Commit Graph

665 Commits

Author SHA1 Message Date
kevgliss
2f5f82d797 Ensures that in-active users are not allowed to login. (#618) 2016-12-19 22:58:57 -08:00
kevgliss
c7fdb2acd7 adding required variables (#611) 2016-12-18 18:21:22 -08:00
kevgliss
51c7216b70 Fixing configuration value. (#610)
* Fixing and configuration value.

* Pinning fake factory.
2016-12-18 18:21:12 -08:00
Marti Raudsepp
0f3ffaade0 Fall back to CN for CA name when organization is not available (#607)
In-house CAs may not have the organization field filled out.
2016-12-16 16:27:25 -08:00
kevgliss
156b98f7f0 Ensuring that rotation only happens for certificates with endpoints to rotate. (#606) 2016-12-15 15:20:21 -08:00
kevgliss
a09faac9a7 Endpoint sync fixes (#604) 2016-12-15 10:26:59 -08:00
kevgliss
d20c552248 Fixing issues with rotation. (#603)
* Fixing issues with rotation.

* Fixing tests
2016-12-14 17:30:13 -08:00
Marti Raudsepp
b327963925 Plugin base classes: update method signatures & fix raise (#598)
This way IDEs can verify method overrides in subclasses, otherwise these
are flagged as erroneous.

Changed base classes to properly raise NotImplementedError; previously
they would cause "TypeError: exceptions must derive from BaseException"

Also fixed exception handling in sources.service.clean().
2016-12-14 13:42:29 -08:00
Marti Raudsepp
1eb3d563c6 Fix error reporting for certs without private key (#599) 2016-12-14 13:25:56 -08:00
kevgliss
02991c70a9 Allow Lemur "start" to use the global config. (#596)
* allowing our runserver to use the config specified by -c

* Maintaining config for gunicorn
2016-12-14 13:23:50 -08:00
Marti Raudsepp
71ddbb409c Minor documentation fixes/tweaks (#597)
Mostly typos, grammar errors and inconsistent indentation in code
examples.

Some errors detected using Topy (https://github.com/intgr/topy), all
changes verified by hand.
2016-12-14 09:29:04 -08:00
kevgliss
565c9ae98d adding missing init (#587) 2016-12-13 09:21:31 -08:00
kevgliss
03d5a6cfe1 Refactors how notifications are generated. (#584) 2016-12-12 11:22:49 -08:00
kevgliss
1c3ac21291 Ensuring the digicert session is handled correctly (#579) 2016-12-11 08:38:59 -08:00
kevgliss
968dd52f6f Fixes (#576)
* Fixing email notification

* Adding endpoint expiration

* Fixing endpoint type for ELBs

* Allowing verisign to include additional SANs
2016-12-08 15:52:27 -08:00
kevgliss
a4b32b0d31 Fixing up notification testing (#575) 2016-12-08 11:33:40 -08:00
kevgliss
be1415fbd4 Ensuring new cli is available (#574) 2016-12-08 09:11:19 -08:00
kevgliss
b5901a1570 adding needed migration files (#573) 2016-12-07 17:31:59 -08:00
kevgliss
bdc6dc8683 Fixing a bug were extensions got a default value (#572) 2016-12-07 17:28:18 -08:00
kevgliss
5087fa67dc skipping a few tests that aren't ready yet (#571) 2016-12-07 16:52:00 -08:00
kevgliss
fc205713c8 Certificate rotation enhancements (#570) 2016-12-07 16:24:59 -08:00
kevgliss
9adc5ad59e Adding last updated time (#569) 2016-12-07 15:43:57 -08:00
kevgliss
f63ccd033d Ensuring that endpoints without output_schema work as expected (#568) 2016-12-07 15:40:29 -08:00
kevgliss
00da52f32e Ensuring that CSRs are correctly validated under python3 (#565) 2016-12-06 12:25:43 -08:00
kevgliss
e94cf6ddc9 Ensuring that certificates returned from digicert are in the proper format (#564) 2016-12-06 12:05:18 -08:00
kevgliss
81272a2f7a Moving validation to server start. (#563) 2016-12-05 16:43:38 -08:00
kevgliss
e622a49b72 Adding better error handling around certificate rotation (#562) 2016-12-05 15:12:55 -08:00
kevgliss
9030aed8a4 Ensuring that our syncing process can find duplicate certifcates that do no need to be sync'd (#560) 2016-12-05 11:08:29 -08:00
kevgliss
344abbda66 fixing signature (#556) 2016-12-02 13:48:50 -08:00
kevgliss
834814f867 adding additional status code metrics (#555) 2016-12-02 13:02:59 -08:00
kevgliss
7f823a04cd Ensuring that acme and cryptography respect different key types (#554) 2016-12-02 10:54:18 -08:00
kevgliss
0f5e925a1a Ensuring that default-issuer is set (#553) 2016-12-02 09:54:16 -08:00
kevgliss
a40bc65fd4 Default authority. (#549)
* Enabling the specification of a default authority, if no default is found then the first available authority is selected

* PEP8

* Skipping tests relying on keytool
2016-12-01 15:42:03 -08:00
kevgliss
81bf98c746 Enabling RSA2048 and RSA4096 as available key types (#551)
* Enabling RSA2048 and RSA4096 as available key types

* Fixing re-issuance
2016-12-01 15:41:53 -08:00
kevgliss
e1bbf9d80c Improving endpoint rotation logic (#545) 2016-11-30 15:11:17 -08:00
kevgliss
abb91fbb65 fixing a few minor issue with cloning (#544) 2016-11-30 10:54:53 -08:00
kevgliss
f9b16a2110 csr as string (#542) 2016-11-29 18:50:20 -08:00
kevgliss
588ac1d6a6 Digicert cis fixes (#540) 2016-11-29 17:15:39 -08:00
kevgliss
058d2938fb migrating off of openssl (#539) 2016-11-29 11:30:44 -08:00
kevgliss
3db3214cbe installing the digicert CIS plugin (#537) 2016-11-29 10:02:40 -08:00
kevgliss
bfc80f982c minor fixes and downgrading requests (#535) 2016-11-28 16:50:26 -08:00
kevgliss
727bc87ede Log fixes (#534)
* tying up some loose ends with event logging

* Ensuring creators can access
2016-11-28 14:13:16 -08:00
kevgliss
e2143d3ee8 tweaking the way data is returned (#532) 2016-11-28 12:29:03 -08:00
kevgliss
b46ff4158a Initial workon the digicert high issuance api. (#531) 2016-11-28 10:50:58 -08:00
kevgliss
250558baf3 Ensuring that authority owners can access certificates issued by that… (#526)
* Ensuring that authority owners can access certificates issued by that authority
2016-11-25 20:35:07 -08:00
kevgliss
8e5323e2d7 migrating flask imports (#525) 2016-11-22 21:11:20 -08:00
kevgliss
d5d036b412 adding a work around for new gunicorn (#523) 2016-11-22 16:47:29 -08:00
kevgliss
9d03e75d9b tweaking a few things to support the new marshmallow (#522) 2016-11-22 15:14:19 -08:00
kevgliss
06a3f3ea0d version bump (#520) 2016-11-21 15:29:31 -08:00
kevgliss
12ae0a587d teaking the way exceptions are handled (#519) 2016-11-21 15:26:17 -08:00
kevgliss
b3aa057d58 Upgrade deps. (#517) 2016-11-21 14:29:20 -08:00
kevgliss
dd6d332166 Removing python2 compatibility. (#518) 2016-11-21 14:03:04 -08:00
kevgliss
6eca2eb147 Re-working the way audit logs work.
* Adding more checks.
2016-11-21 11:28:11 -08:00
kevgliss
744e204817 Initial work on #74. (#514)
* Initial work on #74.

* Fixing tests.

* Adding migration script.

* Excluding migrations from coverage report.
2016-11-21 09:19:14 -08:00
kevgliss
d45e7d6b85 [WIP] - 422 elb rotate (#493)
* Initial work on certificate rotation.

* Adding ability to get additional certificate info.

* - Adding endpoint rotation.
- Removes the g requirement from all services to enable easier testing.
2016-11-18 11:27:46 -08:00
kevgliss
6fd47edbe3 Adds the ability to clone existing certificates. (#513) 2016-11-17 16:19:52 -08:00
kevgliss
a616310eb7 Fixing an issue were aws certificates plugins might not have a chain. (#512) 2016-11-17 14:47:10 -08:00
kevgliss
2130029f90 Adding new notification templates. (#511) 2016-11-17 14:16:59 -08:00
kevgliss
d11f254476 Closes: #469 (#510) 2016-11-17 12:16:30 -08:00
kevgliss
a9361fe428 Endpoints should be visible to all. (#508) 2016-11-17 10:45:26 -08:00
kevgliss
5345170a4f Ensuring that the passed in configuration has precedence over the environment config. (#507) 2016-11-17 09:31:37 -08:00
Sakti Dwi Cahyono
520404c215 fix string -> byte conversion on python2 (#472) 2016-11-16 16:03:38 -08:00
kevgliss
9ac1756011 removing new 'active' logic for the time being (#505) 2016-11-16 15:56:24 -08:00
kevgliss
851d74da3d Ensuring that private key is in string format before it gets stored (#504)
* Ensuring that private key is in string format before it gets stored

* Fixing failing test.
2016-11-16 15:05:25 -08:00
kevgliss
3f2691c5d4 Minor fixes. (#502) 2016-11-16 13:23:35 -08:00
kevgliss
eaf34b1c8b Disabling the protect active flag (#498) 2016-11-16 09:31:02 -08:00
kevgliss
e9219adfb5 Ensuring model's have a basic __repr__. (#499) 2016-11-16 09:30:54 -08:00
kevgliss
9eddaf66cb adding human readable string (#500) 2016-11-16 09:30:46 -08:00
kevgliss
0a29a3fa2a Adding release notes. (#459) 2016-11-15 16:44:40 -08:00
kevgliss
9bb0787410 Ensuring that duplicates are migrated correctly. (#496)
* Ensuring that duplicates are migrated correctly.

* fixing typo
2016-11-15 16:43:45 -08:00
JohnTheodore
dd14fd202d clean out ADMINS references (#495)
* add variables to the documentation forwq oauth2

* remove old reference to ADMINS to get rid of any confusion
2016-11-15 16:43:28 -08:00
kevgliss
114deba06e Adding the ability to silence notifications on creation. (#490) 2016-11-12 09:29:42 -08:00
kevgliss
0334f1094d fixing documentation typo (#489) 2016-11-11 13:35:24 -08:00
kevgliss
7af68c3cc0 Adding additional metric gathering for failed sync operations. (#488) 2016-11-11 13:28:01 -08:00
kevgliss
953d3a08e7 Adding example request to documentation. (#487) 2016-11-11 12:54:12 -08:00
kevgliss
94d619cfa6 Minor errors. (#484) 2016-11-10 14:34:45 -08:00
kevgliss
89470a0ce0 Adding default validity and retry logic. (#483) 2016-11-10 11:23:37 -08:00
kevgliss
e6b291d034 Time (#482)
* adding python 3.5 as a target

* adding env flag

* Aligning on arrow dates.
2016-11-09 10:56:22 -08:00
kevgliss
25a6c722b6 Adding digicert documentation. (#480) 2016-11-08 14:56:05 -08:00
kevgliss
67a5993926 fixing type in ciphers (#479) 2016-11-08 12:23:21 -08:00
kevgliss
aa979e31fd Digicert plugin (#478)
* Initial work on digicert plugin.

* Adding certificate pickup, to digicert plugin.

* Removing and rotating test api key.
2016-11-07 14:40:00 -08:00
kevgliss
b74df2b3e4 Minor changes for python3. (#477) 2016-11-07 14:33:07 -08:00
kevgliss
4afedaf537 Fixes (#476)
* Ensures that Vault can accept bytes and strings.

* Make restricted domains optional.

* Fixing notify flag.
2016-11-04 09:16:41 -07:00
Neil Schelly
2b79474060 Trying this to fix defaulting org to Netflix (#475) 2016-11-02 09:12:47 -07:00
kevgliss
a6360ebfe5 Adding pending certificate metric. (#473) 2016-11-01 14:24:45 -07:00
kevgliss
d99681904e Fixing test to take python3 into account. (#460)
* Fixing test to take python3 into account.
2016-10-31 17:02:08 -07:00
kevgliss
1ac1a44e83 San alt name (#468) 2016-10-31 11:00:15 -07:00
cviecco
490d5b6e6c python2.x .base64url_decode has a single parameter and incoming data is utf-8.. need to convert so string (#463) 2016-10-26 00:50:00 -07:00
Terin Stock
4b7fc8551c fix(web): send JSON for all errors (#464)
Configure werkzeug to output JSON error messages for the benefit of
downstream clients. This also allows for metrics collection in all cases
where werkzeug is outputting an exception.
2016-10-26 00:46:43 -07:00
Charles Hendrie
cd9c112218 Implement a CFSSL issuer plugin (#452)
* Implement CFSSL issuer plugin

Implement a Lemur plugin for generating certificates from the open
source certificate authority CFSSL
(https://github.com/cloudflare/cfssl). The plugin interacts with CFSSL
through the CFSSL REST API. The CFSSL configuration is defined in the
lemur.conf.py property file using property names prefixed with "CFSSL_".

* Update documentation to include CFSSL plugin
2016-10-22 00:52:18 -07:00
kevgliss
a8f44944b1 Closes #415 2016-10-17 23:23:14 -07:00
kevgliss
d31c9b19ce Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 03:56:13 -07:00
kevgliss
fb178866f4 Fixes an issue with the source tests failing. (#456) 2016-10-16 03:55:37 -07:00
kevgliss
f921b67fff Removing the ability to use spaces in custom names. (#455) 2016-10-15 04:56:25 -07:00
kevgliss
c367e4f73f Prevents the silencing of notifications that are actively deployed. (#454)
* Renaming 'active' to 'notify' as this is clearer and more aligned to what this value is actually controlling. 'active' is now a property that depends on whether any endpoints were found to be using the certificate. Also added logic for issue #405 disallowing for a certificates' notifications to be silenced when it is actively deployed on an endpoint.

* Adding migration script to alter 'active' column.
2016-10-15 00:12:11 -07:00
kevgliss
dcb18a57c4 Adds option to restrict certificate expiration dates to weekdays. (#453)
* Adding ability to restrict certificate creation to weekdays.

* Ensuring that we test for weekends.
2016-10-15 00:04:35 -07:00
Mike Grima
10d833e598 Added Symantec plugin error checking for invalid domain suffix (#449) 2016-10-13 15:23:56 -07:00
kevgliss
708d85abeb Fixes a bug where certificates discovered by lemur's source plugins were not given the appropriate default notifications. (#447) 2016-10-11 21:08:13 -07:00
kevgliss
ee028382df Show only roles that the user is a member of, in list view, for other views show all roles such that certificates and authorities can be shared across teams/groups. (#446) 2016-10-11 17:56:38 -07:00
kevgliss
c05a49f8c9 Fixes an issuer where a member of a role is not able to add new users to said role. (#445) 2016-10-11 17:24:15 -07:00
Charles Hendrie
f179e74a4a Fix Java export default password generator (#441)
When exporting a certificate, the password is an optional parameter.
When a password is not supplied by the caller, a default password is
generated by the method. The generation library creates the random
password as a bytes object. The bytes object raises an error in the
'keytool' command used to export the certificate. The keytool is
expecting the password to be a str object.

The fix is to decode the generated password from a bytes object to a str
object.

The associated Java plugin tests have been updated to verify the export
method returns the password as a str object. In addition, the tests have
been updated to correctly test the export methods response object. The
original tests treated the response as a single object. The current
export methods return a tuple of data (type, password, data).

In order to make the tests compatible with both Python2 and Python3, the
'six' library was used to test the password is in fact a string.
2016-10-10 22:43:23 -07:00
Charles Hendrie
9065aa3750 Update the private key regex validation (#435)
* Update the private key regex validation

Private keys provided by the Let's Encrypt certificate authority as part
of their certificate bundle fail the import/upload certificate private
key validation. The validation is looking for a specific character
sequence at the begin of the certificate. In order to support valid
Let's Encrypt private keys, the regex has been updated to check for both
the existing sequence and the Let's Encrypt character sequence.

Example Let's Encrypt private key:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvsiwV8A5+r0tQ
QzUAJO0DfoEb9tMWvoFi0DLs9tx88IwMqItPPl9+RNzQnv9qqZR1h4W97sxP8aWY
...
AeS667IJO/2DMKaGiEldaVZtgqdUhCL8Rm4XUFVb1GjLa03E4VRU6W7eQ4hgT2a7
cHDAR8MiovNyfT0fm8Xz3ac=
-----END PRIVATE KEY-----

* Add private key regex for footer

Update the import/upload private key validation regex to verify both the
header and footer are matching.
2016-10-10 22:42:09 -07:00
kevgliss
96e42c793e Refactors the default notification option. Also ensures that notifications and destinations are easier to test. (#437) 2016-10-09 00:06:53 -07:00
kevgliss
72a390c563 Ensure the openssl and cryptography work under python3. (#438) 2016-10-09 00:06:15 -07:00
kevgliss
a19c918c68 Closes #411 (#439) 2016-10-09 00:06:03 -07:00
Charles Hendrie
5cbf5365c5 Active S3 destination plugin (#433)
* Activate the AWS S3 destination plugin

Add the AWS S3 destination plugin to the list of available Lemur
plugins.

Update the S3 destination plugin's "accountNumber" option to be of type
'str' to handle account numbers starting with zeros.

Update Lemur's utils for parsing certificates to correctly encode the
X509 certificates before loading for python3.

* Add S3 destination plugin test

Added simple test to verify S3 destination plugin is available.
2016-10-08 17:06:20 -07:00
Charles Hendrie
3ad7a37f95 Fix import certificate private key encoding (#434)
When importing a certificate, the private key is passed to the
import/upload process from the UI as a str object. In Python3 this
raises two issues when processing the private key - the private key
validation fails and database insert of the certificate fails.

The fix in both cases is to correctly encode the private key as a bytes
object.
2016-10-08 17:04:54 -07:00
Mike Grima
6cac2838e3 Fix for missing profile pic. (#429) 2016-09-27 13:02:01 -07:00
Charles Hendrie
fbbf7f90f6 Fix test certificates module hanging issue (#427)
* Fix test certificates module hanging issue

When executing the lemur/tests/test_certificates.py module's tests, all
tests are executed, but the test process appears to hang and never
completes with the display of the results for the tests.

The hanging issue is traced to the two test methods:
test_import(logged_in_user) and test_upload(logged_in_user). The issue
has to do with the test methods' using the logged_in_user(app) fixture from
the conftest.py module as the method parameter.

The test methods at issue require the session, db, and app fixtures to
be initialized for the tests to complete successfully. The
logged_in_user() fixture only initializes the app fixture. Updating the
test_import() and test_upload() methods parameters to be the "session"
fixture fixes the hanging issue and the tests complete successfully.

This is the command being used to execute the tests...
$ py.test -s -v lemur/tests/test_certificates.py

* Update fix for test certificates hanging issue

Based on feedback from the original pull request for this fix, added the
session fixture to the logged_in_user fixture and reverted the
test_import() and test_upload() methods to use the logged_in_user
(instead of the session fixture).
2016-09-27 13:01:37 -07:00
Terin Stock
1ea75a5d2d fix(certificates): import re module (#428) 2016-09-21 22:54:46 -07:00
Terin Stock
39645a1a84 feat(certificates): add support for restricted domains (#424)
Lemur's documentation already mentions LEMUR_RESTRICTED_DOMAINS, a list
of regular expressions matching domains only administrators can issue
certificates for. An option to mark domains as sensitive existed in the
API, however the configuration option was not implemented.

Now both ways of sensitivity are checked in the same place.
2016-09-12 16:59:14 -07:00
kevgliss
a60e372c5a Ensuring that password hashes are compared correctly under python3 2016-09-07 13:25:51 -07:00
kevgliss
76cece7b90 Ensuring that private keys are retrieved correctly under python3. (#422) 2016-09-07 12:34:50 -07:00
kevgliss
ca2944d566 Ensuring the inactive certificates are not alerted on. (#418) 2016-08-29 15:46:35 -07:00
kevgliss
53d0636574 Python3 (#417)
* Fixing tests.

* Fixing issue where decrypted credentials were not returning valid strings.

* Fixing issues with python3 authentication.
2016-08-29 08:58:53 -07:00
kevgliss
7e6278684c Python3 (#416)
* Fixing issue where decrypted credentials were not returning valid strings.
2016-08-26 16:02:23 -07:00
kevgliss
2d7a6ccf3c Owner email (#414)
* Ensuring python2 works with unicode strings.

* adding in owner DN

* fixing tests

* Upgrading requests.

* Fixing tests.
2016-08-25 10:09:46 -07:00
kevgliss
18b99c0de4 Fixing an issue where openssl can't find the certificates to create PKCS12 files (#408) 2016-08-17 10:33:59 -07:00
kevgliss
29a330b1f4 Orphaned certificates (#406)
* Fixing whitespace.

* Fixing syncing.

* Fixing tests
2016-07-28 13:08:24 -07:00
kevgliss
a644f45625 Adding some simplified reporting. (#403)
* Adding issuance report.

* Fixing whitespace.
2016-07-27 12:41:32 -07:00
kevgliss
3db669b24d Ensuring that the temporary certificate is created correctly (#400) 2016-07-12 18:07:11 -07:00
kevgliss
f38868a97f Fixing various problems with the syncing of endpoints, throttling sta… (#398)
* Fixing various problems with the syncing of endpoints, throttling stale endpoints etc.
2016-07-12 08:40:49 -07:00
kevgliss
4f3dc5422c Allowing the role-user associated to be updated. (#396)
* Allowing the role-user associated to be updated.

* Fixing tests

* Fixing tests, for real.
2016-07-07 13:03:10 -07:00
kevgliss
1ba7181067 Fixed an issue were default notifications were added even when updati… (#395)
* Fixed an issue were default notifications were added even when updating a certificate, resulting in duplicate notifications.

* Ensuring imported certificates get the same treatment.
2016-07-07 11:44:11 -07:00
kevgliss
74bf54cb8f Slack spruce up (#394)
* Formatting slack message.

* Tweaking tests.
2016-07-06 10:27:13 -07:00
kevgliss
d4732d3ab0 Closes #335. (#392) 2016-07-04 16:08:16 -07:00
kevgliss
cb9631b122 Closes #356. (#391) 2016-07-04 15:38:51 -07:00
kevgliss
4077893d08 Ensuring that destinations require private keys by default. (#390)
* Ensuring that destinations require private keys by default.
2016-07-04 15:30:20 -07:00
kevgliss
4ee1c21144 Closes #372 (#389)
* Closes #372
2016-07-04 14:32:46 -07:00
kevgliss
c8eca56690 Closes #366 (#387) 2016-07-04 13:03:46 -07:00
kevgliss
300e2d0b7d Adding plugin tests. (#385)
* Adding plugin tests.

* Fixing some python 2/3 incompatibilities.
2016-07-01 11:32:19 -07:00
kevgliss
e34de921b6 Target Individuals for Certificates (#384)
* Allowing individual users to be targeted for a role.

* Ensuring that even new users get a per user-role
2016-07-01 09:04:39 -07:00
kevgliss
9aec899bfd Fixing a few errors.
* Fixing organizational_unit and common name

* FIxing organization name and allow creaters to view CA.
2016-06-29 16:16:37 -07:00
kevgliss
54b888bb08 Adding a toy certificate authority. (#378) 2016-06-29 09:05:39 -07:00
kevgliss
eefff8497a Adding a new default issuer. 2016-06-28 17:46:26 -07:00
kevgliss
ecbab64c35 Adding endpoint migration script. (#376) 2016-06-28 16:12:56 -07:00
kevgliss
c8447dea3d Fixing a few issues with startup. (#374) 2016-06-28 14:28:05 -07:00
kevgliss
5021e8ba91 Adding ACME Support (#178) 2016-06-27 15:57:53 -07:00
kevgliss
f846d78778 S3 destination (#371) 2016-06-27 15:11:46 -07:00
kevgliss
fe9703dd94 Closes #284 (#336) 2016-06-27 14:40:46 -07:00
mik373
b44a7c73d8 Kubernetes desination plugin (#357)
* Kubernetes desination plugin

* fixing build warnings

* fixing build warnings
2016-06-27 14:40:01 -07:00
kevgliss
19b928d663 Fixes #367 2016-06-23 13:29:59 -07:00
kevgliss
daea8f6ae4 Bug fixes (#355)
* we should not require password to update users

* Fixing an issue were roles would not be added.
2016-06-13 17:22:45 -07:00
Roi Martin
41d1fe9191 Using UTC time in JWT token creation (#354)
As stated in PyJWT's documentation [1] and JWT specification [2][3], UTC
times must be used. This commit fixes JWT decoding in servers not using
UTC time.

[1] https://pypi.python.org/pypi/PyJWT/1.4.0
[2] https://tools.ietf.org/html/rfc7519#section-4.1.6
[3] https://tools.ietf.org/html/rfc7519#section-2
2016-06-13 11:18:07 -07:00
Mike Grima
9a653403ae Fix for Issue #352. 2016-06-08 16:41:31 -07:00
kevgliss
77f13c9edb Fixing issue were, after a user changes their mind validity years wil… (#349) 2016-06-06 12:11:40 -07:00
kevgliss
d9cc4980e8 Fixing destination upload. (#347)
* Fixing an issue where uploaded certificates would have a name of 'None'

* Clarifying comment.

* Improving order.
2016-06-03 18:45:58 -07:00
kevgliss
5e987fa8b6 Adding additional data migrations. (#346) 2016-06-03 17:56:32 -07:00
kevgliss
42001be9ec Fixing the way filters were toggled. (#345) 2016-06-03 09:24:17 -07:00
kevgliss
dc198fec8c Docs (#344)
* Adding release info.

* adding some fields

* Adding Source Plugin change.

* Updating docs
2016-06-03 08:28:09 -07:00
kevgliss
acd47d5ec9 Fixing an issue were authorities were not related to their roles (#342) 2016-06-02 09:07:17 -07:00
kevgliss
72e3fb5bfe Fixing several small issues. (#341)
* Fixing several small issues.

* Fixing tests.
2016-06-01 11:18:00 -07:00
kevgliss
b2539b843b Fixing and error causing duplicate roles to be created. (#339)
* Fixing and error causing duplicate roles to be created.

* Fixing python3

* Fixing python2 and python3
2016-05-31 15:44:54 -07:00
kevgliss
be5dff8472 Adding a visualization for authorities. (#338)
* Adding a visualization for authorities.

* Fixing some lint.

* Fixing some lint.
2016-05-30 21:52:34 -07:00
kevgliss
76037e8b3a Fixing certificate names. (#337) 2016-05-27 12:00:10 -07:00
kevgliss
11f4bd503b Fixes (#332)
* Ensuring domains are returned correctly.

* Ensuring certificates receive owner role
2016-05-24 17:10:19 -07:00
kevgliss
6688b279e7 Fixing some bad renaming. (#331) 2016-05-24 10:43:40 -07:00
kevgliss
1ca38015bc Fixes (#329)
* Modifying the way roles are assigned.

* Adding migration scripts.

* Adding endpoints field for future use.

* Fixing dropdowns.
2016-05-23 18:38:04 -07:00
kevgliss
656269ff17 Closes #147 (#328)
* Closes #147

* Fixing tests

* Ensuring we can validate max dates.
2016-05-23 11:28:25 -07:00
kevgliss
bd727b825d Making roles more apparent for certificates and authorities. (#327) 2016-05-20 12:48:12 -07:00
kevgliss
e04c1e7dc9 Fixing a few things, adding tests. (#326) 2016-05-20 09:03:34 -07:00
kevgliss
615df76dd5 Closes 262 (#324)
Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities.
2016-05-19 13:37:05 -07:00
kevgliss
112c6252d6 Adding password reset command to the cli. (#325) 2016-05-19 10:07:15 -07:00
kevgliss
b13370bf0d Making dropdowns look a bit better. (#322)
* Making dropdowns look a bit better.

* Pleasing Lint.
2016-05-19 09:04:50 -07:00
kevgliss
88aa5d3fdb Making nested notifications less verbose (#321) 2016-05-19 08:48:55 -07:00
kevgliss
b187d8f836 Adding a better comparison. (#320) 2016-05-16 19:03:10 -07:00
kevgliss
1763a1a717 254 duplication certificate name (#319) 2016-05-16 15:59:40 -07:00
kevgliss
62b61ed980 Fixing various issues. (#318)
* Fixing various issues.

* Fixing tests
2016-05-16 11:09:50 -07:00
kevgliss
c11034b9bc Fixes various issues. (#317) 2016-05-16 09:23:48 -07:00
kevgliss
58e8fe0bd0 Fixes various issues. (#316) 2016-05-13 14:35:38 -07:00
kevgliss
a0c8765588 Various bug fixes. (#314) 2016-05-12 12:38:44 -07:00
kevgliss
9022059dc6 Marshmallowing roles (#313) 2016-05-10 14:22:22 -07:00
kevgliss
7f790be1e4 Marsmallowing users (#312) 2016-05-10 14:19:24 -07:00
kevgliss
93791c999d Marsmallowing destinations (#311) 2016-05-10 13:43:26 -07:00
kevgliss
5e9f1437ad Marsmallowing sources (#310) 2016-05-10 13:16:33 -07:00
kevgliss
f9655213b3 Marshmallowing notifications. (#308) 2016-05-10 11:27:57 -07:00
kevgliss
008d608ec4 Fixing error in notifications. (#307) 2016-05-09 17:35:18 -07:00
kevgliss
78c8d12ad8 Cleaning up the way authorities are selected and upgrading uib dependencies. 2016-05-09 17:17:00 -07:00
kevgliss
df0ad4d875 Authorities marshmallow addition (#303) 2016-05-09 11:00:16 -07:00
Harm Weites
776e0fcd11 Slack plugin for notifications (#305) 2016-05-08 09:07:16 -07:00
kevgliss
6ec3bad49a Closes #278 (#298)
* Closes #278
2016-05-05 15:28:17 -07:00
kevgliss
52f44c3ea6 Closes #278 and #199, Starting transition to marshmallow (#299)
* Closes #278  and #199, Starting transition to marshmallow
2016-05-05 12:52:08 -07:00
kevgliss
db8243b4b4 Closes #301 2016-05-04 16:56:05 -07:00
kevgliss
8e1b7c0036 Removing validation because regex is hard 2016-04-25 16:13:33 -07:00
kevgliss
9b0e0fa9c2 removing validtion from openssl 2016-04-25 16:11:37 -07:00
kevgliss
b9fe359d23 Fixes #285 Renames sync_sources function to sync to align documentation. 2016-04-25 11:21:25 -07:00
kevgliss
dbd1279226 Fixes #289 and #275 2016-04-21 16:22:19 -07:00
kevgliss
82b4f5125d Fixes an issue where custom OIDs would clear out san extensions 2016-04-11 11:17:18 -07:00
kevgliss
3f89d6d009 Merge pull request #271 from kevgliss/195
Closes #195
2016-04-08 12:01:10 -07:00
kevgliss
c2387dc120 Fixes an issue where custom OIDs would clear out san extensions 2016-04-07 10:29:08 -07:00
kevgliss
dbc4964e94 Fixing an issue were metrics would not be sent 2016-04-05 10:23:33 -07:00
kevgliss
62d03b0d41 Closes #216 2016-04-01 16:54:33 -07:00
kevgliss
b5a4b293a9 Merge pull request #270 from kevgliss/248
Closes #248
2016-04-01 14:28:52 -07:00
kevgliss
bfcfdb83a7 Closes #195 2016-04-01 14:27:57 -07:00
kevgliss
4ccbfa8164 Closes #248 2016-04-01 13:29:08 -07:00
kevgliss
2cde7336dc Closes #263 2016-04-01 13:01:56 -07:00
kevgliss
3ceb297276 Merge pull request #267 from kevgliss/261
Closes #261
2016-04-01 10:12:10 -07:00
kevgliss
5958bac2a2 Merge pull request #265 from kevgliss/257
Closes #257
2016-04-01 10:11:32 -07:00
kevgliss
47891d2953 Closes #261 2016-04-01 09:58:19 -07:00
kevgliss
939194158a Closes #257 2016-04-01 09:49:44 -07:00
kevgliss
576265e09c Closes #246 2016-04-01 09:19:36 -07:00
Mike Grima
ba666ddbfa Removed deprecated auth api endpoint. 2016-02-16 15:04:53 -08:00
kevgliss
ac1f493338 version bump 2016-02-05 13:12:21 -08:00
kevgliss
e8e7bdf9e0 adding changelog 2016-02-05 13:00:59 -08:00
kevgliss
028d86c0bb Adding a new flag to export plugins 'requires_key' that specifies whether the export plugin needs access to the private key. Defaults to True. 2016-01-29 12:45:18 -08:00
kevgliss
f8b6830013 Merge pull request #239 from kevgliss/228-filter-values
Fixing documentation for filter format
2016-01-29 11:54:13 -08:00
kevgliss
2ba48995fe Fixing documentation for filter format 2016-01-29 11:47:16 -08:00
kevgliss
3cc8ade6d8 associating new authorities with the owner roles 2016-01-29 10:59:04 -08:00
kevgliss
39c9a0a299 Merge pull request #237 from kevgliss/218_password_regex
relaxing keystore password validation
2016-01-29 10:37:49 -08:00
kevgliss
3ad317fb6d Merge pull request #236 from kevgliss/migration_script_fixups
Removing per 2.0 migration scripts
2016-01-29 10:30:41 -08:00
kevgliss
bd46440d12 relaxing keystore password validation 2016-01-29 10:29:04 -08:00
kevgliss
9f8f64b9ec removing pre 2.0 migration scripts, and adding documentation for correct path during init 2016-01-29 09:22:12 -08:00
kevgliss
1e524a49c0 making 'replacements' a non-require attribute for importing. Closes #226 2016-01-29 09:02:51 -08:00
Edward Barker
b36e72bfcc Minor spelling fix
Using the possessive “Your” rather than “You’re” in “Your passphrase
is:”
2016-01-12 22:04:42 -08:00
kevgliss
48f8b33d7d Adding a rolling metric count 2016-01-11 15:26:32 -08:00
kevgliss
d87ace8c89 Merge pull request #211 from kevgliss/hotfix
fixing an issue were urllib does not like unicode
2016-01-11 10:38:45 -08:00
kevgliss
b1326d4145 fixing an issue were urllib does not like unicode 2016-01-11 10:31:58 -08:00
kevgliss
7c2862c958 Merge pull request #210 from kevgliss/hotfix
Fixes an assumption that 'subAltNames' are always passed to the API.
2016-01-11 09:08:38 -08:00
kevgliss
0a4f5ad64d Fixing an assumption that 'subAltNames' are always passed to the API. 2016-01-10 17:33:19 -08:00
kevgliss
c617a11c55 Merge pull request #209 from kevgliss/migrate_chain
Adding command to transparently rotate the chain on an ELB
2016-01-10 14:37:29 -08:00
kevgliss
053167965a Adding command to transparently rotate the chain on an ELB 2016-01-10 14:20:36 -08:00
kevgliss
a7ac45b937 Merge pull request #206 from kevgliss/syncing
Fixing issue where we were seeing AWS API errors due to certificates …
2016-01-08 16:39:51 -08:00
kevgliss
5482bbf4bd Fixing issue where we were seeing AWS API errors due to certificates not having private keys and could not be uploaded or 'synced' 2016-01-07 13:42:46 -08:00
Robert Picard
a1395a5808 Fix how the provider settings are passed to Satellizer 2016-01-05 17:26:09 -08:00
kevgliss
685e2c8b6d fixing typo 2016-01-05 09:40:53 -08:00
kevgliss
967c7ded8d Improving documentation layout 2015-12-31 11:12:56 -08:00
kevgliss
d6917155e8 Fixing tests 2015-12-30 15:32:01 -08:00
kevgliss
3f024c1ef4 Adds ability for domains to be marked as sensitive and only be allowed to be issued by an admin closes #5 2015-12-30 15:11:08 -08:00
kevgliss
9b166fb9a9 version bump 2015-12-30 09:15:11 -08:00
kevgliss
ca82b227b9 0.2.1 release info 2015-12-30 09:11:19 -08:00
Matthias Hähnel
8bb9a8c5d1 Define ACTIVE_PROVIDERS in default config
The configuration item ACTIVE_PROVIDERS must be initialized

Workaround for this error:
2015-12-30 13:58:48,073 ERROR: Internal Error [in /www/lemur/local/lib/python2.7/site-packages/flask_restful/__init__.py:299]
Traceback (most recent call last):
  File "/www/lemur/local/lib/python2.7/site-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/www/lemur/local/lib/python2.7/site-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/www/lemur/local/lib/python2.7/site-packages/flask_restful/__init__.py", line 462, in wrapper
    resp = resource(*args, **kwargs)
  File "/www/lemur/local/lib/python2.7/site-packages/flask/views.py", line 84, in view
    return self.dispatch_request(*args, **kwargs)
  File "/www/lemur/local/lib/python2.7/site-packages/flask_restful/__init__.py", line 572, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/www/lemur/lemur/auth/views.py", line 276, in get
    for provider in current_app.config.get("ACTIVE_PROVIDERS"):
TypeError: 'NoneType' object is not iterable
2015-12-30 14:56:59 +01:00
kevgliss
00cb66484b Merge pull request #188 from kevgliss/csr
Adding the ability to submit a third party CSR
2015-12-29 12:11:11 -08:00
kevgliss
cabe2ae18d Adding the ability to issue third party created CSRs 2015-12-29 10:49:33 -08:00
kevgliss
3b5d7eaab6 More Linting 2015-12-27 18:08:17 -05:00
kevgliss
aa2358aa03 Fixing linting 2015-12-27 18:02:38 -05:00
kevgliss
a7decc1948 Fixing some issues with dynamically supporting multiple SSO providers 2015-12-27 17:54:11 -05:00
Robert Picard
60856cb7b9 Add an endpoint to return active authentication providers
This endpoint can be used by Angular to figure out what authentication
options to display to the user. It returns a dictionary of configuration
details that the front-end needs for each provider.
2015-12-22 18:03:56 -05:00
Robert Picard
350d013043 Add Google SSO
This pull request adds Google SSO support. There are two main changes:

1. Add the Google auth view resource
2. Make passwords optional when creating a new user. This allows an admin
to create a user without a password so that they can only login via Google.
2015-12-22 13:44:30 -05:00
kevgliss
6211b126a9 Fixing py3 syntax error 2015-12-18 11:01:08 -05:00
kevgliss
54c3fcc72a Adding rotate command 2015-12-17 23:17:27 -05:00
kevgliss
b8c2d42cad Closes #176 2015-12-17 14:52:20 -08:00
kevgliss
2896ce0dad Closes #172 2015-12-16 08:18:01 -08:00
kevgliss
29bcde145c 0.2.1 release 2015-12-14 10:42:51 -08:00
kevgliss
6d17e4d538 Fixing templates 2015-12-04 09:51:38 -08:00
kevgliss
de9478a992 Disabling one-time binding 2015-12-03 16:57:37 -08:00
kevgliss
78037dc9ec Fixing the startup port 2015-12-02 17:13:52 -08:00
kevgliss
041382b02f Version bump 2015-12-02 14:53:46 -08:00
kevgliss
aa18b88a61 Making the notification email template cleaner 2015-12-01 17:13:43 -08:00
kevgliss
b1e842ae47 Merge pull request #162 from kevgliss/160-startup
Closes #160
2015-12-01 10:08:03 -08:00
kevgliss
e2524e43cf adding exports 2015-12-01 09:44:41 -08:00