/21] Fix lint

---
 lemur/plugins/lemur_vault_dest/plugin.py | 34 ++++++++++--------------
 1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 0c6bb9b2..977f476e 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -14,7 +14,7 @@ import re
 import hvac
 from flask import current_app
 
-from lemur.common.defaults import common_name,country,state,location,organizational_unit,organization
+from lemur.common.defaults import common_name, country, state, location, organizational_unit, organization
 from lemur.common.utils import parse_certificate
 from lemur.plugins.bases import DestinationPlugin
 from lemur.plugins.bases import SourcePlugin
@@ -242,13 +242,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 :return:
 """
 cert = parse_certificate(body)
-
- cn = common_name(cert)
- ou= organizational_unit(cert)
- o= organization(cert)
- l= location(cert)
- s= state(cert)
- c= country(cert)
+ cname = common_name(cert)
 
 url = self.get_option("vaultUrl", options)
 auth_method = self.get_option("authenticationMethod", options)
@@ -293,23 +287,23 @@ class VaultDestinationPlugin(DestinationPlugin):
 client.secrets.kv.default_kv_version = api_version
 
 t_path = path.format(
- CN=cn,
- OU=ou,
- O=o,
- L=l,
- S=s,
- C=c
+ CN=cname,
+ OU=organizational_unit(cert),
+ O=organization(cert),
+ L=location(cert),
+ S=state(cert),
+ C=country(cert)
 )
 if not obj_name:
 obj_name = '{CN}'
 
 f_obj_name = obj_name.format(
- CN=cn,
- OU=ou,
- O=o,
- L=l,
- S=s,
- C=c
+ CN=cname,
+ OU=organizational_unit(cert),
+ O=organization(cert),
+ L=location(cert),
+ S=state(cert),
+ C=country(cert)
 )
 
 path = "{0}/{1}".format(t_path, f_obj_name)

From 92a89427274de3c6ed536e2691183f2469bb5548 Mon Sep 17 00:00:00 2001
From: Ilya Makarov
Date: Wed, 11 Mar 2020 15:37:11 +0300
Subject: [PATCH 15/21] Fix lint

---
 lemur/plugins/lemur_vault_dest/plugin.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 977f476e..6a1cd074 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -289,10 +289,10 @@ class VaultDestinationPlugin(DestinationPlugin):
 t_path = path.format(
 CN=cname,
 OU=organizational_unit(cert),
- O=organization(cert),
+ O=organization(cert), # noqa: E741
 L=location(cert),
 S=state(cert),
- C=country(cert)
+ C=country(cert),
 )
 if not obj_name:
 obj_name = '{CN}'
@@ -300,14 +300,13 @@ class VaultDestinationPlugin(DestinationPlugin):
 f_obj_name = obj_name.format(
 CN=cname,
 OU=organizational_unit(cert),
- O=organization(cert),
+ O=organization(cert), # noqa: E741
 L=location(cert),
 S=state(cert),
- C=country(cert)
+ C=country(cert),
 )
 
 path = "{0}/{1}".format(t_path, f_obj_name)
- # TODO: obj_name support for vars
 
 secret = get_secret(client, mount, path)
 secret["data"][cname] = {}

From be722fb1b3e543fff03bef87adbda259e9597f83 Mon Sep 17 00:00:00 2001
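Review bot: The six keyword arguments (`CN=cname`, `OU=organizational_unit(cert)`, `O=organization(cert)`, `L=location(cert)`, `S=state(cert)`, `C=country(cert)`) are spelled out twice, once for `path.format` and once for `obj_name.format`, so the two substitution sets can drift apart and every subject accessor runs twice per upload; build the mapping once — `subject = {"CN": cname, "OU": organizational_unit(cert), "O": organization(cert), "L": location(cert), "S": state(cert), "C": country(cert)}` — and call `path.format(**subject)` and `obj_name.format(**subject)`. Using string keys also removes the `O=` keyword token that the following hunk then has to mark `# noqa: E741`. Both format calls sit inside `upload`, which starts and ends outside the hunk.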
From: Ilya Makarov
Date: Wed, 11 Mar 2020 20:51:10 +0300
Subject: [PATCH 16/21] Fix lint

---
 lemur/plugins/lemur_vault_dest/plugin.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py
index 6a1cd074..3c5301f7 100755
--- a/lemur/plugins/lemur_vault_dest/plugin.py
+++ b/lemur/plugins/lemur_vault_dest/plugin.py
@@ -292,7 +292,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 O=organization(cert), # noqa: E741
 L=location(cert),
 S=state(cert),
- C=country(cert),
+ C=country(cert)
 )
 if not obj_name:
 obj_name = '{CN}'
@@ -303,7 +303,7 @@ class VaultDestinationPlugin(DestinationPlugin):
 O=organization(cert), # noqa: E741
 L=location(cert),
 S=state(cert),
- C=country(cert),
+ C=country(cert)
 )
 
 path = "{0}/{1}".format(t_path, f_obj_name)

From f83e3f764e9b8fccf921feb4ee490eb7de1e9726 Mon Sep 17 00:00:00 2001
From: e11it
Date: Fri, 22 May 2020 21:52:43 +0300
Subject: [PATCH 17/21] always assign csr_sans to name

---
 lemur/certificates/schemas.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lemur/certificates/schemas.py b/lemur/certificates/schemas.py
index bc7ff1b0..42e444bc 100644
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@@ -147,8 +147,7 @@ class CertificateInputSchema(CertificateCreationSchema):
 elif not data["extensions"]["subAltNames"].get("names"):
 data["extensions"]["subAltNames"]["names"] = []
 
- if not data["extensions"]["subAltNames"]["names"]:
- data["extensions"]["subAltNames"]["names"] += csr_sans
+ data["extensions"]["subAltNames"]["names"] = csr_sans
 
 return missing.convert_validity_years(data)
 

From 760a219e09e42ff5ce9cceae7c8bdfcba9b6f75d Mon Sep 17 00:00:00 2001
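Review bot: `data["extensions"]["subAltNames"]["names"] = csr_sans` now unconditionally replaces whatever SANs the caller submitted with the CSR's, which makes the `elif ... ["names"] = []` initialisation two lines above dead code and silently discards user-supplied names whenever a CSR is also present; if the intent is that the CSR is authoritative, a conflicting explicit list should be rejected with a validation error rather than ignored, and the dead `elif` removed. It is also worth checking what `csr_sans` is when the CSR carries no SAN extension — if the helper returns `None`, this now stores `None` where the previous code guaranteed a list. The enclosing method starts outside the hunk.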
From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Wed, 27 May 2020 21:38:46 +0000 Subject: [PATCH 18/21] Bump six from 1.14.0 to 1.15.0 Bumps [six](https://github.com/benjaminp/six) from 1.14.0 to 1.15.0. - [Release notes](https://github.com/benjaminp/six/releases) - [Changelog](https://github.com/benjaminp/six/blob/master/CHANGES) - [Commits](https://github.com/benjaminp/six/compare/1.14.0...1.15.0) Signed-off-by: dependabot-preview[bot] --- requirements-dev.txt | 2 +- requirements-docs.txt | 2 +- requirements-tests.txt | 2 +- requirements.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 785d3f29..3f53aaf7 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -33,7 +33,7 @@ readme-renderer==25.0 # via twine requests-toolbelt==0.9.1 # via twine requests==2.23.0 # via requests-toolbelt, twine secretstorage==3.1.2 # via keyring -six==1.14.0 # via bleach, cryptography, readme-renderer, virtualenv +six==1.15.0 # via bleach, cryptography, readme-renderer, virtualenv toml==0.10.0 # via pre-commit tqdm==4.45.0 # via twine twine==3.1.1 # via -r requirements-dev.in diff --git a/requirements-docs.txt b/requirements-docs.txt index 16d97413..13bcdf08 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -87,7 +87,7 @@ requests-toolbelt==0.9.1 # via -r requirements.txt, acme requests[security]==2.23.0 # via -r requirements.txt, acme, certsrv, cloudflare, hvac, requests-toolbelt, sphinx retrying==1.3.3 # via -r requirements.txt s3transfer==0.3.3 # via -r requirements.txt, boto3 -six==1.14.0 # via -r requirements.txt, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, packaging, pynacl, pyopenssl, python-dateutil, retrying, sphinxcontrib-httpdomain, sqlalchemy-utils +six==1.15.0 # via -r requirements.txt, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, packaging, pynacl, pyopenssl, python-dateutil, retrying, sphinxcontrib-httpdomain, sqlalchemy-utils snowballstemmer==2.0.0 # via sphinx sphinx-rtd-theme==0.4.3 # via -r requirements-docs.in sphinx==3.0.3 # via -r requirements-docs.in, sphinx-rtd-theme, sphinxcontrib-httpdomain diff --git a/requirements-tests.txt b/requirements-tests.txt index 79340e51..e9a547d2 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -72,7 +72,7 @@ requests==2.23.0 # via docker, moto, requests-mock, responses responses==0.10.12 # via moto rsa==4.0 # via python-jose s3transfer==0.3.3 # via boto3 -six==1.14.0 # via aws-sam-translator, bandit, cfn-lint, cryptography, docker, ecdsa, fakeredis, freezegun, jsonschema, moto, packaging, pyrsistent, python-dateutil, python-jose, requests-mock, responses, stevedore, websocket-client +six==1.15.0 # via aws-sam-translator, bandit, cfn-lint, cryptography, docker, ecdsa, fakeredis, freezegun, jsonschema, moto, packaging, pyrsistent, python-dateutil, python-jose, requests-mock, responses, stevedore, websocket-client smmap==3.0.2 # via gitdb sortedcontainers==2.1.0 # via fakeredis sshpubkeys==3.1.0 # via moto diff --git a/requirements.txt b/requirements.txt index 315f39b8..8526c89a 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -81,7 +81,7 @@ requests-toolbelt==0.9.1 # via acme requests[security]==2.23.0 # via -r requirements.in, acme, certsrv, cloudflare, hvac, requests-toolbelt retrying==1.3.3 # via -r requirements.in s3transfer==0.3.3 # via boto3 -six==1.14.0 # via -r requirements.in, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, pynacl, pyopenssl, python-dateutil, retrying, sqlalchemy-utils +six==1.15.0 # via -r requirements.in, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, pynacl, pyopenssl, python-dateutil, retrying, sqlalchemy-utils sqlalchemy-utils==0.36.5 # via -r requirements.in sqlalchemy==1.3.16 # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils tabulate==0.8.7 # via -r requirements.in From 44eeb2b7388c90537c7c870a3d4f50db75819af6 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Wed, 27 May 2020 21:56:49 +0000 Subject: [PATCH 19/21] Bump sqlalchemy-utils from 0.36.5 to 0.36.6 Bumps [sqlalchemy-utils](https://github.com/kvesteri/sqlalchemy-utils) from 0.36.5 to 0.36.6. - [Release notes](https://github.com/kvesteri/sqlalchemy-utils/releases) - [Changelog](https://github.com/kvesteri/sqlalchemy-utils/blob/master/CHANGES.rst) - [Commits](https://github.com/kvesteri/sqlalchemy-utils/compare/0.36.5...0.36.6) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 13bcdf08..453b950d 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt 
@@ -98,7 +98,7 @@ sphinxcontrib-httpdomain==1.7.0 # via -r requirements-docs.in sphinxcontrib-jsmath==1.0.1 # via sphinx sphinxcontrib-qthelp==1.0.3 # via sphinx sphinxcontrib-serializinghtml==1.1.4 # via sphinx -sqlalchemy-utils==0.36.5 # via -r requirements.txt +sqlalchemy-utils==0.36.6 # via -r requirements.txt sqlalchemy==1.3.16 # via -r requirements.txt, alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils tabulate==0.8.7 # via -r requirements.txt twofish==0.3.0 # via -r requirements.txt, pyjks diff --git a/requirements.txt b/requirements.txt index 8526c89a..96b80846 100644 --- a/requirements.txt +++ b/requirements.txt @@ -82,7 +82,7 @@ requests[security]==2.23.0 # via -r requirements.in, acme, certsrv, cloudflare, retrying==1.3.3 # via -r requirements.in s3transfer==0.3.3 # via boto3 six==1.15.0 # via -r requirements.in, acme, bcrypt, cryptography, flask-cors, flask-restful, hvac, josepy, jsonlines, pynacl, pyopenssl, python-dateutil, retrying, sqlalchemy-utils -sqlalchemy-utils==0.36.5 # via -r requirements.in +sqlalchemy-utils==0.36.6 # via -r requirements.in sqlalchemy==1.3.16 # via alembic, flask-sqlalchemy, marshmallow-sqlalchemy, sqlalchemy-utils tabulate==0.8.7 # via -r requirements.in twofish==0.3.0 # via pyjks From 3ac2e20e9347f5210bae18eb811e50fb6182bf8e Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Wed, 27 May 2020 22:05:24 +0000 Subject: [PATCH 20/21] Bump hvac from 0.10.1 to 0.10.3 Bumps [hvac](https://github.com/hvac/hvac) from 0.10.1 to 0.10.3. - [Release notes](https://github.com/hvac/hvac/releases) - [Changelog](https://github.com/hvac/hvac/blob/develop/CHANGELOG.md) - [Commits](https://github.com/hvac/hvac/compare/v0.10.1...v0.10.3) Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/requirements-docs.txt b/requirements-docs.txt index 453b950d..25edf2dd 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -42,7 +42,7 @@ flask-sqlalchemy==2.4.1 # via -r requirements.txt, flask-migrate flask==1.1.2 # via -r requirements.txt, flask-bcrypt, flask-cors, flask-mail, flask-migrate, flask-principal, flask-restful, flask-script, flask-sqlalchemy, raven future==0.18.2 # via -r requirements.txt, cloudflare gunicorn==20.0.4 # via -r requirements.txt -hvac==0.10.1 # via -r requirements.txt +hvac==0.10.3 # via -r requirements.txt idna==2.9 # via -r requirements.txt, requests imagesize==1.2.0 # via sphinx inflection==0.4.0 # via -r requirements.txt diff --git a/requirements.txt b/requirements.txt index 96b80846..71ce9b97 100644 --- a/requirements.txt +++ b/requirements.txt @@ -40,7 +40,7 @@ flask-sqlalchemy==2.4.1 # via -r requirements.in, flask-migrate flask==1.1.2 # via -r requirements.in, flask-bcrypt, flask-cors, flask-mail, flask-migrate, flask-principal, flask-restful, flask-script, flask-sqlalchemy, raven future==0.18.2 # via -r requirements.in, cloudflare gunicorn==20.0.4 # via -r requirements.in -hvac==0.10.1 # via -r requirements.in +hvac==0.10.3 # via -r requirements.in idna==2.9 # via requests inflection==0.4.0 # via -r requirements.in itsdangerous==1.1.0 # via flask From 66a5c3880e5a2fec8f30098f4648ba9138f7e275 Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Wed, 27 May 2020 22:18:14 +0000 Subject: [PATCH 21/21] Bump boto3 from 1.13.11 to 1.13.18 Bumps [boto3](https://github.com/boto/boto3) from 1.13.11 to 1.13.18. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.13.11...1.13.18) 
Signed-off-by: dependabot-preview[bot] --- requirements-docs.txt | 4 ++-- requirements-tests.txt | 4 ++-- requirements.txt | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements-docs.txt b/requirements-docs.txt index 25edf2dd..2d36962e 100644 --- a/requirements-docs.txt +++ b/requirements-docs.txt @@ -16,8 +16,8 @@ babel==2.8.0 # via sphinx bcrypt==3.1.7 # via -r requirements.txt, flask-bcrypt, paramiko billiard==3.6.3.0 # via -r requirements.txt, celery blinker==1.4 # via -r requirements.txt, flask-mail, flask-principal, raven -boto3==1.13.11 # via -r requirements.txt -botocore==1.16.11 # via -r requirements.txt, boto3, s3transfer +boto3==1.13.18 # via -r requirements.txt +botocore==1.16.18 # via -r requirements.txt, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.txt certifi==2020.4.5.1 # via -r requirements.txt, requests certsrv==2.1.1 # via -r requirements.txt diff --git a/requirements-tests.txt b/requirements-tests.txt index e9a547d2..3fe1daa5 100644 --- a/requirements-tests.txt +++ b/requirements-tests.txt @@ -10,9 +10,9 @@ aws-sam-translator==1.22.0 # via cfn-lint aws-xray-sdk==2.5.0 # via moto bandit==1.6.2 # via -r requirements-tests.in black==19.10b0 # via -r requirements-tests.in -boto3==1.13.11 # via aws-sam-translator, moto +boto3==1.13.18 # via aws-sam-translator, moto boto==2.49.0 # via moto -botocore==1.16.11 # via aws-xray-sdk, boto3, moto, s3transfer +botocore==1.16.18 # via aws-xray-sdk, boto3, moto, s3transfer certifi==2020.4.5.1 # via requests cffi==1.14.0 # via cryptography cfn-lint==0.29.5 # via moto diff --git a/requirements.txt b/requirements.txt index 71ce9b97..1814d124 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -14,8 +14,8 @@ asyncpool==1.0 # via -r requirements.in bcrypt==3.1.7 # via flask-bcrypt, paramiko billiard==3.6.3.0 # via celery blinker==1.4 # via flask-mail, flask-principal, raven -boto3==1.13.11 # via -r requirements.in -botocore==1.16.11 # via -r requirements.in, boto3, s3transfer +boto3==1.13.18 # via -r requirements.in +botocore==1.16.18 # via -r requirements.in, boto3, s3transfer celery[redis]==4.4.2 # via -r requirements.in certifi==2020.4.5.1 # via -r requirements.in, requests certsrv==2.1.1 # via -r requirements.in