9e2578be1e
Adding necessary features to complete backfill ( #958 )
2017-10-04 14:57:57 -07:00
09b8f532a7
Adding cli to mass revoke certificates. ( #955 )
2017-10-03 10:51:53 -07:00
e0939a2856
Adding some default data to put. ( #950 )
2017-09-29 14:49:07 -07:00
90f4b458e3
Adding the lemur identity to be able to re-issue certificates. ( #949 )
2017-09-29 14:07:40 -07:00
f5213deb67
Removing revocation comments for now. ( #947 )
2017-09-29 10:53:15 -07:00
bb08b1e637
Initial work allowing certificates to be revoked. ( #941 )
...
* Initial work allowing for certificates to be revoked.
2017-09-28 18:27:56 -07:00
54ff4cddbf
Disallow issuing certificates from inactive authority ( #936 )
2017-09-25 15:34:49 -07:00
645641f4bd
Avoid redundant key_view log entries ( #937 )
...
Don't re-request private key when it's already loaded in frontend.
2017-09-25 15:34:07 -07:00
97d83890e0
Various minor cleanups and fixes ( #938 )
...
* Documentation fixes
* Various docstring and help string fixes
* Minor code cleanups
* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
2017-09-25 15:33:42 -07:00
ec5dec4a16
Add option to disable owner email address in CSR subject ( #939 )
2017-09-25 15:32:08 -07:00
f766871824
Create default rotation policy with name ( #924 )
2017-09-18 09:09:59 -07:00
fc9b1e5b12
server_default from "False" to sa.false() ( #913 )
2017-09-11 09:19:19 -07:00
dafed86179
Improve certificate name normalization: remove Unicode characters, etc. ( #906 )
...
* Accented characters are replaced with non-accented version (ä -> a)
* Spaces are replaced with '-' (previously they were removed)
* Multiple non-alphanumeric characters are collapsed into one '-'
2017-09-08 10:52:22 -07:00
79d12578c7
basic ldap support ( #842 )
2017-09-03 20:41:43 -07:00
ff87c487c8
It's too expensive to attempt to load all certificates associated with a given notification. Some queries such as `default` are associated with a large number of certificates. We have little control over when these objects are loaded, but when marshalled they are lazyloaded via SQLAlachemy. If a user needs to get all the certificates associated with a certificate they should use the /notifications/<id>/certificates endpoints that support pagination. ( #891 )
2017-08-28 17:57:39 -07:00
82b43b5a9d
Create signal hooks and handler for dumping CSR and certificate details ( #882 )
2017-08-28 17:35:56 -07:00
bb1c339655
Fix ability to remove all roles from authority ( #880 )
2017-08-28 17:35:01 -07:00
e7efaf4365
Prevent creation of empty SubjAltNames extension in CSR ( #883 )
2017-08-18 09:10:56 -07:00
c6d76f580e
Disable unused Flask Principal sessions ( #881 )
...
Lemur uses its own auth token for authentication; logging out doesn't
properly dispose of the Flask Principal session.
2017-08-17 09:24:35 -07:00
941df0366d
Fix roles display on user screen and fix removing user roles ( #879 )
2017-08-17 09:24:10 -07:00
7762d6ed52
Reworked sensitive domain name and restriction logic ( #878 )
...
* This is a fix for a potential security issue; the old code had edge
cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
be valid domain names.
2017-08-16 19:24:49 -07:00
cf805f530f
Prevent unintended access to sensitive fields (passwords, private keys) ( #876 )
...
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.
The filter() function allowed guessing the content of password hashes
one character at a time.
The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
2017-08-16 09:38:42 -07:00
f5e120ad2e
Update readme.txt ( #869 )
2017-08-04 12:42:27 -07:00
f5082e2d3a
Starting transition away from not_before and not_after. ( #854 )
2017-07-14 09:24:59 -07:00
61c493fc91
Adding additional failure conditions to sentry tracking. ( #853 )
...
* Adding additional failure conditions to sentry tracking.
* Removing sentry extension as a circular import.
2017-07-13 14:49:04 -07:00
6779e19ac9
Adding enum migration. ( #852 )
2017-07-13 13:12:53 -07:00
443eb43d1f
Adding the ability to specify a per-certificate rotation policy. ( #851 )
2017-07-12 16:46:11 -07:00
53113e5eeb
Add auditing for creating or updating a cert. ( #845 )
2017-07-04 06:39:16 -07:00
169dcb86e2
supporting the ability to push exceptions to sentry ( #843 )
2017-06-29 14:12:38 -07:00
e4f5224f42
set ses email content type to utf-8 instead of string ( #841 )
2017-06-28 09:44:19 -07:00
98907e66e9
Minor fixes to S3.put signature ( #840 )
2017-06-27 16:18:34 -07:00
c05343d58e
Adds the ability for destination plugins to be sub-classed from Expor… ( #839 )
...
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes #807 .
* fixing tests
2017-06-26 12:03:24 -07:00
541fbc9a6d
Use named kwargs rather than args when calling s3 put ( #830 )
2017-06-20 11:28:19 -07:00
35cc7ef8d7
Adding support for private DigiCert certificates ( #835 )
2017-06-14 09:20:24 -07:00
e77382864b
Fixing KeyError on error handling ( #834 )
2017-06-14 09:07:27 -07:00
d4d6d832b1
Fixing audit filtering and sorting. ( #827 )
2017-06-02 09:07:22 -07:00
9c92138f2d
Fixing autorotation failures. ( #825 )
...
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
2017-06-02 08:59:42 -07:00
5a4806bc43
Allowing description to be optional. ( #826 )
2017-06-01 17:09:04 -07:00
07969f7e10
Ensuring IPAddresses and IPNetworks are correctly serialized. ( #818 )
2017-05-26 10:48:26 -07:00
3141b47fba
Catch OAuth providers that want the params sent as data ( #800 )
2017-05-25 10:21:29 -07:00
21d48b32c9
Fixing an issue with uploading to cloudfront. ( #815 )
2017-05-25 10:10:12 -07:00
11bd42af82
Correct status code for basic-auth ( #813 )
...
* ensuring those using basic auth recieve a correct status code when their password is incorrect
* Fixing oauth status codes
2017-05-23 09:48:31 -07:00
f6b5012f56
Add Check of DB connections on healthcheck URL ( #812 )
2017-05-22 17:15:41 -07:00
f9b388c658
Modifying the was s3 uploading works. ( #810 )
...
* Modiying the was s3 uploading works.
* Fixing pep8
2017-05-20 12:07:44 -07:00
4093f4669a
Switching remaining uses of boto to boto3. ( #809 )
2017-05-20 11:09:55 -07:00
9594f2cd8d
Upgrading moto and fixing test that break due to deprecation. ( #808 )
...
* Upgrading moto and fixing test that break due to deprecation.
* Adding region.
2017-05-20 10:40:22 -07:00
380203eb53
Adding the ability to upload to cloudfront via the 'path' parameter. Cloudfront destinations must be created separately. ( #805 )
...
Closes #277
2017-05-18 13:49:17 -07:00
307a73c752
Fixing some confusion between 401 vs 403 error code. 401 indicates that the user should attempt to authenticate again. Where as 403 indicates the user is authenticated but not allowed to complete an action. ( #804 )
...
Closes #767
2017-05-18 13:20:17 -07:00
3050aca3e6
Minor fixes to the domains UI. ( #798 )
...
* Fixes checkbox input.
* Fixes notification message.
2017-05-15 19:14:12 -07:00
8c41c6785d
Fixes issue where domains without any associated certificates are not searchable. ( #797 )
2017-05-15 19:07:32 -07:00
kevgliss
Marti Raudsepp
Horatiu Eugen Vlad
Rick Breidenstein
Ian Stahnke
Paul Van de Vreede
Paul Borg
Asbjørn Kjær
Michael LoSapio