kevgliss
f990ef27cf
Adding sentry tracking to issues with certificate deployment. ( #978 )
2017-10-26 15:21:13 -07:00
kevgliss
d4209510c2
Adding some additional exception capturing during certificate parsing. ( #976 )
2017-10-25 08:19:07 -07:00
kevgliss
620e279453
Caa ( #975 )
* Adding verisign error code for a CAA failure.
* Tweaking error msg.
2017-10-24 14:46:33 -07:00
kevgliss
bbf73c48a3
Adding health exception tracking. ( #977 )
2017-10-24 14:04:51 -07:00
Johannes Langer
9319dda0ec
Added ability to ignore cert for oauth2 provider ( #971 )
* Added ability to ignore cert for oauth2 provider
This is useful for development environments where the OAuth provider
doesn't have a valid cert!
* Setting default for OAUTH2_VERIFY_CERT to true
2017-10-20 16:36:14 -07:00
kevgliss
14f5340802
During higher loads, retrying the connection attempt is often required for the CIS api. ( #972 )
2017-10-12 10:37:58 -07:00
kevgliss
0152985e64
Adding serial numbers when certificates with the same name are encoun… ( #970 )
* Adding serial numbers when certificates with the same name are encountered.
2017-10-11 13:20:19 -07:00
kevgliss
e43268f585
Source plugin ( #965 )
* Ensure that None values aren't passed.
2017-10-09 10:37:44 -07:00
kevgliss
7ef788752e
Source plugin ( #964 )
* Another minor fix.
2017-10-06 17:39:31 -07:00
kevgliss
b66d7ce1fd
Source plugin ( #963 )
* Ensuring that we have default options for source plugins.
* Handle duplicate serials. Serials are not unique across issuers.
* Minor fix.
2017-10-06 13:22:03 -07:00
kevgliss
dc34652efd
Source plugin ( #962 )
* Ensuring that we have default options for source plugins.
* Handle duplicate serials. Serials are not unique across issuers.
2017-10-06 08:49:05 -07:00
kevgliss
e0d2fb0de1
Ensuring that we have default options for source plugins. ( #961 )
2017-10-05 17:27:45 -07:00
kevgliss
e0d9443141
Ensuring existing users are also given the default role. ( #960 )
2017-10-05 16:47:52 -07:00
kevgliss
a6305a5cae
Adding Digicert CIS Sourceplugin ( #959 )
* Adding necessary features to complete backfill
* Fixing pagination logic.
2017-10-04 16:56:01 -07:00
kevgliss
9e2578be1e
Adding necessary features to complete backfill ( #958 )
2017-10-04 14:57:57 -07:00
kevgliss
09b8f532a7
Adding cli to mass revoke certificates. ( #955 )
2017-10-03 10:51:53 -07:00
kevgliss
e0939a2856
Adding some default data to put. ( #950 )
2017-09-29 14:49:07 -07:00
kevgliss
90f4b458e3
Adding the lemur identity to be able to re-issue certificates. ( #949 )
2017-09-29 14:07:40 -07:00
kevgliss
f5213deb67
Removing revocation comments for now. ( #947 )
2017-09-29 10:53:15 -07:00
kevgliss
bb08b1e637
Initial work allowing certificates to be revoked. ( #941 )
* Initial work allowing for certificates to be revoked.
2017-09-28 18:27:56 -07:00
Marti Raudsepp
54ff4cddbf
Disallow issuing certificates from inactive authority ( #936 )
2017-09-25 15:34:49 -07:00
Marti Raudsepp
645641f4bd
Avoid redundant key_view log entries ( #937 )
Don't re-request private key when it's already loaded in frontend.
2017-09-25 15:34:07 -07:00
Marti Raudsepp
97d83890e0
Various minor cleanups and fixes ( #938 )
* Documentation fixes
* Various docstring and help string fixes
* Minor code cleanups
* Removed redundant .gitignore entry, ignored package-lock.json.
* 'return' statement in certificates.service.render was redundant
* Split up too long line
* Non-matching tags in templates
2017-09-25 15:33:42 -07:00
Marti Raudsepp
ec5dec4a16
Add option to disable owner email address in CSR subject ( #939 )
2017-09-25 15:32:08 -07:00
Horatiu Eugen Vlad
f766871824
Create default rotation policy with name ( #924 )
2017-09-18 09:09:59 -07:00
Rick Breidenstein
fc9b1e5b12
server_default from "False" to sa.false() ( #913 )
2017-09-11 09:19:19 -07:00
Marti Raudsepp
dafed86179
Improve certificate name normalization: remove Unicode characters, etc. ( #906 )
* Accented characters are replaced with non-accented version (ä -> a)
* Spaces are replaced with '-' (previously they were removed)
* Multiple non-alphanumeric characters are collapsed into one '-'
2017-09-08 10:52:22 -07:00
Ian Stahnke
79d12578c7
basic ldap support ( #842 )
2017-09-03 20:41:43 -07:00
kevgliss
ff87c487c8
It's too expensive to attempt to load all certificates associated with a given notification. Some queries such as `default` are associated with a large number of certificates. We have little control over when these objects are loaded, but when marshalled they are lazy-loaded via SQLAlchemy. If a user needs to get all the certificates associated with a certificate they should use the /notifications/<id>/certificates endpoints that support pagination. ( #891 )
2017-08-28 17:57:39 -07:00
Marti Raudsepp
82b43b5a9d
Create signal hooks and handler for dumping CSR and certificate details ( #882 )
2017-08-28 17:35:56 -07:00
Marti Raudsepp
bb1c339655
Fix ability to remove all roles from authority ( #880 )
2017-08-28 17:35:01 -07:00
Marti Raudsepp
e7efaf4365
Prevent creation of empty SubjAltNames extension in CSR ( #883 )
2017-08-18 09:10:56 -07:00
Marti Raudsepp
c6d76f580e
Disable unused Flask Principal sessions ( #881 )
Lemur uses its own auth token for authentication; logging out doesn't
properly dispose of the Flask Principal session.
2017-08-17 09:24:35 -07:00
Marti Raudsepp
941df0366d
Fix roles display on user screen and fix removing user roles ( #879 )
2017-08-17 09:24:10 -07:00
Marti Raudsepp
7762d6ed52
Reworked sensitive domain name and restriction logic ( #878 )
* This is a fix for a potential security issue; the old code had edge
cases with unexpected behavior.
* LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS
is a list of *allowed* domain name patterns. Per discussion in PR #600
* Domain restrictions are now checked everywhere: in domain name-like
CN (common name) values and SAN DNSNames, including raw CSR requests.
* Common name values that contain a space are exempt, since they cannot
be valid domain names.
2017-08-16 19:24:49 -07:00
Marti Raudsepp
cf805f530f
Prevent unintended access to sensitive fields (passwords, private keys) ( #876 )
Make sure that fields specified in filter, sortBy, etc. are model fields
and may be accessed. This fixes a potential security issue.
The filter() function allowed guessing the content of password hashes
one character at a time.
The sort() function allowed the user to call an arbitrary method of an
arbitrary model attribute, for example sortBy=id&sortDir=distinct would
produce an unexpected error.
2017-08-16 09:38:42 -07:00
Rick Breidenstein
f5e120ad2e
Update readme.txt ( #869 )
2017-08-04 12:42:27 -07:00
kevgliss
f5082e2d3a
Starting transition away from not_before and not_after. ( #854 )
2017-07-14 09:24:59 -07:00
kevgliss
61c493fc91
Adding additional failure conditions to sentry tracking. ( #853 )
* Adding additional failure conditions to sentry tracking.
* Removing sentry extension as a circular import.
2017-07-13 14:49:04 -07:00
kevgliss
6779e19ac9
Adding enum migration. ( #852 )
2017-07-13 13:12:53 -07:00
kevgliss
443eb43d1f
Adding the ability to specify a per-certificate rotation policy. ( #851 )
2017-07-12 16:46:11 -07:00
Paul Van de Vreede
53113e5eeb
Add auditing for creating or updating a cert. ( #845 )
2017-07-04 06:39:16 -07:00
kevgliss
169dcb86e2
supporting the ability to push exceptions to sentry ( #843 )
2017-06-29 14:12:38 -07:00
Ian Stahnke
e4f5224f42
set ses email content type to utf-8 instead of string ( #841 )
2017-06-28 09:44:19 -07:00
kevgliss
98907e66e9
Minor fixes to S3.put signature ( #840 )
2017-06-27 16:18:34 -07:00
kevgliss
c05343d58e
Adds the ability for destination plugins to be sub-classed from Expor… ( #839 )
* Adds the ability for destination plugins to be sub-classed from ExportDestination. These plugins have the extra option of specifying an export plugin before the destination receives the data. Closes #807 .
* fixing tests
2017-06-26 12:03:24 -07:00
Paul Borg
541fbc9a6d
Use named kwargs rather than args when calling s3 put ( #830 )
2017-06-20 11:28:19 -07:00
Asbjørn Kjær
35cc7ef8d7
Adding support for private DigiCert certificates ( #835 )
2017-06-14 09:20:24 -07:00
Asbjørn Kjær
e77382864b
Fixing KeyError on error handling ( #834 )
2017-06-14 09:07:27 -07:00
kevgliss
d4d6d832b1
Fixing audit filtering and sorting. ( #827 )
2017-06-02 09:07:22 -07:00