941df0366d
Fix roles display on user screen and fix removing user roles ( #879 )
2017-08-17 09:24:10 -07:00
7762d6ed52
Reworked sensitive domain name and restriction logic ( #878 )
...
* This is a fix for a potential security issue; the old code had edge
cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
be valid domain names.
2017-08-16 19:24:49 -07:00
cf805f530f
Prevent unintended access to sensitive fields (passwords, private keys) ( #876 )
...
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.
The filter() function allowed guessing the content of password hashes
one character at a time.
The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
2017-08-16 09:38:42 -07:00
f5e120ad2e
Update readme.txt ( #869 )
2017-08-04 12:42:27 -07:00
f5082e2d3a
Starting transition away from not_before and not_after. ( #854 )
2017-07-14 09:24:59 -07:00
61c493fc91
Adding additional failure conditions to sentry tracking. ( #853 )
...
* Adding additional failure conditions to sentry tracking.
* Removing sentry extension as a circular import.
2017-07-13 14:49:04 -07:00
6779e19ac9
Adding enum migration. ( #852 )
2017-07-13 13:12:53 -07:00
443eb43d1f
Adding the ability to specify a per-certificate rotation policy. ( #851 )
2017-07-12 16:46:11 -07:00
53113e5eeb
Add auditing for creating or updating a cert. ( #845 )
2017-07-04 06:39:16 -07:00
169dcb86e2
supporting the ability to push exceptions to sentry ( #843 )
2017-06-29 14:12:38 -07:00
e4f5224f42
set ses email content type to utf-8 instead of string ( #841 )
2017-06-28 09:44:19 -07:00
98907e66e9
Minor fixes to S3.put signature ( #840 )
2017-06-27 16:18:34 -07:00
c05343d58e
Adds the ability for destination plugins to be sub-classed from Expor… ( #839 )
...
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes #807 .
* fixing tests
2017-06-26 12:03:24 -07:00
541fbc9a6d
Use named kwargs rather than args when calling s3 put ( #830 )
2017-06-20 11:28:19 -07:00
35cc7ef8d7
Adding support for private DigiCert certificates ( #835 )
2017-06-14 09:20:24 -07:00
e77382864b
Fixing KeyError on error handling ( #834 )
2017-06-14 09:07:27 -07:00
d4d6d832b1
Fixing audit filtering and sorting. ( #827 )
2017-06-02 09:07:22 -07:00
9c92138f2d
Fixing autorotation failures. ( #825 )
...
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
2017-06-02 08:59:42 -07:00
5a4806bc43
Allowing description to be optional. ( #826 )
2017-06-01 17:09:04 -07:00
07969f7e10
Ensuring IPAddresses and IPNetworks are correctly serialized. ( #818 )
2017-05-26 10:48:26 -07:00
3141b47fba
Catch OAuth providers that want the params sent as data ( #800 )
2017-05-25 10:21:29 -07:00
21d48b32c9
Fixing an issue with uploading to cloudfront. ( #815 )
2017-05-25 10:10:12 -07:00
11bd42af82
Correct status code for basic-auth ( #813 )
...
* ensuring those using basic auth recieve a correct status code when their password is incorrect
* Fixing oauth status codes
2017-05-23 09:48:31 -07:00
f6b5012f56
Add Check of DB connections on healthcheck URL ( #812 )
2017-05-22 17:15:41 -07:00
f9b388c658
Modifying the was s3 uploading works. ( #810 )
...
* Modiying the was s3 uploading works.
* Fixing pep8
2017-05-20 12:07:44 -07:00
4093f4669a
Switching remaining uses of boto to boto3. ( #809 )
2017-05-20 11:09:55 -07:00
9594f2cd8d
Upgrading moto and fixing test that break due to deprecation. ( #808 )
...
* Upgrading moto and fixing test that break due to deprecation.
* Adding region.
2017-05-20 10:40:22 -07:00
380203eb53
Adding the ability to upload to cloudfront via the 'path' parameter. Cloudfront destinations must be created separately. ( #805 )
...
Closes #277
2017-05-18 13:49:17 -07:00
307a73c752
Fixing some confusion between 401 vs 403 error code. 401 indicates that the user should attempt to authenticate again. Where as 403 indicates the user is authenticated but not allowed to complete an action. ( #804 )
...
Closes #767
2017-05-18 13:20:17 -07:00
3050aca3e6
Minor fixes to the domains UI. ( #798 )
...
* Fixes checkbox input.
* Fixes notification message.
2017-05-15 19:14:12 -07:00
8c41c6785d
Fixes issue where domains without any associated certificates are not searchable. ( #797 )
2017-05-15 19:07:32 -07:00
092ce0f9d8
Closes #792 . ( #796 )
2017-05-15 19:07:16 -07:00
914de78576
Adds migration to fix keys on unique index. Closes #743 . ( #785 )
2017-05-10 12:13:42 -07:00
ecf00fe9d6
Splitting out the default date issuance logic for CIS and CC. CIS assumes years is converted to validity_end while CC prefers validity_years over validity_end. ( #784 )
2017-05-10 12:05:03 -07:00
c71b3a319d
Log the audit logs ( #781 )
2017-05-08 09:43:26 -07:00
767147aef1
Check for unknown as status is no longer represented as a boolean ( #780 )
2017-05-08 09:43:19 -07:00
ce5a45037a
Fix for status representation in the view ( #778 )
2017-05-05 11:04:40 -07:00
9c9ca37586
Enabling hex serial numbers without breaking backward compatibility. ( #779 )
...
* Enabling hex serial numbers without breaking backward compatibility.
* Fixing tests.
2017-05-05 11:04:09 -07:00
5c41dafc97
fix unit and interval transposition in schemas.py ( #752 ) ( #774 )
2017-04-30 12:23:34 -07:00
989e3733a2
Add docker setup for running tests on a docker enabled dev environment. ( #771 )
2017-04-28 09:28:06 -07:00
fbc24ea400
There is an issue when iterating over extensions where certificates might not have been issued in adherence with basic constraints. Here we log these errors instead of failing out right. ( #770 )
2017-04-27 17:45:34 -07:00
4905020e77
ensuring stdout has a default log level ( #766 )
2017-04-27 10:11:47 -07:00
75787d20bc
ensuring that lemur's default user has a valid email ( #765 )
2017-04-27 09:53:35 -07:00
ca9f120988
fixing some pep8 issues ( #764 )
2017-04-27 09:44:39 -07:00
e86954e8ea
Destination Plugin/Lemur_linuxdst ( #736 )
...
* Added lemur_linuxdst
* Revert "Added lemur_linuxdst"
This reverts commit 010c19bd1937320189ee5a0660f9e356221121f3.
* added plugin\lemur_linuxdst
Destination plugin for a target linux host
* Update remote_host.py
* Update plugin.py
* Update remote_host.py
* Update plugin.py
* Update plugin.py
* chaning var and funct names
* Write data with local temp
* .
* .
* typo
* tested plugin successfully
* Update plugin.py
* Update remote_host.py
* removed whitespace
* set permissions on exported keys to 600
sftp.chmod(dst_dir_cn + '/' + dst_file, (stat.S_IRUSR))
* Update plugin.py
* Update remote_host.py
* Update plugin.py
* added 'paramiko==2.1.2'
required for lemur_linuxdst plugin
* data stored in clear text at rest
* Update plugin.py
* Update plugin.py
* Update remote_host.py
2017-04-27 09:19:49 -07:00
604cd60dbe
Return correct intermediate certificate on digicert creation. ( #762 )
...
This commit also removes the unused DIGICERT_INTERMEDIATE env
var as it is not used.
2017-04-27 09:14:20 -07:00
05f4ae8e58
Hexify cert serial ( #763 )
...
* Hexify serial at the serialization layer
* Fix for flakey test. Change test to test for uppercased string
2017-04-27 09:13:04 -07:00
88ac783fd2
PEP8 Fixes ( #760 )
2017-04-25 09:23:18 -07:00
bc66ede9aa
Fixing Bandit findings and adding travis Bandit job ( #759 )
...
* Fixes for Bandit
This commit fixes a couple of issues so that Bandit can run
cleanly using medium+ severity and confidence filtering.
* Adding Lemur Bandit job to TravisCI
2017-04-24 18:37:03 -07:00
1c295896e6
Add test for when there are no notifications on a certificate ( #757 )
2017-04-24 09:04:49 -07:00
