Merge pull request #241 from kevgliss/0.2.2.release

adding changelog

.gitattributes

@@ -1 +1,2 @@
-* text=auto
+* text=auto
+version.py  export-subst

.travis.yml

@@ -23,9 +23,6 @@ env:
   global:
     - PIP_DOWNLOAD_CACHE=".pip_download_cache"
 
-install:
-  - make dev-postgres
-
 before_script:
   - psql -c "create database lemur;" -U postgres
   - psql -c "create user lemur with password 'lemur;'" -U postgres
@@ -36,4 +33,4 @@ script:
 
 notifications:
   email:
-    kglisson@netflix.com
+    kglisson@netflix.com

AUTHORS

@@ -1,2 +1,3 @@
-- Kevin Glisson (kglisson@netflix.com)
+- Kevin Glisson <kglisson@netflix.com>
 - Jeremy Heffner <jheffner@netflix.com>
+

CHANGELOG.rst

@@ -0,0 +1,53 @@
+Changelog
+=========
+
+
+0.2.2 - 2016-02-05
+~~~~~~~~~~~~~~~~~~
+
+* Closed [#234](https://github.com/Netflix/lemur/issues/234) - Allows export plugins to define whether they need
+    private key material (default is True)
+* Closed [#231](https://github.com/Netflix/lemur/issues/231) - Authorities were not respecting 'owning' roles and their
+    users
+* Closed [#228](https://github.com/Netflix/lemur/issues/228) - Fixed documentation with correct filter values
+* Closed [#226](https://github.com/Netflix/lemur/issues/226) - Fixes issue were `import_certificate` was requiring
+    replacement certificates to be specified
+* Closed [#224](https://github.com/Netflix/lemur/issues/224) - Fixed an issue where NPM might not be globally available (thanks AlexClineBB!)
+* Closed [#221](https://github.com/Netflix/lemur/issues/234) - Fixes several reported issues where older migration scripts were
+    missing tables, this change removes pre 0.2 migration scripts
+* Closed [#218](https://github.com/Netflix/lemur/issues/234) - Fixed an issue where export passphrases would not validate
+
+
+0.2.1 - 2015-12-14
+~~~~~~~~~~~~~~~~~~
+
+* Fixed bug with search not refreshing values
+* Cleaned up documentation, including working supervisor example (thanks rpicard!)
+* Closed #165 - Fixed an issue with email templates
+* Closed #188 - Added ability to submit third party CSR
+* Closed #176 - Java-export should allow user to specify truststore/keystore
+* Closed #176 - Extended support for exporting certificate in P12 format
+
+
+0.2.0 - 2015-12-02
+~~~~~~~~~~~~~~~~~~~
+
+* Closed #120 - Error messages not displaying long enough
+* Closed #121 - Certificate create form should not be valid until a Certificate Authority object is available
+* Closed #122 - Certificate API should allow for the specification of preceding certificates
+    You can now target a certificate(s) for replacement. When specified the replaced certificate will be marked as
+    'inactive'. This means that there will be no notifications for that certificate.
+* Closed #139 - SubCA autogenerated descriptions for their certs are incorrect
+* Closed #140 - Permalink does not change with filtering
+* Closed #144 - Should be able to search certificates by domains covered, included wildcards
+* Closed #165 - Cleaned up expiration notification template
+* Closed #160 - Cleaned up quickstart documentation (thanks forkd!)
+* Closed #144 - Now able to search by all domains in a given certificate, not just by common name
+
+
+0.1.5 - 2015-10-26
+~~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE**: Switched from use a AES static key to Fernet encryption.
+  Affects all versions prior to 0.1.5. If upgrading this will require a data migration.
+  see: `Upgrading Lemur <https://lemur.readthedocs.com/adminstration#UpgradingLemur>`_

LICENSE

@@ -1,4 +1,3 @@
-
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/

MANIFEST.in

@@ -0,0 +1,4 @@
+include setup.py version.py package.json bower.json gulpfile.js README.rst MANIFEST.in LICENSE AUTHORS
+recursive-include lemur/plugins/lemur_email/templates *
+recursive-include lemur/static *
+global-exclude *~

Makefile

@@ -9,6 +9,8 @@ develop: update-submodules setup-git
 	pip install -e .
 	pip install "file://`pwd`#egg=lemur[dev]"
 	pip install "file://`pwd`#egg=lemur[tests]"
+	node_modules/.bin/gulp build
+	node_modules/.bin/gulp package
 	@echo ""
 
 dev-docs:

OSSMETADATA

@@ -0,0 +1 @@
+osslifecycle=active

README.rst

@@ -13,18 +13,28 @@ Lemur
     :target: https://lemur.readthedocs.org
     :alt: Latest Docs
 
-.. image:: https://magnum.travis-ci.com/Netflix/lemur.svg?branch=master
-      :target: https://magnum.travis-ci.com/Netflix/lemur
+.. image:: https://travis-ci.org/Netflix/lemur.svg
+    :target: https://travis-ci.org/Netflix/lemur
 
+.. image:: https://requires.io/github/Netflix/lemur/requirements.svg?branch=master
+    :target: https://requires.io/github/Netflix/lemur/requirements/?branch=master
+    :alt: Requirements Status
 
-Lemur manages SSL certificate creation. It provides a central portal for developers to issuer their own SSL certificates with 'sane' defaults.
+.. image:: https://badge.waffle.io/Netflix/lemur.png?label=ready&title=Ready
+    :target: https://waffle.io/Netflix/lemur
+    :alt: 'Stories in Ready'
+
+Lemur manages TLS certificate creation. While not able to issue certificates itself, Lemur acts as a broker between CAs
+and environments providing a central portal for developers to issue TLS certificates with 'sane' defaults.
+
+It works on CPython 2.7, 3.3, 3.4. We deploy on Ubuntu and develop on OS X.
 
-It works on CPython 2.7, 3.3, 3.4  It is known
-to work on Ubuntu Linux and OS X.
 
 Project resources
 =================
 
+- `Lemur Blog Post <http://techblog.netflix.com/2015/09/introducing-lemur.html>`_
 - `Documentation <http://lemur.readthedocs.org/>`_
 - `Source code <https://github.com/netflix/lemur>`_
 - `Issue tracker <https://github.com/netflix/lemur/issues>`_
+- `Docker <https://github.com/Netflix/lemur-docker>`_

bower.json

@@ -29,11 +29,16 @@
     "angular-ui-switch": "~0.1.0",
     "angular-chart.js": "~0.7.1",
     "satellizer": "~0.9.4",
-    "angularjs-toaster": "~0.4.14"
+    "angularjs-toaster": "~0.4.14",
+    "ngletteravatar": "~3.0.1",
+    "angular-ui-router": "~0.2.15",
+    "angular-clipboard": "~1.1.1",
+    "angular-file-saver": "~1.0.1"
   },
   "devDependencies": {
     "angular-mocks": "~1.3",
-    "angular-scenario": "~1.3"
+    "angular-scenario": "~1.3",
+    "ngletteravatar": "~3.0.1"
   },
   "resolutions": {
     "bootstrap": "~3.3.1",

docs/administration.rst

@@ -2,7 +2,7 @@ Configuration
 =============
 
 .. warning::
-    There are many secrets that Lemur uses that must be protected. All of these options are set via the Lemur configruation
+    There are many secrets that Lemur uses that must be protected. All of these options are set via the Lemur configuration
     file. It is highly advised that you do not store your secrets in this file! Lemur provides functions
     that allow you to encrypt files at rest and decrypt them when it's time for deployment. See :ref:`Credential Management <CredentialManagement>`
     for more information.
@@ -24,7 +24,6 @@ Basic Configuration
 
         LOG_FILE = "/logs/lemur/lemur-test.log"
 
-
 .. data:: debug
     :noindex:
 
@@ -34,7 +33,6 @@ Basic Configuration
 
         debug = False
 
-
     .. warning::
         This should never be used in a production environment as it exposes Lemur to
         remote code execution through the debug console.
@@ -72,9 +70,7 @@ Basic Configuration
 .. data:: LEMUR_TOKEN_SECRET
     :noindex:
 
-        The TOKEN_SECRET is the secret used to create JWT tokens that are given out to users. This should be securely generated and be kept private.
-
-        See `SECRET_KEY` for methods on secure secret generation.
+        The TOKEN_SECRET is the secret used to create JWT tokens that are given out to users. This should be securely generated and kept private.
 
     ::
 
@@ -89,23 +85,29 @@ Basic Configuration
         >>> secret_key = secret_key + ''.join(random.choice(string.digits) for x in range(6))
 
 
-.. data:: LEMUR_ENCRYPTION_KEY
+.. data:: LEMUR_ENCRYPTION_KEYS
     :noindex:
 
-        The LEMUR_ENCRYPTION_KEY is used to encrypt data at rest within Lemur's database. Without this key Lemur will refuse
-        to start.
+        The LEMUR_ENCRYPTION_KEYS is used to encrypt data at rest within Lemur's database. Without a key Lemur will refuse
+        to start. Multiple keys can be provided to facilitate key rotation. The first key in the list is used for
+        encryption and all keys are tried for decryption until one works. Each key must be 32 URL safe base-64 encoded bytes.
 
-        See `LEMUR_TOKEN_SECRET` for methods of secure secret generation.
+        Running lemur create_config will securely generate a key for your configuration file.
+        If you would like to generate your own, we recommend the following method:
+
+            >>> import os
+            >>> import base64
+            >>> base64.urlsafe_b64encode(os.urandom(32))
 
     ::
 
-        LEMUR_ENCRYPTION_KEY = 'supersupersecret'
+        LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s=']
 
 
 Certificate Default Options
 ---------------------------
 
-Lemur allows you to find tune your certificates to your organization. The following defaults are presented in the UI
+Lemur allows you to fine tune your certificates to your organization. The following defaults are presented in the UI
 and are used when Lemur creates the CSR for your certificates.
 
 
@@ -122,7 +124,7 @@ and are used when Lemur creates the CSR for your certificates.
 
     ::
 
-        LEMUR_DEFAULT_STATE = "CA"
+        LEMUR_DEFAULT_STATE = "California"
 
 
 .. data:: LEMUR_DEFAULT_LOCATION
@@ -152,15 +154,16 @@ and are used when Lemur creates the CSR for your certificates.
 Notification Options
 --------------------
 
-Lemur currently has very basic support for notifications. Notifications are sent to the certificate creator, owner and
-security team as specified by the `SECURITY_TEAM_EMAIL` configuration parameter.
+Lemur currently has very basic support for notifications. Currently only expiration notifications are supported. Actual notification
+is handled by the notification plugins that you have configured. Lemur ships with the 'Email' notification that allows expiration emails
+to be sent to subscribers.
 
-The template for all of these notifications lives under lemur/template/event.html and can be easily modified to fit your
-needs.
+Templates for expiration emails are located under `lemur/plugins/lemur_email/templates` and can be modified for your needs.
+Notifications are sent to the certificate creator, owner and security team as specified by the `LEMUR_SECURITY_TEAM_EMAIL` configuration parameter.
 
-Certificates marked as in-active will **not** be notified of upcoming expiration. This enables a user to essentially
-silence the expiration. If a certificate is active and is expiring the above will be notified at 30, 15, 5, 2 days
-respectively.
+Certificates marked as inactive will **not** be notified of upcoming expiration. This enables a user to essentially
+silence the expiration. If a certificate is active and is expiring the above will be notified according to the `LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS` or
+30, 15, 2 days before expiration if no intervals are set.
 
 Lemur supports sending certification expiration notifications through SES and SMTP.
 
@@ -168,126 +171,189 @@ Lemur supports sending certification expiration notifications through SES and SM
 .. data:: LEMUR_EMAIL_SENDER
     :noindex:
 
-            Specifies which service will be delivering notification emails. Valid values are `SMTP` or `SES`
+    Specifies which service will be delivering notification emails. Valid values are `SMTP` or `SES`
 
-.. note::
-    If using STMP as your provider you will need to define additional configuration options as specified by Flask-Mail.
-    See: `Flask-Mail <https://pythonhosted.org/Flask-Mail>`_
+    .. note::
+        If using SMP as your provider you will need to define additional configuration options as specified by Flask-Mail.
+        See: `Flask-Mail <https://pythonhosted.org/Flask-Mail>`_
+
+        If you are using SES the email specified by the `LEMUR_MAIL` configuration will need to be verified by AWS before
+        you can send any mail. See: `Verifying Email Address in Amazon SES <http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html>`_
 
-    If you are using SES the email specified by the `LEMUR_MAIL` configuration will need to be verified by AWS before
-    you can send any mail. See: `Verifying Email Address in Amazon SES <http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html>`_
 
 .. data:: LEMUR_MAIL
     :noindex:
 
-            Lemur sender's email
+        Lemur sender's email
 
         ::
 
-        LEMUR_MAIL = 'lemur.example.com'
+            LEMUR_MAIL = 'lemur.example.com'
 
 
 .. data:: LEMUR_SECURITY_TEAM_EMAIL
     :noindex:
 
-            This is an email or list of emails that should be notified when a certificate is expiring. It is also the contact email address for any discovered certificate.
+        This is an email or list of emails that should be notified when a certificate is expiring. It is also the contact email address for any discovered certificate.
 
         ::
 
-        LEMUR_SECURITY_TEAM_EMAIL = ['security@example.com']
+            LEMUR_SECURITY_TEAM_EMAIL = ['security@example.com']
 
 
-Authority Options
------------------
-
-Authorities will each have their own configuration options. There are currently two plugins bundled with Lemur,
-Verisign/Symantec and CloudCA
-
-.. data:: VERISIGN_URL
+.. data:: LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS
     :noindex:
 
-        This is the url for the verisign API
+        Lemur notification intervals
+
+        ::
+
+            LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS = [30, 15, 2]
 
 
-.. data:: VERISIGN_PEM_PATH
-    :noindex:
-
-        This is the path to the mutual SSL certificate used for communicating with Verisign
-
-
-.. data:: CLOUDCA_URL
-    :noindex:
-
-        This is the URL for CLoudCA API
-
-
-.. data:: CLOUDCA_PEM_PATH
-    :noindex:
-
-        This is the path to the mutual SSL Certificate use for communicating with CLOUDCA
-
-.. data:: CLOUDCA_BUNDLE
-    :noindex:
-
-        This is the path to the CLOUDCA certificate bundle
-
-Authentication
---------------
-Lemur currently supports Basic Authentication and Ping OAuth2 out of the box, additional flows can be added relatively easily
-If you are not using Ping you do not need to configure any of these options.
+Authentication Options
+----------------------
+Lemur currently supports Basic Authentication, Ping OAuth2, and Google out of the box. Additional flows can be added relatively easily.
+If you are not using an authentication provider you do not need to configure any of these options.
 
 For more information about how to use social logins, see: `Satellizer <https://github.com/sahat/satellizer>`_
 
+.. data:: ACTIVE_PROVIDERS
+    :noindex:
+
+        ::
+
+            ACTIVE_PROVIDERS = ["ping", "google"]
+
 .. data:: PING_SECRET
     :noindex:
 
-    ::
+        ::
 
-        PING_SECRET = 'somethingsecret'
+            PING_SECRET = 'somethingsecret'
 
 .. data:: PING_ACCESS_TOKEN_URL
     :noindex:
 
-    ::
+        ::
 
-        PING_ACCESS_TOKEN_URL = "https://<yourpingserver>/as/token.oauth2"
+            PING_ACCESS_TOKEN_URL = "https://<yourpingserver>/as/token.oauth2"
 
 
 .. data:: PING_USER_API_URL
     :noindex:
 
-    ::
+        ::
 
-        PING_USER_API_URL = "https://<yourpingserver>/idp/userinfo.openid"
+            PING_USER_API_URL = "https://<yourpingserver>/idp/userinfo.openid"
 
 .. data:: PING_JWKS_URL
     :noindex:
 
-    ::
+        ::
 
-        PING_JWKS_URL = "https://<yourpingserver>/pf/JWKS"
+            PING_JWKS_URL = "https://<yourpingserver>/pf/JWKS"
+
+.. data:: PING_NAME
+    :noindex:
+
+        ::
+
+            PING_NAME = "Example Oauth2 Provider"
+
+.. data:: PING_CLIENT_ID
+    :noindex:
+
+        ::
+
+            PING_CLIENT_ID = "client-id"
+
+.. data:: GOOGLE_CLIENT_ID
+    :noindex:
+
+        ::
+
+        GOOGLE_CLIENT_ID = "client-id"
+
+.. data:: GOOGLE_SECRET
+    :noindex:
+
+        ::
+
+            GOOGLE_SECRET = "somethingsecret"
+
+
+Plugin Specific Options
+-----------------------
+
+Verisign Issuer Plugin
+^^^^^^^^^^^^^^^^^^^^^^
+
+Authorities will each have their own configuration options. There is currently just one plugin bundled with Lemur,
+Verisign/Symantec. Additional plugins may define additional options. Refer to the plugin's own documentation
+for those plugins.
+
+.. data:: VERISIGN_URL
+    :noindex:
+
+        This is the url for the Verisign API
+
+
+.. data:: VERISIGN_PEM_PATH
+    :noindex:
+
+        This is the path to the mutual TLS certificate used for communicating with Verisign
+
+
+.. data:: VERISIGN_FIRST_NAME
+    :noindex:
+
+        This is the first name to be used when requesting the certificate
+
+
+.. data:: VERISIGN_LAST_NAME
+    :noindex:
+
+        This is the last name to be used when requesting the certificate
+
+.. data:: VERISIGN_EMAIL
+    :noindex:
+
+        This is the email to be used when requesting the certificate
+
+
+.. data:: VERISIGN_INTERMEDIATE
+    :noindex:
+
+        This is the intermediate to be used for your CA chain
+
+
+.. data:: VERISIGN_ROOT
+    :noindex:
+
+        This is the root to be used for your CA chain
 
 
 
-AWS Plugin Configuration
-========================
+AWS Source/Destination Plugin
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-In order for Lemur to manage it's own account and other accounts we must ensure it has the correct AWS permissions.
+In order for Lemur to manage its own account and other accounts we must ensure it has the correct AWS permissions.
 
-.. note:: AWS usage is completely optional. Lemur can upload, find and manage SSL certificates in AWS. But is not required to do so.
+.. note:: AWS usage is completely optional. Lemur can upload, find and manage TLS certificates in AWS. But is not required to do so.
 
 Setting up IAM roles
---------------------
+""""""""""""""""""""
 
-Lemur's aws plugin uses boto heavily to talk to all the AWS resources it manages. By default it uses the on-instance credentials to make the necessary calls.
+Lemur's AWS plugin uses boto heavily to talk to all the AWS resources it manages. By default it uses the on-instance credentials to make the necessary calls.
 
-In order to limit the permissions we will create a new two IAM roles for Lemur. You can name them whatever you would like but for example sake we will be calling them LemurInstanceProfile and Lemur.
+In order to limit the permissions, we will create two new IAM roles for Lemur. You can name them whatever you would like but for example sake we will be calling them LemurInstanceProfile and Lemur.
 
 Lemur uses to STS to talk to different accounts. For managing one account this isn't necessary but we will still use it so that we can easily add new accounts.
 
 LemurInstanceProfile is the IAM role you will launch your instance with. It actually has almost no rights. In fact it should really only be able to use STS to assume role to the Lemur role.
 
-Here is are example polices for the LemurInstanceProfile:
+Here are example policies for the LemurInstanceProfile:
 
 SES-SendEmail
 
@@ -325,7 +391,12 @@ STS-AssumeRole
 
 
 
-Next we will create the the Lemur IAM role. Lemur
+Next we will create the the Lemur IAM role.
+
+.. note::
+
+    The default IAM role that Lemur assumes into is called `Lemur`, if you need to change this ensure you set `LEMUR_INSTANCE_PROFILE` to your role name in the configuration.
+
 
 Here is an example policy for Lemur:
 
@@ -377,7 +448,8 @@ IAM-ServerCertificate
 
 
 Setting up STS access
----------------------
+"""""""""""""""""""""
+
 Once we have setup our accounts we need to ensure that we create a trust relationship so that LemurInstanceProfile can assume the Lemur role.
 
 In the AWS console select the Lemur IAM role and select the Trust Relationships tab and click Edit Trust Relationship
@@ -404,7 +476,7 @@ Below is an example policy:
 
 
 Adding N+1 accounts
--------------------
+"""""""""""""""""""
 
 To add another account we go to the new account and create a new Lemur IAM role with the same policy as above.
 
@@ -432,7 +504,7 @@ An example policy:
     }
 
 Setting up SES
---------------
+""""""""""""""
 
 Lemur has built in support for sending it's certificate notifications via Amazon's simple email service (SES). To force
 Lemur to use SES ensure you are the running as the IAM role defined above and that you have followed the steps outlined
@@ -442,23 +514,11 @@ The configuration::
 
     LEMUR_MAIL = 'lemur.example.com'
 
-Will be sender of all notifications, so ensure that it is verified with AWS.
+Will be the sender of all notifications, so ensure that it is verified with AWS.
 
 SES if the default notification gateway and will be used unless SMTP settings are configured in the application configuration
 settings.
 
-Upgrading Lemur
-===============
-
-Lemur provides an easy way to upgrade between versions. Simply download the newest
-version of Lemur from pypi and then apply any schema cahnges with the following command.
-
-.. code-block:: bash
-
-    $ lemur db upgrade
-
-.. note:: Internally, this uses `Alembic <https://alembic.readthedocs.org/en/latest/>`_ to manage database migrations.
-
 .. _CommandLineInterface:
 
 Command Line Interface
@@ -524,29 +584,11 @@ All commands default to `~/.lemur/lemur.conf.py` if a configuration is not speci
         lemur db upgrade
 
 
-.. data:: create_user
-
-    Creates new users within Lemur.
-
-    ::
-
-        lemur create_user -u jim -e jim@example.com
-
-
-.. data:: create_role
-
-    Creates new roles within Lemur.
-
-    ::
-
-        lemur create_role -n example -d "a new role"
-
-
 .. data:: check_revoked
 
-    Traverses every certificate that Lemur is aware of and attempts to understand it's validity.
+    Traverses every certificate that Lemur is aware of and attempts to understand its validity.
     It utilizes both OCSP and CRL. If Lemur is unable to come to a conclusion about a certificates
-    validity it's status is marked 'unknown'
+    validity its status is marked 'unknown'
 
 
 .. data:: sync
@@ -566,27 +608,111 @@ All commands default to `~/.lemur/lemur.conf.py` if a configuration is not speci
         lemur sync -list
 
 
+Sub-commands
+------------
+
+Lemur includes several sub-commands for interacting with Lemur such as creating new users, creating new roles and even
+issuing certificates.
+
+The best way to discover these commands is by using the built in help pages
+
+    ::
+
+        lemur --help
+
+
+and to get help on sub-commands
+
+    ::
+
+        lemur certificates --help
+
+
+
+Upgrading Lemur
+===============
+
+To upgrade Lemur to the newest release you will need to ensure you have the lastest code and have run any needed
+database migrations.
+
+To get the latest code from github run
+
+    ::
+
+        cd <lemur-source-directory>
+        git pull -t <version>
+        python setup.py develop
+
+
+.. note::
+    It's important to grab the latest release by specifying the release tag. This tags denote stable versions of Lemur.
+    If you want to try the bleeding edge version of Lemur you can by using the master branch.
+
+
+After you have the latest version of the Lemur code base you must run any needed database migrations. To run migrations
+
+    ::
+
+        cd <lemur-source-directory>/lemur
+        lemur db upgrade
+
+
+This will ensure that any needed tables or columns are created or destroyed.
+
+.. note::
+    Internally, this uses `Alembic <https://alembic.readthedocs.org/en/latest/>`_ to manage database migrations.
+
+.. note::
+    By default Alembic looks for the `migrations` folder in the current working directory.The migrations folder is
+    located under `<LEMUR_HOME>/lemur/migrations` if you are running the lemur command from any location besides
+    `<LEMUR_HOME>/lemur` you will need to pass the `-d` flag to specify the absolute file path to the `migrations` folder.
+
+Plugins
+=======
+
+There are several interfaces currently available to extend Lemur. These are a work in
+progress and the API is not frozen.
+
+Bundled Plugins
+---------------
+
+Lemur includes several plugins by default. Including extensive support for AWS, VeriSign/Symantec and CloudCA services.
+
+3rd Party Extensions
+--------------------
+
+The following extensions are available and maintained by members of the Lemur community:
+
+Have an extension that should be listed here? Submit a `pull request <https://github.com/netflix/lemur>`_ and we'll
+get it added.
+
+Want to create your own extension? See :doc:`../developer/plugins/index` to get started.
+
+
 Identity and Access Management
 ==============================
 
 Lemur uses a Role Based Access Control (RBAC) mechanism to control which users have access to which resources. When a
-user is first created in Lemur the can be assigned one or more roles. These roles are typically dynamically created
+user is first created in Lemur they can be assigned one or more roles. These roles are typically dynamically created
 depending on a external identity provider (Google, LDAP, etc.,) or are hardcoded within Lemur and associated with special
 meaning.
 
 Within Lemur there are three main permissions: AdminPermission, CreatorPermission, OwnerPermission. Sub-permissions such
 as ViewPrivateKeyPermission are compositions of these three main Permissions.
 
-Lets take a look at how these permissions used:
+Lets take a look at how these permissions are used:
 
 Each `Authority` has a set of roles associated with it. If a user is also associated with the same roles
-that the `Authority` is associated with it Lemur allows that user to user/view/update that `Authority`.
+that the `Authority` is associated with, Lemur allows that user to user/view/update that `Authority`.
 
 This RBAC is also used when determining which users can access which certificate private key. Lemur's current permission
 structure is setup such that if the user is a `Creator` or `Owner` of a given certificate they are allow to view that
-private key.
+private key. Owners can also be a role name, such that any user with the same role as owner will be allowed to view the
+private key information.
 
 These permissions are applied to the user upon login and refreshed on every request.
 
 .. seealso::
+
     `Flask-Principal <https://pythonhosted.org/Flask-Principal>`_
+

docs/changelog.rst

@@ -1,2 +1 @@
-Change Log
-==========
+.. include:: ../CHANGELOG.rst

docs/conf.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# security_monkey documentation build configuration file, created by
+# lemur documentation build configuration file, created by
 # sphinx-quickstart on Sat Jun  7 18:43:48 2014.
 #
 # This file is execfile()d with the current directory set to its
@@ -11,7 +11,6 @@
 #
 # All configuration values have a default; values that are commented out
 # serve to show the default.
-
 import sys
 import os
 
@@ -54,10 +53,12 @@ copyright = u'2015, Netflix Inc.'
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
-# The short X.Y version.
-version = '0.1'
-# The full version, including alpha/beta/rc tags.
-release = '0.1.1'
+base_dir = os.path.join(os.path.dirname(__file__), os.pardir)
+about = {}
+with open(os.path.join(base_dir, "lemur", "__about__.py")) as f:
+    exec(f.read(), about)
+
+version = release = about["__version__"]
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
@@ -100,9 +101,13 @@ pygments_style = 'sphinx'
 
 # -- Options for HTML output ----------------------------------------------
 
-# The theme to use for HTML and HTML Help pages.  See the documentation for
-# a list of builtin themes.
-html_theme = 'alabaster'
+# on_rtd is whether we are on readthedocs.org, this line of code grabbed from docs.readthedocs.org
+on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
+
+if not on_rtd:  # only import and set the theme if we're building docs locally
+    import sphinx_rtd_theme
+    html_theme = 'sphinx_rtd_theme'
+    html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the

docs/developer/index.rst

@@ -180,19 +180,92 @@ You can see a list of open pull requests (pending changes) by visiting https://g
 
 Pull requests should be against **master** and pass all TravisCI checks
 
-Plugins
-=======
+
+Writing a Plugin
+================
 
 .. toctree::
-    :maxdepth: 1
+    :maxdepth: 2
 
     plugins/index
 
+
+REST API
+========
+
+Lemur's front end is entirely API driven. Any action that you can accomplish via the UI can also be accomplished by the
+UI. The following is documents and provides examples on how to make requests to the Lemur API.
+
+Authentication
+--------------
+
+.. automodule:: lemur.auth.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Destinations
+------------
+
+.. automodule:: lemur.destinations.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Notifications
+-------------
+
+.. automodule:: lemur.notifications.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Users
+-----
+
+.. automodule:: lemur.users.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Roles
+-----
+
+.. automodule:: lemur.roles.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Certificates
+------------
+
+.. automodule:: lemur.certificates.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Authorities
+-----------
+
+.. automodule:: lemur.authorities.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Domains
+-------
+
+.. automodule:: lemur.domains.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+
 Internals
 =========
 
 .. toctree::
-    :maxdepth: 1
+    :maxdepth: 2
 
     internals/lemur
 

docs/developer/internals/lemur.plugins.lemur_cloudca.rst

@@ -1,20 +0,0 @@
-lemur_cloudca Package
-=====================
-
-:mod:`lemur_cloudca` Package
-----------------------------
-
-.. automodule:: lemur.plugins.lemur_cloudca
-    :noindex:
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`plugin` Module
---------------------
-
-.. automodule:: lemur.plugins.lemur_cloudca.plugin
-    :noindex:
-    :members:
-    :undoc-members:
-    :show-inheritance:

docs/developer/internals/lemur.plugins.rst

@@ -27,6 +27,5 @@ Subpackages
     lemur.plugins.base
     lemur.plugins.bases
     lemur.plugins.lemur_aws
-    lemur.plugins.lemur_cloudca
     lemur.plugins.lemur_email
     lemur.plugins.lemur_verisign

docs/developer/internals/lemur.rst

@@ -96,5 +96,4 @@ Subpackages
     lemur.notifications
     lemur.plugins
     lemur.roles
-    lemur.status
     lemur.users

docs/developer/internals/lemur.status.rst

@@ -1,11 +0,0 @@
-status Package
-==============
-
-:mod:`views` Module
--------------------
-
-.. automodule:: lemur.status.views
-    :noindex:
-    :members:
-    :undoc-members:
-    :show-inheritance:

docs/developer/plugins/index.rst

@@ -1,6 +1,3 @@
-Writing a Plugin
-================
-
 Several interfaces exist for extending Lemur:
 
 * Issuer (lemur.plugins.base.issuer)
@@ -8,7 +5,7 @@ Several interfaces exist for extending Lemur:
 * Source (lemur.plugins.base.source)
 * Notification (lemur.plugins.base.notification)
 
-Each interface has its own function that will need to be defined in order for
+Each interface has its own functions that will need to be defined in order for
 your plugin to work correctly. See :ref:`Plugin Interfaces <PluginInterfaces>` for details.
 
 
@@ -91,7 +88,7 @@ Issuer
 Issuer plugins are used when you have an external service that creates certificates or authorities.
 In the simple case the third party only issues certificates (Verisign, DigiCert, etc.).
 
-If you have a third party or internal service that creates authorities (CloudCA, EJBCA, etc.), Lemur has you covered,
+If you have a third party or internal service that creates authorities (EJBCA, etc.), Lemur has you covered,
 it can treat any issuer plugin as both a source of creating new certificates as well as new authorities.
 
 
@@ -215,7 +212,7 @@ certificate Lemur does not know about and adding the certificate to it's invento
 The `SourcePlugin` object has one default option of `pollRate`. This controls the number of seconds which to get new certificates.
 
  .. warning::
-    Lemur currently has a very basic polling system of running a cron job every 15min to see which source plugins need to be run. A lock file is generated to guarentee that ]
+Lemur currently has a very basic polling system of running a cron job every 15min to see which source plugins need to be run. A lock file is generated to guarantee that
     only one sync is running at a time. It also means that the minimum resolution of a source plugin poll rate is effectively 15min. You can always specify a faster cron
     job if you need a higher resolution sync job.
 
@@ -227,7 +224,29 @@ The `SourcePlugin` object requires implementation of one function::
 
 
 .. Note::
-    Often times to facilitate code re-use it makes sense put source and destination plugins into one package.
+Often times to facilitate code re-use it makes sense put source and destination plugins into one package.
+
+
+Export
+------
+
+Formats, formats and more formats. That's the current PKI landscape. See the always relevant `xkcd <https://xkcd.com/927/>`_.
+Thankfully Lemur supports the ability to output your certificates into whatever format you want. This integration comes by the way
+of Export plugins. Support is still new and evolving, the goal of these plugins is to return raw data in a new format that
+can then be used by any number of applications. Included in Lemur is the `JavaExportPlugin` which currently supports generating
+a Java Key Store (JKS) file for use in Java based applications.
+
+
+The `ExportPlugin` object requires the implementation of one function::
+
+    def export(self, body, chain, key, options, **kwargs):
+        # sys.call('openssl hokuspocus')
+        # return "extension", passphrase, raw
+
+
+.. Note::
+Support of various formats sometimes relies on external tools system calls. Always be mindful of sanitizing any input to
+these calls.
 
 
 Testing

docs/developer/rest.rst

@@ -1,66 +0,0 @@
-Lemur's front end is entirely API driven. Any action that you can accomplish via the UI can also be accomplished by the
-UI. The following is documents and provides examples on how to make requests to the Lemur API.
-
-Authentication
---------------
-
-.. automodule:: lemur.auth.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Destinations
-------------
-
-.. automodule:: lemur.destinations.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Notifications
--------------
-
-.. automodule:: lemur.notifications.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Users
------
-
-.. automodule:: lemur.users.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Roles
------
-
-.. automodule:: lemur.roles.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Certificates
-------------
-
-.. automodule:: lemur.certificates.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Authorities
------------
-
-.. automodule:: lemur.authorities.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Domains
--------
-
-.. automodule:: lemur.domains.views
-    :members:
-    :undoc-members:
-    :show-inheritance:

docs/doing-a-release.rst

@@ -0,0 +1,53 @@
+Doing a release
+===============
+
+Doing a release of ``lemur`` requires a few steps.
+
+Bumping the version number
+--------------------------
+
+The next step in doing a release is bumping the version number in the
+software.
+
+* Update the version number in ``lemur/__about__.py``.
+* Set the release date in the :doc:`/changelog`.
+* Do a commit indicating this.
+* Send a pull request with this.
+* Wait for it to be merged.
+
+Performing the release
+----------------------
+
+The commit that merged the version number bump is now the official release
+commit for this release. You will need to have ``gpg`` installed and a ``gpg``
+key in order to do a release. Once this has happened:
+
+* Run ``invoke release {version}``.
+
+The release should now be available on PyPI and a tag should be available in
+the repository.
+
+Verifying the release
+---------------------
+
+You should verify that ``pip install lemur`` works correctly:
+
+.. code-block:: pycon
+
+    >>> import lemur
+    >>> lemur.__version__
+    '...'
+
+Verify that this is the version you just released.
+
+Post-release tasks
+------------------
+
+* Update the version number to the next major (e.g. ``0.5.dev1``) in
+  ``lemur/__about__.py`` and
+* Add new :doc:`/changelog` entry with next version and note that it is under
+  active development
+* Send a pull request with these items
+* Check for any outstanding code undergoing a deprecation cycle by looking in
+  ``lemur.utils`` for ``DeprecatedIn**`` definitions. If any exist open
+  a ticket to increment them for the next release.

docs/faq.rst

@@ -4,8 +4,8 @@ Frequently Asked Questions
 Common Problems
 ---------------
 
-In my startup logs I see *'Aborting... Lemur cannot locate db encryption key, is LEMUR_ENCRYPTION_KEY set?'*
-  You likely have not correctly configured **LEMUR_ENCRYPTION_KEY**. See
+In my startup logs I see *'Aborting... Lemur cannot locate db encryption key, is LEMUR_ENCRYPTION_KEYS set?'*
+  You likely have not correctly configured **LEMUR_ENCRYPTION_KEYS**. See
   :doc:`administration/index` for more information.
 
 
@@ -14,6 +14,27 @@ I am seeing Lemur's javascript load in my browser but not the CSS.
   :doc:`production/index` for example configurations.
 
 
+After installing Lemur I am unable to login
+  Ensure that you are trying to login with the credentials you entered during `lemur init`. These are separate
+  from the postgres database credentials.
+
+
+Running 'lemur db upgrade' seems stuck.
+  Most likely, the upgrade is stuck because an existing query on the database is holding onto a lock that the
+  migration needs.
+
+  To resolve, login to your lemur database and run:
+
+    SELECT * FROM pg_locks l INNER JOIN pg_stat_activity s ON (l.pid = s.pid) WHERE waiting AND NOT granted;
+
+  This will give you a list of queries that are currently waiting to be executed. From there attempt to idenity the PID
+  of the query blocking the migration. Once found execute:
+
+    select pg_terminate_backend(<blocking-pid>);
+
+  See `<http://stackoverflow.com/questions/22896496/alembic-migration-stuck-with-postgresql>`_ for more.
+
+
 How do I
 --------
 

docs/generate_api.py

@@ -1,261 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-"""
-sphinx-autopackage-script
-
-This script parses a directory tree looking for python modules and packages and
-creates ReST files appropriately to create code documentation with Sphinx.
-It also creates a modules index (named modules.<suffix>).
-"""
-
-# Copyright 2008 Société des arts technologiques (SAT), http://www.sat.qc.ca/
-# Copyright 2010 Thomas Waldmann <tw AT waldmann-edv DOT de>
-# All rights reserved.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-
-import os
-import optparse
-
-
-# automodule options
-OPTIONS = ['members',
-           'undoc-members',
-           # 'inherited-members', # disabled because there's a bug in sphinx
-           'show-inheritance',
-          ]
-
-INIT = '__init__.py'
-
-def makename(package, module):
-    """Join package and module with a dot."""
-    # Both package and module can be None/empty.
-    if package:
-        name = package
-        if module:
-            name += '.' + module
-    else:
-        name = module
-    return name
-
-def write_file(name, text, opts):
-    """Write the output file for module/package <name>."""
-    if opts.dryrun:
-        return
-    fname = os.path.join(opts.destdir, "%s.%s" % (name, opts.suffix))
-    if not opts.force and os.path.isfile(fname):
-        print 'File %s already exists, skipping.' % fname
-    else:
-        print 'Creating file %s.' % fname
-        f = open(fname, 'w')
-        f.write(text)
-        f.close()
-
-def format_heading(level, text):
-    """Create a heading of <level> [1, 2 or 3 supported]."""
-    underlining = ['=', '-', '~', ][level-1] * len(text)
-    return '%s\n%s\n\n' % (text, underlining)
-
-def format_directive(module, package=None):
-    """Create the automodule directive and add the options."""
-    directive = '.. automodule:: %s\n' % makename(package, module)
-    for option in OPTIONS:
-        directive += '    :%s:\n' % option
-    return directive
-
-def create_module_file(package, module, opts):
-    """Build the text of the file and write the file."""
-    text = format_heading(1, '%s Module' % module)
-    text += format_heading(2, ':mod:`%s` Module' % module)
-    text += format_directive(module, package)
-    write_file(makename(package, module), text, opts)
-
-def create_package_file(root, master_package, subroot, py_files, opts, subs):
-    """Build the text of the file and write the file."""
-    package = os.path.split(root)[-1]
-    text = format_heading(1, '%s Package' % package)
-    # add each package's module
-    for py_file in py_files:
-        if shall_skip(os.path.join(root, py_file)):
-            continue
-        is_package = py_file == INIT
-        py_file = os.path.splitext(py_file)[0]
-        py_path = makename(subroot, py_file)
-        if is_package:
-            heading = ':mod:`%s` Package' % package
-        else:
-            heading = ':mod:`%s` Module' % py_file
-        text += format_heading(2, heading)
-        text += format_directive(is_package and subroot or py_path, master_package)
-        text += '\n'
-
-    # build a list of directories that are packages (they contain an INIT file)
-    subs = [sub for sub in subs if os.path.isfile(os.path.join(root, sub, INIT))]
-    # if there are some package directories, add a TOC for theses subpackages
-    if subs:
-        text += format_heading(2, 'Subpackages')
-        text += '.. toctree::\n\n'
-        for sub in subs:
-            text += '    %s.%s\n' % (makename(master_package, subroot), sub)
-        text += '\n'
-
-    write_file(makename(master_package, subroot), text, opts)
-
-def create_modules_toc_file(master_package, modules, opts, name='modules'):
-    """
-    Create the module's index.
-    """
-    text = format_heading(1, '%s Modules' % opts.header)
-    text += '.. toctree::\n'
-    text += '   :maxdepth: %s\n\n' % opts.maxdepth
-
-    modules.sort()
-    prev_module = ''
-    for module in modules:
-        # look if the module is a subpackage and, if yes, ignore it
-        if module.startswith(prev_module + '.'):
-            continue
-        prev_module = module
-        text += '   %s\n' % module
-
-    write_file(name, text, opts)
-
-def shall_skip(module):
-    """
-    Check if we want to skip this module.
-    """
-    # skip it, if there is nothing (or just \n or \r\n) in the file
-    return os.path.getsize(module) < 3
-
-def recurse_tree(path, excludes, opts):
-    """
-    Look for every file in the directory tree and create the corresponding
-    ReST files.
-    """
-    # use absolute path for root, as relative paths like '../../foo' cause
-    # 'if "/." in root ...' to filter out *all* modules otherwise
-    path = os.path.abspath(path)
-    # check if the base directory is a package and get is name
-    if INIT in os.listdir(path):
-        package_name = path.split(os.path.sep)[-1]
-    else:
-        package_name = None
-
-    toc = []
-    tree = os.walk(path, False)
-    for root, subs, files in tree:
-        # keep only the Python script files
-        py_files =  sorted([f for f in files if os.path.splitext(f)[1] == '.py'])
-        if INIT in py_files:
-            py_files.remove(INIT)
-            py_files.insert(0, INIT)
-        # remove hidden ('.') and private ('_') directories
-        subs = sorted([sub for sub in subs if sub[0] not in ['.', '_']])
-        # check if there are valid files to process
-        # TODO: could add check for windows hidden files
-        if "/." in root or "/_" in root \
-        or not py_files \
-        or is_excluded(root, excludes):
-            continue
-        if INIT in py_files:
-            # we are in package ...
-            if (# ... with subpackage(s)
-                subs
-                or
-                # ... with some module(s)
-                len(py_files) > 1
-                or
-                # ... with a not-to-be-skipped INIT file
-                not shall_skip(os.path.join(root, INIT))
-               ):
-                subroot = root[len(path):].lstrip(os.path.sep).replace(os.path.sep, '.')
-                create_package_file(root, package_name, subroot, py_files, opts, subs)
-                toc.append(makename(package_name, subroot))
-        elif root == path:
-            # if we are at the root level, we don't require it to be a package
-            for py_file in py_files:
-                if not shall_skip(os.path.join(path, py_file)):
-                    module = os.path.splitext(py_file)[0]
-                    create_module_file(package_name, module, opts)
-                    toc.append(makename(package_name, module))
-
-    # create the module's index
-    if not opts.notoc:
-        create_modules_toc_file(package_name, toc, opts)
-
-def normalize_excludes(rootpath, excludes):
-    """
-    Normalize the excluded directory list:
-    * must be either an absolute path or start with rootpath,
-    * otherwise it is joined with rootpath
-    * with trailing slash
-    """
-    sep = os.path.sep
-    f_excludes = []
-    for exclude in excludes:
-        if not os.path.isabs(exclude) and not exclude.startswith(rootpath):
-            exclude = os.path.join(rootpath, exclude)
-        if not exclude.endswith(sep):
-            exclude += sep
-        f_excludes.append(exclude)
-    return f_excludes
-
-def is_excluded(root, excludes):
-    """
-    Check if the directory is in the exclude list.
-
-    Note: by having trailing slashes, we avoid common prefix issues, like
-          e.g. an exlude "foo" also accidentally excluding "foobar".
-    """
-    sep = os.path.sep
-    if not root.endswith(sep):
-        root += sep
-    for exclude in excludes:
-        if root.startswith(exclude):
-            return True
-    return False
-
-def main():
-    """
-    Parse and check the command line arguments.
-    """
-    parser = optparse.OptionParser(usage="""usage: %prog [options] <package path> [exclude paths, ...]
-
-Note: By default this script will not overwrite already created files.""")
-    parser.add_option("-n", "--doc-header", action="store", dest="header", help="Documentation Header (default=Project)", default="Project")
-    parser.add_option("-d", "--dest-dir", action="store", dest="destdir", help="Output destination directory", default="")
-    parser.add_option("-s", "--suffix", action="store", dest="suffix", help="module suffix (default=txt)", default="txt")
-    parser.add_option("-m", "--maxdepth", action="store", dest="maxdepth", help="Maximum depth of submodules to show in the TOC (default=4)", type="int", default=4)
-    parser.add_option("-r", "--dry-run", action="store_true", dest="dryrun", help="Run the script without creating the files")
-    parser.add_option("-f", "--force", action="store_true", dest="force", help="Overwrite all the files")
-    parser.add_option("-t", "--no-toc", action="store_true", dest="notoc", help="Don't create the table of content file")
-    (opts, args) = parser.parse_args()
-    if not args:
-        parser.error("package path is required.")
-    else:
-        rootpath, excludes = args[0], args[1:]
-        if os.path.isdir(rootpath):
-            # check if the output destination is a valid directory
-            if opts.destdir and os.path.isdir(opts.destdir):
-                excludes = normalize_excludes(rootpath, excludes)
-                recurse_tree(rootpath, excludes, opts)
-            else:
-                print '%s is not a valid output destination directory.' % opts.destdir
-        else:
-            print '%s is not a valid directory.' % rootpath
-
-
-if __name__ == '__main__':
-    main()

docs/guide/index.rst

@@ -1,14 +1,103 @@
-Creating Users
-==============
+User Guide
+==========
+
+These guides are quick tutorials on how to perform basic tasks in Lemur.
 
 
-Creating Roles
-==============
+Create a New Authority
+~~~~~~~~~~~~~~~~~~~~~~
+
+Before Lemur can issue certificates you must configure the authority you wish use. Lemur itself does
+not issue certificates, it relies on external CAs and the plugins associated with those CAs to create the certificate
+that Lemur can then manage.
 
 
-Creating Authorities
-====================
+.. figure:: create.png
+
+    In the authority table select "Create"
+
+.. figure:: create_authority.png
+
+    Enter a authority name and short description about the authority. Enter an owner,
+    and certificate common name. Depending on the authority and the authority/issuer plugin
+    these values may or may not be used.
+
+.. figure:: create_authority_options.png
+
+    Again how many of these values get used largely depends on the underlying plugin. It
+    is important to make sure you select the right plugin that you wish to use.
+
+
+Create a New Certificate
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. figure:: create.png
+
+    In the certificate table select "Create"
+
+.. figure:: create_certificate.png
+
+    Enter an owner, short description and the authority you wish to issue this certificate.
+    Enter a common name into the certificate, if no validity range is selected two years is
+    the default.
+
+    You can add notification options and upload the created certificate to a destination, both
+    of these are editable features and can be changed after the certificate has been created.
+
+.. figure:: certificate_extensions.png
+
+    These options are typically for advanced users, the one exception is the `Subject Alternate Names` or SAN.
+    For certificates that need to include more than one domains, the first domain is the Common Name and all
+    other domains are added here as DNSName entries.
+
+
+Import an Existing Certificate
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. figure:: upload_certificate.png
+
+    Enter a owner, short description and public certificate. If there are intermediates and private keys
+    Lemur will track them just as it does if the certificate were created through Lemur. Lemur generates
+    a certificate name but you can override that by passing a value to the `Custom Name` field.
+
+    You can add notification options and upload the created certificate to a destination, both
+    of these are editable features and can be changed after the certificate has been created.
+
+
+Create a New User
+~~~~~~~~~~~~~~~~~
+.. figure:: settings.png
+
+    From the settings dropdown select "Users"
+
+.. figure:: create.png
+
+    In the user table select "Create"
+
+.. figure:: create_user.png
+
+    Enter the username, email and password for the user. You can also assign any
+    roles that the user will need when they login. While there is no deletion
+    (we want to track creators forever) you can mark a user as 'Inactive' that will
+    not allow them to login to Lemur.
+
+
+Create a New Role
+~~~~~~~~~~~~~~~~~
+
+.. figure:: settings.png
+
+    From the settings dropdown select "Roles"
+
+.. figure:: create.png
+
+    In the role table select "Create"
+
+.. figure:: create_role.png
+
+    Enter a role name and short description about the role. You can optionally store
+    a user/password on the role. This is useful if your authority require specific roles.
+    You can then accurately map those roles onto Lemur users. Also optional you can assign
+    users to your new role.
 
 
-Creating Certificates
-=====================

docs/index.rst

@@ -1,8 +1,8 @@
 Lemur
 =====
 
-Lemur is a SSL management service. It attempts to help track and create certificates. By removing common issues with
-CSR creation it gives normal developers 'sane' SSL defaults and helps security teams push SSL usage throughout an organization.
+Lemur is a TLS management service. It attempts to help track and create certificates. By removing common issues with
+CSR creation it gives normal developers 'sane' TLS defaults and helps security teams push TLS usage throughout an organization.
 
 Installation
 ------------
@@ -27,8 +27,7 @@ Administration
 .. toctree::
     :maxdepth: 2
 
-    administration/index
-    plugins/index
+    administration
 
 Developers
 ----------
@@ -38,14 +37,21 @@ Developers
 
     developer/index
 
-
-REST API
+Security
 --------
 
 .. toctree::
     :maxdepth: 2
 
-    developer/rest
+    security
+
+Doing a Release
+---------------
+
+.. toctree::
+    :maxdepth: 1
+
+    doing-a-release
 
 FAQ
 ----

docs/plugins/index.rst

@@ -1,20 +0,0 @@
-Plugins
-=======
-
-There are several interfaces currently available to extend Lemur. These are a work in
-progress and the API is not frozen.
-
-Bundled Plugins
----------------
-
-Lemur includes several plugins by default. Including extensive support for AWS, VeriSign/Symantec and CloudCA services.
-
-3rd Party Extensions
---------------------
-
-The following extensions are available and maintained by members of the Lemur community:
-
-Have an extension that should be listed here? Submit a `pull request <https://github.com/netflix/lemur>`_ and we'll
-get it added.
-
-Want to create your own extension? See :doc:`../developer/plugins/index` to get started.

docs/production/index.rst

@@ -6,21 +6,22 @@ There are several steps needed to make Lemur production ready. Here we focus on
 Basics
 ======
 
-Because of the sensitivity of the information stored and maintain by Lemur it is important that you follow standard host hardening practices:
+Because of the sensitivity of the information stored and maintained by Lemur it is important that you follow standard host hardening practices:
 
 - Run Lemur with a limited user
-- Disabled any unneeded service
+- Disabled any unneeded services
 - Enable remote logging
+- Restrict access to host
 
 .. _CredentialManagement:
 
 Credential Management
 ---------------------
 
-Lemur often contains credentials such as mutual SSL keys that are used to communicate with third party resources and for encrypting stored secrets. Lemur comes with the ability
+Lemur often contains credentials such as mutual TLS keys or API tokens that are used to communicate with third party resources and for encrypting stored secrets. Lemur comes with the ability
 to automatically encrypt these keys such that your keys not be in clear text.
 
-The keys are located within lemur/keys and broken down by environment
+The keys are located within lemur/keys and broken down by environment.
 
 To utilize this ability use the following commands:
 
@@ -30,7 +31,7 @@ and
 
     ``lemur unlock``
 
-If you choose to use this feature ensure that the KEY are decrypted before Lemur starts as it will have trouble communicating with the database otherwise.
+If you choose to use this feature ensure that the keys are decrypted before Lemur starts as it will have trouble communicating with the database otherwise.
 
 Entropy
 -------
@@ -56,8 +57,8 @@ For additional information about OpenSSL entropy issues:
 - `Managing and Understanding Entropy Usage <https://www.blackhat.com/docs/us-15/materials/us-15-Potter-Understanding-And-Managing-Entropy-Usage.pdf>`_
 
 
-SSL
-====
+TLS/SSL
+=======
 
 Nginx
 -----
@@ -71,7 +72,7 @@ Nginx is a very popular choice to serve a Python project:
 Nginx doesn't run any Python process, it only serves requests from outside to
 the Python server.
 
-Therefor there are two steps:
+Therefore there are two steps:
 
 - Run the Python process.
 - Run Nginx.
@@ -89,7 +90,7 @@ You must create a Nginx configuration file for Lemur. On GNU/Linux, they usually
 go into /etc/nginx/conf.d/. Name it lemur.conf.
 
 `proxy_pass` just passes the external request to the Python process.
-The port much match the one used by the 0bin process of course.
+The port must match the one used by the Lemur process of course.
 
 You can make some adjustments to get a better user experience::
 
@@ -127,10 +128,10 @@ You can make some adjustments to get a better user experience::
 
     }
 
-This makes Nginx serve the favicon and static files which is is much better at than python.
+This makes Nginx serve the favicon and static files which it is much better at than python.
 
-It is highly recommended that you deploy SSL when deploying Lemur. This may be obvious given Lemur's purpose but the
-sensitive nature of Lemur and what it controls makes this essential. This is a sample config for Lemur that also terminates SSL::
+It is highly recommended that you deploy TLS when deploying Lemur. This may be obvious given Lemur's purpose but the
+sensitive nature of Lemur and what it controls makes this essential. This is a sample config for Lemur that also terminates TLS::
 
     server_tokens off;
     add_header X-Frame-Options DENY;
@@ -218,7 +219,7 @@ An example apache config::
         ...
     </VirtualHost>
 
-Also included in the configurations above are several best practices when it comes to deploying SSL. Things like enabling
+Also included in the configurations above are several best practices when it comes to deploying TLS. Things like enabling
 HSTS, disabling vulnerable ciphers are all good ideas when it comes to deploying Lemur into a production environment.
 
 .. note::
@@ -256,13 +257,12 @@ Create a configuration file named supervisor.ini::
     nodaemon=false
     minfds=1024
     minprocs=200
-    user=lemur
 
     [program:lemur]
     command=python /path/to/lemur/manage.py manage.py start
 
     directory=/path/to/lemur/
-    environment=PYTHONPATH='/path/to/lemur/'
+    environment=PYTHONPATH='/path/to/lemur/',LEMUR_CONF='/home/lemur/.lemur/lemur.conf.py'
     user=lemur
     autostart=true
     autorestart=true
@@ -270,7 +270,7 @@ Create a configuration file named supervisor.ini::
 The 4 first entries are just boiler plate to get you started, you can copy
 them verbatim.
 
-The last one define one (you can have many) process supervisor should manage.
+The last one defines one (you can have many) process supervisor should manage.
 
 It means it will run the command::
 
@@ -292,6 +292,6 @@ Then you can manage the process by running::
 
     supervisorctl -c /path/to/supervisor.ini
 
-It will start a shell from were you can start/stop/restart the service
+It will start a shell from which you can start/stop/restart the service.
 
-You can read all errors that might occurs from /tmp/lemur.log.
+You can read all errors that might occur from /tmp/lemur.log.

docs/quickstart/index.rst

@@ -1,95 +1,93 @@
 Quickstart
 **********
 
-This guide will step you through setting up a Python-based virtualenv, installing the required packages, and configuring the basic web service.
-This guide assumes a clean Ubuntu 14.04 instance, commands may differ based on the OS and configuration being used.
+This guide will step you through setting up a Python-based virtualenv, installing the required packages, and configuring the basic web service.  This guide assumes a clean Ubuntu 14.04 instance, commands may differ based on the OS and configuration being used.
+
+Pressed for time? See the Lemur docker file on `Github <https://github.com/Netflix/lemur-docker>`_.
+
 
 Dependencies
 ------------
 
 Some basic prerequisites which you'll need in order to run Lemur:
 
-* A UNIX-based operating system. We test on Ubuntu, develop on OS X
+* A UNIX-based operating system (we test on Ubuntu, develop on OS X)
 * Python 2.7
 * PostgreSQL
-* Ngnix
+* Nginx
+
+.. note:: Lemur was built with in AWS in mind. This means that things such as databases (RDS), mail (SES), and TLS (ELB), are largely handled for us.  Lemur does **not** require AWS to function. Our guides and documentation try to be be as generic as possible and are not intended to document every step of launching Lemur into a given environment.
+
+
+Installing Build Dependencies
+-----------------------------
+
+If installing Lemur on a bare Ubuntu OS you will need to grab the following packages so that Lemur can correctly build it's dependencies:
+
+.. code-block:: bash
+
+    $ sudo apt-get update
+    $ sudo apt-get install install nodejs-legacy python-pip python-dev libpq-dev build-essential libssl-dev libffi-dev nginx git supervisor npm postgresql
+
+.. note:: PostgreSQL is only required if your database is going to be on the same host as the webserver.  npm is needed if you're installing Lemur from the source (e.g., from git).
+
+Now, install Python ``virtualenv`` package:
+
+.. code-block:: bash
+
+    $ sudo pip install -U virtualenv
 
-.. note:: Lemur was built with in AWS in mind. This means that things such as databases (RDS), mail (SES), and SSL (ELB),
-    are largely handled for us. Lemur does **not** require AWS to function. Our guides and documentation try to be
-    be as generic as possible and are not intended to document every step of launching Lemur into a given environment.
 
 Setting up an Environment
 -------------------------
 
-The first thing you'll need is the Python ``virtualenv`` package. You probably already
-have this, but if not, you can install it with::
-
-  pip install -U virtualenv
-
-Once that's done, choose a location for the environment, and create it with the ``virtualenv``
-command. For our guide, we're going to choose ``/www/lemur/``::
-
-  virtualenv /www/lemur/
-
-Finally, activate your virtualenv::
-
-  source /www/lemur/bin/activate
-
-.. note:: Activating the environment adjusts your PATH, so that things like pip now
-          install into the virtualenv by default.
-
-
-Installing build dependencies
------------------------------
-
-If installing Lemur on truely bare Ubuntu OS you will need to grab the following packages so that Lemur can correctly build it's
-dependencies::
-
-    $ sudo apt-get update
-    $ sudo apt-get install nodejs-legacy python-pip libpq-dev python-dev build-essential libssl-dev libffi-dev nginx git supervisor
-
-And optionally if your database is going to be on the same host as the webserver::
-
-    $ sudo apt-get install postgres
-
-
-Installing Lemur
-----------------
-
-Once you've got the environment setup, you can install Lemur and all its dependencies with
-the same command you used to grab virtualenv::
-
-    pip install -U lemur
-
-Once everything is installed, you should be able to execute the Lemur CLI, via ``lemur``, and get something
-like the following:
+In this guide, Lemur will be installed in ``/www``, so you need to create that structure first:
 
 .. code-block:: bash
 
-  $ lemur
-  usage: lemur [--config=/path/to/settings.py] [command] [options]
+    $ sudo mkdir /www
+    $ cd /www
+
+Clone Lemur inside the just created directory and give yourself write permission (we assume ``lemur`` is the user):
+
+.. code-block:: bash
+
+    $ sudo git clone https://github.com/Netflix/lemur
+    $ sudo chown -R lemur lemur/
+
+Create the virtual environment, activate it and enter the Lemur's directory:
+
+.. code-block:: bash
+
+    $ virtualenv lemur
+    $ source /www/lemur/bin/activate
+    $ cd lemur
+
+.. note:: Activating the environment adjusts your PATH, so that things like pip now install into the virtualenv by default.
 
 
 Installing from Source
 ~~~~~~~~~~~~~~~~~~~~~~
 
-If you're installing the Lemur source (e.g. from git), you'll also need to install **npm**.
+Once your system is prepared, ensure that you are in the virtualenv:
 
-Once your system is prepared, symlink your source into the virtualenv:
+.. code-block:: bash
+
+  $ which python
+
+And then run:
 
 .. code-block:: bash
 
   $ make develop
 
-.. Note:: This command will install npm dependencies as well as compile static assets.
+.. note:: This command will install npm dependencies as well as compile static assets.
 
 
 Creating a configuration
 ------------------------
 
-Before we run Lemur we must create a valid configuration file for it.
-
-The Lemur cli comes with a simple command to get you up and running quickly.
+Before we run Lemur, we must create a valid configuration file for it.  The Lemur command line interface comes with a simple command to get you up and running quickly.
 
 Simply run:
 
@@ -97,84 +95,85 @@ Simply run:
 
   $ lemur create_config
 
-.. Note:: This command will create a default configuration under `~/.lemur/lemur.conf.py` you
-    can specify this location by passing the `config_path` parameter to the `create_config` command.
+.. note:: This command will create a default configuration under ``~/.lemur/lemur.conf.py`` you can specify this location by passing the ``config_path`` parameter to the ``create_config`` command.
+
+You can specify ``-c`` or ``--config`` to any Lemur command to specify the current environment you are working in. Lemur will also look under the environmental variable ``LEMUR_CONF`` should that be easier to setup in your environment.
 
-You can specify `-c` or `--config` to any Lemur command to specify the current environment
-you are working in. Lemur will also look under the environmental variable `LEMUR_CONF` should
-that be easier to setup in your environment.
 
 Update your configuration
 -------------------------
 
-Once created you will need to update the configuration file with information about your environment,
-such as which database to talk to, where keys are stores etc..
+Once created, you will need to update the configuration file with information about your environment, such as which database to talk to, where keys are stored etc.
+
+.. note:: If you are unfamiliar with with the SQLALCHEMY_DATABASE_URI string it can be broken up like so:
+      ``postgresql://userame:password@<database-fqdn>:<database-port>/<database-name>``
 
-.. Note:: If you are unfamiliar with with the SQLALCHEMY_DATABASE_URI string it can be broken up like so:
-      postgresql://userame:password@databasefqdn:databaseport/databasename
 
 Setup Postgres
 --------------
 
-For production a dedicated database is recommended, for this guide we will assume postgres has been installed and is on
-the same machine that Lemur is installed on.
+For production, a dedicated database is recommended, for this guide we will assume postgres has been installed and is on the same machine that Lemur is installed on.
 
-First, set a password for the postgres user.  For this guide, we will use **lemur** as an example but you should use the database password generated for by Lemur::
+First, set a password for the postgres user.  For this guide, we will use ``lemur`` as an example but you should use the database password generated by Lemur:
 
-     $ sudo -u postgres psql postgres
-     # \password postgres
-     Enter new password: lemur
-     Enter it again: lemur
+.. code-block:: bash
 
-Type CTRL-D to exit psql once you have changed the password.
+    $ sudo -u postgres psql postgres
+    # \password postgres
+    Enter new password: lemur
+    Enter it again: lemur
 
-Next, we will create our a new database::
+Once successful, type CTRL-D to exit the Postgres shell.
 
-     $ sudo -u postgres createdb lemur
+Next, we will create our new database:
+
+.. code-block:: bash
+
+    $ sudo -u postgres createdb lemur
 
 .. _InitializingLemur:
 
+Set a password for lemur user inside Postgres:
+
+.. code-block:: bash
+
+    $ sudo -u postgres psql postgres
+    \password lemur
+    Enter new password: lemur
+    Enter it again: lemur
+
+Again, enter CTRL-D to exit the Postgres shell.
+
+
 Initializing Lemur
 ------------------
 
-Lemur provides a helpful command that will initialize your database for you. It creates a default user (lemur) that is
-used by Lemur to help associate certificates that do not currently have an owner. This is most commonly the case when
-Lemur has discovered certificates from a third party source. This is also a default user that can be used to
-administer Lemur.
+Lemur provides a helpful command that will initialize your database for you. It creates a default user (``lemur``) that is used by Lemur to help associate certificates that do not currently have an owner. This is most commonly the case when Lemur has discovered certificates from a third party source.  This is also a default user that can be used to administer Lemur.
 
-In addition to create a new User, Lemur also creates a few default email notifications. These notifications are based
-on a few configuration options such as `LEMUR_SECURITY_TEAM_EMAIL` they basically garentee that every cerificate within
-Lemur will send one expiration notification to the security team.
+In addition to creating a new user, Lemur also creates a few default email notifications.  These notifications are based on a few configuration options such as ``LEMUR_SECURITY_TEAM_EMAIL``.  They basically guarantee that every certificate within Lemur will send one expiration notification to the security team.
 
-Additional notifications can be created through the UI or API.
-See :ref:`Creating Notifications <CreatingNotifications>` and :ref:`Command Line Interface <CommandLineInterface>` for details.
+Additional notifications can be created through the UI or API.  See :ref:`Creating Notifications <CreatingNotifications>` and :ref:`Command Line Interface <CommandLineInterface>` for details.
 
-**Make note of the password used as this will be used during first login to the Lemur UI**
-
-.. code-block:: bash
-
-    $ lemur db init
+**Make note of the password used as this will be used during first login to the Lemur UI.**
 
 .. code-block:: bash
 
+    $ cd /www/lemur/lemur
     $ lemur init
 
-.. note:: It is recommended that once the 'lemur' user is created that you create individual users for every day access.
-    There is currently no way for a user to self enroll for Lemur access, they must have an administrator create an account
-    for them or be enrolled automatically through SSO. This can be done through the CLI or UI.
-    See :ref:`Creating Users <CreatingUsers>` and :ref:`Command Line Interface <CommandLineInterface>` for details
+.. note:: It is recommended that once the ``lemur`` user is created that you create individual users for every day access.  There is currently no way for a user to self enroll for Lemur access, they must have an administrator create an account for them or be enrolled automatically through SSO.  This can be done through the CLI or UI.  See :ref:`Creating Users <CreatingUsers>` and :ref:`Command Line Interface <CommandLineInterface>` for details.
+
 
 Setup a Reverse Proxy
 ---------------------
 
-By default, Lemur runs on port 5000. Even if you change this, under normal conditions you won't be able to bind to
-port 80. To get around this (and to avoid running Lemur as a privileged user, which you shouldn't), we recommend
-you setup a simple web proxy.
+By default, Lemur runs on port 8000.  Even if you change this, under normal conditions you won't be able to bind to port 80. To get around this (and to avoid running Lemur as a privileged user, which you shouldn't), we need setup a simple web proxy. There are many different web servers you can use for this, we like and recommend Nginx.
+
 
 Proxying with Nginx
 ~~~~~~~~~~~~~~~~~~~
 
-You'll use the builtin HttpProxyModule within Nginx to handle proxying
+You'll use the builtin ``HttpProxyModule`` within Nginx to handle proxying.  Edit the ``/etc/nginx/sites-available/default`` file according to the lines below
 
 ::
 
@@ -187,12 +186,6 @@ You'll use the builtin HttpProxyModule within Nginx to handle proxying
         proxy_set_header        X-Real-IP       $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
     }
-    
-    location / {
-        root /www/lemur/lemur/static/dist;
-        include mime.types;
-        index index.html;
-    }
 
     location / {
         root /www/lemur/lemur/static/dist;
@@ -200,16 +193,22 @@ You'll use the builtin HttpProxyModule within Nginx to handle proxying
         index index.html;
     }
 
-See :doc:`../production/index` for more details on using Nginx.
+.. note:: See :doc:`../production/index` for more details on using Nginx.
+
+After making these changes, restart Nginx service to apply them:
+
+.. code-block:: bash
+
+    $ sudo service nginx restart
 
 
 Starting the Web Service
 ------------------------
 
-Lemur provides a built-in webserver (powered by gunicorn and eventlet) to get you off the ground quickly.
+Lemur provides a built-in web server (powered by gunicorn and eventlet) to get you off the ground quickly.
 
-To start the webserver, you simply use ``lemur start``. If you opted to use an alternative configuration path
-you can pass that via the --config option.
+To start the web server, you simply use ``lemur start``. If you opted to use an alternative configuration path
+you can pass that via the ``--config`` option.
 
 .. note::
     You can login with the default user created during :ref:`Initializing Lemur <InitializingLemur>` or any other
@@ -217,23 +216,23 @@ you can pass that via the --config option.
 
 ::
 
-  # Lemur's server runs on port 5000 by default. Make sure your client reflects
+  # Lemur's server runs on port 8000 by default. Make sure your client reflects
   # the correct host and port!
-  lemur --config=/etc/lemur.conf.py start -b 127.0.0.1:5000
+  lemur --config=/etc/lemur.conf.py start -b 127.0.0.1:8000
+
+You should now be able to test the web service by visiting ``http://localhost:8000/``.
 
-You should now be able to test the web service by visiting `http://localhost:5000/`.
 
 Running Lemur as a Service
----------------------------
+--------------------------
+
+We recommend using whatever software you are most familiar with for managing Lemur processes.  One option is `Supervisor <http://supervisord.org/>`_.
 
-We recommend using whatever software you are most familiar with for managing Lemur processes. One option is
-`Supervisor <http://supervisord.org/>`_.
 
 Configure ``supervisord``
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Configuring Supervisor couldn't be more simple. Just point it to the ``lemur`` executable in your virtualenv's bin/
-folder and you're good to go.
+Configuring Supervisor couldn't be more simple. Just point it to the ``lemur`` executable in your virtualenv's ``bin/`` folder and you're good to go.
 
 ::
 
@@ -248,11 +247,11 @@ folder and you're good to go.
 
 See :ref:`Using Supervisor <UsingSupervisor>` for more details on using Supervisor.
 
+
 Syncing
 -------
 
-Lemur uses periodic sync tasks to make sure it is up-to-date with it's environment. As always things can change outside
-of Lemur, but we do our best to reconcile those changes.
+Lemur uses periodic sync tasks to make sure it is up-to-date with its environment. As always, things can change outside of Lemur, but we do our best to reconcile those changes, for example, using Cron:
 
 .. code-block:: bash
 
@@ -260,30 +259,30 @@ of Lemur, but we do our best to reconcile those changes.
   * 3 * * * lemur sync --all
   * 3 * * * lemur check_revoked
 
+
 Additional Utilities
 --------------------
 
-If you're familiar with Python you'll quickly find yourself at home, and even more so if you've used Flask. The
-``lemur`` command is just a simple wrapper around Flask's ``manage.py``, which means you get all of the
-power and flexibility that goes with it.
+If you're familiar with Python you'll quickly find yourself at home, and even more so if you've used Flask.  The ``lemur`` command is just a simple wrapper around Flask's ``manage.py``, which means you get all of the power and flexibility that goes with it.
+
+Some of the features which you'll likely find useful are listed below.
 
-Some of those which you'll likely find useful are:
 
 lock
 ~~~~
 
-Encrypts sensitive key material - This is most useful for storing encrypted secrets in source code.
+Encrypts sensitive key material - this is most useful for storing encrypted secrets in source code.
+
 
 unlock
 ~~~~~~
 
-Decrypts sensitive key material - Used to decrypt the secrets stored in source during deployment.
+Decrypts sensitive key material - used to decrypt the secrets stored in source during deployment.
 
 
 What's Next?
 ------------
 
-The above gets you going, but for production there are several different security considerations to take into account,
-remember Lemur is handling sensitive data and security is imperative.
+Get familiar with how Lemur works by reviewing the :doc:`../guide/index`. When you're ready see :doc:`../production/index` for more details on how to configure Lemur for production.
 
-See :doc:`../production/index` for more details on how to configure Lemur for production.
+The above just gets you going, but for production there are several different security considerations to take into account.  Remember, Lemur is handling sensitive data and security is imperative.

docs/requirements.txt

@@ -2,4 +2,28 @@ Jinja2>=2.3
 Pygments>=1.2
 Sphinx>=1.3
 docutils>=0.7
-markupsafe
+markupsafe
+sphinxcontrib-httpdomain
+Flask==0.10.1
+Flask-RESTful==0.3.3
+Flask-SQLAlchemy==2.1
+Flask-Script==2.0.5
+Flask-Migrate==1.7.0
+Flask-Bcrypt==0.7.1
+Flask-Principal==0.4.0
+Flask-Mail==0.9.1
+SQLAlchemy-Utils==0.31.4
+BeautifulSoup4
+requests==2.9.1
+psycopg2==2.6.1
+arrow==0.7.0
+boto==2.38.0  # we might make this optional
+six==1.10.0
+gunicorn==19.4.4
+pycrypto==2.6.1
+cryptography==1.1.2
+pyopenssl==0.15.1
+pyjwt==1.4.0
+xmltodict==0.9.2
+lockfile==0.12.2
+future==0.15.2

docs/security.rst

@@ -0,0 +1,66 @@
+Security
+========
+
+We take the security of ``lemur`` seriously. The following are a set of
+policies we have adopted to ensure that security issues are addressed in a
+timely fashion.
+
+Reporting a security issue
+--------------------------
+
+We ask that you do not report security issues to our normal GitHub issue
+tracker.
+
+If you believe you've identified a security issue with ``lemur``, please
+report it to ``cloudsecurity@netflix.com``.
+
+Once you've submitted an issue via email, you should receive an acknowledgment
+within 48 hours, and depending on the action to be taken, you may receive
+further follow-up emails.
+
+Supported Versions
+------------------
+
+At any given time, we will provide security support for the `master`_ branch
+as well as the 2 most recent releases.
+
+Disclosure Process
+------------------
+
+Our process for taking a security issue from private discussion to public
+disclosure involves multiple steps.
+
+Approximately one week before full public disclosure, we will send advance
+notification of the issue to a list of people and organizations, primarily
+composed of operating-system vendors and other distributors of
+``lemur``.  This notification will consist of an email message
+containing:
+
+* A full description of the issue and the affected versions of
+  ``lemur``.
+* The steps we will be taking to remedy the issue.
+* The patches, if any, that will be applied to ``lemur``.
+* The date on which the ``lemur`` team will apply these patches, issue
+  new releases, and publicly disclose the issue.
+
+Simultaneously, the reporter of the issue will receive notification of the date
+on which we plan to make the issue public.
+
+On the day of disclosure, we will take the following steps:
+
+* Apply the relevant patches to the ``lemur`` repository. The commit
+  messages for these patches will indicate that they are for security issues,
+  but will not describe the issue in any detail; instead, they will warn of
+  upcoming disclosure.
+* Issue the relevant releases.
+
+If a reported issue is believed to be particularly time-sensitive – due to a
+known exploit in the wild, for example – the time between advance notification
+and public disclosure may be shortened considerably.
+
+The list of people and organizations who receives advanced notification of
+security issues is not, and will not, be made public. This list generally
+consists of high profile downstream distributors and is entirely at the
+discretion of the ``lemur`` team.
+
+.. _`master`: https://github.com/Netflix/lemur

gulp/build.js

@@ -72,7 +72,6 @@ gulp.task('dev:styles', function () {
   };
 
   var fileList = [
-    'lemur/static/app/styles/lemur.css',
     'bower_components/bootswatch/sandstone/bootswatch.less',
     'bower_components/fontawesome/css/font-awesome.css',
     'bower_components/angular-spinkit/src/angular-spinkit.css',
@@ -81,7 +80,8 @@ gulp.task('dev:styles', function () {
     'bower_components/angular-ui-switch/angular-ui-switch.css',
     'bower_components/angular-wizard/dist/angular-wizard.css',
     'bower_components/ng-table/ng-table.css',
-    'bower_components/angularjs-toaster/toaster.css'
+    'bower_components/angularjs-toaster/toaster.css',
+    'lemur/static/app/styles/lemur.css'
   ];
 
   return gulp.src(fileList)
@@ -238,8 +238,8 @@ gulp.task('build:images', function () {
 
 gulp.task('package:strip', function () {
   return gulp.src(['lemur/static/dist/scripts/main*'])
-    .pipe(replace('http:\/\/localhost:5000', ''))
     .pipe(replace('http:\/\/localhost:3000', ''))
+    .pipe(replace('http:\/\/localhost:8000', ''))
     .pipe(useref())
     .pipe(revReplace())
     .pipe(gulp.dest('lemur/static/dist/scripts'))

lemur/__about__.py

@@ -0,0 +1,18 @@
+from __future__ import absolute_import, division, print_function
+
+__all__ = [
+    "__title__", "__summary__", "__uri__", "__version__", "__author__",
+    "__email__", "__license__", "__copyright__",
+]
+
+__title__ = "lemur"
+__summary__ = ("Certificate management and orchestration service")
+__uri__ = "https://github.com/Netflix/lemur"
+
+__version__ = "0.2.2"
+
+__author__ = "The Lemur developers"
+__email__ = "security@netflix.com"
+
+__license__ = "Apache License, Version 2.0"
+__copyright__ = "Copyright 2015 {0}".format(__author__)

lemur/__init__.py

@@ -8,6 +8,8 @@
 
 
 """
+from __future__ import absolute_import, division, print_function
+
 from lemur import factory
 
 from lemur.users.views import mod as users_bp
@@ -17,11 +19,21 @@ from lemur.domains.views import mod as domains_bp
 from lemur.destinations.views import mod as destinations_bp
 from lemur.authorities.views import mod as authorities_bp
 from lemur.certificates.views import mod as certificates_bp
-from lemur.status.views import mod as status_bp
+from lemur.defaults.views import mod as defaults_bp
 from lemur.plugins.views import mod as plugins_bp
 from lemur.notifications.views import mod as notifications_bp
 from lemur.sources.views import mod as sources_bp
 
+from lemur.__about__ import (
+    __author__, __copyright__, __email__, __license__, __summary__, __title__,
+    __uri__, __version__
+)
+
+
+__all__ = [
+    "__title__", "__summary__", "__uri__", "__version__", "__author__",
+    "__email__", "__license__", "__copyright__",
+]
 
 LEMUR_BLUEPRINTS = (
     users_bp,
@@ -31,7 +43,7 @@ LEMUR_BLUEPRINTS = (
     destinations_bp,
     authorities_bp,
     certificates_bp,
-    status_bp,
+    defaults_bp,
     plugins_bp,
     notifications_bp,
     sources_bp

lemur/auth/permissions.py

@@ -19,6 +19,11 @@ CertificateCreator = namedtuple('certificate', ['method', 'value'])
 CertificateCreatorNeed = partial(CertificateCreator, 'key')
 
 
+class SensitiveDomainPermission(Permission):
+    def __init__(self):
+        super(SensitiveDomainPermission, self).__init__(RoleNeed('admin'))
+
+
 class ViewKeyPermission(Permission):
     def __init__(self, certificate_id, owner):
         c_need = CertificateCreatorNeed(certificate_id)

lemur/auth/views.py

@@ -35,7 +35,7 @@ class Login(Resource):
 
         Authorization:Bearer <token>
 
-    Tokens have a set expiration date. You can inspect the token expiration be base64 decoding the token and inspecting
+    Tokens have a set expiration date. You can inspect the token expiration by base64 decoding the token and inspecting
     it's contents.
 
     .. note:: It is recommended that the token expiration is fairly short lived (hours not days). This will largely depend \
@@ -125,7 +125,7 @@ class Ping(Resource):
 
         args = self.reqparse.parse_args()
 
-        # take the information we have received from Meechum to create a new request
+        # take the information we have received from the provider to create a new request
         params = {
             'client_id': args['clientId'],
             'grant_type': 'authorization_code',
@@ -138,7 +138,7 @@ class Ping(Resource):
         access_token_url = current_app.config.get('PING_ACCESS_TOKEN_URL')
         user_api_url = current_app.config.get('PING_USER_API_URL')
 
-        # the secret and cliendId will be given to you when you signup for meechum
+        # the secret and cliendId will be given to you when you signup for the provider
         basic = base64.b64encode('{0}:{1}'.format(args['clientId'], current_app.config.get("PING_SECRET")))
         headers = {'Authorization': 'Basic {0}'.format(basic)}
 
@@ -220,7 +220,7 @@ class Ping(Resource):
                 profile['email'],
                 profile['email'],
                 True,
-                profile.get('thumbnailPhotoUrl'),  # Encase profile isn't google+ enabled
+                profile.get('thumbnailPhotoUrl'),  # incase profile isn't google+ enabled
                 roles
             )
 
@@ -230,5 +230,77 @@ class Ping(Resource):
         return dict(token=create_token(user))
 
 
+class Google(Resource):
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(Google, self).__init__()
+
+    def post(self):
+        access_token_url = 'https://accounts.google.com/o/oauth2/token'
+        people_api_url = 'https://www.googleapis.com/plus/v1/people/me/openIdConnect'
+
+        self.reqparse.add_argument('clientId', type=str, required=True, location='json')
+        self.reqparse.add_argument('redirectUri', type=str, required=True, location='json')
+        self.reqparse.add_argument('code', type=str, required=True, location='json')
+
+        args = self.reqparse.parse_args()
+
+        # Step 1. Exchange authorization code for access token
+        payload = {
+            'client_id': args['clientId'],
+            'grant_type': 'authorization_code',
+            'redirect_uri': args['redirectUri'],
+            'code': args['code'],
+            'client_secret': current_app.config.get('GOOGLE_SECRET')
+        }
+
+        r = requests.post(access_token_url, data=payload)
+        token = r.json()
+
+        # Step 2. Retrieve information about the current user
+        headers = {'Authorization': 'Bearer {0}'.format(token['access_token'])}
+
+        r = requests.get(people_api_url, headers=headers)
+        profile = r.json()
+
+        user = user_service.get_by_email(profile['email'])
+
+        if user:
+            return dict(token=create_token(user))
+
+
+class Providers(Resource):
+    def get(self):
+        active_providers = []
+
+        for provider in current_app.config.get("ACTIVE_PROVIDERS"):
+            provider = provider.lower()
+
+            if provider == "google":
+                active_providers.append({
+                    'name': 'google',
+                    'clientId': current_app.config.get("GOOGLE_CLIENT_ID"),
+                    'url': api.url_for(Google)
+                })
+
+            elif provider == "ping":
+                active_providers.append({
+                    'name': current_app.config.get("PING_NAME"),
+                    'url': current_app.config.get('PING_REDIRECT_URI'),
+                    'redirectUri': current_app.config.get("PING_REDIRECT_URI"),
+                    'clientId': current_app.config.get("PING_CLIENT_ID"),
+                    'responseType': 'code',
+                    'scope': ['openid', 'email', 'profile', 'address'],
+                    'scopeDelimiter': ' ',
+                    'authorizationEndpoint': current_app.config.get("PING_AUTH_ENDPOINT"),
+                    'requiredUrlParams': ['scope'],
+                    'type': '2.0'
+                })
+
+        return active_providers
+
+
 api.add_resource(Login, '/auth/login', endpoint='login')
 api.add_resource(Ping, '/auth/ping', endpoint='ping')
+api.add_resource(Google, '/auth/google', endpoint='google')
+api.add_resource(Providers, '/auth/providers', endpoint='providers')

lemur/authorities/models.py

@@ -14,7 +14,7 @@ from sqlalchemy import Column, Integer, String, Text, func, ForeignKey, DateTime
 from sqlalchemy.dialects.postgresql import JSON
 
 from lemur.database import db
-from lemur.certificates.models import cert_get_cn, cert_get_not_after, cert_get_not_before
+from lemur.certificates.models import get_cn, get_not_after, get_not_before
 
 
 class Authority(db.Model):
@@ -44,9 +44,9 @@ class Authority(db.Model):
         self.owner = owner
         self.plugin_name = plugin_name
         cert = x509.load_pem_x509_certificate(str(body), default_backend())
-        self.cn = cert_get_cn(cert)
-        self.not_before = cert_get_not_before(cert)
-        self.not_after = cert_get_not_after(cert)
+        self.cn = get_cn(cert)
+        self.not_before = get_not_before(cert)
+        self.not_after = get_not_after(cert)
         self.roles = roles
         self.description = description
 

lemur/authorities/service.py

@@ -28,7 +28,6 @@ def update(authority_id, description=None, owner=None, active=None, roles=None):
 
     :param authority_id:
     :param roles: roles that are allowed to use this authority
-    :rtype : Authority
     :return:
     """
     authority = get(authority_id)
@@ -47,7 +46,6 @@ def create(kwargs):
     """
     Create a new authority.
 
-    :rtype : Authority
     :return:
     """
 
@@ -58,7 +56,15 @@ def create(kwargs):
 
     cert = Certificate(cert_body, chain=intermediate)
     cert.owner = kwargs['ownerEmail']
-    cert.description = "This is the ROOT certificate for the {0} certificate authority".format(kwargs.get('caName'))
+
+    if kwargs['caType'] == 'subca':
+        cert.description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
+                                authority is {1}.".format(kwargs.get('caName'), kwargs.get('caParent'))
+    else:
+        cert.description = "This is the ROOT certificate for the {0} certificate authority.".format(
+            kwargs.get('caName')
+        )
+
     cert.user = g.current_user
 
     cert.notifications = notification_service.create_default_expiration_notifications(
@@ -95,6 +101,10 @@ def create(kwargs):
     database.update(cert)
     authority = database.create(authority)
 
+    # the owning dl or role should have this authority associated with it
+    owner_role = role_service.get_by_name(kwargs['ownerEmail'])
+    owner_role.authority = authority
+
     g.current_user.authorities.append(authority)
 
     return authority
@@ -115,7 +125,6 @@ def get(authority_id):
     """
     Retrieves an authority given it's ID
 
-    :rtype : Authority
     :param authority_id:
     :return:
     """
@@ -127,7 +136,6 @@ def get_by_name(authority_name):
     Retrieves an authority given it's name.
 
     :param authority_name:
-    :rtype : Authority
     :return:
     """
     return database.get(Authority, authority_name, field='name')

lemur/authorities/views.py

@@ -85,9 +85,9 @@ class AuthoritiesList(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair. format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated

lemur/certificates/models.py

@@ -13,9 +13,7 @@ from cryptography.hazmat.backends import default_backend
 from sqlalchemy.orm import relationship
 from sqlalchemy import event, Integer, ForeignKey, String, DateTime, PassiveDefault, func, Column, Text, Boolean
 
-from sqlalchemy_utils import EncryptedType
-
-from lemur.utils import get_key
+from lemur.utils import Vault
 from lemur.database import db
 from lemur.plugins.base import plugins
 
@@ -24,7 +22,8 @@ from lemur.domains.models import Domain
 from lemur.constants import SAN_NAMING_TEMPLATE, DEFAULT_NAMING_TEMPLATE
 
 from lemur.models import certificate_associations, certificate_source_associations, \
-    certificate_destination_associations, certificate_notification_associations
+    certificate_destination_associations, certificate_notification_associations, \
+    certificate_replacement_associations
 
 
 def create_name(issuer, not_before, not_after, subject, san):
@@ -34,6 +33,11 @@ def create_name(issuer, not_before, not_after, subject, san):
     useful information such as Common Name, Validation dates,
     and Issuer.
 
+    :param san:
+    :param subject:
+    :param not_after:
+    :param issuer:
+    :param not_before:
     :rtype : str
     :return:
     """
@@ -63,7 +67,11 @@ def create_name(issuer, not_before, not_after, subject, san):
     return temp.replace(" ", "-")
 
 
-def cert_get_cn(cert):
+def get_signing_algorithm(cert):
+    return cert.signature_hash_algorithm.name
+
+
+def get_cn(cert):
     """
     Attempts to get a sane common name from a given certificate.
 
@@ -75,7 +83,7 @@ def cert_get_cn(cert):
     )[0].value.strip()
 
 
-def cert_get_domains(cert):
+def get_domains(cert):
     """
     Attempts to get an domains listed in a certificate.
     If 'subjectAltName' extension is not available we simply
@@ -96,7 +104,7 @@ def cert_get_domains(cert):
     return domains
 
 
-def cert_get_serial(cert):
+def get_serial(cert):
     """
     Fetch the serial number from the certificate.
 
@@ -106,7 +114,7 @@ def cert_get_serial(cert):
     return cert.serial
 
 
-def cert_is_san(cert):
+def is_san(cert):
     """
     Determines if a given certificate is a SAN certificate.
     SAN certificates are simply certificates that cover multiple domains.
@@ -114,18 +122,18 @@ def cert_is_san(cert):
     :param cert:
     :return: Bool
     """
-    if len(cert_get_domains(cert)) > 1:
+    if len(get_domains(cert)) > 1:
         return True
 
 
-def cert_is_wildcard(cert):
+def is_wildcard(cert):
     """
     Determines if certificate is a wildcard certificate.
 
     :param cert:
     :return: Bool
     """
-    domains = cert_get_domains(cert)
+    domains = get_domains(cert)
     if len(domains) == 1 and domains[0][0:1] == "*":
         return True
 
@@ -133,7 +141,7 @@ def cert_is_wildcard(cert):
         return True
 
 
-def cert_get_bitstrength(cert):
+def get_bitstrength(cert):
     """
     Calculates a certificates public key bit length.
 
@@ -143,7 +151,7 @@ def cert_get_bitstrength(cert):
     return cert.public_key().key_size
 
 
-def cert_get_issuer(cert):
+def get_issuer(cert):
     """
     Gets a sane issuer from a given certificate.
 
@@ -160,7 +168,7 @@ def cert_get_issuer(cert):
         current_app.logger.error("Unable to get issuer! {0}".format(e))
 
 
-def cert_get_not_before(cert):
+def get_not_before(cert):
     """
     Gets the naive datetime of the certificates 'not_before' field.
     This field denotes the first date in time which the given certificate
@@ -172,7 +180,7 @@ def cert_get_not_before(cert):
     return cert.not_valid_before
 
 
-def cert_get_not_after(cert):
+def get_not_after(cert):
     """
     Gets the naive datetime of the certificates 'not_after' field.
     This field denotes the last date in time which the given certificate
@@ -209,7 +217,7 @@ class Certificate(db.Model):
     id = Column(Integer, primary_key=True)
     owner = Column(String(128))
     body = Column(Text())
-    private_key = Column(EncryptedType(String, get_key))
+    private_key = Column(Vault)
     status = Column(String(128))
     deleted = Column(Boolean, index=True)
     name = Column(String(128))
@@ -224,10 +232,16 @@ class Certificate(db.Model):
     not_before = Column(DateTime)
     not_after = Column(DateTime)
     date_created = Column(DateTime, PassiveDefault(func.now()), nullable=False)
+    signing_algorithm = Column(String(128))
     user_id = Column(Integer, ForeignKey('users.id'))
     authority_id = Column(Integer, ForeignKey('authorities.id'))
     notifications = relationship("Notification", secondary=certificate_notification_associations, backref='certificate')
     destinations = relationship("Destination", secondary=certificate_destination_associations, backref='certificate')
+    replaces = relationship("Certificate",
+                            secondary=certificate_replacement_associations,
+                            primaryjoin=id == certificate_replacement_associations.c.certificate_id,  # noqa
+                            secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id,  # noqa
+                            backref='replaced')
     sources = relationship("Source", secondary=certificate_source_associations, backref='certificate')
     domains = relationship("Domain", secondary=certificate_associations, backref="certificate")
 
@@ -237,16 +251,17 @@ class Certificate(db.Model):
         self.private_key = private_key
         self.chain = chain
         cert = x509.load_pem_x509_certificate(str(self.body), default_backend())
-        self.bits = cert_get_bitstrength(cert)
-        self.issuer = cert_get_issuer(cert)
-        self.serial = cert_get_serial(cert)
-        self.cn = cert_get_cn(cert)
-        self.san = cert_is_san(cert)
-        self.not_before = cert_get_not_before(cert)
-        self.not_after = cert_get_not_after(cert)
+        self.signing_algorithm = get_signing_algorithm(cert)
+        self.bits = get_bitstrength(cert)
+        self.issuer = get_issuer(cert)
+        self.serial = get_serial(cert)
+        self.cn = get_cn(cert)
+        self.san = is_san(cert)
+        self.not_before = get_not_before(cert)
+        self.not_after = get_not_after(cert)
         self.name = create_name(self.issuer, self.not_before, self.not_after, self.cn, self.san)
 
-        for domain in cert_get_domains(cert):
+        for domain in get_domains(cert):
             self.domains.append(Domain(name=domain))
 
     @property
@@ -276,11 +291,44 @@ class Certificate(db.Model):
         """
         return "arn:aws:iam::{}:server-certificate/{}".format(account_number, self.name)
 
-    def as_dict(self):
-        return {c.name: getattr(self, c.name) for c in self.__table__.columns}
-
 
 @event.listens_for(Certificate.destinations, 'append')
 def update_destinations(target, value, initiator):
+    """
+    Attempt to upload the new certificate to the new destination
+
+    :param target:
+    :param value:
+    :param initiator:
+    :return:
+    """
     destination_plugin = plugins.get(value.plugin_name)
     destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)
+
+
+@event.listens_for(Certificate.replaces, 'append')
+def update_replacement(target, value, initiator):
+    """
+    When a certificate is marked as 'replaced' it is then marked as in-active
+
+    :param target:
+    :param value:
+    :param initiator:
+    :return:
+    """
+    value.active = False
+
+
+@event.listens_for(Certificate, 'before_update')
+def protect_active(mapper, connection, target):
+    """
+    When a certificate has a replacement do not allow it to be marked as 'active'
+
+    :param connection:
+    :param mapper:
+    :param target:
+    :return:
+    """
+    if target.active:
+        if target.replaced:
+            raise Exception("Cannot mark certificate as active, certificate has been marked as replaced.")

lemur/certificates/service.py

@@ -17,6 +17,7 @@ from lemur.certificates.models import Certificate
 from lemur.destinations.models import Destination
 from lemur.notifications.models import Notification
 from lemur.authorities.models import Authority
+from lemur.domains.models import Domain
 
 from lemur.roles.models import Role
 
@@ -76,13 +77,30 @@ def find_duplicates(cert_body):
     return Certificate.query.filter_by(body=cert_body).all()
 
 
-def update(cert_id, owner, description, active, destinations, notifications):
+def export(cert, export_plugin):
     """
-    Updates a certificate.
+    Exports a certificate to the requested format. This format
+    may be a binary format.
 
+    :param export_plugin:
+    :param cert:
+    :return:
+    """
+    plugin = plugins.get(export_plugin['slug'])
+
+    return plugin.export(cert.body, cert.chain, cert.private_key, export_plugin['pluginOptions'])
+
+
+def update(cert_id, owner, description, active, destinations, notifications, replaces):
+    """
+    Updates a certificate
     :param cert_id:
     :param owner:
+    :param description:
     :param active:
+    :param destinations:
+    :param notifications:
+    :param replaces:
     :return:
     """
     from lemur.notifications import service as notification_service
@@ -104,6 +122,7 @@ def update(cert_id, owner, description, active, destinations, notifications):
     cert.notifications = new_notifications
 
     database.update_list(cert, 'destinations', Destination, destinations)
+    database.update_list(cert, 'replaces', Certificate, replaces)
 
     cert.owner = owner
 
@@ -121,7 +140,12 @@ def mint(issuer_options):
 
     issuer = plugins.get(authority.plugin_name)
 
-    csr, private_key = create_csr(issuer_options)
+    # allow the CSR to be specified by the user
+    if not issuer_options.get('csr'):
+        csr, private_key = create_csr(issuer_options)
+    else:
+        csr = issuer_options.get('csr')
+        private_key = None
 
     issuer_options['creator'] = g.user.email
     cert_body, cert_chain = issuer.create_certificate(csr, issuer_options)
@@ -165,6 +189,10 @@ def import_certificate(**kwargs):
 
     notification_name = 'DEFAULT_SECURITY'
     notifications = notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
+
+    if kwargs.get('replacements'):
+        database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])
+
     cert.notifications = notifications
 
     cert = database.create(cert)
@@ -194,8 +222,8 @@ def upload(**kwargs):
     g.user.certificates.append(cert)
 
     database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
-
     database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))
+    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])
 
     # create default notifications for this certificate if none are provided
     notifications = []
@@ -228,11 +256,11 @@ def create(**kwargs):
     # do this after the certificate has already been created because if it fails to upload to the third party
     # we do not want to lose the certificate information.
     database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
-
+    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])
     database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))
 
     # create default notifications for this certificate if none are provided
-    notifications = []
+    notifications = cert.notifications
     if not kwargs.get('notifications'):
         notification_name = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
         notifications += notification_service.create_default_expiration_notifications(notification_name, [cert.owner])
@@ -266,6 +294,7 @@ def render(args):
 
     if filt:
         terms = filt.split(';')
+
         if 'issuer' in terms:
             # we can't rely on issuer being correct in the cert directly so we combine queries
             sub_query = database.session_query(Authority.id)\
@@ -280,10 +309,17 @@ def render(args):
             )
             return database.sort_and_page(query, Certificate, args)
 
-        if 'destination' in terms:
+        elif 'destination' in terms:
             query = query.filter(Certificate.destinations.any(Destination.id == terms[1]))
         elif 'active' in filt:  # this is really weird but strcmp seems to not work here??
             query = query.filter(Certificate.active == terms[1])
+        elif 'cn' in terms:
+            query = query.filter(
+                or_(
+                    Certificate.cn.ilike('%{0}%'.format(terms[1])),
+                    Certificate.domains.any(Domain.name.ilike('%{0}%'.format(terms[1])))
+                )
+            )
         else:
             query = database.filter(query, Certificate, terms)
 

lemur/certificates/verify.py

@@ -5,7 +5,6 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-import os
 import requests
 import subprocess
 from OpenSSL import crypto
@@ -13,20 +12,7 @@ from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 
 from flask import current_app
-
-from contextlib import contextmanager
-from tempfile import NamedTemporaryFile
-
-
-@contextmanager
-def mktempfile():
-    with NamedTemporaryFile(delete=False) as f:
-        name = f.name
-
-    try:
-        yield name
-    finally:
-        os.unlink(name)
+from lemur.utils import mktempfile
 
 
 def ocsp_verify(cert_path, issuer_chain_path):

lemur/certificates/views.py

@@ -5,32 +5,34 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
+import base64
 from builtins import str
 
-from flask import Blueprint, current_app, make_response, jsonify
+from flask import Blueprint, make_response, jsonify
 from flask.ext.restful import reqparse, Api, fields
 
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 
-from lemur.certificates import service
-from lemur.authorities.models import Authority
+from lemur.plugins import plugins
 
 from lemur.auth.service import AuthenticatedResource
-from lemur.auth.permissions import ViewKeyPermission, AuthorityPermission, UpdateCertificatePermission
+from lemur.auth.permissions import ViewKeyPermission
+from lemur.auth.permissions import AuthorityPermission
+from lemur.auth.permissions import UpdateCertificatePermission
+from lemur.auth.permissions import SensitiveDomainPermission
 
+from lemur.certificates import service
+from lemur.authorities.models import Authority
 from lemur.roles import service as role_service
-
+from lemur.domains import service as domain_service
 from lemur.common.utils import marshal_items, paginated_parser
-
 from lemur.notifications.views import notification_list
 
-
 mod = Blueprint('certificates', __name__)
 api = Api(mod)
 
-
 FIELDS = {
     'name': fields.String,
     'id': fields.Integer,
@@ -46,6 +48,7 @@ FIELDS = {
     'notBefore': fields.DateTime(dt_format='iso8601', attribute='not_before'),
     'notAfter': fields.DateTime(dt_format='iso8601', attribute='not_after'),
     'cn': fields.String,
+    'signingAlgorithm': fields.String(attribute='signing_algorithm'),
     'status': fields.String,
     'body': fields.String
 }
@@ -70,6 +73,36 @@ def valid_authority(authority_options):
     return authority
 
 
+def get_domains_from_options(options):
+    """
+    Retrive all domains from certificate options
+    :param options:
+    :return:
+    """
+    domains = [options['commonName']]
+    if options.get('extensions'):
+        if options['extensions'].get('subAltNames'):
+            for k, v in options['extensions']['subAltNames']['names']:
+                if k == 'DNSName':
+                    domains.append(v)
+    return domains
+
+
+def check_sensitive_domains(domains):
+    """
+    Determines if any certificates in the given certificate
+    are marked as sensitive
+    :param domains:
+    :return:
+    """
+    for domain in domains:
+        domain_objs = domain_service.get_by_name(domain)
+        for d in domain_objs:
+            if d.sensitive:
+                raise ValueError("The domain {0} has been marked as sensitive. Contact an administrator to "
+                                 "issue this certificate".format(d.name))
+
+
 def pem_str(value, name):
     """
     Used to validate that the given string is a PEM formatted string
@@ -102,6 +135,7 @@ def private_key_str(value, name):
 
 class CertificatesList(AuthenticatedResource):
     """ Defines the 'certificates' endpoint """
+
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(CertificatesList, self).__init__()
@@ -156,7 +190,7 @@ class CertificatesList(AuthenticatedResource):
            :query sortBy: field to sort on
            :query sortDir: acs or desc
            :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
+           :query filter: key value pair format is k;v
            :query limit: limit number. default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
@@ -198,6 +232,7 @@ class CertificatesList(AuthenticatedResource):
                 "owner": "bob@example.com",
                 "description": "test",
                 "selectedAuthority": "timetest2",
+                "csr",
                 "authority": {
                     "body": "-----BEGIN...",
                     "name": "timetest2",
@@ -208,6 +243,46 @@ class CertificatesList(AuthenticatedResource):
                     "notAfter": "2015-06-17T15:21:08",
                     "description": "dsfdsf"
                 },
+                "notifications": [
+                    {
+                      "description": "Default 30 day expiration notification",
+                      "notificationOptions": [
+                        {
+                          "name": "interval",
+                          "required": true,
+                          "value": 30,
+                          "helpMessage": "Number of days to be alert before expiration.",
+                          "validation": "^\\d+$",
+                          "type": "int"
+                        },
+                        {
+                          "available": [
+                            "days",
+                            "weeks",
+                            "months"
+                          ],
+                          "name": "unit",
+                          "required": true,
+                          "value": "days",
+                          "helpMessage": "Interval unit",
+                          "validation": "",
+                          "type": "select"
+                        },
+                        {
+                          "name": "recipients",
+                          "required": true,
+                          "value": "bob@example.com",
+                          "helpMessage": "Comma delimited list of email addresses",
+                          "validation": "^([\\w+-.%]+@[\\w-.]+\\.[A-Za-z]{2,4},?)+$",
+                            "type": "str"
+                          }
+                        ],
+                        "label": "DEFAULT_KGLISSON_30_DAY",
+                        "pluginName": "email-notification",
+                        "active": true,
+                        "id": 7
+                    }
+                ],
                 "extensions": {
                     "basicConstraints": {},
                     "keyUsage": {
@@ -228,7 +303,10 @@ class CertificatesList(AuthenticatedResource):
                 },
                 "commonName": "test",
                 "validityStart": "2015-06-05T07:00:00.000Z",
-                "validityEnd": "2015-06-16T07:00:00.000Z"
+                "validityEnd": "2015-06-16T07:00:00.000Z",
+                "replacements": [
+                    {'id': 123}
+                ]
              }
 
            **Example response**:
@@ -276,18 +354,19 @@ class CertificatesList(AuthenticatedResource):
         self.reqparse.add_argument('extensions', type=dict, location='json')
         self.reqparse.add_argument('destinations', type=list, default=[], location='json')
         self.reqparse.add_argument('notifications', type=list, default=[], location='json')
-        self.reqparse.add_argument('owner', type=str, location='json')
+        self.reqparse.add_argument('replacements', type=list, default=[], location='json')
         self.reqparse.add_argument('validityStart', type=str, location='json')  # TODO validate
         self.reqparse.add_argument('validityEnd', type=str, location='json')  # TODO validate
-        self.reqparse.add_argument('authority', type=valid_authority, location='json')
+        self.reqparse.add_argument('authority', type=valid_authority, location='json', required=True)
         self.reqparse.add_argument('description', type=str, location='json')
-        self.reqparse.add_argument('country', type=str, location='json')
-        self.reqparse.add_argument('state', type=str, location='json')
-        self.reqparse.add_argument('location', type=str, location='json')
-        self.reqparse.add_argument('organization', type=str, location='json')
-        self.reqparse.add_argument('organizationalUnit', type=str, location='json')
-        self.reqparse.add_argument('owner', type=str, location='json')
-        self.reqparse.add_argument('commonName', type=str, location='json')
+        self.reqparse.add_argument('country', type=str, location='json', required=True)
+        self.reqparse.add_argument('state', type=str, location='json', required=True)
+        self.reqparse.add_argument('location', type=str, location='json', required=True)
+        self.reqparse.add_argument('organization', type=str, location='json', required=True)
+        self.reqparse.add_argument('organizationalUnit', type=str, location='json', required=True)
+        self.reqparse.add_argument('owner', type=str, location='json', required=True)
+        self.reqparse.add_argument('commonName', type=str, location='json', required=True)
+        self.reqparse.add_argument('csr', type=str, location='json')
 
         args = self.reqparse.parse_args()
 
@@ -299,9 +378,12 @@ class CertificatesList(AuthenticatedResource):
 
         # allow "owner" roles by team DL
         roles.append(role)
-        permission = AuthorityPermission(authority.id, roles)
+        authority_permission = AuthorityPermission(authority.id, roles)
 
-        if permission.can():
+        if authority_permission.can():
+            # if we are not admins lets make sure we aren't issuing anything sensitive
+            if not SensitiveDomainPermission().can():
+                check_sensitive_domains(get_domains_from_options(args))
             return service.create(**args)
 
         return dict(message="You are not authorized to use {0}".format(args['authority'].name)), 403
@@ -309,6 +391,7 @@ class CertificatesList(AuthenticatedResource):
 
 class CertificatesUpload(AuthenticatedResource):
     """ Defines the 'certificates' upload endpoint """
+
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(CertificatesUpload, self).__init__()
@@ -335,6 +418,7 @@ class CertificatesUpload(AuthenticatedResource):
                  "privateKey": "---Begin Private..."
                  "destinations": [],
                  "notifications": [],
+                 "replacements": [],
                  "name": "cert1"
               }
 
@@ -361,6 +445,7 @@ class CertificatesUpload(AuthenticatedResource):
                  "active": true,
                  "notBefore": "2015-06-05T17:09:39",
                  "notAfter": "2015-06-10T17:09:39",
+                 "signingAlgorithm": "sha2"
                  "cn": "example.com",
                  "status": "unknown"
               }
@@ -378,8 +463,9 @@ class CertificatesUpload(AuthenticatedResource):
         self.reqparse.add_argument('owner', type=str, required=True, location='json')
         self.reqparse.add_argument('name', type=str, location='json')
         self.reqparse.add_argument('publicCert', type=pem_str, required=True, dest='public_cert', location='json')
-        self.reqparse.add_argument('destinations', type=list, default=[], dest='destinations', location='json')
-        self.reqparse.add_argument('notifications', type=list, default=[], dest='notifications', location='json')
+        self.reqparse.add_argument('destinations', type=list, default=[], location='json')
+        self.reqparse.add_argument('notifications', type=list, default=[], location='json')
+        self.reqparse.add_argument('replacements', type=list, default=[], location='json')
         self.reqparse.add_argument('intermediateCert', type=pem_str, dest='intermediate_cert', location='json')
         self.reqparse.add_argument('privateKey', type=private_key_str, dest='private_key', location='json')
 
@@ -394,6 +480,7 @@ class CertificatesUpload(AuthenticatedResource):
 
 class CertificatesStats(AuthenticatedResource):
     """ Defines the 'certificates' stats endpoint """
+
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(CertificatesStats, self).__init__()
@@ -504,6 +591,7 @@ class Certificates(AuthenticatedResource):
                 "active": true,
                 "notBefore": "2015-06-05T17:09:39",
                 "notAfter": "2015-06-10T17:09:39",
+                "signingAlgorithm": "sha2",
                 "cn": "example.com",
                 "status": "unknown"
               }
@@ -533,7 +621,8 @@ class Certificates(AuthenticatedResource):
                  "owner": "jimbob@example.com",
                  "active": false
                  "notifications": [],
-                 "destinations": []
+                 "destinations": [],
+                 "replacements": []
               }
 
            **Example response**:
@@ -572,6 +661,7 @@ class Certificates(AuthenticatedResource):
         self.reqparse.add_argument('description', type=str, location='json')
         self.reqparse.add_argument('destinations', type=list, default=[], location='json')
         self.reqparse.add_argument('notifications', type=notification_list, default=[], location='json')
+        self.reqparse.add_argument('replacements', type=list, default=[], location='json')
         args = self.reqparse.parse_args()
 
         cert = service.get(certificate_id)
@@ -586,7 +676,8 @@ class Certificates(AuthenticatedResource):
                 args['description'],
                 args['active'],
                 args['destinations'],
-                args['notifications']
+                args['notifications'],
+                args['replacements']
             )
 
         return dict(message='You are not authorized to update this certificate'), 403
@@ -594,6 +685,7 @@ class Certificates(AuthenticatedResource):
 
 class NotificationCertificatesList(AuthenticatedResource):
     """ Defines the 'certificates' endpoint """
+
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(NotificationCertificatesList, self).__init__()
@@ -638,6 +730,7 @@ class NotificationCertificatesList(AuthenticatedResource):
                       "active": true,
                       "notBefore": "2015-06-05T17:09:39",
                       "notAfter": "2015-06-10T17:09:39",
+                      "signingAlgorithm": "sha2",
                       "cn": "example.com",
                       "status": "unknown"
                     }
@@ -647,9 +740,9 @@ class NotificationCertificatesList(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
@@ -668,22 +761,23 @@ class NotificationCertificatesList(AuthenticatedResource):
         return service.render(args)
 
 
-class CertificatesDefaults(AuthenticatedResource):
-    """ Defineds the 'certificates' defaults endpoint """
+class CertificatesReplacementsList(AuthenticatedResource):
     def __init__(self):
-        super(CertificatesDefaults)
+        self.reqparse = reqparse.RequestParser()
+        super(CertificatesReplacementsList, self).__init__()
 
-    def get(self):
+    @marshal_items(FIELDS)
+    def get(self, certificate_id):
         """
-        .. http:get:: /certificates/defaults
+        .. http:get:: /certificates/1/replacements
 
-            Returns defaults needed to generate CSRs
+           One certificate
 
            **Example request**:
 
            .. sourcecode:: http
 
-              GET /certificates/defaults HTTP/1.1
+              GET /certificates/1/replacements HTTP/1.1
               Host: example.com
               Accept: application/json, text/javascript
 
@@ -695,25 +789,122 @@ class CertificatesDefaults(AuthenticatedResource):
               Vary: Accept
               Content-Type: text/javascript
 
+              [{
+                "id": 1,
+                "name": "cert1",
+                "description": "this is cert1",
+                "bits": 2048,
+                "deleted": false,
+                "issuer": "ExampeInc.",
+                "serial": "123450",
+                "chain": "-----Begin ...",
+                "body": "-----Begin ...",
+                "san": true,
+                "owner": "bob@example.com",
+                "active": true,
+                "notBefore": "2015-06-05T17:09:39",
+                "notAfter": "2015-06-10T17:09:39",
+                "signingAlgorithm": "sha2",
+                "cn": "example.com",
+                "status": "unknown"
+              }]
+
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+        return service.get(certificate_id).replaces
+
+
+class CertificateExport(AuthenticatedResource):
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(CertificateExport, self).__init__()
+
+    def post(self, certificate_id):
+        """
+        .. http:post:: /certificates/1/export
+
+           Export a certificate
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              PUT /certificates/1/export HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
               {
-                 "country": "US",
-                 "state": "CA",
-                 "location": "Los Gatos",
-                 "organization": "Netflix",
-                 "organizationalUnit": "Operations"
+                "export": {
+                    "plugin": {
+                        "pluginOptions": [{
+                            "available": ["Java Key Store (JKS)"],
+                            "required": true,
+                            "type": "select",
+                            "name": "type",
+                            "helpMessage": "Choose the format you wish to export",
+                            "value": "Java Key Store (JKS)"
+                        }, {
+                            "required": false,
+                            "type": "str",
+                            "name": "passphrase",
+                            "validation": "^(?=.*[A-Za-z])(?=.*\\d)(?=.*[$@$!%*#?&])[A-Za-z\\d$@$!%*#?&]{8,}$",
+                            "helpMessage": "If no passphrase is given one will be generated for you, we highly recommend this. Minimum length is 8."
+                        }, {
+                            "required": false,
+                            "type": "str",
+                            "name": "alias",
+                            "helpMessage": "Enter the alias you wish to use for the keystore."
+                        }],
+                        "version": "unknown",
+                        "description": "Attempts to generate a JKS keystore or truststore",
+                        "title": "Java",
+                        "author": "Kevin Glisson",
+                        "type": "export",
+                        "slug": "java-export"
+                    }
+                }
+              }
+
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                "data": "base64encodedstring",
+                "passphrase": "UAWOHW#&@_%!tnwmxh832025",
+                "extension": "jks"
               }
 
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
         """
-        return dict(
-            country=current_app.config.get('LEMUR_DEFAULT_COUNTRY'),
-            state=current_app.config.get('LEMUR_DEFAULT_STATE'),
-            location=current_app.config.get('LEMUR_DEFAULT_LOCATION'),
-            organization=current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'),
-            organizationalUnit=current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT')
-        )
+        self.reqparse.add_argument('export', type=dict, required=True, location='json')
+        args = self.reqparse.parse_args()
+
+        cert = service.get(certificate_id)
+        role = role_service.get_by_name(cert.owner)
+
+        permission = UpdateCertificatePermission(certificate_id, getattr(role, 'name', None))
+
+        plugin = plugins.get(args['export']['plugin']['slug'])
+        if plugin.requires_key:
+            if permission.can():
+                extension, passphrase, data = plugin.export(cert.body, cert.chain, cert.private_key, args['export']['plugin']['pluginOptions'])
+            else:
+                return dict(message='You are not authorized to export this certificate'), 403
+        else:
+            extension, passphrase, data = plugin.export(cert.body, cert.chain, cert.private_key, args['export']['plugin']['pluginOptions'])
+
+        # we take a hit in message size when b64 encoding
+        return dict(extension=extension, passphrase=passphrase, data=base64.b64encode(data))
 
 
 api.add_resource(CertificatesList, '/certificates', endpoint='certificates')
@@ -721,5 +912,8 @@ api.add_resource(Certificates, '/certificates/<int:certificate_id>', endpoint='c
 api.add_resource(CertificatesStats, '/certificates/stats', endpoint='certificateStats')
 api.add_resource(CertificatesUpload, '/certificates/upload', endpoint='certificateUpload')
 api.add_resource(CertificatePrivateKey, '/certificates/<int:certificate_id>/key', endpoint='privateKeyCertificates')
-api.add_resource(NotificationCertificatesList, '/notifications/<int:notification_id>/certificates', endpoint='notificationCertificates')
-api.add_resource(CertificatesDefaults, '/certificates/defaults', endpoint='certificatesDefault')
+api.add_resource(CertificateExport, '/certificates/<int:certificate_id>/export', endpoint='exportCertificate')
+api.add_resource(NotificationCertificatesList, '/notifications/<int:notification_id>/certificates',
+                 endpoint='notificationCertificates')
+api.add_resource(CertificatesReplacementsList, '/certificates/<int:certificate_id>/replacements',
+                 endpoint='replacements')

lemur/common/managers.py

@@ -22,7 +22,8 @@ class InstanceManager(object):
 
     def add(self, class_path):
         self.cache = None
-        self.class_list.append(class_path)
+        if class_path not in self.class_list:
+            self.class_list.append(class_path)
 
     def remove(self, class_path):
         self.cache = None

lemur/common/utils.py

@@ -63,9 +63,9 @@ class marshal_items(object):
                     if hasattr(e, 'data'):
                         return {'message': e.data['message']}, 400
                     else:
-                        return {'message': 'unknown'}, 400
+                        return {'message': {'exception': 'unknown'}}, 400
                 else:
-                    return {'message': str(e)}, 400
+                    return {'message': {'exception': str(e)}}, 400
         return wrapper
 
 

lemur/database.py

@@ -11,8 +11,10 @@
 """
 from sqlalchemy import exc
 from sqlalchemy.sql import and_, or_
+from sqlalchemy.orm import make_transient
 from sqlalchemy.orm.exc import NoResultFound
 
+
 from lemur.extensions import db
 from lemur.exceptions import AttrNotFound, DuplicateError
 
@@ -254,6 +256,18 @@ def update_list(model, model_attr, item_model, items):
     return model
 
 
+def clone(model):
+    """
+    Clones the given model and removes it's primary key
+    :param model:
+    :return:
+    """
+    db.session.expunge(model)
+    make_transient(model)
+    model.id = None
+    return model
+
+
 def sort_and_page(query, model, args):
     """
     Helper that allows us to combine sorting and paging

lemur/defaults/views.py

@@ -0,0 +1,63 @@
+"""
+.. module: lemur.status.views
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+"""
+from flask import current_app, Blueprint
+from flask.ext.restful import Api
+
+from lemur.auth.service import AuthenticatedResource
+
+
+mod = Blueprint('default', __name__)
+api = Api(mod)
+
+
+class LemurDefaults(AuthenticatedResource):
+    """ Defines the 'defaults' endpoint """
+    def __init__(self):
+        super(LemurDefaults)
+
+    def get(self):
+        """
+        .. http:get:: /defaults
+
+            Returns defaults needed to generate CSRs
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /defaults HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                 "country": "US",
+                 "state": "CA",
+                 "location": "Los Gatos",
+                 "organization": "Netflix",
+                 "organizationalUnit": "Operations"
+              }
+
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+        return dict(
+            country=current_app.config.get('LEMUR_DEFAULT_COUNTRY'),
+            state=current_app.config.get('LEMUR_DEFAULT_STATE'),
+            location=current_app.config.get('LEMUR_DEFAULT_LOCATION'),
+            organization=current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'),
+            organizationalUnit=current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT')
+        )
+
+api.add_resource(LemurDefaults, '/defaults', endpoint='default')

lemur/destinations/service.py

@@ -8,6 +8,7 @@
 from sqlalchemy import func
 
 from lemur import database
+from lemur.models import certificate_destination_associations
 from lemur.destinations.models import Destination
 from lemur.certificates.models import Certificate
 
@@ -117,10 +118,9 @@ def stats(**kwargs):
     :param kwargs:
     :return:
     """
-    attr = getattr(Destination, kwargs.get('metric'))
-    query = database.db.session.query(attr, func.count(attr))
-
-    items = query.group_by(attr).all()
+    items = database.db.session.query(Destination.label, func.count(certificate_destination_associations.c.certificate_id))\
+        .join(certificate_destination_associations)\
+        .group_by(Destination.label).all()
 
     keys = []
     values = []

lemur/destinations/views.py

@@ -82,8 +82,8 @@ class DestinationsList(AuthenticatedResource):
            :query sortBy: field to sort on
            :query sortDir: acs or desc
            :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """
@@ -341,9 +341,9 @@ class CertificateDestinations(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """

lemur/domains/models.py

@@ -7,7 +7,7 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 
 """
-from sqlalchemy import Column, Integer, String
+from sqlalchemy import Column, Integer, String, Boolean
 
 from lemur.database import db
 
@@ -16,11 +16,4 @@ class Domain(db.Model):
     __tablename__ = 'domains'
     id = Column(Integer, primary_key=True)
     name = Column(String(256))
-
-    def as_dict(self):
-        return {c.name: getattr(self, c.name) for c in self.__table__.columns}
-
-    def serialize(self):
-        blob = self.as_dict()
-        blob['certificates'] = [x.id for x in self.certificate]
-        return blob
+    sensitive = Column(Boolean, default=False)

lemur/domains/service.py

@@ -32,6 +32,43 @@ def get_all():
     return database.find_all(query, Domain, {}).all()
 
 
+def get_by_name(name):
+    """
+    Fetches domain by it's name
+
+    :param name:
+    :return:
+    """
+    return database.get_all(Domain, name, field="name").all()
+
+
+def create(name, sensitive):
+    """
+    Create a new domain
+
+    :param name:
+    :param sensitive:
+    :return:
+    """
+    domain = Domain(name=name, sensitive=sensitive)
+    return database.create(domain)
+
+
+def update(domain_id, name, sensitive):
+    """
+    Update an existing domain
+
+    :param domain_id:
+    :param name:
+    :param sensitive:
+    :return:
+    """
+    domain = get(domain_id)
+    domain.name = name
+    domain.sensitive = sensitive
+    database.update(domain)
+
+
 def render(args):
     """
     Helper to parse REST Api requests

lemur/domains/views.py

@@ -12,12 +12,14 @@ from flask.ext.restful import reqparse, Api, fields
 
 from lemur.domains import service
 from lemur.auth.service import AuthenticatedResource
+from lemur.auth.permissions import SensitiveDomainPermission
 
 from lemur.common.utils import paginated_parser, marshal_items
 
 FIELDS = {
     'id': fields.Integer,
-    'name': fields.String
+    'name': fields.String,
+    'sensitive': fields.Boolean
 }
 
 mod = Blueprint('domains', __name__)
@@ -57,10 +59,12 @@ class DomainsList(AuthenticatedResource):
                     {
                       "id": 1,
                       "name": "www.example.com",
+                      "sensitive": false
                     },
                     {
                       "id": 2,
                       "name": "www.example2.com",
+                      "sensitive": false
                     }
                   ]
                 "total": 2
@@ -68,8 +72,8 @@ class DomainsList(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
            :query limit: limit number. default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
@@ -79,6 +83,54 @@ class DomainsList(AuthenticatedResource):
         args = parser.parse_args()
         return service.render(args)
 
+    @marshal_items(FIELDS)
+    def post(self):
+        """
+        .. http:post:: /domains
+
+           The current domain list
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /domains HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+              {
+                "name": "www.example.com",
+                "sensitive": false
+              }
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                "id": 1,
+                "name": "www.example.com",
+                "sensitive": false
+              }
+
+           :query sortBy: field to sort on
+           :query sortDir: acs or desc
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+        self.reqparse.add_argument('name', type=str, location='json')
+        self.reqparse.add_argument('sensitive', type=bool, default=False, location='json')
+        args = self.reqparse.parse_args()
+        return service.create(args['name'], args['sensitive'])
+
 
 class Domains(AuthenticatedResource):
     def __init__(self):
@@ -111,6 +163,7 @@ class Domains(AuthenticatedResource):
               {
                   "id": 1,
                   "name": "www.example.com",
+                  "sensitive": false
               }
 
            :reqheader Authorization: OAuth token to authenticate
@@ -119,6 +172,53 @@ class Domains(AuthenticatedResource):
         """
         return service.get(domain_id)
 
+    @marshal_items(FIELDS)
+    def put(self, domain_id):
+        """
+        .. http:get:: /domains/1
+
+           update one domain
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /domains HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+              {
+                  "name": "www.example.com",
+                  "sensitive": false
+              }
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                  "id": 1,
+                  "name": "www.example.com",
+                  "sensitive": false
+              }
+
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+        self.reqparse.add_argument('name', type=str, location='json')
+        self.reqparse.add_argument('sensitive', type=bool, default=False, location='json')
+        args = self.reqparse.parse_args()
+
+        if SensitiveDomainPermission().can():
+            return service.update(domain_id, args['name'], args['sensitive'])
+
+        return dict(message='You are not authorized to modify this domain'), 403
+
 
 class CertificateDomains(AuthenticatedResource):
     """ Defines the 'domains' endpoint """
@@ -153,10 +253,12 @@ class CertificateDomains(AuthenticatedResource):
                     {
                       "id": 1,
                       "name": "www.example.com",
+                      "sensitive": false
                     },
                     {
                       "id": 2,
                       "name": "www.example2.com",
+                      "sensitive": false
                     }
                   ]
                 "total": 2
@@ -164,9 +266,9 @@ class CertificateDomains(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated

lemur/manage.py

@@ -4,6 +4,7 @@ import os
 import sys
 import base64
 import time
+import arrow
 import requests
 import json
 from gunicorn.config import make_settings
@@ -24,7 +25,11 @@ from lemur.certificates import service as cert_service
 from lemur.sources import service as source_service
 from lemur.notifications import service as notification_service
 
+from lemur.certificates.models import get_name_from_arn
 from lemur.certificates.verify import verify_string
+
+from lemur.plugins.lemur_aws import elb
+
 from lemur.sources.service import sync
 
 from lemur import create_app
@@ -72,7 +77,7 @@ SECRET_KEY = '{flask_secret_key}'
 
 # You should consider storing these separately from your config
 LEMUR_TOKEN_SECRET = '{secret_token}'
-LEMUR_ENCRYPTION_KEY = '{encryption_key}'
+LEMUR_ENCRYPTION_KEYS = '{encryption_key}'
 
 # this is a list of domains as regexes that only admins can issue
 LEMUR_RESTRICTED_DOMAINS = []
@@ -90,6 +95,8 @@ LEMUR_DEFAULT_LOCATION = ''
 LEMUR_DEFAULT_ORGANIZATION = ''
 LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = ''
 
+# Authentication Providers
+ACTIVE_PROVIDERS = []
 
 # Logging
 
@@ -112,13 +119,6 @@ SQLALCHEMY_DATABASE_URI = 'postgresql://lemur:lemur@localhost:5432/lemur'
 # These will be dependent on which 3rd party that Lemur is
 # configured to use.
 
-# CLOUDCA_URL = ''
-# CLOUDCA_PEM_PATH = ''
-# CLOUDCA_BUNDLE = ''
-
-# number of years to issue if not specified
-# CLOUDCA_DEFAULT_VALIDITY = 2
-
 # VERISIGN_URL = ''
 # VERISIGN_PEM_PATH = ''
 # VERISIGN_FIRST_NAME = ''
@@ -178,7 +178,9 @@ def generate_settings():
     settings file.
     """
     output = CONFIG_TEMPLATE.format(
-        encryption_key=base64.b64encode(os.urandom(KEY_LENGTH)),
+        # we use Fernet.generate_key to make sure that the key length is
+        # compatible with Fernet
+        encryption_key=Fernet.generate_key(),
         secret_token=base64.b64encode(os.urandom(KEY_LENGTH)),
         flask_secret_key=base64.b64encode(os.urandom(KEY_LENGTH)),
     )
@@ -263,18 +265,23 @@ class InitializeApp(Command):
     Additionally a Lemur user will be created as a default user
     and be used when certificates are discovered by Lemur.
     """
-    def run(self):
+    option_list = (
+        Option('-p', '--password', dest='password'),
+    )
+
+    def run(self, password):
         create()
         user = user_service.get_by_username("lemur")
 
         if not user:
-            sys.stdout.write("We need to set Lemur's password to continue!\n")
-            password1 = prompt_pass("Password")
-            password2 = prompt_pass("Confirm Password")
+            if not password:
+                sys.stdout.write("We need to set Lemur's password to continue!\n")
+                password = prompt_pass("Password")
+                password1 = prompt_pass("Confirm Password")
 
-            if password1 != password2:
-                sys.stderr.write("[!] Passwords do not match!\n")
-                sys.exit(1)
+                if password != password1:
+                    sys.stderr.write("[!] Passwords do not match!\n")
+                    sys.exit(1)
 
             role = role_service.get_by_name('admin')
 
@@ -285,16 +292,16 @@ class InitializeApp(Command):
                 role = role_service.create('admin', description='this is the lemur administrator role')
                 sys.stdout.write("[+] Created 'admin' role\n")
 
-            user_service.create("lemur", password1, 'lemur@nobody', True, None, [role])
+            user_service.create("lemur", password, 'lemur@nobody', True, None, [role])
             sys.stdout.write("[+] Added a 'lemur' user and added it to the 'admin' role!\n")
 
         else:
             sys.stdout.write("[-] Default user has already been created, skipping...!\n")
 
         sys.stdout.write("[+] Creating expiration email notifications!\n")
-        sys.stdout.write("[!] Using {recipients} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n")
+        sys.stdout.write("[!] Using {0} as specified by LEMUR_SECURITY_TEAM_EMAIL for notifications\n".format("LEMUR_SECURITY_TEAM_EMAIL"))
 
-        intervals = current_app.config.get("LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS")
+        intervals = current_app.config.get("LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS", [])
         sys.stdout.write(
             "[!] Creating {num} notifications for {intervals} days as specified by LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS\n".format(
                 num=len(intervals),
@@ -316,7 +323,7 @@ class CreateUser(Command):
         Option('-u', '--username', dest='username', required=True),
         Option('-e', '--email', dest='email', required=True),
         Option('-a', '--active', dest='active', default=True),
-        Option('-r', '--roles', dest='roles', default=[])
+        Option('-r', '--roles', dest='roles', action='append', default=[])
     )
 
     def run(self, username, email, active, roles):
@@ -503,11 +510,77 @@ def unicode_(data):
     return data
 
 
+class RotateELBs(Command):
+    """
+    Rotates existing certificates to a new one on an ELB
+    """
+    option_list = (
+        Option('-e', '--elb-list', dest='elb_list', required=True),
+        Option('-p', '--chain-path', dest='chain_path'),
+        Option('-c', '--cert-name', dest='cert_name'),
+        Option('-a', '--cert-prefix', dest='cert_prefix'),
+        Option('-d', '--description', dest='description')
+    )
+
+    def run(self, elb_list, chain_path, cert_name, cert_prefix, description):
+
+        for e in open(elb_list, 'r').readlines():
+            elb_name, account_id, region, from_port, to_port, protocol = e.strip().split(',')
+
+            if cert_name:
+                arn = "arn:aws:iam::{0}:server-certificate/{1}".format(account_id, cert_name)
+
+            else:
+                # if no cert name is provided we need to discover it
+                listeners = elb.get_listeners(account_id, region, elb_name)
+
+                # get the listener we care about
+                for listener in listeners:
+                    if listener[0] == int(from_port) and listener[1] == int(to_port):
+                        arn = listener[4]
+                        name = get_name_from_arn(arn)
+                        certificate = cert_service.get_by_name(name)
+                        break
+                else:
+                    sys.stdout.write("[-] Could not find ELB {0}".format(elb_name))
+                    continue
+
+                if not certificate:
+                    sys.stdout.write("[-] Could not find certificate {0} in Lemur".format(name))
+                    continue
+
+                dests = []
+                for d in certificate.destinations:
+                    dests.append({'id': d.id})
+
+                nots = []
+                for n in certificate.notifications:
+                    nots.append({'id': n.id})
+
+                new_certificate = database.clone(certificate)
+
+                if cert_prefix:
+                    new_certificate.name = "{0}-{1}".format(cert_prefix, new_certificate.name)
+
+                new_certificate.chain = open(chain_path, 'r').read()
+                new_certificate.description = "{0} - {1}".format(new_certificate.description, description)
+
+                new_certificate = database.create(new_certificate)
+                database.update_list(new_certificate, 'destinations', Destination, dests)
+                database.update_list(new_certificate, 'notifications', Notification, nots)
+                database.update(new_certificate)
+
+                arn = new_certificate.get_arn(account_id)
+
+            elb.update_listeners(account_id, region, elb_name, [(from_port, to_port, protocol, arn)], [from_port])
+
+            sys.stdout.write("[+] Updated {0} to use {1}\n".format(elb_name, new_certificate.name))
+
+
 class ProvisionELB(Command):
     """
     Creates and provisions a certificate on an ELB based on command line arguments
     """
-
     option_list = (
         Option('-d', '--dns', dest='dns', action='append', required=True, type=unicode_),
         Option('-e', '--elb', dest='elb_name', required=True, type=unicode_),
@@ -569,11 +642,11 @@ class ProvisionELB(Command):
             'authority': authority,
             'owner': owner,
             # defaults:
-            'organization': u'Netflix, Inc.',
-            'organizationalUnit': u'Operations',
-            'country': u'US',
-            'state': u'California',
-            'location': u'Los Gatos'
+            'organization': current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'),
+            'organizationalUnit': current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT'),
+            'country': current_app.config.get('LEMUR_DEFAULT_COUNTRY'),
+            'state': current_app.config.get('LEMUR_DEFAULT_STATE'),
+            'location': current_app.config.get('LEMUR_DEFAULT_LOCATION')
         }
 
         return options
@@ -718,6 +791,48 @@ def publish_verisign_units():
         requests.post('http://localhost:8078/metrics', data=json.dumps(metric))
 
 
+class Rolling(Command):
+    """
+    Rotates existing certificates to a new one on an ELB
+    """
+    option_list = (
+        Option('-w', '--window', dest='window', default=24),
+    )
+
+    def run(self, window):
+        """
+        Simple function that queries verisign for API units and posts the mertics to
+        Atlas API for other teams to consume.
+        :return:
+        """
+        end = arrow.utcnow()
+        start = end.replace(hours=-window)
+        items = Certificate.query.filter(Certificate.not_before <= end.format('YYYY-MM-DD')) \
+            .filter(Certificate.not_before >= start.format('YYYY-MM-DD')).all()
+
+        metrics = {}
+        for i in items:
+            name = "{0},{1}".format(i.owner, i.issuer)
+            if metrics.get(name):
+                metrics[name] += 1
+            else:
+                metrics[name] = 1
+
+        for name, value in metrics.iteritems():
+            owner, issuer = name.split(",")
+            metric = [
+                {
+                    "timestamp": 1321351651,
+                    "type": "GAUGE",
+                    "name": "Issued Certificates",
+                    "tags": {"owner": owner, "issuer": issuer, "window": window},
+                    "value": value
+                }
+            ]
+
+            requests.post('http://localhost:8078/metrics', data=json.dumps(metric))
+
+
 def main():
     manager.add_command("start", LemurServer())
     manager.add_command("runserver", Server(host='127.0.0.1'))
@@ -728,6 +843,8 @@ def main():
     manager.add_command("create_user", CreateUser())
     manager.add_command("create_role", CreateRole())
     manager.add_command("provision_elb", ProvisionELB())
+    manager.add_command("rotate_elbs", RotateELBs())
+    manager.add_command("rolling", Rolling())
     manager.run()
 
 if __name__ == "__main__":

lemur/migrations/versions/1ff763f5b80b_.py

@@ -1,42 +0,0 @@
-"""Adding in models for certificate sources
-
-Revision ID: 1ff763f5b80b
-Revises: 4dc5ddd111b8
-Create Date: 2015-08-01 15:24:20.412725
-
-"""
-
-# revision identifiers, used by Alembic.
-revision = '1ff763f5b80b'
-down_revision = '4dc5ddd111b8'
-
-from alembic import op
-import sqlalchemy as sa
-
-import sqlalchemy_utils
-
-
-def upgrade():
-    ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('sources',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('label', sa.String(length=32), nullable=True),
-    sa.Column('options', sqlalchemy_utils.types.json.JSONType(), nullable=True),
-    sa.Column('description', sa.Text(), nullable=True),
-    sa.Column('plugin_name', sa.String(length=32), nullable=True),
-    sa.PrimaryKeyConstraint('id')
-    )
-    op.create_table('certificate_source_associations',
-    sa.Column('source_id', sa.Integer(), nullable=True),
-    sa.Column('certificate_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['certificate_id'], ['certificates.id'], ondelete='cascade'),
-    sa.ForeignKeyConstraint(['source_id'], ['destinations.id'], ondelete='cascade')
-    )
-    ### end Alembic commands ###
-
-
-def downgrade():
-    ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('certificate_source_associations')
-    op.drop_table('sources')
-    ### end Alembic commands ###

lemur/migrations/versions/33de094da890_.py

@@ -0,0 +1,31 @@
+"""Adding the ability to specify certificate replacements
+
+Revision ID: 33de094da890
+Revises: ed422fc58ba
+Create Date: 2015-11-30 15:40:19.827272
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '33de094da890'
+down_revision = None
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+def upgrade():
+    ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('certificate_replacement_associations',
+    sa.Column('replaced_certificate_id', sa.Integer(), nullable=True),
+    sa.Column('certificate_id', sa.Integer(), nullable=True),
+    sa.ForeignKeyConstraint(['certificate_id'], ['certificates.id'], ondelete='cascade'),
+    sa.ForeignKeyConstraint(['replaced_certificate_id'], ['certificates.id'], ondelete='cascade')
+    )
+    ### end Alembic commands ###
+
+
+def downgrade():
+    ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('certificate_replacement_associations')
+    ### end Alembic commands ###

lemur/migrations/versions/3b718f59b8ce_.py

@@ -1,49 +0,0 @@
-"""Refactors Accounts to Destinations
-
-Revision ID: 3b718f59b8ce
-Revises: None
-Create Date: 2015-07-09 17:44:55.626221
-
-"""
-
-# revision identifiers, used by Alembic.
-revision = '3b718f59b8ce'
-down_revision = None
-
-from alembic import op
-import sqlalchemy as sa
-
-
-def upgrade():
-    ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('certificate_account_associations')
-    op.drop_table('accounts')
-    op.add_column('destinations', sa.Column('plugin_name', sa.String(length=32), nullable=True))
-    op.drop_index('ix_elbs_account_id', table_name='elbs')
-    op.drop_constraint(u'elbs_account_id_fkey', 'elbs', type_='foreignkey')
-    op.drop_column('elbs', 'account_id')
-    ### end Alembic commands ###
-
-
-def downgrade():
-    ### commands auto generated by Alembic - please adjust! ###
-    op.add_column('elbs', sa.Column('account_id', sa.BIGINT(), autoincrement=False, nullable=True))
-    op.create_foreign_key(u'elbs_account_id_fkey', 'elbs', 'accounts', ['account_id'], ['id'])
-    op.create_index('ix_elbs_account_id', 'elbs', ['account_id'], unique=False)
-    op.drop_column('destinations', 'plugin_name')
-    op.create_table('accounts',
-    sa.Column('id', sa.INTEGER(), server_default=sa.text(u"nextval('accounts_id_seq'::regclass)"), nullable=False),
-    sa.Column('account_number', sa.VARCHAR(length=32), autoincrement=False, nullable=True),
-    sa.Column('label', sa.VARCHAR(length=32), autoincrement=False, nullable=True),
-    sa.Column('notes', sa.TEXT(), autoincrement=False, nullable=True),
-    sa.PrimaryKeyConstraint('id', name=u'accounts_pkey'),
-    sa.UniqueConstraint('account_number', name=u'accounts_account_number_key'),
-        postgresql_ignore_search_path=False
-    )
-    op.create_table('certificate_account_associations',
-    sa.Column('account_id', sa.INTEGER(), autoincrement=False, nullable=True),
-    sa.Column('certificate_id', sa.INTEGER(), autoincrement=False, nullable=True),
-    sa.ForeignKeyConstraint(['account_id'], [u'accounts.id'], name=u'certificate_account_associations_account_id_fkey', ondelete=u'CASCADE'),
-    sa.ForeignKeyConstraint(['certificate_id'], [u'certificates.id'], name=u'certificate_account_associations_certificate_id_fkey', ondelete=u'CASCADE')
-    )
-    ### end Alembic commands ###

lemur/migrations/versions/4c50b903d1ae_.py

@@ -0,0 +1,26 @@
+"""Adding ability to mark domains as 'sensitive'
+
+Revision ID: 4c50b903d1ae
+Revises: 33de094da890
+Create Date: 2015-12-30 10:19:30.057791
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '4c50b903d1ae'
+down_revision = '33de094da890'
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+def upgrade():
+    ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('domains', sa.Column('sensitive', sa.Boolean(), nullable=True))
+    ### end Alembic commands ###
+
+
+def downgrade():
+    ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('domains', 'sensitive')
+    ### end Alembic commands ###

lemur/migrations/versions/4c8915e461b3_.py

@@ -1,41 +0,0 @@
-"""Adding notifications
-
-Revision ID: 4c8915e461b3
-Revises: 3b718f59b8ce
-Create Date: 2015-07-24 14:34:57.316273
-
-"""
-
-# revision identifiers, used by Alembic.
-revision = '4c8915e461b3'
-down_revision = '3b718f59b8ce'
-
-from alembic import op
-import sqlalchemy as sa
-from sqlalchemy.dialects import postgresql
-
-import sqlalchemy_utils
-
-
-def upgrade():
-    ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('notifications',
-    sa.Column('id', sa.Integer(), nullable=False),
-    sa.Column('label', sa.String(length=128), nullable=True),
-    sa.Column('description', sa.Text(), nullable=True),
-    sa.Column('options', sqlalchemy_utils.types.json.JSONType(), nullable=True),
-    sa.Column('active', sa.Boolean(), nullable=True),
-    sa.Column('plugin_name', sa.String(length=32), nullable=True),
-    sa.PrimaryKeyConstraint('id')
-    )
-    op.drop_column(u'certificates', 'challenge')
-    op.drop_column(u'certificates', 'csr_config')
-    ### end Alembic commands ###
-
-
-def downgrade():
-    ### commands auto generated by Alembic - please adjust! ###
-    op.add_column(u'certificates', sa.Column('csr_config', sa.TEXT(), autoincrement=False, nullable=True))
-    op.add_column(u'certificates', sa.Column('challenge', postgresql.BYTEA(), autoincrement=False, nullable=True))
-    op.drop_table('notifications')
-    ### end Alembic commands ###

lemur/migrations/versions/4dc5ddd111b8_.py

@@ -1,31 +0,0 @@
-"""Creating a one-to-many relationship for notifications
-
-Revision ID: 4dc5ddd111b8
-Revises: 4c8915e461b3
-Create Date: 2015-07-24 15:02:04.398262
-
-"""
-
-# revision identifiers, used by Alembic.
-revision = '4dc5ddd111b8'
-down_revision = '4c8915e461b3'
-
-from alembic import op
-import sqlalchemy as sa
-
-
-def upgrade():
-    ### commands auto generated by Alembic - please adjust! ###
-    op.create_table('certificate_notification_associations',
-    sa.Column('notification_id', sa.Integer(), nullable=True),
-    sa.Column('certificate_id', sa.Integer(), nullable=True),
-    sa.ForeignKeyConstraint(['certificate_id'], ['certificates.id'], ondelete='cascade'),
-    sa.ForeignKeyConstraint(['notification_id'], ['notifications.id'], ondelete='cascade')
-    )
-    ### end Alembic commands ###
-
-
-def downgrade():
-    ### commands auto generated by Alembic - please adjust! ###
-    op.drop_table('certificate_notification_associations')
-    ### end Alembic commands ###

lemur/models.py

@@ -36,6 +36,14 @@ certificate_notification_associations = db.Table('certificate_notification_assoc
                                                  Column('certificate_id', Integer,
                                                         ForeignKey('certificates.id', ondelete='cascade'))
                                                  )
+
+certificate_replacement_associations = db.Table('certificate_replacement_associations',
+                                                Column('replaced_certificate_id', Integer,
+                                                       ForeignKey('certificates.id', ondelete='cascade')),
+                                                Column('certificate_id', Integer,
+                                                       ForeignKey('certificates.id', ondelete='cascade'))
+                                                )
+
 roles_users = db.Table('roles_users',
                        Column('user_id', Integer, ForeignKey('users.id')),
                        Column('role_id', Integer, ForeignKey('roles.id'))

lemur/notifications/service.py

@@ -9,7 +9,6 @@
 
 """
 import ssl
-import socket
 
 import arrow
 
@@ -37,13 +36,16 @@ def _get_message_data(cert):
     :param cert:
     :return:
     """
-    cert_dict = cert.as_dict()
+    cert_dict = {}
 
     if cert.user:
         cert_dict['creator'] = cert.user.email
 
-    cert_dict['domains'] = [x .name for x in cert.domains]
-    cert_dict['superseded'] = list(set([x.name for x in _find_superseded(cert) if cert.name != x]))
+    cert_dict['not_after'] = cert.not_after
+    cert_dict['owner'] = cert.owner
+    cert_dict['name'] = cert.name
+    cert_dict['body'] = cert.body
+
     return cert_dict
 
 
@@ -114,8 +116,9 @@ def _get_domain_certificate(name):
     try:
         pub_key = ssl.get_server_certificate((name, 443))
         return cert_service.find_duplicates(pub_key.strip())
-    except socket.gaierror as e:
+    except Exception as e:
         current_app.logger.info(str(e))
+        return []
 
 
 def _find_superseded(cert):

lemur/notifications/views.py

@@ -133,9 +133,9 @@ class NotificationsList(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """
@@ -470,9 +470,9 @@ class CertificateNotifications(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """

lemur/plugins/base/v1.py

@@ -108,10 +108,11 @@ class IPlugin(local):
         """
         return self.resource_links
 
-    def get_option(self, name, options):
+    @staticmethod
+    def get_option(name, options):
         for o in options:
             if o.get('name') == name:
-                return o['value']
+                return o.get('value')
 
 
 class Plugin(IPlugin):

lemur/plugins/bases/__init__.py

@@ -2,3 +2,4 @@ from .destination import DestinationPlugin  # noqa
 from .issuer import IssuerPlugin  # noqa
 from .source import SourcePlugin  # noqa
 from .notification import NotificationPlugin, ExpirationNotificationPlugin  # noqa
+from .export import ExportPlugin  # noqa

lemur/plugins/bases/export.py

@@ -0,0 +1,21 @@
+"""
+.. module: lemur.bases.export
+    :platform: Unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from lemur.plugins.base import Plugin
+
+
+class ExportPlugin(Plugin):
+    """
+    This is the base class from which all supported
+    exporters will inherit from.
+    """
+    type = 'export'
+    requires_key = True
+
+    def export(self):
+        raise NotImplemented

lemur/plugins/lemur_aws/plugin.py

@@ -43,15 +43,18 @@ class AWSDestinationPlugin(DestinationPlugin):
     # }
 
     def upload(self, name, body, private_key, cert_chain, options, **kwargs):
-        try:
-            iam.upload_cert(find_value('accountNumber', options), name, body, private_key, cert_chain=cert_chain)
-        except BotoServerError as e:
-            if e.error_code != 'EntityAlreadyExists':
-                raise Exception(e)
+        if private_key:
+            try:
+                iam.upload_cert(find_value('accountNumber', options), name, body, private_key, cert_chain=cert_chain)
+            except BotoServerError as e:
+                if e.error_code != 'EntityAlreadyExists':
+                    raise Exception(e)
 
-        e = find_value('elb', options)
-        if e:
-            elb.attach_certificate(kwargs['accountNumber'], ['region'], e['name'], e['port'], e['certificateId'])
+            e = find_value('elb', options)
+            if e:
+                elb.attach_certificate(kwargs['accountNumber'], ['region'], e['name'], e['port'], e['certificateId'])
+        else:
+            raise Exception("Unable to upload to AWS, private key is required")
 
 
 class AWSSourcePlugin(SourcePlugin):

lemur/plugins/lemur_cloudca/plugin.py

@@ -1,364 +0,0 @@
-"""
-.. module: lemur.common.services.issuers.plugins.cloudca
-    :platform: Unix
-    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
-    :license: Apache, see LICENSE for more details.
-
-.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
-
-"""
-import re
-import ssl
-import base64
-from json import dumps
-
-import arrow
-import requests
-from requests.adapters import HTTPAdapter
-from requests.exceptions import ConnectionError
-
-from flask import current_app
-
-from lemur.exceptions import LemurException
-from lemur.plugins.bases import IssuerPlugin, SourcePlugin
-from lemur.plugins import lemur_cloudca as cloudca
-
-from lemur.authorities import service as authority_service
-
-
-class CloudCAException(LemurException):
-    def __init__(self, message):
-        self.message = message
-        current_app.logger.error(self)
-
-    def __str__(self):
-        return repr("CloudCA request failed: {0}".format(self.message))
-
-
-class CloudCAHostNameCheckingAdapter(HTTPAdapter):
-    def cert_verify(self, conn, url, verify, cert):
-        super(CloudCAHostNameCheckingAdapter, self).cert_verify(conn, url, verify, cert)
-        conn.assert_hostname = False
-
-
-def remove_none(options):
-    """
-    Simple function that traverse the options and removed any None items
-    CloudCA really dislikes null values.
-
-    :param options:
-    :return:
-    """
-    new_dict = {}
-    for k, v in options.items():
-        if v:
-            new_dict[k] = v
-
-    # this is super hacky and gross, cloudca doesn't like null values
-    if new_dict.get('extensions'):
-        if len(new_dict['extensions']['subAltNames']['names']) == 0:
-            del new_dict['extensions']['subAltNames']
-
-    return new_dict
-
-
-def get_default_issuance(options):
-    """
-    Gets the default time range for certificates
-
-    :param options:
-    :return:
-    """
-    if not options.get('validityStart') and not options.get('validityEnd'):
-        start = arrow.utcnow()
-        options['validityStart'] = start.floor('second').isoformat()
-        options['validityEnd'] = start.replace(years=current_app.config.get('CLOUDCA_DEFAULT_VALIDITY'))\
-            .ceil('second').isoformat()
-    return options
-
-
-def convert_to_pem(der):
-    """
-    Converts DER to PEM Lemur uses PEM internally
-
-    :param der:
-    :return:
-    """
-    decoded = base64.b64decode(der)
-    return ssl.DER_cert_to_PEM_cert(decoded)
-
-
-def convert_date_to_utc_time(date):
-    """
-    Converts a python `datetime` object to the current date + current time in UTC.
-
-    :param date:
-    :return:
-    """
-    d = arrow.get(date)
-    return arrow.utcnow().replace(day=d.naive.day).replace(month=d.naive.month).replace(year=d.naive.year)\
-        .replace(microsecond=0)
-
-
-def process_response(response):
-    """
-    Helper function that processes responses from CloudCA.
-
-    :param response:
-    :return: :raise CloudCAException:
-    """
-    if response.status_code == 200:
-        res = response.json()
-        if res['returnValue'] != 'success':
-            current_app.logger.debug(res)
-            if res.get('data'):
-                raise CloudCAException(" ".join([res['returnMessage'], res['data']['dryRunResultMessage']]))
-            else:
-                raise CloudCAException(res['returnMessage'])
-    else:
-        raise CloudCAException("There was an error with your request: {0}".format(response.status_code))
-
-    return response.json()
-
-
-def get_auth_data(ca_name):
-    """
-    Creates the authentication record needed to authenticate a user request to CloudCA.
-
-    :param ca_name:
-    :return: :raise CloudCAException:
-    """
-    role = authority_service.get_authority_role(ca_name)
-    if role:
-        return {
-            "authInfo": {
-                "credType": "password",
-                "credentials": {
-                    "username": role.username,
-                    "password": role.password  # we only decrypt when we need to
-                }
-
-            }
-        }
-
-    raise CloudCAException("You do not have the required role to issue certificates from {0}".format(ca_name))
-
-
-class CloudCA(object):
-    def __init__(self, *args, **kwargs):
-        self.session = requests.Session()
-        self.session.mount('https://', CloudCAHostNameCheckingAdapter())
-        self.url = current_app.config.get('CLOUDCA_URL')
-
-        if current_app.config.get('CLOUDCA_PEM_PATH') and current_app.config.get('CLOUDCA_BUNDLE'):
-            self.session.cert = current_app.config.get('CLOUDCA_PEM_PATH')
-            self.ca_bundle = current_app.config.get('CLOUDCA_BUNDLE')
-        else:
-            current_app.logger.warning(
-                "No CLOUDCA credentials found, lemur will be unable to request certificates from CLOUDCA"
-            )
-
-        super(CloudCA, self).__init__(*args, **kwargs)
-
-    def post(self, endpoint, data):
-        """
-        HTTP POST to CloudCA
-
-        :param endpoint:
-        :param data:
-        :return:
-        """
-        data = dumps(dict(data.items() + get_auth_data(data['caName']).items()))
-
-        # we set a low timeout, if cloudca is down it shouldn't bring down
-        # lemur
-        try:
-            response = self.session.post(self.url + endpoint, data=data, timeout=10, verify=self.ca_bundle)
-        except ConnectionError:
-            raise Exception("Could not talk to CloudCA, is it up?")
-
-        return process_response(response)
-
-    def get(self, endpoint):
-        """
-        HTTP GET to CloudCA
-
-        :param endpoint:
-        :return:
-        """
-        try:
-            response = self.session.get(self.url + endpoint, timeout=10, verify=self.ca_bundle)
-        except ConnectionError:
-            raise Exception("Could not talk to CloudCA, is it up?")
-
-        return process_response(response)
-
-    def random(self, length=10):
-        """
-        Uses CloudCA as a decent source of randomness.
-
-        :param length:
-        :return:
-        """
-        endpoint = '/v1/random/{0}'.format(length)
-        response = self.session.get(self.url + endpoint, verify=self.ca_bundle)
-        return response
-
-    def get_authorities(self):
-        """
-        Retrieves authorities that were made outside of Lemur.
-
-        :return:
-        """
-        endpoint = '{0}/listCAs'.format(current_app.config.get('CLOUDCA_API_ENDPOINT'))
-        authorities = []
-        for ca in self.get(endpoint)['data']['caList']:
-            try:
-                authorities.append(ca['caName'])
-            except AttributeError:
-                current_app.logger.error("No authority has been defined for {}".format(ca['caName']))
-
-        return authorities
-
-
-class CloudCAIssuerPlugin(IssuerPlugin, CloudCA):
-    title = 'CloudCA'
-    slug = 'cloudca-issuer'
-    description = 'Enables the creation of certificates from the cloudca API.'
-    version = cloudca.VERSION
-
-    author = 'Kevin Glisson'
-    author_url = 'https://github.com/netflix/lemur'
-
-    def create_authority(self, options):
-        """
-        Creates a new certificate authority
-
-        :param options:
-        :return:
-        """
-        # this is weird and I don't like it
-        endpoint = '{0}/createCA'.format(current_app.config.get('CLOUDCA_API_ENDPOINT'))
-        options['caDN']['email'] = options['ownerEmail']
-
-        if options['caType'] == 'subca':
-            options = dict(options.items() + self.auth_data(options['caParent']).items())
-
-        options['validityStart'] = convert_date_to_utc_time(options['validityStart']).isoformat()
-        options['validityEnd'] = convert_date_to_utc_time(options['validityEnd']).isoformat()
-        options['description'] = re.sub(r'[^a-zA-Z0-9]', '', options['caDescription'])
-
-        try:
-            response = self.session.post(self.url + endpoint, data=dumps(remove_none(options)), timeout=10,
-                                         verify=self.ca_bundle)
-        except ConnectionError:
-            raise Exception("Could not communicate with CloudCA, is it up?")
-
-        json = process_response(response)
-        roles = []
-
-        for cred in json['data']['authInfo']:
-            role = {
-                'username': cred['credentials']['username'],
-                'password': cred['credentials']['password'],
-                'name': "_".join([options['caName'], cred['credentials']['username']])
-            }
-            roles.append(role)
-
-        if options['caType'] == 'subca':
-            cert = convert_to_pem(json['data']['certificate'])
-        else:
-            cert = convert_to_pem(json['data']['rootCertificate'])
-
-        intermediates = []
-        for i in json['data']['intermediateCertificates']:
-            intermediates.append(convert_to_pem(i))
-
-        return cert, "".join(intermediates), roles,
-
-    def create_certificate(self, csr, options):
-        """
-        Creates a new certificate from cloudca
-
-        If no start and end date are specified the default issue range
-        will be used.
-
-        :param csr:
-        :param options:
-        """
-        endpoint = '{0}/enroll'.format(current_app.config.get('CLOUDCA_API_ENDPOINT'))
-        # lets default to two years if it's not specified
-        # we do some last minute data massaging
-        options = get_default_issuance(options)
-
-        cloudca_options = {
-            'extensions': options['extensions'],
-            'validityStart': convert_date_to_utc_time(options['validityStart']).isoformat(),
-            'validityEnd': convert_date_to_utc_time(options['validityEnd']).isoformat(),
-            'creator': options['creator'],
-            'ownerEmail': options['owner'],
-            'caName': options['authority'].name,
-            'csr': csr,
-            'comment': re.sub(r'[^a-zA-Z0-9]', '', options['description'])
-        }
-
-        response = self.post(endpoint, remove_none(cloudca_options))
-
-        # we return a concatenated list of intermediate because that is what aws
-        # expects
-        cert = convert_to_pem(response['data']['certificate'])
-
-        intermediates = [convert_to_pem(response['data']['rootCertificate'])]
-        for i in response['data']['intermediateCertificates']:
-            intermediates.append(convert_to_pem(i))
-
-        return cert, "".join(intermediates),
-
-
-class CloudCASourcePlugin(SourcePlugin, CloudCA):
-    title = 'CloudCA'
-    slug = 'cloudca-source'
-    description = 'Discovers all SSL certificates in CloudCA'
-    version = cloudca.VERSION
-
-    author = 'Kevin Glisson'
-    author_url = 'https://github.com/netflix/lemur'
-
-    options = {
-        'pollRate': {'type': 'int', 'default': '60'}
-    }
-
-    def get_certificates(self, options, **kwargs):
-        certs = []
-        for authority in self.get_authorities():
-            certs += self.get_cert(ca_name=authority)
-        return certs
-
-    def get_cert(self, ca_name=None, cert_handle=None):
-        """
-        Returns a given cert from CloudCA.
-
-        :param ca_name:
-        :param cert_handle:
-        :return:
-        """
-        endpoint = '{0}/getCert'.format(current_app.config.get('CLOUDCA_API_ENDPOINT'))
-        response = self.session.post(self.url + endpoint, data=dumps({'caName': ca_name}), timeout=10,
-                                     verify=self.ca_bundle)
-        raw = process_response(response)
-
-        certs = []
-        for c in raw['data']['certList']:
-            cert = convert_to_pem(c['certValue'])
-
-            intermediates = []
-            for i in c['intermediateCertificates']:
-                intermediates.append(convert_to_pem(i))
-
-            certs.append({
-                'public_certificate': cert,
-                'intermediate_certificate': "\n".join(intermediates),
-                'owner': c['ownerEmail']
-            })
-
-        return certs

lemur/plugins/lemur_email/templates/config.py

@@ -1,5 +1,12 @@
 import os
+import arrow
 from jinja2 import Environment, FileSystemLoader
 
 loader = FileSystemLoader(searchpath=os.path.dirname(os.path.realpath(__file__)))
 env = Environment(loader=loader)
+
+
+def human_time(time):
+    return arrow.get(time).format('dddd, MMMM D, YYYY')
+
+env.filters['time'] = human_time

lemur/plugins/lemur_email/templates/expiration.html

@@ -7,141 +7,161 @@
     <meta name="format-detection" content="telephone=no"> <!-- disable auto telephone linking in iOS -->
 
     <title>Lemur</title>
-    <style type="text/css">
-
-        /* Resets: see reset.css for details */
-        .ReadMsgBody { width: 100%; background-color: #ebebeb;}
-        .ExternalClass {width: 100%; background-color: #ebebeb;}
-        .ExternalClass, .ExternalClass p, .ExternalClass span, .ExternalClass font, .ExternalClass td, .ExternalClass div {line-height:100%;}
-        body {-webkit-text-size-adjust:none; -ms-text-size-adjust:none;}
-        body {margin:0; padding:0;}
-        table {border-spacing:0;}
-        table td {border-collapse:collapse;}
-        .yshortcuts a {border-bottom: none !important;}
-
-
-        /* Constrain email width for small screens */
-        @media screen and (max-width: 600px) {
-            table[class="container"] {
-                width: 95% !important;
-            }
-        }
-
-        /* Give content more room on mobile */
-        @media screen and (max-width: 480px) {
-            td[class="container-padding"] {
-                padding-left: 12px !important;
-                padding-right: 12px !important;
-            }
-        }
-
-    </style>
 </head>
-<body style="margin:0; padding:10px 0;" bgcolor="#ebebeb" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
-<br>
-<!-- 100% wrapper (grey background) -->
-<table border="0" width="100%" height="100%" cellpadding="50" cellspacing="0" bgcolor="#ebebeb">
-    <tr>
-        <td align="center" valign="top" bgcolor="#ebebeb" style="background-color: #ebebeb;">
-            <!-- 600px container (white background) -->
-            <table border="0" width="600" cellpadding="0" cellspacing="0" class="container" bgcolor="#ffffff">
-                <tr>
-                    <td class="container-padding" bgcolor="#ffffff" style="background-color: #ffffff; padding-left: 30px; padding-right: 30px; font-size: 14px; line-height: 20px; font-family: Helvetica, sans-serif; color: #333;">
-                       <br />
-                       <div style="font-weight: bold; font-size: 18px; line-height: 24px; color: #202d3b">
-                            <span style="color: #29abe0">Notice: Your SSL certificates are expiring!</span>
-                            <hr />
-                       </div>
-                        <p>
-                            Lemur, Netflix's SSL management portal has noticed that the following certificates are expiring soon, if you rely on these certificates
-                            you should create new certificates to replace the certificates that are expiring.
-                        </p>
-                        <p>
-                            Visit https://{{ hostname }}/#/certificates/create to reissue them.
-                        </p>
-                    </td>
-                </tr>
-                {%  for message in messages %}
-                <tr>
-                    <td class="container-padding" bgcolor="#ffffff" style="background-color: #ffffff; padding-left: 30px; padding-right: 30px; font-size: 14px; line-height: 20px; font-family: Helvetica, sans-serif; color: #333;">
-                        <hr />
-                        <table width="540">
-                            <tr>
-                                <td><strong>Name</strong></td>
-                            </tr>
-                            <tr>
-                                <td>{{ message.name }}</td>
-                            <tr>
-                                <td><strong>Owner</strong></td>
-                            </tr>
-                            <tr>
-                                <td>{{ message.owner }}</td>
-                            </tr>
-                            <tr>
-                                <td><strong>Creator</strong></td>
-                            </tr>
-                            <tr>
-                                <td>{{ message.creator }}</td>
-                            </tr>
-                            <tr>
-                                <td><strong>Description</strong></td>
-                            </tr>
-                            <tr>
-                                <td>{{ message.description }}</td>
-                            </tr>
-                            <tr>
-                                <td><strong>Not Before</strong></td>
-                            </tr>
-                            <tr>
-                                <td>{{  message.not_before }}</td>
-                            </tr>
-                            <tr>
-                                <td><strong>Not After</strong></td>
-                            </tr>
-                            <tr>
-                                <td>{{  message.not_after }}</td>
-                            </tr>
-                            <tr>
-                                <td><strong>Associated Domains</strong></td>
-                            </tr>
-                            {% if message.domains %}
-                                {% for name in message.domains %}
-                                    <tr>
-                                        <td>{{ name }}</td>
-                                    </tr>
-                                {% endfor %}
-                            {% else %}
+
+<div style="margin:0;padding:0" bgcolor="#FFFFFF">
+    <table width="100%" height="100%" style="min-width:348px" border="0" cellspacing="0" cellpadding="0">
+        <tbody>
+        <tr height="32px"></tr>
+        <tr align="center">
+            <td width="32px"></td>
+            <td>
+                <table border="0" cellspacing="0" cellpadding="0" style="max-width:600px">
+                    <tbody>
+                    <tr>
+                        <td>
+                            <table width="100%" border="0" cellspacing="0" cellpadding="0">
+                                <tbody>
                                 <tr>
-                                    <td>Unknown</td>
+                                    <td align="left" style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:35px;color:#727272;" line-height:1.5">
+                                        Lemur
+                                    </td>
                                 </tr>
-                            {% endif %}
-                            <tr>
-                                <td><strong>Potentially Superseded by</strong> (Lemur's best guess)</td>
-                            </tr>
-                            {% if message.superseded %}
-                                {%  for name in message.superseded %}
-                                    <tr><td>{{ name }}</td></tr>
-                                {% endfor %}
-                            {% else %}
-                                <tr><td>Unknown</td></tr>
-                            {% endif %}
-                            <tr><td></td></tr>
-                        </table>
-                    </td>
-                </tr>
-                {% endfor %}
-            </table>
-        <!--/600px container -->
-        </td>
-    </tr>
-    <tr>
-        <td style="padding-top: 0px" align="center" valign="top">
-            <em style="font-style:italic; font-size: 12px; color: #aaa;">Lemur is broken regularly by Netflix</em>
-        </td>
-    </tr>
-</table>
-<!--/100% wrapper-->
-<br>
-<br>
-</body>
-</html>
+                                </tbody>
+                            </table>
+                        </td>
+                    </tr>
+                    <tr height="16"></tr>
+                    <tr>
+                        <td>
+                            <table bgcolor="#F44336" width="100%" border="0" cellspacing="0" cellpadding="0"
+                                   style="min-width:332px;max-width:600px;border:1px solid #e0e0e0;border-bottom:0;border-top-left-radius:3px;border-top-right-radius:3px">
+                                <tbody>
+                                <tr>
+                                    <td height="72px" colspan="3"></td>
+                                </tr>
+                                <tr>
+                                    <td width="32px"></td>
+                                    <td style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:24px;color:#ffffff;line-height:1.25">
+                                       Your certificate(s) are expiring!
+                                    </td>
+                                    <td width="32px"></td>
+                                </tr>
+                                <tr>
+                                    <td height="18px" colspan="3"></td>
+                                </tr>
+                                </tbody>
+                            </table>
+                        </td>
+                    </tr>
+                    <tr>
+                        <td>
+                            <table bgcolor="#FAFAFA" width="100%" border="0" cellspacing="0" cellpadding="0"
+                                   style="min-width:332px;max-width:600px;border:1px solid #f0f0f0;border-bottom:1px solid #c0c0c0;border-top:0;border-bottom-left-radius:3px;border-bottom-right-radius:3px">
+                                <tbody>
+                                <tr height="16px">
+                                    <td width="32px" rowspan="3"></td>
+                                    <td></td>
+                                    <td width="32px" rowspan="3"></td>
+                                </tr>
+                                <tr>
+                                    <td>
+                                        <table style="min-width:300px" border="0" cellspacing="0" cellpadding="0">
+                                            <tbody>
+                                            <tr>
+                                                <td style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:13px;color:#202020;line-height:1.5">
+                                                    Hi,
+                                                </td>
+                                            </tr>
+                                            <tr>
+                                                <td style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:13px;color:#202020;line-height:1.5">
+                                                    <br>This is a Lemur certificate expiration notice. Please verify that the following certificates are no longer used.
+                                                    <table border="0" cellspacing="0" cellpadding="0"
+                                                           style="margin-top:48px;margin-bottom:48px">
+                                                        <tbody>
+                                                        {%  for message in messages %}
+                                                            <tr valign="middle">
+                                                                <td width="32px"></td>
+                                                                <td width="16px"></td>
+                                                                <td style="line-height:1.2"><span
+                                                                        style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:20px;color:#202020">{{ message.name }}</span><br><span
+                                                                        style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:13px;color:#727272">{{ message.owner }}
+                                                                        <br>{{ message.not_after | time }}
+                                                                        <a href="https://{{ hostname }}/#/certificates/{{ message.name }}" target="_blank">Details</a>
+                                                                        </span>
+                                                                </td>
+                                                            </tr>
+                                                                {%  if not loop.last %}
+                                                                <tr valign="middle">
+                                                                    <td width="32px" height="24px"></td>
+                                                                </tr>
+                                                                {% endif %}
+                                                        {%  endfor %}
+                                                        </tbody>
+                                                    </table>
+                                                </td>
+                                            </tr>
+                                            <tr>
+                                                <td style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:13px;color:#202020;line-height:1.5">
+                                                    If the above certificates are still in use. You should re-issue and deploy new certificates as soon as possible.</span>
+                                                </td>
+                                            </tr>
+                                            <tr>
+                                            </tr>
+                                            <tr>
+                                                <td style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:13px;color:#202020;line-height:1.5">
+                                                    <br>Best,<br><span class="il">Lemur</span>
+                                                </td>
+                                            </tr>
+                                            <tr height="16px"></tr>
+                                            <tr>
+                                                <td>
+                                                    <table style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:12px;color:#b9b9b9;line-height:1.5">
+                                                        <tbody>
+                                                        <tr>
+                                                            <td>*All expiration times are in UTC<br></td>
+                                                        </tr>
+                                                        </tbody>
+                                                    </table>
+                                                </td>
+                                            </tr>
+                                            </tbody>
+                                        </table>
+                                    </td>
+                                </tr>
+                                <tr height="32px"></tr>
+                                </tbody>
+                            </table>
+                        </td>
+                    </tr>
+                    <tr height="16"></tr>
+                    <tr>
+                        <td style="max-width:600px;font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:10px;color:#bcbcbc;line-height:1.5"></td>
+                    </tr>
+                    <tr>
+                        <td>
+                            <table style="font-family:Roboto-Regular,Helvetica,Arial,sans-serif;font-size:10px;color:#666666;line-height:18px;padding-bottom:10px">
+                                <tbody>
+                                <tr>
+                                    <td>You received this mandatory email service announcement to update you about
+                                        important changes to your <span class="il">TLS certificate</span>.
+                                    </td>
+                                </tr>
+                                <tr>
+                                    <td>
+                                        <div style="direction:ltr;text-align:left">© 2015 <span class="il">Lemur</span></div>
+                                    </td>
+                                </tr>
+                                </tbody>
+                            </table>
+                        </td>
+                    </tr>
+                    </tbody>
+                </table>
+            </td>
+            <td width="32px"></td>
+        </tr>
+        <tr height="32px"></tr>
+        </tbody>
+    </table>
+</div>

lemur/plugins/lemur_email/tests/test_email.py

@@ -0,0 +1,16 @@
+from lemur.plugins.lemur_email.templates.config import env
+
+import os.path
+
+
+def test_render():
+    messages = [{
+        'name': 'a-really-really-long-certificate-name',
+        'owner': 'bob@example.com',
+        'not_after': '2015-12-14 23:59:59'
+    }] * 10
+
+    template = env.get_template('{}.html'.format('expiration'))
+    body = template.render(dict(messages=messages, hostname='lemur.test.example.com'))
+    with open(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'email.html'), 'w+') as f:
+        f.write(body.encode('utf8'))

lemur/plugins/lemur_java/plugin.py

@@ -0,0 +1,235 @@
+"""
+.. module: lemur.plugins.lemur_java.plugin
+    :platform: Unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+import subprocess
+
+from flask import current_app
+
+from lemur.utils import mktempfile, mktemppath
+from lemur.plugins.bases import ExportPlugin
+from lemur.plugins import lemur_java as java
+from lemur.common.utils import get_psuedo_random_string
+
+
+def run_process(command):
+    """
+    Runs a given command with pOpen and wraps some
+    error handling around it.
+    :param command:
+    :return:
+    """
+    p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    stdout, stderr = p.communicate()
+
+    if p.returncode != 0:
+        current_app.logger.debug(" ".join(command))
+        current_app.logger.error(stderr)
+        raise Exception(stderr)
+
+
+def split_chain(chain):
+    """
+    Split the chain into individual certificates for import into keystore
+
+    :param chain:
+    :return:
+    """
+    certs = []
+    lines = chain.split('\n')
+
+    cert = []
+    for line in lines:
+        cert.append(line + '\n')
+        if line == '-----END CERTIFICATE-----':
+            certs.append("".join(cert))
+            cert = []
+
+    return certs
+
+
+def create_truststore(cert, chain, jks_tmp, alias, passphrase):
+    with mktempfile() as cert_tmp:
+        with open(cert_tmp, 'w') as f:
+            f.write(cert)
+
+        run_process([
+            "keytool",
+            "-importcert",
+            "-file", cert_tmp,
+            "-keystore", jks_tmp,
+            "-alias", "{0}_cert".format(alias),
+            "-storepass", passphrase,
+            "-noprompt"
+        ])
+
+        # Import the entire chain
+        for idx, cert in enumerate(split_chain(chain)):
+            with mktempfile() as c_tmp:
+                with open(c_tmp, 'w') as f:
+                    f.write(cert)
+
+                # Import signed cert in to JKS keystore
+                run_process([
+                    "keytool",
+                    "-importcert",
+                    "-file", c_tmp,
+                    "-keystore", jks_tmp,
+                    "-alias", "{0}_cert_{1}".format(alias, idx),
+                    "-storepass", passphrase,
+                    "-noprompt"
+                ])
+
+
+def create_keystore(cert, jks_tmp, key, alias, passphrase):
+    with mktempfile() as key_tmp:
+        with open(key_tmp, 'w') as f:
+            f.write(key)
+
+        # Create PKCS12 keystore from private key and public certificate
+        with mktempfile() as cert_tmp:
+            with open(cert_tmp, 'w') as f:
+                f.write(cert)
+
+            with mktempfile() as p12_tmp:
+                run_process([
+                    "openssl",
+                    "pkcs12",
+                    "-export",
+                    "-name", alias,
+                    "-in", cert_tmp,
+                    "-inkey", key_tmp,
+                    "-out", p12_tmp,
+                    "-password", "pass:{}".format(passphrase)
+                ])
+
+                # Convert PKCS12 keystore into a JKS keystore
+                run_process([
+                    "keytool",
+                    "-importkeystore",
+                    "-destkeystore", jks_tmp,
+                    "-srckeystore", p12_tmp,
+                    "-srcstoretype", "PKCS12",
+                    "-alias", alias,
+                    "-srcstorepass", passphrase,
+                    "-deststorepass", passphrase
+                ])
+
+
+class JavaTruststoreExportPlugin(ExportPlugin):
+    title = 'Java Truststore (JKS)'
+    slug = 'java-truststore-jks'
+    description = 'Attempts to generate a JKS truststore'
+    requires_key = False
+    version = java.VERSION
+
+    author = 'Kevin Glisson'
+    author_url = 'https://github.com/netflix/lemur'
+
+    options = [
+        {
+            'name': 'alias',
+            'type': 'str',
+            'required': False,
+            'helpMessage': 'Enter the alias you wish to use for the truststore.',
+        },
+        {
+            'name': 'passphrase',
+            'type': 'str',
+            'required': False,
+            'helpMessage': 'If no passphrase is given one will be generated for you, we highly recommend this. Minimum length is 8.',
+            'validation': ''
+        },
+    ]
+
+    def export(self, body, chain, key, options, **kwargs):
+        """
+        Generates a Java Truststore
+
+        :param key:
+        :param chain:
+        :param body:
+        :param options:
+        :param kwargs:
+        """
+
+        if self.get_option('alias', options):
+            alias = self.get_option('alias', options)
+        else:
+            alias = "blah"
+
+        if self.get_option('passphrase', options):
+            passphrase = self.get_option('passphrase', options)
+        else:
+            passphrase = get_psuedo_random_string()
+
+        with mktemppath() as jks_tmp:
+            create_truststore(body, chain, jks_tmp, alias, passphrase)
+
+            with open(jks_tmp, 'rb') as f:
+                raw = f.read()
+
+        return "jks", passphrase, raw
+
+
+class JavaKeystoreExportPlugin(ExportPlugin):
+    title = 'Java Keystore (JKS)'
+    slug = 'java-keystore-jks'
+    description = 'Attempts to generate a JKS keystore'
+    version = java.VERSION
+
+    author = 'Kevin Glisson'
+    author_url = 'https://github.com/netflix/lemur'
+
+    options = [
+        {
+            'name': 'passphrase',
+            'type': 'str',
+            'required': False,
+            'helpMessage': 'If no passphrase is given one will be generated for you, we highly recommend this. Minimum length is 8.',
+            'validation': ''
+        },
+        {
+            'name': 'alias',
+            'type': 'str',
+            'required': False,
+            'helpMessage': 'Enter the alias you wish to use for the keystore.',
+        }
+    ]
+
+    def export(self, body, chain, key, options, **kwargs):
+        """
+        Generates a Java Keystore
+
+        :param key:
+        :param chain:
+        :param body:
+        :param options:
+        :param kwargs:
+        """
+
+        if self.get_option('passphrase', options):
+            passphrase = self.get_option('passphrase', options)
+        else:
+            passphrase = get_psuedo_random_string()
+
+        if self.get_option('alias', options):
+            alias = self.get_option('alias', options)
+        else:
+            alias = "blah"
+
+        with mktemppath() as jks_tmp:
+            if not key:
+                raise Exception("Unable to export, no private key found.")
+
+            create_truststore(body, chain, jks_tmp, alias, passphrase)
+            create_keystore(body, jks_tmp, key, alias, passphrase)
+
+            with open(jks_tmp, 'rb') as f:
+                raw = f.read()
+
+        return "jks", passphrase, raw

lemur/plugins/lemur_java/tests/conftest.py

@@ -0,0 +1 @@
+from lemur.tests.conftest import *  # noqa

lemur/plugins/lemur_java/tests/test_java.py

@@ -0,0 +1,63 @@
+PRIVATE_KEY_STR = b"""
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAsXn+QZRATxryRmGXI4fdI+0a2oBwuVh8fC/9bcqX6c5eDmgc
+rj6esmc1hpIFxMM3DvkFXX6xISkU6B5fmYDEGZLi7NvcXF3+EoA/SCkP1MFlvqhn
+EvNhb0t1fBLs0i/0gfTS/FHBZY1ekHisd/sUetCDZ7F11RxMwws0Oc8bl7j1TpRc
+awXFAsh/aWwQOwFeyWU7TtZeAE7sMyWXInBg37tKk1wlv+mN+27WijI091+amkVy
+zIV6mA5OHfqbjuqV8uQflN8jE244Qr7shtSk7LpBpWf0M6dC7dXbuUctHFhqcDjy
+3IRUl+NisKRoMtq+a0uehfmpFNSUD7F4gdUtSwIDAQABAoIBAGITsZ+aBuPwVzzv
+x286MMoeyL1BR4oVzU1v09Rtpf/uLGo3vMnKDzc19A12+rseynl6wi1FyysxIb2Y
+s2oID9a2JrOQWLmus66TsuT01CvV6J0xQSzm1MyFXdqANuF84NlEa6hGoeK1+jFK
+jr0LQukP+9484oovxnfu5CCiRHRWNZmeuekuYhI1SJf343Tr6jwvyr6KZpnIy0Yt
+axuuIZdCfY9ZV2vFG89GwwgwVQrhf14Kv5vBMZrNh1lRGsr0Sqlx5cGkPRAy90lg
+HjrRMogrtXr3AR5Pk2qqAYXzZBU2EFhJ3k2njpwOzlSj0r0ZwTmejZ89cco0sW5j
++eQ6aRECgYEA1tkNW75fgwU52Va5VETCzG8II/pZdqNygnoc3z8EutN+1w8f6Tr+
+PdpKSICW0z7Iq4f5k/4wrA5xw1vy5RBMH0ZP29GwHTvCPiTBboR9vWvxQvZn1jb9
+wvKa0RxE18KcF0YIyTnZMubkA17QTFlvCNyZg0iCqeyFYPyqVE+R4AkCgYEA03h1
+XrqECZDDbG9HLUdGbkZNk4VzTcF6dQ3GAPY8M/H7rw5BbvH0RZLOrzl46DDVzKTg
+B1VOReAHsxBKFdkqeq1A99CLDow6vHTIEG8DwxkA7/2QPkt8MybwdApUyYnQh5/v
+CxwkRt4Mm+EiYfn5iyL8yI+vaQSRToVO/3BND7MCgYAJQSpBJG8qzqPSR9kN1zRo
+5/N60ULfSGUbV7U8rJNAlPGmw+EFA+SFt4xxmRBmIxMzyFSo2k8waiLeXmyVD2Go
+CzhPaLXkXHmegajPYOelrCulTcXlRVMi/Z5LmaMhhCGDIyInwNUpSybROllQoJ2W
+zSHTtODj/usz5U5U+WR4OQKBgHQRosI6t2wUo96peTS18UdnmP7GeZINBuymga5X
+eJW+VLkxpuKBNOTW/lCYx+8Rlte7CyebP9oEa9VxtGgniTRKUeVy9lAm0bpMkt7K
+QBNebvBKiVhX0DS3Q7U9UmpIFUfLlcXQTW0ERYFtYZTLQpeGvZ5LlyiaFDM34jM7
+7WAXAoGANDPJdQLEuimCOAMx/xoecNWeZIP6ieB0hVBrwLNxsaZlkn1KodUMuvla
+VEowbtPRdc9o3VZRh4q9cEakssTvOD70hgUZCFcMarmc37RgRvvD2fsZmDZF6qd3
+QfHplREs9F0sW+eiirczG7up4XL+CA162TtZxW+2GAiQhwhE5jA=
+-----END RSA PRIVATE KEY-----
+"""
+
+EXTERNAL_VALID_STR = b"""
+-----BEGIN CERTIFICATE-----
+MIID2zCCAsOgAwIBAgICA+0wDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlMb3MgR2F0b3MxDTALBgNV
+BAMMBHRlc3QxFjAUBgNVBAoMDU5ldGZsaXgsIEluYy4xEzARBgNVBAsMCk9wZXJh
+dGlvbnMxIzAhBgkqhkiG9w0BCQEWFGtnbGlzc29uQG5ldGZsaXguY29tMB4XDTE1
+MTEyMzIxNDIxMFoXDTE1MTEyNjIxNDIxMFowcjENMAsGA1UEAwwEdGVzdDEWMBQG
+A1UECgwNTmV0ZmxpeCwgSW5jLjETMBEGA1UECwwKT3BlcmF0aW9uczELMAkGA1UE
+BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCUxvcyBHYXRvczCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALF5/kGUQE8a8kZhlyOH3SPt
+GtqAcLlYfHwv/W3Kl+nOXg5oHK4+nrJnNYaSBcTDNw75BV1+sSEpFOgeX5mAxBmS
+4uzb3Fxd/hKAP0gpD9TBZb6oZxLzYW9LdXwS7NIv9IH00vxRwWWNXpB4rHf7FHrQ
+g2exddUcTMMLNDnPG5e49U6UXGsFxQLIf2lsEDsBXsllO07WXgBO7DMllyJwYN+7
+SpNcJb/pjftu1ooyNPdfmppFcsyFepgOTh36m47qlfLkH5TfIxNuOEK+7IbUpOy6
+QaVn9DOnQu3V27lHLRxYanA48tyEVJfjYrCkaDLavmtLnoX5qRTUlA+xeIHVLUsC
+AwEAAaNVMFMwUQYDVR0fBEowSDBGoESgQoZAaHR0cDovL3Rlc3QuY2xvdWRjYS5j
+cmwubmV0ZmxpeC5jb20vdGVzdERlY3JpcHRpb25DQVJvb3QvY3JsLnBlbTANBgkq
+hkiG9w0BAQsFAAOCAQEAiHREBKg7zhlQ/N7hDIkxgodRSWD7CVbJGSCdkR3Pvr6+
+jHBVNTJUrYqy7sL2pIutoeiSTQEH65/Gbm30mOnNu+lvFKxTxzof6kNYv8cyc8sX
+eBuBfSrlTodPFSHXQIpOexZgA0f30LOuXegqzxgXkKg+uMXOez5Zo5pNjTUow0He
+oe+V1hfYYvL1rocCmBOkhIGWz7622FxKDawRtZTGVsGsMwMIWyvS3+KQ04K8yHhp
+bQOg9zZAoYQuHY1inKBnA0II8eW0hPpJrlZoSqN8Tp0NSBpFiUk3m7KNFP2kITIf
+tTneAgyUsgfDxNDifZryZSzg7MH31sTBcYaotSmTXw==
+-----END CERTIFICATE-----
+"""
+
+
+def test_export_certificate_to_jks(app):
+    from lemur.plugins.base import plugins
+    p = plugins.get('java-export')
+    options = {'passphrase': 'test1234'}
+    raw = p.export(EXTERNAL_VALID_STR, "", PRIVATE_KEY_STR, options)
+    assert raw != b""

lemur/plugins/lemur_openssl/__init__.py

@@ -0,0 +1,5 @@
+try:
+    VERSION = __import__('pkg_resources') \
+        .get_distribution(__name__).version
+except Exception as e:
+    VERSION = 'unknown'

lemur/plugins/lemur_openssl/plugin.py

@@ -0,0 +1,130 @@
+"""
+.. module: lemur.plugins.lemur_openssl.plugin
+    :platform: Unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+import subprocess
+
+from flask import current_app
+
+from lemur.utils import mktempfile, mktemppath
+from lemur.plugins.bases import ExportPlugin
+from lemur.plugins import lemur_openssl as openssl
+from lemur.common.utils import get_psuedo_random_string
+
+
+def run_process(command):
+    """
+    Runs a given command with pOpen and wraps some
+    error handling around it.
+    :param command:
+    :return:
+    """
+    p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    current_app.logger.debug(command)
+    stdout, stderr = p.communicate()
+
+    if p.returncode != 0:
+        current_app.logger.debug(" ".join(command))
+        current_app.logger.error(stderr)
+        raise Exception(stderr)
+
+
+def create_pkcs12(cert, p12_tmp, key, alias, passphrase):
+    """
+    Creates a pkcs12 formated file.
+    :param cert:
+    :param jks_tmp:
+    :param key:
+    :param alias:
+    :param passphrase:
+    """
+    with mktempfile() as key_tmp:
+        with open(key_tmp, 'w') as f:
+            f.write(key)
+
+        # Create PKCS12 keystore from private key and public certificate
+        with mktempfile() as cert_tmp:
+            with open(cert_tmp, 'w') as f:
+                f.write(cert)
+
+            run_process([
+                "openssl",
+                "pkcs12",
+                "-export",
+                "-name", alias,
+                "-in", cert_tmp,
+                "-inkey", key_tmp,
+                "-out", p12_tmp,
+                "-password", "pass:{}".format(passphrase)
+            ])
+
+
+class OpenSSLExportPlugin(ExportPlugin):
+    title = 'OpenSSL'
+    slug = 'openssl-export'
+    description = 'Is a loose interface to openssl and support various formats'
+    version = openssl.VERSION
+
+    author = 'Kevin Glisson'
+    author_url = 'https://github.com/netflix/lemur'
+
+    options = [
+        {
+            'name': 'type',
+            'type': 'select',
+            'required': True,
+            'available': ['PKCS12 (.p12)'],
+            'helpMessage': 'Choose the format you wish to export',
+        },
+        {
+            'name': 'passphrase',
+            'type': 'str',
+            'required': False,
+            'helpMessage': 'If no passphrase is given one will be generated for you, we highly recommend this. Minimum length is 8.',
+            'validation': '^(?=.*[A-Za-z])(?=.*\d)(?=.*[$@$!%*#?&])[A-Za-z\d$@$!%*#?&]{8,}$'
+        },
+        {
+            'name': 'alias',
+            'type': 'str',
+            'required': False,
+            'helpMessage': 'Enter the alias you wish to use for the keystore.',
+        }
+    ]
+
+    def export(self, body, chain, key, options, **kwargs):
+        """
+        Generates a Java Keystore or Truststore
+
+        :param key:
+        :param chain:
+        :param body:
+        :param options:
+        :param kwargs:
+        """
+        if self.get_option('passphrase', options):
+            passphrase = self.get_option('passphrase', options)
+        else:
+            passphrase = get_psuedo_random_string()
+
+        if self.get_option('alias', options):
+            alias = self.get_option('alias', options)
+        else:
+            alias = "blah"
+
+        type = self.get_option('type', options)
+
+        with mktemppath() as output_tmp:
+            if type == 'PKCS12 (.p12)':
+                create_pkcs12(body, output_tmp, key, alias, passphrase)
+                extension = "p12"
+            else:
+                raise Exception("Unable to export, unsupported type: {0}".format(type))
+
+            with open(output_tmp, 'rb') as f:
+                raw = f.read()
+
+        return extension, passphrase, raw

lemur/plugins/lemur_openssl/tests/conftest.py

@@ -0,0 +1 @@
+from lemur.tests.conftest import *  # noqa

lemur/plugins/lemur_openssl/tests/test_openssl.py

@@ -0,0 +1,63 @@
+PRIVATE_KEY_STR = b"""
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAsXn+QZRATxryRmGXI4fdI+0a2oBwuVh8fC/9bcqX6c5eDmgc
+rj6esmc1hpIFxMM3DvkFXX6xISkU6B5fmYDEGZLi7NvcXF3+EoA/SCkP1MFlvqhn
+EvNhb0t1fBLs0i/0gfTS/FHBZY1ekHisd/sUetCDZ7F11RxMwws0Oc8bl7j1TpRc
+awXFAsh/aWwQOwFeyWU7TtZeAE7sMyWXInBg37tKk1wlv+mN+27WijI091+amkVy
+zIV6mA5OHfqbjuqV8uQflN8jE244Qr7shtSk7LpBpWf0M6dC7dXbuUctHFhqcDjy
+3IRUl+NisKRoMtq+a0uehfmpFNSUD7F4gdUtSwIDAQABAoIBAGITsZ+aBuPwVzzv
+x286MMoeyL1BR4oVzU1v09Rtpf/uLGo3vMnKDzc19A12+rseynl6wi1FyysxIb2Y
+s2oID9a2JrOQWLmus66TsuT01CvV6J0xQSzm1MyFXdqANuF84NlEa6hGoeK1+jFK
+jr0LQukP+9484oovxnfu5CCiRHRWNZmeuekuYhI1SJf343Tr6jwvyr6KZpnIy0Yt
+axuuIZdCfY9ZV2vFG89GwwgwVQrhf14Kv5vBMZrNh1lRGsr0Sqlx5cGkPRAy90lg
+HjrRMogrtXr3AR5Pk2qqAYXzZBU2EFhJ3k2njpwOzlSj0r0ZwTmejZ89cco0sW5j
++eQ6aRECgYEA1tkNW75fgwU52Va5VETCzG8II/pZdqNygnoc3z8EutN+1w8f6Tr+
+PdpKSICW0z7Iq4f5k/4wrA5xw1vy5RBMH0ZP29GwHTvCPiTBboR9vWvxQvZn1jb9
+wvKa0RxE18KcF0YIyTnZMubkA17QTFlvCNyZg0iCqeyFYPyqVE+R4AkCgYEA03h1
+XrqECZDDbG9HLUdGbkZNk4VzTcF6dQ3GAPY8M/H7rw5BbvH0RZLOrzl46DDVzKTg
+B1VOReAHsxBKFdkqeq1A99CLDow6vHTIEG8DwxkA7/2QPkt8MybwdApUyYnQh5/v
+CxwkRt4Mm+EiYfn5iyL8yI+vaQSRToVO/3BND7MCgYAJQSpBJG8qzqPSR9kN1zRo
+5/N60ULfSGUbV7U8rJNAlPGmw+EFA+SFt4xxmRBmIxMzyFSo2k8waiLeXmyVD2Go
+CzhPaLXkXHmegajPYOelrCulTcXlRVMi/Z5LmaMhhCGDIyInwNUpSybROllQoJ2W
+zSHTtODj/usz5U5U+WR4OQKBgHQRosI6t2wUo96peTS18UdnmP7GeZINBuymga5X
+eJW+VLkxpuKBNOTW/lCYx+8Rlte7CyebP9oEa9VxtGgniTRKUeVy9lAm0bpMkt7K
+QBNebvBKiVhX0DS3Q7U9UmpIFUfLlcXQTW0ERYFtYZTLQpeGvZ5LlyiaFDM34jM7
+7WAXAoGANDPJdQLEuimCOAMx/xoecNWeZIP6ieB0hVBrwLNxsaZlkn1KodUMuvla
+VEowbtPRdc9o3VZRh4q9cEakssTvOD70hgUZCFcMarmc37RgRvvD2fsZmDZF6qd3
+QfHplREs9F0sW+eiirczG7up4XL+CA162TtZxW+2GAiQhwhE5jA=
+-----END RSA PRIVATE KEY-----
+"""
+
+EXTERNAL_VALID_STR = b"""
+-----BEGIN CERTIFICATE-----
+MIID2zCCAsOgAwIBAgICA+0wDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlMb3MgR2F0b3MxDTALBgNV
+BAMMBHRlc3QxFjAUBgNVBAoMDU5ldGZsaXgsIEluYy4xEzARBgNVBAsMCk9wZXJh
+dGlvbnMxIzAhBgkqhkiG9w0BCQEWFGtnbGlzc29uQG5ldGZsaXguY29tMB4XDTE1
+MTEyMzIxNDIxMFoXDTE1MTEyNjIxNDIxMFowcjENMAsGA1UEAwwEdGVzdDEWMBQG
+A1UECgwNTmV0ZmxpeCwgSW5jLjETMBEGA1UECwwKT3BlcmF0aW9uczELMAkGA1UE
+BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCUxvcyBHYXRvczCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALF5/kGUQE8a8kZhlyOH3SPt
+GtqAcLlYfHwv/W3Kl+nOXg5oHK4+nrJnNYaSBcTDNw75BV1+sSEpFOgeX5mAxBmS
+4uzb3Fxd/hKAP0gpD9TBZb6oZxLzYW9LdXwS7NIv9IH00vxRwWWNXpB4rHf7FHrQ
+g2exddUcTMMLNDnPG5e49U6UXGsFxQLIf2lsEDsBXsllO07WXgBO7DMllyJwYN+7
+SpNcJb/pjftu1ooyNPdfmppFcsyFepgOTh36m47qlfLkH5TfIxNuOEK+7IbUpOy6
+QaVn9DOnQu3V27lHLRxYanA48tyEVJfjYrCkaDLavmtLnoX5qRTUlA+xeIHVLUsC
+AwEAAaNVMFMwUQYDVR0fBEowSDBGoESgQoZAaHR0cDovL3Rlc3QuY2xvdWRjYS5j
+cmwubmV0ZmxpeC5jb20vdGVzdERlY3JpcHRpb25DQVJvb3QvY3JsLnBlbTANBgkq
+hkiG9w0BAQsFAAOCAQEAiHREBKg7zhlQ/N7hDIkxgodRSWD7CVbJGSCdkR3Pvr6+
+jHBVNTJUrYqy7sL2pIutoeiSTQEH65/Gbm30mOnNu+lvFKxTxzof6kNYv8cyc8sX
+eBuBfSrlTodPFSHXQIpOexZgA0f30LOuXegqzxgXkKg+uMXOez5Zo5pNjTUow0He
+oe+V1hfYYvL1rocCmBOkhIGWz7622FxKDawRtZTGVsGsMwMIWyvS3+KQ04K8yHhp
+bQOg9zZAoYQuHY1inKBnA0II8eW0hPpJrlZoSqN8Tp0NSBpFiUk3m7KNFP2kITIf
+tTneAgyUsgfDxNDifZryZSzg7MH31sTBcYaotSmTXw==
+-----END CERTIFICATE-----
+"""
+
+
+def test_export_certificate_to_jks(app):
+    from lemur.plugins.base import plugins
+    p = plugins.get('java-export')
+    options = {'passphrase': 'test1234'}
+    raw = p.export(EXTERNAL_VALID_STR, "", PRIVATE_KEY_STR, options)
+    assert raw != b""

lemur/plugins/lemur_verisign/constants.py

@@ -1,57 +0,0 @@
-VERISIGN_INTERMEDIATE = """-----BEGIN CERTIFICATE-----
-MIIFFTCCA/2gAwIBAgIQKC4nkXkzkuQo8iGnTsk3rjANBgkqhkiG9w0BAQsFADCB
-yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
-ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJp
-U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
-ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5IC0gRzMwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
-CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
-BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
-YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
-A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
-9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
-s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
-L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
-Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBQDCCATwwHQYDVR0O
-BBYEFF9gz2GQVd+EQxSKYCqy9Xr0QxjvMBIGA1UdEwEB/wQIMAYBAf8CAQAwawYD
-VR0gBGQwYjBgBgpghkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cu
-c3ltYXV0aC5jb20vY3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0
-aC5jb20vcnBhMC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9zLnN5bWNiLmNvbS9w
-Y2EzLWczLmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNV
-BAMTEVN5bWFudGVjUEtJLTEtNTM0MC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcw
-AYYSaHR0cDovL3Muc3ltY2QuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBbF1K+1lZ7
-9Pc0CUuWysf2IdBpgO/nmhnoJOJ/2S9h3RPrWmXk4WqQy04q6YoW51KN9kMbRwUN
-gKOomv4p07wdKNWlStRxPA91xQtzPwBIZXkNq2oeJQzAAt5mrL1LBmuaV4oqgX5n
-m7pSYHPEFfe7wVDJCKW6V0o6GxBzHOF7tpQDS65RsIJAOloknO4NWF2uuil6yjOe
-soHCL47BJ89A8AShP/U3wsr8rFNtqVNpT+F2ZAwlgak3A/I5czTSwXx4GByoaxbn
-5+CdKa/Y5Gk5eZVpuXtcXQGc1PfzSEUTZJXXCm5y2kMiJG8+WnDcwJLgLeVX+OQr
-J+71/xuzAYN6
------END CERTIFICATE-----
-"""
-
-VERISIGN_ROOT = """-----BEGIN CERTIFICATE-----
-MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQsw
-CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl
-cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu
-LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT
-aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
-dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD
-VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT
-aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ
-bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu
-IENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg
-LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu6nFL8eB8aHm8b
-N3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1EUGO+i2t
-KmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGu
-kxUccLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBm
-CC+Vk7+qRy+oRpfwEuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJ
-Xwzw3sJ2zq/3avL6QaaiMxTJ5Xpj055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWu
-imi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAERSWwauSCPc/L8my/uRan2Te
-2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5fj267Cz3qWhMe
-DGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC
-/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565p
-F4ErWjfJXir0xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGt
-TxzhT5yvDwyd93gN2PQ1VoDat20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ==
------END CERTIFICATE-----
-"""

lemur/plugins/lemur_verisign/plugin.py

@@ -13,9 +13,8 @@ import xmltodict
 
 from flask import current_app
 
-from lemur.plugins.bases import IssuerPlugin
+from lemur.plugins.bases import IssuerPlugin, SourcePlugin
 from lemur.plugins import lemur_verisign as verisign
-from lemur.plugins.lemur_verisign import constants
 from lemur.common.utils import get_psuedo_random_string
 
 
@@ -80,7 +79,7 @@ def process_options(options):
 
     if options.get('validityEnd'):
         end_date, period = get_default_issuance(options)
-        data['specificEndDate'] = end_date
+        data['specificEndDate'] = str(end_date)
         data['validityPeriod'] = period
 
     return data
@@ -132,7 +131,7 @@ class VerisignIssuerPlugin(IssuerPlugin):
     version = verisign.VERSION
 
     author = 'Kevin Glisson'
-    author_url = 'https://github.com/netflix/lemur'
+    author_url = 'https://github.com/netflix/lemur.git'
 
     def __init__(self, *args, **kwargs):
         self.session = requests.Session()
@@ -147,7 +146,7 @@ class VerisignIssuerPlugin(IssuerPlugin):
         :param issuer_options:
         :return: :raise Exception:
         """
-        url = current_app.config.get("VERISIGN_URL") + '/enroll'
+        url = current_app.config.get("VERISIGN_URL") + '/rest/services/enroll'
 
         data = process_options(issuer_options)
         data['csr'] = csr
@@ -156,7 +155,7 @@ class VerisignIssuerPlugin(IssuerPlugin):
 
         response = self.session.post(url, data=data)
         cert = handle_response(response.content)['Response']['Certificate']
-        return cert, constants.VERISIGN_INTERMEDIATE,
+        return cert, current_app.config.get('VERISIGN_INTERMEDIATE'),
 
     @staticmethod
     def create_authority(options):
@@ -168,7 +167,7 @@ class VerisignIssuerPlugin(IssuerPlugin):
         :return:
         """
         role = {'username': '', 'password': '', 'name': 'verisign'}
-        return constants.VERISIGN_ROOT, "", [role]
+        return current_app.config.get('VERISIGN_ROOT'), "", [role]
 
     def get_available_units(self):
         """
@@ -177,6 +176,35 @@ class VerisignIssuerPlugin(IssuerPlugin):
 
         :return:
         """
-        url = current_app.config.get("VERISIGN_URL") + '/getTokens'
+        url = current_app.config.get("VERISIGN_URL") + '/rest/services/getTokens'
         response = self.session.post(url, headers={'content-type': 'application/x-www-form-urlencoded'})
         return handle_response(response.content)['Response']['Order']
+
+
+class VerisignSourcePlugin(SourcePlugin):
+    title = 'Verisign'
+    slug = 'verisign-source'
+    description = 'Allows for the polling of issued certificates from the VICE2.0 verisign API.'
+    version = verisign.VERSION
+
+    author = 'Kevin Glisson'
+    author_url = 'https://github.com/netflix/lemur.git'
+
+    def __init__(self, *args, **kwargs):
+        self.session = requests.Session()
+        self.session.cert = current_app.config.get('VERISIGN_PEM_PATH')
+        super(VerisignSourcePlugin, self).__init__(*args, **kwargs)
+
+    def get_certificates(self):
+        url = current_app.config.get('VERISIGN_URL') + '/reportingws'
+        end = arrow.now()
+        start = end.replace(years=-5)
+        data = {
+            'reportType': 'detail',
+            'startDate': start.format("MM/DD/YYYY"),
+            'endDate': end.format("MM/DD/YYYY"),
+            'structuredRecord': 'Y',
+            'certStatus': 'Valid',
+        }
+        current_app.logger.debug(data)
+        response = self.session.post(url, data=data)

lemur/plugins/lemur_verisign/tests/conftest.py

@@ -0,0 +1 @@
+from lemur.tests.conftest import *  # noqa

lemur/plugins/lemur_verisign/tests/test_verisign.py

@@ -0,0 +1,5 @@
+
+def test_get_certificates(app):
+    from lemur.plugins.base import plugins
+    p = plugins.get('verisign-source')
+    p.get_certificates()

lemur/plugins/views.py

@@ -86,7 +86,7 @@ class PluginsList(AuthenticatedResource):
         if args['type']:
             return list(plugins.all(plugin_type=args['type']))
 
-        return plugins.all()
+        return list(plugins.all())
 
 
 class Plugins(AuthenticatedResource):

lemur/roles/models.py

@@ -12,9 +12,8 @@
 from sqlalchemy.orm import relationship
 from sqlalchemy import Column, Integer, String, Text, ForeignKey
 
-from sqlalchemy_utils import EncryptedType
 from lemur.database import db
-from lemur.utils import get_key
+from lemur.utils import Vault
 from lemur.models import roles_users
 
 
@@ -23,7 +22,7 @@ class Role(db.Model):
     id = Column(Integer, primary_key=True)
     name = Column(String(128), unique=True)
     username = Column(String(128))
-    password = Column(EncryptedType(String, get_key))
+    password = Column(Vault)
     description = Column(Text)
     authority_id = Column(Integer, ForeignKey('authorities.id'))
     user_id = Column(Integer, ForeignKey('users.id'))

lemur/roles/views.py

@@ -75,9 +75,9 @@ class RolesList(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
@@ -367,9 +367,9 @@ class UserRolesList(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """
@@ -426,9 +426,9 @@ class AuthorityRolesList(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """

lemur/sources/service.py

@@ -76,7 +76,7 @@ def sync(labels=None):
             if source.label not in labels:
                 continue
 
-        current_app.logger.error("Retrieving certificates from {0}".format(source.label))
+        current_app.logger.debug("Retrieving certificates from {0}".format(source.label))
         s = plugins.get(source.plugin_name)
         certificates = s.get_certificates(source.options)
 

lemur/sources/views.py

@@ -83,9 +83,9 @@ class SourcesList(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """
@@ -349,9 +349,9 @@ class CertificateSources(AuthenticatedResource):
 
            :query sortBy: field to sort on
            :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query limit: limit number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """

lemur/static/app/angular/app.js

@@ -1,113 +1,158 @@
 'use strict';
 
-var lemur = angular
-  .module('lemur', [
-    'ngRoute',
-    'ngTable',
-    'ngAnimate',
-    'chart.js',
-    'restangular',
-    'angular-loading-bar',
-    'ui.bootstrap',
-    'angular-spinkit',
-    'toaster',
-    'uiSwitch',
-    'mgo-angular-wizard',
-    'satellizer'
-  ])
-  .config(function ($routeProvider, $authProvider) {
-    $routeProvider
-      .when('/', {
+(function() {
+  var lemur = angular
+    .module('lemur', [
+      'ui.router',
+      'ngTable',
+      'ngAnimate',
+      'chart.js',
+      'restangular',
+      'angular-loading-bar',
+      'ui.bootstrap',
+      'angular-spinkit',
+      'toaster',
+      'uiSwitch',
+      'mgo-angular-wizard',
+      'satellizer',
+      'ngLetterAvatar',
+      'angular-clipboard',
+      'ngFileSaver'
+    ]);
+
+
+  function fetchData() {
+    var initInjector = angular.injector(['ng']);
+    var $http = initInjector.get('$http');
+
+    return $http.get('http://localhost:8000/api/1/auth/providers').then(function(response) {
+      lemur.constant('providers', response.data);
+    }, function(errorResponse) {
+      console.log('Could not fetch SSO providers' + errorResponse);
+    });
+  }
+
+  function bootstrapApplication() {
+    angular.element(document).ready(function() {
+      angular.bootstrap(document, ['lemur']);
+    });
+  }
+
+  fetchData().then(bootstrapApplication);
+
+  lemur.config(function ($stateProvider, $urlRouterProvider, $authProvider, providers) {
+    $urlRouterProvider.otherwise('/welcome');
+    $stateProvider
+      .state('welcome', {
+        url: '/welcome',
         templateUrl: 'angular/welcome/welcome.html'
-      })
-      .otherwise({
-        redirectTo: '/'
       });
 
-    $authProvider.oauth2({
-      name: 'example',
-      url: 'http://localhost:5000/api/1/auth/ping',
-      redirectUri: 'http://localhost:3000/',
-      clientId: 'client-id',
-      responseType: 'code',
-      scope: ['openid', 'email', 'profile', 'address'],
-      scopeDelimiter: ' ',
-      authorizationEndpoint: 'https://example.com/as/authorization.oauth2',
-      requiredUrlParams: ['scope']
-    });
-  });
-
-lemur.service('MomentService', function () {
-  this.diffMoment = function (start, end) {
-    if (end !== 'None') {
-      return moment(end, 'YYYY-MM-DD HH:mm Z').diff(moment(start, 'YYYY-MM-DD HH:mm Z'), 'minutes') + ' minutes';
-    }
-    return 'Unknown';
-  };
-  this.createMoment = function (date) {
-    if (date !== 'None') {
-      return moment(date, 'YYYY-MM-DD HH:mm Z').fromNow();
-    }
-    return 'Unknown';
-  };
-});
-
-lemur.controller('datePickerController', function ($scope, $timeout){
-  $scope.open = function() {
-    $timeout(function() {
-      $scope.opened = true;
-    });
-  };
-});
-
-lemur.factory('LemurRestangular', function (Restangular, $location, $auth) {
-  return Restangular.withConfig(function (RestangularConfigurer) {
-    RestangularConfigurer.setBaseUrl('http://localhost:5000/api/1');
-    RestangularConfigurer.setDefaultHttpFields({withCredentials: true});
-
-    RestangularConfigurer.addResponseInterceptor(function (data, operation) {
-      var extractedData;
-
-      // .. to look for getList operations
-      if (operation === 'getList') {
-        // .. and handle the data and meta data
-        extractedData = data.items;
-        extractedData.total = data.total;
+    _.each(providers, function(provider) {
+      if ($authProvider.hasOwnProperty(provider.name)) {
+        $authProvider[provider.name](provider);
       } else {
-        extractedData = data;
+        $authProvider.oauth2(provider);
       }
-      return extractedData;
     });
-
-    RestangularConfigurer.addFullRequestInterceptor(function (element, operation, route, url, headers, params) {
-      // We want to make sure the user is auth'd before any requests
-      if (!$auth.isAuthenticated()) {
-        $location.path('/login');
-        return false;
-      }
-
-      var regExp = /\[([^)]+)\]/;
-
-      var s = 'sorting';
-      var f = 'filter';
-      var newParams = {};
-      for (var item in params) {
-        if (item.indexOf(s) > -1) {
-          newParams.sortBy = regExp.exec(item)[1];
-          newParams.sortDir = params[item];
-        } else if (item.indexOf(f) > -1) {
-          var key = regExp.exec(item)[1];
-          newParams.filter = key + ';' + params[item];
-        } else {
-          newParams[item] = params[item];
-        }
-      }
-      return { params: newParams };
-    });
-
   });
-});
 
-lemur.run(['$templateCache', function ($templateCache) {
-  $templateCache.put('ng-table/pager.html', '<div class="ng-cloak ng-table-pager"> <div ng-if="params.settings().counts.length" class="ng-table-counts btn-group pull-left"> <button ng-repeat="count in params.settings().counts" type="button" ng-class="{\'active\':params.count()==count}" ng-click="params.count(count)" class="btn btn-default"> <span ng-bind="count"></span> </button></div><div class="pull-right"><ul style="margin: 0; padding: 0;" class="pagination ng-table-pagination"> <li ng-class="{\'disabled\': !page.active}" ng-repeat="page in pages" ng-switch="page.type"> <a ng-switch-when="prev" ng-click="params.page(page.number)" href="">&laquo;</a> <a ng-switch-when="first" ng-click="params.page(page.number)" href=""><span ng-bind="page.number"></span></a> <a ng-switch-when="page" ng-click="params.page(page.number)" href=""><span ng-bind="page.number"></span></a> <a ng-switch-when="more" ng-click="params.page(page.number)" href="">&#8230;</a> <a ng-switch-when="last" ng-click="params.page(page.number)" href=""><span ng-bind="page.number"></span></a> <a ng-switch-when="next" ng-click="params.page(page.number)" href="">&raquo;</a> </li> </ul> </div></div>');
-}]);
+  lemur.service('MomentService', function () {
+    this.diffMoment = function (start, end) {
+      if (end !== 'None') {
+        return moment(end, 'YYYY-MM-DD HH:mm Z').diff(moment(start, 'YYYY-MM-DD HH:mm Z'), 'minutes') + ' minutes';
+      }
+      return 'Unknown';
+    };
+    this.createMoment = function (date) {
+      if (date !== 'None') {
+        return moment(date, 'YYYY-MM-DD HH:mm Z').fromNow();
+      }
+      return 'Unknown';
+    };
+  });
+
+  lemur.controller('datePickerController', function ($scope, $timeout){
+    $scope.open = function() {
+      $timeout(function() {
+        $scope.opened = true;
+      });
+    };
+  });
+
+  lemur.service('DefaultService', function (LemurRestangular) {
+    var DefaultService = this;
+    DefaultService.get = function () {
+      return LemurRestangular.all('defaults').customGET().then(function (defaults) {
+        return defaults;
+      });
+    };
+  });
+
+  lemur.factory('LemurRestangular', function (Restangular, $location, $auth) {
+    return Restangular.withConfig(function (RestangularConfigurer) {
+      RestangularConfigurer.setBaseUrl('http://localhost:8000/api/1');
+      RestangularConfigurer.setDefaultHttpFields({withCredentials: true});
+
+      RestangularConfigurer.addResponseInterceptor(function (data, operation) {
+        var extractedData;
+
+        // .. to look for getList operations
+        if (operation === 'getList') {
+          // .. and handle the data and meta data
+          extractedData = data.items;
+          extractedData.total = data.total;
+        } else {
+          extractedData = data;
+        }
+
+        return extractedData;
+      });
+
+      RestangularConfigurer.setErrorInterceptor(function(response) {
+        if (response.status === 400) {
+          if (response.data.message) {
+            var data = '';
+            _.each(response.data.message, function (value, key) {
+              data = data + ' ' + key + ' ' + value;
+            });
+            response.data.message = data;
+          }
+        }
+      });
+
+      RestangularConfigurer.addFullRequestInterceptor(function (element, operation, route, url, headers, params) {
+        // We want to make sure the user is auth'd before any requests
+        if (!$auth.isAuthenticated()) {
+          $location.path('/login');
+          return false;
+        }
+
+        var regExp = /\[([^)]+)\]/;
+
+        var s = 'sorting';
+        var f = 'filter';
+        var newParams = {};
+        for (var item in params) {
+          if (item.indexOf(s) > -1) {
+            newParams.sortBy = regExp.exec(item)[1];
+            newParams.sortDir = params[item];
+          } else if (item.indexOf(f) > -1) {
+            var key = regExp.exec(item)[1];
+            newParams.filter = key + ';' + params[item];
+          } else {
+            newParams[item] = params[item];
+          }
+        }
+        return { params: newParams };
+      });
+
+    });
+  });
+
+  lemur.run(['$templateCache', function ($templateCache) {
+    $templateCache.put('ng-table/pager.html', '<div class="ng-cloak ng-table-pager"> <div ng-if="params.settings().counts.length" class="ng-table-counts btn-group pull-left"> <button ng-repeat="count in params.settings().counts" type="button" ng-class="{\'active\':params.count()==count}" ng-click="params.count(count)" class="btn btn-default"> <span ng-bind="count"></span> </button></div><div class="pull-right"><ul style="margin: 0; padding: 0;" class="pagination ng-table-pagination"> <li ng-class="{\'disabled\': !page.active}" ng-repeat="page in pages" ng-switch="page.type"> <a ng-switch-when="prev" ng-click="params.page(page.number)" href="">&laquo;</a> <a ng-switch-when="first" ng-click="params.page(page.number)" href=""><span ng-bind="page.number"></span></a> <a ng-switch-when="page" ng-click="params.page(page.number)" href=""><span ng-bind="page.number"></span></a> <a ng-switch-when="more" ng-click="params.page(page.number)" href="">&#8230;</a> <a ng-switch-when="last" ng-click="params.page(page.number)" href=""><span ng-bind="page.number"></span></a> <a ng-switch-when="next" ng-click="params.page(page.number)" href="">&raquo;</a> </li> </ul> </div></div>');
+  }]);
+}());
+
+

lemur/static/app/angular/authentication/login/login.js

@@ -1,17 +1,20 @@
 'use strict';
 
 angular.module('lemur')
-  .config(function config($routeProvider) {
-    $routeProvider.when('/login', {
+  .config(function config($stateProvider) {
+    $stateProvider.state('login', {
+      url: '/login',
       templateUrl: '/angular/authentication/login/login.tpl.html',
       controller: 'LoginController'
     });
   })
-  .controller('LoginController', function ($rootScope, $scope, AuthenticationService, UserService) {
+  .controller('LoginController', function ($rootScope, $scope, AuthenticationService, UserService, providers) {
     $scope.login = AuthenticationService.login;
     $scope.authenticate = AuthenticationService.authenticate;
     $scope.logout = AuthenticationService.logout;
 
+    $scope.providers = providers;
+
     UserService.getCurrentUser().then(function (user) {
       $scope.currentUser = user;
     });

lemur/static/app/angular/authentication/login/login.tpl.html

@@ -3,8 +3,8 @@
   <div class="login">
     <div class="row">
       <div class="col-xs-12 col-sm-12 col-md-12">
-        <button class="btn btn-block btn-default" ng-click="authenticate('Example')">
-          Login with Example
+        <button class="btn btn-block btn-default" ng-repeat="(key, value) in providers" ng-click="authenticate(value.name)">
+          Login with {{ value.name }}
         </button>
       </div>
     </div>