Hossein Shafagh
1d4da0e3d8
another polish
2020-03-17 16:59:09 -07:00
Hossein Shafagh
ecca003ab4
improving the documentation and method naming
2020-03-17 16:55:36 -07:00
csine-nflx
9de89ec96a
Merge branch 'master' into new_clean_cert_cli
2020-03-17 13:38:32 -07:00
csine-nflx
07dc31bed7
cleaning up whitespace changes
2020-03-16 11:41:05 -07:00
csine-nflx
1a19e250bb
updating and cleaning up tests
2020-03-16 11:24:17 -07:00
Hossein Shafagh
34d23503de
fixing the data bug
2020-03-14 20:41:03 -07:00
Hossein Shafagh
b28b4f9a28
adding to new cli commands for cleaning certificates from source:
...
a) either about to expire in X days and not attached to an endpoint
a) or issued since X days but still not attached to an endpoint
2020-03-14 20:19:26 -07:00
Hossein Shafagh
c96695c966
refactor
2020-03-14 20:18:07 -07:00
Hossein Shafagh
593c35776c
adding new methods for getting pending clean
2020-03-14 20:17:05 -07:00
csine-nflx
921d52b360
fixing get_dns_challenge() logic so duplicate domains (such as wildcard and not wildcard) do not match the wrong authorziations
2020-03-13 00:03:31 -07:00
Ilya Makarov
be722fb1b3
Fix lint
2020-03-11 20:51:10 +03:00
Ilya Makarov
92a8942727
Fix lint
2020-03-11 15:37:11 +03:00
Ilya Makarov
a6c3b85fe1
Fix lint
2020-03-11 15:15:56 +03:00
Ilya Makarov
ba8e315eed
Fix typo
2020-03-11 14:22:04 +03:00
Ilya Makarov
729ed3843d
Fix bug wth get_options and slash in name
2020-03-11 14:16:29 +03:00
Ilya Makarov
d3cb0b517a
Add format support
2020-03-11 02:27:31 +03:00
Ilya Makarov
ad86cf1fd9
Merge remote-tracking branch 'upstream/master'
2020-03-11 00:29:07 +03:00
csine-nflx
e1e7efc96e
Merge branch 'master' into powerdnsplugin_01
2020-03-05 15:25:40 -08:00
csine-nflx
771e72187a
updates based on feedback
2020-03-05 15:24:56 -08:00
csine-nflx
5dfb6acb17
adding support for ACME_POWERDNS_VERIFY option to support CA Bundles and disabling Server validation
2020-03-05 14:59:21 -08:00
csine-nflx
c0004e506e
removing 2 year option from Lemur certificate request form
2020-03-04 14:50:44 -08:00
Hossein Shafagh
4a4b3b932e
Merge branch 'master' into master
2020-03-04 10:32:10 -08:00
csine-nflx
1e81d47793
Merge branch 'renewal_validity_01' of github.com:Netflix/lemur into renewal_validity_01
2020-03-03 17:28:58 -08:00
csine-nflx
fdc1e20c23
updating config_mock defaults
2020-03-03 17:27:15 -08:00
csine-nflx
38b7d6e5e3
Merge branch 'master' into renewal_validity_01
2020-03-03 14:44:33 -08:00
csine-nflx
6c46481ffd
simplifying return statement for validity years
2020-03-03 14:40:50 -08:00
csine-nflx
318292704d
fixing default/max DigiCert validity values
2020-03-03 14:29:17 -08:00
e11it
27a86f5c18
Fix: San values #2921
...
Not sure is it correct solution
2020-03-03 21:45:33 +03:00
e11it
fe67ff2146
Update plugin.py
...
Fix lint
2020-03-02 09:18:02 +03:00
Ilya Makarov
a8c0adaa4d
Merge remote-tracking branch 'upstream/master'
2020-02-27 17:08:35 +03:00
Ilya Makarov
9612d291ed
Add path suffix options
2020-02-18 19:16:27 +03:00
Hossein Shafagh
2ee60bcdb6
Merge branch 'master' into le_Log_orderurl
2020-02-17 10:30:58 -08:00
sirferl
e75df1ddc9
Update plugin.py
2020-02-17 19:04:20 +01:00
Hossein Shafagh
d29edabefe
Merge branch 'master' into le_Log_orderurl
2020-02-17 09:24:51 -08:00
sirferl
ed3472d029
Update plugin.py
2020-02-17 15:21:29 +01:00
sirferl
3fd0d3e141
Added VERISIGN_INTERMEDIATE_<authority> parameter
...
When using the VERISIGN_PRODUCT_<authority> Parameter one also has to add this parameter:
VERISIGN_INTERMEDIATE_<authority> = """ <PEM-String of Issuing CA for this certificate Type>"""
While doing this, I also added code, so the external_id field is filled with data from CA-Answer
2020-02-17 12:40:36 +01:00
sirferl
1815c89970
Made the change more elegant
...
As suggested by @hosseinsh. This is of course more elegant.
2020-02-16 09:28:52 +01:00
sirferl
a70a49e4e9
Update plugin.py
2020-02-15 16:11:58 +01:00
sirferl
3693bc2d8b
removed whitespaces inserted by online editor
2020-02-15 16:09:25 +01:00
sirferl
bfa953270d
Fixed whitespace error
2020-02-15 16:04:44 +01:00
sirferl
fabcad1e46
New variable VERISIGN_PRODUCT_(authority.name)
...
If there is a config variable with VERISIGN_PRODUCT_<upper(authority.name)> take the value as Cert product-type
else default to "Server", to be compatoible with former versions.
This enables the use of different Verisign authorities for differnt cert-products eg. EV or Standard Certs
2020-02-15 15:52:24 +01:00
csine-nflx
a8e8924e2a
Merge branch 'master' into le_Log_orderurl
2020-02-14 17:10:38 -08:00
sirferl
8e3cc93d6a
Whitespaces in empty line 113 removed
2020-02-14 07:50:18 +01:00
csine-nflx
b521aaf579
Merge branch 'master' into le_Log_orderurl
2020-02-13 16:41:14 -08:00
csine-nflx
af21225918
adding logging on sucess and metric submission of URL for certificate issuance
2020-02-13 16:38:33 -08:00
Hossein Shafagh
a449cc2b15
Merge branch 'master' into ilabun/optimize-certificates-sql
2020-02-13 16:05:46 -08:00
Hossein Shafagh
2b849a6520
Update plugin.py
...
making lint happy
2020-02-13 15:58:07 -08:00
Hossein Shafagh
9db1ea3307
Merge branch 'master' into master
2020-02-13 12:47:06 -08:00
sirferl
571c8bf42d
Error when validity_end date is empty #2905
...
this lines of code (114ff) in threw an error, when the validity_end date was empty:
if options.get("validity_end") > arrow.utcnow().shift(years=2):
raise Exception(
"Verisign issued certificates cannot exceed two years in validity"
)
Actually, they are not needed, because immidiately following is a check for an empty validity_end and for the length of the entered period.
When I commented it out for testing, the error was gone and everything worked as expected.
2020-02-13 07:38:04 +01:00
sirferl
6c7bb5f9b7
Fixed TLS secret format ( #2913 )
...
The Plugin handled the TLS secret format wrong: it sent chain certificate instead of requested public certificate #2913
2020-02-13 07:35:35 +01:00
csine-nflx
ca8e73286f
fixed get_domains() to remove duplicate entries, updated usage and tests
2020-02-12 15:10:24 -08:00
Hossein Shafagh
2d7284f677
Merge branch 'master' into ilabun/optimize-certificates-sql
2020-02-10 11:23:21 -08:00
Hossein Shafagh
c0cf1c02c1
Merge branch 'master' into ilabun/optimize-certificates-sql
2020-02-10 11:14:26 -08:00
Hossein Shafagh
b23ae60847
Merge branch 'master' into vault-k8s-auth
2020-02-10 11:12:52 -08:00
csine-nflx
bcdb3173bd
ensuring that "3" is set as an integer instead of a string
2020-02-04 18:23:17 -08:00
csine-nflx
8ea54d7db2
removing exception if domain zone not found. Logging the issue instead
2020-02-04 14:50:56 -08:00
csine-nflx
48bccd6f68
moving _check_config() lower in file, near other private methods
2020-02-03 19:08:28 -08:00
csine-nflx
c38e651eb0
Merge branch 'powerdnsplugin_01' of github.com:Netflix/lemur into powerdnsplugin_01
2020-02-03 19:04:05 -08:00
csine-nflx
53f81fb09f
updating based on suggestions in 2911
2020-02-03 18:58:31 -08:00
Ilya Labun
5e8599540e
Merge branch 'master' into ilabun/optimize-certificates-sql
2020-02-03 20:32:41 +01:00
csine-nflx
ac0282529e
adding basic logging on success
2020-02-03 11:05:20 -08:00
csine-nflx
fecb5b6252
Merge branch 'master' into powerdnsplugin_01
2020-01-31 16:37:57 -08:00
csine-nflx
fb6d369130
removed unnecessary imports in test_dns_providers.py
2020-01-31 16:18:22 -08:00
csine-nflx
be7736d350
adding dns tests and assorted exception handling
2020-01-31 13:16:37 -08:00
csine-nflx
969a7107fe
fixed PowerDNS Tests
2020-01-29 13:12:09 -08:00
csine-nflx
b885244aa7
fixing issue where set_domains() is still called when get_all_zones() throws an exception
2020-01-29 11:26:53 -08:00
csine-nflx
ef115ef2b1
moving PowerDNS number_of_attempts to global config variable ACME_POWERDNS_RETRIES
2020-01-29 11:20:39 -08:00
csine-nflx
b91899fe99
created CLI options for testin ACME over dns. Examle: acme dnstest -d _acme-chall.foo.com -t token1
2020-01-28 19:13:28 -08:00
Hossein Shafagh
192ecb3ce0
DNS provider: adding more logging
2020-01-28 16:24:50 -08:00
sirferl
620f972635
Fixed an error
...
Found out that I introduced an error when I changed code up for publishig. The certserv.py I use does not return the ID of the certificate created. For now I just leave the field empty. I will create another issue , so that the ID is filled up.
2020-01-27 11:04:49 +01:00
Ilya Labun
5d8eb51ef4
Merge branch 'master' into ilabun/optimize-certificates-sql
2020-01-24 11:28:55 +01:00
csine-nflx
c465062673
integrated PowerDNS plugin into dns_providers
2020-01-23 23:53:38 -08:00
rajatsharma94
9984470b58
fix fatal error in schema validator
2020-01-23 15:27:02 +01:00
csine-nflx
bddae6e428
adding PowerDNS delete_txt_record with associated tests
2020-01-22 16:18:52 -08:00
csine-nflx
52c7686d58
adding wait_for_dns_change() and tests for PowerDNS ACME plugin
2020-01-21 18:47:21 -08:00
csine-nflx
915ec0ba63
added PowerDNS support for create_txt_record and associated tests
2020-01-21 17:08:59 -08:00
Gutttlt
71f43dfcc1
Fixing "'Role' object has no attribute 'set_third_party'" error.
2020-01-21 08:40:54 +01:00
Hossein Shafagh
acf531ece3
Merge branch 'master' into vault-k8s-auth
2020-01-20 15:18:29 -08:00
Hossein Shafagh
6ee856e26d
Merge branch 'master' into ilabun/optimize-certificates-sql
2020-01-20 15:15:25 -08:00
csine-nflx
3080a9527c
adding PowerDNS get_zones functionality and unit tests
2020-01-17 18:29:37 -08:00
Hossein Shafagh
7f119b8914
Merge branch 'master' into ilabun/optimize-certificates-sql
2020-01-17 17:18:06 -08:00
Hossein Shafagh
cb7507156c
Merge branch 'master' into vault-k8s-auth
2020-01-17 17:17:53 -08:00
Hossein Shafagh
d6f41b6a99
improving string formatting to avoid dangling white spaces and new lines
2020-01-16 13:45:13 -08:00
Hossein Shafagh
1ed6ae539d
# possibility to default to a SIGNING_ALGORITHM for a given profile
2020-01-15 16:19:48 -08:00
jenkins-x-bot
cd7d9aee55
fixed lint error
2020-01-13 23:09:58 +02:00
jenkins-x-bot
8d957f22af
changed file handling
2020-01-13 22:46:34 +02:00
Ilya Labun
bc1a2cf69c
Optimize certificates SQL query
...
Co-authored-by: Javier Ramos <javier.ramos@booking.com>
2020-01-13 14:43:41 +01:00
Ilya Labun
cc0b2d5439
Added new lowercase indexes for certificates cn, name and domains name
...
Co-authored-by: Javier Ramos <javier.ramos@booking.com>
2020-01-13 14:40:22 +01:00
jenkins-x-bot
cad56c813e
fixed lint error
2020-01-12 01:51:48 +02:00
jenkins-x-bot
409b499217
added kubernetes auth for vault
2020-01-12 01:25:22 +02:00
Hossein Shafagh
348682d5ea
Merge branch 'master' into cfssl-key-fix
2020-01-09 10:44:02 -08:00
jenkins-x-bot
8be8c95b17
handled cfssl-key type error
2020-01-09 15:16:19 +02:00
Hossein Shafagh
1537d591a8
Improved messaging to point out to the Auto Rotate option for certificate issuance and renewal.
2020-01-08 14:42:16 -08:00
Hossein Shafagh
9b9662d470
Merge branch 'master' into master
2020-01-03 13:15:58 -08:00
pmelse
45c1207d07
Merge branch 'master' into master
2019-12-27 13:30:56 -05:00
pmelse
9fb4be1273
remove trailing whitespace
2019-12-27 13:25:03 -05:00
Ilya Labun
189e8b2725
Eliminate subqueries when showing certificates list
2019-12-20 10:37:47 +01:00
Jay Zarfoss
00a0a27826
used fixedName variable to transport db lookup optimization
2019-11-20 09:44:31 -08:00
Jay Zarfoss
113c9dd657
atlas redis plugin typo cleanup and better exception handling
2019-11-06 10:42:59 -08:00
Jay Zarfoss
f803fab413
add plugin to send atlas metric via redis
2019-11-06 10:14:49 -08:00
Hossein Shafagh
0d983bd2b5
missed edge case
2019-10-18 15:39:36 -07:00
Hossein Shafagh
f077b19126
Merge branch 'master' into master
2019-10-18 11:32:21 -07:00
Hossein Shafagh
06f4aed693
keeping track of certs found by hash
2019-10-18 11:21:29 -07:00
Hossein Shafagh
11f9920ff9
Merge branch 'master' into cert-sync-endpoint-find-by-hash
2019-10-18 11:08:51 -07:00
Hossein Shafagh
14e13b512e
providing a count for conflicts
2019-10-18 11:03:28 -07:00
Hossein Shafagh
9037f88430
just in case the path varies
2019-10-18 11:02:41 -07:00
Hossein Shafagh
1768aad9e2
capturing no such entity exception.
2019-10-18 10:17:58 -07:00
Hossein Shafagh
8aea257e6a
optimizing the call to describe cert to only the few certs with the naming issue
2019-10-18 09:24:49 -07:00
Hossein Shafagh
f075c5af3d
in case no cert match via name-search, search via the cert itself (serial number, hash comparison)
2019-10-18 08:48:11 -07:00
Hossein Shafagh
d43e859c34
describing the cert for each endpoint, for better cert search
2019-10-18 08:46:01 -07:00
Hossein Shafagh
10b600424e
refactoring searching for cert
2019-10-18 08:45:32 -07:00
Hossein Shafagh
b5ab87877b
adding retry to acme setup client, since it can experience timeouts or other types of Connection Errors
2019-10-17 10:16:33 -07:00
pmelse
f0652ca6a9
bug fix for overwriting certificates
2019-10-10 15:49:31 -04:00
Hossein Shafagh
477db836f4
lint
2019-09-23 12:52:17 -07:00
Hossein Shafagh
86f661a8af
With NLBs the DNS formatting has changed, which resulted in Lemur not getting the region correctly parsed
2019-09-23 12:36:08 -07:00
Hossein Shafagh
96b2149433
removing unintended commit
2019-09-20 15:22:45 -07:00
Hossein Shafagh
8c9a1df2cf
Merge branch 'master' into up-dependencies-20Sep2019
2019-09-20 15:19:25 -07:00
Hossein Shafagh
a13c45e9cc
updating dependencies, and fixing the deprecated arrow.replaces to shift
2019-09-20 13:49:38 -07:00
Hossein Shafagh
c669cd23f0
Merge branch 'master' into check-revoke-revised
2019-09-20 10:22:04 -07:00
Hossein Shafagh
972051a61e
removing 3 and 4 years from validity range options
2019-09-20 10:16:23 -07:00
Hossein Shafagh
d0e8666267
Merge branch 'master' into better-metrics-endpoints
2019-08-21 10:01:00 -07:00
Hossein Shafagh
db91e48395
adding account number for better logging, since the endpoint is not available in Lemur DB
2019-08-21 09:54:18 -07:00
Javier Ramos
e5e395f0d9
Show number of found items in pager
...
This commit does not involve any additional query as the data is already in API calls' responses
2019-08-20 09:29:58 +02:00
Hossein Shafagh
9b04d901c4
metric for missing certificate from an endpoint
2019-08-15 19:14:08 -07:00
Hossein Shafagh
f09643f350
Merge branch 'master' into check-revoke-revised
2019-08-15 11:15:24 -07:00
Curtis Castrapel
1c6fee7292
Allow better DNS autodetection for domains that directly match a DNS hosted zone
2019-08-15 10:52:26 -07:00
Hossein Shafagh
68abf11be8
Merge branch 'master' into check-revoke-revised
2019-08-13 20:09:27 -07:00
Hossein Shafagh
296a315a3e
Merge branch 'master' into soft_time_outs
2019-08-13 19:42:22 -07:00
Hossein Shafagh
ceb2d3d796
Merge branch 'master' into check-revoke-revised
2019-08-13 14:07:57 -07:00
Hossein Shafagh
2de3f287ab
standardizing the timeouts to easier monitor any timeouts
2019-08-13 12:21:27 -07:00
Hossein Shafagh
6e17d36d76
typos
2019-08-13 12:16:23 -07:00
Hossein Shafagh
22c60fedad
cosmetics
2019-08-13 12:11:04 -07:00
Hossein Shafagh
a3dfc3ef0a
consistency
2019-08-13 11:58:58 -07:00
Hossein Shafagh
c29f282560
improved the flow for checking if the task is active
2019-08-13 11:52:56 -07:00
Hossein Shafagh
4d728738ee
handling celery tasks without any arguments
2019-08-13 11:42:43 -07:00
Hossein Shafagh
07a9c56fb8
making lint happy
2019-08-13 09:35:57 -07:00
Hossein Shafagh
bf47f87c21
preventing celery duplicate tasks
2019-08-12 13:52:01 -07:00
Hossein Shafagh
5d4413e45c
Merge branch 'master' into ultradnsPlugin
2019-08-09 08:48:24 -07:00
Hossein Shafagh
83159c2417
Merge branch 'master' into multi-profile-digicert-plugin
2019-08-09 07:32:33 -07:00
Hossein Shafagh
da9c91afb4
fixing metric bug
2019-08-08 17:56:22 -07:00
Hossein Shafagh
3b9b94623f
cleaning up
2019-08-07 18:06:59 -07:00
Hossein Shafagh
8340e0653b
making lint happy
2019-08-07 18:04:28 -07:00
Hossein Shafagh
d1519343d1
improving check revoked by only considering authorities which do support revocation and also only including not expired certs
2019-08-07 17:54:10 -07:00
Hossein Shafagh
9a02230d63
adding soft time outs for celery
2019-08-07 17:48:06 -07:00
Kush Bavishi
d9aef2da3e
Changed dummy nameserver value
2019-08-07 14:38:18 -07:00
Kush Bavishi
a97283f0a4
Fixed indentation
2019-08-07 14:23:09 -07:00
Kush Bavishi
a6bf081bec
Remove unused import
2019-08-07 14:08:27 -07:00
Kush Bavishi
43f5c8b34e
Fixed indentation
2019-08-07 14:08:06 -07:00
Kush Bavishi
cadf372f7b
Removed hardcoded value from function call
2019-08-07 14:02:10 -07:00
Kush Bavishi
b4f4e4dc24
Added extra check for return value to test_create_txt_record
2019-08-07 13:55:02 -07:00
Kush Bavishi
fa7f71d859
Modified paginate response to dummy values
2019-08-07 13:53:10 -07:00
Kush Bavishi
3ff56fc595
Blank line removed
2019-08-07 13:42:11 -07:00
Kush Bavishi
894502644c
test_wait_for_dns_change fixed!
2019-08-07 13:39:20 -07:00
Kush Bavishi
37a1b55b08
test_delete_txt_record changed to mock get_zone_name and return the value directly instead of executing the function.
2019-08-07 13:27:21 -07:00
Kush Bavishi
31c2d207a2
test_delete_txt_record fixed. Function call was missing earlier
2019-08-07 13:23:05 -07:00
Kush Bavishi
785c1ca73e
test_create_txt_record modified - get_zone_name mocked to return the zone name directly, instead of actually running the function.
2019-08-07 13:20:24 -07:00
Kush Bavishi
f2cbddf9e2
Unit tests for get_zone_name, get_zones
2019-08-07 13:17:16 -07:00
Kush Bavishi
6e84e1fd59
Unit Tests for create_txt_record, delete_txt_record, wait_for_dns_change
2019-08-07 13:04:38 -07:00
Hossein Shafagh
ff1f73f985
fixing the plugin test to include authority
2019-08-07 12:05:36 -07:00
Hossein Shafagh
bbda9b1d6f
making sure to handle when no config file provided, though we do a check for that
2019-08-07 12:05:13 -07:00
Hossein Shafagh
e2ea2ca4d1
providing sample config
2019-08-07 11:05:07 -07:00
Hossein Shafagh
b885cdf9d0
adding multi profile name support with DigiCert plug.
...
This requires that the configs are a dict, with multiple entries, where the key is the name of the Authority used to issue certs with.
DIGICERT_CIS_PROFILE_NAMES = {"sha2-rsa-ecc-root": "ssl_plus"}
DIGICERT_CIS_ROOTS = {"root": "ROOT"}
DIGICERT_CIS_INTERMEDIATES = {"inter": "INTERMEDIATE_CA_CERT"}
Hence, in DB one need to add
1) the corresponding authority table, with digicert-cis-issuer. Note the names here are used to mapping in the above config
2) the corresponding intermediary in the certificate table , with root_aurhority_id set to the id of the new authority_id
2019-08-07 10:24:38 -07:00
Kush Bavishi
a7c2b970b0
Unit testing Part 1
2019-08-05 14:00:22 -07:00
Hossein Shafagh
ad6c38960a
Merge branch 'master' into ultradnsPlugin
2019-07-31 16:05:36 -07:00
Kush Bavishi
2903799b85
Changed string formatting from "{}".format() to f"{}" for consistency
2019-07-31 14:19:49 -07:00
Hossein Shafagh
e8e4f826ea
updating logging format
2019-07-31 13:09:31 -07:00
Kush Bavishi
5a401b2d87
Added the Zone class and Record class to ultradns.py and removed the respective files
2019-07-31 12:04:42 -07:00
Kush Bavishi
fe075dc9f5
Changed function comments to doc strings.
2019-07-31 12:00:31 -07:00
Kush Bavishi
503df999fa
Updated metrics.send to send function named, followed by status, separated by a period
2019-07-31 11:32:04 -07:00
Kush Bavishi
11cd095131
Reduced the number of calls to get_public_authoritative_nameserver by using a variable
2019-07-31 11:12:28 -07:00
Kush Bavishi
3ba7fdbd49
Updated logger to log a dictionary instead of a string
2019-07-31 11:11:39 -07:00
Hossein Shafagh
0f591e9a3d
Merge branch 'master' into moving-cronjobs-to-celery-v2
2019-07-30 14:13:59 -07:00
Hossein Shafagh
6bf920e66c
Merge branch 'master' into ultradnsPlugin
2019-07-30 14:13:45 -07:00
Hossein Shafagh
7810095796
Merge branch 'master' into better-error-handling-dyn
2019-07-30 13:27:43 -07:00
Kush Bavishi
44bc562e8b
Update ultradns.py
...
Minor logging changes in wait_for_dns_change
2019-07-30 13:08:16 -07:00
Kush Bavishi
3d48b422b5
Removed TODO
2019-07-30 11:39:35 -07:00
Hossein Shafagh
a89cbe9332
moving all cron jobs to become celery jobs
2019-07-30 09:57:15 -07:00
Kush Bavishi
3ad791e1ec
Dynamically obtain the authoritative nameserver for the domain
2019-07-29 18:01:28 -07:00
Kush Bavishi
e993194b4f
Check ultraDNS authoritative server first. Upon success, check Googles DNS server.
2019-07-29 14:59:28 -07:00
Hossein Shafagh
adabe18c90
metric tags, to be able to track which domains where failing during the LetsEncrypt domain validation
2019-07-25 18:56:28 -07:00
Hossein Shafagh
429e6a967c
better error handling for redis
2019-07-25 18:49:19 -07:00
Kush Bavishi
252410c6e9
Updated TTL from 300 to 5
2019-07-22 16:00:20 -07:00
Kush Bavishi
51f3b7dde0
Added the Record class for UltraDNS
2019-07-22 14:23:40 -07:00
Kush Bavishi
0b52aa8c59
Added Zone class to handle ultradns zones
2019-07-22 11:47:48 -07:00
Hossein Shafagh
36ebba6491
source is not dict
2019-07-18 15:16:01 -07:00
Kush Bavishi
e37a7c775e
Initial commit for the UltraDNS plugin to support Lets Encrypt
2019-07-18 14:29:54 -07:00
Hossein Shafagh
09c0fa0f94
updating the function declaration
2019-07-16 17:21:01 -07:00
Hossein Shafagh
cd1aeb15f1
adding testing for redis
2019-07-12 11:50:12 -07:00
Hossein Shafagh
1b1bdbb261
spacing
2019-07-12 10:25:37 -07:00
Hossein Shafagh
97d74bfa1d
fixing the app context issue. we will create an app if no current_app available
2019-07-12 08:47:39 -07:00
Hossein Shafagh
2628ed1a82
better alerting
2019-07-11 23:00:35 -07:00
Curtis Castrapel
8eb639e366
Initial LetsEncrypt / Celery docs
2019-07-09 11:13:11 -07:00
Curtis Castrapel
0c5a8f2039
Relax celery time limit for source syncing; Ensure metric tags are string
2019-07-01 08:35:04 -07:00
Hossein Shafagh
0e037973b2
Revert "Faster permalink"
2019-06-26 10:31:58 -07:00
Curtis
850620c2a2
Merge branch 'master' into restore-manage-shebang
2019-06-25 09:41:08 -07:00
Curtis
5df06501f6
Merge pull request #2814 from intgr/expose-cert-hasprivaatekey
...
Expose new certificate field hasPrivateKey
2019-06-25 09:40:27 -07:00
Curtis
8fbff00850
Merge branch 'master' into restore-manage-shebang
2019-06-25 09:29:06 -07:00
Hossein Shafagh
404b7a25bc
Merge branch 'master' into restore-manage-shebang
2019-06-25 09:27:08 -07:00
alwaysjolley
86a1fb41ac
lint fix
2019-06-25 06:56:37 -04:00
alwaysjolley
55a96ba790
type none
2019-06-24 15:10:10 -04:00
alwaysjolley
6699833297
fixing empty chain
2019-06-24 13:10:08 -04:00
Marti Raudsepp
2319858586
Expose new certificate field hasPrivateKey
...
We can also now disable the 'private key' tab when cert doesn't have a
private key.
2019-06-22 15:38:28 +03:00
Danny Thomas
4565bd7dc6
Update SAN text
2019-06-21 13:33:55 -07:00
Kush Bavishi
960064d5c6
Color change for Show Expired button
2019-06-21 11:32:16 -07:00
Hossein Shafagh
23caac5576
Merge branch 'master' into temp-ExpiredToggle-3
2019-06-21 08:59:53 -07:00
Hossein Shafagh
39d65db7fd
Merge branch 'master' into generalizing-api
2019-06-20 16:13:04 -07:00
Hossein Shafagh
162a300e53
Merge branch 'master' into temp-ExpiredToggle-3
2019-06-20 16:12:55 -07:00
Hossein Shafagh
34cdd29a50
removing the rotation enabled requirement, to keep the endpoint generic
2019-06-20 16:06:26 -07:00
Kush Bavishi
de0462e54f
Added missing semi-colon and changed double quotes to single quotes
2019-06-20 15:41:32 -07:00
Kush Bavishi
68815b8f44
UI changes - Button to show / hide expired certs.
2019-06-20 15:05:26 -07:00
alwaysjolley
bbf50cf0b0
updated dest as well as src
2019-06-20 08:26:32 -04:00
alwaysjolley
02719a1de7
Merge branch 'master' into vault_regex
...
fixed conflicts:
lemur/plugins/lemur_vault_dest/plugin.py
2019-06-19 09:53:08 -04:00
alwaysjolley
56917614a2
fixing regex to be more flexable
2019-06-19 09:46:44 -04:00
Marti Raudsepp
8a08edb0f3
manage.py: Restore shebang line
...
This is an executable file but cannot be executed without the interpreter.
The shebang line was lost in commit 8cbc6b8325
2019-06-18 10:51:11 +03:00
Kush Bavishi
f836c6fff6
API additions for viewing expired certs as well. Default behavior modified to show only valid certs and those which have expired less than 1 month ago.
2019-06-17 14:29:48 -07:00
Kush Bavishi
c0f8fbb24f
Modified Permalink behavior to access a newer, faster API
2019-06-11 15:53:47 -07:00
Kush Bavishi
57016f2f45
Merge branch 'master' of https://github.com/Netflix/lemur into FasterPermalink
2019-06-11 14:33:58 -07:00
Kush Bavishi
491d048948
Modified the behavior of Permalink to access a newer, faster API
2019-06-10 09:47:29 -07:00
Curtis
0446aea20e
Update messaging.py
2019-06-06 13:35:45 -07:00
Hossein Shafagh
1ed41d03ea
Merge branch 'master' into duplicate-notifications-(alternative)
2019-06-06 09:10:57 -07:00
Hossein Shafagh
28e26a1baf
to prevent duplicate emails, we might better remove owner and security email address from the notification recipient
2019-06-05 17:57:11 -07:00
Kush Bavishi
45231c2423
Added code to automatically add the common name as a DNS name while creating a certificate.
2019-05-31 14:08:28 -07:00
Curtis
7eb9c80fb2
Merge pull request #2798 from castrapel/domains_enhancements
...
Enhance domains query and sensitive domain checking code
2019-05-30 10:31:24 -07:00
Curtis Castrapel
8b821d0023
Enhance domains query and sensitive domain checking code; Allow creation of opt-out roles via config
2019-05-30 10:21:44 -07:00
Hossein Shafagh
071c083eae
hiding expired certs after 6 months from the main page
2019-05-30 10:21:03 -07:00
Hossein Shafagh
b4d9ab9f0c
Merge branch 'master' of github.com:Netflix/lemur into improving-cert-lookup-time
2019-05-30 08:55:49 -07:00
Hossein Shafagh
13d46ae42e
indexing the not after field in the cert table
2019-05-30 08:55:30 -07:00
Curtis
8bc23f6deb
Merge pull request #2797 from castrapel/get_or_increase_name_simplify
...
Make get_or_increase_name queries less demanding
2019-05-29 12:50:06 -07:00
Curtis
6e4306b3bb
Merge pull request #2795 from ardichoke/fix_vault_api_v2_append
...
Fix Certificate Appending With v2 Vault API
2019-05-29 12:49:36 -07:00
Curtis Castrapel
5e389f3f48
Add certificate1 to test DB
2019-05-29 12:38:17 -07:00
Curtis Castrapel
f81adb1371
Make get_or_increase_name queries less demanding
2019-05-29 12:20:05 -07:00
Curtis Castrapel
fd35a26955
Support read replicas
2019-05-28 12:45:39 -07:00
Ryan DeShone
09c7076e79
Handle double data field in API v2
2019-05-22 17:12:10 -04:00
Curtis Castrapel
1423ac0d98
More metrics
2019-05-21 12:55:33 -07:00
Curtis Castrapel
34c7e5230b
Set a limit on number of retries
2019-05-21 12:52:41 -07:00
Curtis Castrapel
4fac726cf4
Add support for JSON logging
2019-05-17 08:48:26 -07:00
Curtis Castrapel
0320c04be2
nosec comment
2019-05-16 08:14:46 -07:00
Curtis Castrapel
68fd1556b2
Black lint all the things
2019-05-16 07:57:02 -07:00
Curtis Castrapel
e3c5490d25
Expose exact response from digicert as error
2019-05-15 13:36:40 -07:00
Curtis Castrapel
26d10e8b98
change ordering in more places
2019-05-15 11:47:53 -07:00
Curtis Castrapel
7e92edc70a
Set resolved cert ID before resolving cert; Ignore sentry exceptions when no records on deletion
2019-05-15 11:43:59 -07:00
Curtis
6eb3836abc
Merge branch 'master' into fast-valid-cert-lookup
2019-05-15 10:20:17 -07:00
Curtis Castrapel
5d8f71c3e4
nt
2019-05-14 13:02:24 -07:00
Curtis Castrapel
565142f985
Add soft timeouts to celery jobs; Check for PEM in LE order
2019-05-14 12:52:30 -07:00
Hossein Shafagh
f452a7ce68
adding a new API for faster certificate lookup.
...
The new API api/1/certificates/valid returns only non-expired (not_after >= today) certs which have auto-rotate enabled:
cn is a required parameter:
http://localhost:8000/api/1/certificates/valid?filter=cn;example.com
cn can also be a database string wildcard ('%'):
http://localhost:8000/api/1/certificates/valid?filter=cn;%
owner is the additional parameter, and must be the email address of the owner:
http://localhost:8000/api/1/certificates/valid?filter=cn;example.com&owner=hossein@example.com
given owner and a database string wildcard ('%') one can retrieve all certs for that owner, which are still valid, and have auto-rotate enabled:
http://localhost:8000/api/1/certificates/valid?filter=cn;%&owner=hossein@example.com
2019-05-11 18:06:51 -07:00
Curtis Castrapel
ed18df22db
remove permalink change
2019-05-09 14:54:44 -07:00
Curtis Castrapel
e33a103ca1
Allow searching for certificates by name via API
2019-05-09 14:36:56 -07:00
Curtis
c9c782684d
Merge branch 'master' into add_metrics_reissue_rotate
2019-05-08 07:48:44 -07:00
Curtis Castrapel
87470602fd
Gather more metrics on certificate reissue/rotate jobs
2019-05-08 07:48:08 -07:00
Curtis
317c84800c
Merge branch 'master' into jwks_validation_error_control
2019-05-08 06:50:56 -07:00
Curtis Castrapel
0eacbd42d7
Converting userinfo authorization to a config var
2019-05-07 15:31:42 -07:00
Jose Plana
4e6e7edf27
Rename return variable for better readability
2019-05-07 22:53:01 +02:00
Hossein Shafagh
b7ce9ab901
Merge branch 'master' into jwks_validation_error_control
2019-05-07 13:09:02 -07:00
Hossein Shafagh
ff583981b1
Merge branch 'master' into aid_openid_roles_provider_integration
2019-05-07 09:06:02 -07:00
Hossein Shafagh
e58ff476c9
Merge branch 'master' into jwks_validation_error_control
2019-05-07 09:05:41 -07:00
Curtis
22caaa0c95
Merge branch 'master' into fix_userinfo_authorization
2019-05-07 07:48:47 -07:00
Curtis
e65154b48e
Merge branch 'master' into develop
2019-05-07 07:36:51 -07:00
alwaysjolley
ef7a8587fe
Merge branch 'lemur_vault_source' of github.com:/alwaysjolley/lemur into lemur_vault_source
2019-05-07 10:06:09 -04:00
alwaysjolley
b0c8901b0a
lint cleanup
2019-05-07 10:05:01 -04:00
alwaysjolley
36ce1cc7ef
Merge branch 'master' into lemur_vault_source
2019-05-07 09:41:50 -04:00
alwaysjolley
fb3f0bd72a
adding Vault Source plugin
2019-05-07 09:37:30 -04:00
Daniel Iancu
a7af3cf8d2
Fix Cloudflare DNS
2019-05-07 03:05:24 +03:00
Jose Plana
deed1b9685
Don't fail if googleGroups is not found in user profile
2019-05-06 12:30:25 +02:00
Jose Plana
6c99e76c9a
Better error management in jwks token validation
2019-05-06 12:27:43 +02:00
Jose Plana
2063baefc9
Fixes userinfo using Bearer token
2019-05-06 12:23:24 +02:00
Curtis Castrapel
3a1da72419
nt
2019-04-29 13:57:04 -07:00
Curtis Castrapel
6e3f394cff
Updated requirements ; Revert change and require DNS validation by provider
2019-04-29 13:55:26 -07:00
Curtis Castrapel
1a90e71884
Move ACME host validation logic prior to R53 host modification
2019-04-26 17:27:44 -07:00
Curtis Castrapel
333ba8030a
Ensure hostname is lowercase when comparing DNS challenges. ACME will automatically lowercase the hostname
2019-04-26 15:45:04 -07:00
Curtis Castrapel
1a3ba46873
More retry changes
2019-04-26 10:18:54 -07:00
Curtis Castrapel
1e64851d79
Strip out self-polling logic and rely on ACME; Enhance ELB logging and retries
2019-04-26 10:16:18 -07:00
Curtis
8eef95b58e
Merge branch 'master' into expose_verisign_exception
2019-04-25 19:15:55 -07:00
Curtis Castrapel
dcdfb32883
Expose verisign exceptions
2019-04-25 19:14:15 -07:00
Curtis Castrapel
39584f214b
Process DNS Challenges appropriately (1 challenge -> 1 domain)
2019-04-25 15:12:52 -07:00
Curtis Castrapel
2bc604e5a9
Better metrics and error reporting
2019-04-25 13:50:41 -07:00
Curtis Castrapel
272285f64a
Better exception handling, logging, and metrics for ACME flow
2019-04-24 15:26:23 -07:00
Curtis
0f9b0f39f7
Merge branch 'master' into add-pending-certificate-upload
2019-04-24 09:34:35 -07:00
alwaysjolley
a801112cf6
Merge branch 'master' into lemur_vault_plugin
2019-04-23 07:07:39 -04:00
alwaysjolley
85efb6a99e
cleanup tmp files
2019-04-23 07:06:52 -04:00
Hossein Shafagh
9b38761153
Merge branch 'master' into add-pending-certificate-upload
2019-04-22 11:47:02 -07:00
alwaysjolley
f9dadb2670
fixing validation
2019-04-22 09:38:44 -04:00
alwaysjolley
8dccaaf544
simpler validation
2019-04-22 07:58:01 -04:00
alwaysjolley
1667c05742
removed unused functions
2019-04-18 13:57:10 -04:00
alwaysjolley
b39e2e3f66
Merge branch 'master' into lemur_vault_plugin
2019-04-18 13:55:45 -04:00
alwaysjolley
fb3b0e8cd7
adding regex filtering
2019-04-18 13:52:40 -04:00
Jose Plana
7dd9268ca7
Allow uploading a signed cert for a pending certificate.
2019-04-18 00:46:39 +02:00
Curtis
8177e12f3f
Merge branch 'master' into rewrite-java-keystore-use-pyjks
2019-04-17 10:43:44 -07:00
Hossein Shafagh
52f939658f
Merge branch 'master' into rewrite-java-keystore-use-pyjks
2019-04-17 10:31:58 -07:00
Curtis
f6afcc6d21
Merge branch 'master' into master
2019-04-17 10:28:46 -07:00
Javier Ramos
58dd424de8
Prevent potential NoneType not subscriptable
...
Fix when data['extensions']['subAltNames']['names'] is none
2019-04-17 18:33:52 +02:00
Jose Plana
771f2ebc47
Use SAN_CERT_CSR
2019-04-13 11:01:36 +02:00
Jose Plana
770729a72e
Allow csr to be empty during upload
2019-04-13 01:17:12 +02:00
Hossein Shafagh
2ff811ae71
updating cryptography API call, to create right signing algorithm object.
2019-04-13 00:57:48 +02:00
Hossein Shafagh
09796cf7c9
the check_cert_signature() method was attempting to compare RSA and ECC signatures.
...
If a ec public-key certificate is signed with an RSA key, then it can't be a self-signed certificate, in which case we just raise InvalidSignature.
2019-04-13 00:57:48 +02:00
Jose Plana
406753fcde
Fix PEP8
2019-04-13 00:49:35 +02:00
Jose Plana
a5570d07bc
Added some documentation for API users.
2019-04-13 00:48:19 +02:00
Jose Plana
c1b02cc8a5
Allow uploading csr along with certificates
2019-04-13 00:48:19 +02:00
Hossein Shafagh
df8d4e0892
Merge branch 'master' into rewrite-java-keystore-use-pyjks
2019-04-12 09:38:50 -07:00
Hossein Shafagh
ceb335f3ab
Merge branch 'master' into master
2019-04-12 09:38:41 -07:00
alwaysjolley
9ecc19c481
adding san filter
2019-04-12 09:53:06 -04:00
Hossein Shafagh
6d67ec7e34
removing unused import
2019-04-11 17:34:02 -07:00
Hossein Shafagh
512e1a0bdd
fixing typos
2019-04-11 17:17:28 -07:00
Hossein Shafagh
6ec84a398c
checking for None
2019-04-11 17:13:47 -07:00
Hossein Shafagh
69c00c4db5
upon creating a new destination, we also add it as source, if the plugin defines this as an option
2019-04-11 17:13:47 -07:00
Hossein Shafagh
d7abf2ec18
adding a new util method for setting options
2019-04-11 17:13:47 -07:00
Hossein Shafagh
557fac39b5
refactoring the sync job into a service method that we can also call when adding a new destination
2019-04-11 17:13:47 -07:00
Hossein Shafagh
d1ead4b79c
removing the announcement
2019-04-11 17:13:47 -07:00
Hossein Shafagh
5900828051
simple hardcoded announcement
2019-04-11 17:13:47 -07:00
Hossein Shafagh
818da6653d
removing the announcement
2019-04-11 17:13:47 -07:00
Hossein Shafagh
e1a67e9b4e
simple hardcoded announcement
2019-04-11 17:13:47 -07:00
Hossein Shafagh
84dfdd0600
removing the announcement
2019-04-11 17:13:47 -07:00
Hossein Shafagh
ba691a26d4
simple hardcoded announcement
2019-04-11 17:13:47 -07:00
Hossein Shafagh
b66fac0494
removing the announcement
2019-04-11 17:13:47 -07:00
Hossein Shafagh
1bda246df2
simple hardcoded announcement
2019-04-11 17:13:47 -07:00
Hossein Shafagh
9a210c055a
Merge branch 'master' into hshafagh-src-dst-register
2019-04-11 15:36:48 -07:00
Hossein Shafagh
2459234147
removing lines
2019-04-11 14:34:26 -07:00
Hossein Shafagh
60edab9f6d
cleaning up
2019-04-11 14:12:31 -07:00
Hossein Shafagh
ec3d2d7316
fixing typo
2019-04-11 13:51:43 -07:00
Hossein Shafagh
83d408b238
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst
2019-04-11 13:30:12 -07:00
Hossein Shafagh
266c83367d
avoiding hard-coded plugin names
2019-04-11 13:29:37 -07:00
Hossein Shafagh
f185df4f1e
bringing class AWSDestinationPlugin(DestinationPlugin) after AWSSourcePlugin.slug, such that we can do: sync_as_source_name = AWSSourcePlugin.slug
2019-04-11 13:28:58 -07:00
Curtis Castrapel
2ff57e932c
Update requirements - upgrade to py37
2019-04-10 15:40:48 -07:00
Hossein Shafagh
d628e97035
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst
2019-04-10 09:47:06 -07:00
Hossein Shafagh
bc8c7e114a
Merge branch 'master' into hshafagh-src-dst-register
2019-04-09 20:52:33 -07:00
Hossein Shafagh
f3d0536800
removing hardcoded rules, to give more flexibility into defining new source-destinations
2019-04-09 20:49:07 -07:00
Javier Ramos
bfc4f940da
Merge branch 'master' into master
2019-04-09 18:06:09 +02:00
Hossein Shafagh
64c6bb2475
Merge branch 'master' into rewrite-java-keystore-use-pyjks
2019-04-09 08:28:05 -07:00
Marti Raudsepp
dbf34a4d48
Rewrite Java Keystore/Truststore support based on pyjks library
2019-04-06 20:24:46 +03:00
Javier Ramos
d80a6bb405
Added tests for CSR parsing into CertificateInputSchema
2019-04-01 08:44:40 +02:00
Ryan DeShone
e10007ef7b
Add support for Vault KV API v2
...
This adds the ability to target KV API v1 or v2.
2019-03-29 10:32:49 -04:00
Javier Ramos
b86e381e20
Parse SubjectAlternativeNames from CSR into Lemur Certificate
2019-03-27 13:46:33 +01:00
Hossein Shafagh
d2e969b836
better synching of source and destinations
2019-03-26 18:20:14 -07:00
Curtis
4018c68d49
Merge branch 'master' into authority_validation_LE_errors
2019-03-25 08:34:10 -07:00
Curtis Castrapel
c2158ff8fb
Add order URI during LE cert creation failure; Fail properly when invalid CA passed; Update reqs
2019-03-25 08:28:23 -07:00
Curtis
8a42cfa345
Merge branch 'master' into ghjaramos/master
2019-03-21 08:07:44 -07:00
alwaysjolley
fa4a5122bc
fixing file read to trim line endings and cleanup
2019-03-20 14:59:04 -04:00
alwaysjolley
f99b11d50e
refactor url and token to support muiltiple instances of vault
2019-03-20 13:51:06 -04:00
Javier Ramos
9e5496b484
Update schemas.py
2019-03-15 10:19:25 +01:00
Javier Ramos
f7452e8379
Parse DNSNames from CSR into Lemur Certificate
2019-03-15 09:29:23 +01:00
alwaysjolley
157db684c3
Merge branch 'master' into lemur_vault_plugin
2019-03-14 11:09:01 -04:00
Curtis
c445297357
Update celery.py
2019-03-12 15:41:24 -07:00
Curtis
f38e5b0879
Update celery.py
2019-03-12 15:29:04 -07:00
Curtis
1a5a91ccc7
Update celery.py
2019-03-12 15:11:13 -07:00
Curtis
3b3faa66f4
Merge branch 'master' into skip_duplicate_tasks
2019-03-12 14:53:42 -07:00
Curtis Castrapel
d220e9326c
Skip a task if similar task already active
2019-03-12 14:45:43 -07:00
alwaysjolley
57d3f3d5a5
Merge branch 'master' into lemur_vault_plugin
2019-03-08 07:08:56 -05:00
alwaysjolley
f1c09a6f8f
fixed comments
2019-03-07 15:58:34 -05:00
Hossein Shafagh
93ce259fb2
Merge branch 'master' into verify-cert-chain
2019-03-07 12:46:19 -08:00
alwaysjolley
7b0a3cf781
Merge branch 'lemur_vault_plugin' of github.com:/alwaysjolley/lemur into lemur_vault_plugin
2019-03-07 15:42:40 -05:00
alwaysjolley
752c9a086b
fixing error handling and better data formating
2019-03-07 15:41:29 -05:00
Hossein Shafagh
92b60b279a
Merge branch 'master' into verify-cert-chain
2019-03-06 11:15:32 -08:00
Hossein Shafagh
43b1d6217a
Merge branch 'master' into allow-cert-deletion
2019-03-06 10:59:33 -08:00
Hossein Shafagh
98ece58342
Merge branch 'master' into lemur_vault_plugin
2019-03-06 10:59:03 -08:00
Hossein Shafagh
45cb0f0513
Merge branch 'master' into allow-cert-deletion
2019-03-06 09:35:10 -08:00
Kevin Glisson
cc6d53fdeb
Ensuring that configs passed via the command line are respected.
2019-03-05 15:39:37 -08:00
alwaysjolley
a1cb8ee266
fixing lint
2019-03-05 07:37:04 -05:00
alwaysjolley
880eaad6cb
Merge branch 'lemur_vault_plugin' of github.com:/alwaysjolley/lemur into lemur_vault_plugin
2019-03-05 07:22:18 -05:00
alwaysjolley
4a027797e0
fixing linting issues
2019-03-05 07:19:22 -05:00
Hossein Shafagh
54ad3ba777
Merge branch 'master' into verify-cert-chain
2019-03-04 17:55:36 -08:00
Hossein Shafagh
c9bcd29082
Merge branch 'master' into lemur_vault_plugin
2019-03-04 17:55:00 -08:00
Curtis Castrapel
dd2900bdbc
Relax search;update requirements
2019-03-04 10:04:06 -08:00
Marti Raudsepp
10cec063c2
Check that stored certificate chain matches certificate
...
Similar to how the private key is checked.
2019-03-04 17:10:59 +02:00
alwaysjolley
20518bc377
Merge branch 'master' into lemur_vault_plugin
2019-03-01 09:58:43 -05:00
alwaysjolley
5d2f603c84
renamed vault destination plugin to avoid conflict with vault pki plugin
2019-03-01 09:49:52 -05:00
Ronald Moesbergen
63de8047ce
Return 'already deleted' instead of 'not found' when cert has already been deleted
2019-02-27 09:38:25 +01:00
Ronald Moesbergen
a9735e129c
Merge branch 'master' into allow-cert-deletion
2019-02-27 09:28:48 +01:00
Hossein Shafagh
658c58e4b6
clarifying comments
2019-02-26 17:04:43 -08:00
Hossein Shafagh
9dbae39604
updating cryptography API call, to create right signing algorithm object.
2019-02-26 16:42:26 -08:00
Hossein Shafagh
16a18cc4b7
adding more edge test cases for EC-certs
2019-02-26 16:42:26 -08:00
Hossein Shafagh
aec7c7b0bc
Merge branch 'master' into fixing-signature-verify-ecc
2019-02-26 09:28:48 -08:00
alwaysjolley
53301728fa
Moved url to config file instead of plugin option. One one url can be supported
...
unless both the token and url are moved to the plugin options.
2019-02-26 09:15:12 -05:00
Hossein Shafagh
40fac02d8b
the check_cert_signature() method was attempting to compare RSA and ECC signatures.
...
If a ec public-key certificate is signed with an RSA key, then it can't be a self-signed certificate, in which case we just raise InvalidSignature.
2019-02-25 19:05:54 -08:00
alwaysjolley
cd65a36437
- support multiple bundle configuration, nginx, apache, cert only
...
- update vault destination to support multi cert under one object
- added san list as key value
- read and update object with new keys, keeping other keys, allowing
us to keep an iterable list of keys in an object for deploying multiple
certs to a single node
2019-02-25 09:42:07 -05:00
Ronald Moesbergen
ef0c08dfd9
Fix: when no alias is entered when exporting a certificate, the alias is set to 'blah'.
...
This fix sets it to the common name instead.
2019-02-21 16:33:43 +01:00
alwaysjolley
eaa73998a0
adding lemur_vault destination plugin
2019-02-19 15:03:15 -05:00
Ronald Moesbergen
29bda6c00d
Fix typo's
2019-02-14 11:58:29 +01:00
Ronald Moesbergen
8abf95063c
Implement a ALLOW_CERT_DELETION option (boolean, default False). When enabled, the certificate delete API call will work and the UI
...
will no longer display deleted certificates. When disabled (the default), the delete API call will not work (405 method not allowed)
and the UI will show all certificates, regardless of the 'deleted' flag.
2019-02-14 11:57:27 +01:00
Hossein Shafagh
e034771e36
Merge branch 'master' into special-issuer-for-selfsigned-certs
2019-02-11 12:04:33 -08:00
Hossein Shafagh
605663704b
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst
2019-02-05 12:41:33 -08:00
Hossein Shafagh
e139b92b24
Merge branch 'master' into hshafagh-src-dst-register
2019-02-05 12:41:26 -08:00
Hossein Shafagh
6d1ef933c4
creating a new celery task to sync sources with destinations. This is as a measure to make sure important new destinations are also present as sources.
2019-02-05 10:48:52 -08:00
Hossein Shafagh
2107d58050
Merge branch 'master' into get_by_attributes
2019-02-05 10:31:35 -08:00
Hossein Shafagh
8d261b4120
Merge branch 'master' into special-issuer-for-selfsigned-certs
2019-02-05 10:29:20 -08:00
Marti Raudsepp
51248c1938
Use special issuer values <selfsigned> and <unknown> in special cases
...
This way it's easy to find/distinguish selfsigned certificates stored in
Lemur.
2019-02-05 16:56:09 +02:00
Hossein Shafagh
1d2771b014
Merge branch 'master' into get_by_attributes
2019-02-04 21:07:09 -08:00
Hossein Shafagh
f249a82d71
renaming destination to source.
2019-02-04 16:10:48 -08:00
Hossein Shafagh
44a060b159
adding support for creating a source while creating a new dst, while the destination is from AWS
2019-02-04 15:36:39 -08:00
sirferl
c1cf8d7a92
Merge branch 'master' into ADCS-plugin
2019-02-02 19:21:22 +01:00
Hossein Shafagh
45fbaf159a
Merge branch 'master' into master
2019-02-01 16:50:09 -08:00
Hossein Shafagh
8e93d007be
Merge branch 'master' into get_by_attributes
2019-02-01 16:48:50 -08:00
Hossein Shafagh
6705a0e030
Merge branch 'master' into ADCS-plugin
2019-02-01 16:38:39 -08:00
sirferl
36ab1c0bec
Merge branch 'master' into ADCS-plugin
2019-02-01 19:10:46 +01:00
Marti Raudsepp
e24a94d798
Enforce that PEM strings (certs, keys, CSR) are internally passed as str, not bytes
...
This was already true in most places but not 100%, leading to lots of redundant checks and conversions.
2019-01-30 18:11:24 +02:00
Curtis
e475d90e2e
Merge branch 'master' into master
2019-01-30 07:20:44 -08:00
Hossein Shafagh
e5ddf08f48
Merge branch 'master' into master
2019-01-29 16:37:29 -08:00
Hossein Shafagh
7f4f4ffded
Merge branch 'master' into master
2019-01-29 16:30:15 -08:00
Hossein Shafagh
48ad20faca
moving the 2 year validity issue to the Verisign plugin, and address it there
2019-01-29 16:17:08 -08:00
Curtis
1e708bf1c7
Merge branch 'master' into password_noninteractive
2019-01-29 15:21:34 -08:00
Curtis Castrapel
d2317acfc5
allowing create_user with noninteractive PW;updating reqs
2019-01-29 15:17:40 -08:00
Curtis
29638c7f3b
Merge branch 'master' into master
2019-01-29 14:59:55 -08:00
Curtis
93021a5d89
Merge branch 'master' into expose-cert-distinguished-name
2019-01-29 14:56:31 -08:00
alwaysjolley
c68a9cf80a
fixing linting issues
2019-01-29 11:10:56 -05:00
alwaysjolley
254a3079f2
fix whitespace
2019-01-29 11:01:55 -05:00
alwaysjolley
b4d1b80e04
Adding support for cfssl auth mode signing
2019-01-29 10:13:44 -05:00
sirferl
c77ccdf46e
Merge branch 'master' into ADCS-plugin
2019-01-28 17:57:46 +01:00
Hossein Shafagh
c47fa0f9a2
adjusting the tests to reflect on the new full year convert limit!
2019-01-24 17:52:22 -08:00
Hossein Shafagh
a9724e7383
Resolving the 2 years error from UI during cert creation:
...
Though a CA would accept two year validity, we were getting error for being beyond 2 years.
This is because our current conversion is just current date plus 2 years,
1/25/2019 + 2 years ==> 1/25/2019
This is more strictly seen two years and 1 day extra, violating the 2 year's limit.
2019-01-24 17:23:40 -08:00
Marti Raudsepp
4b893ab5b4
Expose full certificate RFC 4514 Distinguished Name string
...
Using rfc4514_string() method added in cryptography version 2.5.
2019-01-23 10:03:40 +02:00
Ronald Moesbergen
4c4fbf3e48
Implement certificates delete API call by marking a cert as 'deleted' in the database. Only certificates that have expired can be deleted.
2019-01-21 10:25:28 +01:00
Ronald Moesbergen
cb35f19d6c
Add 'delete_cert' to enum log_type in logs table
2019-01-21 10:22:03 +01:00
Curtis Castrapel
0336d68ee2
Merge remote-tracking branch 'upstream/master'
2019-01-17 14:56:12 -08:00
Curtis Castrapel
7f88c24e83
Fix LetsEncrypt Dyn flow for duplicate CN/SAN
2019-01-17 14:56:04 -08:00
Hossein Shafagh
d3284a4006
adjusting the query to filter authorities based on matching CN
2019-01-14 17:52:06 -08:00
Curtis Castrapel
3567a768d5
Compare certificate hashes to determine if Lemur already has a synced certificate
2019-01-14 13:35:55 -08:00
Curtis Castrapel
31a86687e7
Reduce the expense of joins
2019-01-14 09:20:02 -08:00
Curtis Castrapel
c4e6e7c59b
Optimize DB cert filtering
2019-01-14 08:02:27 -08:00
Curtis
638a8450a3
Merge branch 'master' into more_retries
2019-01-11 11:25:00 -08:00
Curtis Castrapel
0e02e6da79
Be more forgiving to throttling
2019-01-11 11:13:43 -08:00
sirferl
a1ca61d813
changed a too long comment
2019-01-09 09:50:26 +01:00
sirferl
a43476bc87
minor errors after lint fix
2019-01-07 11:04:27 +01:00
sirferl
054685fc38
Merge branch 'master' into ADCS-plugin
2019-01-07 10:23:18 +01:00
sirferl
c62bcd1456
repaired several lint errors
2019-01-07 10:02:37 +01:00
Marti Raudsepp
542e953919
Check that stored private keys match certificates
...
This is done in two places:
* Certificate import validator -- throws validation errors.
* Certificate model constructor -- to ensure integrity of Lemur's data
even when issuer plugins or other code paths have bugs.
2018-12-31 16:28:20 +02:00
Curtis
6a31856d0d
Update plugin.py
2018-12-21 12:33:47 -08:00
Curtis
b5d6abb01f
Merge branch 'master' into kubernetes-improvment
2018-12-21 12:06:09 -08:00
Curtis
b7332957e7
Merge branch 'master' into unicode-in-issuer-name
2018-12-21 07:59:20 -08:00
Curtis
70381c4c89
Merge branch 'master' into kubernetes-fix
2018-12-21 07:44:11 -08:00
Curtis
a14fe08a63
Merge branch 'master' into kubernetes-improvment
2018-12-21 07:42:13 -08:00
Curtis
fb7605e34b
Merge branch 'master' into unicode-in-issuer-name
2018-12-21 07:41:08 -08:00
Marti Raudsepp
72f6fdb17d
Properly handle Unicode in issuer name sanitization
...
If the point of sanitization is to get rid of all non-alphanumeric
characters then Unicode characters should probably be forbidden too.
We can re-use the same sanitization function as used for cert 'name'
2018-12-21 16:34:12 +02:00
Marti Raudsepp
0f2e30cdae
Deduplicate rows before notification associations unique constraint migration
2018-12-21 12:11:33 +02:00
sirferl
f02178c154
added ADCS issuer and source plugin
2018-12-20 11:54:47 +01:00
Wesley Hartford
fbf48316b1
Minor changes for code review suggestions.
2018-12-18 22:43:32 -05:00
Wesley Hartford
073d05ae21
Merge branch 'kubernetes-fix' into kubernetes-improvment
2018-12-18 22:26:03 -05:00
Wesley Hartford
e7313da03e
Minor changes for code review suggestions.
2018-12-18 22:24:48 -05:00
Curtis
425a07e988
Merge branch 'master' into destination-tpl-fix
2018-12-18 12:27:35 -08:00
Curtis
513e876e2e
Merge branch 'master' into master
2018-12-18 12:18:38 -08:00
Wesley Hartford
bc621c1468
Improve the Kubernetes Destination plugin
...
The plugin now supports loading details from local files rather than requiring them to be entered through the UI. This is especially relaent when Lemur is deployed on Kubernetes as the certificate, token, and current namespace will be injected into the pod. The location these details are injected are the defaults if no configuration details are supplied.
The plugin now supports deploying the secret in three different formats:
* Full - matches the formate used by the plugin prior to these changes.
* TLS - creates a secret of type kubernetes.io/tls and includes the certificate chain and private key, this format is used by many kubernetes features.
* Certificate - creates a secret containing only the certificate chain, suitable for use as trust authority where private keys should _NOT_ be deployed.
The deployed secret can now have a name set through the configuration options; the setting allows the insertion of the placeholder '{common_name}' which will be replaced by the certificate's common name value.
Debug level logging has been added.
2018-12-12 13:25:36 -08:00
sirferl
a50d80992c
updated query to ignore empty parameters
2018-12-12 12:45:48 +01:00
Wesley Hartford
060c78fd91
Fix Kubernetes Destination Plugin
...
The Kubernetes plugin was broken. There were two major issues:
* The server certificate was entered in a string input making it impossible (as far as I know) to enter a valid PEM certificate.
* The base64 encoding calls were passing strings where bytes were expected.
The fix to the first issue depends on #2218 and a change in the options structure. I've also included some improved input validation and logging.
2018-12-10 15:33:04 -08:00
Wesley Hartford
437d918cf7
Fix textarea and validation on destination page
...
The destination configuration page did not previously support a textarea input as was supported on most other pages. The validation of string inputs was not being performed. This commit addresses both of those issues and corrects the validation expressions for the AWS and S3 destination plugins so that they continue to function. The SFTP destination plugin does not have any string validation. The Kubernetes plugin does not work at all as far as I can tell; there will be another PR in the coming days to address that.
2018-12-10 12:04:16 -08:00
Ronald Moesbergen
dcf5ce0eec
Merge branch 'master' into master
2018-12-07 13:57:59 +01:00
Curtis Castrapel
c32e20b6fc
Fix notifications - Ensure that notifcation e-mails are sent appropriately
2018-12-06 12:25:43 -08:00
Ronald Moesbergen
e0ac749734
When parsing SAN's, ignore unknown san_types, because in some cases they can contain unparsable/serializable values, resulting in a TypeError(repr(o) + " is not JSON serializable")
2018-12-06 16:47:53 +01:00
Curtis Castrapel
2a235fb0e2
Prefer DNS provider with longest matching zone
2018-11-30 12:44:52 -08:00
Curtis Castrapel
a90154e0ae
LetsEncrypt Celery Flow
2018-11-29 09:29:05 -08:00
Curtis Castrapel
39b76d18dc
add countdown to async call
2018-11-28 14:41:56 -08:00
Curtis Castrapel
e074a14ee9
unit test
2018-11-28 14:27:03 -08:00
Curtis Castrapel
2381d0a4bb
Add async call to create pending cert when needed
2018-11-28 11:32:52 -08:00
Ronald Moesbergen
da10913045
Only search nested group memberships when LDAP_IS_ACTIVE_DIRECTORY is True
2018-11-20 10:37:36 +01:00
Ronald Moesbergen
61839f4aca
Add support for nested group membership in ldap authenticator
2018-11-19 13:42:42 +01:00
Curtis Castrapel
3ce8abe46e
Left outer join on domains tables to avoid missing results
2018-11-13 14:33:17 -08:00
Curtis Castrapel
92a771f5ed
More accurate db count functionality
2018-11-13 09:14:21 -08:00
Curtis
29be647911
Merge branch 'master' into no_csr_reissue
2018-11-12 09:54:47 -08:00
Curtis Castrapel
a7a05e26bc
Do not re-use CSR during certificate reissuance; Update requirement; Add more logging to celery handler
2018-11-12 09:52:11 -08:00
Curtis Castrapel
6f0005c78e
Avoid colliding LetsEncrypt jobs
2018-11-09 10:31:27 -08:00
Curtis Castrapel
1643650685
Changing essential part of query
2018-11-07 16:02:04 -08:00
Curtis Castrapel
08a2a2b0e5
Optimize certificate filtering by name
2018-11-07 15:34:25 -08:00
Curtis Castrapel
a3f96b96ee
Add fixture to failing function
2018-11-05 15:16:09 -08:00
Curtis Castrapel
75183ef2f2
Unpin most dependencies, and fix moto
2018-11-05 14:37:52 -08:00
Curtis Castrapel
61738dde9e
Run query on DB
2018-11-05 13:15:53 -08:00
Curtis Castrapel
52e773230d
Add new gin index to optimize ILIKE queries
2018-11-05 10:29:11 -08:00
Curtis Castrapel
0277e4dc05
get_or_increase_name fix for pendingcertificates
2018-10-29 13:53:30 -07:00
Curtis Castrapel
50761d9d3b
safer reissue, fix celery sync job
2018-10-29 13:22:50 -07:00
Curtis Castrapel
56ed416cb7
Celery task for sync job
2018-10-29 09:10:43 -07:00
Curtis
a8b357965e
Merge branch 'master' into get_by_attributes
2018-10-29 08:15:42 -07:00
Curtis
2138930102
Merge branch 'master' into get_by_attributes
2018-10-24 07:20:46 -07:00
James Chuong
75069cd52a
Add CSR to certificiates
...
Add csr column to certificates field, as pending certificates have
exposed the CSR already. This is required as generating CSR from
existing certificate is will not include SANs due to OpenSSL bug:
https://github.com/openssl/openssl/issues/6481
Change-Id: I9ea86c4f87067ee6d791d77dc1cce8f469cb2a22
2018-10-23 17:46:04 -07:00
Curtis Castrapel
b709eed3c3
Only resolve pending cert if not attempted in last 5 min
2018-10-23 13:08:43 -07:00
Curtis Castrapel
054cc64ee8
Prevent dashes from appearing at end of cert name in AWS
2018-10-23 12:49:58 -07:00
Curtis Castrapel
73ed5164cd
deps
2018-10-22 14:51:13 -07:00
Curtis
b058508478
Merge branch 'master' into get_by_attributes
2018-10-22 09:09:55 -07:00
Curtis Castrapel
e83699b6ae
Add unique constraint to sources table - label column
2018-10-19 15:34:34 -07:00
Non Sequitur
81d114092e
Merge branch 'github' into get_by_attributes
2018-10-17 12:00:36 -04:00
Non Sequitur
48017a9d4c
Added get_by_attributes to the certificates service, for fetching certs based on arbitrary attributes. Also associated test and extra tests for other service methods
2018-10-17 11:42:09 -04:00
Curtis Castrapel
a912c3488d
python fix to retrigger tests
2018-10-12 07:25:58 -07:00
Curtis Castrapel
89a077e54c
minor change to pass stuck github check
2018-10-12 07:14:31 -07:00
Curtis Castrapel
13ef965666
nit: comments
2018-10-12 05:56:14 -07:00
Curtis Castrapel
6073f9e7b6
datetime ref fix
2018-10-12 05:51:30 -07:00
Curtis Castrapel
4b3d458dba
Celery task to delete old pending certs
2018-10-12 05:47:16 -07:00
Curtis Castrapel
cc18a68c00
Lemur LetsEncrypt Polling Support
2018-10-11 22:01:05 -07:00
Curtis Castrapel
e91d8ec81b
add indexes to domains and certificates tables to optimize load time
2018-10-11 11:36:50 -07:00
Non Sequitur
79033f42b4
Merge branch 'master' into improved_verify
2018-10-02 09:19:24 -04:00
Non Sequitur
40f4444099
Flake8 fix in test_verify.py
2018-10-01 22:04:31 -04:00
Curtis Castrapel
56282845fa
Enable optional verisign cloud transparency configuration
2018-10-01 09:20:50 -07:00
Non Sequitur
50919d85a8
Merge remote-tracking branch 'upstream/master' into improved_verify
2018-09-27 11:19:06 -04:00
Mike Culbertson
590fac4aa8
docstring update in verify.py
2018-09-27 10:11:13 -04:00
Mike Culbertson
f19b6382bc
Updated verify tests
2018-09-27 10:10:04 -04:00
Mike Culbertson
11f2210894
Merge branch 'improved_verify' of github.com:explody/lemur into improved_verify
2018-09-27 09:28:45 -04:00
Mike Culbertson
652d7f65dd
flake8 tweak
2018-09-27 09:28:21 -04:00
Curtis Castrapel
563f0fb9b2
Celery refactoring, celery beat job in configuration
2018-09-17 10:52:12 -07:00
Curtis Castrapel
23382b2777
Celery integration
2018-09-13 10:35:54 -07:00
Curtis
c09d8ae630
Merge branch 'master' into fix_import_v1
2018-09-10 10:35:31 -07:00
Curtis Castrapel
7d42e4ce67
Fix certificate import issues
2018-09-10 10:34:47 -07:00
Curtis Castrapel
f6a130b09d
Add more logging to messaging
2018-09-10 09:13:31 -07:00
Curtis
c9836fbf25
Merge branch 'master' into improved_verify
2018-09-06 07:33:55 -07:00
Gus Esquivel
82e69db0c5
fix error message typo
2018-09-04 10:21:34 -05:00
Mike Culbertson
2815ddf6c8
Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods.
2018-08-31 13:34:55 -04:00
Mike Culbertson
34c88494b8
More specific exception catch for cert parsing. line shortening.
2018-08-31 12:19:55 -04:00
Mike Culbertson
7dbca821c3
Reducing the stacked exceptions plus a bit of pep8
2018-08-31 12:01:49 -04:00
Curtis Castrapel
d82a615e17
Validate config - fix for issue#1629
2018-08-28 09:15:28 -07:00
Curtis Castrapel
453bb43157
recommit https://github.com/Netflix/lemur/pull/1612
2018-08-27 09:50:02 -07:00
Curtis
1b77dfa47a
Revert "Precommit - Fix linty things"
2018-08-22 13:21:35 -07:00
Curtis Castrapel
3e9726d9db
Precommit work
2018-08-22 10:38:09 -07:00
Curtis Castrapel
6abf274680
Allow case insensitive role matching for cert permissions
2018-08-20 08:55:04 -07:00
Curtis Castrapel
9f64f0523b
Increase timeouts
2018-08-17 15:36:56 -07:00
Curtis Castrapel
43ae6c39e3
wait right here
2018-08-17 12:14:02 -07:00
Curtis Castrapel
7f9a035802
Fix private key bytecode issue
2018-08-17 10:59:01 -07:00
Curtis Castrapel
a6b1f33208
Ensure owner names are lowercase for new / updated certificates
2018-08-17 10:41:55 -07:00
Curtis Castrapel
1ad61b1550
allow null validity periods
2018-08-17 07:57:55 -07:00
Curtis Castrapel
be9d683e46
fix merge
2018-08-16 10:15:48 -07:00
Curtis Castrapel
da99bcda68
Better zone handling
2018-08-16 10:12:19 -07:00
Curtis Castrapel
2c22c9c2f1
Allow proper detection of zones, fix certificate detection
2018-08-14 14:37:45 -07:00
Curtis Castrapel
1a5abe6550
fix lint
2018-08-13 15:11:57 -07:00
Curtis Castrapel
cc836433fb
formatting
2018-08-13 15:06:16 -07:00
Curtis Castrapel
5829794d82
typo fix
2018-08-13 14:25:54 -07:00
Curtis Castrapel
bb026b8b59
Allow LetsEncrypt renewals and requesting certificates without specifying DNS provider
2018-08-13 14:22:59 -07:00
Curtis
ab37189022
Merge branch 'master' into unittests-use-valid-certs
2018-08-07 09:42:39 -07:00
Curtis
cf71f88680
Merge branch 'master' into fill-missing-rotation-policy
2018-08-07 08:23:29 -07:00
Curtis
f9a7b97839
Merge branch 'master' into unittests-use-valid-certs
2018-08-07 07:45:45 -07:00
Cyril Dangerville
2869042f38
Fixed invalid JSON payloads (making API requests fail in particular) ( #1522 )
2018-08-03 15:26:48 -07:00
Marti Raudsepp
82158aece6
Fill in missing cert rotation_policy; don't ignore validation errors when re-issuing certs
...
CertificateInputSchema requires the rotation_policy field, but
certificates created before the field existed have set to NULL. Thus
saving such certificates failed and probably caused other errors.
Made cert re-issuing (get_certificate_primitives) more strict so such
errors are harder to miss in the future.
2018-08-03 20:06:21 +03:00
Marti Raudsepp
1f0f432327
Fix unit tests certificates to have correct chains and private keys
...
In preparation for certificate integrity-checking: invalid certificate
chains and mismatching private keys will no longer be allowed anywhere
in Lemur code.
The test vector certs were generated using the Lemur "cryptography"
authority plugin.
* Certificates are now more similar to real-world usage: long serial
numbers, etc.
* Private key is included for all certs, so it's easy to re-generate
anything if needed.
2018-08-03 19:45:13 +03:00
Marti Raudsepp
acd2701fa2
Delete dead code in unit tests ( #1510 )
2018-08-03 08:21:55 -07:00
Curtis
025d177565
Merge branch 'master' into letsencrypt_account_support
2018-07-30 15:28:29 -07:00
Curtis Castrapel
44192d4494
remove debug print
2018-07-30 15:27:23 -07:00
Curtis Castrapel
0889076d3b
Support LetsEncrypt accounts
2018-07-30 15:25:02 -07:00
Mike Grima
d6b482755b
Proper flask_restful boolean parsing.
...
This is documented here: https://github.com/flask-restful/flask-restful/issues/488
2018-07-30 13:49:41 -07:00
Curtis Castrapel
caf99d36d6
fix deletion
2018-07-27 15:52:22 -07:00
Curtis Castrapel
e16c1de001
Error logging
2018-07-27 14:17:50 -07:00
Curtis Castrapel
2a6dda07eb
Show and send error for pending certs
2018-07-27 14:15:14 -07:00
Curtis Castrapel
9b29f9f819
Adding pessimistic sqlalchemy disconnection handling
2018-07-23 10:57:22 -07:00
Curtis Castrapel
2f51fea743
no bare except
2018-07-20 13:43:47 -07:00
Curtis Castrapel
c78077d8d6
Explicit capture exception during create failure
2018-07-20 13:43:47 -07:00
Steven Reiling
bd9203fcbc
Adds an optional interval variable to notification service's
...
create_default_expiration_notifications and introduces a new optional
configuration variable, LEMUR_SECURITY_TEAM_EMAIL_INTERVALS, to allow admins
control over the centralized email notification defaults.
2018-07-20 13:43:47 -07:00
Marti Raudsepp
d071d85486
Clean up module imports
...
Example:
* import lemur.common.utils -> from lemur.common import utils
* import sqlalchemy.types as types -> from sqlalchemy import types
2018-07-20 13:43:47 -07:00
Marti Raudsepp
04ee1656ee
Cache parsed certificate instead of re-parsing for each field
...
Use @cached_property decorator to cache the results of parse_certificate().
This significantly cuts down on the number of times certs need to be
parsed for a list view.
2018-07-20 13:43:47 -07:00
root
56372c55b4
initial commit
2018-07-20 13:43:47 -07:00
Marti Raudsepp
149caa5602
Clean up module imports
...
Example:
* import lemur.common.utils -> from lemur.common import utils
* import sqlalchemy.types as types -> from sqlalchemy import types
2018-07-12 11:21:18 -07:00
Marti Raudsepp
b472e5e648
Cache parsed certificate instead of re-parsing for each field
...
Use @cached_property decorator to cache the results of parse_certificate().
This significantly cuts down on the number of times certs need to be
parsed for a list view.
2018-07-12 11:21:18 -07:00
Marti Raudsepp
64132ba92b
Expose certificate dateCreated via API
2018-07-12 11:21:18 -07:00
Curtis Castrapel
9ef356f59d
reformat code (noop)
2018-07-12 11:21:17 -07:00
Curtis Castrapel
3397fb6560
R53: Extend only TXT records
2018-06-20 10:33:35 -07:00
Curtis Castrapel
3efc709e03
tests
2018-06-19 21:16:35 -07:00
Curtis Castrapel
dda7f54a16
lint
2018-06-19 20:58:00 -07:00
Curtis Castrapel
2d33d3e2b8
lint
2018-06-19 20:35:00 -07:00
Curtis
d50c9c7748
Merge branch 'master' into acme_validation_dns_provider_option
2018-06-19 16:45:25 -07:00
Curtis Castrapel
a141b8c5ea
Support concurrent issuance in Route53 for LetsEncrypt
2018-06-19 16:27:58 -07:00
Curtis
b2bc431823
Merge branch 'master' into dyn2
2018-06-14 08:06:31 -07:00
Curtis Castrapel
4e72cb96c9
Graceful cancellation of pending cert and order details in log for acme failure
2018-06-14 08:02:34 -07:00
Dmitry Zykov
b99aad743b
remove linuxdst plugin
2018-06-13 15:15:09 -07:00
Curtis Castrapel
135f2b710c
Limit dns queries to 10 attempts
2018-06-13 15:14:48 -07:00
Curtis Castrapel
065e0edc5f
lint
2018-06-13 14:22:45 -07:00
Curtis Castrapel
d72792ff37
Fix unique dyn situation where zone does not match tld, and there's a deeper zone
2018-06-13 14:08:39 -07:00
Curtis
038f5dc554
Merge branch 'master' into linuxdst
2018-06-12 07:40:40 -07:00
Curtis Castrapel
7f5d1a0b6b
sync error
2018-06-11 15:40:15 -07:00
Curtis Castrapel
92860cffca
Default configuration for DNS providers
2018-06-11 13:32:53 -07:00
Curtis
80e3331596
Merge branch 'master' into master
2018-05-30 08:24:00 -07:00
kevgliss
2a3af5214e
Merge branch 'master' into linuxdst
2018-05-29 18:54:37 -07:00
James Chuong
4911d713a5
Fix import metrics in notifications/messaging.py ( #1254 )
...
`from lemur import metrics` is incorrect for notifications/messaging.py
because that is importing the `metrics` module rather than the
instanciated `lemur.extensions.metrics` object. This will cause errors
if you import notifications/messaging.py elsewhere, since it can cause
circular dependencies.
Change-Id: Ice28c480373601420fc83bae2d27bb6467cdb752
2018-05-29 18:54:16 -07:00
Curtis Castrapel
5e24f685c1
lint error
2018-05-29 10:46:24 -07:00
Curtis Castrapel
97d3621705
convert description to TEXT column
2018-05-29 10:23:01 -07:00
Curtis Castrapel
544a02ca3f
Addressing comments. Updating copyrights. Added function to determine authorative name server
2018-05-29 10:23:01 -07:00
Curtis
ae26e44cc2
Merge branch 'master' into master
2018-05-25 11:09:23 -07:00
Curtis Castrapel
b0f9d33b32
Requirements update
2018-05-25 11:07:26 -07:00
Curtis Castrapel
5e3add0b81
docstring
2018-05-24 15:21:38 -07:00
Curtis Castrapel
9fc6c9aaf7
Sort and page
2018-05-24 12:55:52 -07:00
James Chuong
a47b6c330d
Use serial_number instead of serial ( #1251 )
...
* Add code coverage badge to README
* fixing docs (#1231 )
* Change cert.serial to serial_number
This fixes deprecation warning coming from cryptography package about
using cert.serial instead of serial_number.
Change-Id: I252820974c77cc1b80639920a5e8c2e874819dda
2018-05-23 16:04:30 -07:00
Curtis Castrapel
de52fa7f48
fix v1 backwards compatibility
2018-05-16 08:00:33 -07:00
Curtis Castrapel
680f4966a1
acme v2 support
2018-05-16 07:46:37 -07:00
Curtis Castrapel
a9b9b27a0b
fix tests
2018-05-10 12:58:04 -07:00
Curtis Castrapel
52e7ff9919
Allow specification of dns provider name only
2018-05-10 12:58:04 -07:00
Curtis
f4a010e505
Merge branch 'master' into master
2018-05-09 07:52:07 -07:00
Curtis Castrapel
0bd14488bb
Update requirements, handle more lemur_acme exceptions, and remove take a tour button
2018-05-08 15:35:03 -07:00
Curtis Castrapel
6500559f8e
Fix issue with automatically renewing acme certificates
2018-05-08 14:54:10 -07:00
Curtis
642dbd4098
Merge branch 'master' into linuxdst
2018-05-08 12:09:05 -07:00
Curtis Castrapel
a8187d15c6
quick lint
2018-05-08 11:04:25 -07:00
Curtis Castrapel
df5168765b
more tests
2018-05-08 11:03:17 -07:00
kevgliss
c26ae16060
fixing docs ( #1231 )
2018-05-08 10:58:48 -07:00
Curtis Castrapel
9ccb8fb838
Alembic simplification
2018-05-07 15:14:32 -07:00
Curtis Castrapel
e68b3d2cbd
0.7 release
2018-05-07 09:58:24 -07:00
Curtis Castrapel
1be3f8368f
dyn support
2018-05-04 15:01:01 -07:00
Curtis Castrapel
3e64dd4653
Additional work
2018-05-04 15:01:01 -07:00
Curtis
74ca13861c
Merge branch 'master' into master
2018-04-27 11:19:23 -07:00
Curtis Castrapel
532872b3c6
dns_provider ui
2018-04-27 11:18:51 -07:00
Zach Seils
0579b2935c
Print variable value instead of name ( #1227 )
...
* Print variable value instead of name
* Fixed ordering and variable name for stdout string
2018-04-26 09:39:42 -07:00
Curtis
c5cb01bd33
Merge branch 'master' into master
2018-04-26 09:16:31 -07:00
Curtis Castrapel
efd5836e43
fix test
2018-04-26 09:04:13 -07:00
Curtis Castrapel
f0f2092fb4
Some unit tests
2018-04-25 11:19:34 -07:00
kevgliss
e09b7eb978
Selectively enable CORS. ( #1220 )
2018-04-24 17:10:38 -07:00
Zach Seils
3e5db9eedb
Check for default rotation policy before updating db ( #1223 )
2018-04-24 16:55:26 -07:00
Zach Seils
91500d1022
Minor comment & stdout corrections ( #1225 )
2018-04-24 16:53:51 -07:00
Curtis Castrapel
38b8df4a07
lint
2018-04-24 09:48:14 -07:00
Curtis Castrapel
7704f51441
Working acme flow. Pending DNS providers UI
2018-04-24 09:38:57 -07:00
Curtis
81e349e07d
Merge branch 'master' into hackday
2018-04-23 10:11:49 -07:00
Curtis Castrapel
44e3b33aaa
More stuff. Will prioritize this more next week
2018-04-20 14:49:54 -07:00
Curtis Castrapel
fbce1ef7c7
temp digicert fix
2018-04-13 15:50:55 -07:00
Curtis Castrapel
309d10c4e2
stuff
2018-04-13 15:50:55 -07:00
Curtis Castrapel
4d05a09a20
fix_changes
2018-04-13 15:50:55 -07:00
Curtis Castrapel
3538f1a629
fix_errors
2018-04-13 15:50:55 -07:00
Curtis Castrapel
993958c356
up-reqs
2018-04-13 15:50:55 -07:00
Curtis Castrapel
2d6d2357b5
DNS Providers list returned
2018-04-13 15:50:55 -07:00
Curtis Castrapel
a66d85b63d
clean up a bit
2018-04-13 15:50:55 -07:00
Curtis Castrapel
b0bd0435c4
more stuff
2018-04-13 15:50:54 -07:00
Curtis Castrapel
b2e6938815
WIP: Add support for Acme/LetsEncrypt with DNS Provider integration
2018-04-13 15:50:54 -07:00
Curtis Castrapel
5dd03098e5
actually update deps
2018-04-13 15:50:53 -07:00
Curtis Castrapel
c03133622f
Correct validities
2018-04-13 15:18:17 -07:00
Curtis Castrapel
8303cfbd2b
Fix datetime
2018-04-13 14:53:45 -07:00
Curtis
3ef550f738
Merge branch 'master' into hackday
2018-04-12 12:49:52 -07:00
Curtis Castrapel
f6fd262618
DNS Providers list returned
2018-04-11 15:56:00 -07:00
Curtis Castrapel
5125990c4c
clean up a bit
2018-04-11 07:48:04 -07:00
Will Bengtson
52cb145333
ecc: add the support for ECC ( #1191 )
...
* ecc: add the support for ECC
update generate_private_key to support ECC. Move key types to constant. Update UI for the new key types
* ecc: Remove extra line to fix linting
* ecc: Fix flake8 lint problems
* Update options.tpl.html
2018-04-10 16:54:17 -07:00
Curtis Castrapel
5beb319b27
more stuff
2018-04-10 16:04:07 -07:00
kevgliss
12622d5847
Adding metrics for request timings. ( #1190 )
2018-04-10 15:55:02 -07:00
Mihir Jham
a9baaf4da4
add(plugins): Added a statsd plugin for lemur ( #1189 )
2018-04-10 15:15:03 -07:00
Curtis Castrapel
f61098b874
WIP: Add support for Acme/LetsEncrypt with DNS Provider integration
2018-04-10 14:28:53 -07:00
Will Bengtson
8ca4f730e8
lemur_digicert: Do not truncate valid_to anymore ( #1187 )
...
* lemur_digicert: Do not truncate valid_to anymore
The valid_to field for Digicert supports YYYY-MM-DDTHH:MM:SSZ so we should stop truncating
* lemur_digicert: Update unit tests for valid_to
2018-04-10 13:23:09 -07:00
Marti Raudsepp
8e2b2123f1
Fix filtering on boolean columns, broken with SQLAlchemy 1.2 upgrade
...
SQLAlchemy 1.2 does not allow comparing string values to boolean
columns. This caused errors like:
sqlalchemy.exc.StatementError: (builtins.TypeError) Not a boolean value: 'true'
For more details see http://docs.sqlalchemy.org/en/latest/changelog/migration_12.html#boolean-datatype-now-enforces-strict-true-false-none-values
2018-04-09 18:59:23 +03:00
Dmitry Zykov
28614b5793
remove linuxdst plugin
2018-04-04 14:49:25 +03:00
Dmitry Zykov
4a0103a88d
SFTP destination plugin ( #1170 )
...
* add sftp destination plugin
2018-04-03 10:30:19 -07:00
Curtis
259800ce35
Merge branch 'master' into issue_1089
2018-03-29 08:48:52 -07:00
Curtis Castrapel
b814a4f009
Remove get_pending_certificates from verisign issuer
2018-03-28 08:56:28 -07:00
Curtis Castrapel
c3a2781507
Allow quotes for exact match
2018-03-28 08:33:43 -07:00
iTitou
a316cbba73
[add] Docs and default config for metric plugins ( #1148 )
2018-03-27 15:51:32 -07:00
Curtis Castrapel
844202f36b
check if user active properly
2018-03-26 13:14:22 -07:00
kevgliss
c51fed5307
allowing null basic contraints ( #1131 )
2018-03-23 11:38:47 -07:00
kevgliss
db746f1296
Adds support for CDLDistributionPoints. ( #1130 )
2018-03-23 08:51:18 -07:00
Curtis Castrapel
e15836e9ca
Update more dependencies. Remove hashes
2018-03-21 14:48:51 -07:00
Curtis Castrapel
d67542d7f5
actually update deps
2018-03-21 12:46:30 -07:00
Curtis Castrapel
4087f1c03b
Update auth keys, change python version to satisfy tests
2018-03-21 11:57:19 -07:00
iTitou
bbacb7e210
[fix] No internal server error when trying to Google Auth an unregistered user ( #1109 )
2018-03-21 11:57:19 -07:00
cjwaian
19cf8f6bdd
Remove non-ASCII character ( #1104 )
2018-03-21 11:57:19 -07:00
Curtis Castrapel
74a516cde0
nt
2018-03-16 14:15:03 -07:00
Curtis Castrapel
58da68d72f
Revert "Requirements and Elasticsearch logging configuration"
...
This reverts commit c08d3dd82f
2018-03-16 14:10:12 -07:00
Curtis Castrapel
c7ca3949f6
info level, and new variable name
2018-03-16 11:55:53 -07:00
Curtis Castrapel
bbf5e95186
fix unusued import
2018-03-16 10:07:47 -07:00
Curtis
462e757f92
Merge branch 'master' into requirements_logging
2018-03-16 08:51:25 -07:00
Curtis Castrapel
c08d3dd82f
Requirements and Elasticsearch logging configuration
2018-03-16 08:36:10 -07:00
Curtis Castrapel
18c64fafe4
address comment
2018-02-27 12:34:18 -08:00
Curtis Castrapel
77a1600c13
Fix cloned notifications
2018-02-27 10:57:43 -08:00
Curtis Castrapel
5fe28f6503
Description modification
2018-02-26 12:37:31 -08:00
Curtis Castrapel
1f641c0ba6
Description modification
2018-02-26 12:36:40 -08:00
Curtis Castrapel
cca3797669
comments on alembic changes. resolve invalid usage of log_service.create
2018-02-26 12:08:31 -08:00
Curtis Castrapel
a28fdac242
fix pending cert db changes
2018-02-26 09:43:08 -08:00
Curtis
7032abf2e7
Merge branch 'master' into unq-const
2018-02-26 08:03:31 -08:00
Curtis Castrapel
9e8fa5827d
unq constraint
2018-02-24 23:15:39 -08:00
Harm Weites
5d18838868
Use Cloudflare as DNS provider for LE certs ( #945 )
...
* Use Cloudflare as DNS provider for LE certs
* Better handle dns_provider plugins
2018-02-22 08:17:28 -08:00
James Chuong
2578970f7d
Async Certificate Issuing using Pending Certificates ( #1037 )
...
* Add PendingCertificate model
This change creates a DB table called pending_certificates and
associated mapping relationship tables from pending certificate to
roles, rotation policy, destination, sources, etc.
The table is generated on initialization of Lemur. A pending
certificate holds most of the information of a Certificate, while it has
not be issued so that it can later backfill the information when the CA
has issued the certificate.
Change-Id: I277c16b776a71fe5edaf0fa0e76bbedc88924db0
Tickets: PBL-36499
* Create a PendingCertificate if cert is empty
IssuePlugins should return empty cert bodies if the request failed to
complete immediately (such as Digicert). This way, we can immediately
return the certificate, or if not just place into PendingCertificates
for later processing.
+ Fix relation from Certificate to Pending Certificate, as view only.
There is no real need for anything more than that since Pending cert
only needs to know the cert to replace when it is issued later.
+ Made PendingCertificate private key be empty: UI does not allow
private key on 'Create' but only on 'Import'. For Instart, we require
the private key but upstream does not necessarily need it. Thus, if
someone at Instart wants to create a CSR / key combo, they should
manually issue the cert themselves and import later. Otherwise you
should let Lemur generate that. This keeps the workflow transparent for
upstream Lemur users.
Change-Id: Ib74722a5ed5792d4b10ca702659422739c95ae26
Tickets: PBL-36343
* Fix empty private_key when create Pending Cert
On creation of a certificate with a CSR, there is no option for private
key. In this case, we actually have a dictionary with private_key as
key, but the value is None. This fixes the strip() called on NoneType.
Change-Id: I7b265564d8095bfc83d9d4cd14ae13fea3c03199
Tickets: PBL-36499
* Source sync finds and uses pending certificate
When a source syncs certificates, it will check for a pending
certificate. If that is found via external_id (given by digicert as
order_id) then it will use the found Pending Certificate's fields to
create a new certificate. Then the pending certificate is deleted.
Tickets: PBL-36343
Change-Id: I4f7959da29275ebc47a3996741f7e98d3e2d29d9
* Add Lemur static files and views for pending certs
This adds the basic static files to view pending certificates in a
table.
Tickets: PBL-36343
Change-Id: Ia4362e6664ec730d05d280c5ef5c815a6feda0d9
* Add CLI and plugin based pending fetch
This change uses the adds a new function to issuer plugins to fetch
certificates like source, but for one order. This way, we can control
which pending certificates to try and populate instead of getting all
certificates from source.
Tickets: PBL-36343
Change-Id: Ifc1747ccdc2cba09a81f298b31ddddebfee1b1d6
* Revert source using Pending Certificate
Tickets: PBL-36343
Change-Id: I05121bc951e0530d804070afdb9c9e09baa0bc51
* Fix PendingCertificate init getting authority id
Should get authority id from authority.id instead of the authority_id
key in kwargs.
Change-Id: Ie56df1a5fb0ab2729e91050f3ad1a831853e0623
Tickets: n/a
* Add fixtures and basic test for PendingCertificate
Change-Id: I4cca34105544d40dac1cc50a87bba93d8af9ab34
Tickets: PBL-36343
* Add User to create_certificate parameters
create_certificate now takes a User, which will be used to populate the
'creator' field in certificates.service.upload(). This allows the UI
populate with the current user if the owner does not exist in Lemur.
+ Fix chain being replaced with version from pending certificate, which
may be empty (depends on plugin implementation).
Change-Id: I516027b36bc643c4978b9c4890060569e03f3049
Tickets: n/a
* Fix permalink and filters to pending certs
Fixes the permalink button to get a single pending certificate
Add argument filter parsing for the pending certificate API
Fix comment on API usage
Added get_by_name for pending_certificate (currently unused, but useful
for CLI, instead of using IDs)
Change-Id: Iaa48909c45606bec65dfb193c13d6bd0e816f6db
Tickets: PBL-36910
* Update displayed fields for Pending Certificates
There are a number of unused / unpopulated fields from Certificate UI
that does apply to Pending Certificates. Those ones were removed, and
added other useful fields:
Owner, number of attempts to fetch and date created
Change-Id: I3010a715f0357ba149cf539a19fdb5974c5ce08b
Tickets: PBL-36910
* Add common name (cn) to Pending Certificate model
Fixes the UI missing the CN for Pending Certificate, as it was
originally being parsed from the generated certificate. In the case of
pending certificate, the CN from the user generates the request, which
means a pending cert can trust the original user putting in the CN
instead of having to parse the not-yet-generated certificate. There is
no real possibility to return a certificate from a pending certificate
where the CN has changed since it was initially ordered.
Change-Id: I88a4fa28116d5d8d293e58970d9777ce73fbb2ab
Tickets: PBL-36910
* Fix missing imports for service filter
+ Removed duplicate get_by_name function from old merge
Change-Id: I04ae6852533aa42988433338de74390e2868d69b
Tickets: PBL-36910
* Add private key viewing to Pending Certificates
Add private key API for Pending Certificates, with the same
authorization as Certificates (only owner, creator or owner-roles can
view private key).
Change-Id: Ie5175154a10fe0007cc0e9f35b80c0a01ed48d5b
Tickets: PBL-36910
* Add edit capability to pending certificates
Like editing certificates, we should be able to modify some parts of a
pending certificate so the resulting certificate has the right
references, owner, etc.
+ Added API to update pending certificate
+ Fix UI to use pending certificate scope instead of reusing Certificate
+ Change pending_certificate.replaces to non-passive association, so
that updates do affect it (similar to roles/notifications/etc)
Tickets: PBL-36910
Change-Id: Ibbcb166a33f0337e1b14f426472261222f790ce6
* Add common_name parsing instead using kwargs
To fix tests where common name may not be passed in, use the CSR
generated to find the official common name.
Change-Id: I09f9258fa92c2762d095798676ce210c5d7a3da4
Tickets: PBL-36343
* Add Cancel to pending certificates and plugins
This allows pending certificates to be cancelled, which will be handled
by the issuer plugin.
Change-Id: Ibd6b5627c3977e33aca7860690cfb7f677236ca9
Tickets: PBL-36910
* Add API for Cancelling Pending Certificate
Added the DELETE handler for pending_certificates, which will cancel and
delete the pending certificate from the pending certs table on
successful cancellation via Issuer Plugin.
+ Add UT for testing cancel API
Change-Id: I11b1d87872e4284f6e4f9c366a15da4ddba38bc4
Tickets: PBL-36910
* Remove Export from Pending Certificates
Pending Certificates doesn't need an export since it should just be
fetched by Lemur via plugins, and the CSR is viewable via the UI.
Change-Id: I9a3e65ea11ac5a85316f6428e7f526c3c09178ae
Tickets: PBL-36910
* Add cancel button functionality to UI
This adds the Cancel option to the dropdown of pending certificates.
+ Adds modal window for Note (may not be required for all issuers, just
Digicert)
+ Add schema for cancel input
+ Fix Digitcert plugin for non-existant orders
When an order is actually issued, then attempting to cancel will return
a 403 from Digicert. This is a case where it should only be done once
we know the pending cert has been sitting for too long.
Change-Id: I256c81ecd142dd51dcf8e38802d2c202829887b0
Tickets: PBL-36910
* Fix test_pending_cancel UT
This change creates and injects a pending cert, which will then be used
for the ID so it can be canceled by the unit test.
Change-Id: I686e7e0fafd68cdaeb26438fb8504d79de77c346
Tickets: PBL-36343
* Fix test_digicert on non-existent order
cancelling a non-existent order is fine since we're cancelling it
Change-Id: I70c0e82ba2f4b8723a7f65b113c19e6eeff7e68c
Tickets: PBL-36343
* Add migrations for PendingCertificates
Added revision for Pending Certificates table and foreign key mapping
tables.
Change-Id: Ife8202cef1e6b99db377851264639ba540b749db
Tickets: n/a
* Fix relationship copy from Pending to Certificate
When a Pending Certificate is changed to a full Certificate, the
relationship fields are not copied via vars() function, as it's not a
column but mapped via association table. This adds an explicit copy for
these relations. Which will properly copy them to the new Certificate,
and thus also update destinations.
Change-Id: I322032ce4a9e3e67773f7cf39ee4971054c92685
Tickets: PBL-36343
* Fix renaming of certificates and unit tests
The rename flag was not used to rename certificates on creation as
expected.
Fixed unit test, instead of expunging the session, just copy the
pending_certificate so we don't have a weird reference to the object
that can't be copied via vars() function.
Change-Id: I962943272ed92386ab6eab2af4ed6d074d4cffa0
Tickets: PBL-36343
* Updated developer docs for async certs
Added blurb for implementing new issuer functions.
Change-Id: I1caed6e914bcd73214eae2d241e4784e1b8a0c4c
Tickets: n/a
2018-02-22 08:13:16 -08:00
pincushionman
f44fe81573
fix for https://github.com/Netflix/lemur/issues/1045 ( #1056 )
2018-02-20 08:28:11 -08:00
Curtis
f262c93912
Option to suppress SSL errors ( #1044 )
2018-01-17 09:17:03 -08:00
