dafed86179
Improve certificate name normalization: remove Unicode characters, etc. ( #906 )
...
* Accented characters are replaced with non-accented version (ä -> a)
* Spaces are replaced with '-' (previously they were removed)
* Multiple non-alphanumeric characters are collapsed into one '-'
2017-09-08 10:52:22 -07:00
79d12578c7
basic ldap support ( #842 )
2017-09-03 20:41:43 -07:00
ff87c487c8
It's too expensive to attempt to load all certificates associated with a given notification. Some queries such as default are associated with a large number of certificates. We have little control over when these objects are loaded, but when marshalled they are lazyloaded via SQLAlachemy. If a user needs to get all the certificates associated with a certificate they should use the /notifications/<id>/certificates endpoints that support pagination. ( #891 )
2017-08-28 17:57:39 -07:00
82b43b5a9d
Create signal hooks and handler for dumping CSR and certificate details ( #882 )
2017-08-28 17:35:56 -07:00
bb1c339655
Fix ability to remove all roles from authority ( #880 )
2017-08-28 17:35:01 -07:00
e7efaf4365
Prevent creation of empty SubjAltNames extension in CSR ( #883 )
2017-08-18 09:10:56 -07:00
c6d76f580e
Disable unused Flask Principal sessions ( #881 )
...
Lemur uses its own auth token for authentication; logging out doesn't
properly dispose of the Flask Principal session.
2017-08-17 09:24:35 -07:00
941df0366d
Fix roles display on user screen and fix removing user roles ( #879 )
2017-08-17 09:24:10 -07:00
7762d6ed52
Reworked sensitive domain name and restriction logic ( #878 )
...
* This is a fix for a potential security issue; the old code had edge
cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
be valid domain names.
2017-08-16 19:24:49 -07:00
cf805f530f
Prevent unintended access to sensitive fields (passwords, private keys) ( #876 )
...
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.
The filter() function allowed guessing the content of password hashes
one character at a time.
The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
2017-08-16 09:38:42 -07:00
f5e120ad2e
Update readme.txt ( #869 )
2017-08-04 12:42:27 -07:00
f5082e2d3a
Starting transition away from not_before and not_after. ( #854 )
2017-07-14 09:24:59 -07:00
61c493fc91
Adding additional failure conditions to sentry tracking. ( #853 )
...
* Adding additional failure conditions to sentry tracking.
* Removing sentry extension as a circular import.
2017-07-13 14:49:04 -07:00
6779e19ac9
Adding enum migration. ( #852 )
2017-07-13 13:12:53 -07:00
443eb43d1f
Adding the ability to specify a per-certificate rotation policy. ( #851 )
2017-07-12 16:46:11 -07:00
53113e5eeb
Add auditing for creating or updating a cert. ( #845 )
2017-07-04 06:39:16 -07:00
169dcb86e2
supporting the ability to push exceptions to sentry ( #843 )
2017-06-29 14:12:38 -07:00
e4f5224f42
set ses email content type to utf-8 instead of string ( #841 )
2017-06-28 09:44:19 -07:00
98907e66e9
Minor fixes to S3.put signature ( #840 )
2017-06-27 16:18:34 -07:00
c05343d58e
Adds the ability for destination plugins to be sub-classed from Expor… ( #839 )
...
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes #807 .
* fixing tests
2017-06-26 12:03:24 -07:00
541fbc9a6d
Use named kwargs rather than args when calling s3 put ( #830 )
2017-06-20 11:28:19 -07:00
35cc7ef8d7
Adding support for private DigiCert certificates ( #835 )
2017-06-14 09:20:24 -07:00
e77382864b
Fixing KeyError on error handling ( #834 )
2017-06-14 09:07:27 -07:00
d4d6d832b1
Fixing audit filtering and sorting. ( #827 )
2017-06-02 09:07:22 -07:00
9c92138f2d
Fixing autorotation failures. ( #825 )
...
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
2017-06-02 08:59:42 -07:00
5a4806bc43
Allowing description to be optional. ( #826 )
2017-06-01 17:09:04 -07:00
07969f7e10
Ensuring IPAddresses and IPNetworks are correctly serialized. ( #818 )
2017-05-26 10:48:26 -07:00
3141b47fba
Catch OAuth providers that want the params sent as data ( #800 )
2017-05-25 10:21:29 -07:00
21d48b32c9
Fixing an issue with uploading to cloudfront. ( #815 )
2017-05-25 10:10:12 -07:00
11bd42af82
Correct status code for basic-auth ( #813 )
...
* ensuring those using basic auth recieve a correct status code when their password is incorrect
* Fixing oauth status codes
2017-05-23 09:48:31 -07:00
f6b5012f56
Add Check of DB connections on healthcheck URL ( #812 )
2017-05-22 17:15:41 -07:00
f9b388c658
Modifying the was s3 uploading works. ( #810 )
...
* Modiying the was s3 uploading works.
* Fixing pep8
2017-05-20 12:07:44 -07:00
4093f4669a
Switching remaining uses of boto to boto3. ( #809 )
2017-05-20 11:09:55 -07:00
9594f2cd8d
Upgrading moto and fixing test that break due to deprecation. ( #808 )
...
* Upgrading moto and fixing test that break due to deprecation.
* Adding region.
2017-05-20 10:40:22 -07:00
380203eb53
Adding the ability to upload to cloudfront via the 'path' parameter. Cloudfront destinations must be created separately. ( #805 )
...
Closes #277
2017-05-18 13:49:17 -07:00
307a73c752
Fixing some confusion between 401 vs 403 error code. 401 indicates that the user should attempt to authenticate again. Where as 403 indicates the user is authenticated but not allowed to complete an action. ( #804 )
...
Closes #767
2017-05-18 13:20:17 -07:00
3050aca3e6
Minor fixes to the domains UI. ( #798 )
...
* Fixes checkbox input.
* Fixes notification message.
2017-05-15 19:14:12 -07:00
8c41c6785d
Fixes issue where domains without any associated certificates are not searchable. ( #797 )
2017-05-15 19:07:32 -07:00
092ce0f9d8
Closes #792 . ( #796 )
2017-05-15 19:07:16 -07:00
914de78576
Adds migration to fix keys on unique index. Closes #743 . ( #785 )
2017-05-10 12:13:42 -07:00
ecf00fe9d6
Splitting out the default date issuance logic for CIS and CC. CIS assumes years is converted to validity_end while CC prefers validity_years over validity_end. ( #784 )
2017-05-10 12:05:03 -07:00
c71b3a319d
Log the audit logs ( #781 )
2017-05-08 09:43:26 -07:00
767147aef1
Check for unknown as status is no longer represented as a boolean ( #780 )
2017-05-08 09:43:19 -07:00
ce5a45037a
Fix for status representation in the view ( #778 )
2017-05-05 11:04:40 -07:00
9c9ca37586
Enabling hex serial numbers without breaking backward compatibility. ( #779 )
...
* Enabling hex serial numbers without breaking backward compatibility.
* Fixing tests.
2017-05-05 11:04:09 -07:00
5c41dafc97
fix unit and interval transposition in schemas.py ( #752 ) ( #774 )
2017-04-30 12:23:34 -07:00
989e3733a2
Add docker setup for running tests on a docker enabled dev environment. ( #771 )
2017-04-28 09:28:06 -07:00
fbc24ea400
There is an issue when iterating over extensions where certificates might not have been issued in adherence with basic constraints. Here we log these errors instead of failing out right. ( #770 )
2017-04-27 17:45:34 -07:00
4905020e77
ensuring stdout has a default log level ( #766 )
2017-04-27 10:11:47 -07:00
75787d20bc
ensuring that lemur's default user has a valid email ( #765 )
2017-04-27 09:53:35 -07:00
