Merge branch 'master' into powerdnsplugin_01
This commit is contained in:
commit
e1e7efc96e
|
@ -735,6 +735,12 @@ The following configuration properties are required to use the Digicert issuer p
|
||||||
This is the default validity (in years), if no end date is specified. (Default: 1)
|
This is the default validity (in years), if no end date is specified. (Default: 1)
|
||||||
|
|
||||||
|
|
||||||
|
.. data:: DIGICERT_MAX_VALIDITY
|
||||||
|
:noindex:
|
||||||
|
|
||||||
|
This is the maximum validity (in years). (Default: value of DIGICERT_DEFAULT_VALIDITY)
|
||||||
|
|
||||||
|
|
||||||
.. data:: DIGICERT_PRIVATE
|
.. data:: DIGICERT_PRIVATE
|
||||||
:noindex:
|
:noindex:
|
||||||
|
|
||||||
|
|
|
@ -172,7 +172,7 @@ class AcmeHandler(object):
|
||||||
|
|
||||||
except (AcmeError, TimeoutError):
|
except (AcmeError, TimeoutError):
|
||||||
sentry.captureException(extra={"order_url": str(order.uri)})
|
sentry.captureException(extra={"order_url": str(order.uri)})
|
||||||
metrics.send("request_certificate_error", "counter", 1)
|
metrics.send("request_certificate_error", "counter", 1, metric_tags={"uri": order.uri})
|
||||||
current_app.logger.error(
|
current_app.logger.error(
|
||||||
f"Unable to resolve Acme order: {order.uri}", exc_info=True
|
f"Unable to resolve Acme order: {order.uri}", exc_info=True
|
||||||
)
|
)
|
||||||
|
@ -183,6 +183,11 @@ class AcmeHandler(object):
|
||||||
else:
|
else:
|
||||||
raise
|
raise
|
||||||
|
|
||||||
|
metrics.send("request_certificate_success", "counter", 1, metric_tags={"uri": order.uri})
|
||||||
|
current_app.logger.info(
|
||||||
|
f"Successfully resolved Acme order: {order.uri}", exc_info=True
|
||||||
|
)
|
||||||
|
|
||||||
pem_certificate = OpenSSL.crypto.dump_certificate(
|
pem_certificate = OpenSSL.crypto.dump_certificate(
|
||||||
OpenSSL.crypto.FILETYPE_PEM,
|
OpenSSL.crypto.FILETYPE_PEM,
|
||||||
OpenSSL.crypto.load_certificate(
|
OpenSSL.crypto.load_certificate(
|
||||||
|
|
|
@ -14,21 +14,17 @@
|
||||||
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
|
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
|
||||||
"""
|
"""
|
||||||
import json
|
import json
|
||||||
|
|
||||||
import arrow
|
import arrow
|
||||||
import requests
|
|
||||||
|
|
||||||
import pem
|
import pem
|
||||||
from retrying import retry
|
import requests
|
||||||
|
|
||||||
from flask import current_app
|
|
||||||
|
|
||||||
from cryptography import x509
|
from cryptography import x509
|
||||||
|
from flask import current_app
|
||||||
from lemur.extensions import metrics
|
|
||||||
from lemur.common.utils import validate_conf
|
from lemur.common.utils import validate_conf
|
||||||
from lemur.plugins.bases import IssuerPlugin, SourcePlugin
|
from lemur.extensions import metrics
|
||||||
|
|
||||||
from lemur.plugins import lemur_digicert as digicert
|
from lemur.plugins import lemur_digicert as digicert
|
||||||
|
from lemur.plugins.bases import IssuerPlugin, SourcePlugin
|
||||||
|
from retrying import retry
|
||||||
|
|
||||||
|
|
||||||
def log_status_code(r, *args, **kwargs):
|
def log_status_code(r, *args, **kwargs):
|
||||||
|
@ -64,24 +60,37 @@ def signature_hash(signing_algorithm):
|
||||||
raise Exception("Unsupported signing algorithm.")
|
raise Exception("Unsupported signing algorithm.")
|
||||||
|
|
||||||
|
|
||||||
def determine_validity_years(end_date):
|
def determine_validity_years(years):
|
||||||
"""Given an end date determine how many years into the future that date is.
|
"""Given an end date determine how many years into the future that date is.
|
||||||
|
:param years:
|
||||||
|
:return: validity in years
|
||||||
|
"""
|
||||||
|
default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1)
|
||||||
|
max_years = current_app.config.get("DIGICERT_MAX_VALIDITY", default_years)
|
||||||
|
|
||||||
|
if years > max_years:
|
||||||
|
return max_years
|
||||||
|
if years not in [1, 2, 3]:
|
||||||
|
return default_years
|
||||||
|
return years
|
||||||
|
|
||||||
|
|
||||||
|
def determine_end_date(end_date):
|
||||||
|
"""
|
||||||
|
Determine appropriate end date
|
||||||
|
|
||||||
:param end_date:
|
:param end_date:
|
||||||
:return: str validity in years
|
:return: validity_end
|
||||||
"""
|
"""
|
||||||
now = arrow.utcnow()
|
default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1)
|
||||||
|
max_validity_end = arrow.utcnow().shift(years=current_app.config.get("DIGICERT_MAX_VALIDITY", default_years))
|
||||||
|
|
||||||
if end_date < now.shift(years=+1):
|
if not end_date:
|
||||||
return 1
|
end_date = arrow.utcnow().shift(years=default_years)
|
||||||
elif end_date < now.shift(years=+2):
|
|
||||||
return 2
|
|
||||||
elif end_date < now.shift(years=+3):
|
|
||||||
return 3
|
|
||||||
|
|
||||||
raise Exception(
|
if end_date > max_validity_end:
|
||||||
"DigiCert issued certificates cannot exceed three" " years in validity"
|
end_date = max_validity_end
|
||||||
)
|
return end_date
|
||||||
|
|
||||||
|
|
||||||
def get_additional_names(options):
|
def get_additional_names(options):
|
||||||
|
@ -107,12 +116,6 @@ def map_fields(options, csr):
|
||||||
:param csr:
|
:param csr:
|
||||||
:return: dict or valid DigiCert options
|
:return: dict or valid DigiCert options
|
||||||
"""
|
"""
|
||||||
if not options.get("validity_years"):
|
|
||||||
if not options.get("validity_end"):
|
|
||||||
options["validity_years"] = current_app.config.get(
|
|
||||||
"DIGICERT_DEFAULT_VALIDITY", 1
|
|
||||||
)
|
|
||||||
|
|
||||||
data = dict(
|
data = dict(
|
||||||
certificate={
|
certificate={
|
||||||
"common_name": options["common_name"],
|
"common_name": options["common_name"],
|
||||||
|
@ -125,9 +128,11 @@ def map_fields(options, csr):
|
||||||
data["certificate"]["dns_names"] = get_additional_names(options)
|
data["certificate"]["dns_names"] = get_additional_names(options)
|
||||||
|
|
||||||
if options.get("validity_years"):
|
if options.get("validity_years"):
|
||||||
data["validity_years"] = options["validity_years"]
|
data["validity_years"] = determine_validity_years(options.get("validity_years"))
|
||||||
|
elif options.get("validity_end"):
|
||||||
|
data["custom_expiration_date"] = determine_end_date(options.get("validity_end")).format("YYYY-MM-DD")
|
||||||
else:
|
else:
|
||||||
data["custom_expiration_date"] = options["validity_end"].format("YYYY-MM-DD")
|
data["validity_years"] = determine_validity_years(0)
|
||||||
|
|
||||||
if current_app.config.get("DIGICERT_PRIVATE", False):
|
if current_app.config.get("DIGICERT_PRIVATE", False):
|
||||||
if "product" in data:
|
if "product" in data:
|
||||||
|
@ -144,18 +149,15 @@ def map_cis_fields(options, csr):
|
||||||
|
|
||||||
:param options:
|
:param options:
|
||||||
:param csr:
|
:param csr:
|
||||||
:return:
|
:return: data
|
||||||
"""
|
"""
|
||||||
if not options.get("validity_years"):
|
|
||||||
if not options.get("validity_end"):
|
if options.get("validity_years"):
|
||||||
options["validity_end"] = arrow.utcnow().shift(
|
validity_end = determine_end_date(arrow.utcnow().shift(years=options["validity_years"]))
|
||||||
years=current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1)
|
elif options.get("validity_end"):
|
||||||
)
|
validity_end = determine_end_date(options.get("validity_end"))
|
||||||
options["validity_years"] = determine_validity_years(options["validity_end"])
|
|
||||||
else:
|
else:
|
||||||
options["validity_end"] = arrow.utcnow().shift(
|
validity_end = determine_end_date(False)
|
||||||
years=options["validity_years"]
|
|
||||||
)
|
|
||||||
|
|
||||||
data = {
|
data = {
|
||||||
"profile_name": current_app.config.get("DIGICERT_CIS_PROFILE_NAMES", {}).get(options['authority'].name),
|
"profile_name": current_app.config.get("DIGICERT_CIS_PROFILE_NAMES", {}).get(options['authority'].name),
|
||||||
|
@ -164,7 +166,7 @@ def map_cis_fields(options, csr):
|
||||||
"csr": csr,
|
"csr": csr,
|
||||||
"signature_hash": signature_hash(options.get("signing_algorithm")),
|
"signature_hash": signature_hash(options.get("signing_algorithm")),
|
||||||
"validity": {
|
"validity": {
|
||||||
"valid_to": options["validity_end"].format("YYYY-MM-DDTHH:MM") + "Z"
|
"valid_to": validity_end.format("YYYY-MM-DDTHH:MM") + "Z"
|
||||||
},
|
},
|
||||||
"organization": {
|
"organization": {
|
||||||
"name": options["organization"],
|
"name": options["organization"],
|
||||||
|
@ -173,7 +175,8 @@ def map_cis_fields(options, csr):
|
||||||
}
|
}
|
||||||
# possibility to default to a SIGNING_ALGORITHM for a given profile
|
# possibility to default to a SIGNING_ALGORITHM for a given profile
|
||||||
if current_app.config.get("DIGICERT_CIS_SIGNING_ALGORITHMS", {}).get(options['authority'].name):
|
if current_app.config.get("DIGICERT_CIS_SIGNING_ALGORITHMS", {}).get(options['authority'].name):
|
||||||
data["signature_hash"] = current_app.config.get("DIGICERT_CIS_SIGNING_ALGORITHMS", {}).get(options['authority'].name)
|
data["signature_hash"] = current_app.config.get("DIGICERT_CIS_SIGNING_ALGORITHMS", {}).get(
|
||||||
|
options['authority'].name)
|
||||||
|
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
|
|
@ -1,20 +1,81 @@
|
||||||
import pytest
|
|
||||||
import arrow
|
|
||||||
import json
|
import json
|
||||||
from unittest.mock import patch
|
|
||||||
|
|
||||||
from freezegun import freeze_time
|
|
||||||
|
|
||||||
from lemur.tests.vectors import CSR_STR
|
|
||||||
|
|
||||||
|
import arrow
|
||||||
|
import pytest
|
||||||
from cryptography import x509
|
from cryptography import x509
|
||||||
|
from freezegun import freeze_time
|
||||||
|
from lemur.plugins.lemur_digicert import plugin
|
||||||
|
from lemur.tests.vectors import CSR_STR
|
||||||
|
from mock import Mock, patch
|
||||||
|
|
||||||
|
|
||||||
def test_map_fields_with_validity_end_and_start(app):
|
def config_mock(*args):
|
||||||
from lemur.plugins.lemur_digicert.plugin import map_fields
|
values = {
|
||||||
|
"DIGICERT_ORG_ID": 111111,
|
||||||
|
"DIGICERT_PRIVATE": False,
|
||||||
|
"DIGICERT_DEFAULT_SIGNING_ALGORITHM": "sha256",
|
||||||
|
"DIGICERT_DEFAULT_VALIDITY": 1,
|
||||||
|
"DIGICERT_MAX_VALIDITY": 2,
|
||||||
|
"DIGICERT_CIS_PROFILE_NAMES": {"digicert": 'digicert'},
|
||||||
|
"DIGICERT_CIS_SIGNING_ALGORITHMS": {"digicert": 'digicert'},
|
||||||
|
}
|
||||||
|
return values[args[0]]
|
||||||
|
|
||||||
|
|
||||||
|
@patch("lemur.plugins.lemur_digicert.plugin.current_app")
|
||||||
|
def test_determine_validity_years(mock_current_app):
|
||||||
|
mock_current_app.config.get = Mock(return_value=2)
|
||||||
|
assert plugin.determine_validity_years(1) == 1
|
||||||
|
assert plugin.determine_validity_years(0) == 2
|
||||||
|
assert plugin.determine_validity_years(3) == 2
|
||||||
|
|
||||||
|
|
||||||
|
@patch("lemur.plugins.lemur_digicert.plugin.current_app")
|
||||||
|
def test_determine_end_date(mock_current_app):
|
||||||
|
mock_current_app.config.get = Mock(return_value=2)
|
||||||
|
with freeze_time(time_to_freeze=arrow.get(2016, 11, 3).datetime):
|
||||||
|
assert arrow.get(2018, 11, 3) == plugin.determine_end_date(0)
|
||||||
|
assert arrow.get(2018, 5, 7) == plugin.determine_end_date(arrow.get(2018, 5, 7))
|
||||||
|
assert arrow.get(2018, 11, 3) == plugin.determine_end_date(arrow.get(2020, 5, 7))
|
||||||
|
|
||||||
|
|
||||||
|
@patch("lemur.plugins.lemur_digicert.plugin.current_app")
|
||||||
|
def test_map_fields_with_validity_years(mock_current_app):
|
||||||
|
mock_current_app.config.get = Mock(side_effect=config_mock)
|
||||||
|
|
||||||
|
with patch('lemur.plugins.lemur_digicert.plugin.signature_hash') as mock_signature_hash:
|
||||||
|
mock_signature_hash.return_value = "sha256"
|
||||||
|
|
||||||
names = [u"one.example.com", u"two.example.com", u"three.example.com"]
|
names = [u"one.example.com", u"two.example.com", u"three.example.com"]
|
||||||
|
options = {
|
||||||
|
"common_name": "example.com",
|
||||||
|
"owner": "bob@example.com",
|
||||||
|
"description": "test certificate",
|
||||||
|
"extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}},
|
||||||
|
"validity_years": 2
|
||||||
|
}
|
||||||
|
expected = {
|
||||||
|
"certificate": {
|
||||||
|
"csr": CSR_STR,
|
||||||
|
"common_name": "example.com",
|
||||||
|
"dns_names": names,
|
||||||
|
"signature_hash": "sha256",
|
||||||
|
},
|
||||||
|
"organization": {"id": 111111},
|
||||||
|
"validity_years": 2,
|
||||||
|
}
|
||||||
|
assert expected == plugin.map_fields(options, CSR_STR)
|
||||||
|
|
||||||
|
|
||||||
|
@patch("lemur.plugins.lemur_digicert.plugin.current_app")
|
||||||
|
def test_map_fields_with_validity_end_and_start(mock_current_app):
|
||||||
|
mock_current_app.config.get = Mock(side_effect=config_mock)
|
||||||
|
plugin.determine_end_date = Mock(return_value=arrow.get(2017, 5, 7))
|
||||||
|
|
||||||
|
with patch('lemur.plugins.lemur_digicert.plugin.signature_hash') as mock_signature_hash:
|
||||||
|
mock_signature_hash.return_value = "sha256"
|
||||||
|
|
||||||
|
names = [u"one.example.com", u"two.example.com", u"three.example.com"]
|
||||||
options = {
|
options = {
|
||||||
"common_name": "example.com",
|
"common_name": "example.com",
|
||||||
"owner": "bob@example.com",
|
"owner": "bob@example.com",
|
||||||
|
@ -24,9 +85,7 @@ def test_map_fields_with_validity_end_and_start(app):
|
||||||
"validity_start": arrow.get(2016, 10, 30),
|
"validity_start": arrow.get(2016, 10, 30),
|
||||||
}
|
}
|
||||||
|
|
||||||
data = map_fields(options, CSR_STR)
|
expected = {
|
||||||
|
|
||||||
assert data == {
|
|
||||||
"certificate": {
|
"certificate": {
|
||||||
"csr": CSR_STR,
|
"csr": CSR_STR,
|
||||||
"common_name": "example.com",
|
"common_name": "example.com",
|
||||||
|
@ -37,66 +96,18 @@ def test_map_fields_with_validity_end_and_start(app):
|
||||||
"custom_expiration_date": arrow.get(2017, 5, 7).format("YYYY-MM-DD"),
|
"custom_expiration_date": arrow.get(2017, 5, 7).format("YYYY-MM-DD"),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
assert expected == plugin.map_fields(options, CSR_STR)
|
||||||
|
|
||||||
def test_map_fields_with_validity_years(app):
|
|
||||||
from lemur.plugins.lemur_digicert.plugin import map_fields
|
@patch("lemur.plugins.lemur_digicert.plugin.current_app")
|
||||||
|
def test_map_cis_fields_with_validity_years(mock_current_app, authority):
|
||||||
|
mock_current_app.config.get = Mock(side_effect=config_mock)
|
||||||
|
plugin.determine_end_date = Mock(return_value=arrow.get(2018, 11, 3))
|
||||||
|
|
||||||
|
with patch('lemur.plugins.lemur_digicert.plugin.signature_hash') as mock_signature_hash:
|
||||||
|
mock_signature_hash.return_value = "sha256"
|
||||||
|
|
||||||
names = [u"one.example.com", u"two.example.com", u"three.example.com"]
|
names = [u"one.example.com", u"two.example.com", u"three.example.com"]
|
||||||
|
|
||||||
options = {
|
|
||||||
"common_name": "example.com",
|
|
||||||
"owner": "bob@example.com",
|
|
||||||
"description": "test certificate",
|
|
||||||
"extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}},
|
|
||||||
"validity_years": 2,
|
|
||||||
"validity_end": arrow.get(2017, 10, 30),
|
|
||||||
}
|
|
||||||
|
|
||||||
data = map_fields(options, CSR_STR)
|
|
||||||
|
|
||||||
assert data == {
|
|
||||||
"certificate": {
|
|
||||||
"csr": CSR_STR,
|
|
||||||
"common_name": "example.com",
|
|
||||||
"dns_names": names,
|
|
||||||
"signature_hash": "sha256",
|
|
||||||
},
|
|
||||||
"organization": {"id": 111111},
|
|
||||||
"validity_years": 2,
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def test_map_cis_fields(app, authority):
|
|
||||||
from lemur.plugins.lemur_digicert.plugin import map_cis_fields
|
|
||||||
|
|
||||||
names = [u"one.example.com", u"two.example.com", u"three.example.com"]
|
|
||||||
|
|
||||||
options = {
|
|
||||||
"common_name": "example.com",
|
|
||||||
"owner": "bob@example.com",
|
|
||||||
"description": "test certificate",
|
|
||||||
"extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}},
|
|
||||||
"organization": "Example, Inc.",
|
|
||||||
"organizational_unit": "Example Org",
|
|
||||||
"validity_end": arrow.get(2017, 5, 7),
|
|
||||||
"validity_start": arrow.get(2016, 10, 30),
|
|
||||||
"authority": authority,
|
|
||||||
}
|
|
||||||
|
|
||||||
data = map_cis_fields(options, CSR_STR)
|
|
||||||
|
|
||||||
assert data == {
|
|
||||||
"common_name": "example.com",
|
|
||||||
"csr": CSR_STR,
|
|
||||||
"additional_dns_names": names,
|
|
||||||
"signature_hash": "sha256",
|
|
||||||
"organization": {"name": "Example, Inc.", "units": ["Example Org"]},
|
|
||||||
"validity": {
|
|
||||||
"valid_to": arrow.get(2017, 5, 7).format("YYYY-MM-DDTHH:MM") + "Z"
|
|
||||||
},
|
|
||||||
"profile_name": None,
|
|
||||||
}
|
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
"common_name": "example.com",
|
"common_name": "example.com",
|
||||||
"owner": "bob@example.com",
|
"owner": "bob@example.com",
|
||||||
|
@ -108,10 +119,7 @@ def test_map_cis_fields(app, authority):
|
||||||
"authority": authority,
|
"authority": authority,
|
||||||
}
|
}
|
||||||
|
|
||||||
with freeze_time(time_to_freeze=arrow.get(2016, 11, 3).datetime):
|
expected = {
|
||||||
data = map_cis_fields(options, CSR_STR)
|
|
||||||
|
|
||||||
assert data == {
|
|
||||||
"common_name": "example.com",
|
"common_name": "example.com",
|
||||||
"csr": CSR_STR,
|
"csr": CSR_STR,
|
||||||
"additional_dns_names": names,
|
"additional_dns_names": names,
|
||||||
|
@ -123,17 +131,55 @@ def test_map_cis_fields(app, authority):
|
||||||
"profile_name": None,
|
"profile_name": None,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
assert expected == plugin.map_cis_fields(options, CSR_STR)
|
||||||
|
|
||||||
def test_signature_hash(app):
|
|
||||||
from lemur.plugins.lemur_digicert.plugin import signature_hash
|
|
||||||
|
|
||||||
assert signature_hash(None) == "sha256"
|
@patch("lemur.plugins.lemur_digicert.plugin.current_app")
|
||||||
assert signature_hash("sha256WithRSA") == "sha256"
|
def test_map_cis_fields_with_validity_end_and_start(mock_current_app, app, authority):
|
||||||
assert signature_hash("sha384WithRSA") == "sha384"
|
mock_current_app.config.get = Mock(side_effect=config_mock)
|
||||||
assert signature_hash("sha512WithRSA") == "sha512"
|
plugin.determine_end_date = Mock(return_value=arrow.get(2017, 5, 7))
|
||||||
|
|
||||||
|
with patch('lemur.plugins.lemur_digicert.plugin.signature_hash') as mock_signature_hash:
|
||||||
|
mock_signature_hash.return_value = "sha256"
|
||||||
|
|
||||||
|
names = [u"one.example.com", u"two.example.com", u"three.example.com"]
|
||||||
|
options = {
|
||||||
|
"common_name": "example.com",
|
||||||
|
"owner": "bob@example.com",
|
||||||
|
"description": "test certificate",
|
||||||
|
"extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}},
|
||||||
|
"organization": "Example, Inc.",
|
||||||
|
"organizational_unit": "Example Org",
|
||||||
|
"validity_end": arrow.get(2017, 5, 7),
|
||||||
|
"validity_start": arrow.get(2016, 10, 30),
|
||||||
|
"authority": authority
|
||||||
|
}
|
||||||
|
|
||||||
|
expected = {
|
||||||
|
"common_name": "example.com",
|
||||||
|
"csr": CSR_STR,
|
||||||
|
"additional_dns_names": names,
|
||||||
|
"signature_hash": "sha256",
|
||||||
|
"organization": {"name": "Example, Inc.", "units": ["Example Org"]},
|
||||||
|
"validity": {
|
||||||
|
"valid_to": arrow.get(2017, 5, 7).format("YYYY-MM-DDTHH:MM") + "Z"
|
||||||
|
},
|
||||||
|
"profile_name": None,
|
||||||
|
}
|
||||||
|
|
||||||
|
assert expected == plugin.map_cis_fields(options, CSR_STR)
|
||||||
|
|
||||||
|
|
||||||
|
@patch("lemur.plugins.lemur_digicert.plugin.current_app")
|
||||||
|
def test_signature_hash(mock_current_app, app):
|
||||||
|
mock_current_app.config.get = Mock(side_effect=config_mock)
|
||||||
|
assert plugin.signature_hash(None) == "sha256"
|
||||||
|
assert plugin.signature_hash("sha256WithRSA") == "sha256"
|
||||||
|
assert plugin.signature_hash("sha384WithRSA") == "sha384"
|
||||||
|
assert plugin.signature_hash("sha512WithRSA") == "sha512"
|
||||||
|
|
||||||
with pytest.raises(Exception):
|
with pytest.raises(Exception):
|
||||||
signature_hash("sdfdsf")
|
plugin.signature_hash("sdfdsf")
|
||||||
|
|
||||||
|
|
||||||
def test_issuer_plugin_create_certificate(
|
def test_issuer_plugin_create_certificate(
|
||||||
|
|
|
@ -96,7 +96,7 @@ def build_secret(secret_format, secret_name, body, private_key, cert_chain):
|
||||||
if secret_format == "TLS":
|
if secret_format == "TLS":
|
||||||
secret["type"] = "kubernetes.io/tls"
|
secret["type"] = "kubernetes.io/tls"
|
||||||
secret["data"] = {
|
secret["data"] = {
|
||||||
"tls.crt": base64encode(cert_chain),
|
"tls.crt": base64encode(body),
|
||||||
"tls.key": base64encode(private_key),
|
"tls.key": base64encode(private_key),
|
||||||
}
|
}
|
||||||
if secret_format == "Certificate":
|
if secret_format == "Certificate":
|
||||||
|
|
|
@ -98,10 +98,14 @@ def process_options(options):
|
||||||
:param options:
|
:param options:
|
||||||
:return: dict or valid verisign options
|
:return: dict or valid verisign options
|
||||||
"""
|
"""
|
||||||
|
# if there is a config variable with VERISIGN_PRODUCT_<upper(authority.name)> take the value as Cert product-type
|
||||||
|
# else default to "Server", to be compatoible with former versions
|
||||||
|
authority = options.get("authority").name.upper()
|
||||||
|
product_type = current_app.config.get("VERISIGN_PRODUCT_{0}".format(authority), "Server")
|
||||||
data = {
|
data = {
|
||||||
"challenge": get_psuedo_random_string(),
|
"challenge": get_psuedo_random_string(),
|
||||||
"serverType": "Apache",
|
"serverType": "Apache",
|
||||||
"certProductType": "Server",
|
"certProductType": product_type,
|
||||||
"firstName": current_app.config.get("VERISIGN_FIRST_NAME"),
|
"firstName": current_app.config.get("VERISIGN_FIRST_NAME"),
|
||||||
"lastName": current_app.config.get("VERISIGN_LAST_NAME"),
|
"lastName": current_app.config.get("VERISIGN_LAST_NAME"),
|
||||||
"signatureAlgorithm": "sha256WithRSAEncryption",
|
"signatureAlgorithm": "sha256WithRSAEncryption",
|
||||||
|
@ -111,11 +115,6 @@ def process_options(options):
|
||||||
|
|
||||||
data["subject_alt_names"] = ",".join(get_additional_names(options))
|
data["subject_alt_names"] = ",".join(get_additional_names(options))
|
||||||
|
|
||||||
if options.get("validity_end") > arrow.utcnow().shift(years=2):
|
|
||||||
raise Exception(
|
|
||||||
"Verisign issued certificates cannot exceed two years in validity"
|
|
||||||
)
|
|
||||||
|
|
||||||
if options.get("validity_end"):
|
if options.get("validity_end"):
|
||||||
# VeriSign (Symantec) only accepts strictly smaller than 2 year end date
|
# VeriSign (Symantec) only accepts strictly smaller than 2 year end date
|
||||||
if options.get("validity_end") < arrow.utcnow().shift(years=2, days=-1):
|
if options.get("validity_end") < arrow.utcnow().shift(years=2, days=-1):
|
||||||
|
@ -210,7 +209,7 @@ class VerisignIssuerPlugin(IssuerPlugin):
|
||||||
|
|
||||||
response = self.session.post(url, data=data)
|
response = self.session.post(url, data=data)
|
||||||
try:
|
try:
|
||||||
cert = handle_response(response.content)["Response"]["Certificate"]
|
response_dict = handle_response(response.content)
|
||||||
except KeyError:
|
except KeyError:
|
||||||
metrics.send(
|
metrics.send(
|
||||||
"verisign_create_certificate_error",
|
"verisign_create_certificate_error",
|
||||||
|
@ -222,8 +221,13 @@ class VerisignIssuerPlugin(IssuerPlugin):
|
||||||
extra={"common_name": issuer_options.get("common_name", "")}
|
extra={"common_name": issuer_options.get("common_name", "")}
|
||||||
)
|
)
|
||||||
raise Exception(f"Error with Verisign: {response.content}")
|
raise Exception(f"Error with Verisign: {response.content}")
|
||||||
# TODO add external id
|
authority = issuer_options.get("authority").name.upper()
|
||||||
return cert, current_app.config.get("VERISIGN_INTERMEDIATE"), None
|
cert = response_dict['Response']['Certificate']
|
||||||
|
external_id = None
|
||||||
|
if 'Transaction_ID' in response_dict['Response'].keys():
|
||||||
|
external_id = response_dict['Response']['Transaction_ID']
|
||||||
|
chain = current_app.config.get("VERISIGN_INTERMEDIATE_{0}".format(authority), current_app.config.get("VERISIGN_INTERMEDIATE"))
|
||||||
|
return cert, chain, external_id
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def create_authority(options):
|
def create_authority(options):
|
||||||
|
|
|
@ -140,7 +140,6 @@
|
||||||
<select ng-model="certificate.validityYears" class="form-control">
|
<select ng-model="certificate.validityYears" class="form-control">
|
||||||
<option value="">-</option>
|
<option value="">-</option>
|
||||||
<option value="1">1 year</option>
|
<option value="1">1 year</option>
|
||||||
<option value="2">2 years</option>
|
|
||||||
</select>
|
</select>
|
||||||
</div>
|
</div>
|
||||||
<span style="padding-top: 15px" class="text-center col-sm-1">
|
<span style="padding-top: 15px" class="text-center col-sm-1">
|
||||||
|
|
|
@ -5,37 +5,39 @@
|
||||||
# pip-compile --no-index --output-file=requirements-dev.txt requirements-dev.in
|
# pip-compile --no-index --output-file=requirements-dev.txt requirements-dev.in
|
||||||
#
|
#
|
||||||
aspy.yaml==1.3.0 # via pre-commit
|
aspy.yaml==1.3.0 # via pre-commit
|
||||||
bleach==3.1.0 # via readme-renderer
|
bleach==3.1.1 # via readme-renderer
|
||||||
certifi==2019.11.28 # via requests
|
certifi==2019.11.28 # via requests
|
||||||
|
cffi==1.14.0 # via cryptography
|
||||||
cfgv==2.0.1 # via pre-commit
|
cfgv==2.0.1 # via pre-commit
|
||||||
chardet==3.0.4 # via requests
|
chardet==3.0.4 # via requests
|
||||||
|
cryptography==2.8 # via secretstorage
|
||||||
docutils==0.15.2 # via readme-renderer
|
docutils==0.15.2 # via readme-renderer
|
||||||
flake8==3.5.0
|
flake8==3.5.0
|
||||||
identify==1.4.9 # via pre-commit
|
identify==1.4.9 # via pre-commit
|
||||||
idna==2.8 # via requests
|
idna==2.8 # via requests
|
||||||
importlib-metadata==1.3.0 # via keyring, pre-commit, twine
|
|
||||||
invoke==1.3.0
|
invoke==1.3.0
|
||||||
|
jeepney==0.4.2 # via secretstorage
|
||||||
keyring==21.0.0 # via twine
|
keyring==21.0.0 # via twine
|
||||||
mccabe==0.6.1 # via flake8
|
mccabe==0.6.1 # via flake8
|
||||||
more-itertools==8.0.2 # via zipp
|
|
||||||
nodeenv==1.3.3
|
nodeenv==1.3.3
|
||||||
pkginfo==1.5.0.1 # via twine
|
pkginfo==1.5.0.1 # via twine
|
||||||
pre-commit==1.21.0
|
pre-commit==1.21.0
|
||||||
pycodestyle==2.3.1 # via flake8
|
pycodestyle==2.3.1 # via flake8
|
||||||
|
pycparser==2.19 # via cffi
|
||||||
pyflakes==1.6.0 # via flake8
|
pyflakes==1.6.0 # via flake8
|
||||||
pygments==2.5.2 # via readme-renderer
|
pygments==2.5.2 # via readme-renderer
|
||||||
pyyaml==5.2
|
pyyaml==5.2
|
||||||
readme-renderer==24.0 # via twine
|
readme-renderer==24.0 # via twine
|
||||||
requests-toolbelt==0.9.1 # via twine
|
requests-toolbelt==0.9.1 # via twine
|
||||||
requests==2.22.0 # via requests-toolbelt, twine
|
requests==2.22.0 # via requests-toolbelt, twine
|
||||||
six==1.13.0 # via bleach, cfgv, pre-commit, readme-renderer
|
secretstorage==3.1.2 # via keyring
|
||||||
|
six==1.13.0 # via bleach, cfgv, cryptography, pre-commit, readme-renderer
|
||||||
toml==0.10.0 # via pre-commit
|
toml==0.10.0 # via pre-commit
|
||||||
tqdm==4.41.1 # via twine
|
tqdm==4.41.1 # via twine
|
||||||
twine==3.1.1
|
twine==3.1.1
|
||||||
urllib3==1.25.7 # via requests
|
urllib3==1.25.7 # via requests
|
||||||
virtualenv==16.7.9 # via pre-commit
|
virtualenv==16.7.9 # via pre-commit
|
||||||
webencodings==0.5.1 # via bleach
|
webencodings==0.5.1 # via bleach
|
||||||
zipp==0.6.0 # via importlib-metadata
|
|
||||||
|
|
||||||
# The following packages are considered to be unsafe in a requirements file:
|
# The following packages are considered to be unsafe in a requirements file:
|
||||||
# setuptools
|
# setuptools
|
||||||
|
|
Loading…
Reference in New Issue