Improving endpoint rotation logic (#545)

This commit is contained in:
kevgliss 2016-11-30 15:11:17 -08:00 committed by GitHub
parent bd2abdf45f
commit e1bbf9d80c
8 changed files with 118 additions and 121 deletions

View File

@ -94,6 +94,8 @@ def update(endpoint_id, **kwargs):
endpoint.policy = kwargs['policy']
endpoint.certificate = kwargs['certificate']
endpoint.source = kwargs['source']
metrics.send('endpoint_added', 'counter', 1)
database.update(endpoint)
return endpoint
@ -104,7 +106,7 @@ def rotate_certificate(endpoint, new_cert):
endpoint.source.plugin.update_endpoint(endpoint, new_cert)
endpoint.certificate = new_cert
except Exception as e:
metrics.send('rotate_failure', 'counter', 1, tags={'endpoint': endpoint.name})
metrics.send('rotate_failure', 'counter', 1, metric_tags={'endpoint': endpoint.name})
current_app.logger.exception(e)
raise e

View File

@ -518,38 +518,32 @@ def print_certificate_details(details):
)
class RotateCertificate(Command):
"""
Rotates certificate on all endpoints managed by Lemur.
"""
option_list = (
Option('-n', '--cert-name', dest='new_cert_name'),
Option('-o', '--old-cert-name', dest='old_cert_name', required=True),
Option('-c', '--commit', dest='commit', action='store_true', default=False)
)
certificate_manager = Manager(usage="Handles all certificate related tasks.")
def run(self, new_cert_name, old_cert_name, commit):
@certificate_manager.command
def rotate(new_certificate_name, old_certificate_name, commit=False):
from lemur.certificates.service import get_by_name, reissue_certificate, get_certificate_primitives
from lemur.endpoints.service import rotate_certificate
old_cert = get_by_name(old_cert_name)
old_cert = get_by_name(old_certificate_name)
if not old_cert:
sys.stdout.write("[-] No certificate found with name: {0}\n".format(old_cert_name))
sys.stdout.write("[-] No certificate found with name: {0}\n".format(old_certificate_name))
sys.exit(1)
if new_cert_name:
new_cert = get_by_name(new_cert_name)
if new_certificate_name:
new_cert = get_by_name(new_certificate_name)
if not new_cert:
sys.stdout.write("[-] No certificate found with name: {0}\n".format(old_cert_name))
sys.stdout.write("[-] No certificate found with name: {0}\n".format(old_certificate_name))
sys.exit(1)
if commit:
sys.stdout.write("[!] Running in COMMIT mode.\n")
if not new_cert_name:
sys.stdout.write("[!] No new certificate provided. Attempting to re-issue old certificate: {0}.\n".format(old_cert_name))
if not new_certificate_name:
sys.stdout.write("[!] No new certificate provided. Attempting to re-issue old certificate: {0}.\n".format(old_certificate_name))
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
@ -562,33 +556,32 @@ class RotateCertificate(Command):
if len(old_cert.endpoints) > 0:
for endpoint in old_cert.endpoints:
sys.stdout.write("[+] Certificate found deployed onto {0}\n ".format(endpoint.name))
sys.stdout.write("[+] Rotating certificate from: {0} to: {1}\n ".format(old_cert_name, new_cert.name))
sys.stdout.write(
"[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}\n".format(
name=endpoint.name,
dnsname=endpoint.dnsname,
port=endpoint.port,
type=endpoint.type
)
)
sys.stdout.write("[+] Rotating certificate from: {0} to: {1}\n".format(old_certificate_name, new_cert.name))
if commit:
rotate_certificate(endpoint, new_cert_name)
rotate_certificate(endpoint, new_cert)
sys.stdout.write("[+] Done! \n")
else:
sys.stdout.write("[!] Certificate not found on any existing endpoints. Nothing to rotate.\n")
class ReissueCertificate(Command):
"""
Reissues a certificate based on a given certificate.
"""
option_list = (
Option('-o', '--old-cert-name', dest='old_cert_name', required=True),
Option('-c', '--commit', dest='commit', action='store_true', default=False)
)
def run(self, old_cert_name, commit):
@certificate_manager.command
def reissue(old_certificate_name, commit=False):
from lemur.certificates.service import get_by_name, reissue_certificate, get_certificate_primitives
old_cert = get_by_name(old_cert_name)
old_cert = get_by_name(old_certificate_name)
if not old_cert:
sys.stdout.write("[-] No certificate found with name: {0}\n".format(old_cert_name))
sys.stdout.write("[-] No certificate found with name: {0}\n".format(old_certificate_name))
sys.exit(1)
if commit:
@ -743,29 +736,23 @@ class Report(Command):
sys.stdout.write(tabulate(rows, headers=["Authority Name", "Description", "Daily Average", "Monthy Average", "Yearly Average"]) + "\n")
class Sources(Command):
"""
Defines a set of actions to take against Lemur's sources.
"""
option_list = (
Option('-s', '--sources', dest='source_strings', action='append', help='Sources to operate on.', required=True),
Option('-a', '--action', choices=['sync', 'clean'], dest='action', help='Action to take on source.', required=True)
)
source_manager = Manager(usage="Handles all source related tasks.")
def run(self, source_strings, action):
def validate_sources(source_strings):
sources = []
if not source_strings:
table = []
for source in source_service.get_all():
table.append([source.label, source.active, source.description])
sys.stdout.write("No source specified choose from below:\n")
sys.stdout.write(tabulate(table, headers=['Label', 'Active', 'Description']))
sys.exit(1)
elif 'all' in source_strings:
if 'all' in source_strings:
sources = source_service.get_all()
else:
for source_str in source_strings:
source = source_service.get_by_label(source_str)
@ -773,16 +760,13 @@ class Sources(Command):
sys.stderr.write("Unable to find specified source with label: {0}".format(source_str))
sources.append(source)
return sources
for source in sources:
if action == 'sync':
self.sync(source)
if action == 'clean':
self.clean(source)
@staticmethod
def sync(source):
@source_manager.option('-s', '--sources', dest='source_strings', action='append', help='Sources to operate on.')
def sync(source_strings):
source_objs = validate_sources(source_strings)
for source in source_objs:
start_time = time.time()
sys.stdout.write("[+] Staring to sync source: {label}!\n".format(label=source.label))
@ -805,8 +789,11 @@ class Sources(Command):
metrics.send('sync_failed', 'counter', 1, metric_tags={'source': source.label})
@staticmethod
def clean(source):
@source_manager.option('-s', '--sources', dest='source_strings', action='append', help='Sources to operate on.')
def clean(source_strings):
source_objs = validate_sources(source_strings)
for source in source_objs:
start_time = time.time()
sys.stdout.write("[+] Staring to clean source: {label}!\n".format(label=source.label))
source_service.clean(source)
@ -828,10 +815,9 @@ def main():
manager.add_command("create_user", CreateUser())
manager.add_command("reset_password", ResetPassword())
manager.add_command("create_role", CreateRole())
manager.add_command("sources", Sources())
manager.add_command("source", source_manager)
manager.add_command("report", Report())
manager.add_command("rotate_certificate", RotateCertificate())
manager.add_command("reissue_certificate", ReissueCertificate())
manager.add_command("certificate", certificate_manager)
manager.run()

View File

@ -11,7 +11,7 @@ from flask import current_app
from retrying import retry
from lemur.exceptions import InvalidListener
from lemur.plugins.lemur_aws.sts import sts_client, assume_service
from lemur.plugins.lemur_aws.sts import sts_client
def retry_throttled(exception):
@ -104,15 +104,13 @@ def describe_load_balancer_types(policies, **kwargs):
@sts_client('elb')
def attach_certificate(account_number, region, name, port, certificate_id):
def attach_certificate(name, port, certificate_id, **kwargs):
"""
Attaches a certificate to a listener, throws exception
if certificate specified does not exist in a particular account.
:param account_number:
:param region:
:param name:
:param port:
:param certificate_id:
"""
return assume_service(account_number, 'elb', region).set_lb_listener_SSL_certificate(name, port, certificate_id)
return kwargs['client'].set_load_balancer_listener_ssl_certificate(LoadBalancerName=name, LoadBalancerPort=port, SSLCertificateId=certificate_id)

View File

@ -88,8 +88,7 @@ def create_arn_from_cert(account_number, region, certificate_name):
:param certificate_name:
:return:
"""
return "arn:aws:iam:{region}:{account_number}:{certificate_name}".format(
region=region,
return "arn:aws:iam::{account_number}:server-certificate/{certificate_name}".format(
account_number=account_number,
certificate_name=certificate_name)

View File

@ -40,6 +40,10 @@ from lemur.plugins.lemur_aws import iam, s3, elb, ec2
from lemur.plugins import lemur_aws as aws
def get_region_from_dns(dns):
return dns.split('.')[-4]
class AWSDestinationPlugin(DestinationPlugin):
title = 'AWS'
slug = 'aws-destination'
@ -149,20 +153,21 @@ class AWSSourcePlugin(SourcePlugin):
)
if listener['PolicyNames']:
policy = e.describe_load_balancer_policies(e['LoadBalancerName'], listener['PolicyNames'], account_number=account_number, region=region)
policy = elb.describe_load_balancer_policies(e['LoadBalancerName'], listener['PolicyNames'], account_number=account_number, region=region)
endpoint['policy'] = format_elb_cipher_policy(policy)
endpoints.append(endpoint)
return endpoints
def update_endpoint(self, options, endpoint, certificate):
def update_endpoint(self, endpoint, certificate):
options = endpoint.source.options
account_number = self.get_option('accountNumber', options)
regions = self.get_option('regions', options)
for region in regions:
# relies on the fact that region is included in DNS name
region = get_region_from_dns(endpoint.dnsname)
arn = iam.create_arn_from_cert(account_number, region, certificate.name)
elb.attach_certificate(account_number, region, certificate.name, endpoint.port, arn)
elb.attach_certificate(endpoint.name, endpoint.port, arn, account_number=account_number, region=region)
def clean(self, options, **kwargs):
account_number = self.get_option('accountNumber', options)

View File

@ -259,6 +259,11 @@ class DigiCertIssuerPlugin(IssuerPlugin):
def __init__(self, *args, **kwargs):
"""Initialize the issuer with the appropriate details."""
required_vars = [
'DIGICERT_API_KEY',
'DIGICERT_URL',
'DIGICERT_ORG_ID',
'DIGICERT_ROOT',
'DIGICERT_INTERMEDIATE'
]
validate_conf(current_app, required_vars)

View File

@ -6,11 +6,12 @@
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
from sqlalchemy.orm import relationship
from sqlalchemy import Column, Integer, String, Text, DateTime, Boolean
from sqlalchemy import Column, Integer, String, Text, Boolean
from sqlalchemy_utils import JSONType
from lemur.database import db
from lemur.plugins.base import plugins
from sqlalchemy_utils import ArrowType
class Source(db.Model):
@ -21,7 +22,7 @@ class Source(db.Model):
description = Column(Text())
plugin_name = Column(String(32))
active = Column(Boolean, default=True)
last_run = Column(DateTime)
last_run = Column(ArrowType)
endpoints = relationship("Endpoint", back_populates="source")
@property

View File

@ -141,6 +141,7 @@ def sync_endpoints(source):
policy['ciphers'] = policy_ciphers
endpoint['policy'] = endpoint_service.get_or_create_policy(**policy)
endpoint['source'] = source
if not exists:
endpoint_service.create(**endpoint)