Commit Graph

425 Commits

Author SHA1 Message Date
Curtis Castrapel 1ad61b1550 allow null validity periods 2018-08-17 07:57:55 -07:00
Curtis Castrapel bb026b8b59 Allow LetsEncrypt renewals and requesting certificates without specifying DNS provider 2018-08-13 14:22:59 -07:00
Marti Raudsepp 82158aece6 Fill in missing cert rotation_policy; don't ignore validation errors when re-issuing certs
CertificateInputSchema requires the rotation_policy field, but
certificates created before the field existed have set to NULL. Thus
saving such certificates failed and probably caused other errors.

Made cert re-issuing (get_certificate_primitives) more strict so such
errors are harder to miss in the future.
2018-08-03 20:06:21 +03:00
Mike Grima d6b482755b Proper flask_restful boolean parsing.
This is documented here: https://github.com/flask-restful/flask-restful/issues/488
2018-07-30 13:49:41 -07:00
Curtis Castrapel f93e938cda no bare except 2018-07-20 10:53:47 -07:00
Curtis Castrapel 5a01840784 Explicit capture exception during create failure 2018-07-20 10:47:19 -07:00
Steven Reiling 7f3454128d Adds an optional interval variable to notification service's
create_default_expiration_notifications and introduces a new optional
configuration variable, LEMUR_SECURITY_TEAM_EMAIL_INTERVALS, to allow admins
control over the centralized email notification defaults.
2018-07-13 14:08:31 -07:00
Marti Raudsepp 0398c6e723 Clean up module imports
Example:
* import lemur.common.utils -> from lemur.common import utils
* import sqlalchemy.types as types -> from sqlalchemy import types
2018-07-07 23:56:23 +03:00
Marti Raudsepp d690ea32bc Cache parsed certificate instead of re-parsing for each field
Use @cached_property decorator to cache the results of parse_certificate().

This significantly cuts down on the number of times certs need to be
parsed for a list view.
2018-07-03 17:31:44 +03:00
Marti Raudsepp 50846eb682 Expose certificate dateCreated via API 2018-07-02 18:24:18 +03:00
Curtis Castrapel 544a02ca3f Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 10:23:01 -07:00
Curtis Castrapel a9b9b27a0b fix tests 2018-05-10 12:58:04 -07:00
Curtis Castrapel 52e7ff9919 Allow specification of dns provider name only 2018-05-10 12:58:04 -07:00
Curtis f4a010e505
Merge branch 'master' into master 2018-05-09 07:52:07 -07:00
Curtis Castrapel 6500559f8e Fix issue with automatically renewing acme certificates 2018-05-08 14:54:10 -07:00
kevgliss c26ae16060
fixing docs (#1231) 2018-05-08 10:58:48 -07:00
Curtis Castrapel e68b3d2cbd 0.7 release 2018-05-07 09:58:24 -07:00
Curtis Castrapel 1be3f8368f dyn support 2018-05-04 15:01:01 -07:00
Curtis Castrapel 3e64dd4653 Additional work 2018-05-04 15:01:01 -07:00
Curtis Castrapel 532872b3c6 dns_provider ui 2018-04-27 11:18:51 -07:00
Curtis Castrapel 7704f51441 Working acme flow. Pending DNS providers UI 2018-04-24 09:38:57 -07:00
Curtis Castrapel 44e3b33aaa More stuff. Will prioritize this more next week 2018-04-20 14:49:54 -07:00
Curtis Castrapel 2d6d2357b5 DNS Providers list returned 2018-04-13 15:50:55 -07:00
Curtis Castrapel b2e6938815 WIP: Add support for Acme/LetsEncrypt with DNS Provider integration 2018-04-13 15:50:54 -07:00
Curtis Castrapel f6fd262618 DNS Providers list returned 2018-04-11 15:56:00 -07:00
Curtis Castrapel f61098b874 WIP: Add support for Acme/LetsEncrypt with DNS Provider integration 2018-04-10 14:28:53 -07:00
Marti Raudsepp 8e2b2123f1 Fix filtering on boolean columns, broken with SQLAlchemy 1.2 upgrade
SQLAlchemy 1.2 does not allow comparing string values to boolean
columns. This caused errors like:

    sqlalchemy.exc.StatementError: (builtins.TypeError) Not a boolean value: 'true'

For more details see http://docs.sqlalchemy.org/en/latest/changelog/migration_12.html#boolean-datatype-now-enforces-strict-true-false-none-values
2018-04-09 18:59:23 +03:00
Curtis Castrapel c3a2781507 Allow quotes for exact match 2018-03-28 08:33:43 -07:00
kevgliss db746f1296
Adds support for CDLDistributionPoints. (#1130) 2018-03-23 08:51:18 -07:00
Curtis Castrapel 18c64fafe4 address comment 2018-02-27 12:34:18 -08:00
Curtis Castrapel 77a1600c13 Fix cloned notifications 2018-02-27 10:57:43 -08:00
Curtis Castrapel cca3797669 comments on alembic changes. resolve invalid usage of log_service.create 2018-02-26 12:08:31 -08:00
James Chuong 2578970f7d Async Certificate Issuing using Pending Certificates (#1037)
* Add PendingCertificate model

This change creates a DB table called pending_certificates and
associated mapping relationship tables from pending certificate to
roles, rotation policy, destination, sources, etc.

The table is generated on initialization of Lemur. A pending
certificate holds most of the information of a Certificate, while it has
not be issued so that it can later backfill the information when the CA
has issued the certificate.

Change-Id: I277c16b776a71fe5edaf0fa0e76bbedc88924db0
Tickets: PBL-36499

* Create a PendingCertificate if cert is empty

IssuePlugins should return empty cert bodies if the request failed to
complete immediately (such as Digicert).  This way, we can immediately
return the certificate, or if not just place into PendingCertificates
for later processing.

+ Fix relation from Certificate to Pending Certificate, as view only.
There is no real need for anything more than that since Pending cert
only needs to know the cert to replace when it is issued later.

+ Made PendingCertificate private key be empty: UI does not allow
private key on 'Create' but only on 'Import'.  For Instart, we require
the private key but upstream does not necessarily need it.  Thus, if
someone at Instart wants to create a CSR / key combo, they should
manually issue the cert themselves and import later.  Otherwise you
should let Lemur generate that.  This keeps the workflow transparent for
upstream Lemur users.

Change-Id: Ib74722a5ed5792d4b10ca702659422739c95ae26
Tickets: PBL-36343

* Fix empty private_key when create Pending Cert

On creation of a certificate with a CSR, there is no option for private
key.  In this case, we actually have a dictionary with private_key as
key, but the value is None.  This fixes the strip() called on NoneType.

Change-Id: I7b265564d8095bfc83d9d4cd14ae13fea3c03199
Tickets: PBL-36499

* Source sync finds and uses pending certificate

When a source syncs certificates, it will check for a pending
certificate.  If that is found via external_id (given by digicert as
order_id) then it will use the found Pending Certificate's fields to
create a new certificate.  Then the pending certificate is deleted.

Tickets: PBL-36343
Change-Id: I4f7959da29275ebc47a3996741f7e98d3e2d29d9

* Add Lemur static files and views for pending certs

This adds the basic static files to view pending certificates in a
table.

Tickets: PBL-36343
Change-Id: Ia4362e6664ec730d05d280c5ef5c815a6feda0d9

* Add CLI and plugin based pending fetch

This change uses the adds a new function to issuer plugins to fetch
certificates like source, but for one order.  This way, we can control
which pending certificates to try and populate instead of getting all
certificates from source.

Tickets: PBL-36343
Change-Id: Ifc1747ccdc2cba09a81f298b31ddddebfee1b1d6

* Revert source using Pending Certificate

Tickets: PBL-36343
Change-Id: I05121bc951e0530d804070afdb9c9e09baa0bc51

* Fix PendingCertificate init getting authority id

Should get authority id from authority.id instead of the authority_id
key in kwargs.

Change-Id: Ie56df1a5fb0ab2729e91050f3ad1a831853e0623
Tickets: n/a

* Add fixtures and basic test for PendingCertificate

Change-Id: I4cca34105544d40dac1cc50a87bba93d8af9ab34
Tickets: PBL-36343

* Add User to create_certificate parameters

create_certificate now takes a User, which will be used to populate the
'creator' field in certificates.service.upload().  This allows the UI
populate with the current user if the owner does not exist in Lemur.

+ Fix chain being replaced with version from pending certificate, which
may be empty (depends on plugin implementation).

Change-Id: I516027b36bc643c4978b9c4890060569e03f3049
Tickets: n/a

* Fix permalink and filters to pending certs

Fixes the permalink button to get a single pending certificate
Add argument filter parsing for the pending certificate API
Fix comment on API usage
Added get_by_name for pending_certificate (currently unused, but useful
for CLI, instead of using IDs)

Change-Id: Iaa48909c45606bec65dfb193c13d6bd0e816f6db
Tickets: PBL-36910

* Update displayed fields for Pending Certificates

There are a number of unused / unpopulated fields from Certificate UI
that does apply to Pending Certificates.  Those ones were removed, and
added other useful fields:
Owner, number of attempts to fetch and date created

Change-Id: I3010a715f0357ba149cf539a19fdb5974c5ce08b
Tickets: PBL-36910

* Add common name (cn) to Pending Certificate model

Fixes the UI missing the CN for Pending Certificate, as it was
originally being parsed from the generated certificate.  In the case of
pending certificate, the CN from the user generates the request, which
means a pending cert can trust the original user putting in the CN
instead of having to parse the not-yet-generated certificate.  There is
no real possibility to return a certificate from a pending certificate
where the CN has changed since it was initially ordered.

Change-Id: I88a4fa28116d5d8d293e58970d9777ce73fbb2ab
Tickets: PBL-36910

* Fix missing imports for service filter

+ Removed duplicate get_by_name function from old merge

Change-Id: I04ae6852533aa42988433338de74390e2868d69b
Tickets: PBL-36910

* Add private key viewing to Pending Certificates

Add private key API for Pending Certificates, with the same
authorization as Certificates (only owner, creator or owner-roles can
view private key).

Change-Id: Ie5175154a10fe0007cc0e9f35b80c0a01ed48d5b
Tickets: PBL-36910

* Add edit capability to pending certificates

Like editing certificates, we should be able to modify some parts of a
pending certificate so the resulting certificate has the right
references, owner, etc.

+ Added API to update pending certificate
+ Fix UI to use pending certificate scope instead of reusing Certificate
+ Change pending_certificate.replaces to non-passive association, so
that updates do affect it (similar to roles/notifications/etc)

Tickets: PBL-36910
Change-Id: Ibbcb166a33f0337e1b14f426472261222f790ce6

* Add common_name parsing instead using kwargs

To fix tests where common name may not be passed in, use the CSR
generated to find the official common name.

Change-Id: I09f9258fa92c2762d095798676ce210c5d7a3da4
Tickets: PBL-36343

* Add Cancel to pending certificates and plugins

This allows pending certificates to be cancelled, which will be handled
by the issuer plugin.

Change-Id: Ibd6b5627c3977e33aca7860690cfb7f677236ca9
Tickets: PBL-36910

* Add API for Cancelling Pending Certificate

Added the DELETE handler for pending_certificates, which will cancel and
delete the pending certificate from the pending certs table on
successful cancellation via Issuer Plugin.

+ Add UT for testing cancel API

Change-Id: I11b1d87872e4284f6e4f9c366a15da4ddba38bc4
Tickets: PBL-36910

* Remove Export from Pending Certificates

Pending Certificates doesn't need an export since it should just be
fetched by Lemur via plugins, and the CSR is viewable via the UI.

Change-Id: I9a3e65ea11ac5a85316f6428e7f526c3c09178ae
Tickets: PBL-36910

* Add cancel button functionality to UI

This adds the Cancel option to the dropdown of pending certificates.

+ Adds modal window for Note (may not be required for all issuers, just
Digicert)
+ Add schema for cancel input
+ Fix Digitcert plugin for non-existant orders

When an order is actually issued, then attempting to cancel will return
a 403 from Digicert.  This is a case where it should only be done once
we know the pending cert has been sitting for too long.

Change-Id: I256c81ecd142dd51dcf8e38802d2c202829887b0
Tickets: PBL-36910

* Fix test_pending_cancel UT

This change creates and injects a pending cert, which will then be used
for the ID so it can be canceled by the unit test.

Change-Id: I686e7e0fafd68cdaeb26438fb8504d79de77c346
Tickets: PBL-36343

* Fix test_digicert on non-existent order

cancelling a non-existent order is fine since we're cancelling it

Change-Id: I70c0e82ba2f4b8723a7f65b113c19e6eeff7e68c
Tickets: PBL-36343

* Add migrations for PendingCertificates

Added revision for Pending Certificates table and foreign key mapping
tables.

Change-Id: Ife8202cef1e6b99db377851264639ba540b749db
Tickets: n/a

* Fix relationship copy from Pending to Certificate

When a Pending Certificate is changed to a full Certificate, the
relationship fields are not copied via vars() function, as it's not a
column but mapped via association table.  This adds an explicit copy for
these relations.  Which will properly copy them to the new Certificate,
and thus also update destinations.

Change-Id: I322032ce4a9e3e67773f7cf39ee4971054c92685
Tickets: PBL-36343

* Fix renaming of certificates and unit tests

The rename flag was not used to rename certificates on creation as
expected.

Fixed unit test, instead of expunging the session, just copy the
pending_certificate so we don't have a weird reference to the object
that can't be copied via vars() function.

Change-Id: I962943272ed92386ab6eab2af4ed6d074d4cffa0
Tickets: PBL-36343

* Updated developer docs for async certs

Added blurb for implementing new issuer functions.

Change-Id: I1caed6e914bcd73214eae2d241e4784e1b8a0c4c
Tickets: n/a
2018-02-22 08:13:16 -08:00
kevgliss eea413a90f
Modifying the way we report metrics. Relying on metric tags instead of the the metric name for additional dimensions. (#1036) 2018-01-02 15:26:31 -08:00
Marti Raudsepp 1287c3dc4a CRL verify: handle "Remove from CRL" status as not revoked (#1028)
Per RFC 5280 section 6.3.3 (k):
https://tools.ietf.org/html/rfc5280#section-6.3.3
2018-01-02 13:39:02 -08:00
Marti Raudsepp 99b10c436a CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 13:11:17 -08:00
kevgliss ecc0934657
Adding cli command to clear out pending symantec certificates. (#1009) 2017-12-04 10:04:12 -08:00
kevgliss cecfe47540
Adding the ability to revoke enmasse (#999) 2017-11-21 09:36:10 -08:00
kevgliss f990ef27cf Adding sentry tracking to issued with certificate deployment. (#978) 2017-10-26 15:21:13 -07:00
kevgliss 0152985e64 Adding serial numbers when certificates with the same name are encoun… (#970)
* Adding serial numbers when certificates with the same name are encountered.
2017-10-11 13:20:19 -07:00
kevgliss b66d7ce1fd Source plugin (#963)
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.

* Minor fix.
2017-10-06 13:22:03 -07:00
kevgliss dc34652efd Source plugin (#962)
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.
2017-10-06 08:49:05 -07:00
kevgliss a6305a5cae Adding Digicert CIS Sourceplugin (#959)
* Adding necessary features to complete backfill

* Fixing pagination logic.
2017-10-04 16:56:01 -07:00
kevgliss 09b8f532a7 Adding cli to mass revoke certificates. (#955) 2017-10-03 10:51:53 -07:00
kevgliss 90f4b458e3 Adding the lemur identity to be able to re-issue certificates. (#949) 2017-09-29 14:07:40 -07:00
kevgliss f5213deb67 Removing revocation comments for now. (#947) 2017-09-29 10:53:15 -07:00
kevgliss bb08b1e637 Initial work allowing certificates to be revoked. (#941)
* Initial work allowing for certificates to be revoked.
2017-09-28 18:27:56 -07:00
Marti Raudsepp 54ff4cddbf Disallow issuing certificates from inactive authority (#936) 2017-09-25 15:34:49 -07:00
Marti Raudsepp 97d83890e0 Various minor cleanups and fixes (#938)
* Documentation fixes

* Various docstring and help string fixes

* Minor code cleanups

* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
2017-09-25 15:33:42 -07:00
Marti Raudsepp ec5dec4a16 Add option to disable owner email address in CSR subject (#939) 2017-09-25 15:32:08 -07:00
Marti Raudsepp dafed86179 Improve certificate name normalization: remove Unicode characters, etc. (#906)
* Accented characters are replaced with non-accented version (ä -> a)
* Spaces are replaced with '-' (previously they were removed)
* Multiple non-alphanumeric characters are collapsed into one '-'
2017-09-08 10:52:22 -07:00
Marti Raudsepp 82b43b5a9d Create signal hooks and handler for dumping CSR and certificate details (#882) 2017-08-28 17:35:56 -07:00
Marti Raudsepp e7efaf4365 Prevent creation of empty SubjAltNames extension in CSR (#883) 2017-08-18 09:10:56 -07:00
Marti Raudsepp 7762d6ed52 Reworked sensitive domain name and restriction logic (#878)
* This is a fix for a potential security issue; the old code had edge
  cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
  is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
  CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
  be valid domain names.
2017-08-16 19:24:49 -07:00
Marti Raudsepp cf805f530f Prevent unintended access to sensitive fields (passwords, private keys) (#876)
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.

The filter() function allowed guessing the content of password hashes
one character at a time.

The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
2017-08-16 09:38:42 -07:00
kevgliss f5082e2d3a Starting transition away from not_before and not_after. (#854) 2017-07-14 09:24:59 -07:00
kevgliss 61c493fc91 Adding additional failure conditions to sentry tracking. (#853)
* Adding additional failure conditions to sentry tracking.

* Removing sentry extension as a circular import.
2017-07-13 14:49:04 -07:00
kevgliss 443eb43d1f Adding the ability to specify a per-certificate rotation policy. (#851) 2017-07-12 16:46:11 -07:00
Paul Van de Vreede 53113e5eeb Add auditing for creating or updating a cert. (#845) 2017-07-04 06:39:16 -07:00
kevgliss 9c92138f2d Fixing autorotation failures. (#825)
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
2017-06-02 08:59:42 -07:00
kevgliss 5a4806bc43 Allowing description to be optional. (#826) 2017-06-01 17:09:04 -07:00
kevgliss 307a73c752 Fixing some confusion between 401 vs 403 error code. 401 indicates that the user should attempt to authenticate again. Where as 403 indicates the user is authenticated but not allowed to complete an action. (#804)
Closes #767
2017-05-18 13:20:17 -07:00
Michael Treacher ce5a45037a Fix for status representation in the view (#778) 2017-05-05 11:04:40 -07:00
kevgliss 9c9ca37586 Enabling hex serial numbers without breaking backward compatibility. (#779)
* Enabling hex serial numbers without breaking backward compatibility.

* Fixing tests.
2017-05-05 11:04:09 -07:00
kevgliss fbc24ea400 There is an issue when iterating over extensions where certificates might not have been issued in adherence with basic constraints. Here we log these errors instead of failing out right. (#770) 2017-04-27 17:45:34 -07:00
Michael Treacher 05f4ae8e58 Hexify cert serial (#763)
* Hexify serial at the serialization layer

* Fix for flakey test. Change test to test for uppercased string
2017-04-27 09:13:04 -07:00
kevgliss b0ea027769 Underscores should not be in hostnames (#728) 2017-03-15 08:41:06 -07:00
kevgliss 3c5b2618c0 Rely on the lemur generating the correct name for rotated certificates. (#714)
* Rely on the lemur generating the correct name for rotated certificates.

* Fixing tests.
2017-03-09 13:09:20 -08:00
kevgliss 310e1d4501 Adds support for filtering by UI. Closes #702. (#706) 2017-03-03 15:07:26 -08:00
kevgliss fc957b63ff Source syncing tweaks. (#705)
* Allow owner to be specified when syncing certs.

* Ensuring non-endpoint plugins don't fail to complete syncing.

* Adding in some additional error handling.
2017-03-03 14:53:56 -08:00
Gus E 08bb9c73a0 allow attributes to be excluded from a cert subject (#690)
* allow more flexibility in cert subject name

* clean up logic/remove unnecessary code
2017-02-16 13:21:52 -08:00
kevgliss 8afcb50a39 Fixing the re-issuance process. Ensuring that certificates that are r… (#686)
* Fixing the re-issuance process. Ensuring that certificates that are re-issued go through the normal schema validation.

* Fixing tests.
2017-02-03 11:21:53 -08:00
Neil Schelly 117009c0a2 Lemur cryptography refactor and updates (#668)
* Renaming the function so it sounds less root-specific

* Refactoring lemur_cryptography
* Adding to the certificate interface an easy way to request the subject and public_key of a certificate
* Turning the create authority functionality into a wrapper of creating a CSR in the certificate codebase and issueing that certificate in this plugin. (Dependent on https://github.com/Netflix/lemur/pull/666 changes first)
* Ensuring that intermediate certificates and signed certificates retain their chain cert data

* Handling extensions that are the responsibility of the CA
Implementing authority_key_identifier for lemur_cryptography signatures and including skeletons of handling the certificate_info_access and crl_distribution_points

* Fixing errors found with linter

* Updating plugin unit tests

* Changing this for Python3. Underlying cryptography library expects these to be bytes now.

* Updating tests to match new function names/interfaces

* Another naming update in the plugin tests

* Appears that create_csr won't like this input without an owner.

* Undoing last commit and putting it into the right place this time.

* create_csr should be good now with these options, and chain certs will be blank in tests

* This won't be blank in issue_certificate, like it will in creating an authority.

* Much cleaner

* unnecessary import
2017-02-01 10:34:24 -08:00
kevgliss a59bc1f436 Fixes (#680)
* Adding some additional logging.
2017-01-28 16:40:37 -08:00
kevgliss bc94353850 Closes #648, also fixes several issues #666. (#678) 2017-01-27 21:05:25 -08:00
Neil Schelly f13a3505f3 X509 extensions issue#646 (#666)
* Allowing that create_csr can be called with an additional flag in the csr_config to adjust the BasicConstraints for a CA.

* If there are no SANs, skip adding a blank list of SANs.

* Adding handling for all the extended key usage, key usage, and subject key identifier extensions.

* Fixing lint checks. I was overly verbose.

* This implements marshalling of the certificate extensions into x509 ExtensionType objects in the schema validation code.

* Will create x509 ExtensionType objects in the schema validation stage
* Allows errors parsing incoming options to bubble up to the requestor as ValidationErrors.
* Cleans up create_csr a lot in the certificates/service.py
* Makes BasicConstraints _just another extension_, rather than a hard-coded one
* Adds BasicConstraints option for path_length to the UI for creating an authority
* Removes SAN types which cannot be handled from the UI for authorities and certificates.
* Fixes Certificate() object model so that it doesn't just hard-code only SAN records in the extensions property and actually returns the extensions how you expect to see them. Since Lemur is focused on using these data in the "CSR" phase of things, extensions that don't get populated until signing will be in dict() form.* Trying out schema validation of extensions
2017-01-27 12:31:29 -08:00
Nevins 162d5ccb62 Gracefully handle importing certificates with missing data (#674)
* fixing index out of range issue

* catching exceptions is common values aren't set

* fixing lint errors

* fixing unrelated lint/import error
2017-01-24 13:48:53 -08:00
kevgliss 83128f3019 Fixing elb sync issues. (#641)
* Fixing elb sync issues.

* Fixing de-duplications of names.
2017-01-05 16:06:34 -08:00
kevgliss e5dee2d7e6 Adding additional metrics for when destinations fail to upload. (#637) 2016-12-28 09:52:23 -08:00
kevgliss de7cec35c6 Clean refactor (#635)
* Adding rotation to the UI.

* Removing spinkit dependency.

* refactoring source cleaning
2016-12-27 10:31:33 -08:00
kevgliss 700c57b807 Rotation ui (#633)
* Adding rotation to the UI.

* Removing spinkit dependency.
2016-12-26 15:55:11 -08:00
kevgliss ce75bba2c3 Replacement refactor. (#631)
* Deprecating replacement keyword.

* Def renaming.
2016-12-26 11:09:50 -08:00
kevgliss 46f8ebd136 Modifying the way rotation works. (#629)
* Modifying the way rotation works.

* Adding docs.

* Fixing tests.
2016-12-23 13:18:42 -08:00
kevgliss 072ca4da4f Adding some additional output to rotation command. (#627) 2016-12-21 13:34:14 -08:00
kevgliss cdcae4efb0 Closes #594 (#621) 2016-12-20 14:26:39 -08:00
kevgliss f7c795c7f6 Closes #577. (#622) 2016-12-20 14:26:29 -08:00
kevgliss beba2ba092 Adding additional reporting and refactoring existing setup. (#620) 2016-12-20 12:48:14 -08:00
kevgliss 156b98f7f0 Ensuring that rotation only happens for certificates with endpoints to rotate. (#606) 2016-12-15 15:20:21 -08:00
kevgliss d20c552248 Fixing issues with rotation. (#603)
* Fixing issues with rotation.

* Fixing tests
2016-12-14 17:30:13 -08:00
Marti Raudsepp 1eb3d563c6 Fix error reporting for certs without private key (#599) 2016-12-14 13:25:56 -08:00
Marti Raudsepp 71ddbb409c Minor documentation fixes/tweaks (#597)
Mostly typos, grammar errors and inconsistent indentation in code
examples.

Some errors detected using Topy (https://github.com/intgr/topy), all
changes verified by hand.
2016-12-14 09:29:04 -08:00
kevgliss 03d5a6cfe1 Refactors how notifications are generated. (#584) 2016-12-12 11:22:49 -08:00
kevgliss 968dd52f6f Fixes (#576)
* Fixing email notification

* Adding endpoint expiration

* Fixing endpoint type for ELBs

* Allowing verisign to include additional SANs
2016-12-08 15:52:27 -08:00
kevgliss a4b32b0d31 Fixing up notification testing (#575) 2016-12-08 11:33:40 -08:00
kevgliss fc205713c8 Certificate rotation enhancements (#570) 2016-12-07 16:24:59 -08:00
kevgliss e94cf6ddc9 Ensuring that certificates returned from digicert are in the proper format (#564) 2016-12-06 12:05:18 -08:00
kevgliss e622a49b72 Adding better error handling around certificate rotation (#562) 2016-12-05 15:12:55 -08:00
kevgliss 9030aed8a4 Ensuring that our syncing process can find duplicate certifcates that do no need to be sync'd (#560) 2016-12-05 11:08:29 -08:00
kevgliss 7f823a04cd Ensuring that acme and cryptography respect different key types (#554) 2016-12-02 10:54:18 -08:00
kevgliss 81bf98c746 Enabling RSA2048 and RSA4096 as available key types (#551)
* Enabling RSA2048 and RSA4096 as available key types

* Fixing re-issuance
2016-12-01 15:41:53 -08:00
kevgliss 588ac1d6a6 Digicert cis fixes (#540) 2016-11-29 17:15:39 -08:00
kevgliss 058d2938fb migrating off of openssl (#539) 2016-11-29 11:30:44 -08:00
kevgliss 727bc87ede Log fixes (#534)
* tying up some loose ends with event logging

* Ensuring creators can access
2016-11-28 14:13:16 -08:00
kevgliss 250558baf3 Ensuring that authority owners can access certificates issued by that… (#526)
* Ensuring that authority owners can access certificates issued by that authority
2016-11-25 20:35:07 -08:00
kevgliss 8e5323e2d7 migrating flask imports (#525) 2016-11-22 21:11:20 -08:00
kevgliss 6eca2eb147 Re-working the way audit logs work.
* Adding more checks.
2016-11-21 11:28:11 -08:00
kevgliss 744e204817 Initial work on #74. (#514)
* Initial work on #74.

* Fixing tests.

* Adding migration script.

* Excluding migrations from coverage report.
2016-11-21 09:19:14 -08:00
kevgliss d45e7d6b85 [WIP] - 422 elb rotate (#493)
* Initial work on certificate rotation.

* Adding ability to get additional certificate info.

* - Adding endpoint rotation.
- Removes the g requirement from all services to enable easier testing.
2016-11-18 11:27:46 -08:00
kevgliss 6fd47edbe3 Adds the ability to clone existing certificates. (#513) 2016-11-17 16:19:52 -08:00
kevgliss a616310eb7 Fixing an issue were aws certificates plugins might not have a chain. (#512) 2016-11-17 14:47:10 -08:00
kevgliss 9ac1756011 removing new 'active' logic for the time being (#505) 2016-11-16 15:56:24 -08:00
kevgliss 851d74da3d Ensuring that private key is in string format before it gets stored (#504)
* Ensuring that private key is in string format before it gets stored

* Fixing failing test.
2016-11-16 15:05:25 -08:00
kevgliss eaf34b1c8b Disabling the protect active flag (#498) 2016-11-16 09:31:02 -08:00
kevgliss e9219adfb5 Ensuring model's have a basic __repr__. (#499) 2016-11-16 09:30:54 -08:00
kevgliss 114deba06e Adding the ability to silence notifications on creation. (#490) 2016-11-12 09:29:42 -08:00
kevgliss 0334f1094d fixing documentation typo (#489) 2016-11-11 13:35:24 -08:00
kevgliss 953d3a08e7 Adding example request to documentation. (#487) 2016-11-11 12:54:12 -08:00
kevgliss e6b291d034 Time (#482)
* adding python 3.5 as a target

* adding env flag

* Aligning on arrow dates.
2016-11-09 10:56:22 -08:00
kevgliss 4afedaf537 Fixes (#476)
* Ensures that Vault can accept bytes and strings.

* Make restricted domains optional.

* Fixing notify flag.
2016-11-04 09:16:41 -07:00
kevgliss 1ac1a44e83 San alt name (#468) 2016-10-31 11:00:15 -07:00
kevgliss a8f44944b1 Closes #415 2016-10-17 23:23:14 -07:00
kevgliss f921b67fff Removing the ability to use spaces in custom names. (#455) 2016-10-15 04:56:25 -07:00
kevgliss c367e4f73f Prevents the silencing of notifications that are actively deployed. (#454)
* Renaming 'active' to 'notify' as this is clearer and more aligned to what this value is actually controlling. 'active' is now a property that depends on whether any endpoints were found to be using the certificate. Also added logic for issue #405 disallowing for a certificates' notifications to be silenced when it is actively deployed on an endpoint.

* Adding migration script to alter 'active' column.
2016-10-15 00:12:11 -07:00
kevgliss dcb18a57c4 Adds option to restrict certificate expiration dates to weekdays. (#453)
* Adding ability to restrict certificate creation to weekdays.

* Ensuring that we test for weekends.
2016-10-15 00:04:35 -07:00
kevgliss c05a49f8c9 Fixes an issuer where a member of a role is not able to add new users to said role. (#445) 2016-10-11 17:24:15 -07:00
kevgliss 72a390c563 Ensure the openssl and cryptography work under python3. (#438) 2016-10-09 00:06:15 -07:00
Charles Hendrie 3ad7a37f95 Fix import certificate private key encoding (#434)
When importing a certificate, the private key is passed to the
import/upload process from the UI as a str object. In Python3 this
raises two issues when processing the private key - the private key
validation fails and database insert of the certificate fails.

The fix in both cases is to correctly encode the private key as a bytes
object.
2016-10-08 17:04:54 -07:00
kevgliss 2d7a6ccf3c Owner email (#414)
* Ensuring python2 works with unicode strings.

* adding in owner DN

* fixing tests

* Upgrading requests.

* Fixing tests.
2016-08-25 10:09:46 -07:00
kevgliss 29a330b1f4 Orphaned certificates (#406)
* Fixing whitespace.

* Fixing syncing.

* Fixing tests
2016-07-28 13:08:24 -07:00
kevgliss f38868a97f Fixing various problems with the syncing of endpoints, throttling sta… (#398)
* Fixing various problems with the syncing of endpoints, throttling stale endpoints etc.
2016-07-12 08:40:49 -07:00
kevgliss 1ba7181067 Fixed an issue were default notifications were added even when updati… (#395)
* Fixed an issue were default notifications were added even when updating a certificate, resulting in duplicate notifications.

* Ensuring imported certificates get the same treatment.
2016-07-07 11:44:11 -07:00
kevgliss 4077893d08 Ensuring that destinations require private keys by default. (#390)
* Ensuring that destinations require private keys by default.
2016-07-04 15:30:20 -07:00
kevgliss 54b888bb08 Adding a toy certificate authority. (#378) 2016-06-29 09:05:39 -07:00
kevgliss fe9703dd94 Closes #284 (#336) 2016-06-27 14:40:46 -07:00
kevgliss 19b928d663 Fixes #367 2016-06-23 13:29:59 -07:00
kevgliss d9cc4980e8 Fixing destination upload. (#347)
* Fixing an issue where uploaded certificates would have a name of 'None'

* Clarifying comment.

* Improving order.
2016-06-03 18:45:58 -07:00
kevgliss dc198fec8c Docs (#344)
* Adding release info.

* adding some fields

* Adding Source Plugin change.

* Updating docs
2016-06-03 08:28:09 -07:00
kevgliss 72e3fb5bfe Fixing several small issues. (#341)
* Fixing several small issues.

* Fixing tests.
2016-06-01 11:18:00 -07:00
kevgliss b2539b843b Fixing and error causing duplicate roles to be created. (#339)
* Fixing and error causing duplicate roles to be created.

* Fixing python3

* Fixing python2 and python3
2016-05-31 15:44:54 -07:00
kevgliss 11f4bd503b Fixes (#332)
* Ensuring domains are returned correctly.

* Ensuring certificates receive owner role
2016-05-24 17:10:19 -07:00
kevgliss 1ca38015bc Fixes (#329)
* Modifying the way roles are assigned.

* Adding migration scripts.

* Adding endpoints field for future use.

* Fixing dropdowns.
2016-05-23 18:38:04 -07:00
kevgliss 656269ff17 Closes #147 (#328)
* Closes #147

* Fixing tests

* Ensuring we can validate max dates.
2016-05-23 11:28:25 -07:00
kevgliss bd727b825d Making roles more apparent for certificates and authorities. (#327) 2016-05-20 12:48:12 -07:00
kevgliss e04c1e7dc9 Fixing a few things, adding tests. (#326) 2016-05-20 09:03:34 -07:00
kevgliss 615df76dd5 Closes 262 (#324)
Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities.
2016-05-19 13:37:05 -07:00
kevgliss b187d8f836 Adding a better comparison. (#320) 2016-05-16 19:03:10 -07:00
kevgliss 1763a1a717 254 duplication certificate name (#319) 2016-05-16 15:59:40 -07:00
kevgliss 62b61ed980 Fixing various issues. (#318)
* Fixing various issues.

* Fixing tests
2016-05-16 11:09:50 -07:00
kevgliss a0c8765588 Various bug fixes. (#314) 2016-05-12 12:38:44 -07:00
kevgliss f9655213b3 Marshmallowing notifications. (#308) 2016-05-10 11:27:57 -07:00
kevgliss df0ad4d875 Authorities marshmallow addition (#303) 2016-05-09 11:00:16 -07:00
kevgliss 6ec3bad49a Closes #278 (#298)
* Closes #278
2016-05-05 15:28:17 -07:00
kevgliss 52f44c3ea6 Closes #278 and #199, Starting transition to marshmallow (#299)
* Closes #278  and #199, Starting transition to marshmallow
2016-05-05 12:52:08 -07:00
kevgliss 3f89d6d009 Merge pull request #271 from kevgliss/195
Closes #195
2016-04-08 12:01:10 -07:00
kevgliss 62d03b0d41 Closes #216 2016-04-01 16:54:33 -07:00
kevgliss bfcfdb83a7 Closes #195 2016-04-01 14:27:57 -07:00
kevgliss 576265e09c Closes #246 2016-04-01 09:19:36 -07:00
kevgliss 028d86c0bb Adding a new flag to export plugins 'requires_key' that specifies whether the export plugin needs access to the private key. Defaults to True. 2016-01-29 12:45:18 -08:00
kevgliss 2ba48995fe Fixing documentation for filter format 2016-01-29 11:47:16 -08:00
kevgliss 1e524a49c0 making 'replacements' a non-require attribute for importing. Closes #226 2016-01-29 09:02:51 -08:00
kevgliss 0a4f5ad64d Fixing an assumption that 'subAltNames' are always passed to the API. 2016-01-10 17:33:19 -08:00
kevgliss 3f024c1ef4 Adds ability for domains to be marked as sensitive and only be allowed to be issued by an admin closes #5 2015-12-30 15:11:08 -08:00
kevgliss cabe2ae18d Adding the ability to issue third party created CSRs 2015-12-29 10:49:33 -08:00
kevgliss 9cadebcd50 adding example requests 2015-11-30 13:51:27 -08:00
kevgliss ec896461a7 Adding final touches to #125 2015-11-30 09:47:36 -08:00
kevgliss 8eeed821d3 Adding UI elements 2015-11-27 13:27:14 -08:00
kevgliss 920d595c12 Initial work on #125 2015-11-25 14:54:08 -08:00
kevgliss 1c6e9caa40 Closes #144 2015-11-24 16:07:44 -08:00
kevgliss d6b3f5af81 Closes #122 2015-11-24 14:53:22 -08:00
Robert Picard 40eb950e94 Use MultiFernet for encryption
Facilitates key rotation and uses more secure encryption than what
sqlalchemy-utils does.

Fixes #117 and #119.
2015-10-13 16:58:58 -07:00
kevgliss 168f46a436 Adding the ability to track a certificates signing key algorithm 2015-10-06 12:51:59 -07:00
kevgliss 5cfa9d4bc5 description should be optional 2015-09-29 16:37:32 -07:00
kevgliss 7ebd0bf5d4 making fields required 2015-09-24 08:42:31 -07:00
kevgliss 06a69c09a0 Fixing a bug where notifications associated during certificate creation would not be respected. 2015-09-22 13:01:05 -07:00
kevgliss be6a5b859e adding notification example 2015-09-22 09:46:54 -07:00
kevgliss aaae4d5a1f unifying lemur defaults 2015-09-04 15:52:56 -07:00
kevgliss 3b109ec578 Cleaning up temporary file creation, and revocation checking 2015-09-02 09:19:06 -07:00
kevgliss 45158c64a2 cleaning up temporary file creation 2015-09-02 09:19:06 -07:00
kevgliss aca69ce03c Closes #53 2015-09-02 09:15:11 -07:00
kevgliss bf8ce354e5 Closes #55 2015-09-02 09:13:47 -07:00
kevgliss 8d09d865b1 Closes #57 2015-09-02 09:13:47 -07:00
kevgliss 8977c5ddbf Ensuring notifications follow owner 2015-08-29 12:02:50 -07:00
kevgliss 9a04371680 Adding ability to define distinguished names in config 2015-08-27 12:59:40 -07:00
kevgliss a07db5625b Fixing an issue were extensions were implicitly required 2015-08-22 10:22:36 -07:00
kevgliss 4b7a55c89f Fixing issue with a certificate with no role not being viewable 2015-08-21 16:08:53 -07:00
kevgliss 6b2da2fe6b Fixes #35 2015-08-19 18:05:18 -07:00
kevgliss eb55d5465f Making LEMUR_DEFAULT_SECURITY_EMAIL optional 2015-08-17 16:03:57 -07:00
kevgliss 32ef793c4d Switch to relying on the configuration key in the configuration file 2015-08-08 16:12:29 -07:00
kevgliss fc68552d0f Making Lemur py3 compatible 2015-08-03 21:07:28 -07:00
kevgliss 7d169f7c4c Fixing up some of the sync related code 2015-08-03 13:51:27 -07:00
kevgliss cdb3814469 Fixing notification deduplication and roll up 2015-08-02 09:14:27 -07:00
kevgliss c9e9a9ed7c Fixing upload description 2015-08-02 07:45:10 -07:00
kevgliss 02b717dd7c Fixing upload, and removing old unneeded code 2015-08-02 05:57:26 -07:00
kevgliss aef1587635 Adding default notifications 2015-08-01 19:08:46 -07:00
kevgliss 46652ba117 Purging ELB and Listener specific models 2015-08-01 15:47:14 -07:00
kevgliss e247d635fc Adding backend code for sources models 2015-08-01 15:29:34 -07:00
kevgliss c5a6a0570a adding link to python packaging documentation 2015-07-31 19:02:44 -07:00
kevgliss 1e748a64d7 Initial support for notification plugins closes #8, closes #9, closes #7, closes #4, closes #16 2015-07-29 17:13:06 -07:00
kevgliss c02390d63b PEP8 2015-07-23 09:08:07 -07:00
kevgliss a4ed83cb62 Refactoring out challenge 2015-07-23 08:52:30 -07:00
kevgliss 8d576aa3d8 Fixing tests 2015-07-22 10:51:55 -07:00
kevgliss c75e20a1ea Pleasing the PEP8 gods 2015-07-21 13:06:13 -07:00
kevgliss 0c7204cdb9 Refactored 'accounts' to be more general with 'destinations' 2015-07-10 17:06:57 -07:00
kevgliss 5156371913 Modify the naming structure for certificates. AWS is pretty picky about what is a valid name. 2015-07-08 16:39:00 -07:00
kevgliss 002f83092d Changing the signature of save_cert, we don't create a csr_config anymore so it doesn't make sense to store it. Additionally 'challenge' is a verisign specific thing and should be factored out. We have stopped saving it as well. 2015-07-08 16:37:48 -07:00
kevgliss f660450043 Aligning config variables 2015-07-07 17:23:46 -07:00
kevgliss 8239aa55e1 fixing conflicts 2015-07-07 16:26:37 -07:00
kevgliss 82c4be29a4 fixing merge conflict 2015-07-07 15:36:39 -07:00
kevgliss c59bf3f257 Fixing tests 2015-07-06 10:53:12 -07:00
kevgliss 3f49bb95ff Starting to move to new plugin architecture. 2015-07-04 12:47:57 -07:00
kevgliss b17e12bed4 Doc fix 2015-07-03 12:59:48 -07:00
kevgliss 95bab9331d Enabling CSR generation and reducing complexity of encryption/decrypting the 'key' dir. 2015-07-03 10:30:17 -07:00
kevgliss 8cbc6b8325 Initial work at removing openssl 2015-07-02 15:48:56 -07:00
Kevin Glisson bc0f9534c2 Refactoring 'create_name' out of our certificate class, fixed an issuer were key size was being calculated and removing unused functions 2015-07-02 15:48:56 -07:00
Kevin Glisson 096d88bc9b Ensuring a 404 is returned when we can't find the specified certificate 2015-07-02 15:48:56 -07:00
Kevin Glisson f28d3a54c5 API change in cryptography 2015-07-02 15:48:55 -07:00
Kevin Glisson 37669b906c Fixes an issue where the issuer has special chars in the name. AWS dislikes special chars in certificate names so we strip them out here. In general we want to have the name tracked by Lemur be the same as what is uploaded to various destinations. 2015-07-02 15:48:54 -07:00
kevgliss 1a01209e78 Merge pull request #10 from kevgliss/tests
Tests
2015-06-29 14:10:54 -07:00
Kevin Glisson 964d1c1c52 Refactoring 'create_name' out of our certificate class, fixed an issuer were key size was being calculated and removing unused functions 2015-06-26 16:18:31 -07:00
Kevin Glisson 1f9d943a4c Ensuring a 404 is returned when we can't find the specified certificate 2015-06-26 16:17:22 -07:00
Kevin Glisson c6ae689dc8 Adding role tests 2015-06-26 10:31:55 -07:00
kevgliss b1f93c5dd2 Merge pull request #3 from kevgliss/hotfix/upload
API change in cryptography
2015-06-25 13:57:45 -07:00
Kevin Glisson e92113d28f API change in cryptography 2015-06-25 13:50:46 -07:00
Kevin Glisson be97f3dcc2 Fixes an issue where the issuer has special chars in the name. AWS dislikes special chars in certificate names so we strip them out here. In general we want to have the name tracked by Lemur be the same as what is uploaded to various destinations. 2015-06-24 16:51:44 -07:00
Kevin Glisson 4330ac9c05 initial commit 2015-06-22 13:47:27 -07:00