Commit Graph

1096 Commits

Author SHA1 Message Date
Curtis Castrapel d67542d7f5 actually update deps 2018-03-21 12:46:30 -07:00
Curtis Castrapel 4087f1c03b Update auth keys, change python version to satisfy tests 2018-03-21 11:57:19 -07:00
iTitou bbacb7e210 [fix] No internal server error when trying to Google Auth an unregistered user (#1109) 2018-03-21 11:57:19 -07:00
cjwaian 19cf8f6bdd Remove non-ASCII character (#1104) 2018-03-21 11:57:19 -07:00
Curtis Castrapel 74a516cde0 nt 2018-03-16 14:15:03 -07:00
Curtis Castrapel 58da68d72f Revert "Requirements and Elasticsearch logging configuration"
This reverts commit c08d3dd82f.
2018-03-16 14:10:12 -07:00
Curtis Castrapel c7ca3949f6 info level, and new variable name 2018-03-16 11:55:53 -07:00
Curtis Castrapel bbf5e95186 fix unusued import 2018-03-16 10:07:47 -07:00
Curtis 462e757f92
Merge branch 'master' into requirements_logging 2018-03-16 08:51:25 -07:00
Curtis Castrapel c08d3dd82f Requirements and Elasticsearch logging configuration 2018-03-16 08:36:10 -07:00
Curtis Castrapel 18c64fafe4 address comment 2018-02-27 12:34:18 -08:00
Curtis Castrapel 77a1600c13 Fix cloned notifications 2018-02-27 10:57:43 -08:00
Curtis Castrapel 5fe28f6503 Description modification 2018-02-26 12:37:31 -08:00
Curtis Castrapel 1f641c0ba6 Description modification 2018-02-26 12:36:40 -08:00
Curtis Castrapel cca3797669 comments on alembic changes. resolve invalid usage of log_service.create 2018-02-26 12:08:31 -08:00
Curtis Castrapel a28fdac242 fix pending cert db changes 2018-02-26 09:43:08 -08:00
Curtis 7032abf2e7
Merge branch 'master' into unq-const 2018-02-26 08:03:31 -08:00
Curtis Castrapel 9e8fa5827d unq constraint 2018-02-24 23:15:39 -08:00
Harm Weites 5d18838868 Use Cloudflare as DNS provider for LE certs (#945)
* Use Cloudflare as DNS provider for LE certs

* Better handle dns_provider plugins
2018-02-22 08:17:28 -08:00
James Chuong 2578970f7d Async Certificate Issuing using Pending Certificates (#1037)
* Add PendingCertificate model

This change creates a DB table called pending_certificates and
associated mapping relationship tables from pending certificate to
roles, rotation policy, destination, sources, etc.

The table is generated on initialization of Lemur. A pending
certificate holds most of the information of a Certificate, while it has
not be issued so that it can later backfill the information when the CA
has issued the certificate.

Change-Id: I277c16b776a71fe5edaf0fa0e76bbedc88924db0
Tickets: PBL-36499

* Create a PendingCertificate if cert is empty

IssuePlugins should return empty cert bodies if the request failed to
complete immediately (such as Digicert).  This way, we can immediately
return the certificate, or if not just place into PendingCertificates
for later processing.

+ Fix relation from Certificate to Pending Certificate, as view only.
There is no real need for anything more than that since Pending cert
only needs to know the cert to replace when it is issued later.

+ Made PendingCertificate private key be empty: UI does not allow
private key on 'Create' but only on 'Import'.  For Instart, we require
the private key but upstream does not necessarily need it.  Thus, if
someone at Instart wants to create a CSR / key combo, they should
manually issue the cert themselves and import later.  Otherwise you
should let Lemur generate that.  This keeps the workflow transparent for
upstream Lemur users.

Change-Id: Ib74722a5ed5792d4b10ca702659422739c95ae26
Tickets: PBL-36343

* Fix empty private_key when create Pending Cert

On creation of a certificate with a CSR, there is no option for private
key.  In this case, we actually have a dictionary with private_key as
key, but the value is None.  This fixes the strip() called on NoneType.

Change-Id: I7b265564d8095bfc83d9d4cd14ae13fea3c03199
Tickets: PBL-36499

* Source sync finds and uses pending certificate

When a source syncs certificates, it will check for a pending
certificate.  If that is found via external_id (given by digicert as
order_id) then it will use the found Pending Certificate's fields to
create a new certificate.  Then the pending certificate is deleted.

Tickets: PBL-36343
Change-Id: I4f7959da29275ebc47a3996741f7e98d3e2d29d9

* Add Lemur static files and views for pending certs

This adds the basic static files to view pending certificates in a
table.

Tickets: PBL-36343
Change-Id: Ia4362e6664ec730d05d280c5ef5c815a6feda0d9

* Add CLI and plugin based pending fetch

This change uses the adds a new function to issuer plugins to fetch
certificates like source, but for one order.  This way, we can control
which pending certificates to try and populate instead of getting all
certificates from source.

Tickets: PBL-36343
Change-Id: Ifc1747ccdc2cba09a81f298b31ddddebfee1b1d6

* Revert source using Pending Certificate

Tickets: PBL-36343
Change-Id: I05121bc951e0530d804070afdb9c9e09baa0bc51

* Fix PendingCertificate init getting authority id

Should get authority id from authority.id instead of the authority_id
key in kwargs.

Change-Id: Ie56df1a5fb0ab2729e91050f3ad1a831853e0623
Tickets: n/a

* Add fixtures and basic test for PendingCertificate

Change-Id: I4cca34105544d40dac1cc50a87bba93d8af9ab34
Tickets: PBL-36343

* Add User to create_certificate parameters

create_certificate now takes a User, which will be used to populate the
'creator' field in certificates.service.upload().  This allows the UI
populate with the current user if the owner does not exist in Lemur.

+ Fix chain being replaced with version from pending certificate, which
may be empty (depends on plugin implementation).

Change-Id: I516027b36bc643c4978b9c4890060569e03f3049
Tickets: n/a

* Fix permalink and filters to pending certs

Fixes the permalink button to get a single pending certificate
Add argument filter parsing for the pending certificate API
Fix comment on API usage
Added get_by_name for pending_certificate (currently unused, but useful
for CLI, instead of using IDs)

Change-Id: Iaa48909c45606bec65dfb193c13d6bd0e816f6db
Tickets: PBL-36910

* Update displayed fields for Pending Certificates

There are a number of unused / unpopulated fields from Certificate UI
that does apply to Pending Certificates.  Those ones were removed, and
added other useful fields:
Owner, number of attempts to fetch and date created

Change-Id: I3010a715f0357ba149cf539a19fdb5974c5ce08b
Tickets: PBL-36910

* Add common name (cn) to Pending Certificate model

Fixes the UI missing the CN for Pending Certificate, as it was
originally being parsed from the generated certificate.  In the case of
pending certificate, the CN from the user generates the request, which
means a pending cert can trust the original user putting in the CN
instead of having to parse the not-yet-generated certificate.  There is
no real possibility to return a certificate from a pending certificate
where the CN has changed since it was initially ordered.

Change-Id: I88a4fa28116d5d8d293e58970d9777ce73fbb2ab
Tickets: PBL-36910

* Fix missing imports for service filter

+ Removed duplicate get_by_name function from old merge

Change-Id: I04ae6852533aa42988433338de74390e2868d69b
Tickets: PBL-36910

* Add private key viewing to Pending Certificates

Add private key API for Pending Certificates, with the same
authorization as Certificates (only owner, creator or owner-roles can
view private key).

Change-Id: Ie5175154a10fe0007cc0e9f35b80c0a01ed48d5b
Tickets: PBL-36910

* Add edit capability to pending certificates

Like editing certificates, we should be able to modify some parts of a
pending certificate so the resulting certificate has the right
references, owner, etc.

+ Added API to update pending certificate
+ Fix UI to use pending certificate scope instead of reusing Certificate
+ Change pending_certificate.replaces to non-passive association, so
that updates do affect it (similar to roles/notifications/etc)

Tickets: PBL-36910
Change-Id: Ibbcb166a33f0337e1b14f426472261222f790ce6

* Add common_name parsing instead using kwargs

To fix tests where common name may not be passed in, use the CSR
generated to find the official common name.

Change-Id: I09f9258fa92c2762d095798676ce210c5d7a3da4
Tickets: PBL-36343

* Add Cancel to pending certificates and plugins

This allows pending certificates to be cancelled, which will be handled
by the issuer plugin.

Change-Id: Ibd6b5627c3977e33aca7860690cfb7f677236ca9
Tickets: PBL-36910

* Add API for Cancelling Pending Certificate

Added the DELETE handler for pending_certificates, which will cancel and
delete the pending certificate from the pending certs table on
successful cancellation via Issuer Plugin.

+ Add UT for testing cancel API

Change-Id: I11b1d87872e4284f6e4f9c366a15da4ddba38bc4
Tickets: PBL-36910

* Remove Export from Pending Certificates

Pending Certificates doesn't need an export since it should just be
fetched by Lemur via plugins, and the CSR is viewable via the UI.

Change-Id: I9a3e65ea11ac5a85316f6428e7f526c3c09178ae
Tickets: PBL-36910

* Add cancel button functionality to UI

This adds the Cancel option to the dropdown of pending certificates.

+ Adds modal window for Note (may not be required for all issuers, just
Digicert)
+ Add schema for cancel input
+ Fix Digitcert plugin for non-existant orders

When an order is actually issued, then attempting to cancel will return
a 403 from Digicert.  This is a case where it should only be done once
we know the pending cert has been sitting for too long.

Change-Id: I256c81ecd142dd51dcf8e38802d2c202829887b0
Tickets: PBL-36910

* Fix test_pending_cancel UT

This change creates and injects a pending cert, which will then be used
for the ID so it can be canceled by the unit test.

Change-Id: I686e7e0fafd68cdaeb26438fb8504d79de77c346
Tickets: PBL-36343

* Fix test_digicert on non-existent order

cancelling a non-existent order is fine since we're cancelling it

Change-Id: I70c0e82ba2f4b8723a7f65b113c19e6eeff7e68c
Tickets: PBL-36343

* Add migrations for PendingCertificates

Added revision for Pending Certificates table and foreign key mapping
tables.

Change-Id: Ife8202cef1e6b99db377851264639ba540b749db
Tickets: n/a

* Fix relationship copy from Pending to Certificate

When a Pending Certificate is changed to a full Certificate, the
relationship fields are not copied via vars() function, as it's not a
column but mapped via association table.  This adds an explicit copy for
these relations.  Which will properly copy them to the new Certificate,
and thus also update destinations.

Change-Id: I322032ce4a9e3e67773f7cf39ee4971054c92685
Tickets: PBL-36343

* Fix renaming of certificates and unit tests

The rename flag was not used to rename certificates on creation as
expected.

Fixed unit test, instead of expunging the session, just copy the
pending_certificate so we don't have a weird reference to the object
that can't be copied via vars() function.

Change-Id: I962943272ed92386ab6eab2af4ed6d074d4cffa0
Tickets: PBL-36343

* Updated developer docs for async certs

Added blurb for implementing new issuer functions.

Change-Id: I1caed6e914bcd73214eae2d241e4784e1b8a0c4c
Tickets: n/a
2018-02-22 08:13:16 -08:00
pincushionman f44fe81573 fix for https://github.com/Netflix/lemur/issues/1045 (#1056) 2018-02-20 08:28:11 -08:00
Curtis f262c93912 Option to suppress SSL errors (#1044) 2018-01-17 09:17:03 -08:00
James Chuong 763c5e8356 Add DIGICERT_ORDER_TYPE to Digicert plugin (#1025)
* Add DIGICERT_ORDER_TYPE to Digicert plugin

This allows lemur.conf.py to control which kind of certificate to
order.  User defined options are not currently supported in the the UI,
so we cannot create multiple Digicert authorities at runtime for
separate certificate types.

Change-Id: I06c216ec3c476e0001b240530626a86464be999e

* Fix Mock URL for Digicert test

Change-Id: Ida7c0ed1bd120c9024bea091c03b7d1ecfa66498

* Add documentation for DIGICERT_ORDER_TYPE

Change-Id: I0bc347883b628416eb7f13a7c60c937dcb6ae0c2
2018-01-13 18:06:17 -08:00
James Chuong 050295ea20 Fix DigiCert issuer plugin revoke URL (#1041)
The URL for revoking DigiCert certificates was incorrect.

Change-Id: I39fb7d290a2a649ab08a47e7dcbe18a8c0bd8a59
2018-01-11 17:12:21 -08:00
kevgliss eea413a90f
Modifying the way we report metrics. Relying on metric tags instead of the the metric name for additional dimensions. (#1036) 2018-01-02 15:26:31 -08:00
kevgliss 8cad2f9f56
Version bump. (#1034) 2018-01-02 14:08:56 -08:00
kevgliss 64ac32f683
6.0 release. (#1033) 2018-01-02 14:03:38 -08:00
Marti Raudsepp 1287c3dc4a CRL verify: handle "Remove from CRL" status as not revoked (#1028)
Per RFC 5280 section 6.3.3 (k):
https://tools.ietf.org/html/rfc5280#section-6.3.3
2018-01-02 13:39:02 -08:00
Marti Raudsepp 99b10c436a CRL verify: skip unknown URI schemes like ldap:// and add unit tests (#1027) 2018-01-02 13:11:17 -08:00
kevgliss 9a0ada75fa
Upgrading satellizer library. (#1031) 2018-01-02 09:12:06 -08:00
kevgliss 848ce8c978
Refactoring authentincation to support GET and POST requests. Closes #990. (#1030) 2018-01-01 19:11:29 -08:00
Zach Seils 7b8df16c9e Fix typo in default SSH key path. (#1026) 2017-12-20 09:09:56 -08:00
Marti Raudsepp 7a84f38db9 Don't write files from the test suite (#1020)
The lemur_email.tests.test_render test would fail when running unittests
from a read-only source tree.
2017-12-12 10:14:39 -08:00
Marti Raudsepp ba4de07ad8 Improve certificate details view, make information more concise (#1021)
The "Description" field can now display multi-line text content.

The "Authority" field now displays the authority name in Lemur (if
known) as well as issuer's name. For imported certs, "Imported" is
displayed.
2017-12-12 09:49:30 -08:00
Marti Raudsepp b2d87940d6 Allow sorting and filtering by camelCase field names (#1019)
The API exposes camelCase field names everywhere, but only accepted
underscore_field_names in 'filter' or 'sort' GET attributes. Now both
are allowed.
2017-12-12 09:44:53 -08:00
Eric 6edc5180c7 fix roles assigned in the ui for sso (#1017)
This commit fixes the ability to assign roles to people in the ui
when the user is SSO. The idea is if a role is ever assigned via
SSO it becomes a "SSO Role" or a "Third Party" Role. by setting
third_party to true on the role object.

Once a role is marked as third party it can no longer be controlled
through the ui for SSO Users. (for ui users this poses no functional
change). It must be controlled via SSO.
2017-12-11 13:51:45 -08:00
Marti Raudsepp e1f241bd55 Don't send notifications that are marked inactive (#1015)
Apparently previously Lemur ignored the "active" flag of notifications.
2017-12-06 08:32:24 -08:00
kevgliss ad88637f22
Adding some niceties around the way users are associated with tokens. (#1012)
* Adding some niceties around the way users are associated with tokens.

- Includes user typeahead
- Tooltips
- User information displayed in table
- Default to current user when no user is passed
2017-12-05 10:57:17 -08:00
kevgliss a756a74b49
Ensures we can get multiple endpoints with the same name but different ports. (#1011) 2017-12-04 13:13:02 -08:00
kevgliss ecc0934657
Adding cli command to clear out pending symantec certificates. (#1009) 2017-12-04 10:04:12 -08:00
Eric c402f1ff87 add per user api keys to the backend (#995)
Adds in per user api keys to the backend of lemur.
the basics are:
  - API Keys are really just JWTs with custom second length TTLs.
  - API Keys are provided in the exact same ways JWTs are now.
  - API Keys can be revoked/unrevoked at any time by their creator
    as well as have their TTL Change at anytime.
  - Users can create/view/list their own API Keys at will, and
    an admin role has permission to modify all api keys in the
    instance.

Adds in support for lemur api keys to the frontend of lemur.
doing this required a few changes to the backend as well, but it is
now all working (maybe not the best way though, review will determine
that).

  - fixes inconsistency in moduleauthor name I inputted during the
    first commit.
  - Allows the revoke schema to optionally allow a full api_key object.
  - Adds `/users/:user_id/api_keys/:api_key` and `/users/:user_id/api_keys`
    endpoints.
  - normalizes use of `userId` vs `userId`
  - makes `put` call respond with a JWT so the frontend can show
    the token on updating.
  - adds in the API Key views for clicking "API Keys" on the main nav.
  - adds in the API Key views for clicking into a users edit page.
  - adds tests for the API Key backend views I added.
2017-12-04 08:50:31 -08:00
Johannes Langer 5ac3ecb85e Added revoke support to cfssl plugin (#1007)
* Added revoke support to cfssl plugin
2017-11-29 14:33:22 -08:00
kevgliss c2b2ce1f11
Allowing the export of CAs that don't have a chain. (#1000) 2017-11-21 11:42:23 -08:00
kevgliss cecfe47540
Adding the ability to revoke enmasse (#999) 2017-11-21 09:36:10 -08:00
James Chuong 4b544ae207 CSR Export Plugin (#988)
This plugin allows a certificate to be exported as a CSR via OpenSSL
x509.  The workflow will be:
* Create self-signed cert via Cryptography authority
* Export CSR via this plugin
* Sign your own cert outside of Lemur
* Import new cert with private key

Change-Id: Id3f7db2506bd959236cd3a6df622841058abda5a
2017-11-14 10:11:06 -08:00
kevgliss e30e17038b
Removing unused import. (#989) 2017-11-14 09:24:26 -08:00
Daniel Pramann 7e2c16ee38 Fixes for using ACME with Route53 (#986)
* Changes required for functional Route53 operations

* Changes required for functional ACME operations with Route53

* Changes required for functional ACME operations with Route53, need external ID
2017-11-13 10:19:54 -08:00
Johannes Langer 041f3a22fa Added ability to set custom roles for users logging in via oauth provider (#985) 2017-11-10 08:38:33 -08:00
kevgliss f990ef27cf Adding sentry tracking to issued with certificate deployment. (#978) 2017-10-26 15:21:13 -07:00
kevgliss d4209510c2 Adding some additional exception capturing during certificate parsing. (#976) 2017-10-25 08:19:07 -07:00
kevgliss 620e279453 Caa (#975)
* Adding verisign error code for a CAA failure.

* Tweaking error msg.
2017-10-24 14:46:33 -07:00
kevgliss bbf73c48a3 Adding health exception tracking. (#977) 2017-10-24 14:04:51 -07:00
Johannes Langer 9319dda0ec Added ability to ignore cert for oauth2 provider (#971)
* Added ability to ignore cert for oauth2 provider

This is useful for development environments where the OAuth provider
doesn't have a valid cert!

* Setting default for OAUTH2_VERIFY_CERT to true
2017-10-20 16:36:14 -07:00
kevgliss 14f5340802 During higher loads, retrying the connection attempt is often required for the CIS api. (#972) 2017-10-12 10:37:58 -07:00
kevgliss 0152985e64 Adding serial numbers when certificates with the same name are encoun… (#970)
* Adding serial numbers when certificates with the same name are encountered.
2017-10-11 13:20:19 -07:00
kevgliss e43268f585 Source plugin (#965)
* Ensure that None values aren't passed.
2017-10-09 10:37:44 -07:00
kevgliss 7ef788752e Source plugin (#964)
* Another minor fix.
2017-10-06 17:39:31 -07:00
kevgliss b66d7ce1fd Source plugin (#963)
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.

* Minor fix.
2017-10-06 13:22:03 -07:00
kevgliss dc34652efd Source plugin (#962)
* Ensuring that we have default options for source plugins.

* Handle duplicate serials. Serials are not unique across issuers.
2017-10-06 08:49:05 -07:00
kevgliss e0d2fb0de1 Ensuring that we have default options for source plugins. (#961) 2017-10-05 17:27:45 -07:00
kevgliss e0d9443141 Ensuring existing users are also given the default role. (#960) 2017-10-05 16:47:52 -07:00
kevgliss a6305a5cae Adding Digicert CIS Sourceplugin (#959)
* Adding necessary features to complete backfill

* Fixing pagination logic.
2017-10-04 16:56:01 -07:00
kevgliss 9e2578be1e Adding necessary features to complete backfill (#958) 2017-10-04 14:57:57 -07:00
kevgliss 09b8f532a7 Adding cli to mass revoke certificates. (#955) 2017-10-03 10:51:53 -07:00
kevgliss e0939a2856 Adding some default data to put. (#950) 2017-09-29 14:49:07 -07:00
kevgliss 90f4b458e3 Adding the lemur identity to be able to re-issue certificates. (#949) 2017-09-29 14:07:40 -07:00
kevgliss f5213deb67 Removing revocation comments for now. (#947) 2017-09-29 10:53:15 -07:00
kevgliss bb08b1e637 Initial work allowing certificates to be revoked. (#941)
* Initial work allowing for certificates to be revoked.
2017-09-28 18:27:56 -07:00
Marti Raudsepp 54ff4cddbf Disallow issuing certificates from inactive authority (#936) 2017-09-25 15:34:49 -07:00
Marti Raudsepp 645641f4bd Avoid redundant key_view log entries (#937)
Don't re-request private key when it's already loaded in frontend.
2017-09-25 15:34:07 -07:00
Marti Raudsepp 97d83890e0 Various minor cleanups and fixes (#938)
* Documentation fixes

* Various docstring and help string fixes

* Minor code cleanups

* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
2017-09-25 15:33:42 -07:00
Marti Raudsepp ec5dec4a16 Add option to disable owner email address in CSR subject (#939) 2017-09-25 15:32:08 -07:00
Horatiu Eugen Vlad f766871824 Create default rotation policy with name (#924) 2017-09-18 09:09:59 -07:00
Rick Breidenstein fc9b1e5b12 server_default from "False" to sa.false() (#913) 2017-09-11 09:19:19 -07:00
Marti Raudsepp dafed86179 Improve certificate name normalization: remove Unicode characters, etc. (#906)
* Accented characters are replaced with non-accented version (ä -> a)
* Spaces are replaced with '-' (previously they were removed)
* Multiple non-alphanumeric characters are collapsed into one '-'
2017-09-08 10:52:22 -07:00
Ian Stahnke 79d12578c7 basic ldap support (#842) 2017-09-03 20:41:43 -07:00
kevgliss ff87c487c8 It's too expensive to attempt to load all certificates associated with a given notification. Some queries such as `default` are associated with a large number of certificates. We have little control over when these objects are loaded, but when marshalled they are lazyloaded via SQLAlachemy. If a user needs to get all the certificates associated with a certificate they should use the /notifications/<id>/certificates endpoints that support pagination. (#891) 2017-08-28 17:57:39 -07:00
Marti Raudsepp 82b43b5a9d Create signal hooks and handler for dumping CSR and certificate details (#882) 2017-08-28 17:35:56 -07:00
Marti Raudsepp bb1c339655 Fix ability to remove all roles from authority (#880) 2017-08-28 17:35:01 -07:00
Marti Raudsepp e7efaf4365 Prevent creation of empty SubjAltNames extension in CSR (#883) 2017-08-18 09:10:56 -07:00
Marti Raudsepp c6d76f580e Disable unused Flask Principal sessions (#881)
Lemur uses its own auth token for authentication; logging out doesn't
properly dispose of the Flask Principal session.
2017-08-17 09:24:35 -07:00
Marti Raudsepp 941df0366d Fix roles display on user screen and fix removing user roles (#879) 2017-08-17 09:24:10 -07:00
Marti Raudsepp 7762d6ed52 Reworked sensitive domain name and restriction logic (#878)
* This is a fix for a potential security issue; the old code had edge
  cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
  is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
  CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
  be valid domain names.
2017-08-16 19:24:49 -07:00
Marti Raudsepp cf805f530f Prevent unintended access to sensitive fields (passwords, private keys) (#876)
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This is fixes a potential security issue.

The filter() function allowed guessing the content of password hashes
one character at a time.

The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
2017-08-16 09:38:42 -07:00
Rick Breidenstein f5e120ad2e Update readme.txt (#869) 2017-08-04 12:42:27 -07:00
kevgliss f5082e2d3a Starting transition away from not_before and not_after. (#854) 2017-07-14 09:24:59 -07:00
kevgliss 61c493fc91 Adding additional failure conditions to sentry tracking. (#853)
* Adding additional failure conditions to sentry tracking.

* Removing sentry extension as a circular import.
2017-07-13 14:49:04 -07:00
kevgliss 6779e19ac9 Adding enum migration. (#852) 2017-07-13 13:12:53 -07:00
kevgliss 443eb43d1f Adding the ability to specify a per-certificate rotation policy. (#851) 2017-07-12 16:46:11 -07:00
Paul Van de Vreede 53113e5eeb Add auditing for creating or updating a cert. (#845) 2017-07-04 06:39:16 -07:00
kevgliss 169dcb86e2 supporting the ability to push exceptions to sentry (#843) 2017-06-29 14:12:38 -07:00
Ian Stahnke e4f5224f42 set ses email content type to utf-8 instead of string (#841) 2017-06-28 09:44:19 -07:00
kevgliss 98907e66e9 Minor fixes to S3.put signature (#840) 2017-06-27 16:18:34 -07:00
kevgliss c05343d58e Adds the ability for destination plugins to be sub-classed from Expor… (#839)
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes #807.

* fixing tests
2017-06-26 12:03:24 -07:00
Paul Borg 541fbc9a6d Use named kwargs rather than args when calling s3 put (#830) 2017-06-20 11:28:19 -07:00
Asbjørn Kjær 35cc7ef8d7 Adding support for private DigiCert certificates (#835) 2017-06-14 09:20:24 -07:00
Asbjørn Kjær e77382864b Fixing KeyError on error handling (#834) 2017-06-14 09:07:27 -07:00
kevgliss d4d6d832b1 Fixing audit filtering and sorting. (#827) 2017-06-02 09:07:22 -07:00
kevgliss 9c92138f2d Fixing autorotation failures. (#825)
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
2017-06-02 08:59:42 -07:00
kevgliss 5a4806bc43 Allowing description to be optional. (#826) 2017-06-01 17:09:04 -07:00
kevgliss 07969f7e10 Ensuring IPAddresses and IPNetworks are correctly serialized. (#818) 2017-05-26 10:48:26 -07:00
Michael LoSapio 3141b47fba Catch OAuth providers that want the params sent as data (#800) 2017-05-25 10:21:29 -07:00
kevgliss 21d48b32c9 Fixing an issue with uploading to cloudfront. (#815) 2017-05-25 10:10:12 -07:00
kevgliss 11bd42af82 Correct status code for basic-auth (#813)
* ensuring those using basic auth recieve a correct status code when their password is incorrect

* Fixing oauth status codes
2017-05-23 09:48:31 -07:00
Paul Borg f6b5012f56 Add Check of DB connections on healthcheck URL (#812) 2017-05-22 17:15:41 -07:00
kevgliss f9b388c658 Modifying the was s3 uploading works. (#810)
* Modiying the was s3 uploading works.

* Fixing pep8
2017-05-20 12:07:44 -07:00
kevgliss 4093f4669a Switching remaining uses of boto to boto3. (#809) 2017-05-20 11:09:55 -07:00
kevgliss 9594f2cd8d Upgrading moto and fixing test that break due to deprecation. (#808)
* Upgrading moto and fixing test that break due to deprecation.

* Adding region.
2017-05-20 10:40:22 -07:00
kevgliss 380203eb53 Adding the ability to upload to cloudfront via the 'path' parameter. Cloudfront destinations must be created separately. (#805)
Closes #277
2017-05-18 13:49:17 -07:00
kevgliss 307a73c752 Fixing some confusion between 401 vs 403 error code. 401 indicates that the user should attempt to authenticate again. Where as 403 indicates the user is authenticated but not allowed to complete an action. (#804)
Closes #767
2017-05-18 13:20:17 -07:00
kevgliss 3050aca3e6 Minor fixes to the domains UI. (#798)
* Fixes checkbox input.

* Fixes notification message.
2017-05-15 19:14:12 -07:00
kevgliss 8c41c6785d Fixes issue where domains without any associated certificates are not searchable. (#797) 2017-05-15 19:07:32 -07:00
kevgliss 092ce0f9d8 Closes #792. (#796) 2017-05-15 19:07:16 -07:00
kevgliss 914de78576 Adds migration to fix keys on unique index. Closes #743. (#785) 2017-05-10 12:13:42 -07:00
kevgliss ecf00fe9d6 Splitting out the default date issuance logic for CIS and CC. CIS assumes years is converted to validity_end while CC prefers validity_years over validity_end. (#784) 2017-05-10 12:05:03 -07:00
Michael Treacher c71b3a319d Log the audit logs (#781) 2017-05-08 09:43:26 -07:00
Michael Treacher 767147aef1 Check for unknown as status is no longer represented as a boolean (#780) 2017-05-08 09:43:19 -07:00
Michael Treacher ce5a45037a Fix for status representation in the view (#778) 2017-05-05 11:04:40 -07:00
kevgliss 9c9ca37586 Enabling hex serial numbers without breaking backward compatibility. (#779)
* Enabling hex serial numbers without breaking backward compatibility.

* Fixing tests.
2017-05-05 11:04:09 -07:00
Ian Stahnke 5c41dafc97 fix unit and interval transposition in schemas.py (#752) (#774) 2017-04-30 12:23:34 -07:00
Paul Van de Vreede 989e3733a2 Add docker setup for running tests on a docker enabled dev environment. (#771) 2017-04-28 09:28:06 -07:00
kevgliss fbc24ea400 There is an issue when iterating over extensions where certificates might not have been issued in adherence with basic constraints. Here we log these errors instead of failing out right. (#770) 2017-04-27 17:45:34 -07:00
kevgliss 4905020e77 ensuring stdout has a default log level (#766) 2017-04-27 10:11:47 -07:00
kevgliss 75787d20bc ensuring that lemur's default user has a valid email (#765) 2017-04-27 09:53:35 -07:00
kevgliss ca9f120988 fixing some pep8 issues (#764) 2017-04-27 09:44:39 -07:00
Rick Breidenstein e86954e8ea Destination Plugin/Lemur_linuxdst (#736)
* Added lemur_linuxdst

* Revert "Added lemur_linuxdst"

This reverts commit 010c19bd1937320189ee5a0660f9e356221121f3.

* added plugin\lemur_linuxdst

Destination plugin for a target linux host

* Update remote_host.py

* Update plugin.py

* Update remote_host.py

* Update plugin.py

* Update plugin.py

* chaning var and funct names

* Write data with local temp

* .

* .

* typo

* tested plugin successfully

* Update plugin.py

* Update remote_host.py

* removed whitespace

* set permissions on exported keys to 600

sftp.chmod(dst_dir_cn + '/' + dst_file, (stat.S_IRUSR))

* Update plugin.py

* Update remote_host.py

* Update plugin.py

* added 'paramiko==2.1.2'

required for lemur_linuxdst plugin

* data stored in clear text at rest

* Update plugin.py

* Update plugin.py

* Update remote_host.py
2017-04-27 09:19:49 -07:00
Paul Van de Vreede 604cd60dbe Return correct intermediate certificate on digicert creation. (#762)
This commit also removes the unused DIGICERT_INTERMEDIATE env
var as it is not used.
2017-04-27 09:14:20 -07:00
Michael Treacher 05f4ae8e58 Hexify cert serial (#763)
* Hexify serial at the serialization layer

* Fix for flakey test. Change test to test for uppercased string
2017-04-27 09:13:04 -07:00
kevgliss 88ac783fd2 PEP8 Fixes (#760) 2017-04-25 09:23:18 -07:00
Travis McPeak bc66ede9aa Fixing Bandit findings and adding travis Bandit job (#759)
* Fixes for Bandit

This commit fixes a couple of issues so that Bandit can run
cleanly using medium+ severity and confidence filtering.

* Adding Lemur Bandit job to TravisCI
2017-04-24 18:37:03 -07:00
Michael Treacher 1c295896e6 Add test for when there are no notifications on a certificate (#757) 2017-04-24 09:04:49 -07:00
kevgliss 01aa372e59 Version bump. (#751) 2017-04-08 13:23:48 -07:00
kevgliss 81aff42e03 Removing this exception handling, that error should be caught above. (#749) 2017-04-07 16:01:40 -07:00
Michael Treacher 7f019583f2 Don’t set ‘custom_expiration_date’ if validity years is set in the UI. (#742)
* Don’t set ‘custom_expiration_date’ if validity years is set in the UI.

* Use single quotes instead of double quotes.
2017-04-04 17:11:17 -07:00
kevgliss f91ae5b319 Fixes bug where authority status was not set correctly. (#739) 2017-03-29 10:10:51 -07:00
kevgliss f0dde845db Adding ability to exclude certificates from expiration (#730)
* adding ability to exclude certificates from expiration

* fixing tests
2017-03-15 11:25:19 -07:00
kevgliss b0ea027769 Underscores should not be in hostnames (#728) 2017-03-15 08:41:06 -07:00
Neil Schelly 8762e1c5ae Issue #703 bugfix (#711)
* Ensures that both AKI serial/issue _and_ keyid won't be included.
Validation issues crop up if both types of AKI fields are present.

* Ensure that SAN extension includes the certificate's common name

* Fix scenario where subAltNames are getting dropped when applying a template

* Ensure that SAN includes the CN

* Ensuring that getting here without a SAN extension won't break things.

* New cleaner approach

* Some bits of handling the extensions are a bit hacky, requiring access to attributes inside the objects in x509.
I think this is pretty clean though.

* lintian check

* Fixing tests
2017-03-10 09:09:18 -08:00
kevgliss 3c5b2618c0 Rely on the lemur generating the correct name for rotated certificates. (#714)
* Rely on the lemur generating the correct name for rotated certificates.

* Fixing tests.
2017-03-09 13:09:20 -08:00
kevgliss 602c5580d3 Only validates values if present in options. Fixing authority test to parse plugin information. (#713) 2017-03-06 20:38:04 -08:00
kevgliss b715687617 Ensuring that we don't fail cleaning if it doesn't exist. (#708) 2017-03-03 16:03:52 -08:00
kevgliss c46fa5d69c Ensures the rotation has a value during migration. (#707) 2017-03-03 15:16:25 -08:00
kevgliss 310e1d4501 Adds support for filtering by UI. Closes #702. (#706) 2017-03-03 15:07:26 -08:00
kevgliss fc957b63ff Source syncing tweaks. (#705)
* Allow owner to be specified when syncing certs.

* Ensuring non-endpoint plugins don't fail to complete syncing.

* Adding in some additional error handling.
2017-03-03 14:53:56 -08:00
kevgliss d53f64890c Adding max notification constraint. (#704)
* Adds additional constraints to the max notification time. With an increasing number of certificates we need to limit the max notification time to reduce the number of certificates that need to be analyzed for notification eligibility.
2017-03-03 12:59:16 -08:00
Neil Schelly 5f5583e2cb UI adjustments for mutually exclusive (radio button version) encipher/decipher-only Key Usage #664 (#692)
* UI adjustments to make Key Agreement, Encipher Only, and Decipher Only relationship more user-friendly

* whitespace typo

* Issue #663 switching Encipher/Decipher Only options to be mutually exclusive and un-checkable radio buttons.

* Found a bug in the fields schema that was dropping Key Agreement bit if encipher/decipher only weren't checked
2017-02-16 13:26:56 -08:00
kevgliss cf6ad94509 Adjusting the way that certificates are requested. (#643)
* Adjusting the way that certificates are requested.

* Fixing tests.
2017-02-16 13:24:05 -08:00
Gus E 08bb9c73a0 allow attributes to be excluded from a cert subject (#690)
* allow more flexibility in cert subject name

* clean up logic/remove unnecessary code
2017-02-16 13:21:52 -08:00
Neil Schelly 8e49194764 Issue 688 cert templates (#689)
* subAltNames were getting wiped out every time a template was selected

* isCritical variables aren't presented in the UI, nor is this information used in determining to use them.
2017-02-10 12:43:41 -08:00
kevgliss 8afcb50a39 Fixing the re-issuance process. Ensuring that certificates that are r… (#686)
* Fixing the re-issuance process. Ensuring that certificates that are re-issued go through the normal schema validation.

* Fixing tests.
2017-02-03 11:21:53 -08:00
Nevins 0326e1031f adding generic OAuth2 provider (#685)
* adding support for Okta Oauth2

* renaming to OAuth2

* adding documentation of options

* fixing flake8 problems
2017-02-03 10:36:49 -08:00
Neil Schelly 117009c0a2 Lemur cryptography refactor and updates (#668)
* Renaming the function so it sounds less root-specific

* Refactoring lemur_cryptography
* Adding to the certificate interface an easy way to request the subject and public_key of a certificate
* Turning the create authority functionality into a wrapper of creating a CSR in the certificate codebase and issueing that certificate in this plugin. (Dependent on https://github.com/Netflix/lemur/pull/666 changes first)
* Ensuring that intermediate certificates and signed certificates retain their chain cert data

* Handling extensions that are the responsibility of the CA
Implementing authority_key_identifier for lemur_cryptography signatures and including skeletons of handling the certificate_info_access and crl_distribution_points

* Fixing errors found with linter

* Updating plugin unit tests

* Changing this for Python3. Underlying cryptography library expects these to be bytes now.

* Updating tests to match new function names/interfaces

* Another naming update in the plugin tests

* Appears that create_csr won't like this input without an owner.

* Undoing last commit and putting it into the right place this time.

* create_csr should be good now with these options, and chain certs will be blank in tests

* This won't be blank in issue_certificate, like it will in creating an authority.

* Much cleaner

* unnecessary import
2017-02-01 10:34:24 -08:00
kevgliss 317b7cabb3 Ensuring usage matched OIDs. (#681) 2017-01-28 23:22:20 -08:00
kevgliss a59bc1f436 Fixes (#680)
* Adding some additional logging.
2017-01-28 16:40:37 -08:00
kevgliss c24810b876 Modifying variable to fit epextions. (#679) 2017-01-28 14:07:12 -08:00
kevgliss bc94353850 Closes #648, also fixes several issues #666. (#678) 2017-01-27 21:05:25 -08:00
Neil Schelly f13a3505f3 X509 extensions issue#646 (#666)
* Allowing that create_csr can be called with an additional flag in the csr_config to adjust the BasicConstraints for a CA.

* If there are no SANs, skip adding a blank list of SANs.

* Adding handling for all the extended key usage, key usage, and subject key identifier extensions.

* Fixing lint checks. I was overly verbose.

* This implements marshalling of the certificate extensions into x509 ExtensionType objects in the schema validation code.

* Will create x509 ExtensionType objects in the schema validation stage
* Allows errors parsing incoming options to bubble up to the requestor as ValidationErrors.
* Cleans up create_csr a lot in the certificates/service.py
* Makes BasicConstraints _just another extension_, rather than a hard-coded one
* Adds BasicConstraints option for path_length to the UI for creating an authority
* Removes SAN types which cannot be handled from the UI for authorities and certificates.
* Fixes Certificate() object model so that it doesn't just hard-code only SAN records in the extensions property and actually returns the extensions how you expect to see them. Since Lemur is focused on using these data in the "CSR" phase of things, extensions that don't get populated until signing will be in dict() form.* Trying out schema validation of extensions
2017-01-27 12:31:29 -08:00
Tom Lianza 4af871f408 Added migration to cover what seem to be missing fields. (#676) 2017-01-27 09:07:20 -08:00
Nevins 162d5ccb62 Gracefully handle importing certificates with missing data (#674)
* fixing index out of range issue

* catching exceptions is common values aren't set

* fixing lint errors

* fixing unrelated lint/import error
2017-01-24 13:48:53 -08:00
Neil Schelly f353956353 Many fixes to authority/certificate extensions pages (#659)
* Aligning certificate creation between authority and certificate workflows
* Correctly missing and mis-named fields in schemas
* Re-ordering KeyUsage and ExtendedKeyUsage for consistency and clarity
* Adding client authentication to the authority options.

* Missing blank lines for pyflakes linting

* Updating tests for new fields/names/typos
2017-01-18 14:31:17 -08:00
Neil Schelly 02cfb2d877 Stealing this code form the attachSubAltName function in the certificates workflow. (#655)
The function was wiping out any extensions that weren't SAN names from the authority UI.
2017-01-18 14:24:15 -08:00
Neil Schelly 1b6f88f6fd Fixing handling of adding custom OIDs in UI (#653)
* is_critical wasn't in the schema, so was getting dropped.
* isCritical in the Javascript wasn't getting assigned if it was unchecked. Now, it will be assumed false if missing.
* The display of critical or not in the list of added custom OIDs was unclear when it was just true/false with no heading. Now it will be displayed as critical or nothing instead.
* The namespace for the checkbox for isCritical was wrong, and didn't get processed with the oid/type/value variables.
2017-01-18 14:20:44 -08:00
Neil Schelly 25340fd744 Combining Authority Key Identifier extension options in the schema. (#651)
* Combining Authority Key Identifier extension options in the schema.
This makes processing them in the cert/csr generation stage make more sense because they are two options in the same x.509 extension. They were already in the same part of the schema for authorities, but this makes the certificates follow the same pattern, and it allows them to share the same schema/validation layout.

* Updating schema tests to match changes

* Fixing an idiot typo

* I promise to stop using Travis as a typo-corrector soon.
2017-01-18 14:16:19 -08:00
Neil Schelly 7f2b44db04 Correcting grammar for subca ValidationError message for clarity (#657) 2017-01-18 12:34:16 -08:00
kevgliss d67b6c6120 Chains are not always a given. (#645) 2017-01-08 17:27:50 -08:00
kevgliss 83128f3019 Fixing elb sync issues. (#641)
* Fixing elb sync issues.

* Fixing de-duplications of names.
2017-01-05 16:06:34 -08:00
kevgliss 7aa5ba9c6b Fixing an IAM syncing issue. Were duplicates were not properly sync'd… (#638)
* Fixing an IAM syncing issue. Were duplicates were not properly sync'd with Lemur. This resulted in a visibility gap. Even 'duplicates' need to sync'd to Lemur such that we can track rotation correctly. Failing on duplicates lead to missing those certificates and the endpoints onto which they were deployed. This commit removes the duplicate handling altogether.

* Fixing tests.
2017-01-04 17:46:47 -08:00
kevgliss e5dee2d7e6 Adding additional metrics for when destinations fail to upload. (#637) 2016-12-28 09:52:23 -08:00
kevgliss b0232b804e Removing cloned date defaults. (#636) 2016-12-27 11:35:53 -08:00
kevgliss de7cec35c6 Clean refactor (#635)
* Adding rotation to the UI.

* Removing spinkit dependency.

* refactoring source cleaning
2016-12-27 10:31:33 -08:00
kevgliss 700c57b807 Rotation ui (#633)
* Adding rotation to the UI.

* Removing spinkit dependency.
2016-12-26 15:55:11 -08:00
kevgliss ce75bba2c3 Replacement refactor. (#631)
* Deprecating replacement keyword.

* Def renaming.
2016-12-26 11:09:50 -08:00
kevgliss 46f8ebd136 Modifying the way rotation works. (#629)
* Modifying the way rotation works.

* Adding docs.

* Fixing tests.
2016-12-23 13:18:42 -08:00
kevgliss f8279d6972 Fixes a bug where pagination was incorrect. (#628) 2016-12-21 18:39:21 -08:00
kevgliss 072ca4da4f Adding some additional output to rotation command. (#627) 2016-12-21 13:34:14 -08:00
kevgliss 8c5c30dfd4 Adding some additional output to expiration command. (#626) 2016-12-21 11:01:21 -08:00
kevgliss 74723d1a1f Adding ability to modify ELBv2 endpoints. (#624) 2016-12-21 08:23:14 -08:00
kevgliss cdcae4efb0 Closes #594 (#621) 2016-12-20 14:26:39 -08:00
kevgliss f7c795c7f6 Closes #577. (#622) 2016-12-20 14:26:29 -08:00
kevgliss beba2ba092 Adding additional reporting and refactoring existing setup. (#620) 2016-12-20 12:48:14 -08:00
kevgliss 9ac10a97ce Fix acme tests (#619)
* Ensures that in-active users are not allowed to login.

* Ensuring acme issuer loads correctly.
2016-12-19 22:59:23 -08:00
kevgliss 2f5f82d797 Ensures that in-active users are not allowed to login. (#618) 2016-12-19 22:58:57 -08:00
kevgliss c7fdb2acd7 adding required variables (#611) 2016-12-18 18:21:22 -08:00
kevgliss 51c7216b70 Fixing configuration value. (#610)
* Fixing and configuration value.

* Pinning fake factory.
2016-12-18 18:21:12 -08:00
Marti Raudsepp 0f3ffaade0 Fall back to CN for CA name when organization is not available (#607)
In-house CAs may not have the organization field filled out.
2016-12-16 16:27:25 -08:00
kevgliss 156b98f7f0 Ensuring that rotation only happens for certificates with endpoints to rotate. (#606) 2016-12-15 15:20:21 -08:00
kevgliss a09faac9a7 Endpoint sync fixes (#604) 2016-12-15 10:26:59 -08:00
kevgliss d20c552248 Fixing issues with rotation. (#603)
* Fixing issues with rotation.

* Fixing tests
2016-12-14 17:30:13 -08:00
Marti Raudsepp b327963925 Plugin base classes: update method signatures & fix raise (#598)
This way IDEs can verify method overrides in subclasses, otherwise these
are flagged as erroneous.

Changed base classes to properly raise NotImplementedError; previously
they would cause "TypeError: exceptions must derive from BaseException"

Also fixed exception handling in sources.service.clean().
2016-12-14 13:42:29 -08:00
Marti Raudsepp 1eb3d563c6 Fix error reporting for certs without private key (#599) 2016-12-14 13:25:56 -08:00
kevgliss 02991c70a9 Allow Lemur "start" to use the global config. (#596)
* allowing our runserver to use the config specified by -c

* Maintaining config for gunicorn
2016-12-14 13:23:50 -08:00
Marti Raudsepp 71ddbb409c Minor documentation fixes/tweaks (#597)
Mostly typos, grammar errors and inconsistent indentation in code
examples.

Some errors detected using Topy (https://github.com/intgr/topy), all
changes verified by hand.
2016-12-14 09:29:04 -08:00
kevgliss 565c9ae98d adding missing init (#587) 2016-12-13 09:21:31 -08:00
kevgliss 03d5a6cfe1 Refactors how notifications are generated. (#584) 2016-12-12 11:22:49 -08:00
kevgliss 1c3ac21291 Ensuring the digicert session is handled correctly (#579) 2016-12-11 08:38:59 -08:00
kevgliss 968dd52f6f Fixes (#576)
* Fixing email notification

* Adding endpoint expiration

* Fixing endpoint type for ELBs

* Allowing verisign to include additional SANs
2016-12-08 15:52:27 -08:00
kevgliss a4b32b0d31 Fixing up notification testing (#575) 2016-12-08 11:33:40 -08:00
kevgliss be1415fbd4 Ensuring new cli is available (#574) 2016-12-08 09:11:19 -08:00
kevgliss b5901a1570 adding needed migration files (#573) 2016-12-07 17:31:59 -08:00
kevgliss bdc6dc8683 Fixing a bug were extensions got a default value (#572) 2016-12-07 17:28:18 -08:00
kevgliss 5087fa67dc skipping a few tests that aren't ready yet (#571) 2016-12-07 16:52:00 -08:00
kevgliss fc205713c8 Certificate rotation enhancements (#570) 2016-12-07 16:24:59 -08:00
kevgliss 9adc5ad59e Adding last updated time (#569) 2016-12-07 15:43:57 -08:00
kevgliss f63ccd033d Ensuring that endpoints without output_schema work as expected (#568) 2016-12-07 15:40:29 -08:00
kevgliss 00da52f32e Ensuring that CSRs are correctly validated under python3 (#565) 2016-12-06 12:25:43 -08:00
kevgliss e94cf6ddc9 Ensuring that certificates returned from digicert are in the proper format (#564) 2016-12-06 12:05:18 -08:00
kevgliss 81272a2f7a Moving validation to server start. (#563) 2016-12-05 16:43:38 -08:00
kevgliss e622a49b72 Adding better error handling around certificate rotation (#562) 2016-12-05 15:12:55 -08:00
kevgliss 9030aed8a4 Ensuring that our syncing process can find duplicate certifcates that do no need to be sync'd (#560) 2016-12-05 11:08:29 -08:00
kevgliss 344abbda66 fixing signature (#556) 2016-12-02 13:48:50 -08:00
kevgliss 834814f867 adding additional status code metrics (#555) 2016-12-02 13:02:59 -08:00
kevgliss 7f823a04cd Ensuring that acme and cryptography respect different key types (#554) 2016-12-02 10:54:18 -08:00
kevgliss 0f5e925a1a Ensuring that default-issuer is set (#553) 2016-12-02 09:54:16 -08:00
kevgliss a40bc65fd4 Default authority. (#549)
* Enabling the specification of a default authority, if no default is found then the first available authority is selected

* PEP8

* Skipping tests relying on keytool
2016-12-01 15:42:03 -08:00
kevgliss 81bf98c746 Enabling RSA2048 and RSA4096 as available key types (#551)
* Enabling RSA2048 and RSA4096 as available key types

* Fixing re-issuance
2016-12-01 15:41:53 -08:00
kevgliss e1bbf9d80c Improving endpoint rotation logic (#545) 2016-11-30 15:11:17 -08:00
kevgliss abb91fbb65 fixing a few minor issue with cloning (#544) 2016-11-30 10:54:53 -08:00
kevgliss f9b16a2110 csr as string (#542) 2016-11-29 18:50:20 -08:00
kevgliss 588ac1d6a6 Digicert cis fixes (#540) 2016-11-29 17:15:39 -08:00
kevgliss 058d2938fb migrating off of openssl (#539) 2016-11-29 11:30:44 -08:00
kevgliss 3db3214cbe installing the digicert CIS plugin (#537) 2016-11-29 10:02:40 -08:00
kevgliss bfc80f982c minor fixes and downgrading requests (#535) 2016-11-28 16:50:26 -08:00
kevgliss 727bc87ede Log fixes (#534)
* tying up some loose ends with event logging

* Ensuring creators can access
2016-11-28 14:13:16 -08:00
kevgliss e2143d3ee8 tweaking the way data is returned (#532) 2016-11-28 12:29:03 -08:00
kevgliss b46ff4158a Initial workon the digicert high issuance api. (#531) 2016-11-28 10:50:58 -08:00
kevgliss 250558baf3 Ensuring that authority owners can access certificates issued by that… (#526)
* Ensuring that authority owners can access certificates issued by that authority
2016-11-25 20:35:07 -08:00
kevgliss 8e5323e2d7 migrating flask imports (#525) 2016-11-22 21:11:20 -08:00
kevgliss d5d036b412 adding a work around for new gunicorn (#523) 2016-11-22 16:47:29 -08:00
kevgliss 9d03e75d9b tweaking a few things to support the new marshmallow (#522) 2016-11-22 15:14:19 -08:00
kevgliss 06a3f3ea0d version bump (#520) 2016-11-21 15:29:31 -08:00
kevgliss 12ae0a587d teaking the way exceptions are handled (#519) 2016-11-21 15:26:17 -08:00
kevgliss b3aa057d58 Upgrade deps. (#517) 2016-11-21 14:29:20 -08:00
kevgliss dd6d332166 Removing python2 compatibility. (#518) 2016-11-21 14:03:04 -08:00
kevgliss 6eca2eb147 Re-working the way audit logs work.
* Adding more checks.
2016-11-21 11:28:11 -08:00
kevgliss 744e204817 Initial work on #74. (#514)
* Initial work on #74.

* Fixing tests.

* Adding migration script.

* Excluding migrations from coverage report.
2016-11-21 09:19:14 -08:00
kevgliss d45e7d6b85 [WIP] - 422 elb rotate (#493)
* Initial work on certificate rotation.

* Adding ability to get additional certificate info.

* - Adding endpoint rotation.
- Removes the g requirement from all services to enable easier testing.
2016-11-18 11:27:46 -08:00
kevgliss 6fd47edbe3 Adds the ability to clone existing certificates. (#513) 2016-11-17 16:19:52 -08:00
kevgliss a616310eb7 Fixing an issue were aws certificates plugins might not have a chain. (#512) 2016-11-17 14:47:10 -08:00
kevgliss 2130029f90 Adding new notification templates. (#511) 2016-11-17 14:16:59 -08:00
kevgliss d11f254476 Closes: #469 (#510) 2016-11-17 12:16:30 -08:00
kevgliss a9361fe428 Endpoints should be visible to all. (#508) 2016-11-17 10:45:26 -08:00
kevgliss 5345170a4f Ensuring that the passed in configuration has precedence over the environment config. (#507) 2016-11-17 09:31:37 -08:00
Sakti Dwi Cahyono 520404c215 fix string -> byte conversion on python2 (#472) 2016-11-16 16:03:38 -08:00
kevgliss 9ac1756011 removing new 'active' logic for the time being (#505) 2016-11-16 15:56:24 -08:00
kevgliss 851d74da3d Ensuring that private key is in string format before it gets stored (#504)
* Ensuring that private key is in string format before it gets stored

* Fixing failing test.
2016-11-16 15:05:25 -08:00
kevgliss 3f2691c5d4 Minor fixes. (#502) 2016-11-16 13:23:35 -08:00
kevgliss eaf34b1c8b Disabling the protect active flag (#498) 2016-11-16 09:31:02 -08:00
kevgliss e9219adfb5 Ensuring model's have a basic __repr__. (#499) 2016-11-16 09:30:54 -08:00
kevgliss 9eddaf66cb adding human readable string (#500) 2016-11-16 09:30:46 -08:00
kevgliss 0a29a3fa2a Adding release notes. (#459) 2016-11-15 16:44:40 -08:00
kevgliss 9bb0787410 Ensuring that duplicates are migrated correctly. (#496)
* Ensuring that duplicates are migrated correctly.

* fixing typo
2016-11-15 16:43:45 -08:00
JohnTheodore dd14fd202d clean out ADMINS references (#495)
* add variables to the documentation forwq oauth2

* remove old reference to ADMINS to get rid of any confusion
2016-11-15 16:43:28 -08:00
kevgliss 114deba06e Adding the ability to silence notifications on creation. (#490) 2016-11-12 09:29:42 -08:00
kevgliss 0334f1094d fixing documentation typo (#489) 2016-11-11 13:35:24 -08:00
kevgliss 7af68c3cc0 Adding additional metric gathering for failed sync operations. (#488) 2016-11-11 13:28:01 -08:00
kevgliss 953d3a08e7 Adding example request to documentation. (#487) 2016-11-11 12:54:12 -08:00
kevgliss 94d619cfa6 Minor errors. (#484) 2016-11-10 14:34:45 -08:00
kevgliss 89470a0ce0 Adding default validity and retry logic. (#483) 2016-11-10 11:23:37 -08:00
kevgliss e6b291d034 Time (#482)
* adding python 3.5 as a target

* adding env flag

* Aligning on arrow dates.
2016-11-09 10:56:22 -08:00
kevgliss 25a6c722b6 Adding digicert documentation. (#480) 2016-11-08 14:56:05 -08:00
kevgliss 67a5993926 fixing type in ciphers (#479) 2016-11-08 12:23:21 -08:00
kevgliss aa979e31fd Digicert plugin (#478)
* Initial work on digicert plugin.

* Adding certificate pickup, to digicert plugin.

* Removing and rotating test api key.
2016-11-07 14:40:00 -08:00
kevgliss b74df2b3e4 Minor changes for python3. (#477) 2016-11-07 14:33:07 -08:00
kevgliss 4afedaf537 Fixes (#476)
* Ensures that Vault can accept bytes and strings.

* Make restricted domains optional.

* Fixing notify flag.
2016-11-04 09:16:41 -07:00
Neil Schelly 2b79474060 Trying this to fix defaulting org to Netflix (#475) 2016-11-02 09:12:47 -07:00
kevgliss a6360ebfe5 Adding pending certificate metric. (#473) 2016-11-01 14:24:45 -07:00
kevgliss d99681904e Fixing test to take python3 into account. (#460)
* Fixing test to take python3 into account.
2016-10-31 17:02:08 -07:00
kevgliss 1ac1a44e83 San alt name (#468) 2016-10-31 11:00:15 -07:00
cviecco 490d5b6e6c python2.x .base64url_decode has a single parameter and incoming data is utf-8.. need to convert so string (#463) 2016-10-26 00:50:00 -07:00
Terin Stock 4b7fc8551c fix(web): send JSON for all errors (#464)
Configure werkzeug to output JSON error messages for the benefit of
downstream clients. This also allows for metrics collection in all cases
where werkzeug is outputting an exception.
2016-10-26 00:46:43 -07:00
Charles Hendrie cd9c112218 Implement a CFSSL issuer plugin (#452)
* Implement CFSSL issuer plugin

Implement a Lemur plugin for generating certificates from the open
source certificate authority CFSSL
(https://github.com/cloudflare/cfssl). The plugin interacts with CFSSL
through the CFSSL REST API. The CFSSL configuration is defined in the
lemur.conf.py property file using property names prefixed with "CFSSL_".

* Update documentation to include CFSSL plugin
2016-10-22 00:52:18 -07:00
kevgliss a8f44944b1 Closes #415 2016-10-17 23:23:14 -07:00
kevgliss d31c9b19ce Closes #412. Allows 'name' be a valid attribute to specify a role. (#457) 2016-10-16 03:56:13 -07:00
kevgliss fb178866f4 Fixes an issue with the source tests failing. (#456) 2016-10-16 03:55:37 -07:00
kevgliss f921b67fff Removing the ability to use spaces in custom names. (#455) 2016-10-15 04:56:25 -07:00
kevgliss c367e4f73f Prevents the silencing of notifications that are actively deployed. (#454)
* Renaming 'active' to 'notify' as this is clearer and more aligned to what this value is actually controlling. 'active' is now a property that depends on whether any endpoints were found to be using the certificate. Also added logic for issue #405 disallowing for a certificates' notifications to be silenced when it is actively deployed on an endpoint.

* Adding migration script to alter 'active' column.
2016-10-15 00:12:11 -07:00
kevgliss dcb18a57c4 Adds option to restrict certificate expiration dates to weekdays. (#453)
* Adding ability to restrict certificate creation to weekdays.

* Ensuring that we test for weekends.
2016-10-15 00:04:35 -07:00
Mike Grima 10d833e598 Added Symantec plugin error checking for invalid domain suffix (#449) 2016-10-13 15:23:56 -07:00
kevgliss 708d85abeb Fixes a bug where certificates discovered by lemur's source plugins were not given the appropriate default notifications. (#447) 2016-10-11 21:08:13 -07:00
kevgliss ee028382df Show only roles that the user is a member of, in list view, for other views show all roles such that certificates and authorities can be shared across teams/groups. (#446) 2016-10-11 17:56:38 -07:00
kevgliss c05a49f8c9 Fixes an issuer where a member of a role is not able to add new users to said role. (#445) 2016-10-11 17:24:15 -07:00
Charles Hendrie f179e74a4a Fix Java export default password generator (#441)
When exporting a certificate, the password is an optional parameter.
When a password is not supplied by the caller, a default password is
generated by the method. The generation library creates the random
password as a bytes object. The bytes object raises an error in the
'keytool' command used to export the certificate. The keytool is
expecting the password to be a str object.

The fix is to decode the generated password from a bytes object to a str
object.

The associated Java plugin tests have been updated to verify the export
method returns the password as a str object. In addition, the tests have
been updated to correctly test the export methods response object. The
original tests treated the response as a single object. The current
export methods return a tuple of data (type, password, data).

In order to make the tests compatible with both Python2 and Python3, the
'six' library was used to test the password is in fact a string.
2016-10-10 22:43:23 -07:00
Charles Hendrie 9065aa3750 Update the private key regex validation (#435)
* Update the private key regex validation

Private keys provided by the Let's Encrypt certificate authority as part
of their certificate bundle fail the import/upload certificate private
key validation. The validation is looking for a specific character
sequence at the begin of the certificate. In order to support valid
Let's Encrypt private keys, the regex has been updated to check for both
the existing sequence and the Let's Encrypt character sequence.

Example Let's Encrypt private key:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvsiwV8A5+r0tQ
QzUAJO0DfoEb9tMWvoFi0DLs9tx88IwMqItPPl9+RNzQnv9qqZR1h4W97sxP8aWY
...
AeS667IJO/2DMKaGiEldaVZtgqdUhCL8Rm4XUFVb1GjLa03E4VRU6W7eQ4hgT2a7
cHDAR8MiovNyfT0fm8Xz3ac=
-----END PRIVATE KEY-----

* Add private key regex for footer

Update the import/upload private key validation regex to verify both the
header and footer are matching.
2016-10-10 22:42:09 -07:00
kevgliss 96e42c793e Refactors the default notification option. Also ensures that notifications and destinations are easier to test. (#437) 2016-10-09 00:06:53 -07:00
kevgliss 72a390c563 Ensure the openssl and cryptography work under python3. (#438) 2016-10-09 00:06:15 -07:00
kevgliss a19c918c68 Closes #411 (#439) 2016-10-09 00:06:03 -07:00
Charles Hendrie 5cbf5365c5 Active S3 destination plugin (#433)
* Activate the AWS S3 destination plugin

Add the AWS S3 destination plugin to the list of available Lemur
plugins.

Update the S3 destination plugin's "accountNumber" option to be of type
'str' to handle account numbers starting with zeros.

Update Lemur's utils for parsing certificates to correctly encode the
X509 certificates before loading for python3.

* Add S3 destination plugin test

Added simple test to verify S3 destination plugin is available.
2016-10-08 17:06:20 -07:00
Charles Hendrie 3ad7a37f95 Fix import certificate private key encoding (#434)
When importing a certificate, the private key is passed to the
import/upload process from the UI as a str object. In Python3 this
raises two issues when processing the private key - the private key
validation fails and database insert of the certificate fails.

The fix in both cases is to correctly encode the private key as a bytes
object.
2016-10-08 17:04:54 -07:00
Mike Grima 6cac2838e3 Fix for missing profile pic. (#429) 2016-09-27 13:02:01 -07:00
Charles Hendrie fbbf7f90f6 Fix test certificates module hanging issue (#427)
* Fix test certificates module hanging issue

When executing the lemur/tests/test_certificates.py module's tests, all
tests are executed, but the test process appears to hang and never
completes with the display of the results for the tests.

The hanging issue is traced to the two test methods:
test_import(logged_in_user) and test_upload(logged_in_user). The issue
has to do with the test methods' using the logged_in_user(app) fixture from
the conftest.py module as the method parameter.

The test methods at issue require the session, db, and app fixtures to
be initialized for the tests to complete successfully. The
logged_in_user() fixture only initializes the app fixture. Updating the
test_import() and test_upload() methods parameters to be the "session"
fixture fixes the hanging issue and the tests complete successfully.

This is the command being used to execute the tests...
$ py.test -s -v lemur/tests/test_certificates.py

* Update fix for test certificates hanging issue

Based on feedback from the original pull request for this fix, added the
session fixture to the logged_in_user fixture and reverted the
test_import() and test_upload() methods to use the logged_in_user
(instead of the session fixture).
2016-09-27 13:01:37 -07:00
Terin Stock 1ea75a5d2d fix(certificates): import re module (#428) 2016-09-21 22:54:46 -07:00
Terin Stock 39645a1a84 feat(certificates): add support for restricted domains (#424)
Lemur's documentation already mentions LEMUR_RESTRICTED_DOMAINS, a list
of regular expressions matching domains only administrators can issue
certificates for. An option to mark domains as sensitive existed in the
API, however the configuration option was not implemented.

Now both ways of sensitivity are checked in the same place.
2016-09-12 16:59:14 -07:00
kevgliss a60e372c5a Ensuring that password hashes are compared correctly under python3 2016-09-07 13:25:51 -07:00
kevgliss 76cece7b90 Ensuring that private keys are retrieved correctly under python3. (#422) 2016-09-07 12:34:50 -07:00
kevgliss ca2944d566 Ensuring the inactive certificates are not alerted on. (#418) 2016-08-29 15:46:35 -07:00
kevgliss 53d0636574 Python3 (#417)
* Fixing tests.

* Fixing issue where decrypted credentials were not returning valid strings.

* Fixing issues with python3 authentication.
2016-08-29 08:58:53 -07:00
kevgliss 7e6278684c Python3 (#416)
* Fixing issue where decrypted credentials were not returning valid strings.
2016-08-26 16:02:23 -07:00
kevgliss 2d7a6ccf3c Owner email (#414)
* Ensuring python2 works with unicode strings.

* adding in owner DN

* fixing tests

* Upgrading requests.

* Fixing tests.
2016-08-25 10:09:46 -07:00
kevgliss 18b99c0de4 Fixing an issue where openssl can't find the certificates to create PKCS12 files (#408) 2016-08-17 10:33:59 -07:00
kevgliss 29a330b1f4 Orphaned certificates (#406)
* Fixing whitespace.

* Fixing syncing.

* Fixing tests
2016-07-28 13:08:24 -07:00
kevgliss a644f45625 Adding some simplified reporting. (#403)
* Adding issuance report.

* Fixing whitespace.
2016-07-27 12:41:32 -07:00
kevgliss 3db669b24d Ensuring that the temporary certificate is created correctly (#400) 2016-07-12 18:07:11 -07:00
kevgliss f38868a97f Fixing various problems with the syncing of endpoints, throttling sta… (#398)
* Fixing various problems with the syncing of endpoints, throttling stale endpoints etc.
2016-07-12 08:40:49 -07:00
kevgliss 4f3dc5422c Allowing the role-user associated to be updated. (#396)
* Allowing the role-user associated to be updated.

* Fixing tests

* Fixing tests, for real.
2016-07-07 13:03:10 -07:00
kevgliss 1ba7181067 Fixed an issue were default notifications were added even when updati… (#395)
* Fixed an issue were default notifications were added even when updating a certificate, resulting in duplicate notifications.

* Ensuring imported certificates get the same treatment.
2016-07-07 11:44:11 -07:00
kevgliss 74bf54cb8f Slack spruce up (#394)
* Formatting slack message.

* Tweaking tests.
2016-07-06 10:27:13 -07:00
kevgliss d4732d3ab0 Closes #335. (#392) 2016-07-04 16:08:16 -07:00
kevgliss cb9631b122 Closes #356. (#391) 2016-07-04 15:38:51 -07:00
kevgliss 4077893d08 Ensuring that destinations require private keys by default. (#390)
* Ensuring that destinations require private keys by default.
2016-07-04 15:30:20 -07:00
kevgliss 4ee1c21144 Closes #372 (#389)
* Closes #372
2016-07-04 14:32:46 -07:00
kevgliss c8eca56690 Closes #366 (#387) 2016-07-04 13:03:46 -07:00
kevgliss 300e2d0b7d Adding plugin tests. (#385)
* Adding plugin tests.

* Fixing some python 2/3 incompatibilities.
2016-07-01 11:32:19 -07:00
kevgliss e34de921b6 Target Individuals for Certificates (#384)
* Allowing individual users to be targeted for a role.

* Ensuring that even new users get a per user-role
2016-07-01 09:04:39 -07:00
kevgliss 9aec899bfd Fixing a few errors.
* Fixing organizational_unit and common name

* FIxing organization name and allow creaters to view CA.
2016-06-29 16:16:37 -07:00
kevgliss 54b888bb08 Adding a toy certificate authority. (#378) 2016-06-29 09:05:39 -07:00
kevgliss eefff8497a Adding a new default issuer. 2016-06-28 17:46:26 -07:00
kevgliss ecbab64c35 Adding endpoint migration script. (#376) 2016-06-28 16:12:56 -07:00
kevgliss c8447dea3d Fixing a few issues with startup. (#374) 2016-06-28 14:28:05 -07:00
kevgliss 5021e8ba91 Adding ACME Support (#178) 2016-06-27 15:57:53 -07:00
kevgliss f846d78778 S3 destination (#371) 2016-06-27 15:11:46 -07:00
kevgliss fe9703dd94 Closes #284 (#336) 2016-06-27 14:40:46 -07:00
mik373 b44a7c73d8 Kubernetes desination plugin (#357)
* Kubernetes desination plugin

* fixing build warnings

* fixing build warnings
2016-06-27 14:40:01 -07:00
kevgliss 19b928d663 Fixes #367 2016-06-23 13:29:59 -07:00
kevgliss daea8f6ae4 Bug fixes (#355)
* we should not require password to update users

* Fixing an issue were roles would not be added.
2016-06-13 17:22:45 -07:00
Roi Martin 41d1fe9191 Using UTC time in JWT token creation (#354)
As stated in PyJWT's documentation [1] and JWT specification [2][3], UTC
times must be used. This commit fixes JWT decoding in servers not using
UTC time.

[1] https://pypi.python.org/pypi/PyJWT/1.4.0
[2] https://tools.ietf.org/html/rfc7519#section-4.1.6
[3] https://tools.ietf.org/html/rfc7519#section-2
2016-06-13 11:18:07 -07:00
Mike Grima 9a653403ae Fix for Issue #352. 2016-06-08 16:41:31 -07:00
kevgliss 77f13c9edb Fixing issue were, after a user changes their mind validity years wil… (#349) 2016-06-06 12:11:40 -07:00
kevgliss d9cc4980e8 Fixing destination upload. (#347)
* Fixing an issue where uploaded certificates would have a name of 'None'

* Clarifying comment.

* Improving order.
2016-06-03 18:45:58 -07:00
kevgliss 5e987fa8b6 Adding additional data migrations. (#346) 2016-06-03 17:56:32 -07:00
kevgliss 42001be9ec Fixing the way filters were toggled. (#345) 2016-06-03 09:24:17 -07:00
kevgliss dc198fec8c Docs (#344)
* Adding release info.

* adding some fields

* Adding Source Plugin change.

* Updating docs
2016-06-03 08:28:09 -07:00
kevgliss acd47d5ec9 Fixing an issue were authorities were not related to their roles (#342) 2016-06-02 09:07:17 -07:00
kevgliss 72e3fb5bfe Fixing several small issues. (#341)
* Fixing several small issues.

* Fixing tests.
2016-06-01 11:18:00 -07:00
kevgliss b2539b843b Fixing and error causing duplicate roles to be created. (#339)
* Fixing and error causing duplicate roles to be created.

* Fixing python3

* Fixing python2 and python3
2016-05-31 15:44:54 -07:00
kevgliss be5dff8472 Adding a visualization for authorities. (#338)
* Adding a visualization for authorities.

* Fixing some lint.

* Fixing some lint.
2016-05-30 21:52:34 -07:00
kevgliss 76037e8b3a Fixing certificate names. (#337) 2016-05-27 12:00:10 -07:00
kevgliss 11f4bd503b Fixes (#332)
* Ensuring domains are returned correctly.

* Ensuring certificates receive owner role
2016-05-24 17:10:19 -07:00
kevgliss 6688b279e7 Fixing some bad renaming. (#331) 2016-05-24 10:43:40 -07:00
kevgliss 1ca38015bc Fixes (#329)
* Modifying the way roles are assigned.

* Adding migration scripts.

* Adding endpoints field for future use.

* Fixing dropdowns.
2016-05-23 18:38:04 -07:00
kevgliss 656269ff17 Closes #147 (#328)
* Closes #147

* Fixing tests

* Ensuring we can validate max dates.
2016-05-23 11:28:25 -07:00
kevgliss bd727b825d Making roles more apparent for certificates and authorities. (#327) 2016-05-20 12:48:12 -07:00
kevgliss e04c1e7dc9 Fixing a few things, adding tests. (#326) 2016-05-20 09:03:34 -07:00
kevgliss 615df76dd5 Closes 262 (#324)
Moves the authority -> role relationship from a 1 -> many to a many -> many. This will allow one role to control and have access to many authorities.
2016-05-19 13:37:05 -07:00
kevgliss 112c6252d6 Adding password reset command to the cli. (#325) 2016-05-19 10:07:15 -07:00
kevgliss b13370bf0d Making dropdowns look a bit better. (#322)
* Making dropdowns look a bit better.

* Pleasing Lint.
2016-05-19 09:04:50 -07:00
kevgliss 88aa5d3fdb Making nested notifications less verbose (#321) 2016-05-19 08:48:55 -07:00
kevgliss b187d8f836 Adding a better comparison. (#320) 2016-05-16 19:03:10 -07:00
kevgliss 1763a1a717 254 duplication certificate name (#319) 2016-05-16 15:59:40 -07:00
kevgliss 62b61ed980 Fixing various issues. (#318)
* Fixing various issues.

* Fixing tests
2016-05-16 11:09:50 -07:00
kevgliss c11034b9bc Fixes various issues. (#317) 2016-05-16 09:23:48 -07:00
kevgliss 58e8fe0bd0 Fixes various issues. (#316) 2016-05-13 14:35:38 -07:00
kevgliss a0c8765588 Various bug fixes. (#314) 2016-05-12 12:38:44 -07:00
kevgliss 9022059dc6 Marshmallowing roles (#313) 2016-05-10 14:22:22 -07:00
kevgliss 7f790be1e4 Marsmallowing users (#312) 2016-05-10 14:19:24 -07:00
kevgliss 93791c999d Marsmallowing destinations (#311) 2016-05-10 13:43:26 -07:00
kevgliss 5e9f1437ad Marsmallowing sources (#310) 2016-05-10 13:16:33 -07:00
kevgliss f9655213b3 Marshmallowing notifications. (#308) 2016-05-10 11:27:57 -07:00
kevgliss 008d608ec4 Fixing error in notifications. (#307) 2016-05-09 17:35:18 -07:00
kevgliss 78c8d12ad8 Cleaning up the way authorities are selected and upgrading uib dependencies. 2016-05-09 17:17:00 -07:00
kevgliss df0ad4d875 Authorities marshmallow addition (#303) 2016-05-09 11:00:16 -07:00
Harm Weites 776e0fcd11 Slack plugin for notifications (#305) 2016-05-08 09:07:16 -07:00
kevgliss 6ec3bad49a Closes #278 (#298)
* Closes #278
2016-05-05 15:28:17 -07:00
kevgliss 52f44c3ea6 Closes #278 and #199, Starting transition to marshmallow (#299)
* Closes #278  and #199, Starting transition to marshmallow
2016-05-05 12:52:08 -07:00
kevgliss db8243b4b4 Closes #301 2016-05-04 16:56:05 -07:00
kevgliss 8e1b7c0036 Removing validation because regex is hard 2016-04-25 16:13:33 -07:00
kevgliss 9b0e0fa9c2 removing validtion from openssl 2016-04-25 16:11:37 -07:00
kevgliss b9fe359d23 Fixes #285 Renames sync_sources function to sync to align documentation. 2016-04-25 11:21:25 -07:00
kevgliss dbd1279226 Fixes #289 and #275 2016-04-21 16:22:19 -07:00
kevgliss 82b4f5125d Fixes an issue where custom OIDs would clear out san extensions 2016-04-11 11:17:18 -07:00
kevgliss 3f89d6d009 Merge pull request #271 from kevgliss/195
Closes #195
2016-04-08 12:01:10 -07:00
kevgliss c2387dc120 Fixes an issue where custom OIDs would clear out san extensions 2016-04-07 10:29:08 -07:00
kevgliss dbc4964e94 Fixing an issue were metrics would not be sent 2016-04-05 10:23:33 -07:00
kevgliss 62d03b0d41 Closes #216 2016-04-01 16:54:33 -07:00
kevgliss b5a4b293a9 Merge pull request #270 from kevgliss/248
Closes #248
2016-04-01 14:28:52 -07:00
kevgliss bfcfdb83a7 Closes #195 2016-04-01 14:27:57 -07:00
kevgliss 4ccbfa8164 Closes #248 2016-04-01 13:29:08 -07:00
kevgliss 2cde7336dc Closes #263 2016-04-01 13:01:56 -07:00
kevgliss 3ceb297276 Merge pull request #267 from kevgliss/261
Closes #261
2016-04-01 10:12:10 -07:00
kevgliss 5958bac2a2 Merge pull request #265 from kevgliss/257
Closes #257
2016-04-01 10:11:32 -07:00
kevgliss 47891d2953 Closes #261 2016-04-01 09:58:19 -07:00
kevgliss 939194158a Closes #257 2016-04-01 09:49:44 -07:00
kevgliss 576265e09c Closes #246 2016-04-01 09:19:36 -07:00
Mike Grima ba666ddbfa Removed deprecated auth api endpoint. 2016-02-16 15:04:53 -08:00
kevgliss ac1f493338 version bump 2016-02-05 13:12:21 -08:00
kevgliss e8e7bdf9e0 adding changelog 2016-02-05 13:00:59 -08:00
kevgliss 028d86c0bb Adding a new flag to export plugins 'requires_key' that specifies whether the export plugin needs access to the private key. Defaults to True. 2016-01-29 12:45:18 -08:00
kevgliss f8b6830013 Merge pull request #239 from kevgliss/228-filter-values
Fixing documentation for filter format
2016-01-29 11:54:13 -08:00
kevgliss 2ba48995fe Fixing documentation for filter format 2016-01-29 11:47:16 -08:00
kevgliss 3cc8ade6d8 associating new authorities with the owner roles 2016-01-29 10:59:04 -08:00
kevgliss 39c9a0a299 Merge pull request #237 from kevgliss/218_password_regex
relaxing keystore password validation
2016-01-29 10:37:49 -08:00
kevgliss 3ad317fb6d Merge pull request #236 from kevgliss/migration_script_fixups
Removing per 2.0 migration scripts
2016-01-29 10:30:41 -08:00
kevgliss bd46440d12 relaxing keystore password validation 2016-01-29 10:29:04 -08:00
kevgliss 9f8f64b9ec removing pre 2.0 migration scripts, and adding documentation for correct path during init 2016-01-29 09:22:12 -08:00
kevgliss 1e524a49c0 making 'replacements' a non-require attribute for importing. Closes #226 2016-01-29 09:02:51 -08:00
Edward Barker b36e72bfcc Minor spelling fix
Using the possessive “Your” rather than “You’re” in “Your passphrase
is:”
2016-01-12 22:04:42 -08:00
kevgliss 48f8b33d7d Adding a rolling metric count 2016-01-11 15:26:32 -08:00
kevgliss d87ace8c89 Merge pull request #211 from kevgliss/hotfix
fixing an issue were urllib does not like unicode
2016-01-11 10:38:45 -08:00
kevgliss b1326d4145 fixing an issue were urllib does not like unicode 2016-01-11 10:31:58 -08:00
kevgliss 7c2862c958 Merge pull request #210 from kevgliss/hotfix
Fixes an assumption that 'subAltNames' are always passed to the API.
2016-01-11 09:08:38 -08:00
kevgliss 0a4f5ad64d Fixing an assumption that 'subAltNames' are always passed to the API. 2016-01-10 17:33:19 -08:00
kevgliss c617a11c55 Merge pull request #209 from kevgliss/migrate_chain
Adding command to transparently rotate the chain on an ELB
2016-01-10 14:37:29 -08:00
kevgliss 053167965a Adding command to transparently rotate the chain on an ELB 2016-01-10 14:20:36 -08:00
kevgliss a7ac45b937 Merge pull request #206 from kevgliss/syncing
Fixing issue where we were seeing AWS API errors due to certificates …
2016-01-08 16:39:51 -08:00
kevgliss 5482bbf4bd Fixing issue where we were seeing AWS API errors due to certificates not having private keys and could not be uploaded or 'synced' 2016-01-07 13:42:46 -08:00
Robert Picard a1395a5808 Fix how the provider settings are passed to Satellizer 2016-01-05 17:26:09 -08:00
kevgliss 685e2c8b6d fixing typo 2016-01-05 09:40:53 -08:00
kevgliss 967c7ded8d Improving documentation layout 2015-12-31 11:12:56 -08:00
kevgliss d6917155e8 Fixing tests 2015-12-30 15:32:01 -08:00
kevgliss 3f024c1ef4 Adds ability for domains to be marked as sensitive and only be allowed to be issued by an admin closes #5 2015-12-30 15:11:08 -08:00
kevgliss 9b166fb9a9 version bump 2015-12-30 09:15:11 -08:00
kevgliss ca82b227b9 0.2.1 release info 2015-12-30 09:11:19 -08:00
Matthias Hähnel 8bb9a8c5d1 Define ACTIVE_PROVIDERS in default config
The configuration item ACTIVE_PROVIDERS must be initialized

Workaround for this error:
2015-12-30 13:58:48,073 ERROR: Internal Error [in /www/lemur/local/lib/python2.7/site-packages/flask_restful/__init__.py:299]
Traceback (most recent call last):
  File "/www/lemur/local/lib/python2.7/site-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/www/lemur/local/lib/python2.7/site-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/www/lemur/local/lib/python2.7/site-packages/flask_restful/__init__.py", line 462, in wrapper
    resp = resource(*args, **kwargs)
  File "/www/lemur/local/lib/python2.7/site-packages/flask/views.py", line 84, in view
    return self.dispatch_request(*args, **kwargs)
  File "/www/lemur/local/lib/python2.7/site-packages/flask_restful/__init__.py", line 572, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/www/lemur/lemur/auth/views.py", line 276, in get
    for provider in current_app.config.get("ACTIVE_PROVIDERS"):
TypeError: 'NoneType' object is not iterable
2015-12-30 14:56:59 +01:00
kevgliss 00cb66484b Merge pull request #188 from kevgliss/csr
Adding the ability to submit a third party CSR
2015-12-29 12:11:11 -08:00
kevgliss cabe2ae18d Adding the ability to issue third party created CSRs 2015-12-29 10:49:33 -08:00
kevgliss 3b5d7eaab6 More Linting 2015-12-27 18:08:17 -05:00
kevgliss aa2358aa03 Fixing linting 2015-12-27 18:02:38 -05:00
kevgliss a7decc1948 Fixing some issues with dynamically supporting multiple SSO providers 2015-12-27 17:54:11 -05:00
Robert Picard 60856cb7b9 Add an endpoint to return active authentication providers
This endpoint can be used by Angular to figure out what authentication
options to display to the user. It returns a dictionary of configuration
details that the front-end needs for each provider.
2015-12-22 18:03:56 -05:00
Robert Picard 350d013043 Add Google SSO
This pull request adds Google SSO support. There are two main changes:

1. Add the Google auth view resource
2. Make passwords optional when creating a new user. This allows an admin
to create a user without a password so that they can only login via Google.
2015-12-22 13:44:30 -05:00
kevgliss 6211b126a9 Fixing py3 syntax error 2015-12-18 11:01:08 -05:00
kevgliss 54c3fcc72a Adding rotate command 2015-12-17 23:17:27 -05:00
kevgliss b8c2d42cad Closes #176 2015-12-17 14:52:20 -08:00
kevgliss 2896ce0dad Closes #172 2015-12-16 08:18:01 -08:00
kevgliss 29bcde145c 0.2.1 release 2015-12-14 10:42:51 -08:00
kevgliss 6d17e4d538 Fixing templates 2015-12-04 09:51:38 -08:00
kevgliss de9478a992 Disabling one-time binding 2015-12-03 16:57:37 -08:00
kevgliss 78037dc9ec Fixing the startup port 2015-12-02 17:13:52 -08:00
kevgliss 041382b02f Version bump 2015-12-02 14:53:46 -08:00
kevgliss aa18b88a61 Making the notification email template cleaner 2015-12-01 17:13:43 -08:00
kevgliss b1e842ae47 Merge pull request #162 from kevgliss/160-startup
Closes #160
2015-12-01 10:08:03 -08:00
kevgliss e2524e43cf adding exports 2015-12-01 09:44:41 -08:00
kevgliss 6aac2d62be Closes #160 2015-12-01 09:40:27 -08:00
kevgliss 95e2636f23 Updating docs 2015-12-01 09:15:53 -08:00
kevgliss 11f2d88b16 Adding current migration files. 2015-11-30 15:43:38 -08:00
kevgliss c3091a7346 Adding missing files. 2015-11-30 14:08:17 -08:00
kevgliss 9cadebcd50 adding example requests 2015-11-30 13:51:27 -08:00
kevgliss f194e2a1be Linting 2015-11-30 10:24:53 -08:00
kevgliss ec896461a7 Adding final touches to #125 2015-11-30 09:47:36 -08:00
kevgliss 8eeed821d3 Adding UI elements 2015-11-27 13:27:14 -08:00
kevgliss 920d595c12 Initial work on #125 2015-11-25 14:54:08 -08:00
kevgliss 1c6e9caa40 Closes #144 2015-11-24 16:07:44 -08:00
kevgliss d6b3f5af81 Closes #122 2015-11-24 14:53:22 -08:00
kevgliss e14eefdc31 Added the ability to find an authority even if a user only types the name in and does not select it. 2015-11-23 16:41:31 -08:00
kevgliss f0324e4755 Merge pull request #148 from kevgliss/120-error-length
Closes #120
2015-11-23 15:25:30 -08:00
kevgliss 00f0f957c0 Lint again 2015-11-23 15:13:18 -08:00
kevgliss 9c652d784d Merge pull request #143 from kevgliss/requirements
Updating requirements
2015-11-23 14:59:31 -08:00
kevgliss eb2fa74661 Fixing test 2015-11-23 14:49:05 -08:00
kevgliss 146c599deb Lint cleanup 2015-11-23 14:47:34 -08:00
kevgliss 574c4033ab Closes #120 2015-11-23 14:30:23 -08:00
kevgliss eb0f6a04d8 Closes #140 2015-11-23 10:43:07 -08:00
kevgliss df4364714e Closes #139 2015-11-23 09:53:55 -08:00
Ryan Clough 2073090628 Use american english for consistency 2015-10-28 19:39:10 -07:00
kevgliss 0453afcb0e Fixing issuer where roles were not added correctly to user. 2015-10-26 10:59:20 -07:00
kevgliss 4b968a9474 Adding aes - fernet migration 2015-10-23 16:47:17 -07:00
Robert Picard 40eb950e94 Use MultiFernet for encryption
Facilitates key rotation and uses more secure encryption than what
sqlalchemy-utils does.

Fixes #117 and #119.
2015-10-13 16:58:58 -07:00
Robert Picard 2fc6d4cd21 Fix a handful of typos in documentation
As I was reading through the docs I made note of grammar issues and
typos I saw. Not a huge deal but might as well fix what I noticed.
2015-10-06 15:05:05 -07:00
kevgliss a20726a301 Fixing python 3.x syntax error 2015-10-06 13:11:24 -07:00
kevgliss 39727a1c9f Fixing tests 2015-10-06 13:00:06 -07:00
kevgliss 168f46a436 Adding the ability to track a certificates signing key algorithm 2015-10-06 12:51:59 -07:00
kevgliss 798a6295ee Fixes destination stat 2015-10-06 09:43:31 -07:00
kevgliss 63b7b71b49 adding clipboard functionality 2015-10-05 16:06:56 -07:00
kevgliss 9965af9ccd fixing links, and adding zeroclipboard 2015-10-05 09:48:52 -07:00
kevgliss 867be09e29 more double quotes 2015-10-05 09:24:11 -07:00
kevgliss 8362a92898 fixing double quotes 2015-10-05 09:19:14 -07:00
kevgliss 162482dbc4 Adding ui router and perma links to certificates and authorities 2015-10-05 09:00:51 -07:00
kevgliss 2187898494 adding copy and a better profile picture for non-sso users 2015-10-02 15:36:50 -07:00
kevgliss d4bc6ae7a1 Fixes #105 2015-10-02 13:46:13 -07:00
kevgliss 5cfa9d4bc5 description should be optional 2015-09-29 16:37:32 -07:00
kevgliss 7ebd0bf5d4 making fields required 2015-09-24 08:42:31 -07:00
kevgliss 06a69c09a0 Fixing a bug where notifications associated during certificate creation would not be respected. 2015-09-22 13:01:05 -07:00
kevgliss be6a5b859e adding notification example 2015-09-22 09:46:54 -07:00
Eric Mill baef329a4d Rename SSL to TLS 2015-09-21 18:16:19 -04:00
Eric Mill a3385bd2ac Rename SSL to TLS 2015-09-21 18:15:25 -04:00
kevgliss fc0a884d5f Cleaning up unneed/unused files 2015-09-20 09:49:16 -07:00
kevgliss ef72de89b3 Minor fixes 2015-09-18 15:50:59 -07:00
kevgliss a563986ce4 fixing an error where dates components were not replaced in logical order 2015-09-16 11:10:09 -07:00
kevgliss d3cf273a45 Merge pull request #72 from kevgliss/docker
[WIP] Docker
2015-09-11 15:36:25 -07:00
kevgliss 25f652c1eb fixing merge conflict 2015-09-11 08:38:48 -07:00
kevgliss 7f119e95e1 making the verisign urls more generic 2015-09-11 08:27:34 -07:00
kevgliss 1e314b505f fixing keyerror 2015-09-08 18:18:14 -07:00
kevgliss ef9a80ebfd adding actual recipients 2015-09-08 18:03:18 -07:00
kevgliss 84d0afae4c fixing email internvals 2015-09-08 17:56:20 -07:00
kevgliss 48a53ad436 fixing error in default password creation 2015-09-08 17:42:57 -07:00
kevgliss 2f4aee49e2 adding logging 2015-09-08 10:56:23 -07:00
kevgliss f3f5b9eeb3 adding password commandline option 2015-09-08 10:56:23 -07:00
kevgliss 8ab9c06778 removing more netflix 2015-09-04 15:54:52 -07:00
kevgliss 0afd4c94b4 removing more netflix 2015-09-04 15:54:02 -07:00
kevgliss aaae4d5a1f unifying lemur defaults 2015-09-04 15:52:56 -07:00
kevgliss 9da713ab06 cleaning up references to netflix 2015-09-04 15:29:57 -07:00
kevgliss 160eaa6901 Fixing issue with expiration emails not being sent 2015-09-04 09:24:55 -07:00
kevgliss 180c8228e1 adding verisign source 2015-09-02 14:37:07 -07:00
kevgliss 089c0b2b1b Merge pull request #68 from kevgliss/crons
Crons
2015-09-02 09:35:46 -07:00
kevgliss 3b109ec578 Cleaning up temporary file creation, and revocation checking 2015-09-02 09:19:06 -07:00
kevgliss 45158c64a2 cleaning up temporary file creation 2015-09-02 09:19:06 -07:00
kevgliss a350940cd1 Adding command to fetch and publish verisign units 2015-09-02 09:19:06 -07:00
kevgliss efec79d8de removing silly description validation from lemur and enforcing it on the cloudca plugin (who actually cares) 2015-09-02 09:15:12 -07:00
kevgliss 62950128a2 Adding a better error message for really long common names Fixes #38 2015-09-02 09:15:11 -07:00
kevgliss aca69ce03c Closes #53 2015-09-02 09:15:11 -07:00
kevgliss bf8ce354e5 Closes #55 2015-09-02 09:13:47 -07:00
kevgliss 8d09d865b1 Closes #57 2015-09-02 09:13:47 -07:00