Infra/lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
2,349 Commits 4 Branches 45 Tags
Commit Graph

1238 Commits

Author SHA1 Message Date
kevgliss
dc34652efd Source plugin (#962) 
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.
 2017-10-06 08:49:05 -07:00
kevgliss
e0d2fb0de1 Ensuring that we have default options for source plugins. (#961) 2017-10-05 17:27:45 -07:00
kevgliss
e0d9443141 Ensuring existing users are also given the default role. (#960) 2017-10-05 16:47:52 -07:00
kevgliss
a6305a5cae Adding Digicert CIS Sourceplugin (#959) 
* Adding necessary features to complete backfill

* Fixing pagination logic.
 2017-10-04 16:56:01 -07:00
kevgliss
9e2578be1e Adding necessary features to complete backfill (#958) 2017-10-04 14:57:57 -07:00
kevgliss
09b8f532a7 Adding cli to mass revoke certificates. (#955) 2017-10-03 10:51:53 -07:00
kevgliss
e0939a2856 Adding some default data to put. (#950) 2017-09-29 14:49:07 -07:00
kevgliss
90f4b458e3 Adding the lemur identity to be able to re-issue certificates. (#949) 2017-09-29 14:07:40 -07:00
kevgliss
f5213deb67 Removing revocation comments for now. (#947) 2017-09-29 10:53:15 -07:00
kevgliss
bb08b1e637 Initial work allowing certificates to be revoked. (#941) 
* Initial work allowing for certificates to be revoked.
 2017-09-28 18:27:56 -07:00
Marti Raudsepp
54ff4cddbf Disallow issuing certificates from inactive authority (#936) 2017-09-25 15:34:49 -07:00
Marti Raudsepp
645641f4bd Avoid redundant key_view log entries (#937) 
Don't re-request private key when it's already loaded in frontend.
 2017-09-25 15:34:07 -07:00
Marti Raudsepp
97d83890e0 Various minor cleanups and fixes (#938) 
* Documentation fixes

* Various docstring and help string fixes

* Minor code cleanups

* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
 2017-09-25 15:33:42 -07:00
Marti Raudsepp
ec5dec4a16 Add option to disable owner email address in CSR subject (#939) 2017-09-25 15:32:08 -07:00
Horatiu Eugen Vlad
f766871824 Create default rotation policy with name (#924) 2017-09-18 09:09:59 -07:00
Rick Breidenstein
fc9b1e5b12 server_default from "False" to sa.false() (#913) 2017-09-11 09:19:19 -07:00
Marti Raudsepp
dafed86179 Improve certificate name normalization: remove Unicode characters, etc. (#906) 
* Accented characters are replaced with non-accented version (ä -> a)
* Spaces are replaced with '-' (previously they were removed)
* Multiple non-alphanumeric characters are collapsed into one '-'
 2017-09-08 10:52:22 -07:00
Ian Stahnke
79d12578c7 basic ldap support (#842) 2017-09-03 20:41:43 -07:00
kevgliss
ff87c487c8 It's too expensive to attempt to load all certificates associated with a given notification. Some queries such as default are associated with a large number of certificates. We have little control over when these objects are loaded, but when marshalled they are lazyloaded via SQLAlachemy. If a user needs to get all the certificates associated with a certificate they should use the /notifications/<id>/certificates endpoints that support pagination. (#891) 2017-08-28 17:57:39 -07:00
Marti Raudsepp
82b43b5a9d Create signal hooks and handler for dumping CSR and certificate details (#882) 2017-08-28 17:35:56 -07:00
Marti Raudsepp
bb1c339655 Fix ability to remove all roles from authority (#880) 2017-08-28 17:35:01 -07:00
Marti Raudsepp
e7efaf4365 Prevent creation of empty SubjAltNames extension in CSR (#883) 2017-08-18 09:10:56 -07:00
Marti Raudsepp
c6d76f580e Disable unused Flask Principal sessions (#881) 
Lemur uses its own auth token for authentication; logging out doesn't
properly dispose of the Flask Principal session.
 2017-08-17 09:24:35 -07:00
Marti Raudsepp
941df0366d Fix roles display on user screen and fix removing user roles (#879) 2017-08-17 09:24:10 -07:00
Marti Raudsepp
7762d6ed52 Reworked sensitive domain name and restriction logic (#878) 
* This is a fix for a potential security issue; the old code had edge
  cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
  is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
  CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
  be valid domain names.
 2017-08-16 19:24:49 -07:00
Marti Raudsepp
cf805f530f Prevent unintended access to sensitive fields (passwords, private keys) (#876) 
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.

The filter() function allowed guessing the content of password hashes
one character at a time.

The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
 2017-08-16 09:38:42 -07:00
Rick Breidenstein
f5e120ad2e Update readme.txt (#869) 2017-08-04 12:42:27 -07:00
kevgliss
f5082e2d3a Starting transition away from not_before and not_after. (#854) 2017-07-14 09:24:59 -07:00
kevgliss
61c493fc91 Adding additional failure conditions to sentry tracking. (#853) 
* Adding additional failure conditions to sentry tracking.

* Removing sentry extension as a circular import.
 2017-07-13 14:49:04 -07:00
kevgliss
6779e19ac9 Adding enum migration. (#852) 2017-07-13 13:12:53 -07:00
kevgliss
443eb43d1f Adding the ability to specify a per-certificate rotation policy. (#851) 2017-07-12 16:46:11 -07:00
Paul Van de Vreede
53113e5eeb Add auditing for creating or updating a cert. (#845) 2017-07-04 06:39:16 -07:00
kevgliss
169dcb86e2 supporting the ability to push exceptions to sentry (#843) 2017-06-29 14:12:38 -07:00
Ian Stahnke
e4f5224f42 set ses email content type to utf-8 instead of string (#841) 2017-06-28 09:44:19 -07:00
kevgliss
98907e66e9 Minor fixes to S3.put signature (#840) 2017-06-27 16:18:34 -07:00
kevgliss
c05343d58e Adds the ability for destination plugins to be sub-classed from Expor… (#839) 
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes #807.

* fixing tests
 2017-06-26 12:03:24 -07:00
Paul Borg
541fbc9a6d Use named kwargs rather than args when calling s3 put (#830) 2017-06-20 11:28:19 -07:00
Asbjørn Kjær
35cc7ef8d7 Adding support for private DigiCert certificates (#835) 2017-06-14 09:20:24 -07:00
Asbjørn Kjær
e77382864b Fixing KeyError on error handling (#834) 2017-06-14 09:07:27 -07:00
kevgliss
d4d6d832b1 Fixing audit filtering and sorting. (#827) 2017-06-02 09:07:22 -07:00
kevgliss
9c92138f2d Fixing autorotation failures. (#825) 
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
 2017-06-02 08:59:42 -07:00
kevgliss
5a4806bc43 Allowing description to be optional. (#826) 2017-06-01 17:09:04 -07:00
kevgliss
07969f7e10 Ensuring IPAddresses and IPNetworks are correctly serialized. (#818) 2017-05-26 10:48:26 -07:00
Michael LoSapio
3141b47fba Catch OAuth providers that want the params sent as data (#800) 2017-05-25 10:21:29 -07:00
kevgliss
21d48b32c9 Fixing an issue with uploading to cloudfront. (#815) 2017-05-25 10:10:12 -07:00
kevgliss
11bd42af82 Correct status code for basic-auth (#813) 
* ensuring those using basic auth recieve a correct status code when their password is incorrect

* Fixing oauth status codes
 2017-05-23 09:48:31 -07:00
Paul Borg
f6b5012f56 Add Check of DB connections on healthcheck URL (#812) 2017-05-22 17:15:41 -07:00
kevgliss
f9b388c658 Modifying the was s3 uploading works. (#810) 
* Modiying the was s3 uploading works.

* Fixing pep8
 2017-05-20 12:07:44 -07:00
kevgliss
4093f4669a Switching remaining uses of boto to boto3. (#809) 2017-05-20 11:09:55 -07:00
kevgliss
9594f2cd8d Upgrading moto and fixing test that break due to deprecation. (#808) 
* Upgrading moto and fixing test that break due to deprecation.

* Adding region.
 2017-05-20 10:40:22 -07:00