Commit Graph

1595 Commits

Author SHA1 Message Date
Hossein Shafagh adabe18c90 metric tags, to be able to track which domains where failing during the LetsEncrypt domain validation 2019-07-25 18:56:28 -07:00
Hossein Shafagh 429e6a967c better error handling for redis 2019-07-25 18:49:19 -07:00
Kush Bavishi 252410c6e9 Updated TTL from 300 to 5 2019-07-22 16:00:20 -07:00
Kush Bavishi 51f3b7dde0 Added the Record class for UltraDNS 2019-07-22 14:23:40 -07:00
Kush Bavishi 0b52aa8c59 Added Zone class to handle ultradns zones 2019-07-22 11:47:48 -07:00
Hossein Shafagh 36ebba6491 source is not dict 2019-07-18 15:16:01 -07:00
Kush Bavishi e37a7c775e Initial commit for the UltraDNS plugin to support Lets Encrypt 2019-07-18 14:29:54 -07:00
Hossein Shafagh 09c0fa0f94 updating the function declaration 2019-07-16 17:21:01 -07:00
Hossein Shafagh cd1aeb15f1 adding testing for redis 2019-07-12 11:50:12 -07:00
Hossein Shafagh 1b1bdbb261 spacing 2019-07-12 10:25:37 -07:00
Hossein Shafagh 97d74bfa1d fixing the app context issue. we will create an app if no current_app available 2019-07-12 08:47:39 -07:00
Hossein Shafagh 2628ed1a82 better alerting 2019-07-11 23:00:35 -07:00
Curtis Castrapel 8eb639e366 Initial LetsEncrypt / Celery docs 2019-07-09 11:13:11 -07:00
Curtis Castrapel 0c5a8f2039 Relax celery time limit for source syncing; Ensure metric tags are string 2019-07-01 08:35:04 -07:00
Hossein Shafagh 0e037973b2
Revert "Faster permalink" 2019-06-26 10:31:58 -07:00
Curtis 850620c2a2
Merge branch 'master' into restore-manage-shebang 2019-06-25 09:41:08 -07:00
Curtis 5df06501f6
Merge pull request #2814 from intgr/expose-cert-hasprivaatekey
Expose new certificate field hasPrivateKey
2019-06-25 09:40:27 -07:00
Curtis 8fbff00850
Merge branch 'master' into restore-manage-shebang 2019-06-25 09:29:06 -07:00
Hossein Shafagh 404b7a25bc
Merge branch 'master' into restore-manage-shebang 2019-06-25 09:27:08 -07:00
alwaysjolley 86a1fb41ac lint fix 2019-06-25 06:56:37 -04:00
alwaysjolley 55a96ba790 type none 2019-06-24 15:10:10 -04:00
alwaysjolley 6699833297 fixing empty chain 2019-06-24 13:10:08 -04:00
Marti Raudsepp 2319858586 Expose new certificate field hasPrivateKey
We can also now disable the 'private key' tab when cert doesn't have a
private key.
2019-06-22 15:38:28 +03:00
Danny Thomas 4565bd7dc6
Update SAN text 2019-06-21 13:33:55 -07:00
Kush Bavishi 960064d5c6 Color change for Show Expired button 2019-06-21 11:32:16 -07:00
Hossein Shafagh 23caac5576
Merge branch 'master' into temp-ExpiredToggle-3 2019-06-21 08:59:53 -07:00
Hossein Shafagh 39d65db7fd
Merge branch 'master' into generalizing-api 2019-06-20 16:13:04 -07:00
Hossein Shafagh 162a300e53
Merge branch 'master' into temp-ExpiredToggle-3 2019-06-20 16:12:55 -07:00
Hossein Shafagh 34cdd29a50 removing the rotation enabled requirement, to keep the endpoint generic 2019-06-20 16:06:26 -07:00
Kush Bavishi de0462e54f Added missing semi-colon and changed double quotes to single quotes 2019-06-20 15:41:32 -07:00
Kush Bavishi 68815b8f44 UI changes - Button to show / hide expired certs. 2019-06-20 15:05:26 -07:00
alwaysjolley bbf50cf0b0 updated dest as well as src 2019-06-20 08:26:32 -04:00
alwaysjolley 02719a1de7 Merge branch 'master' into vault_regex
fixed conflicts:
	lemur/plugins/lemur_vault_dest/plugin.py
2019-06-19 09:53:08 -04:00
alwaysjolley 56917614a2 fixing regex to be more flexable 2019-06-19 09:46:44 -04:00
Marti Raudsepp 8a08edb0f3 manage.py: Restore shebang line
This is an executable file but cannot be executed without the interpreter.

The shebang line was lost in commit 8cbc6b8325
2019-06-18 10:51:11 +03:00
Kush Bavishi f836c6fff6 API additions for viewing expired certs as well. Default behavior modified to show only valid certs and those which have expired less than 1 month ago. 2019-06-17 14:29:48 -07:00
Kush Bavishi c0f8fbb24f Modified Permalink behavior to access a newer, faster API 2019-06-11 15:53:47 -07:00
Kush Bavishi 57016f2f45 Merge branch 'master' of https://github.com/Netflix/lemur into FasterPermalink 2019-06-11 14:33:58 -07:00
Kush Bavishi 491d048948 Modified the behavior of Permalink to access a newer, faster API 2019-06-10 09:47:29 -07:00
Curtis 0446aea20e
Update messaging.py 2019-06-06 13:35:45 -07:00
Hossein Shafagh 1ed41d03ea
Merge branch 'master' into duplicate-notifications-(alternative) 2019-06-06 09:10:57 -07:00
Hossein Shafagh 28e26a1baf to prevent duplicate emails, we might better remove owner and security email address from the notification recipient 2019-06-05 17:57:11 -07:00
Kush Bavishi 45231c2423 Added code to automatically add the common name as a DNS name while creating a certificate. 2019-05-31 14:08:28 -07:00
Curtis 7eb9c80fb2
Merge pull request #2798 from castrapel/domains_enhancements
Enhance domains query and sensitive domain checking code
2019-05-30 10:31:24 -07:00
Curtis Castrapel 8b821d0023 Enhance domains query and sensitive domain checking code; Allow creation of opt-out roles via config 2019-05-30 10:21:44 -07:00
Hossein Shafagh 071c083eae hiding expired certs after 6 months from the main page 2019-05-30 10:21:03 -07:00
Hossein Shafagh b4d9ab9f0c Merge branch 'master' of github.com:Netflix/lemur into improving-cert-lookup-time 2019-05-30 08:55:49 -07:00
Hossein Shafagh 13d46ae42e indexing the not after field in the cert table 2019-05-30 08:55:30 -07:00
Curtis 8bc23f6deb
Merge pull request #2797 from castrapel/get_or_increase_name_simplify
Make get_or_increase_name queries less demanding
2019-05-29 12:50:06 -07:00
Curtis 6e4306b3bb
Merge pull request #2795 from ardichoke/fix_vault_api_v2_append
Fix Certificate Appending With v2 Vault API
2019-05-29 12:49:36 -07:00
Curtis Castrapel 5e389f3f48 Add certificate1 to test DB 2019-05-29 12:38:17 -07:00
Curtis Castrapel f81adb1371 Make get_or_increase_name queries less demanding 2019-05-29 12:20:05 -07:00
Curtis Castrapel fd35a26955 Support read replicas 2019-05-28 12:45:39 -07:00
Ryan DeShone 09c7076e79 Handle double data field in API v2 2019-05-22 17:12:10 -04:00
Curtis Castrapel 1423ac0d98 More metrics 2019-05-21 12:55:33 -07:00
Curtis Castrapel 34c7e5230b Set a limit on number of retries 2019-05-21 12:52:41 -07:00
Curtis Castrapel 4fac726cf4 Add support for JSON logging 2019-05-17 08:48:26 -07:00
Curtis Castrapel 0320c04be2 nosec comment 2019-05-16 08:14:46 -07:00
Curtis Castrapel 68fd1556b2 Black lint all the things 2019-05-16 07:57:02 -07:00
Curtis Castrapel e3c5490d25 Expose exact response from digicert as error 2019-05-15 13:36:40 -07:00
Curtis Castrapel 26d10e8b98 change ordering in more places 2019-05-15 11:47:53 -07:00
Curtis Castrapel 7e92edc70a Set resolved cert ID before resolving cert; Ignore sentry exceptions when no records on deletion 2019-05-15 11:43:59 -07:00
Curtis 6eb3836abc
Merge branch 'master' into fast-valid-cert-lookup 2019-05-15 10:20:17 -07:00
Curtis Castrapel 5d8f71c3e4 nt 2019-05-14 13:02:24 -07:00
Curtis Castrapel 565142f985 Add soft timeouts to celery jobs; Check for PEM in LE order 2019-05-14 12:52:30 -07:00
Hossein Shafagh f452a7ce68 adding a new API for faster certificate lookup.
The new API api/1/certificates/valid returns only non-expired (not_after >= today) certs which have auto-rotate enabled:

cn is a required parameter:

http://localhost:8000/api/1/certificates/valid?filter=cn;example.com
cn can also be a database string wildcard ('%'):

http://localhost:8000/api/1/certificates/valid?filter=cn;%
owner is the additional parameter, and must be the email address of the owner:

http://localhost:8000/api/1/certificates/valid?filter=cn;example.com&owner=hossein@example.com
given owner  and a database string wildcard ('%') one can retrieve all certs for that owner, which are still valid, and have auto-rotate enabled:

http://localhost:8000/api/1/certificates/valid?filter=cn;%&owner=hossein@example.com
2019-05-11 18:06:51 -07:00
Curtis Castrapel ed18df22db remove permalink change 2019-05-09 14:54:44 -07:00
Curtis Castrapel e33a103ca1 Allow searching for certificates by name via API 2019-05-09 14:36:56 -07:00
Curtis c9c782684d
Merge branch 'master' into add_metrics_reissue_rotate 2019-05-08 07:48:44 -07:00
Curtis Castrapel 87470602fd Gather more metrics on certificate reissue/rotate jobs 2019-05-08 07:48:08 -07:00
Curtis 317c84800c
Merge branch 'master' into jwks_validation_error_control 2019-05-08 06:50:56 -07:00
Curtis Castrapel 0eacbd42d7 Converting userinfo authorization to a config var 2019-05-07 15:31:42 -07:00
Jose Plana 4e6e7edf27 Rename return variable for better readability 2019-05-07 22:53:01 +02:00
Hossein Shafagh b7ce9ab901
Merge branch 'master' into jwks_validation_error_control 2019-05-07 13:09:02 -07:00
Hossein Shafagh ff583981b1
Merge branch 'master' into aid_openid_roles_provider_integration 2019-05-07 09:06:02 -07:00
Hossein Shafagh e58ff476c9
Merge branch 'master' into jwks_validation_error_control 2019-05-07 09:05:41 -07:00
Curtis 22caaa0c95
Merge branch 'master' into fix_userinfo_authorization 2019-05-07 07:48:47 -07:00
Curtis e65154b48e
Merge branch 'master' into develop 2019-05-07 07:36:51 -07:00
alwaysjolley ef7a8587fe Merge branch 'lemur_vault_source' of github.com:/alwaysjolley/lemur into lemur_vault_source 2019-05-07 10:06:09 -04:00
alwaysjolley b0c8901b0a lint cleanup 2019-05-07 10:05:01 -04:00
alwaysjolley 36ce1cc7ef
Merge branch 'master' into lemur_vault_source 2019-05-07 09:41:50 -04:00
alwaysjolley fb3f0bd72a adding Vault Source plugin 2019-05-07 09:37:30 -04:00
Daniel Iancu a7af3cf8d2 Fix Cloudflare DNS 2019-05-07 03:05:24 +03:00
Jose Plana deed1b9685 Don't fail if googleGroups is not found in user profile 2019-05-06 12:30:25 +02:00
Jose Plana 6c99e76c9a Better error management in jwks token validation 2019-05-06 12:27:43 +02:00
Jose Plana 2063baefc9 Fixes userinfo using Bearer token 2019-05-06 12:23:24 +02:00
Curtis Castrapel 3a1da72419 nt 2019-04-29 13:57:04 -07:00
Curtis Castrapel 6e3f394cff Updated requirements ; Revert change and require DNS validation by provider 2019-04-29 13:55:26 -07:00
Curtis Castrapel 1a90e71884 Move ACME host validation logic prior to R53 host modification 2019-04-26 17:27:44 -07:00
Curtis Castrapel 333ba8030a Ensure hostname is lowercase when comparing DNS challenges. ACME will automatically lowercase the hostname 2019-04-26 15:45:04 -07:00
Curtis Castrapel 1a3ba46873 More retry changes 2019-04-26 10:18:54 -07:00
Curtis Castrapel 1e64851d79 Strip out self-polling logic and rely on ACME; Enhance ELB logging and retries 2019-04-26 10:16:18 -07:00
Curtis 8eef95b58e
Merge branch 'master' into expose_verisign_exception 2019-04-25 19:15:55 -07:00
Curtis Castrapel dcdfb32883 Expose verisign exceptions 2019-04-25 19:14:15 -07:00
Curtis Castrapel 39584f214b Process DNS Challenges appropriately (1 challenge -> 1 domain) 2019-04-25 15:12:52 -07:00
Curtis Castrapel 2bc604e5a9 Better metrics and error reporting 2019-04-25 13:50:41 -07:00
Curtis Castrapel 272285f64a Better exception handling, logging, and metrics for ACME flow 2019-04-24 15:26:23 -07:00
Curtis 0f9b0f39f7
Merge branch 'master' into add-pending-certificate-upload 2019-04-24 09:34:35 -07:00
alwaysjolley a801112cf6
Merge branch 'master' into lemur_vault_plugin 2019-04-23 07:07:39 -04:00
alwaysjolley 85efb6a99e cleanup tmp files 2019-04-23 07:06:52 -04:00
Hossein Shafagh 9b38761153
Merge branch 'master' into add-pending-certificate-upload 2019-04-22 11:47:02 -07:00
alwaysjolley f9dadb2670 fixing validation 2019-04-22 09:38:44 -04:00
alwaysjolley 8dccaaf544 simpler validation 2019-04-22 07:58:01 -04:00
alwaysjolley 1667c05742 removed unused functions 2019-04-18 13:57:10 -04:00
alwaysjolley b39e2e3f66 Merge branch 'master' into lemur_vault_plugin 2019-04-18 13:55:45 -04:00
alwaysjolley fb3b0e8cd7 adding regex filtering 2019-04-18 13:52:40 -04:00
Jose Plana 7dd9268ca7 Allow uploading a signed cert for a pending certificate. 2019-04-18 00:46:39 +02:00
Curtis 8177e12f3f
Merge branch 'master' into rewrite-java-keystore-use-pyjks 2019-04-17 10:43:44 -07:00
Hossein Shafagh 52f939658f
Merge branch 'master' into rewrite-java-keystore-use-pyjks 2019-04-17 10:31:58 -07:00
Curtis f6afcc6d21
Merge branch 'master' into master 2019-04-17 10:28:46 -07:00
Javier Ramos 58dd424de8
Prevent potential NoneType not subscriptable
Fix when data['extensions']['subAltNames']['names'] is none
2019-04-17 18:33:52 +02:00
Jose Plana 771f2ebc47 Use SAN_CERT_CSR 2019-04-13 11:01:36 +02:00
Jose Plana 770729a72e Allow csr to be empty during upload 2019-04-13 01:17:12 +02:00
Hossein Shafagh 2ff811ae71 updating cryptography API call, to create right signing algorithm object. 2019-04-13 00:57:48 +02:00
Hossein Shafagh 09796cf7c9 the check_cert_signature() method was attempting to compare RSA and ECC signatures.
If a ec public-key certificate is signed with an RSA key, then it can't be a self-signed certificate, in which case we just raise InvalidSignature.
2019-04-13 00:57:48 +02:00
Jose Plana 406753fcde Fix PEP8 2019-04-13 00:49:35 +02:00
Jose Plana a5570d07bc Added some documentation for API users. 2019-04-13 00:48:19 +02:00
Jose Plana c1b02cc8a5 Allow uploading csr along with certificates 2019-04-13 00:48:19 +02:00
Hossein Shafagh df8d4e0892
Merge branch 'master' into rewrite-java-keystore-use-pyjks 2019-04-12 09:38:50 -07:00
Hossein Shafagh ceb335f3ab
Merge branch 'master' into master 2019-04-12 09:38:41 -07:00
alwaysjolley 9ecc19c481 adding san filter 2019-04-12 09:53:06 -04:00
Hossein Shafagh 6d67ec7e34 removing unused import 2019-04-11 17:34:02 -07:00
Hossein Shafagh 512e1a0bdd fixing typos 2019-04-11 17:17:28 -07:00
Hossein Shafagh 6ec84a398c checking for None 2019-04-11 17:13:47 -07:00
Hossein Shafagh 69c00c4db5 upon creating a new destination, we also add it as source, if the plugin defines this as an option 2019-04-11 17:13:47 -07:00
Hossein Shafagh d7abf2ec18 adding a new util method for setting options 2019-04-11 17:13:47 -07:00
Hossein Shafagh 557fac39b5 refactoring the sync job into a service method that we can also call when adding a new destination 2019-04-11 17:13:47 -07:00
Hossein Shafagh d1ead4b79c removing the announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh 5900828051 simple hardcoded announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh 818da6653d removing the announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh e1a67e9b4e simple hardcoded announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh 84dfdd0600 removing the announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh ba691a26d4 simple hardcoded announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh b66fac0494 removing the announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh 1bda246df2 simple hardcoded announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh 9a210c055a
Merge branch 'master' into hshafagh-src-dst-register 2019-04-11 15:36:48 -07:00
Hossein Shafagh 2459234147 removing lines 2019-04-11 14:34:26 -07:00
Hossein Shafagh 60edab9f6d cleaning up 2019-04-11 14:12:31 -07:00
Hossein Shafagh ec3d2d7316 fixing typo 2019-04-11 13:51:43 -07:00
Hossein Shafagh 83d408b238
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst 2019-04-11 13:30:12 -07:00
Hossein Shafagh 266c83367d avoiding hard-coded plugin names 2019-04-11 13:29:37 -07:00
Hossein Shafagh f185df4f1e bringing class AWSDestinationPlugin(DestinationPlugin) after AWSSourcePlugin.slug, such that we can do: sync_as_source_name = AWSSourcePlugin.slug 2019-04-11 13:28:58 -07:00
Curtis Castrapel 2ff57e932c Update requirements - upgrade to py37 2019-04-10 15:40:48 -07:00
Hossein Shafagh d628e97035
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst 2019-04-10 09:47:06 -07:00
Hossein Shafagh bc8c7e114a
Merge branch 'master' into hshafagh-src-dst-register 2019-04-09 20:52:33 -07:00
Hossein Shafagh f3d0536800 removing hardcoded rules, to give more flexibility into defining new source-destinations 2019-04-09 20:49:07 -07:00
Javier Ramos bfc4f940da
Merge branch 'master' into master 2019-04-09 18:06:09 +02:00
Hossein Shafagh 64c6bb2475
Merge branch 'master' into rewrite-java-keystore-use-pyjks 2019-04-09 08:28:05 -07:00
Marti Raudsepp dbf34a4d48 Rewrite Java Keystore/Truststore support based on pyjks library 2019-04-06 20:24:46 +03:00
Javier Ramos d80a6bb405 Added tests for CSR parsing into CertificateInputSchema 2019-04-01 08:44:40 +02:00
Ryan DeShone e10007ef7b Add support for Vault KV API v2
This adds the ability to target KV API v1 or v2.
2019-03-29 10:32:49 -04:00
Javier Ramos b86e381e20 Parse SubjectAlternativeNames from CSR into Lemur Certificate 2019-03-27 13:46:33 +01:00
Hossein Shafagh d2e969b836 better synching of source and destinations 2019-03-26 18:20:14 -07:00
Curtis 4018c68d49
Merge branch 'master' into authority_validation_LE_errors 2019-03-25 08:34:10 -07:00
Curtis Castrapel c2158ff8fb Add order URI during LE cert creation failure; Fail properly when invalid CA passed; Update reqs 2019-03-25 08:28:23 -07:00
Curtis 8a42cfa345
Merge branch 'master' into ghjaramos/master 2019-03-21 08:07:44 -07:00
alwaysjolley fa4a5122bc fixing file read to trim line endings and cleanup 2019-03-20 14:59:04 -04:00
alwaysjolley f99b11d50e refactor url and token to support muiltiple instances of vault 2019-03-20 13:51:06 -04:00
Javier Ramos 9e5496b484
Update schemas.py 2019-03-15 10:19:25 +01:00
Javier Ramos f7452e8379 Parse DNSNames from CSR into Lemur Certificate 2019-03-15 09:29:23 +01:00
alwaysjolley 157db684c3
Merge branch 'master' into lemur_vault_plugin 2019-03-14 11:09:01 -04:00
Curtis c445297357
Update celery.py 2019-03-12 15:41:24 -07:00
Curtis f38e5b0879
Update celery.py 2019-03-12 15:29:04 -07:00
Curtis 1a5a91ccc7
Update celery.py 2019-03-12 15:11:13 -07:00
Curtis 3b3faa66f4
Merge branch 'master' into skip_duplicate_tasks 2019-03-12 14:53:42 -07:00
Curtis Castrapel d220e9326c Skip a task if similar task already active 2019-03-12 14:45:43 -07:00
alwaysjolley 57d3f3d5a5
Merge branch 'master' into lemur_vault_plugin 2019-03-08 07:08:56 -05:00
alwaysjolley f1c09a6f8f fixed comments 2019-03-07 15:58:34 -05:00
Hossein Shafagh 93ce259fb2
Merge branch 'master' into verify-cert-chain 2019-03-07 12:46:19 -08:00
alwaysjolley 7b0a3cf781 Merge branch 'lemur_vault_plugin' of github.com:/alwaysjolley/lemur into lemur_vault_plugin 2019-03-07 15:42:40 -05:00
alwaysjolley 752c9a086b fixing error handling and better data formating 2019-03-07 15:41:29 -05:00
Hossein Shafagh 92b60b279a
Merge branch 'master' into verify-cert-chain 2019-03-06 11:15:32 -08:00
Hossein Shafagh 43b1d6217a
Merge branch 'master' into allow-cert-deletion 2019-03-06 10:59:33 -08:00
Hossein Shafagh 98ece58342
Merge branch 'master' into lemur_vault_plugin 2019-03-06 10:59:03 -08:00
Hossein Shafagh 45cb0f0513
Merge branch 'master' into allow-cert-deletion 2019-03-06 09:35:10 -08:00
Kevin Glisson cc6d53fdeb Ensuring that configs passed via the command line are respected. 2019-03-05 15:39:37 -08:00
alwaysjolley a1cb8ee266 fixing lint 2019-03-05 07:37:04 -05:00
alwaysjolley 880eaad6cb Merge branch 'lemur_vault_plugin' of github.com:/alwaysjolley/lemur into lemur_vault_plugin 2019-03-05 07:22:18 -05:00
alwaysjolley 4a027797e0 fixing linting issues 2019-03-05 07:19:22 -05:00
Hossein Shafagh 54ad3ba777
Merge branch 'master' into verify-cert-chain 2019-03-04 17:55:36 -08:00
Hossein Shafagh c9bcd29082
Merge branch 'master' into lemur_vault_plugin 2019-03-04 17:55:00 -08:00
Curtis Castrapel dd2900bdbc Relax search;update requirements 2019-03-04 10:04:06 -08:00
Marti Raudsepp 10cec063c2 Check that stored certificate chain matches certificate
Similar to how the private key is checked.
2019-03-04 17:10:59 +02:00
alwaysjolley 20518bc377
Merge branch 'master' into lemur_vault_plugin 2019-03-01 09:58:43 -05:00
alwaysjolley 5d2f603c84 renamed vault destination plugin to avoid conflict with vault pki plugin 2019-03-01 09:49:52 -05:00
Ronald Moesbergen 63de8047ce Return 'already deleted' instead of 'not found' when cert has already been deleted 2019-02-27 09:38:25 +01:00
Ronald Moesbergen a9735e129c Merge branch 'master' into allow-cert-deletion 2019-02-27 09:28:48 +01:00
Hossein Shafagh 658c58e4b6 clarifying comments 2019-02-26 17:04:43 -08:00
Hossein Shafagh 9dbae39604 updating cryptography API call, to create right signing algorithm object. 2019-02-26 16:42:26 -08:00
Hossein Shafagh 16a18cc4b7 adding more edge test cases for EC-certs 2019-02-26 16:42:26 -08:00
Hossein Shafagh aec7c7b0bc
Merge branch 'master' into fixing-signature-verify-ecc 2019-02-26 09:28:48 -08:00
alwaysjolley 53301728fa Moved url to config file instead of plugin option. One one url can be supported
unless both the token and url are moved to the plugin options.
2019-02-26 09:15:12 -05:00
Hossein Shafagh 40fac02d8b the check_cert_signature() method was attempting to compare RSA and ECC signatures.
If a ec public-key certificate is signed with an RSA key, then it can't be a self-signed certificate, in which case we just raise InvalidSignature.
2019-02-25 19:05:54 -08:00
alwaysjolley cd65a36437 - support multiple bundle configuration, nginx, apache, cert only
- update vault destination to support multi cert under one object
- added san list as key value
- read and update object with new keys, keeping other keys, allowing
us to keep an iterable list of keys in an object for deploying multiple
certs to a single node
2019-02-25 09:42:07 -05:00
Ronald Moesbergen ef0c08dfd9 Fix: when no alias is entered when exporting a certificate, the alias is set to 'blah'.
This fix sets it to the common name instead.
2019-02-21 16:33:43 +01:00
alwaysjolley eaa73998a0 adding lemur_vault destination plugin 2019-02-19 15:03:15 -05:00
Ronald Moesbergen 29bda6c00d Fix typo's 2019-02-14 11:58:29 +01:00
Ronald Moesbergen 8abf95063c Implement a ALLOW_CERT_DELETION option (boolean, default False). When enabled, the certificate delete API call will work and the UI
will no longer display deleted certificates. When disabled (the default), the delete API call will not work (405 method not allowed)
 and the UI will show all certificates, regardless of the 'deleted' flag.
2019-02-14 11:57:27 +01:00
Hossein Shafagh e034771e36
Merge branch 'master' into special-issuer-for-selfsigned-certs 2019-02-11 12:04:33 -08:00
Hossein Shafagh 605663704b
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst 2019-02-05 12:41:33 -08:00
Hossein Shafagh e139b92b24
Merge branch 'master' into hshafagh-src-dst-register 2019-02-05 12:41:26 -08:00
Hossein Shafagh 6d1ef933c4 creating a new celery task to sync sources with destinations. This is as a measure to make sure important new destinations are also present as sources. 2019-02-05 10:48:52 -08:00
Hossein Shafagh 2107d58050
Merge branch 'master' into get_by_attributes 2019-02-05 10:31:35 -08:00
Hossein Shafagh 8d261b4120
Merge branch 'master' into special-issuer-for-selfsigned-certs 2019-02-05 10:29:20 -08:00
Marti Raudsepp 51248c1938 Use special issuer values <selfsigned> and <unknown> in special cases
This way it's easy to find/distinguish selfsigned certificates stored in
Lemur.
2019-02-05 16:56:09 +02:00
Hossein Shafagh 1d2771b014
Merge branch 'master' into get_by_attributes 2019-02-04 21:07:09 -08:00
Hossein Shafagh f249a82d71 renaming destination to source. 2019-02-04 16:10:48 -08:00
Hossein Shafagh 44a060b159 adding support for creating a source while creating a new dst, while the destination is from AWS 2019-02-04 15:36:39 -08:00
sirferl c1cf8d7a92
Merge branch 'master' into ADCS-plugin 2019-02-02 19:21:22 +01:00
Hossein Shafagh 45fbaf159a
Merge branch 'master' into master 2019-02-01 16:50:09 -08:00
Hossein Shafagh 8e93d007be
Merge branch 'master' into get_by_attributes 2019-02-01 16:48:50 -08:00
Hossein Shafagh 6705a0e030
Merge branch 'master' into ADCS-plugin 2019-02-01 16:38:39 -08:00
sirferl 36ab1c0bec
Merge branch 'master' into ADCS-plugin 2019-02-01 19:10:46 +01:00
Marti Raudsepp e24a94d798 Enforce that PEM strings (certs, keys, CSR) are internally passed as str, not bytes
This was already true in most places but not 100%, leading to lots of redundant checks and conversions.
2019-01-30 18:11:24 +02:00
Curtis e475d90e2e
Merge branch 'master' into master 2019-01-30 07:20:44 -08:00
Hossein Shafagh e5ddf08f48
Merge branch 'master' into master 2019-01-29 16:37:29 -08:00
Hossein Shafagh 7f4f4ffded
Merge branch 'master' into master 2019-01-29 16:30:15 -08:00
Hossein Shafagh 48ad20faca moving the 2 year validity issue to the Verisign plugin, and address it there 2019-01-29 16:17:08 -08:00
Curtis 1e708bf1c7
Merge branch 'master' into password_noninteractive 2019-01-29 15:21:34 -08:00
Curtis Castrapel d2317acfc5 allowing create_user with noninteractive PW;updating reqs 2019-01-29 15:17:40 -08:00
Curtis 29638c7f3b
Merge branch 'master' into master 2019-01-29 14:59:55 -08:00
Curtis 93021a5d89
Merge branch 'master' into expose-cert-distinguished-name 2019-01-29 14:56:31 -08:00
alwaysjolley c68a9cf80a fixing linting issues 2019-01-29 11:10:56 -05:00
alwaysjolley 254a3079f2 fix whitespace 2019-01-29 11:01:55 -05:00
alwaysjolley b4d1b80e04 Adding support for cfssl auth mode signing 2019-01-29 10:13:44 -05:00
sirferl c77ccdf46e
Merge branch 'master' into ADCS-plugin 2019-01-28 17:57:46 +01:00
Hossein Shafagh c47fa0f9a2 adjusting the tests to reflect on the new full year convert limit! 2019-01-24 17:52:22 -08:00
Hossein Shafagh a9724e7383 Resolving the 2 years error from UI during cert creation:
Though a CA would accept two year validity, we were getting error for being beyond 2 years.
This is because our current conversion is just current date plus 2 years,
1/25/2019 + 2 years ==> 1/25/2019
This is more strictly seen two years and 1 day extra, violating the 2 year's limit.
2019-01-24 17:23:40 -08:00
Marti Raudsepp 4b893ab5b4 Expose full certificate RFC 4514 Distinguished Name string
Using rfc4514_string() method added in cryptography version 2.5.
2019-01-23 10:03:40 +02:00
Ronald Moesbergen 4c4fbf3e48 Implement certificates delete API call by marking a cert as 'deleted' in the database. Only certificates that have expired can be deleted. 2019-01-21 10:25:28 +01:00
Ronald Moesbergen cb35f19d6c Add 'delete_cert' to enum log_type in logs table 2019-01-21 10:22:03 +01:00
Curtis Castrapel 0336d68ee2 Merge remote-tracking branch 'upstream/master' 2019-01-17 14:56:12 -08:00
Curtis Castrapel 7f88c24e83 Fix LetsEncrypt Dyn flow for duplicate CN/SAN 2019-01-17 14:56:04 -08:00
Hossein Shafagh d3284a4006 adjusting the query to filter authorities based on matching CN 2019-01-14 17:52:06 -08:00
Curtis Castrapel 3567a768d5 Compare certificate hashes to determine if Lemur already has a synced certificate 2019-01-14 13:35:55 -08:00
Curtis Castrapel 31a86687e7 Reduce the expense of joins 2019-01-14 09:20:02 -08:00
Curtis Castrapel c4e6e7c59b Optimize DB cert filtering 2019-01-14 08:02:27 -08:00
Curtis 638a8450a3
Merge branch 'master' into more_retries 2019-01-11 11:25:00 -08:00
Curtis Castrapel 0e02e6da79 Be more forgiving to throttling 2019-01-11 11:13:43 -08:00
sirferl a1ca61d813 changed a too long comment 2019-01-09 09:50:26 +01:00
sirferl a43476bc87 minor errors after lint fix 2019-01-07 11:04:27 +01:00
sirferl 054685fc38
Merge branch 'master' into ADCS-plugin 2019-01-07 10:23:18 +01:00
sirferl c62bcd1456 repaired several lint errors 2019-01-07 10:02:37 +01:00
Marti Raudsepp 542e953919 Check that stored private keys match certificates
This is done in two places:
* Certificate import validator -- throws validation errors.
* Certificate model constructor -- to ensure integrity of Lemur's data
  even when issuer plugins or other code paths have bugs.
2018-12-31 16:28:20 +02:00
Curtis 6a31856d0d
Update plugin.py 2018-12-21 12:33:47 -08:00
Curtis b5d6abb01f
Merge branch 'master' into kubernetes-improvment 2018-12-21 12:06:09 -08:00
Curtis b7332957e7
Merge branch 'master' into unicode-in-issuer-name 2018-12-21 07:59:20 -08:00
Curtis 70381c4c89
Merge branch 'master' into kubernetes-fix 2018-12-21 07:44:11 -08:00
Curtis a14fe08a63
Merge branch 'master' into kubernetes-improvment 2018-12-21 07:42:13 -08:00
Curtis fb7605e34b
Merge branch 'master' into unicode-in-issuer-name 2018-12-21 07:41:08 -08:00
Marti Raudsepp 72f6fdb17d Properly handle Unicode in issuer name sanitization
If the point of sanitization is to get rid of all non-alphanumeric
characters then Unicode characters should probably be forbidden too.

We can re-use the same sanitization function as used for cert 'name'
2018-12-21 16:34:12 +02:00
Marti Raudsepp 0f2e30cdae Deduplicate rows before notification associations unique constraint migration 2018-12-21 12:11:33 +02:00
sirferl f02178c154 added ADCS issuer and source plugin 2018-12-20 11:54:47 +01:00
Wesley Hartford fbf48316b1 Minor changes for code review suggestions. 2018-12-18 22:43:32 -05:00
Wesley Hartford 073d05ae21 Merge branch 'kubernetes-fix' into kubernetes-improvment 2018-12-18 22:26:03 -05:00
Wesley Hartford e7313da03e Minor changes for code review suggestions. 2018-12-18 22:24:48 -05:00
Curtis 425a07e988
Merge branch 'master' into destination-tpl-fix 2018-12-18 12:27:35 -08:00
Curtis 513e876e2e
Merge branch 'master' into master 2018-12-18 12:18:38 -08:00
Wesley Hartford bc621c1468 Improve the Kubernetes Destination plugin
The plugin now supports loading details from local files rather than requiring them to be entered through the UI. This is especially relaent when Lemur is deployed on Kubernetes as the certificate, token, and current namespace will be injected into the pod. The location these details are injected are the defaults if no configuration details are supplied.

The plugin now supports deploying the secret in three different formats:
* Full - matches the formate used by the plugin prior to these changes.
* TLS - creates a secret of type kubernetes.io/tls and includes the certificate chain and private key, this format is used by many kubernetes features.
* Certificate - creates a secret containing only the certificate chain, suitable for use as trust authority where private keys should _NOT_ be deployed.

The deployed secret can now have a name set through the configuration options; the setting allows the insertion of the placeholder '{common_name}' which will be replaced by the certificate's common name value.

Debug level logging has been added.
2018-12-12 13:25:36 -08:00
sirferl a50d80992c updated query to ignore empty parameters 2018-12-12 12:45:48 +01:00
Wesley Hartford 060c78fd91 Fix Kubernetes Destination Plugin
The Kubernetes plugin was broken. There were two major issues:
* The server certificate was entered in a string input making it impossible (as far as I know) to enter a valid PEM certificate.
* The base64 encoding calls were passing strings where bytes were expected.

The fix to the first issue depends on #2218 and a change in the options structure. I've also included some improved input validation and logging.
2018-12-10 15:33:04 -08:00
Wesley Hartford 437d918cf7 Fix textarea and validation on destination page
The destination configuration page did not previously support a textarea input as was supported on most other pages. The validation of string inputs was not being performed. This commit addresses both of those issues and corrects the validation expressions for the AWS and S3 destination plugins so that they continue to function. The SFTP destination plugin does not have any string validation. The Kubernetes plugin does not work at all as far as I can tell; there will be another PR in the coming days to address that.
2018-12-10 12:04:16 -08:00
Ronald Moesbergen dcf5ce0eec
Merge branch 'master' into master 2018-12-07 13:57:59 +01:00
Curtis Castrapel c32e20b6fc Fix notifications - Ensure that notifcation e-mails are sent appropriately 2018-12-06 12:25:43 -08:00
Ronald Moesbergen e0ac749734 When parsing SAN's, ignore unknown san_types, because in some cases they can contain unparsable/serializable values, resulting in a TypeError(repr(o) + " is not JSON serializable") 2018-12-06 16:47:53 +01:00
Curtis Castrapel 2a235fb0e2 Prefer DNS provider with longest matching zone 2018-11-30 12:44:52 -08:00
Curtis Castrapel a90154e0ae LetsEncrypt Celery Flow 2018-11-29 09:29:05 -08:00
Curtis Castrapel 39b76d18dc add countdown to async call 2018-11-28 14:41:56 -08:00
Curtis Castrapel e074a14ee9 unit test 2018-11-28 14:27:03 -08:00
Curtis Castrapel 2381d0a4bb Add async call to create pending cert when needed 2018-11-28 11:32:52 -08:00
Ronald Moesbergen da10913045 Only search nested group memberships when LDAP_IS_ACTIVE_DIRECTORY is True 2018-11-20 10:37:36 +01:00
Ronald Moesbergen 61839f4aca Add support for nested group membership in ldap authenticator 2018-11-19 13:42:42 +01:00
Curtis Castrapel 3ce8abe46e Left outer join on domains tables to avoid missing results 2018-11-13 14:33:17 -08:00
Curtis Castrapel 92a771f5ed More accurate db count functionality 2018-11-13 09:14:21 -08:00
Curtis 29be647911
Merge branch 'master' into no_csr_reissue 2018-11-12 09:54:47 -08:00
Curtis Castrapel a7a05e26bc Do not re-use CSR during certificate reissuance; Update requirement; Add more logging to celery handler 2018-11-12 09:52:11 -08:00
Curtis Castrapel 6f0005c78e Avoid colliding LetsEncrypt jobs 2018-11-09 10:31:27 -08:00
Curtis Castrapel 1643650685 Changing essential part of query 2018-11-07 16:02:04 -08:00
Curtis Castrapel 08a2a2b0e5 Optimize certificate filtering by name 2018-11-07 15:34:25 -08:00
Curtis Castrapel a3f96b96ee Add fixture to failing function 2018-11-05 15:16:09 -08:00
Curtis Castrapel 75183ef2f2 Unpin most dependencies, and fix moto 2018-11-05 14:37:52 -08:00
Curtis Castrapel 61738dde9e Run query on DB 2018-11-05 13:15:53 -08:00
Curtis Castrapel 52e773230d Add new gin index to optimize ILIKE queries 2018-11-05 10:29:11 -08:00
Curtis Castrapel 0277e4dc05 get_or_increase_name fix for pendingcertificates 2018-10-29 13:53:30 -07:00
Curtis Castrapel 50761d9d3b safer reissue, fix celery sync job 2018-10-29 13:22:50 -07:00
Curtis Castrapel 56ed416cb7 Celery task for sync job 2018-10-29 09:10:43 -07:00
Curtis a8b357965e
Merge branch 'master' into get_by_attributes 2018-10-29 08:15:42 -07:00
Curtis 2138930102
Merge branch 'master' into get_by_attributes 2018-10-24 07:20:46 -07:00
James Chuong 75069cd52a Add CSR to certificiates
Add csr column to certificates field, as pending certificates have
exposed the CSR already.  This is required as generating CSR from
existing certificate is will not include SANs due to OpenSSL bug:
https://github.com/openssl/openssl/issues/6481

Change-Id: I9ea86c4f87067ee6d791d77dc1cce8f469cb2a22
2018-10-23 17:46:04 -07:00
Curtis Castrapel b709eed3c3 Only resolve pending cert if not attempted in last 5 min 2018-10-23 13:08:43 -07:00
Curtis Castrapel 054cc64ee8 Prevent dashes from appearing at end of cert name in AWS 2018-10-23 12:49:58 -07:00
Curtis Castrapel 73ed5164cd deps 2018-10-22 14:51:13 -07:00
Curtis b058508478
Merge branch 'master' into get_by_attributes 2018-10-22 09:09:55 -07:00
Curtis Castrapel e83699b6ae Add unique constraint to sources table - label column 2018-10-19 15:34:34 -07:00
Non Sequitur 81d114092e Merge branch 'github' into get_by_attributes 2018-10-17 12:00:36 -04:00
Non Sequitur 48017a9d4c Added get_by_attributes to the certificates service, for fetching certs based on arbitrary attributes. Also associated test and extra tests for other service methods 2018-10-17 11:42:09 -04:00
Curtis Castrapel a912c3488d python fix to retrigger tests 2018-10-12 07:25:58 -07:00
Curtis Castrapel 89a077e54c minor change to pass stuck github check 2018-10-12 07:14:31 -07:00
Curtis Castrapel 13ef965666 nit: comments 2018-10-12 05:56:14 -07:00
Curtis Castrapel 6073f9e7b6 datetime ref fix 2018-10-12 05:51:30 -07:00
Curtis Castrapel 4b3d458dba Celery task to delete old pending certs 2018-10-12 05:47:16 -07:00
Curtis Castrapel cc18a68c00 Lemur LetsEncrypt Polling Support 2018-10-11 22:01:05 -07:00
Curtis Castrapel e91d8ec81b add indexes to domains and certificates tables to optimize load time 2018-10-11 11:36:50 -07:00
Non Sequitur 79033f42b4
Merge branch 'master' into improved_verify 2018-10-02 09:19:24 -04:00
Non Sequitur 40f4444099 Flake8 fix in test_verify.py 2018-10-01 22:04:31 -04:00
Curtis Castrapel 56282845fa Enable optional verisign cloud transparency configuration 2018-10-01 09:20:50 -07:00
Non Sequitur 50919d85a8 Merge remote-tracking branch 'upstream/master' into improved_verify 2018-09-27 11:19:06 -04:00
Mike Culbertson 590fac4aa8 docstring update in verify.py 2018-09-27 10:11:13 -04:00
Mike Culbertson f19b6382bc Updated verify tests 2018-09-27 10:10:04 -04:00
Mike Culbertson 11f2210894 Merge branch 'improved_verify' of github.com:explody/lemur into improved_verify 2018-09-27 09:28:45 -04:00
Mike Culbertson 652d7f65dd flake8 tweak 2018-09-27 09:28:21 -04:00
Curtis Castrapel 563f0fb9b2 Celery refactoring, celery beat job in configuration 2018-09-17 10:52:12 -07:00
Curtis Castrapel 23382b2777 Celery integration 2018-09-13 10:35:54 -07:00
Curtis c09d8ae630
Merge branch 'master' into fix_import_v1 2018-09-10 10:35:31 -07:00
Curtis Castrapel 7d42e4ce67 Fix certificate import issues 2018-09-10 10:34:47 -07:00
Curtis Castrapel f6a130b09d Add more logging to messaging 2018-09-10 09:13:31 -07:00
Curtis c9836fbf25
Merge branch 'master' into improved_verify 2018-09-06 07:33:55 -07:00
Gus Esquivel 82e69db0c5 fix error message typo 2018-09-04 10:21:34 -05:00
Mike Culbertson 2815ddf6c8 Moved cert object to be passed to both ocsp/crl methods so we can report in better detail on the certs. Ensured proper returns of False (revoked) True (good) None (unknown) throughout the methods. 2018-08-31 13:34:55 -04:00
Mike Culbertson 34c88494b8 More specific exception catch for cert parsing. line shortening. 2018-08-31 12:19:55 -04:00
Mike Culbertson 7dbca821c3 Reducing the stacked exceptions plus a bit of pep8 2018-08-31 12:01:49 -04:00
Curtis Castrapel d82a615e17 Validate config - fix for issue#1629 2018-08-28 09:15:28 -07:00
Curtis Castrapel 453bb43157 recommit https://github.com/Netflix/lemur/pull/1612 2018-08-27 09:50:02 -07:00
Curtis 1b77dfa47a
Revert "Precommit - Fix linty things" 2018-08-22 13:21:35 -07:00
Curtis Castrapel 3e9726d9db Precommit work 2018-08-22 10:38:09 -07:00
Curtis Castrapel 6abf274680 Allow case insensitive role matching for cert permissions 2018-08-20 08:55:04 -07:00
Curtis Castrapel 9f64f0523b Increase timeouts 2018-08-17 15:36:56 -07:00
Curtis Castrapel 43ae6c39e3 wait right here 2018-08-17 12:14:02 -07:00
Curtis Castrapel 7f9a035802 Fix private key bytecode issue 2018-08-17 10:59:01 -07:00
Curtis Castrapel a6b1f33208 Ensure owner names are lowercase for new / updated certificates 2018-08-17 10:41:55 -07:00
Curtis Castrapel 1ad61b1550 allow null validity periods 2018-08-17 07:57:55 -07:00
Curtis Castrapel be9d683e46 fix merge 2018-08-16 10:15:48 -07:00
Curtis Castrapel da99bcda68 Better zone handling 2018-08-16 10:12:19 -07:00
Curtis Castrapel 2c22c9c2f1 Allow proper detection of zones, fix certificate detection 2018-08-14 14:37:45 -07:00
Curtis Castrapel 1a5abe6550 fix lint 2018-08-13 15:11:57 -07:00
Curtis Castrapel cc836433fb formatting 2018-08-13 15:06:16 -07:00
Curtis Castrapel 5829794d82 typo fix 2018-08-13 14:25:54 -07:00
Curtis Castrapel bb026b8b59 Allow LetsEncrypt renewals and requesting certificates without specifying DNS provider 2018-08-13 14:22:59 -07:00
Curtis ab37189022
Merge branch 'master' into unittests-use-valid-certs 2018-08-07 09:42:39 -07:00
Curtis cf71f88680
Merge branch 'master' into fill-missing-rotation-policy 2018-08-07 08:23:29 -07:00
Curtis f9a7b97839
Merge branch 'master' into unittests-use-valid-certs 2018-08-07 07:45:45 -07:00
Cyril Dangerville 2869042f38 Fixed invalid JSON payloads (making API requests fail in particular) (#1522) 2018-08-03 15:26:48 -07:00
Marti Raudsepp 82158aece6 Fill in missing cert rotation_policy; don't ignore validation errors when re-issuing certs
CertificateInputSchema requires the rotation_policy field, but
certificates created before the field existed have set to NULL. Thus
saving such certificates failed and probably caused other errors.

Made cert re-issuing (get_certificate_primitives) more strict so such
errors are harder to miss in the future.
2018-08-03 20:06:21 +03:00
Marti Raudsepp 1f0f432327 Fix unit tests certificates to have correct chains and private keys
In preparation for certificate integrity-checking: invalid certificate
chains and mismatching private keys will no longer be allowed anywhere
in Lemur code.

The test vector certs were generated using the Lemur "cryptography"
authority plugin.

* Certificates are now more similar to real-world usage: long serial
  numbers, etc.
* Private key is included for all certs, so it's easy to re-generate
  anything if needed.
2018-08-03 19:45:13 +03:00
Marti Raudsepp acd2701fa2 Delete dead code in unit tests (#1510) 2018-08-03 08:21:55 -07:00
Curtis 025d177565
Merge branch 'master' into letsencrypt_account_support 2018-07-30 15:28:29 -07:00
Curtis Castrapel 44192d4494 remove debug print 2018-07-30 15:27:23 -07:00
Curtis Castrapel 0889076d3b Support LetsEncrypt accounts 2018-07-30 15:25:02 -07:00
Mike Grima d6b482755b Proper flask_restful boolean parsing.
This is documented here: https://github.com/flask-restful/flask-restful/issues/488
2018-07-30 13:49:41 -07:00
Curtis Castrapel caf99d36d6 fix deletion 2018-07-27 15:52:22 -07:00
Curtis Castrapel e16c1de001 Error logging 2018-07-27 14:17:50 -07:00
Curtis Castrapel 2a6dda07eb Show and send error for pending certs 2018-07-27 14:15:14 -07:00
Curtis Castrapel 9b29f9f819 Adding pessimistic sqlalchemy disconnection handling 2018-07-23 10:57:22 -07:00
Curtis Castrapel 2f51fea743 no bare except 2018-07-20 13:43:47 -07:00
Curtis Castrapel c78077d8d6 Explicit capture exception during create failure 2018-07-20 13:43:47 -07:00
Steven Reiling bd9203fcbc Adds an optional interval variable to notification service's
create_default_expiration_notifications and introduces a new optional
configuration variable, LEMUR_SECURITY_TEAM_EMAIL_INTERVALS, to allow admins
control over the centralized email notification defaults.
2018-07-20 13:43:47 -07:00
Marti Raudsepp d071d85486 Clean up module imports
Example:
* import lemur.common.utils -> from lemur.common import utils
* import sqlalchemy.types as types -> from sqlalchemy import types
2018-07-20 13:43:47 -07:00
Marti Raudsepp 04ee1656ee Cache parsed certificate instead of re-parsing for each field
Use @cached_property decorator to cache the results of parse_certificate().

This significantly cuts down on the number of times certs need to be
parsed for a list view.
2018-07-20 13:43:47 -07:00
root 56372c55b4 initial commit 2018-07-20 13:43:47 -07:00
Marti Raudsepp 149caa5602 Clean up module imports
Example:
* import lemur.common.utils -> from lemur.common import utils
* import sqlalchemy.types as types -> from sqlalchemy import types
2018-07-12 11:21:18 -07:00
Marti Raudsepp b472e5e648 Cache parsed certificate instead of re-parsing for each field
Use @cached_property decorator to cache the results of parse_certificate().

This significantly cuts down on the number of times certs need to be
parsed for a list view.
2018-07-12 11:21:18 -07:00
Marti Raudsepp 64132ba92b Expose certificate dateCreated via API 2018-07-12 11:21:18 -07:00
Curtis Castrapel 9ef356f59d reformat code (noop) 2018-07-12 11:21:17 -07:00
Curtis Castrapel 3397fb6560 R53: Extend only TXT records 2018-06-20 10:33:35 -07:00
Curtis Castrapel 3efc709e03 tests 2018-06-19 21:16:35 -07:00
Curtis Castrapel dda7f54a16 lint 2018-06-19 20:58:00 -07:00
Curtis Castrapel 2d33d3e2b8 lint 2018-06-19 20:35:00 -07:00
Curtis d50c9c7748
Merge branch 'master' into acme_validation_dns_provider_option 2018-06-19 16:45:25 -07:00
Curtis Castrapel a141b8c5ea Support concurrent issuance in Route53 for LetsEncrypt 2018-06-19 16:27:58 -07:00
Curtis b2bc431823
Merge branch 'master' into dyn2 2018-06-14 08:06:31 -07:00
Curtis Castrapel 4e72cb96c9 Graceful cancellation of pending cert and order details in log for acme failure 2018-06-14 08:02:34 -07:00
Dmitry Zykov b99aad743b remove linuxdst plugin 2018-06-13 15:15:09 -07:00
Curtis Castrapel 135f2b710c Limit dns queries to 10 attempts 2018-06-13 15:14:48 -07:00
Curtis Castrapel 065e0edc5f lint 2018-06-13 14:22:45 -07:00
Curtis Castrapel d72792ff37 Fix unique dyn situation where zone does not match tld, and there's a deeper zone 2018-06-13 14:08:39 -07:00
Curtis 038f5dc554
Merge branch 'master' into linuxdst 2018-06-12 07:40:40 -07:00
Curtis Castrapel 7f5d1a0b6b sync error 2018-06-11 15:40:15 -07:00
Curtis Castrapel 92860cffca Default configuration for DNS providers 2018-06-11 13:32:53 -07:00
Curtis 80e3331596
Merge branch 'master' into master 2018-05-30 08:24:00 -07:00
kevgliss 2a3af5214e
Merge branch 'master' into linuxdst 2018-05-29 18:54:37 -07:00
James Chuong 4911d713a5 Fix import metrics in notifications/messaging.py (#1254)
`from lemur import metrics` is incorrect for notifications/messaging.py
because that is importing the `metrics` module rather than the
instanciated `lemur.extensions.metrics` object.  This will cause errors
if you import notifications/messaging.py elsewhere, since it can cause
circular dependencies.

Change-Id: Ice28c480373601420fc83bae2d27bb6467cdb752
2018-05-29 18:54:16 -07:00
Curtis Castrapel 5e24f685c1 lint error 2018-05-29 10:46:24 -07:00
Curtis Castrapel 97d3621705 convert description to TEXT column 2018-05-29 10:23:01 -07:00
Curtis Castrapel 544a02ca3f Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 10:23:01 -07:00
Curtis ae26e44cc2
Merge branch 'master' into master 2018-05-25 11:09:23 -07:00
Curtis Castrapel b0f9d33b32 Requirements update 2018-05-25 11:07:26 -07:00
Curtis Castrapel 5e3add0b81 docstring 2018-05-24 15:21:38 -07:00
Curtis Castrapel 9fc6c9aaf7 Sort and page 2018-05-24 12:55:52 -07:00
James Chuong a47b6c330d Use serial_number instead of serial (#1251)
* Add code coverage badge to README

* fixing docs (#1231)

* Change cert.serial to serial_number

This fixes deprecation warning coming from cryptography package about
using cert.serial instead of serial_number.

Change-Id: I252820974c77cc1b80639920a5e8c2e874819dda
2018-05-23 16:04:30 -07:00
Curtis Castrapel de52fa7f48 fix v1 backwards compatibility 2018-05-16 08:00:33 -07:00
Curtis Castrapel 680f4966a1 acme v2 support 2018-05-16 07:46:37 -07:00
Curtis Castrapel a9b9b27a0b fix tests 2018-05-10 12:58:04 -07:00
Curtis Castrapel 52e7ff9919 Allow specification of dns provider name only 2018-05-10 12:58:04 -07:00
Curtis f4a010e505
Merge branch 'master' into master 2018-05-09 07:52:07 -07:00
Curtis Castrapel 0bd14488bb Update requirements, handle more lemur_acme exceptions, and remove take a tour button 2018-05-08 15:35:03 -07:00
Curtis Castrapel 6500559f8e Fix issue with automatically renewing acme certificates 2018-05-08 14:54:10 -07:00
Curtis 642dbd4098
Merge branch 'master' into linuxdst 2018-05-08 12:09:05 -07:00
Curtis Castrapel a8187d15c6 quick lint 2018-05-08 11:04:25 -07:00
Curtis Castrapel df5168765b more tests 2018-05-08 11:03:17 -07:00
kevgliss c26ae16060
fixing docs (#1231) 2018-05-08 10:58:48 -07:00
Curtis Castrapel 9ccb8fb838 Alembic simplification 2018-05-07 15:14:32 -07:00
Curtis Castrapel e68b3d2cbd 0.7 release 2018-05-07 09:58:24 -07:00
Curtis Castrapel 1be3f8368f dyn support 2018-05-04 15:01:01 -07:00
Curtis Castrapel 3e64dd4653 Additional work 2018-05-04 15:01:01 -07:00
Curtis 74ca13861c
Merge branch 'master' into master 2018-04-27 11:19:23 -07:00
Curtis Castrapel 532872b3c6 dns_provider ui 2018-04-27 11:18:51 -07:00
Zach Seils 0579b2935c Print variable value instead of name (#1227)
* Print variable value instead of name

* Fixed ordering and variable name for stdout string
2018-04-26 09:39:42 -07:00
Curtis c5cb01bd33
Merge branch 'master' into master 2018-04-26 09:16:31 -07:00
Curtis Castrapel efd5836e43 fix test 2018-04-26 09:04:13 -07:00
Curtis Castrapel f0f2092fb4 Some unit tests 2018-04-25 11:19:34 -07:00
kevgliss e09b7eb978
Selectively enable CORS. (#1220) 2018-04-24 17:10:38 -07:00
Zach Seils 3e5db9eedb Check for default rotation policy before updating db (#1223) 2018-04-24 16:55:26 -07:00
Zach Seils 91500d1022 Minor comment & stdout corrections (#1225) 2018-04-24 16:53:51 -07:00
Curtis Castrapel 38b8df4a07 lint 2018-04-24 09:48:14 -07:00
Curtis Castrapel 7704f51441 Working acme flow. Pending DNS providers UI 2018-04-24 09:38:57 -07:00
Curtis 81e349e07d
Merge branch 'master' into hackday 2018-04-23 10:11:49 -07:00
Curtis Castrapel 44e3b33aaa More stuff. Will prioritize this more next week 2018-04-20 14:49:54 -07:00
Curtis Castrapel fbce1ef7c7 temp digicert fix 2018-04-13 15:50:55 -07:00
Curtis Castrapel 309d10c4e2 stuff 2018-04-13 15:50:55 -07:00
Curtis Castrapel 4d05a09a20 fix_changes 2018-04-13 15:50:55 -07:00
Curtis Castrapel 3538f1a629 fix_errors 2018-04-13 15:50:55 -07:00
Curtis Castrapel 993958c356 up-reqs 2018-04-13 15:50:55 -07:00
Curtis Castrapel 2d6d2357b5 DNS Providers list returned 2018-04-13 15:50:55 -07:00
Curtis Castrapel a66d85b63d clean up a bit 2018-04-13 15:50:55 -07:00
Curtis Castrapel b0bd0435c4 more stuff 2018-04-13 15:50:54 -07:00
Curtis Castrapel b2e6938815 WIP: Add support for Acme/LetsEncrypt with DNS Provider integration 2018-04-13 15:50:54 -07:00
Curtis Castrapel 5dd03098e5 actually update deps 2018-04-13 15:50:53 -07:00
Curtis Castrapel c03133622f Correct validities 2018-04-13 15:18:17 -07:00
Curtis Castrapel 8303cfbd2b Fix datetime 2018-04-13 14:53:45 -07:00
Curtis 3ef550f738
Merge branch 'master' into hackday 2018-04-12 12:49:52 -07:00
Curtis Castrapel f6fd262618 DNS Providers list returned 2018-04-11 15:56:00 -07:00
Curtis Castrapel 5125990c4c clean up a bit 2018-04-11 07:48:04 -07:00
Will Bengtson 52cb145333 ecc: add the support for ECC (#1191)
* ecc: add the support for ECC

update generate_private_key to support ECC.  Move key types to constant.  Update UI for the new key types

* ecc: Remove extra line to fix linting

* ecc: Fix flake8 lint problems

* Update options.tpl.html
2018-04-10 16:54:17 -07:00
Curtis Castrapel 5beb319b27 more stuff 2018-04-10 16:04:07 -07:00
kevgliss 12622d5847
Adding metrics for request timings. (#1190) 2018-04-10 15:55:02 -07:00
Mihir Jham a9baaf4da4 add(plugins): Added a statsd plugin for lemur (#1189) 2018-04-10 15:15:03 -07:00
Curtis Castrapel f61098b874 WIP: Add support for Acme/LetsEncrypt with DNS Provider integration 2018-04-10 14:28:53 -07:00
Will Bengtson 8ca4f730e8 lemur_digicert: Do not truncate valid_to anymore (#1187)
* lemur_digicert: Do not truncate valid_to anymore

The valid_to field for Digicert supports YYYY-MM-DDTHH:MM:SSZ so we should stop truncating

* lemur_digicert: Update unit tests for valid_to
2018-04-10 13:23:09 -07:00
Marti Raudsepp 8e2b2123f1 Fix filtering on boolean columns, broken with SQLAlchemy 1.2 upgrade
SQLAlchemy 1.2 does not allow comparing string values to boolean
columns. This caused errors like:

    sqlalchemy.exc.StatementError: (builtins.TypeError) Not a boolean value: 'true'

For more details see http://docs.sqlalchemy.org/en/latest/changelog/migration_12.html#boolean-datatype-now-enforces-strict-true-false-none-values
2018-04-09 18:59:23 +03:00
Dmitry Zykov 28614b5793 remove linuxdst plugin 2018-04-04 14:49:25 +03:00
Dmitry Zykov 4a0103a88d SFTP destination plugin (#1170)
* add sftp destination plugin
2018-04-03 10:30:19 -07:00
Curtis 259800ce35
Merge branch 'master' into issue_1089 2018-03-29 08:48:52 -07:00
Curtis Castrapel b814a4f009 Remove get_pending_certificates from verisign issuer 2018-03-28 08:56:28 -07:00
Curtis Castrapel c3a2781507 Allow quotes for exact match 2018-03-28 08:33:43 -07:00
iTitou a316cbba73 [add] Docs and default config for metric plugins (#1148) 2018-03-27 15:51:32 -07:00
Curtis Castrapel 844202f36b check if user active properly 2018-03-26 13:14:22 -07:00
kevgliss c51fed5307
allowing null basic contraints (#1131) 2018-03-23 11:38:47 -07:00
kevgliss db746f1296
Adds support for CDLDistributionPoints. (#1130) 2018-03-23 08:51:18 -07:00
Curtis Castrapel e15836e9ca Update more dependencies. Remove hashes 2018-03-21 14:48:51 -07:00
Curtis Castrapel d67542d7f5 actually update deps 2018-03-21 12:46:30 -07:00
Curtis Castrapel 4087f1c03b Update auth keys, change python version to satisfy tests 2018-03-21 11:57:19 -07:00
iTitou bbacb7e210 [fix] No internal server error when trying to Google Auth an unregistered user (#1109) 2018-03-21 11:57:19 -07:00
cjwaian 19cf8f6bdd Remove non-ASCII character (#1104) 2018-03-21 11:57:19 -07:00
Curtis Castrapel 74a516cde0 nt 2018-03-16 14:15:03 -07:00
Curtis Castrapel 58da68d72f Revert "Requirements and Elasticsearch logging configuration"
This reverts commit c08d3dd82f.
2018-03-16 14:10:12 -07:00
Curtis Castrapel c7ca3949f6 info level, and new variable name 2018-03-16 11:55:53 -07:00
Curtis Castrapel bbf5e95186 fix unusued import 2018-03-16 10:07:47 -07:00
Curtis 462e757f92
Merge branch 'master' into requirements_logging 2018-03-16 08:51:25 -07:00
Curtis Castrapel c08d3dd82f Requirements and Elasticsearch logging configuration 2018-03-16 08:36:10 -07:00
Curtis Castrapel 18c64fafe4 address comment 2018-02-27 12:34:18 -08:00
Curtis Castrapel 77a1600c13 Fix cloned notifications 2018-02-27 10:57:43 -08:00
Curtis Castrapel 5fe28f6503 Description modification 2018-02-26 12:37:31 -08:00
Curtis Castrapel 1f641c0ba6 Description modification 2018-02-26 12:36:40 -08:00
Curtis Castrapel cca3797669 comments on alembic changes. resolve invalid usage of log_service.create 2018-02-26 12:08:31 -08:00
Curtis Castrapel a28fdac242 fix pending cert db changes 2018-02-26 09:43:08 -08:00
Curtis 7032abf2e7
Merge branch 'master' into unq-const 2018-02-26 08:03:31 -08:00
Curtis Castrapel 9e8fa5827d unq constraint 2018-02-24 23:15:39 -08:00
Harm Weites 5d18838868 Use Cloudflare as DNS provider for LE certs (#945)
* Use Cloudflare as DNS provider for LE certs

* Better handle dns_provider plugins
2018-02-22 08:17:28 -08:00
James Chuong 2578970f7d Async Certificate Issuing using Pending Certificates (#1037)
* Add PendingCertificate model

This change creates a DB table called pending_certificates and
associated mapping relationship tables from pending certificate to
roles, rotation policy, destination, sources, etc.

The table is generated on initialization of Lemur. A pending
certificate holds most of the information of a Certificate, while it has
not be issued so that it can later backfill the information when the CA
has issued the certificate.

Change-Id: I277c16b776a71fe5edaf0fa0e76bbedc88924db0
Tickets: PBL-36499

* Create a PendingCertificate if cert is empty

IssuePlugins should return empty cert bodies if the request failed to
complete immediately (such as Digicert).  This way, we can immediately
return the certificate, or if not just place into PendingCertificates
for later processing.

+ Fix relation from Certificate to Pending Certificate, as view only.
There is no real need for anything more than that since Pending cert
only needs to know the cert to replace when it is issued later.

+ Made PendingCertificate private key be empty: UI does not allow
private key on 'Create' but only on 'Import'.  For Instart, we require
the private key but upstream does not necessarily need it.  Thus, if
someone at Instart wants to create a CSR / key combo, they should
manually issue the cert themselves and import later.  Otherwise you
should let Lemur generate that.  This keeps the workflow transparent for
upstream Lemur users.

Change-Id: Ib74722a5ed5792d4b10ca702659422739c95ae26
Tickets: PBL-36343

* Fix empty private_key when create Pending Cert

On creation of a certificate with a CSR, there is no option for private
key.  In this case, we actually have a dictionary with private_key as
key, but the value is None.  This fixes the strip() called on NoneType.

Change-Id: I7b265564d8095bfc83d9d4cd14ae13fea3c03199
Tickets: PBL-36499

* Source sync finds and uses pending certificate

When a source syncs certificates, it will check for a pending
certificate.  If that is found via external_id (given by digicert as
order_id) then it will use the found Pending Certificate's fields to
create a new certificate.  Then the pending certificate is deleted.

Tickets: PBL-36343
Change-Id: I4f7959da29275ebc47a3996741f7e98d3e2d29d9

* Add Lemur static files and views for pending certs

This adds the basic static files to view pending certificates in a
table.

Tickets: PBL-36343
Change-Id: Ia4362e6664ec730d05d280c5ef5c815a6feda0d9

* Add CLI and plugin based pending fetch

This change uses the adds a new function to issuer plugins to fetch
certificates like source, but for one order.  This way, we can control
which pending certificates to try and populate instead of getting all
certificates from source.

Tickets: PBL-36343
Change-Id: Ifc1747ccdc2cba09a81f298b31ddddebfee1b1d6

* Revert source using Pending Certificate

Tickets: PBL-36343
Change-Id: I05121bc951e0530d804070afdb9c9e09baa0bc51

* Fix PendingCertificate init getting authority id

Should get authority id from authority.id instead of the authority_id
key in kwargs.

Change-Id: Ie56df1a5fb0ab2729e91050f3ad1a831853e0623
Tickets: n/a

* Add fixtures and basic test for PendingCertificate

Change-Id: I4cca34105544d40dac1cc50a87bba93d8af9ab34
Tickets: PBL-36343

* Add User to create_certificate parameters

create_certificate now takes a User, which will be used to populate the
'creator' field in certificates.service.upload().  This allows the UI
populate with the current user if the owner does not exist in Lemur.

+ Fix chain being replaced with version from pending certificate, which
may be empty (depends on plugin implementation).

Change-Id: I516027b36bc643c4978b9c4890060569e03f3049
Tickets: n/a

* Fix permalink and filters to pending certs

Fixes the permalink button to get a single pending certificate
Add argument filter parsing for the pending certificate API
Fix comment on API usage
Added get_by_name for pending_certificate (currently unused, but useful
for CLI, instead of using IDs)

Change-Id: Iaa48909c45606bec65dfb193c13d6bd0e816f6db
Tickets: PBL-36910

* Update displayed fields for Pending Certificates

There are a number of unused / unpopulated fields from Certificate UI
that does apply to Pending Certificates.  Those ones were removed, and
added other useful fields:
Owner, number of attempts to fetch and date created

Change-Id: I3010a715f0357ba149cf539a19fdb5974c5ce08b
Tickets: PBL-36910

* Add common name (cn) to Pending Certificate model

Fixes the UI missing the CN for Pending Certificate, as it was
originally being parsed from the generated certificate.  In the case of
pending certificate, the CN from the user generates the request, which
means a pending cert can trust the original user putting in the CN
instead of having to parse the not-yet-generated certificate.  There is
no real possibility to return a certificate from a pending certificate
where the CN has changed since it was initially ordered.

Change-Id: I88a4fa28116d5d8d293e58970d9777ce73fbb2ab
Tickets: PBL-36910

* Fix missing imports for service filter

+ Removed duplicate get_by_name function from old merge

Change-Id: I04ae6852533aa42988433338de74390e2868d69b
Tickets: PBL-36910

* Add private key viewing to Pending Certificates

Add private key API for Pending Certificates, with the same
authorization as Certificates (only owner, creator or owner-roles can
view private key).

Change-Id: Ie5175154a10fe0007cc0e9f35b80c0a01ed48d5b
Tickets: PBL-36910

* Add edit capability to pending certificates

Like editing certificates, we should be able to modify some parts of a
pending certificate so the resulting certificate has the right
references, owner, etc.

+ Added API to update pending certificate
+ Fix UI to use pending certificate scope instead of reusing Certificate
+ Change pending_certificate.replaces to non-passive association, so
that updates do affect it (similar to roles/notifications/etc)

Tickets: PBL-36910
Change-Id: Ibbcb166a33f0337e1b14f426472261222f790ce6

* Add common_name parsing instead using kwargs

To fix tests where common name may not be passed in, use the CSR
generated to find the official common name.

Change-Id: I09f9258fa92c2762d095798676ce210c5d7a3da4
Tickets: PBL-36343

* Add Cancel to pending certificates and plugins

This allows pending certificates to be cancelled, which will be handled
by the issuer plugin.

Change-Id: Ibd6b5627c3977e33aca7860690cfb7f677236ca9
Tickets: PBL-36910

* Add API for Cancelling Pending Certificate

Added the DELETE handler for pending_certificates, which will cancel and
delete the pending certificate from the pending certs table on
successful cancellation via Issuer Plugin.

+ Add UT for testing cancel API

Change-Id: I11b1d87872e4284f6e4f9c366a15da4ddba38bc4
Tickets: PBL-36910

* Remove Export from Pending Certificates

Pending Certificates doesn't need an export since it should just be
fetched by Lemur via plugins, and the CSR is viewable via the UI.

Change-Id: I9a3e65ea11ac5a85316f6428e7f526c3c09178ae
Tickets: PBL-36910

* Add cancel button functionality to UI

This adds the Cancel option to the dropdown of pending certificates.

+ Adds modal window for Note (may not be required for all issuers, just
Digicert)
+ Add schema for cancel input
+ Fix Digitcert plugin for non-existant orders

When an order is actually issued, then attempting to cancel will return
a 403 from Digicert.  This is a case where it should only be done once
we know the pending cert has been sitting for too long.

Change-Id: I256c81ecd142dd51dcf8e38802d2c202829887b0
Tickets: PBL-36910

* Fix test_pending_cancel UT

This change creates and injects a pending cert, which will then be used
for the ID so it can be canceled by the unit test.

Change-Id: I686e7e0fafd68cdaeb26438fb8504d79de77c346
Tickets: PBL-36343

* Fix test_digicert on non-existent order

cancelling a non-existent order is fine since we're cancelling it

Change-Id: I70c0e82ba2f4b8723a7f65b113c19e6eeff7e68c
Tickets: PBL-36343

* Add migrations for PendingCertificates

Added revision for Pending Certificates table and foreign key mapping
tables.

Change-Id: Ife8202cef1e6b99db377851264639ba540b749db
Tickets: n/a

* Fix relationship copy from Pending to Certificate

When a Pending Certificate is changed to a full Certificate, the
relationship fields are not copied via vars() function, as it's not a
column but mapped via association table.  This adds an explicit copy for
these relations.  Which will properly copy them to the new Certificate,
and thus also update destinations.

Change-Id: I322032ce4a9e3e67773f7cf39ee4971054c92685
Tickets: PBL-36343

* Fix renaming of certificates and unit tests

The rename flag was not used to rename certificates on creation as
expected.

Fixed unit test, instead of expunging the session, just copy the
pending_certificate so we don't have a weird reference to the object
that can't be copied via vars() function.

Change-Id: I962943272ed92386ab6eab2af4ed6d074d4cffa0
Tickets: PBL-36343

* Updated developer docs for async certs

Added blurb for implementing new issuer functions.

Change-Id: I1caed6e914bcd73214eae2d241e4784e1b8a0c4c
Tickets: n/a
2018-02-22 08:13:16 -08:00
pincushionman f44fe81573 fix for https://github.com/Netflix/lemur/issues/1045 (#1056) 2018-02-20 08:28:11 -08:00
Curtis f262c93912 Option to suppress SSL errors (#1044) 2018-01-17 09:17:03 -08:00
James Chuong 763c5e8356 Add DIGICERT_ORDER_TYPE to Digicert plugin (#1025)
* Add DIGICERT_ORDER_TYPE to Digicert plugin

This allows lemur.conf.py to control which kind of certificate to
order.  User defined options are not currently supported in the the UI,
so we cannot create multiple Digicert authorities at runtime for
separate certificate types.

Change-Id: I06c216ec3c476e0001b240530626a86464be999e

* Fix Mock URL for Digicert test

Change-Id: Ida7c0ed1bd120c9024bea091c03b7d1ecfa66498

* Add documentation for DIGICERT_ORDER_TYPE

Change-Id: I0bc347883b628416eb7f13a7c60c937dcb6ae0c2
2018-01-13 18:06:17 -08:00
James Chuong 050295ea20 Fix DigiCert issuer plugin revoke URL (#1041)
The URL for revoking DigiCert certificates was incorrect.

Change-Id: I39fb7d290a2a649ab08a47e7dcbe18a8c0bd8a59
2018-01-11 17:12:21 -08:00
kevgliss eea413a90f
Modifying the way we report metrics. Relying on metric tags instead of the the metric name for additional dimensions. (#1036) 2018-01-02 15:26:31 -08:00
kevgliss 8cad2f9f56
Version bump. (#1034) 2018-01-02 14:08:56 -08:00
kevgliss 64ac32f683
6.0 release. (#1033) 2018-01-02 14:03:38 -08:00
Marti Raudsepp 1287c3dc4a CRL verify: handle "Remove from CRL" status as not revoked (#1028)
Per RFC 5280 section 6.3.3 (k):
https://tools.ietf.org/html/rfc5280#section-6.3.3
2018-01-02 13:39:02 -08:00
Marti Raudsepp 99b10c436a CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 13:11:17 -08:00
kevgliss 9a0ada75fa
Upgrading satellizer library. (#1031) 2018-01-02 09:12:06 -08:00
kevgliss 848ce8c978
Refactoring authentincation to support GET and POST requests. Closes #990. (#1030) 2018-01-01 19:11:29 -08:00
Zach Seils 7b8df16c9e Fix typo in default SSH key path. (#1026) 2017-12-20 09:09:56 -08:00
Marti Raudsepp 7a84f38db9 Don't write files from the test suite (#1020)
The lemur_email.tests.test_render test would fail when running unittests
from a read-only source tree.
2017-12-12 10:14:39 -08:00
Marti Raudsepp ba4de07ad8 Improve certificate details view, make information more concise (#1021)
The "Description" field can now display multi-line text content.

The "Authority" field now displays the authority name in Lemur (if
known) as well as issuer's name. For imported certs, "Imported" is
displayed.
2017-12-12 09:49:30 -08:00
Marti Raudsepp b2d87940d6 Allow sorting and filtering by camelCase field names (#1019)
The API exposes camelCase field names everywhere, but only accepted
underscore_field_names in 'filter' or 'sort' GET attributes. Now both
are allowed.
2017-12-12 09:44:53 -08:00
Eric 6edc5180c7 fix roles assigned in the ui for sso (#1017)
This commit fixes the ability to assign roles to people in the ui
when the user is SSO. The idea is if a role is ever assigned via
SSO it becomes a "SSO Role" or a "Third Party" Role. by setting
third_party to true on the role object.

Once a role is marked as third party it can no longer be controlled
through the ui for SSO Users. (for ui users this poses no functional
change). It must be controlled via SSO.
2017-12-11 13:51:45 -08:00
Marti Raudsepp e1f241bd55 Don't send notifications that are marked inactive (#1015)
Apparently previously Lemur ignored the "active" flag of notifications.
2017-12-06 08:32:24 -08:00
kevgliss ad88637f22
Adding some niceties around the way users are associated with tokens. (#1012)
* Adding some niceties around the way users are associated with tokens.

- Includes user typeahead
- Tooltips
- User information displayed in table
- Default to current user when no user is passed
2017-12-05 10:57:17 -08:00
kevgliss a756a74b49
Ensures we can get multiple endpoints with the same name but different ports. (#1011) 2017-12-04 13:13:02 -08:00
kevgliss ecc0934657
Adding cli command to clear out pending symantec certificates. (#1009) 2017-12-04 10:04:12 -08:00
Eric c402f1ff87 add per user api keys to the backend (#995)
Adds in per user api keys to the backend of lemur.
the basics are:
  - API Keys are really just JWTs with custom second length TTLs.
  - API Keys are provided in the exact same ways JWTs are now.
  - API Keys can be revoked/unrevoked at any time by their creator
    as well as have their TTL Change at anytime.
  - Users can create/view/list their own API Keys at will, and
    an admin role has permission to modify all api keys in the
    instance.

Adds in support for lemur api keys to the frontend of lemur.
doing this required a few changes to the backend as well, but it is
now all working (maybe not the best way though, review will determine
that).

  - fixes inconsistency in moduleauthor name I inputted during the
    first commit.
  - Allows the revoke schema to optionally allow a full api_key object.
  - Adds `/users/:user_id/api_keys/:api_key` and `/users/:user_id/api_keys`
    endpoints.
  - normalizes use of `userId` vs `userId`
  - makes `put` call respond with a JWT so the frontend can show
    the token on updating.
  - adds in the API Key views for clicking "API Keys" on the main nav.
  - adds in the API Key views for clicking into a users edit page.
  - adds tests for the API Key backend views I added.
2017-12-04 08:50:31 -08:00
Johannes Langer 5ac3ecb85e Added revoke support to cfssl plugin (#1007)
* Added revoke support to cfssl plugin
2017-11-29 14:33:22 -08:00
kevgliss c2b2ce1f11
Allowing the export of CAs that don't have a chain. (#1000) 2017-11-21 11:42:23 -08:00
kevgliss cecfe47540
Adding the ability to revoke enmasse (#999) 2017-11-21 09:36:10 -08:00
James Chuong 4b544ae207 CSR Export Plugin (#988)
This plugin allows a certificate to be exported as a CSR via OpenSSL
x509.  The workflow will be:
* Create self-signed cert via Cryptography authority
* Export CSR via this plugin
* Sign your own cert outside of Lemur
* Import new cert with private key

Change-Id: Id3f7db2506bd959236cd3a6df622841058abda5a
2017-11-14 10:11:06 -08:00
kevgliss e30e17038b
Removing unused import. (#989) 2017-11-14 09:24:26 -08:00
Daniel Pramann 7e2c16ee38 Fixes for using ACME with Route53 (#986)
* Changes required for functional Route53 operations

* Changes required for functional ACME operations with Route53

* Changes required for functional ACME operations with Route53, need external ID
2017-11-13 10:19:54 -08:00
Johannes Langer 041f3a22fa Added ability to set custom roles for users logging in via oauth provider (#985) 2017-11-10 08:38:33 -08:00
kevgliss f990ef27cf Adding sentry tracking to issued with certificate deployment. (#978) 2017-10-26 15:21:13 -07:00
kevgliss d4209510c2 Adding some additional exception capturing during certificate parsing. (#976) 2017-10-25 08:19:07 -07:00
kevgliss 620e279453 Caa (#975)
* Adding verisign error code for a CAA failure.

* Tweaking error msg.
2017-10-24 14:46:33 -07:00
kevgliss bbf73c48a3 Adding health exception tracking. (#977) 2017-10-24 14:04:51 -07:00
Johannes Langer 9319dda0ec Added ability to ignore cert for oauth2 provider (#971)
* Added ability to ignore cert for oauth2 provider

This is useful for development environments where the OAuth provider
doesn't have a valid cert!

* Setting default for OAUTH2_VERIFY_CERT to true
2017-10-20 16:36:14 -07:00
kevgliss 14f5340802 During higher loads, retrying the connection attempt is often required for the CIS api. (#972) 2017-10-12 10:37:58 -07:00
kevgliss 0152985e64 Adding serial numbers when certificates with the same name are encoun… (#970)
* Adding serial numbers when certificates with the same name are encountered.
2017-10-11 13:20:19 -07:00
kevgliss e43268f585 Source plugin (#965)
* Ensure that None values aren't passed.
2017-10-09 10:37:44 -07:00
kevgliss 7ef788752e Source plugin (#964)
* Another minor fix.
2017-10-06 17:39:31 -07:00
kevgliss b66d7ce1fd Source plugin (#963)
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.

* Minor fix.
2017-10-06 13:22:03 -07:00
kevgliss dc34652efd Source plugin (#962)
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.
2017-10-06 08:49:05 -07:00
kevgliss e0d2fb0de1 Ensuring that we have default options for source plugins. (#961) 2017-10-05 17:27:45 -07:00
kevgliss e0d9443141 Ensuring existing users are also given the default role. (#960) 2017-10-05 16:47:52 -07:00
kevgliss a6305a5cae Adding Digicert CIS Sourceplugin (#959)
* Adding necessary features to complete backfill

* Fixing pagination logic.
2017-10-04 16:56:01 -07:00
kevgliss 9e2578be1e Adding necessary features to complete backfill (#958) 2017-10-04 14:57:57 -07:00
kevgliss 09b8f532a7 Adding cli to mass revoke certificates. (#955) 2017-10-03 10:51:53 -07:00
kevgliss e0939a2856 Adding some default data to put. (#950) 2017-09-29 14:49:07 -07:00
kevgliss 90f4b458e3 Adding the lemur identity to be able to re-issue certificates. (#949) 2017-09-29 14:07:40 -07:00
kevgliss f5213deb67 Removing revocation comments for now. (#947) 2017-09-29 10:53:15 -07:00
kevgliss bb08b1e637 Initial work allowing certificates to be revoked. (#941)
* Initial work allowing for certificates to be revoked.
2017-09-28 18:27:56 -07:00
Marti Raudsepp 54ff4cddbf Disallow issuing certificates from inactive authority (#936) 2017-09-25 15:34:49 -07:00
Marti Raudsepp 645641f4bd Avoid redundant key_view log entries (#937)
Don't re-request private key when it's already loaded in frontend.
2017-09-25 15:34:07 -07:00
Marti Raudsepp 97d83890e0 Various minor cleanups and fixes (#938)
* Documentation fixes

* Various docstring and help string fixes

* Minor code cleanups

* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
2017-09-25 15:33:42 -07:00
Marti Raudsepp ec5dec4a16 Add option to disable owner email address in CSR subject (#939) 2017-09-25 15:32:08 -07:00
Horatiu Eugen Vlad f766871824 Create default rotation policy with name (#924) 2017-09-18 09:09:59 -07:00
Rick Breidenstein fc9b1e5b12 server_default from "False" to sa.false() (#913) 2017-09-11 09:19:19 -07:00
Marti Raudsepp dafed86179 Improve certificate name normalization: remove Unicode characters, etc. (#906)
* Accented characters are replaced with non-accented version (ä -> a)
* Spaces are replaced with '-' (previously they were removed)
* Multiple non-alphanumeric characters are collapsed into one '-'
2017-09-08 10:52:22 -07:00
Ian Stahnke 79d12578c7 basic ldap support (#842) 2017-09-03 20:41:43 -07:00
kevgliss ff87c487c8 It's too expensive to attempt to load all certificates associated with a given notification. Some queries such as `default` are associated with a large number of certificates. We have little control over when these objects are loaded, but when marshalled they are lazyloaded via SQLAlachemy. If a user needs to get all the certificates associated with a certificate they should use the /notifications/<id>/certificates endpoints that support pagination. (#891) 2017-08-28 17:57:39 -07:00
Marti Raudsepp 82b43b5a9d Create signal hooks and handler for dumping CSR and certificate details (#882) 2017-08-28 17:35:56 -07:00
Marti Raudsepp bb1c339655 Fix ability to remove all roles from authority (#880) 2017-08-28 17:35:01 -07:00
Marti Raudsepp e7efaf4365 Prevent creation of empty SubjAltNames extension in CSR (#883) 2017-08-18 09:10:56 -07:00
Marti Raudsepp c6d76f580e Disable unused Flask Principal sessions (#881)
Lemur uses its own auth token for authentication; logging out doesn't
properly dispose of the Flask Principal session.
2017-08-17 09:24:35 -07:00
Marti Raudsepp 941df0366d Fix roles display on user screen and fix removing user roles (#879) 2017-08-17 09:24:10 -07:00
Marti Raudsepp 7762d6ed52 Reworked sensitive domain name and restriction logic (#878)
* This is a fix for a potential security issue; the old code had edge
  cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
  is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
  CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
  be valid domain names.
2017-08-16 19:24:49 -07:00
Marti Raudsepp cf805f530f Prevent unintended access to sensitive fields (passwords, private keys) (#876)
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.

The filter() function allowed guessing the content of password hashes
one character at a time.

The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
2017-08-16 09:38:42 -07:00
Rick Breidenstein f5e120ad2e Update readme.txt (#869) 2017-08-04 12:42:27 -07:00
kevgliss f5082e2d3a Starting transition away from not_before and not_after. (#854) 2017-07-14 09:24:59 -07:00
kevgliss 61c493fc91 Adding additional failure conditions to sentry tracking. (#853)
* Adding additional failure conditions to sentry tracking.

* Removing sentry extension as a circular import.
2017-07-13 14:49:04 -07:00
kevgliss 6779e19ac9 Adding enum migration. (#852) 2017-07-13 13:12:53 -07:00
kevgliss 443eb43d1f Adding the ability to specify a per-certificate rotation policy. (#851) 2017-07-12 16:46:11 -07:00
Paul Van de Vreede 53113e5eeb Add auditing for creating or updating a cert. (#845) 2017-07-04 06:39:16 -07:00
kevgliss 169dcb86e2 supporting the ability to push exceptions to sentry (#843) 2017-06-29 14:12:38 -07:00
Ian Stahnke e4f5224f42 set ses email content type to utf-8 instead of string (#841) 2017-06-28 09:44:19 -07:00
kevgliss 98907e66e9 Minor fixes to S3.put signature (#840) 2017-06-27 16:18:34 -07:00
kevgliss c05343d58e Adds the ability for destination plugins to be sub-classed from Expor… (#839)
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes #807.

* fixing tests
2017-06-26 12:03:24 -07:00
Paul Borg 541fbc9a6d Use named kwargs rather than args when calling s3 put (#830) 2017-06-20 11:28:19 -07:00
Asbjørn Kjær 35cc7ef8d7 Adding support for private DigiCert certificates (#835) 2017-06-14 09:20:24 -07:00
Asbjørn Kjær e77382864b Fixing KeyError on error handling (#834) 2017-06-14 09:07:27 -07:00
kevgliss d4d6d832b1 Fixing audit filtering and sorting. (#827) 2017-06-02 09:07:22 -07:00
kevgliss 9c92138f2d Fixing autorotation failures. (#825)
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
2017-06-02 08:59:42 -07:00
kevgliss 5a4806bc43 Allowing description to be optional. (#826) 2017-06-01 17:09:04 -07:00
kevgliss 07969f7e10 Ensuring IPAddresses and IPNetworks are correctly serialized. (#818) 2017-05-26 10:48:26 -07:00