Marti Raudsepp
7762d6ed52
Reworked sensitive domain name and restriction logic ( #878 )
* This is a fix for a potential security issue; the old code had edge
cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
be valid domain names.
2017-08-16 19:24:49 -07:00
Doppins
466df367e6
Upgrade dependency boto3 to ==1.4.6 ( #874 )
2017-08-16 09:56:22 -07:00
Doppins
b0c8787cfa
Upgrade dependency marshmallow to ==2.13.6 ( #877 )
2017-08-16 09:56:08 -07:00
Marti Raudsepp
cf805f530f
Prevent unintended access to sensitive fields (passwords, private keys) ( #876 )
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This fixes a potential security issue.
The filter() function allowed guessing the content of password hashes
one character at a time.
The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
2017-08-16 09:38:42 -07:00
Doppins
b40c6a1c67
Upgrade dependency pem to ==17.1.0 ( #872 )
2017-08-10 15:08:11 -07:00
Doppins
3a62010445
Upgrade dependency pytest to ==3.2.1 ( #871 )
2017-08-09 15:00:15 -07:00
Andrew Murray
3b4e7d9169
Fixed typo ( #870 )
2017-08-09 08:40:22 -07:00
Doppins
4245ba0d15
Upgrade dependency acme to ==0.17.0 ( #866 )
2017-08-06 11:19:10 -07:00
Doppins
95e4c23db1
Upgrade dependency factory-boy to ==2.9.2 ( #868 )
2017-08-06 11:19:00 -07:00
Rick Breidenstein
f5e120ad2e
Update readme.txt ( #869 )
2017-08-04 12:42:27 -07:00
Doppins
fab146b328
[Doppins] Upgrade dependency factory-boy to ==2.9.1 ( #863 )
* Upgrade dependency factory-boy to ==2.9.0
* Upgrade dependency factory-boy to ==2.9.1
2017-08-02 09:17:25 -07:00
Doppins
5aeadf8f98
[Doppins] Upgrade dependency psycopg2 to ==2.7.3 ( #858 )
* Upgrade dependency psycopg2 to ==2.7.2
* Upgrade dependency psycopg2 to ==2.7.3
2017-08-02 09:16:38 -07:00
Doppins
5f9c655594
Upgrade dependency Flask-Migrate to ==2.1.0 ( #861 )
2017-08-02 09:16:21 -07:00
Doppins
dd18cac702
Upgrade dependency boto3 to ==1.4.5 ( #862 )
2017-08-02 09:16:01 -07:00
Doppins
b76ab902e5
Upgrade dependency pytest to ==3.2.0 ( #865 )
2017-08-02 09:15:42 -07:00
kevgliss
f5082e2d3a
Starting transition away from not_before and not_after. ( #854 )
2017-07-14 09:24:59 -07:00
kevgliss
61c493fc91
Adding additional failure conditions to sentry tracking. ( #853 )
* Adding additional failure conditions to sentry tracking.
* Removing sentry extension as a circular import.
2017-07-13 14:49:04 -07:00
kevgliss
6779e19ac9
Adding enum migration. ( #852 )
2017-07-13 13:12:53 -07:00
kevgliss
443eb43d1f
Adding the ability to specify a per-certificate rotation policy. ( #851 )
2017-07-12 16:46:11 -07:00
Doppins
560bd5a872
Upgrade dependency acme to ==0.16.0 ( #850 )
2017-07-12 15:53:32 -07:00
Doppins
8f35a64faf
Upgrade dependency pyjwt to ==1.5.2 ( #846 )
2017-07-12 15:52:50 -07:00
kevgliss
7507f6be50
Updating documentation ( #849 )
2017-07-05 20:17:19 -07:00
Doppins
ac3b441456
Upgrade dependency pytest to ==3.1.3 ( #847 )
2017-07-05 19:02:59 -07:00
Paul Van de Vreede
53113e5eeb
Add auditing for creating or updating a cert. ( #845 )
2017-07-04 06:39:16 -07:00
kevgliss
9d5db3ec12
This should not have been upgraded as it breaks mTLS ( #844 )
2017-06-29 16:29:26 -07:00
kevgliss
169dcb86e2
supporting the ability to push exceptions to sentry ( #843 )
2017-06-29 14:12:38 -07:00
Ian Stahnke
e4f5224f42
set ses email content type to utf-8 instead of string ( #841 )
2017-06-28 09:44:19 -07:00
kevgliss
98907e66e9
Minor fixes to S3.put signature ( #840 )
2017-06-27 16:18:34 -07:00
kevgliss
c05343d58e
Adds the ability for destination plugins to be sub-classed from Expor… ( #839 )
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes #807 .
* fixing tests
2017-06-26 12:03:24 -07:00
Paul Borg
541fbc9a6d
Use named kwargs rather than args when calling s3 put ( #830 )
2017-06-20 11:28:19 -07:00
Doppins
ef08e02333
[Doppins] Upgrade dependency paramiko to ==2.2.1 ( #833 )
* Upgrade dependency paramiko to ==2.1.3
* Upgrade dependency paramiko to ==2.2.0
* Upgrade dependency paramiko to ==2.2.1
2017-06-14 09:20:35 -07:00
Asbjørn Kjær
35cc7ef8d7
Adding support for private DigiCert certificates ( #835 )
2017-06-14 09:20:24 -07:00
Asbjørn Kjær
e77382864b
Fixing KeyError on error handling ( #834 )
2017-06-14 09:07:27 -07:00
Doppins
b5fd802005
Upgrade dependency acme to ==0.15.0 ( #831 )
2017-06-09 09:03:07 -07:00
Doppins
98897f3c98
Upgrade dependency pytest to ==3.1.2 ( #832 )
2017-06-09 09:02:55 -07:00
Doppins
d49bb8a6ca
Upgrade dependency Flask-RESTful to ==0.3.6 ( #828 )
2017-06-03 20:25:11 -07:00
Doppins
05f2d3b2d9
Upgrade dependency moto to ==1.0.1 ( #829 )
2017-06-03 20:24:51 -07:00
kevgliss
d4d6d832b1
Fixing audit filtering and sorting. ( #827 )
2017-06-02 09:07:22 -07:00
kevgliss
9c92138f2d
Fixing autorotation failures. ( #825 )
* Fixing issue with auto rotation failing due to a change in the way certificate data is serialized.
2017-06-02 08:59:42 -07:00
kevgliss
5a4806bc43
Allowing description to be optional. ( #826 )
2017-06-01 17:09:04 -07:00
Doppins
54105e221e
Upgrade dependency Flask-Migrate to ==2.0.4 ( #822 )
2017-05-31 08:58:54 -07:00
Doppins
adfc76aa79
Upgrade dependency pytest to ==3.1.1 ( #823 )
2017-05-31 08:58:38 -07:00
Doppins
3e3f7af796
Upgrade dependency cryptography to ==1.9 ( #821 )
2017-05-30 09:03:46 -07:00
kevgliss
07969f7e10
Ensuring IPAddresses and IPNetworks are correctly serialized. ( #818 )
2017-05-26 10:48:26 -07:00
Doppins
249ab23df4
Upgrade dependency acme to ==0.14.2 ( #817 )
2017-05-25 17:40:55 -07:00
Michael LoSapio
3141b47fba
Catch OAuth providers that want the params sent as data ( #800 )
2017-05-25 10:21:29 -07:00
Henry Megarry
31f4cf0253
adding url context path to html templates ( #814 )
2017-05-25 10:20:32 -07:00
kevgliss
21d48b32c9
Fixing an issue with uploading to cloudfront. ( #815 )
2017-05-25 10:10:12 -07:00
kevgliss
11bd42af82
Correct status code for basic-auth ( #813 )
* ensuring those using basic auth receive a correct status code when their password is incorrect
* Fixing oauth status codes
2017-05-23 09:48:31 -07:00
Doppins
feac9cb3a3
Upgrade dependency pytest to ==3.1.0 ( #811 )
2017-05-23 09:31:18 -07:00