Infra/lemur
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
2,349 Commits 4 Branches 45 Tags 7.5 MiB
cf3298d1ad
Commit Graph

1238 Commits

Author SHA1 Message Date
Curtis Castrapel
0320c04be2 nosec comment 2019-05-16 08:14:46 -07:00
Curtis Castrapel
68fd1556b2 Black lint all the things 2019-05-16 07:57:02 -07:00
Curtis Castrapel
e3c5490d25 Expose exact response from digicert as error 2019-05-15 13:36:40 -07:00
Curtis Castrapel
26d10e8b98 change ordering in more places 2019-05-15 11:47:53 -07:00
Curtis Castrapel
7e92edc70a Set resolved cert ID before resolving cert; Ignore sentry exceptions when no records on deletion 2019-05-15 11:43:59 -07:00
Curtis
6eb3836abc
Merge branch 'master' into fast-valid-cert-lookup 2019-05-15 10:20:17 -07:00
Curtis Castrapel
5d8f71c3e4 nt 2019-05-14 13:02:24 -07:00
Curtis Castrapel
565142f985 Add soft timeouts to celery jobs; Check for PEM in LE order 2019-05-14 12:52:30 -07:00
Hossein Shafagh
f452a7ce68 adding a new API for faster certificate lookup. 
The new API api/1/certificates/valid returns only non-expired (not_after >= today) certs which have auto-rotate enabled:

cn is a required parameter:

http://localhost:8000/api/1/certificates/valid?filter=cn;example.com
cn can also be a database string wildcard ('%'):

http://localhost:8000/api/1/certificates/valid?filter=cn;%
owner is the additional parameter, and must be the email address of the owner:

http://localhost:8000/api/1/certificates/valid?filter=cn;example.com&owner=hossein@example.com
given owner  and a database string wildcard ('%') one can retrieve all certs for that owner, which are still valid, and have auto-rotate enabled:

http://localhost:8000/api/1/certificates/valid?filter=cn;%&owner=hossein@example.com
 2019-05-11 18:06:51 -07:00
Curtis Castrapel
ed18df22db remove permalink change 2019-05-09 14:54:44 -07:00
Curtis Castrapel
e33a103ca1 Allow searching for certificates by name via API 2019-05-09 14:36:56 -07:00
Curtis
c9c782684d
Merge branch 'master' into add_metrics_reissue_rotate 2019-05-08 07:48:44 -07:00
Curtis Castrapel
87470602fd Gather more metrics on certificate reissue/rotate jobs 2019-05-08 07:48:08 -07:00
Curtis
317c84800c
Merge branch 'master' into jwks_validation_error_control 2019-05-08 06:50:56 -07:00
Curtis Castrapel
0eacbd42d7 Converting userinfo authorization to a config var 2019-05-07 15:31:42 -07:00
Jose Plana
4e6e7edf27 Rename return variable for better readability 2019-05-07 22:53:01 +02:00
Hossein Shafagh
b7ce9ab901
Merge branch 'master' into jwks_validation_error_control 2019-05-07 13:09:02 -07:00
Hossein Shafagh
ff583981b1
Merge branch 'master' into aid_openid_roles_provider_integration 2019-05-07 09:06:02 -07:00
Hossein Shafagh
e58ff476c9
Merge branch 'master' into jwks_validation_error_control 2019-05-07 09:05:41 -07:00
Curtis
22caaa0c95
Merge branch 'master' into fix_userinfo_authorization 2019-05-07 07:48:47 -07:00
Curtis
e65154b48e
Merge branch 'master' into develop 2019-05-07 07:36:51 -07:00
alwaysjolley
ef7a8587fe Merge branch 'lemur_vault_source' of github.com:/alwaysjolley/lemur into lemur_vault_source 2019-05-07 10:06:09 -04:00
alwaysjolley
b0c8901b0a lint cleanup 2019-05-07 10:05:01 -04:00
alwaysjolley
36ce1cc7ef
Merge branch 'master' into lemur_vault_source 2019-05-07 09:41:50 -04:00
alwaysjolley
fb3f0bd72a adding Vault Source plugin 2019-05-07 09:37:30 -04:00
Daniel Iancu
a7af3cf8d2 Fix Cloudflare DNS 2019-05-07 03:05:24 +03:00
Jose Plana
deed1b9685 Don't fail if googleGroups is not found in user profile 2019-05-06 12:30:25 +02:00
Jose Plana
6c99e76c9a Better error management in jwks token validation 2019-05-06 12:27:43 +02:00
Jose Plana
2063baefc9 Fixes userinfo using Bearer token 2019-05-06 12:23:24 +02:00
Curtis Castrapel
3a1da72419 nt 2019-04-29 13:57:04 -07:00
Curtis Castrapel
6e3f394cff Updated requirements ; Revert change and require DNS validation by provider 2019-04-29 13:55:26 -07:00
Curtis Castrapel
1a90e71884 Move ACME host validation logic prior to R53 host modification 2019-04-26 17:27:44 -07:00
Curtis Castrapel
333ba8030a Ensure hostname is lowercase when comparing DNS challenges. ACME will automatically lowercase the hostname 2019-04-26 15:45:04 -07:00
Curtis Castrapel
1a3ba46873 More retry changes 2019-04-26 10:18:54 -07:00
Curtis Castrapel
1e64851d79 Strip out self-polling logic and rely on ACME; Enhance ELB logging and retries 2019-04-26 10:16:18 -07:00
Curtis
8eef95b58e
Merge branch 'master' into expose_verisign_exception 2019-04-25 19:15:55 -07:00
Curtis Castrapel
dcdfb32883 Expose verisign exceptions 2019-04-25 19:14:15 -07:00
Curtis Castrapel
39584f214b Process DNS Challenges appropriately (1 challenge -> 1 domain) 2019-04-25 15:12:52 -07:00
Curtis Castrapel
2bc604e5a9 Better metrics and error reporting 2019-04-25 13:50:41 -07:00
Curtis Castrapel
272285f64a Better exception handling, logging, and metrics for ACME flow 2019-04-24 15:26:23 -07:00
Curtis
0f9b0f39f7
Merge branch 'master' into add-pending-certificate-upload 2019-04-24 09:34:35 -07:00
alwaysjolley
a801112cf6
Merge branch 'master' into lemur_vault_plugin 2019-04-23 07:07:39 -04:00
alwaysjolley
85efb6a99e cleanup tmp files 2019-04-23 07:06:52 -04:00
Hossein Shafagh
9b38761153
Merge branch 'master' into add-pending-certificate-upload 2019-04-22 11:47:02 -07:00
alwaysjolley
f9dadb2670 fixing validation 2019-04-22 09:38:44 -04:00
alwaysjolley
8dccaaf544 simpler validation 2019-04-22 07:58:01 -04:00
alwaysjolley
1667c05742 removed unused functions 2019-04-18 13:57:10 -04:00
alwaysjolley
b39e2e3f66 Merge branch 'master' into lemur_vault_plugin 2019-04-18 13:55:45 -04:00
alwaysjolley
fb3b0e8cd7 adding regex filtering 2019-04-18 13:52:40 -04:00
Jose Plana
7dd9268ca7 Allow uploading a signed cert for a pending certificate. 2019-04-18 00:46:39 +02:00
Curtis
8177e12f3f
Merge branch 'master' into rewrite-java-keystore-use-pyjks 2019-04-17 10:43:44 -07:00
Hossein Shafagh
52f939658f
Merge branch 'master' into rewrite-java-keystore-use-pyjks 2019-04-17 10:31:58 -07:00
Curtis
f6afcc6d21
Merge branch 'master' into master 2019-04-17 10:28:46 -07:00
Javier Ramos
58dd424de8
Prevent potential NoneType not subscriptable 
Fix when data['extensions']['subAltNames']['names'] is none
 2019-04-17 18:33:52 +02:00
Jose Plana
771f2ebc47 Use SAN_CERT_CSR 2019-04-13 11:01:36 +02:00
Jose Plana
770729a72e Allow csr to be empty during upload 2019-04-13 01:17:12 +02:00
Hossein Shafagh
2ff811ae71 updating cryptography API call, to create right signing algorithm object. 2019-04-13 00:57:48 +02:00
Hossein Shafagh
09796cf7c9 the check_cert_signature() method was attempting to compare RSA and ECC signatures. 
If a ec public-key certificate is signed with an RSA key, then it can't be a self-signed certificate, in which case we just raise InvalidSignature.
 2019-04-13 00:57:48 +02:00
Jose Plana
406753fcde Fix PEP8 2019-04-13 00:49:35 +02:00
Jose Plana
a5570d07bc Added some documentation for API users. 2019-04-13 00:48:19 +02:00
Jose Plana
c1b02cc8a5 Allow uploading csr along with certificates 2019-04-13 00:48:19 +02:00
Hossein Shafagh
df8d4e0892
Merge branch 'master' into rewrite-java-keystore-use-pyjks 2019-04-12 09:38:50 -07:00
Hossein Shafagh
ceb335f3ab
Merge branch 'master' into master 2019-04-12 09:38:41 -07:00
alwaysjolley
9ecc19c481 adding san filter 2019-04-12 09:53:06 -04:00
Hossein Shafagh
6d67ec7e34 removing unused import 2019-04-11 17:34:02 -07:00
Hossein Shafagh
512e1a0bdd fixing typos 2019-04-11 17:17:28 -07:00
Hossein Shafagh
6ec84a398c checking for None 2019-04-11 17:13:47 -07:00
Hossein Shafagh
69c00c4db5 upon creating a new destination, we also add it as source, if the plugin defines this as an option 2019-04-11 17:13:47 -07:00
Hossein Shafagh
d7abf2ec18 adding a new util method for setting options 2019-04-11 17:13:47 -07:00
Hossein Shafagh
557fac39b5 refactoring the sync job into a service method that we can also call when adding a new destination 2019-04-11 17:13:47 -07:00
Hossein Shafagh
d1ead4b79c removing the announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh
5900828051 simple hardcoded announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh
818da6653d removing the announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh
e1a67e9b4e simple hardcoded announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh
84dfdd0600 removing the announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh
ba691a26d4 simple hardcoded announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh
b66fac0494 removing the announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh
1bda246df2 simple hardcoded announcement 2019-04-11 17:13:47 -07:00
Hossein Shafagh
9a210c055a
Merge branch 'master' into hshafagh-src-dst-register 2019-04-11 15:36:48 -07:00
Hossein Shafagh
2459234147 removing lines 2019-04-11 14:34:26 -07:00
Hossein Shafagh
60edab9f6d cleaning up 2019-04-11 14:12:31 -07:00
Hossein Shafagh
ec3d2d7316 fixing typo 2019-04-11 13:51:43 -07:00
Hossein Shafagh
83d408b238
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst 2019-04-11 13:30:12 -07:00
Hossein Shafagh
266c83367d avoiding hard-coded plugin names 2019-04-11 13:29:37 -07:00
Hossein Shafagh
f185df4f1e bringing class AWSDestinationPlugin(DestinationPlugin) after AWSSourcePlugin.slug, such that we can do: sync_as_source_name = AWSSourcePlugin.slug 2019-04-11 13:28:58 -07:00
Curtis Castrapel
2ff57e932c Update requirements - upgrade to py37 2019-04-10 15:40:48 -07:00
Hossein Shafagh
d628e97035
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst 2019-04-10 09:47:06 -07:00
Hossein Shafagh
bc8c7e114a
Merge branch 'master' into hshafagh-src-dst-register 2019-04-09 20:52:33 -07:00
Hossein Shafagh
f3d0536800 removing hardcoded rules, to give more flexibility into defining new source-destinations 2019-04-09 20:49:07 -07:00
Javier Ramos
bfc4f940da
Merge branch 'master' into master 2019-04-09 18:06:09 +02:00
Hossein Shafagh
64c6bb2475
Merge branch 'master' into rewrite-java-keystore-use-pyjks 2019-04-09 08:28:05 -07:00
Marti Raudsepp
dbf34a4d48 Rewrite Java Keystore/Truststore support based on pyjks library 2019-04-06 20:24:46 +03:00
Javier Ramos
d80a6bb405 Added tests for CSR parsing into CertificateInputSchema 2019-04-01 08:44:40 +02:00
Ryan DeShone
e10007ef7b Add support for Vault KV API v2 
This adds the ability to target KV API v1 or v2.
 2019-03-29 10:32:49 -04:00
Javier Ramos
b86e381e20 Parse SubjectAlternativeNames from CSR into Lemur Certificate 2019-03-27 13:46:33 +01:00
Hossein Shafagh
d2e969b836 better synching of source and destinations 2019-03-26 18:20:14 -07:00
Curtis
4018c68d49
Merge branch 'master' into authority_validation_LE_errors 2019-03-25 08:34:10 -07:00
Curtis Castrapel
c2158ff8fb Add order URI during LE cert creation failure; Fail properly when invalid CA passed; Update reqs 2019-03-25 08:28:23 -07:00
Curtis
8a42cfa345
Merge branch 'master' into ghjaramos/master 2019-03-21 08:07:44 -07:00
alwaysjolley
fa4a5122bc fixing file read to trim line endings and cleanup 2019-03-20 14:59:04 -04:00
alwaysjolley
f99b11d50e refactor url and token to support muiltiple instances of vault 2019-03-20 13:51:06 -04:00
Javier Ramos
9e5496b484
Update schemas.py 2019-03-15 10:19:25 +01:00
Javier Ramos
f7452e8379 Parse DNSNames from CSR into Lemur Certificate 2019-03-15 09:29:23 +01:00
alwaysjolley
157db684c3
Merge branch 'master' into lemur_vault_plugin 2019-03-14 11:09:01 -04:00
Curtis
c445297357
Update celery.py 2019-03-12 15:41:24 -07:00
Curtis
f38e5b0879
Update celery.py 2019-03-12 15:29:04 -07:00
Curtis
1a5a91ccc7
Update celery.py 2019-03-12 15:11:13 -07:00
Curtis
3b3faa66f4
Merge branch 'master' into skip_duplicate_tasks 2019-03-12 14:53:42 -07:00
Curtis Castrapel
d220e9326c Skip a task if similar task already active 2019-03-12 14:45:43 -07:00
alwaysjolley
57d3f3d5a5
Merge branch 'master' into lemur_vault_plugin 2019-03-08 07:08:56 -05:00
alwaysjolley
f1c09a6f8f fixed comments 2019-03-07 15:58:34 -05:00
Hossein Shafagh
93ce259fb2
Merge branch 'master' into verify-cert-chain 2019-03-07 12:46:19 -08:00
alwaysjolley
7b0a3cf781 Merge branch 'lemur_vault_plugin' of github.com:/alwaysjolley/lemur into lemur_vault_plugin 2019-03-07 15:42:40 -05:00
alwaysjolley
752c9a086b fixing error handling and better data formating 2019-03-07 15:41:29 -05:00
Hossein Shafagh
92b60b279a
Merge branch 'master' into verify-cert-chain 2019-03-06 11:15:32 -08:00
Hossein Shafagh
43b1d6217a
Merge branch 'master' into allow-cert-deletion 2019-03-06 10:59:33 -08:00
Hossein Shafagh
98ece58342
Merge branch 'master' into lemur_vault_plugin 2019-03-06 10:59:03 -08:00
Hossein Shafagh
45cb0f0513
Merge branch 'master' into allow-cert-deletion 2019-03-06 09:35:10 -08:00
Kevin Glisson
cc6d53fdeb Ensuring that configs passed via the command line are respected. 2019-03-05 15:39:37 -08:00
alwaysjolley
a1cb8ee266 fixing lint 2019-03-05 07:37:04 -05:00
alwaysjolley
880eaad6cb Merge branch 'lemur_vault_plugin' of github.com:/alwaysjolley/lemur into lemur_vault_plugin 2019-03-05 07:22:18 -05:00
alwaysjolley
4a027797e0 fixing linting issues 2019-03-05 07:19:22 -05:00
Hossein Shafagh
54ad3ba777
Merge branch 'master' into verify-cert-chain 2019-03-04 17:55:36 -08:00
Hossein Shafagh
c9bcd29082
Merge branch 'master' into lemur_vault_plugin 2019-03-04 17:55:00 -08:00
Curtis Castrapel
dd2900bdbc Relax search;update requirements 2019-03-04 10:04:06 -08:00
Marti Raudsepp
10cec063c2 Check that stored certificate chain matches certificate 
Similar to how the private key is checked.
 2019-03-04 17:10:59 +02:00
alwaysjolley
20518bc377
Merge branch 'master' into lemur_vault_plugin 2019-03-01 09:58:43 -05:00
alwaysjolley
5d2f603c84 renamed vault destination plugin to avoid conflict with vault pki plugin 2019-03-01 09:49:52 -05:00
Ronald Moesbergen
63de8047ce Return 'already deleted' instead of 'not found' when cert has already been deleted 2019-02-27 09:38:25 +01:00
Ronald Moesbergen
a9735e129c Merge branch 'master' into allow-cert-deletion 2019-02-27 09:28:48 +01:00
Hossein Shafagh
658c58e4b6 clarifying comments 2019-02-26 17:04:43 -08:00
Hossein Shafagh
9dbae39604 updating cryptography API call, to create right signing algorithm object. 2019-02-26 16:42:26 -08:00
Hossein Shafagh
16a18cc4b7 adding more edge test cases for EC-certs 2019-02-26 16:42:26 -08:00
Hossein Shafagh
aec7c7b0bc
Merge branch 'master' into fixing-signature-verify-ecc 2019-02-26 09:28:48 -08:00
alwaysjolley
53301728fa Moved url to config file instead of plugin option. One one url can be supported 
unless both the token and url are moved to the plugin options.
 2019-02-26 09:15:12 -05:00
Hossein Shafagh
40fac02d8b the check_cert_signature() method was attempting to compare RSA and ECC signatures. 
If a ec public-key certificate is signed with an RSA key, then it can't be a self-signed certificate, in which case we just raise InvalidSignature.
 2019-02-25 19:05:54 -08:00
alwaysjolley
cd65a36437 - support multiple bundle configuration, nginx, apache, cert only 
- update vault destination to support multi cert under one object
- added san list as key value
- read and update object with new keys, keeping other keys, allowing
us to keep an iterable list of keys in an object for deploying multiple
certs to a single node
 2019-02-25 09:42:07 -05:00
Ronald Moesbergen
ef0c08dfd9 Fix: when no alias is entered when exporting a certificate, the alias is set to 'blah'. 
This fix sets it to the common name instead.
 2019-02-21 16:33:43 +01:00
alwaysjolley
eaa73998a0 adding lemur_vault destination plugin 2019-02-19 15:03:15 -05:00
Ronald Moesbergen
29bda6c00d Fix typo's 2019-02-14 11:58:29 +01:00
Ronald Moesbergen
8abf95063c Implement a ALLOW_CERT_DELETION option (boolean, default False). When enabled, the certificate delete API call will work and the UI 
will no longer display deleted certificates. When disabled (the default), the delete API call will not work (405 method not allowed)
 and the UI will show all certificates, regardless of the 'deleted' flag.
 2019-02-14 11:57:27 +01:00
Hossein Shafagh
e034771e36
Merge branch 'master' into special-issuer-for-selfsigned-certs 2019-02-11 12:04:33 -08:00
Hossein Shafagh
605663704b
Merge branch 'master' into hosseinsh-celeryjob-sync-src-dst 2019-02-05 12:41:33 -08:00
Hossein Shafagh
e139b92b24
Merge branch 'master' into hshafagh-src-dst-register 2019-02-05 12:41:26 -08:00
Hossein Shafagh
6d1ef933c4 creating a new celery task to sync sources with destinations. This is as a measure to make sure important new destinations are also present as sources. 2019-02-05 10:48:52 -08:00
Hossein Shafagh
2107d58050
Merge branch 'master' into get_by_attributes 2019-02-05 10:31:35 -08:00
Hossein Shafagh
8d261b4120
Merge branch 'master' into special-issuer-for-selfsigned-certs 2019-02-05 10:29:20 -08:00
Marti Raudsepp
51248c1938 Use special issuer values <selfsigned> and <unknown> in special cases 
This way it's easy to find/distinguish selfsigned certificates stored in
Lemur.
 2019-02-05 16:56:09 +02:00
Hossein Shafagh
1d2771b014
Merge branch 'master' into get_by_attributes 2019-02-04 21:07:09 -08:00
Hossein Shafagh
f249a82d71 renaming destination to source. 2019-02-04 16:10:48 -08:00
Hossein Shafagh
44a060b159 adding support for creating a source while creating a new dst, while the destination is from AWS 2019-02-04 15:36:39 -08:00
sirferl
c1cf8d7a92
Merge branch 'master' into ADCS-plugin 2019-02-02 19:21:22 +01:00
Hossein Shafagh
45fbaf159a
Merge branch 'master' into master 2019-02-01 16:50:09 -08:00
Hossein Shafagh
8e93d007be
Merge branch 'master' into get_by_attributes 2019-02-01 16:48:50 -08:00
Hossein Shafagh
6705a0e030
Merge branch 'master' into ADCS-plugin 2019-02-01 16:38:39 -08:00
sirferl
36ab1c0bec
Merge branch 'master' into ADCS-plugin 2019-02-01 19:10:46 +01:00
Marti Raudsepp
e24a94d798 Enforce that PEM strings (certs, keys, CSR) are internally passed as str, not bytes 
This was already true in most places but not 100%, leading to lots of redundant checks and conversions.
 2019-01-30 18:11:24 +02:00
Curtis
e475d90e2e
Merge branch 'master' into master 2019-01-30 07:20:44 -08:00
Hossein Shafagh
e5ddf08f48
Merge branch 'master' into master 2019-01-29 16:37:29 -08:00
Hossein Shafagh
7f4f4ffded
Merge branch 'master' into master 2019-01-29 16:30:15 -08:00
Hossein Shafagh
48ad20faca moving the 2 year validity issue to the Verisign plugin, and address it there 2019-01-29 16:17:08 -08:00
Curtis
1e708bf1c7
Merge branch 'master' into password_noninteractive 2019-01-29 15:21:34 -08:00
Curtis Castrapel
d2317acfc5 allowing create_user with noninteractive PW;updating reqs 2019-01-29 15:17:40 -08:00
Curtis
29638c7f3b
Merge branch 'master' into master 2019-01-29 14:59:55 -08:00
Curtis
93021a5d89
Merge branch 'master' into expose-cert-distinguished-name 2019-01-29 14:56:31 -08:00
alwaysjolley
c68a9cf80a fixing linting issues 2019-01-29 11:10:56 -05:00
alwaysjolley
254a3079f2 fix whitespace 2019-01-29 11:01:55 -05:00
alwaysjolley
b4d1b80e04 Adding support for cfssl auth mode signing 2019-01-29 10:13:44 -05:00
sirferl
c77ccdf46e
Merge branch 'master' into ADCS-plugin 2019-01-28 17:57:46 +01:00
Hossein Shafagh
c47fa0f9a2 adjusting the tests to reflect on the new full year convert limit! 2019-01-24 17:52:22 -08:00
Hossein Shafagh
a9724e7383 Resolving the 2 years error from UI during cert creation: 
Though a CA would accept two year validity, we were getting error for being beyond 2 years.
This is because our current conversion is just current date plus 2 years,
1/25/2019 + 2 years ==> 1/25/2019
This is more strictly seen two years and 1 day extra, violating the 2 year's limit.
 2019-01-24 17:23:40 -08:00
Marti Raudsepp
4b893ab5b4 Expose full certificate RFC 4514 Distinguished Name string 
Using rfc4514_string() method added in cryptography version 2.5.
 2019-01-23 10:03:40 +02:00
Ronald Moesbergen
4c4fbf3e48 Implement certificates delete API call by marking a cert as 'deleted' in the database. Only certificates that have expired can be deleted. 2019-01-21 10:25:28 +01:00
Ronald Moesbergen
cb35f19d6c Add 'delete_cert' to enum log_type in logs table 2019-01-21 10:22:03 +01:00
Curtis Castrapel
0336d68ee2 Merge remote-tracking branch 'upstream/master' 2019-01-17 14:56:12 -08:00
Curtis Castrapel
7f88c24e83 Fix LetsEncrypt Dyn flow for duplicate CN/SAN 2019-01-17 14:56:04 -08:00
Hossein Shafagh
d3284a4006 adjusting the query to filter authorities based on matching CN 2019-01-14 17:52:06 -08:00
Curtis Castrapel
3567a768d5 Compare certificate hashes to determine if Lemur already has a synced certificate 2019-01-14 13:35:55 -08:00
Curtis Castrapel
31a86687e7 Reduce the expense of joins 2019-01-14 09:20:02 -08:00
Curtis Castrapel
c4e6e7c59b Optimize DB cert filtering 2019-01-14 08:02:27 -08:00
Curtis
638a8450a3
Merge branch 'master' into more_retries 2019-01-11 11:25:00 -08:00
Curtis Castrapel
0e02e6da79 Be more forgiving to throttling 2019-01-11 11:13:43 -08:00
sirferl
a1ca61d813 changed a too long comment 2019-01-09 09:50:26 +01:00
sirferl
a43476bc87 minor errors after lint fix 2019-01-07 11:04:27 +01:00
sirferl
054685fc38
Merge branch 'master' into ADCS-plugin 2019-01-07 10:23:18 +01:00
sirferl
c62bcd1456 repaired several lint errors 2019-01-07 10:02:37 +01:00
Marti Raudsepp
542e953919 Check that stored private keys match certificates 
This is done in two places:
* Certificate import validator -- throws validation errors.
* Certificate model constructor -- to ensure integrity of Lemur's data
  even when issuer plugins or other code paths have bugs.
 2018-12-31 16:28:20 +02:00
Curtis
6a31856d0d
Update plugin.py 2018-12-21 12:33:47 -08:00
Curtis
b5d6abb01f
Merge branch 'master' into kubernetes-improvment 2018-12-21 12:06:09 -08:00
Curtis
b7332957e7
Merge branch 'master' into unicode-in-issuer-name 2018-12-21 07:59:20 -08:00
Curtis
70381c4c89
Merge branch 'master' into kubernetes-fix 2018-12-21 07:44:11 -08:00
Curtis
a14fe08a63
Merge branch 'master' into kubernetes-improvment 2018-12-21 07:42:13 -08:00
Curtis
fb7605e34b
Merge branch 'master' into unicode-in-issuer-name 2018-12-21 07:41:08 -08:00
Marti Raudsepp
72f6fdb17d Properly handle Unicode in issuer name sanitization 
If the point of sanitization is to get rid of all non-alphanumeric
characters then Unicode characters should probably be forbidden too.

We can re-use the same sanitization function as used for cert 'name'
 2018-12-21 16:34:12 +02:00
Marti Raudsepp
0f2e30cdae Deduplicate rows before notification associations unique constraint migration 2018-12-21 12:11:33 +02:00
sirferl
f02178c154 added ADCS issuer and source plugin 2018-12-20 11:54:47 +01:00
Wesley Hartford
fbf48316b1 Minor changes for code review suggestions. 2018-12-18 22:43:32 -05:00
Wesley Hartford
073d05ae21 Merge branch 'kubernetes-fix' into kubernetes-improvment 2018-12-18 22:26:03 -05:00
Wesley Hartford
e7313da03e Minor changes for code review suggestions. 2018-12-18 22:24:48 -05:00
Curtis
425a07e988
Merge branch 'master' into destination-tpl-fix 2018-12-18 12:27:35 -08:00
Curtis
513e876e2e
Merge branch 'master' into master 2018-12-18 12:18:38 -08:00
Wesley Hartford
bc621c1468 Improve the Kubernetes Destination plugin 
The plugin now supports loading details from local files rather than requiring them to be entered through the UI. This is especially relaent when Lemur is deployed on Kubernetes as the certificate, token, and current namespace will be injected into the pod. The location these details are injected are the defaults if no configuration details are supplied.

The plugin now supports deploying the secret in three different formats:
* Full - matches the formate used by the plugin prior to these changes.
* TLS - creates a secret of type kubernetes.io/tls and includes the certificate chain and private key, this format is used by many kubernetes features.
* Certificate - creates a secret containing only the certificate chain, suitable for use as trust authority where private keys should _NOT_ be deployed.

The deployed secret can now have a name set through the configuration options; the setting allows the insertion of the placeholder '{common_name}' which will be replaced by the certificate's common name value.

Debug level logging has been added.
 2018-12-12 13:25:36 -08:00
sirferl
a50d80992c updated query to ignore empty parameters 2018-12-12 12:45:48 +01:00
Wesley Hartford
060c78fd91 Fix Kubernetes Destination Plugin 
The Kubernetes plugin was broken. There were two major issues:
* The server certificate was entered in a string input making it impossible (as far as I know) to enter a valid PEM certificate.
* The base64 encoding calls were passing strings where bytes were expected.

The fix to the first issue depends on #2218 and a change in the options structure. I've also included some improved input validation and logging.
 2018-12-10 15:33:04 -08:00
Wesley Hartford
437d918cf7 Fix textarea and validation on destination page 
The destination configuration page did not previously support a textarea input as was supported on most other pages. The validation of string inputs was not being performed. This commit addresses both of those issues and corrects the validation expressions for the AWS and S3 destination plugins so that they continue to function. The SFTP destination plugin does not have any string validation. The Kubernetes plugin does not work at all as far as I can tell; there will be another PR in the coming days to address that.
 2018-12-10 12:04:16 -08:00
Ronald Moesbergen
dcf5ce0eec
Merge branch 'master' into master 2018-12-07 13:57:59 +01:00
Curtis Castrapel
c32e20b6fc Fix notifications - Ensure that notifcation e-mails are sent appropriately 2018-12-06 12:25:43 -08:00
Ronald Moesbergen
e0ac749734 When parsing SAN's, ignore unknown san_types, because in some cases they can contain unparsable/serializable values, resulting in a TypeError(repr(o) + " is not JSON serializable") 2018-12-06 16:47:53 +01:00
Curtis Castrapel
2a235fb0e2 Prefer DNS provider with longest matching zone 2018-11-30 12:44:52 -08:00
Curtis Castrapel
a90154e0ae LetsEncrypt Celery Flow 2018-11-29 09:29:05 -08:00
Curtis Castrapel
39b76d18dc add countdown to async call 2018-11-28 14:41:56 -08:00
Curtis Castrapel
e074a14ee9 unit test 2018-11-28 14:27:03 -08:00
Curtis Castrapel
2381d0a4bb Add async call to create pending cert when needed 2018-11-28 11:32:52 -08:00
Ronald Moesbergen
da10913045 Only search nested group memberships when LDAP_IS_ACTIVE_DIRECTORY is True 2018-11-20 10:37:36 +01:00
Ronald Moesbergen
61839f4aca Add support for nested group membership in ldap authenticator 2018-11-19 13:42:42 +01:00
Curtis Castrapel
3ce8abe46e Left outer join on domains tables to avoid missing results 2018-11-13 14:33:17 -08:00
Curtis Castrapel
92a771f5ed More accurate db count functionality 2018-11-13 09:14:21 -08:00
Curtis
29be647911
Merge branch 'master' into no_csr_reissue 2018-11-12 09:54:47 -08:00
Curtis Castrapel
a7a05e26bc Do not re-use CSR during certificate reissuance; Update requirement; Add more logging to celery handler 2018-11-12 09:52:11 -08:00
Curtis Castrapel
6f0005c78e Avoid colliding LetsEncrypt jobs 2018-11-09 10:31:27 -08:00
Curtis Castrapel
1643650685 Changing essential part of query 2018-11-07 16:02:04 -08:00
Curtis Castrapel
08a2a2b0e5 Optimize certificate filtering by name 2018-11-07 15:34:25 -08:00
Curtis Castrapel
a3f96b96ee Add fixture to failing function 2018-11-05 15:16:09 -08:00
Curtis Castrapel
75183ef2f2 Unpin most dependencies, and fix moto 2018-11-05 14:37:52 -08:00
Curtis Castrapel
61738dde9e Run query on DB 2018-11-05 13:15:53 -08:00
Curtis Castrapel
52e773230d Add new gin index to optimize ILIKE queries 2018-11-05 10:29:11 -08:00
Curtis Castrapel
0277e4dc05 get_or_increase_name fix for pendingcertificates 2018-10-29 13:53:30 -07:00
Curtis Castrapel
50761d9d3b safer reissue, fix celery sync job 2018-10-29 13:22:50 -07:00
Curtis Castrapel
56ed416cb7 Celery task for sync job 2018-10-29 09:10:43 -07:00
Curtis
a8b357965e
Merge branch 'master' into get_by_attributes 2018-10-29 08:15:42 -07:00
Curtis
2138930102
Merge branch 'master' into get_by_attributes 2018-10-24 07:20:46 -07:00
James Chuong
75069cd52a Add CSR to certificiates 
Add csr column to certificates field, as pending certificates have
exposed the CSR already.  This is required as generating CSR from
existing certificate is will not include SANs due to OpenSSL bug:
https://github.com/openssl/openssl/issues/6481

Change-Id: I9ea86c4f87067ee6d791d77dc1cce8f469cb2a22
 2018-10-23 17:46:04 -07:00
Curtis Castrapel
b709eed3c3 Only resolve pending cert if not attempted in last 5 min 2018-10-23 13:08:43 -07:00
Curtis Castrapel
054cc64ee8 Prevent dashes from appearing at end of cert name in AWS 2018-10-23 12:49:58 -07:00
Curtis Castrapel
73ed5164cd deps 2018-10-22 14:51:13 -07:00
Curtis
b058508478
Merge branch 'master' into get_by_attributes 2018-10-22 09:09:55 -07:00
Curtis Castrapel
e83699b6ae Add unique constraint to sources table - label column 2018-10-19 15:34:34 -07:00
Non Sequitur
81d114092e Merge branch 'github' into get_by_attributes 2018-10-17 12:00:36 -04:00
Non Sequitur
48017a9d4c Added get_by_attributes to the certificates service, for fetching certs based on arbitrary attributes. Also associated test and extra tests for other service methods 2018-10-17 11:42:09 -04:00
Curtis Castrapel
a912c3488d python fix to retrigger tests 2018-10-12 07:25:58 -07:00
Curtis Castrapel
89a077e54c minor change to pass stuck github check 2018-10-12 07:14:31 -07:00
Curtis Castrapel
13ef965666 nit: comments 2018-10-12 05:56:14 -07:00
Curtis Castrapel
6073f9e7b6 datetime ref fix 2018-10-12 05:51:30 -07:00
Curtis Castrapel
4b3d458dba Celery task to delete old pending certs 2018-10-12 05:47:16 -07:00
Curtis Castrapel
cc18a68c00 Lemur LetsEncrypt Polling Support 2018-10-11 22:01:05 -07:00
Curtis Castrapel
e91d8ec81b add indexes to domains and certificates tables to optimize load time 2018-10-11 11:36:50 -07:00
Non Sequitur
79033f42b4
Merge branch 'master' into improved_verify 2018-10-02 09:19:24 -04:00
Non Sequitur
40f4444099 Flake8 fix in test_verify.py 2018-10-01 22:04:31 -04:00
Curtis Castrapel
56282845fa Enable optional verisign cloud transparency configuration 2018-10-01 09:20:50 -07:00
Non Sequitur
50919d85a8 Merge remote-tracking branch 'upstream/master' into improved_verify 2018-09-27 11:19:06 -04:00