Commit Graph

425 Commits

Author SHA1 Message Date
Hossein Shafagh cc4fc66c93
Merge branch 'master' into master 2020-05-22 09:57:46 -07:00
Hossein Shafagh 748268ecd5
Merge branch 'master' into cert-rotation-region-by-region 2020-05-22 09:57:06 -07:00
Hossein Shafagh 2582086d39
Merge branch 'master' into ilabun/optimize-certificates-sql 2020-05-21 15:39:58 -07:00
Hossein Shafagh fd444403bb improved logging.
- adding destination name, fixing broken metric.
2020-05-21 15:32:38 -07:00
Hossein Shafagh 70985f4ff5 revised system arch 2020-05-14 22:37:30 -07:00
Hossein Shafagh cdd9137f4e
Merge branch 'master' into cert-rotation-region-by-region 2020-05-08 15:32:49 -07:00
Hossein Shafagh 529ee04ae7 removing duplicate line 2020-05-08 09:16:46 -07:00
Hossein Shafagh f68900d2b3 improving logging and the possibility of defining which Authorities qualify for auto-rotation 2020-05-07 18:28:01 -07:00
Hossein Shafagh 843ffad60e removing testing comments 2020-05-07 17:10:50 -07:00
Hossein Shafagh 1b6907a404 Certificate rotation region by region
example scheudule:
CELERYBEAT_SCHEDULE = {
    'certificate_rotate': {
        'task': 'lemur.common.celery.certificate_rotate',
        'options': {
            'expires': 180
        },
        'schedule': crontab(minute="*"),
        'kwargs': {'region': 'us-east-1'}
    }
}
2020-05-07 16:28:01 -07:00
Curtis Castrapel 863af7a3e5 Making CLI command ; Running black 2020-04-28 12:16:46 -07:00
Curtis Castrapel 273c3e2793 Celery task to enable autorotate for all certificates attached to endpoints without it enabled 2020-04-28 11:52:43 -07:00
Hossein Shafagh 2a2499a929 simplifying code 2020-03-26 20:45:00 -07:00
Hossein Shafagh 5206997468 expired is now called for new certs, where the not_after field might be in datetime format, and not comparable to utc 2020-03-26 19:01:07 -07:00
Hossein Shafagh 88c40aa93c
Merge branch 'master' into master 2020-03-23 20:31:16 -07:00
Hossein Shafagh 697215f8bc better handling of destination plugin errors, and also checking cert expiration before upload 2020-03-21 20:05:35 -07:00
Ilya Makarov 7bd5173da4 Merge with Netflix/lemur master 2020-03-20 20:52:33 +03:00
Hossein Shafagh 1d4da0e3d8 another polish 2020-03-17 16:59:09 -07:00
Hossein Shafagh ecca003ab4 improving the documentation and method naming 2020-03-17 16:55:36 -07:00
Hossein Shafagh 34d23503de fixing the data bug 2020-03-14 20:41:03 -07:00
Hossein Shafagh 593c35776c adding new methods for getting pending clean 2020-03-14 20:17:05 -07:00
e11it 27a86f5c18
Fix: San values #2921
Not sure is it correct solution
2020-03-03 21:45:33 +03:00
Ilya Labun 5d8eb51ef4
Merge branch 'master' into ilabun/optimize-certificates-sql 2020-01-24 11:28:55 +01:00
rajatsharma94 9984470b58 fix fatal error in schema validator 2020-01-23 15:27:02 +01:00
Ilya Labun bc1a2cf69c Optimize certificates SQL query
Co-authored-by: Javier Ramos <javier.ramos@booking.com>
2020-01-13 14:43:41 +01:00
Ilya Labun 189e8b2725 Eliminate subqueries when showing certificates list 2019-12-20 10:37:47 +01:00
Jay Zarfoss 00a0a27826 used fixedName variable to transport db lookup optimization 2019-11-20 09:44:31 -08:00
Hossein Shafagh a13c45e9cc updating dependencies, and fixing the deprecated arrow.replaces to shift 2019-09-20 13:49:38 -07:00
Hossein Shafagh 8340e0653b making lint happy 2019-08-07 18:04:28 -07:00
Hossein Shafagh d1519343d1 improving check revoked by only considering authorities which do support revocation and also only including not expired certs 2019-08-07 17:54:10 -07:00
Marti Raudsepp 2319858586 Expose new certificate field hasPrivateKey
We can also now disable the 'private key' tab when cert doesn't have a
private key.
2019-06-22 15:38:28 +03:00
Hossein Shafagh 23caac5576
Merge branch 'master' into temp-ExpiredToggle-3 2019-06-21 08:59:53 -07:00
Hossein Shafagh 34cdd29a50 removing the rotation enabled requirement, to keep the endpoint generic 2019-06-20 16:06:26 -07:00
Kush Bavishi f836c6fff6 API additions for viewing expired certs as well. Default behavior modified to show only valid certs and those which have expired less than 1 month ago. 2019-06-17 14:29:48 -07:00
Hossein Shafagh 071c083eae hiding expired certs after 6 months from the main page 2019-05-30 10:21:03 -07:00
Hossein Shafagh b4d9ab9f0c Merge branch 'master' of github.com:Netflix/lemur into improving-cert-lookup-time 2019-05-30 08:55:49 -07:00
Hossein Shafagh 13d46ae42e indexing the not after field in the cert table 2019-05-30 08:55:30 -07:00
Curtis Castrapel f81adb1371 Make get_or_increase_name queries less demanding 2019-05-29 12:20:05 -07:00
Curtis Castrapel 68fd1556b2 Black lint all the things 2019-05-16 07:57:02 -07:00
Hossein Shafagh f452a7ce68 adding a new API for faster certificate lookup.
The new API api/1/certificates/valid returns only non-expired (not_after >= today) certs which have auto-rotate enabled:

cn is a required parameter:

http://localhost:8000/api/1/certificates/valid?filter=cn;example.com
cn can also be a database string wildcard ('%'):

http://localhost:8000/api/1/certificates/valid?filter=cn;%
owner is the additional parameter, and must be the email address of the owner:

http://localhost:8000/api/1/certificates/valid?filter=cn;example.com&owner=hossein@example.com
given owner  and a database string wildcard ('%') one can retrieve all certs for that owner, which are still valid, and have auto-rotate enabled:

http://localhost:8000/api/1/certificates/valid?filter=cn;%&owner=hossein@example.com
2019-05-11 18:06:51 -07:00
Curtis Castrapel e33a103ca1 Allow searching for certificates by name via API 2019-05-09 14:36:56 -07:00
Curtis Castrapel 87470602fd Gather more metrics on certificate reissue/rotate jobs 2019-05-08 07:48:08 -07:00
Curtis f6afcc6d21
Merge branch 'master' into master 2019-04-17 10:28:46 -07:00
Javier Ramos 58dd424de8
Prevent potential NoneType not subscriptable
Fix when data['extensions']['subAltNames']['names'] is none
2019-04-17 18:33:52 +02:00
Jose Plana 770729a72e Allow csr to be empty during upload 2019-04-13 01:17:12 +02:00
Jose Plana 406753fcde Fix PEP8 2019-04-13 00:49:35 +02:00
Jose Plana a5570d07bc Added some documentation for API users. 2019-04-13 00:48:19 +02:00
Jose Plana c1b02cc8a5 Allow uploading csr along with certificates 2019-04-13 00:48:19 +02:00
Javier Ramos d80a6bb405 Added tests for CSR parsing into CertificateInputSchema 2019-04-01 08:44:40 +02:00
Javier Ramos b86e381e20 Parse SubjectAlternativeNames from CSR into Lemur Certificate 2019-03-27 13:46:33 +01:00
Curtis 4018c68d49
Merge branch 'master' into authority_validation_LE_errors 2019-03-25 08:34:10 -07:00
Curtis Castrapel c2158ff8fb Add order URI during LE cert creation failure; Fail properly when invalid CA passed; Update reqs 2019-03-25 08:28:23 -07:00
Javier Ramos 9e5496b484
Update schemas.py 2019-03-15 10:19:25 +01:00
Javier Ramos f7452e8379 Parse DNSNames from CSR into Lemur Certificate 2019-03-15 09:29:23 +01:00
Hossein Shafagh 93ce259fb2
Merge branch 'master' into verify-cert-chain 2019-03-07 12:46:19 -08:00
Hossein Shafagh 45cb0f0513
Merge branch 'master' into allow-cert-deletion 2019-03-06 09:35:10 -08:00
Hossein Shafagh 54ad3ba777
Merge branch 'master' into verify-cert-chain 2019-03-04 17:55:36 -08:00
Curtis Castrapel dd2900bdbc Relax search;update requirements 2019-03-04 10:04:06 -08:00
Marti Raudsepp 10cec063c2 Check that stored certificate chain matches certificate
Similar to how the private key is checked.
2019-03-04 17:10:59 +02:00
Ronald Moesbergen 63de8047ce Return 'already deleted' instead of 'not found' when cert has already been deleted 2019-02-27 09:38:25 +01:00
Ronald Moesbergen 29bda6c00d Fix typo's 2019-02-14 11:58:29 +01:00
Ronald Moesbergen 8abf95063c Implement a ALLOW_CERT_DELETION option (boolean, default False). When enabled, the certificate delete API call will work and the UI
will no longer display deleted certificates. When disabled (the default), the delete API call will not work (405 method not allowed)
 and the UI will show all certificates, regardless of the 'deleted' flag.
2019-02-14 11:57:27 +01:00
Hossein Shafagh 1d2771b014
Merge branch 'master' into get_by_attributes 2019-02-04 21:07:09 -08:00
Hossein Shafagh 45fbaf159a
Merge branch 'master' into master 2019-02-01 16:50:09 -08:00
Hossein Shafagh 8e93d007be
Merge branch 'master' into get_by_attributes 2019-02-01 16:48:50 -08:00
Marti Raudsepp e24a94d798 Enforce that PEM strings (certs, keys, CSR) are internally passed as str, not bytes
This was already true in most places but not 100%, leading to lots of redundant checks and conversions.
2019-01-30 18:11:24 +02:00
Hossein Shafagh e5ddf08f48
Merge branch 'master' into master 2019-01-29 16:37:29 -08:00
Marti Raudsepp 4b893ab5b4 Expose full certificate RFC 4514 Distinguished Name string
Using rfc4514_string() method added in cryptography version 2.5.
2019-01-23 10:03:40 +02:00
Ronald Moesbergen 4c4fbf3e48 Implement certificates delete API call by marking a cert as 'deleted' in the database. Only certificates that have expired can be deleted. 2019-01-21 10:25:28 +01:00
Curtis Castrapel 31a86687e7 Reduce the expense of joins 2019-01-14 09:20:02 -08:00
Curtis Castrapel c4e6e7c59b Optimize DB cert filtering 2019-01-14 08:02:27 -08:00
Marti Raudsepp 542e953919 Check that stored private keys match certificates
This is done in two places:
* Certificate import validator -- throws validation errors.
* Certificate model constructor -- to ensure integrity of Lemur's data
  even when issuer plugins or other code paths have bugs.
2018-12-31 16:28:20 +02:00
sirferl a50d80992c updated query to ignore empty parameters 2018-12-12 12:45:48 +01:00
Curtis Castrapel 39b76d18dc add countdown to async call 2018-11-28 14:41:56 -08:00
Curtis Castrapel e074a14ee9 unit test 2018-11-28 14:27:03 -08:00
Curtis Castrapel 2381d0a4bb Add async call to create pending cert when needed 2018-11-28 11:32:52 -08:00
Curtis Castrapel 3ce8abe46e Left outer join on domains tables to avoid missing results 2018-11-13 14:33:17 -08:00
Curtis 29be647911
Merge branch 'master' into no_csr_reissue 2018-11-12 09:54:47 -08:00
Curtis Castrapel a7a05e26bc Do not re-use CSR during certificate reissuance; Update requirement; Add more logging to celery handler 2018-11-12 09:52:11 -08:00
Curtis Castrapel 1643650685 Changing essential part of query 2018-11-07 16:02:04 -08:00
Curtis Castrapel 08a2a2b0e5 Optimize certificate filtering by name 2018-11-07 15:34:25 -08:00
Curtis Castrapel 52e773230d Add new gin index to optimize ILIKE queries 2018-11-05 10:29:11 -08:00
Curtis Castrapel 50761d9d3b safer reissue, fix celery sync job 2018-10-29 13:22:50 -07:00
Curtis a8b357965e
Merge branch 'master' into get_by_attributes 2018-10-29 08:15:42 -07:00
Curtis 2138930102
Merge branch 'master' into get_by_attributes 2018-10-24 07:20:46 -07:00
James Chuong 75069cd52a Add CSR to certificiates
Add csr column to certificates field, as pending certificates have
exposed the CSR already.  This is required as generating CSR from
existing certificate is will not include SANs due to OpenSSL bug:
https://github.com/openssl/openssl/issues/6481

Change-Id: I9ea86c4f87067ee6d791d77dc1cce8f469cb2a22
2018-10-23 17:46:04 -07:00
Curtis Castrapel 73ed5164cd deps 2018-10-22 14:51:13 -07:00
Non Sequitur 81d114092e Merge branch 'github' into get_by_attributes 2018-10-17 12:00:36 -04:00
Non Sequitur 48017a9d4c Added get_by_attributes to the certificates service, for fetching certs based on arbitrary attributes. Also associated test and extra tests for other service methods 2018-10-17 11:42:09 -04:00
Curtis Castrapel cc18a68c00 Lemur LetsEncrypt Polling Support 2018-10-11 22:01:05 -07:00
Curtis Castrapel e91d8ec81b add indexes to domains and certificates tables to optimize load time 2018-10-11 11:36:50 -07:00
Non Sequitur 50919d85a8 Merge remote-tracking branch 'upstream/master' into improved_verify 2018-09-27 11:19:06 -04:00
Mike Culbertson 590fac4aa8 docstring update in verify.py 2018-09-27 10:11:13 -04:00
Mike Culbertson 652d7f65dd flake8 tweak 2018-09-27 09:28:21 -04:00
Curtis Castrapel 563f0fb9b2 Celery refactoring, celery beat job in configuration 2018-09-17 10:52:12 -07:00
Curtis Castrapel 23382b2777 Celery integration 2018-09-13 10:35:54 -07:00
Curtis Castrapel 7d42e4ce67 Fix certificate import issues 2018-09-10 10:34:47 -07:00
Mike Culbertson 2815ddf6c8 Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 13:34:55 -04:00
Mike Culbertson 34c88494b8 More specific exception catch for cert parsing. line shortening. 2018-08-31 12:19:55 -04:00
Mike Culbertson 7dbca821c3 Reducing the stacked exceptions plus a bit of pep8 2018-08-31 12:01:49 -04:00
Curtis Castrapel 1ad61b1550 allow null validity periods 2018-08-17 07:57:55 -07:00
Curtis Castrapel bb026b8b59 Allow LetsEncrypt renewals and requesting certificates without specifying DNS provider 2018-08-13 14:22:59 -07:00
Marti Raudsepp 82158aece6 Fill in missing cert rotation_policy; don't ignore validation errors when re-issuing certs
CertificateInputSchema requires the rotation_policy field, but
certificates created before the field existed have set to NULL. Thus
saving such certificates failed and probably caused other errors.

Made cert re-issuing (get_certificate_primitives) more strict so such
errors are harder to miss in the future.
2018-08-03 20:06:21 +03:00
Mike Grima d6b482755b Proper flask_restful boolean parsing.
This is documented here: https://github.com/flask-restful/flask-restful/issues/488
2018-07-30 13:49:41 -07:00
Curtis Castrapel f93e938cda no bare except 2018-07-20 10:53:47 -07:00
Curtis Castrapel 5a01840784 Explicit capture exception during create failure 2018-07-20 10:47:19 -07:00
Steven Reiling 7f3454128d Adds an optional interval variable to notification service's
create_default_expiration_notifications and introduces a new optional
configuration variable, LEMUR_SECURITY_TEAM_EMAIL_INTERVALS, to allow admins
control over the centralized email notification defaults.
2018-07-13 14:08:31 -07:00
Marti Raudsepp 0398c6e723 Clean up module imports
Example:
* import lemur.common.utils -> from lemur.common import utils
* import sqlalchemy.types as types -> from sqlalchemy import types
2018-07-07 23:56:23 +03:00
Marti Raudsepp d690ea32bc Cache parsed certificate instead of re-parsing for each field
Use @cached_property decorator to cache the results of parse_certificate().

This significantly cuts down on the number of times certs need to be
parsed for a list view.
2018-07-03 17:31:44 +03:00
Marti Raudsepp 50846eb682 Expose certificate dateCreated via API 2018-07-02 18:24:18 +03:00
Curtis Castrapel 544a02ca3f Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 10:23:01 -07:00
Curtis Castrapel a9b9b27a0b fix tests 2018-05-10 12:58:04 -07:00
Curtis Castrapel 52e7ff9919 Allow specification of dns provider name only 2018-05-10 12:58:04 -07:00
Curtis f4a010e505
Merge branch 'master' into master 2018-05-09 07:52:07 -07:00
Curtis Castrapel 6500559f8e Fix issue with automatically renewing acme certificates 2018-05-08 14:54:10 -07:00
kevgliss c26ae16060
fixing docs (#1231) 2018-05-08 10:58:48 -07:00
Curtis Castrapel e68b3d2cbd 0.7 release 2018-05-07 09:58:24 -07:00
Curtis Castrapel 1be3f8368f dyn support 2018-05-04 15:01:01 -07:00
Curtis Castrapel 3e64dd4653 Additional work 2018-05-04 15:01:01 -07:00
Curtis Castrapel 532872b3c6 dns_provider ui 2018-04-27 11:18:51 -07:00
Curtis Castrapel 7704f51441 Working acme flow. Pending DNS providers UI 2018-04-24 09:38:57 -07:00
Curtis Castrapel 44e3b33aaa More stuff. Will prioritize this more next week 2018-04-20 14:49:54 -07:00
Curtis Castrapel 2d6d2357b5 DNS Providers list returned 2018-04-13 15:50:55 -07:00
Curtis Castrapel b2e6938815 WIP: Add support for Acme/LetsEncrypt with DNS Provider integration 2018-04-13 15:50:54 -07:00
Curtis Castrapel f6fd262618 DNS Providers list returned 2018-04-11 15:56:00 -07:00
Curtis Castrapel f61098b874 WIP: Add support for Acme/LetsEncrypt with DNS Provider integration 2018-04-10 14:28:53 -07:00
Marti Raudsepp 8e2b2123f1 Fix filtering on boolean columns, broken with SQLAlchemy 1.2 upgrade
SQLAlchemy 1.2 does not allow comparing string values to boolean
columns. This caused errors like:

    sqlalchemy.exc.StatementError: (builtins.TypeError) Not a boolean value: 'true'

For more details see http://docs.sqlalchemy.org/en/latest/changelog/migration_12.html#boolean-datatype-now-enforces-strict-true-false-none-values
2018-04-09 18:59:23 +03:00
Curtis Castrapel c3a2781507 Allow quotes for exact match 2018-03-28 08:33:43 -07:00
kevgliss db746f1296
Adds support for CDLDistributionPoints. (#1130) 2018-03-23 08:51:18 -07:00
Curtis Castrapel 18c64fafe4 address comment 2018-02-27 12:34:18 -08:00
Curtis Castrapel 77a1600c13 Fix cloned notifications 2018-02-27 10:57:43 -08:00
Curtis Castrapel cca3797669 comments on alembic changes. resolve invalid usage of log_service.create 2018-02-26 12:08:31 -08:00
James Chuong 2578970f7d Async Certificate Issuing using Pending Certificates (#1037)
* Add PendingCertificate model

This change creates a DB table called pending_certificates and
associated mapping relationship tables from pending certificate to
roles, rotation policy, destination, sources, etc.

The table is generated on initialization of Lemur. A pending
certificate holds most of the information of a Certificate, while it has
not be issued so that it can later backfill the information when the CA
has issued the certificate.

Change-Id: I277c16b776a71fe5edaf0fa0e76bbedc88924db0
Tickets: PBL-36499

* Create a PendingCertificate if cert is empty

IssuePlugins should return empty cert bodies if the request failed to
complete immediately (such as Digicert).  This way, we can immediately
return the certificate, or if not just place into PendingCertificates
for later processing.

+ Fix relation from Certificate to Pending Certificate, as view only.
There is no real need for anything more than that since Pending cert
only needs to know the cert to replace when it is issued later.

+ Made PendingCertificate private key be empty: UI does not allow
private key on 'Create' but only on 'Import'.  For Instart, we require
the private key but upstream does not necessarily need it.  Thus, if
someone at Instart wants to create a CSR / key combo, they should
manually issue the cert themselves and import later.  Otherwise you
should let Lemur generate that.  This keeps the workflow transparent for
upstream Lemur users.

Change-Id: Ib74722a5ed5792d4b10ca702659422739c95ae26
Tickets: PBL-36343

* Fix empty private_key when create Pending Cert

On creation of a certificate with a CSR, there is no option for private
key.  In this case, we actually have a dictionary with private_key as
key, but the value is None.  This fixes the strip() called on NoneType.

Change-Id: I7b265564d8095bfc83d9d4cd14ae13fea3c03199
Tickets: PBL-36499

* Source sync finds and uses pending certificate

When a source syncs certificates, it will check for a pending
certificate.  If that is found via external_id (given by digicert as
order_id) then it will use the found Pending Certificate's fields to
create a new certificate.  Then the pending certificate is deleted.

Tickets: PBL-36343
Change-Id: I4f7959da29275ebc47a3996741f7e98d3e2d29d9

* Add Lemur static files and views for pending certs

This adds the basic static files to view pending certificates in a
table.

Tickets: PBL-36343
Change-Id: Ia4362e6664ec730d05d280c5ef5c815a6feda0d9

* Add CLI and plugin based pending fetch

This change uses the adds a new function to issuer plugins to fetch
certificates like source, but for one order.  This way, we can control
which pending certificates to try and populate instead of getting all
certificates from source.

Tickets: PBL-36343
Change-Id: Ifc1747ccdc2cba09a81f298b31ddddebfee1b1d6

* Revert source using Pending Certificate

Tickets: PBL-36343
Change-Id: I05121bc951e0530d804070afdb9c9e09baa0bc51

* Fix PendingCertificate init getting authority id

Should get authority id from authority.id instead of the authority_id
key in kwargs.

Change-Id: Ie56df1a5fb0ab2729e91050f3ad1a831853e0623
Tickets: n/a

* Add fixtures and basic test for PendingCertificate

Change-Id: I4cca34105544d40dac1cc50a87bba93d8af9ab34
Tickets: PBL-36343

* Add User to create_certificate parameters

create_certificate now takes a User, which will be used to populate the
'creator' field in certificates.service.upload().  This allows the UI
populate with the current user if the owner does not exist in Lemur.

+ Fix chain being replaced with version from pending certificate, which
may be empty (depends on plugin implementation).

Change-Id: I516027b36bc643c4978b9c4890060569e03f3049
Tickets: n/a

* Fix permalink and filters to pending certs

Fixes the permalink button to get a single pending certificate
Add argument filter parsing for the pending certificate API
Fix comment on API usage
Added get_by_name for pending_certificate (currently unused, but useful
for CLI, instead of using IDs)

Change-Id: Iaa48909c45606bec65dfb193c13d6bd0e816f6db
Tickets: PBL-36910

* Update displayed fields for Pending Certificates

There are a number of unused / unpopulated fields from Certificate UI
that does apply to Pending Certificates.  Those ones were removed, and
added other useful fields:
Owner, number of attempts to fetch and date created

Change-Id: I3010a715f0357ba149cf539a19fdb5974c5ce08b
Tickets: PBL-36910

* Add common name (cn) to Pending Certificate model

Fixes the UI missing the CN for Pending Certificate, as it was
originally being parsed from the generated certificate.  In the case of
pending certificate, the CN from the user generates the request, which
means a pending cert can trust the original user putting in the CN
instead of having to parse the not-yet-generated certificate.  There is
no real possibility to return a certificate from a pending certificate
where the CN has changed since it was initially ordered.

Change-Id: I88a4fa28116d5d8d293e58970d9777ce73fbb2ab
Tickets: PBL-36910

* Fix missing imports for service filter

+ Removed duplicate get_by_name function from old merge

Change-Id: I04ae6852533aa42988433338de74390e2868d69b
Tickets: PBL-36910

* Add private key viewing to Pending Certificates

Add private key API for Pending Certificates, with the same
authorization as Certificates (only owner, creator or owner-roles can
view private key).

Change-Id: Ie5175154a10fe0007cc0e9f35b80c0a01ed48d5b
Tickets: PBL-36910

* Add edit capability to pending certificates

Like editing certificates, we should be able to modify some parts of a
pending certificate so the resulting certificate has the right
references, owner, etc.

+ Added API to update pending certificate
+ Fix UI to use pending certificate scope instead of reusing Certificate
+ Change pending_certificate.replaces to non-passive association, so
that updates do affect it (similar to roles/notifications/etc)

Tickets: PBL-36910
Change-Id: Ibbcb166a33f0337e1b14f426472261222f790ce6

* Add common_name parsing instead using kwargs

To fix tests where common name may not be passed in, use the CSR
generated to find the official common name.

Change-Id: I09f9258fa92c2762d095798676ce210c5d7a3da4
Tickets: PBL-36343

* Add Cancel to pending certificates and plugins

This allows pending certificates to be cancelled, which will be handled
by the issuer plugin.

Change-Id: Ibd6b5627c3977e33aca7860690cfb7f677236ca9
Tickets: PBL-36910

* Add API for Cancelling Pending Certificate

Added the DELETE handler for pending_certificates, which will cancel and
delete the pending certificate from the pending certs table on
successful cancellation via Issuer Plugin.

+ Add UT for testing cancel API

Change-Id: I11b1d87872e4284f6e4f9c366a15da4ddba38bc4
Tickets: PBL-36910

* Remove Export from Pending Certificates

Pending Certificates doesn't need an export since it should just be
fetched by Lemur via plugins, and the CSR is viewable via the UI.

Change-Id: I9a3e65ea11ac5a85316f6428e7f526c3c09178ae
Tickets: PBL-36910

* Add cancel button functionality to UI

This adds the Cancel option to the dropdown of pending certificates.

+ Adds modal window for Note (may not be required for all issuers, just
Digicert)
+ Add schema for cancel input
+ Fix Digitcert plugin for non-existant orders

When an order is actually issued, then attempting to cancel will return
a 403 from Digicert.  This is a case where it should only be done once
we know the pending cert has been sitting for too long.

Change-Id: I256c81ecd142dd51dcf8e38802d2c202829887b0
Tickets: PBL-36910

* Fix test_pending_cancel UT

This change creates and injects a pending cert, which will then be used
for the ID so it can be canceled by the unit test.

Change-Id: I686e7e0fafd68cdaeb26438fb8504d79de77c346
Tickets: PBL-36343

* Fix test_digicert on non-existent order

cancelling a non-existent order is fine since we're cancelling it

Change-Id: I70c0e82ba2f4b8723a7f65b113c19e6eeff7e68c
Tickets: PBL-36343

* Add migrations for PendingCertificates

Added revision for Pending Certificates table and foreign key mapping
tables.

Change-Id: Ife8202cef1e6b99db377851264639ba540b749db
Tickets: n/a

* Fix relationship copy from Pending to Certificate

When a Pending Certificate is changed to a full Certificate, the
relationship fields are not copied via vars() function, as it's not a
column but mapped via association table.  This adds an explicit copy for
these relations.  Which will properly copy them to the new Certificate,
and thus also update destinations.

Change-Id: I322032ce4a9e3e67773f7cf39ee4971054c92685
Tickets: PBL-36343

* Fix renaming of certificates and unit tests

The rename flag was not used to rename certificates on creation as
expected.

Fixed unit test, instead of expunging the session, just copy the
pending_certificate so we don't have a weird reference to the object
that can't be copied via vars() function.

Change-Id: I962943272ed92386ab6eab2af4ed6d074d4cffa0
Tickets: PBL-36343

* Updated developer docs for async certs

Added blurb for implementing new issuer functions.

Change-Id: I1caed6e914bcd73214eae2d241e4784e1b8a0c4c
Tickets: n/a
2018-02-22 08:13:16 -08:00
kevgliss eea413a90f
Modifying the way we report metrics. Relying on metric tags instead of the the metric name for additional dimensions. (#1036) 2018-01-02 15:26:31 -08:00
Marti Raudsepp 1287c3dc4a CRL verify: handle "Remove from CRL" status as not revoked (#1028)
Per RFC 5280 section 6.3.3 (k):
https://tools.ietf.org/html/rfc5280#section-6.3.3
2018-01-02 13:39:02 -08:00
Marti Raudsepp 99b10c436a CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 13:11:17 -08:00
kevgliss ecc0934657
Adding cli command to clear out pending symantec certificates. (#1009) 2017-12-04 10:04:12 -08:00
kevgliss cecfe47540
Adding the ability to revoke enmasse (#999) 2017-11-21 09:36:10 -08:00
kevgliss f990ef27cf Adding sentry tracking to issued with certificate deployment. (#978) 2017-10-26 15:21:13 -07:00
kevgliss 0152985e64 Adding serial numbers when certificates with the same name are encoun… (#970)
* Adding serial numbers when certificates with the same name are encountered.
2017-10-11 13:20:19 -07:00
kevgliss b66d7ce1fd Source plugin (#963)
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.

* Minor fix.
2017-10-06 13:22:03 -07:00
kevgliss dc34652efd Source plugin (#962)
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.
2017-10-06 08:49:05 -07:00
kevgliss a6305a5cae Adding Digicert CIS Sourceplugin (#959)
* Adding necessary features to complete backfill

* Fixing pagination logic.
2017-10-04 16:56:01 -07:00
kevgliss 09b8f532a7 Adding cli to mass revoke certificates. (#955) 2017-10-03 10:51:53 -07:00
kevgliss 90f4b458e3 Adding the lemur identity to be able to re-issue certificates. (#949) 2017-09-29 14:07:40 -07:00
kevgliss f5213deb67 Removing revocation comments for now. (#947) 2017-09-29 10:53:15 -07:00
kevgliss bb08b1e637 Initial work allowing certificates to be revoked. (#941)
* Initial work allowing for certificates to be revoked.
2017-09-28 18:27:56 -07:00
Marti Raudsepp 54ff4cddbf Disallow issuing certificates from inactive authority (#936) 2017-09-25 15:34:49 -07:00
Marti Raudsepp 97d83890e0 Various minor cleanups and fixes (#938)
* Documentation fixes

* Various docstring and help string fixes

* Minor code cleanups

* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
2017-09-25 15:33:42 -07:00
Marti Raudsepp ec5dec4a16 Add option to disable owner email address in CSR subject (#939) 2017-09-25 15:32:08 -07:00