The "Description" field can now display multi-line text content.
The "Authority" field now displays the authority name in Lemur (if
known) as well as issuer's name. For imported certs, "Imported" is
displayed.
This commit fixes the ability to assign roles to people in the ui
when the user is SSO. The idea is if a role is ever assigned via
SSO it becomes a "SSO Role" or a "Third Party" Role. by setting
third_party to true on the role object.
Once a role is marked as third party it can no longer be controlled
through the ui for SSO Users. (for ui users this poses no functional
change). It must be controlled via SSO.
* Adding some niceties around the way users are associated with tokens.
- Includes user typeahead
- Tooltips
- User information displayed in table
- Default to current user when no user is passed
Adds in per user api keys to the backend of lemur.
the basics are:
- API Keys are really just JWTs with custom second length TTLs.
- API Keys are provided in the exact same ways JWTs are now.
- API Keys can be revoked/unrevoked at any time by their creator
as well as have their TTL Change at anytime.
- Users can create/view/list their own API Keys at will, and
an admin role has permission to modify all api keys in the
instance.
Adds in support for lemur api keys to the frontend of lemur.
doing this required a few changes to the backend as well, but it is
now all working (maybe not the best way though, review will determine
that).
- fixes inconsistency in moduleauthor name I inputted during the
first commit.
- Allows the revoke schema to optionally allow a full api_key object.
- Adds `/users/:user_id/api_keys/:api_key` and `/users/:user_id/api_keys`
endpoints.
- normalizes use of `userId` vs `userId`
- makes `put` call respond with a JWT so the frontend can show
the token on updating.
- adds in the API Key views for clicking "API Keys" on the main nav.
- adds in the API Key views for clicking into a users edit page.
- adds tests for the API Key backend views I added.
This plugin allows a certificate to be exported as a CSR via OpenSSL
x509. The workflow will be:
* Create self-signed cert via Cryptography authority
* Export CSR via this plugin
* Sign your own cert outside of Lemur
* Import new cert with private key
Change-Id: Id3f7db2506bd959236cd3a6df622841058abda5a
* Changes required for functional Route53 operations
* Changes required for functional ACME operations with Route53
* Changes required for functional ACME operations with Route53, need external ID
* Added ability to ignore cert for oauth2 provider
This is useful for development environments where the OAuth provider
doesn't have a valid cert!
* Setting default for OAUTH2_VERIFY_CERT to true
* Documentation fixes
* Various docstring and help string fixes
* Minor code cleanups
* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
* Accented characters are replaced with non-accented version (ä -> a)
* Spaces are replaced with '-' (previously they were removed)
* Multiple non-alphanumeric characters are collapsed into one '-'
* This is a fix for a potential security issue; the old code had edge
cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
be valid domain names.
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.
The filter() function allowed guessing the content of password hashes
one character at a time.
The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes#807.
* fixing tests
* Fixes for Bandit
This commit fixes a couple of issues so that Bandit can run
cleanly using medium+ severity and confidence filtering.
* Adding Lemur Bandit job to TravisCI
* Ensures that both AKI serial/issue _and_ keyid won't be included.
Validation issues crop up if both types of AKI fields are present.
* Ensure that SAN extension includes the certificate's common name
* Fix scenario where subAltNames are getting dropped when applying a template
* Ensure that SAN includes the CN
* Ensuring that getting here without a SAN extension won't break things.
* New cleaner approach
* Some bits of handling the extensions are a bit hacky, requiring access to attributes inside the objects in x509.
I think this is pretty clean though.
* lintian check
* Fixing tests
* Allow owner to be specified when syncing certs.
* Ensuring non-endpoint plugins don't fail to complete syncing.
* Adding in some additional error handling.
* Adds additional constraints to the max notification time. With an increasing number of certificates we need to limit the max notification time to reduce the number of certificates that need to be analyzed for notification eligibility.
* UI adjustments to make Key Agreement, Encipher Only, and Decipher Only relationship more user-friendly
* whitespace typo
* Issue #663 switching Encipher/Decipher Only options to be mutually exclusive and un-checkable radio buttons.
* Found a bug in the fields schema that was dropping Key Agreement bit if encipher/decipher only weren't checked
* subAltNames were getting wiped out every time a template was selected
* isCritical variables aren't presented in the UI, nor is this information used in determining to use them.
* Renaming the function so it sounds less root-specific
* Refactoring lemur_cryptography
* Adding to the certificate interface an easy way to request the subject and public_key of a certificate
* Turning the create authority functionality into a wrapper of creating a CSR in the certificate codebase and issueing that certificate in this plugin. (Dependent on https://github.com/Netflix/lemur/pull/666 changes first)
* Ensuring that intermediate certificates and signed certificates retain their chain cert data
* Handling extensions that are the responsibility of the CA
Implementing authority_key_identifier for lemur_cryptography signatures and including skeletons of handling the certificate_info_access and crl_distribution_points
* Fixing errors found with linter
* Updating plugin unit tests
* Changing this for Python3. Underlying cryptography library expects these to be bytes now.
* Updating tests to match new function names/interfaces
* Another naming update in the plugin tests
* Appears that create_csr won't like this input without an owner.
* Undoing last commit and putting it into the right place this time.
* create_csr should be good now with these options, and chain certs will be blank in tests
* This won't be blank in issue_certificate, like it will in creating an authority.
* Much cleaner
* unnecessary import
* Allowing that create_csr can be called with an additional flag in the csr_config to adjust the BasicConstraints for a CA.
* If there are no SANs, skip adding a blank list of SANs.
* Adding handling for all the extended key usage, key usage, and subject key identifier extensions.
* Fixing lint checks. I was overly verbose.
* This implements marshalling of the certificate extensions into x509 ExtensionType objects in the schema validation code.
* Will create x509 ExtensionType objects in the schema validation stage
* Allows errors parsing incoming options to bubble up to the requestor as ValidationErrors.
* Cleans up create_csr a lot in the certificates/service.py
* Makes BasicConstraints _just another extension_, rather than a hard-coded one
* Adds BasicConstraints option for path_length to the UI for creating an authority
* Removes SAN types which cannot be handled from the UI for authorities and certificates.
* Fixes Certificate() object model so that it doesn't just hard-code only SAN records in the extensions property and actually returns the extensions how you expect to see them. Since Lemur is focused on using these data in the "CSR" phase of things, extensions that don't get populated until signing will be in dict() form.* Trying out schema validation of extensions
* Aligning certificate creation between authority and certificate workflows
* Correctly missing and mis-named fields in schemas
* Re-ordering KeyUsage and ExtendedKeyUsage for consistency and clarity
* Adding client authentication to the authority options.
* Missing blank lines for pyflakes linting
* Updating tests for new fields/names/typos
* is_critical wasn't in the schema, so was getting dropped.
* isCritical in the Javascript wasn't getting assigned if it was unchecked. Now, it will be assumed false if missing.
* The display of critical or not in the list of added custom OIDs was unclear when it was just true/false with no heading. Now it will be displayed as critical or nothing instead.
* The namespace for the checkbox for isCritical was wrong, and didn't get processed with the oid/type/value variables.
* Combining Authority Key Identifier extension options in the schema.
This makes processing them in the cert/csr generation stage make more sense because they are two options in the same x.509 extension. They were already in the same part of the schema for authorities, but this makes the certificates follow the same pattern, and it allows them to share the same schema/validation layout.
* Updating schema tests to match changes
* Fixing an idiot typo
* I promise to stop using Travis as a typo-corrector soon.
* Fixing an IAM syncing issue. Were duplicates were not properly sync'd with Lemur. This resulted in a visibility gap. Even 'duplicates' need to sync'd to Lemur such that we can track rotation correctly. Failing on duplicates lead to missing those certificates and the endpoints onto which they were deployed. This commit removes the duplicate handling altogether.
* Fixing tests.
kevgliss
Marti Raudsepp
Zach Seils
Eric
Johannes Langer
James Chuong
Daniel Pramann
Horatiu Eugen Vlad
Rick Breidenstein
Ian Stahnke
Paul Van de Vreede
Paul Borg
Asbjørn Kjær
Michael LoSapio
Michael Treacher
Travis McPeak
Neil Schelly
Gus E
Nevins
Tom Lianza