0.5 Release (#750)

* Upgrade dependency marshmallow-sqlalchemy to ==0.13.0

* Upgrade dependency marshmallow-sqlalchemy to ==0.13.1

.coveragerc

@@ -0,0 +1,4 @@
+[report]
+include = lemur/*.py
+omit = lemur/migrations/*
+

.gitattributes

@@ -1 +1,2 @@
-* text=auto
+* text=auto
+version.py  export-subst

.gitignore

@@ -1,3 +1,4 @@
+/.cache
 .coverage
 .tox
 .DS_Store

.jshintrc

@@ -8,7 +8,7 @@
   "eqeqeq": true,
   "immed": true,
   "indent": 2,
-  "latedef": true,
+  "latedef": false,
   "newcap": false,
   "noarg": true,
   "quotmark": "single",
@@ -22,6 +22,8 @@
     "angular": false,
     "moment": false,
     "toaster": false,
+    "d3": false,
+    "self": false,
     "_": false
   }
 }

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+-   repo: git://github.com/pre-commit/pre-commit-hooks
+    sha: 18d7035de5388cc7775be57f529c154bf541aab9
+    hooks:
+    -   id: trailing-whitespace
+    -   id: flake8
+    -   id: check-merge-conflict
+-   repo: git://github.com/pre-commit/mirrors-jshint
+    sha: e72140112bdd29b18b0c8257956c896c4c3cebcb
+    hooks:
+    -   id: jshint

.travis.yml

@@ -1,18 +1,17 @@
-sudo: false
-
 language: python
+sudo: required
+dist: trusty
+
+node_js:
+  - "6.2.0"
 
 addons:
   postgresql: "9.4"
 
 matrix:
   include:
-    - python: "2.7"
-      env: TOXENV=py27
-    - python: "3.3"
-      env: TOXENV=py33
-    - python: "3.4"
-      env: TOXENV=py34
+    - python: "3.5"
+      env: TOXENV=py35
 
 cache:
   directories:
@@ -22,18 +21,26 @@ cache:
 env:
   global:
     - PIP_DOWNLOAD_CACHE=".pip_download_cache"
-
-install:
-  - make dev-postgres
+    # do not load /etc/boto.cfg with Python 3 incompatible plugin
+    # https://github.com/travis-ci/travis-ci/issues/5246#issuecomment-166460882
+    - BOTO_CONFIG=/doesnotexist
 
 before_script:
   - psql -c "create database lemur;" -U postgres
   - psql -c "create user lemur with password 'lemur;'" -U postgres
+  - npm config set registry https://registry.npmjs.org
   - npm install -g bower
+  - pip install --upgrade setuptools
+
+install:
+  - pip install coveralls
 
 script:
   - make test
 
+after_success:
+  - coveralls
+
 notifications:
   email:
-    kglisson@netflix.com
+    kglisson@netflix.com

AUTHORS

@@ -1,2 +1,3 @@
-- Kevin Glisson (kglisson@netflix.com)
+- Kevin Glisson <kglisson@netflix.com>
 - Jeremy Heffner <jheffner@netflix.com>
+

CHANGELOG.rst

@@ -0,0 +1,167 @@
+Changelog
+=========
+
+0.5 - `2016-04-08`
+~~~~~~~~~~~~~~~~~~
+
+This release is most notable for dropping support for python2.7. All Lemur versions >0.4 will now support python3.5 only.
+
+Big thanks to neilschelly for quite a lot of improvements to the `lemur-cryptography` plugin.
+
+Other Highlights:
+
+* Closed `#501 <https://github.com/Netflix/lemur/issues/501>`_ - Endpoint resource as now kept in sync via an
+expiration mechanism. Such that non-existant endpoints gracefully fall out of Lemur. Certificates are never
+removed from Lemur.
+
+* Closed `#551 <https://github.com/Netflix/lemur/pull/551>`_ - Added the ability to create a 4096 bit key during certificate
+creation. Closed `#528 <https://github.com/Netflix/lemur/pull/528>`_ to ensure that issuer plugins supported the new 4096 bit keys.
+
+* Closed `#566 <https://github.com/Netflix/lemur/issues/566>`_ - Fixed an issue changing the notification status for  certificates
+without private keys.
+
+* Closed `#594 <https://github.com/Netflix/lemur/issues/594>`_ - Added `replaced` field indicating if a certificate has been superseded.
+
+* Closed `#602 <https://github.com/Netflix/lemur/issues/602>`_ - AWS plugin added support for ALBs for endpoint tracking.
+
+
+Special thanks to all who helped with with this release, notably:
+
+- RcRonco
+- harmw
+- jeremyguarini
+
+See the full list of issues closed in `0.5 <https://github.com/Netflix/lemur/milestone/4>`_.
+
+Upgrading
+---------
+
+.. note:: This release will need a slight migration change. Please follow the `documentation <https://lemur.readthedocs.io/en/latest/administration.html#upgrading-lemur>`_ to upgrade Lemur.
+
+
+0.4 - `2016-11-17`
+~~~~~~~~~~~~~~~~~~
+
+There have been quite a few issues closed in this release. Some notables:
+
+* Closed `#284 <https://github.com/Netflix/lemur/issues/284>`_ - Created new models for `Endpoints` created associated
+AWS ELB endpoint tracking code. This was the major stated goal of this milestone and should serve as the basis for
+future enhancements of Lemur's certificate 'deployment' capabilities.
+
+* Closed `#334 <https://github.com/Netflix/lemur/issues/334>`_ - Lemur not has the ability
+to restrict certificate expiration dates to weekdays.
+
+Several fixes/tweaks to Lemurs python3 support (thanks chadhendrie!)
+
+This will most likely be the last release to support python2.7 moving Lemur to target python3 exclusively. Please comment
+on issue #340 if this negatively affects your usage of Lemur.
+
+See the full list of issues closed in `0.4 <https://github.com/Netflix/lemur/milestone/3>`_.
+
+Upgrading
+---------
+
+.. note:: This release will need a slight migration change. Please follow the `documentation <https://lemur.readthedocs.io/en/latest/administration.html#upgrading-lemur>`_ to upgrade Lemur.
+
+
+0.3.0 - `2016-06-06`
+~~~~~~~~~~~~~~~~~~~~
+
+This is quite a large upgrade, it is highly advised you backup your database before attempting to upgrade as this release
+requires the migration of database structure as well as data.
+
+
+Upgrading
+---------
+
+Please follow the `documentation <https://lemur.readthedocs.io/en/latest/administration.html#upgrading-lemur>`_ to upgrade Lemur.
+
+
+Source Plugin Owners
+--------------------
+
+The dictionary returned from a source plugin has changed keys from `public_certificate` to `body` and `intermediate_certificate` to chain.
+
+
+Issuer Plugin Owners
+--------------------
+
+This release may break your plugins, the keys in `issuer_options` have been changed from `camelCase` to `under_score`.
+This change was made to break a undue reliance on downstream options maintains a more pythonic naming convention. Renaming
+these keys should be fairly trivial, additionally pull requests have been submitted to affected plugins to help ease the transition.
+
+.. note:: This change only affects issuer plugins and does not affect any other types of plugins.
+
+
+* Closed `#63 <https://github.com/Netflix/lemur/issues/63>`_ - Validates all endpoints with Marshmallow schemas, this allows for
+    stricter input validation and better error messages when validation fails.
+* Closed `#146 <https://github.com/Netflix/lemur/issues/146>`_ - Moved authority type to first pane of authority creation wizard.
+* Closed `#147 <https://github.com/Netflix/lemur/issues/147>`_ - Added and refactored the relationship between authorities and their
+    root certificates. Displays the certificates (and chains) next the the authority in question.
+* Closed `#199 <https://github.com/Netflix/lemur/issues/199>`_ - Ensures that the dates submitted to Lemur during authority and
+    certificate creation are actually dates.
+* Closed `#230 <https://github.com/Netflix/lemur/issues/230>`_ - Migrated authority dropdown to a ui-select based dropdown, this
+    should be easier to determine what authorities are available and when an authority has actually been selected.
+* Closed `#254 <https://github.com/Netflix/lemur/issues/254>`_ - Forces certificate names to be generally unique. If a certificate name
+    (generated or otherwise) is found to be a duplicate we increment by appending a counter.
+* Closed `#254 <https://github.com/Netflix/lemur/issues/275>`_ - Switched to using Fernet generated passphrases for exported items.
+    These are more sounds that pseudo random passphrases generated before and have the nice property of being in base64.
+* Closed `#278 <https://github.com/Netflix/lemur/issues/278>`_ - Added ability to specify a custom name to certificate creation, previously
+    this was only available in the certificate import wizard.
+* Closed `#281 <https://github.com/Netflix/lemur/issues/281>`_ - Fixed an issue where notifications could not be removed from a certificate
+    via the UI.
+* Closed `#289 <https://github.com/Netflix/lemur/issues/289>`_ - Fixed and issue where intermediates were not being properly exported.
+* Closed `#315 <https://github.com/Netflix/lemur/issues/315>`_ - Made how roles are associated with certificates and authorities much more
+    explict, including adding the ability to add roles directly to certificates and authorities on creation.
+
+
+
+0.2.2 - 2016-02-05
+~~~~~~~~~~~~~~~~~~
+
+* Closed `#234 <https://github.com/Netflix/lemur/issues/234>`_ - Allows export plugins to define whether they need
+    private key material (default is True)
+* Closed `#231 <https://github.com/Netflix/lemur/issues/231>`_ - Authorities were not respecting 'owning' roles and their
+    users
+* Closed `#228 <https://github.com/Netflix/lemur/issues/228>`_ - Fixed documentation with correct filter values
+* Closed `#226 <https://github.com/Netflix/lemur/issues/226>`_ - Fixes issue were `import_certificate` was requiring
+    replacement certificates to be specified
+* Closed `#224 <https://github.com/Netflix/lemur/issues/224>`_ - Fixed an issue where NPM might not be globally available (thanks AlexClineBB!)
+* Closed `#221 <https://github.com/Netflix/lemur/issues/234>`_ - Fixes several reported issues where older migration scripts were
+    missing tables, this change removes pre 0.2 migration scripts
+* Closed `#218 <https://github.com/Netflix/lemur/issues/234>`_ - Fixed an issue where export passphrases would not validate
+
+
+0.2.1 - 2015-12-14
+~~~~~~~~~~~~~~~~~~
+
+* Fixed bug with search not refreshing values
+* Cleaned up documentation, including working supervisor example (thanks rpicard!)
+* Closed #165 - Fixed an issue with email templates
+* Closed #188 - Added ability to submit third party CSR
+* Closed #176 - Java-export should allow user to specify truststore/keystore
+* Closed #176 - Extended support for exporting certificate in P12 format
+
+
+0.2.0 - 2015-12-02
+~~~~~~~~~~~~~~~~~~
+
+* Closed #120 - Error messages not displaying long enough
+* Closed #121 - Certificate create form should not be valid until a Certificate Authority object is available
+* Closed #122 - Certificate API should allow for the specification of preceding certificates
+    You can now target a certificate(s) for replacement. When specified the replaced certificate will be marked as
+    'inactive'. This means that there will be no notifications for that certificate.
+* Closed #139 - SubCA autogenerated descriptions for their certs are incorrect
+* Closed #140 - Permalink does not change with filtering
+* Closed #144 - Should be able to search certificates by domains covered, included wildcards
+* Closed #165 - Cleaned up expiration notification template
+* Closed #160 - Cleaned up quickstart documentation (thanks forkd!)
+* Closed #144 - Now able to search by all domains in a given certificate, not just by common name
+
+
+0.1.5 - 2015-10-26
+~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE**: Switched from use a AES static key to Fernet encryption.
+  Affects all versions prior to 0.1.5. If upgrading this will require a data migration.
+  see: `Upgrading Lemur <https://lemur.readthedocs.com/adminstration#UpgradingLemur>`_

LICENSE

@@ -1,4 +1,3 @@
-
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/

MANIFEST.in

@@ -0,0 +1,4 @@
+include setup.py version.py package.json bower.json gulpfile.js README.rst MANIFEST.in LICENSE AUTHORS
+recursive-include lemur/plugins/lemur_email/templates *
+recursive-include lemur/static *
+global-exclude *~

Makefile

@@ -1,14 +1,38 @@
 NPM_ROOT = ./node_modules
 STATIC_DIR = src/lemur/static/app
 
+USER := $(shell whoami)
+
 develop: update-submodules setup-git
 	@echo "--> Installing dependencies"
+ifeq ($(USER), root)
+	@echo "WARNING: It looks like you are installing Lemur as root. This is not generally advised."
+	npm install --unsafe-perm
+else
 	npm install
+endif
 	pip install "setuptools>=0.9.8"
 	# order matters here, base package must install first
 	pip install -e .
 	pip install "file://`pwd`#egg=lemur[dev]"
 	pip install "file://`pwd`#egg=lemur[tests]"
+	node_modules/.bin/gulp build
+	node_modules/.bin/gulp package --urlContextPath=$(urlContextPath)
+	@echo ""
+
+release:
+	@echo "--> Installing dependencies"
+ifeq ($(USER), root)
+	@echo "WARNING: It looks like you are installing Lemur as root. This is not generally advised."
+	npm install --unsafe-perm
+else
+	npm install
+endif
+	pip install "setuptools>=0.9.8"
+	# order matters here, base package must install first
+	pip install -e .
+	node_modules/.bin/gulp build
+	node_modules/.bin/gulp package --urlContextPath=$(urlContextPath)
 	@echo ""
 
 dev-docs:
@@ -39,7 +63,7 @@ test: develop lint test-python
 
 testloop: develop
 	pip install pytest-xdist
-	py.test tests -f
+	coverage run --source lemur -m py.test
 
 test-cli:
 	@echo "--> Testing CLI"
@@ -58,7 +82,7 @@ test-js:
 
 test-python:
 	@echo "--> Running Python tests"
-	py.test lemur/tests || exit 1
+	coverage run --source lemur -m py.test
 	@echo ""
 
 lint: lint-python lint-js
@@ -80,4 +104,4 @@ coverage: develop
 publish:
 	python setup.py sdist bdist_wheel upload
 
-.PHONY: develop dev-postgres dev-docs setup-git build clean update-submodules test testloop test-cli test-js test-python lint lint-python lint-js coverage publish
+.PHONY: develop dev-postgres dev-docs setup-git build clean update-submodules test testloop test-cli test-js test-python lint lint-python lint-js coverage publish release

OSSMETADATA

@@ -0,0 +1 @@
+osslifecycle=active

README.rst

@@ -5,26 +5,27 @@ Lemur
    :alt: Join the chat at https://gitter.im/Netflix/lemur
    :target: https://gitter.im/Netflix/lemur?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge
 
-.. image:: https://img.shields.io/pypi/v/lemur.svg
-    :target: https://pypi.python.org/pypi/lemur/
-    :alt: Latest Version
-
 .. image:: https://readthedocs.org/projects/lemur/badge/?version=latest
     :target: https://lemur.readthedocs.org
     :alt: Latest Docs
 
-.. image:: https://magnum.travis-ci.com/Netflix/lemur.svg?branch=master
-      :target: https://magnum.travis-ci.com/Netflix/lemur
+.. image:: https://img.shields.io/badge/NetflixOSS-active-brightgreen.svg
+
+.. image:: https://travis-ci.org/Netflix/lemur.svg
+    :target: https://travis-ci.org/Netflix/lemur
 
 
-Lemur manages SSL certificate creation. It provides a central portal for developers to issuer their own SSL certificates with 'sane' defaults.
+Lemur manages TLS certificate creation. While not able to issue certificates itself, Lemur acts as a broker between CAs
+and environments providing a central portal for developers to issue TLS certificates with 'sane' defaults.
+
+It works on CPython 3.5. We deploy on Ubuntu and develop on OS X.
 
-It works on CPython 2.7, 3.3, 3.4  It is known
-to work on Ubuntu Linux and OS X.
 
 Project resources
 =================
 
+- `Lemur Blog Post <http://techblog.netflix.com/2015/09/introducing-lemur.html>`_
 - `Documentation <http://lemur.readthedocs.org/>`_
 - `Source code <https://github.com/netflix/lemur>`_
 - `Issue tracker <https://github.com/netflix/lemur/issues>`_
+- `Docker <https://github.com/Netflix/lemur-docker>`_

bower.json

@@ -6,38 +6,45 @@
   },
   "private": true,
   "dependencies": {
-    "angular": "1.3",
-    "json3": "~3.3",
-    "es5-shim": "~4.0",
-    "jquery": "~2.1",
-    "angular-resource": "1.2.15",
-    "angular-cookies": "1.2.15",
-    "angular-sanitize": "1.2.15",
-    "angular-route": "1.2.15",
-    "angular-strap": "~2.0.2",
-    "restangular": "~1.4.0",
-    "ng-table": "~0.5.4",
-    "ngAnimate": "*",
-    "moment": "~2.6.0",
-    "angular-animate": "~1.4.0",
-    "angular-loading-bar": "~0.6.0",
-    "fontawesome": "~4.2.0",
+    "jquery": "~2.2.0",
     "angular-wizard": "~0.4.0",
-    "bootswatch": "3.3.1+2",
-    "angular-spinkit": "~0.3.3",
-    "angular-bootstrap": "~0.12.0",
+    "angular": "1.4.9",
+    "json3": "~3.3",
+    "es5-shim": "~4.5.0",
+    "bootstrap": "~3.3.6",
+    "angular-bootstrap": "~1.1.1",
+    "angular-animate": "~1.4.9",
+    "restangular": "~1.5.1",
+    "ng-table": "~0.8.3",
+    "moment": "~2.11.1",
+    "angular-loading-bar": "~0.8.0",
+    "angular-moment": "~0.10.3",
+    "moment-range": "~2.1.0",
+    "angular-clipboard": "~1.3.0",
+    "angularjs-toaster": "~1.0.0",
+    "angular-chart.js": "~0.8.8",
+    "ngletteravatar": "~4.0.0",
+    "bootswatch": "~3.3.6",
+    "fontawesome": "~4.5.0",
+    "satellizer": "~0.13.4",
+    "angular-ui-router": "~0.2.15",
+    "font-awesome": "~4.5.0",
+    "lodash": "~4.0.1",
+    "underscore": "~1.8.3",
+    "angular-smart-table": "~2.1.6",
+    "angular-strap": ">= 2.2.2",
+    "angular-underscore": "^0.5.0",
+    "angular-translate": "^2.9.0",
     "angular-ui-switch": "~0.1.0",
-    "angular-chart.js": "~0.7.1",
-    "satellizer": "~0.9.4",
-    "angularjs-toaster": "~0.4.14"
-  },
-  "devDependencies": {
-    "angular-mocks": "~1.3",
-    "angular-scenario": "~1.3"
+    "angular-sanitize": "~1.5.0",
+    "angular-file-saver": "~1.0.1",
+    "angular-ui-select": "~0.17.1",
+    "d3": "^3.5.17"
   },
   "resolutions": {
-    "bootstrap": "~3.3.1",
-    "angular": "1.3"
+    "moment": ">=2.8.0 <2.11.0",
+    "lodash": ">=1.3.0 <2.5.0",
+    "angular": "1.4.9"
   },
   "ignore": [
     "**/.*",

docs/administration.rst

@@ -0,0 +1,1027 @@
+Configuration
+=============
+
+.. warning::
+    There are many secrets that Lemur uses that must be protected. All of these options are set via the Lemur configuration
+    file. It is highly advised that you do not store your secrets in this file! Lemur provides functions
+    that allow you to encrypt files at rest and decrypt them when it's time for deployment. See :ref:`Credential Management <CredentialManagement>`
+    for more information.
+
+Basic Configuration
+-------------------
+
+.. data:: LOG_LEVEL
+    :noindex:
+
+    ::
+
+        LOG_LEVEL = "DEBUG"
+
+.. data:: LOG_FILE
+    :noindex:
+
+    ::
+
+        LOG_FILE = "/logs/lemur/lemur-test.log"
+
+.. data:: debug
+    :noindex:
+
+    Sets the flask debug flag to true (if supported by the webserver)
+
+    ::
+
+        debug = False
+
+    .. warning::
+        This should never be used in a production environment as it exposes Lemur to
+        remote code execution through the debug console.
+
+
+.. data:: CORS
+    :noindex:
+
+    Allows for cross domain requests, this is most commonly used for development but could
+    be use in production if you decided to host the webUI on a different domain than the server.
+
+    Use this cautiously, if you're not sure. Set it to `False`
+
+    ::
+
+        CORS = False
+
+
+.. data:: SQLALCHEMY_DATABASE_URI
+    :noindex:
+
+        If you have ever used sqlalchemy before this is the standard connection string used. Lemur uses a postgres database and the connection string would look something like:
+
+    ::
+
+        SQLALCHEMY_DATABASE_URI = 'postgresql://<user>:<password>@<hostname>:5432/lemur'
+
+
+.. data:: LEMUR_ALLOW_WEEKEND_EXPIRATION
+    :noindex:
+
+        Specifies whether to allow certificates created by Lemur to expire on weekends. Default is True.
+
+.. data:: LEMUR_RESTRICTED_DOMAINS
+    :noindex:
+
+        This allows the administrator to mark a subset of domains or domains matching a particular regex as
+        *restricted*. This means that only an administrator is allows to issue the domains in question.
+
+.. data:: LEMUR_TOKEN_SECRET
+    :noindex:
+
+        The TOKEN_SECRET is the secret used to create JWT tokens that are given out to users. This should be securely generated and kept private.
+
+    ::
+
+        LEMUR_TOKEN_SECRET = 'supersecret'
+
+    An example of how you might generate a random string:
+
+        >>> import random
+        >>> secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(6))
+        >>> secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(6))
+        >>> secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(6))
+        >>> secret_key = secret_key + ''.join(random.choice(string.digits) for x in range(6))
+
+
+.. data:: LEMUR_ENCRYPTION_KEYS
+    :noindex:
+
+        The LEMUR_ENCRYPTION_KEYS is used to encrypt data at rest within Lemur's database. Without a key Lemur will refuse
+        to start. Multiple keys can be provided to facilitate key rotation. The first key in the list is used for
+        encryption and all keys are tried for decryption until one works. Each key must be 32 URL safe base-64 encoded bytes.
+
+        Running lemur create_config will securely generate a key for your configuration file.
+        If you would like to generate your own, we recommend the following method:
+
+            >>> import os
+            >>> import base64
+            >>> base64.urlsafe_b64encode(os.urandom(32))
+
+    ::
+
+        LEMUR_ENCRYPTION_KEYS = ['1YeftooSbxCiX2zo8m1lXtpvQjy27smZcUUaGmffhMY=', 'LAfQt6yrkLqOK5lwpvQcT4jf2zdeTQJV1uYeh9coT5s=']
+
+
+Certificate Default Options
+---------------------------
+
+Lemur allows you to fine tune your certificates to your organization. The following defaults are presented in the UI
+and are used when Lemur creates the CSR for your certificates.
+
+
+.. data:: LEMUR_DEFAULT_COUNTRY
+    :noindex:
+
+    ::
+
+        LEMUR_DEFAULT_COUNTRY = "US"
+
+
+.. data:: LEMUR_DEFAULT_STATE
+    :noindex:
+
+    ::
+
+        LEMUR_DEFAULT_STATE = "California"
+
+
+.. data:: LEMUR_DEFAULT_LOCATION
+    :noindex:
+
+    ::
+
+        LEMUR_DEFAULT_LOCATION = "Los Gatos"
+
+
+.. data:: LEMUR_DEFAULT_ORGANIZATION
+    :noindex:
+
+    ::
+
+        LEMUR_DEFAULT_ORGANIZATION = "Netflix"
+
+
+.. data:: LEMUR_DEFAULT_ORGANIZATIONAL_UNIT
+    :noindex:
+
+    ::
+
+        LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "Operations"
+
+
+.. data:: LEMUR_DEFAULT_ISSUER_PLUGIN
+    :noindex:
+
+    ::
+
+        LEMUR_DEFAULT_ISSUER_PLUGIN = "verisign-issuer"
+
+
+.. data:: LEMUR_DEFAULT_AUTHORITY
+    :noindex:
+
+    ::
+
+        LEMUR_DEFAULT_AUTHORITY = "verisign"
+
+
+Notification Options
+--------------------
+
+Lemur currently has very basic support for notifications. Currently only expiration notifications are supported. Actual notification
+is handled by the notification plugins that you have configured. Lemur ships with the 'Email' notification that allows expiration emails
+to be sent to subscribers.
+
+Templates for expiration emails are located under `lemur/plugins/lemur_email/templates` and can be modified for your needs.
+Notifications are sent to the certificate creator, owner and security team as specified by the `LEMUR_SECURITY_TEAM_EMAIL` configuration parameter.
+
+Certificates marked as inactive will **not** be notified of upcoming expiration. This enables a user to essentially
+silence the expiration. If a certificate is active and is expiring the above will be notified according to the `LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS` or
+30, 15, 2 days before expiration if no intervals are set.
+
+Lemur supports sending certification expiration notifications through SES and SMTP.
+
+
+.. data:: LEMUR_EMAIL_SENDER
+    :noindex:
+
+    Specifies which service will be delivering notification emails. Valid values are `SMTP` or `SES`
+
+    .. note::
+        If using SMTP as your provider you will need to define additional configuration options as specified by Flask-Mail.
+        See: `Flask-Mail <https://pythonhosted.org/Flask-Mail>`_
+
+        If you are using SES the email specified by the `LEMUR_MAIL` configuration will need to be verified by AWS before
+        you can send any mail. See: `Verifying Email Address in Amazon SES <http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html>`_
+
+
+.. data:: LEMUR_MAIL
+    :noindex:
+
+        Lemur sender's email
+
+        ::
+
+            LEMUR_MAIL = 'lemur.example.com'
+
+
+.. data:: LEMUR_SECURITY_TEAM_EMAIL
+    :noindex:
+
+        This is an email or list of emails that should be notified when a certificate is expiring. It is also the contact email address for any discovered certificate.
+
+        ::
+
+            LEMUR_SECURITY_TEAM_EMAIL = ['security@example.com']
+
+
+.. data:: LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS
+    :noindex:
+
+        Lemur notification intervals
+
+        ::
+
+            LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS = [30, 15, 2]
+
+
+Authentication Options
+----------------------
+Lemur currently supports Basic Authentication, Ping OAuth2, and Google out of the box. Additional flows can be added relatively easily.
+If you are not using an authentication provider you do not need to configure any of these options.
+
+For more information about how to use social logins, see: `Satellizer <https://github.com/sahat/satellizer>`_
+
+.. data:: ACTIVE_PROVIDERS
+    :noindex:
+
+        ::
+
+            ACTIVE_PROVIDERS = ["ping", "google", "oauth2"]
+
+.. data:: PING_SECRET
+    :noindex:
+
+        ::
+
+            PING_SECRET = 'somethingsecret'
+
+.. data:: PING_ACCESS_TOKEN_URL
+    :noindex:
+
+        ::
+
+            PING_ACCESS_TOKEN_URL = "https://<yourpingserver>/as/token.oauth2"
+
+
+.. data:: PING_USER_API_URL
+    :noindex:
+
+        ::
+
+            PING_USER_API_URL = "https://<yourpingserver>/idp/userinfo.openid"
+
+.. data:: PING_JWKS_URL
+    :noindex:
+
+        ::
+
+            PING_JWKS_URL = "https://<yourpingserver>/pf/JWKS"
+
+.. data:: PING_NAME
+    :noindex:
+
+        ::
+
+            PING_NAME = "Example Oauth2 Provider"
+
+.. data:: PING_CLIENT_ID
+    :noindex:
+
+        ::
+
+            PING_CLIENT_ID = "client-id"
+
+.. data:: PING_REDIRECT_URI
+    :noindex:
+
+        ::
+
+            PING_REDIRECT_URI = "https://<yourlemurserver>/api/1/auth/ping"
+
+.. data:: PING_AUTH_ENDPOINT
+    :noindex:
+
+        ::
+
+            PING_AUTH_ENDPOINT = "https://<yourpingserver>/oauth2/authorize"
+
+.. data:: OAUTH2_SECRET
+    :noindex:
+
+        ::
+
+            OAUTH2_SECRET = 'somethingsecret'
+
+.. data:: OAUTH2_ACCESS_TOKEN_URL
+    :noindex:
+
+        ::
+
+            OAUTH2_ACCESS_TOKEN_URL = "https://<youroauthserver> /oauth2/v1/authorize"
+
+
+.. data:: OAUTH2_USER_API_URL
+    :noindex:
+
+        ::
+
+            OAUTH2_USER_API_URL = "https://<youroauthserver>/oauth2/v1/userinfo"
+
+.. data:: OAUTH2_JWKS_URL
+    :noindex:
+
+        ::
+
+            OAUTH2_JWKS_URL = "https://<youroauthserver>/oauth2/v1/keys"
+
+.. data:: OAUTH2_NAME
+    :noindex:
+
+        ::
+
+            OAUTH2_NAME = "Example Oauth2 Provider"
+
+.. data:: OAUTH2_CLIENT_ID
+    :noindex:
+
+        ::
+
+            OAUTH2_CLIENT_ID = "client-id"
+
+.. data:: OAUTH2_REDIRECT_URI
+    :noindex:
+
+        ::
+
+            OAUTH2_REDIRECT_URI = "https://<yourlemurserver>/api/1/auth/oauth2"
+
+.. data:: OAUTH2_AUTH_ENDPOINT
+    :noindex:
+
+        ::
+
+            OAUTH2_AUTH_ENDPOINT = "https://<youroauthserver>/oauth2/v1/authorize"
+
+.. data:: GOOGLE_CLIENT_ID
+    :noindex:
+
+        ::
+
+            GOOGLE_CLIENT_ID = "client-id"
+
+.. data:: GOOGLE_SECRET
+    :noindex:
+
+        ::
+
+            GOOGLE_SECRET = "somethingsecret"
+
+
+Plugin Specific Options
+-----------------------
+
+Verisign Issuer Plugin
+^^^^^^^^^^^^^^^^^^^^^^
+
+Authorities will each have their own configuration options. There is currently just one plugin bundled with Lemur,
+Verisign/Symantec. Additional plugins may define additional options. Refer to the plugin's own documentation
+for those plugins.
+
+.. data:: VERISIGN_URL
+    :noindex:
+
+        This is the url for the Verisign API
+
+
+.. data:: VERISIGN_PEM_PATH
+    :noindex:
+
+        This is the path to the mutual TLS certificate used for communicating with Verisign
+
+
+.. data:: VERISIGN_FIRST_NAME
+    :noindex:
+
+        This is the first name to be used when requesting the certificate
+
+
+.. data:: VERISIGN_LAST_NAME
+    :noindex:
+
+        This is the last name to be used when requesting the certificate
+
+.. data:: VERISIGN_EMAIL
+    :noindex:
+
+        This is the email to be used when requesting the certificate
+
+
+.. data:: VERISIGN_INTERMEDIATE
+    :noindex:
+
+        This is the intermediate to be used for your CA chain
+
+
+.. data:: VERISIGN_ROOT
+    :noindex:
+
+        This is the root to be used for your CA chain
+
+
+Digicert Issuer Plugin
+~~~~~~~~~~~~~~~~~~~~~~
+
+The following configuration properties are required to use the Digicert issuer plugin.
+
+
+.. data:: DIGICERT_URL
+    :noindex:
+
+            This is the url for the Digicert API
+
+
+.. data:: DIGICERT_API_KEY
+    :noindex:
+
+            This is the Digicert API key
+
+
+.. data:: DIGICERT_ORG_ID
+    :noindex:
+
+            This is the Digicert organization ID tied to your API key
+
+
+.. data:: DIGICERT_INTERMEDIATE
+    :noindex:
+
+            This is the intermediate to be used for your CA chain
+
+
+.. data:: DIGICERT_ROOT
+    :noindex:
+
+            This is the root to be used for your CA chain
+
+
+.. data:: DIGICERT_DEFAULT_VALIDITY
+    :noindex:
+
+            This is the default validity (in years), if no end date is specified. (Default: 1)
+
+
+
+CFSSL Issuer Plugin
+^^^^^^^^^^^^^^^^^^^
+
+The following configuration properties are required to use the CFSSL issuer plugin.
+
+.. data:: CFSSL_URL
+    :noindex:
+
+        This is the URL for the CFSSL API
+
+.. data:: CFSSL_ROOT
+    :noindex:
+
+        This is the root to be used for your CA chain
+
+.. data:: CFSSL_INTERMEDIATE
+    :noindex:
+
+        This is the intermediate to be used for your CA chain
+
+
+AWS Source/Destination Plugin
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In order for Lemur to manage its own account and other accounts we must ensure it has the correct AWS permissions.
+
+.. note:: AWS usage is completely optional. Lemur can upload, find and manage TLS certificates in AWS. But is not required to do so.
+
+Setting up IAM roles
+""""""""""""""""""""
+
+Lemur's AWS plugin uses boto heavily to talk to all the AWS resources it manages. By default it uses the on-instance credentials to make the necessary calls.
+
+In order to limit the permissions, we will create two new IAM roles for Lemur. You can name them whatever you would like but for example sake we will be calling them LemurInstanceProfile and Lemur.
+
+Lemur uses to STS to talk to different accounts. For managing one account this isn't necessary but we will still use it so that we can easily add new accounts.
+
+LemurInstanceProfile is the IAM role you will launch your instance with. It actually has almost no rights. In fact it should really only be able to use STS to assume role to the Lemur role.
+
+Here are example policies for the LemurInstanceProfile:
+
+SES-SendEmail
+
+.. code-block:: python
+
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "ses:SendEmail"
+          ],
+          "Resource": "*"
+        }
+      ]
+    }
+
+
+STS-AssumeRole
+
+.. code-block:: python
+
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action":
+            "sts:AssumeRole",
+          "Resource": "*"
+        }
+      ]
+    }
+
+
+
+Next we will create the Lemur IAM role.
+
+.. note::
+
+    The default IAM role that Lemur assumes into is called `Lemur`, if you need to change this ensure you set `LEMUR_INSTANCE_PROFILE` to your role name in the configuration.
+
+
+Here is an example policy for Lemur:
+
+IAM-ServerCertificate
+
+.. code-block:: python
+
+    {
+        "Statement": [
+                    {
+                         "Action": [
+                              "iam:ListServerCertificates",
+                              "iam:UpdateServerCertificate",
+                              "iam:GetServerCertificate",
+                              "iam:UploadServerCertificate"
+                         ],
+                         "Resource": [
+                              "*"
+                         ],
+                         "Effect": "Allow",
+                         "Sid": "Stmt1404836868000"
+                    }
+               ]
+    }
+
+
+.. code-block:: python
+
+    {
+        "Statement": [
+                    {
+                         "Action": [
+                              "elasticloadbalancing:DescribeInstanceHealth",
+                              "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                              "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                              "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                              "elasticloadbalancing:DescribeLoadBalancers",
+                              "elasticloadbalancing:DeleteLoadBalancerListeners",
+                              "elasticloadbalancing:CreateLoadBalancerListeners"
+                         ],
+                         "Resource": [
+                              "*"
+                         ],
+                         "Effect": "Allow",
+                         "Sid": "Stmt1404841912000"
+                    }
+               ]
+    }
+
+
+Setting up STS access
+"""""""""""""""""""""
+
+Once we have setup our accounts we need to ensure that we create a trust relationship so that LemurInstanceProfile can assume the Lemur role.
+
+In the AWS console select the Lemur IAM role and select the Trust Relationships tab and click Edit Trust Relationship
+
+Below is an example policy:
+
+.. code-block:: python
+
+    {
+      "Version": "2008-10-17",
+      "Statement": [
+        {
+          "Sid": "",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": [
+              "arn:aws:iam::<awsaccountnumber>:role/LemurInstanceProfile",
+            ]
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+
+
+Adding N+1 accounts
+"""""""""""""""""""
+
+To add another account we go to the new account and create a new Lemur IAM role with the same policy as above.
+
+Then we would go to the account that Lemur is running is and edit the trust relationship policy.
+
+An example policy:
+
+.. code-block:: python
+
+    {
+      "Version": "2008-10-17",
+      "Statement": [
+        {
+          "Sid": "",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": [
+              "arn:aws:iam::<awsaccountnumber>:role/LemurInstanceProfile",
+              "arn:aws:iam::<awsaccountnumber1>:role/LemurInstanceProfile",
+            ]
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+
+Setting up SES
+""""""""""""""
+
+Lemur has built in support for sending it's certificate notifications via Amazon's simple email service (SES). To force
+Lemur to use SES ensure you are the running as the IAM role defined above and that you have followed the steps outlined
+in Amazon's documentation `Setting up Amazon SES <http://docs.aws.amazon.com/ses/latest/DeveloperGuide/setting-up-ses.html>`_
+
+The configuration::
+
+    LEMUR_MAIL = 'lemur.example.com'
+
+Will be the sender of all notifications, so ensure that it is verified with AWS.
+
+SES if the default notification gateway and will be used unless SMTP settings are configured in the application configuration
+settings.
+
+.. _CommandLineInterface:
+
+Command Line Interface
+======================
+
+Lemur installs a command line script under the name ``lemur``. This will allow you to
+perform most required operations that are unachievable within the web UI.
+
+If you're using a non-standard configuration location, you'll need to prefix every command with
+--config (excluding create_config, which is a special case). For example::
+
+    lemur --config=/etc/lemur.conf.py help
+
+For a list of commands, you can also use ``lemur help``, or ``lemur [command] --help``
+for help on a specific command.
+
+.. note:: The script is powered by a library called `Flask-Script <https://github.com/smurfix/flask-script>`_
+
+Builtin Commands
+----------------
+
+All commands default to `~/.lemur/lemur.conf.py` if a configuration is not specified.
+
+.. data:: create_config
+
+    Creates a default configuration file for Lemur.
+
+    Path defaults to ``~/.lemur/lemur.config.py``
+
+    ::
+
+        lemur create_config .
+
+    .. note::
+        This command is a special case and does not depend on the configuration file
+        being set.
+
+
+.. data:: init
+
+    Initializes the configuration file for Lemur.
+
+    ::
+
+        lemur -c /etc/lemur.conf.py init
+
+
+.. data:: start
+
+    Starts a Lemur service. You can also pass any flag that Gunicorn uses to specify the webserver configuration.
+
+    ::
+
+        lemur start -w 6 -b 127.0.0.1:8080
+
+
+.. data:: db upgrade
+
+    Performs any needed database migrations.
+
+    ::
+
+        lemur db upgrade
+
+
+.. data:: check_revoked
+
+    Traverses every certificate that Lemur is aware of and attempts to understand its validity.
+    It utilizes both OCSP and CRL. If Lemur is unable to come to a conclusion about a certificates
+    validity its status is marked 'unknown'.
+
+
+.. data:: sync
+
+    Sync attempts to discover certificates in the environment that were not created by Lemur. If you wish to only sync
+    a few sources you can pass a comma delimited list of sources to sync.
+
+    ::
+
+        lemur sync -s source1,source2
+
+
+    Additionally you can also list the available sources that Lemur can sync.
+
+    ::
+
+        lemur sync
+
+
+.. data:: notify
+
+    Will traverse all current notifications and see if any of them need to be triggered.
+
+    ::
+
+        lemur notify
+
+
+Sub-commands
+------------
+
+Lemur includes several sub-commands for interacting with Lemur such as creating new users, creating new roles and even
+issuing certificates.
+
+The best way to discover these commands is by using the built in help pages
+
+    ::
+
+        lemur --help
+
+
+and to get help on sub-commands
+
+    ::
+
+        lemur certificates --help
+
+
+
+Upgrading Lemur
+===============
+
+To upgrade Lemur to the newest release you will need to ensure you have the latest code and have run any needed
+database migrations.
+
+To get the latest code from github run
+
+    ::
+
+        cd <lemur-source-directory>
+        git pull -t <version>
+        python setup.py develop
+
+
+.. note::
+    It's important to grab the latest release by specifying the release tag. This tags denote stable versions of Lemur.
+    If you want to try the bleeding edge version of Lemur you can by using the master branch.
+
+
+After you have the latest version of the Lemur code base you must run any needed database migrations. To run migrations
+
+    ::
+
+        cd <lemur-source-directory>/lemur
+        lemur db upgrade
+
+
+This will ensure that any needed tables or columns are created or destroyed.
+
+.. note::
+    Internally, this uses `Alembic <https://alembic.readthedocs.org/en/latest/>`_ to manage database migrations.
+
+.. note::
+    By default Alembic looks for the `migrations` folder in the current working directory.The migrations folder is
+    located under `<LEMUR_HOME>/lemur/migrations` if you are running the lemur command from any location besides
+    `<LEMUR_HOME>/lemur` you will need to pass the `-d` flag to specify the absolute file path to the `migrations` folder.
+
+Plugins
+=======
+
+There are several interfaces currently available to extend Lemur. These are a work in
+progress and the API is not frozen.
+
+Lemur includes several plugins by default. Including extensive support for AWS, VeriSign/Symantec.
+
+Verisign/Symantec
+-----------------
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>
+:Type:
+    Issuer
+:Description:
+    Basic support for the VICE 2.0 API
+
+
+Cryptography
+------------
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>,
+    Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>
+:Type:
+    Issuer
+:Description:
+    Toy certificate authority that creates self-signed certificate authorities.
+    Allows for the creation of arbitrary authorities and end-entity certificates.
+    This is *not* recommended for production use.
+
+
+Acme
+----
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>,
+    Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>
+:Type:
+    Issuer
+:Description:
+    Adds support for the ACME protocol (including LetsEncrypt) with domain validation being handled Route53.
+
+
+Atlas
+-----
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>
+:Type:
+    Metric
+:Description:
+    Adds basic support for the `Atlas <https://github.com/Netflix/atlas/wiki>`_ telemetry system.
+
+
+Email
+-----
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>
+:Type:
+    Notification
+:Description:
+    Adds support for basic email notifications via SES.
+
+
+Slack
+-----
+
+:Authors:
+    Harm Weites <harm@weites.com>
+:Type:
+    Notification
+:Description:
+    Adds support for slack notifications.
+
+
+AWS
+----
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>
+:Type:
+    Source
+:Description:
+    Uses AWS IAM as a source of certificates to manage. Supports a multi-account deployment.
+
+
+AWS
+----
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>
+:Type:
+    Destination
+:Description:
+    Uses AWS IAM as a destination for Lemur generated certificates. Support a multi-account deployment.
+
+
+Kubernetes
+----------
+
+:Authors:
+    Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>
+:Type:
+    Destination
+:Description:
+    Allows Lemur to upload generated certificates to the Kubernetes certificate store.
+
+
+Java
+----
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>
+:Type:
+    Export
+:Description:
+    Generates java compatible .jks keystores and truststores from Lemur managed certificates.
+
+
+Openssl
+-------
+
+:Authors:
+    Kevin Glisson <kglisson@netflix.com>
+:Type:
+    Export
+:Description:
+    Leverages Openssl to support additional export formats (pkcs12)
+
+
+CFSSL
+-----
+
+:Authors:
+    Charles Hendrie <chad.hendrie@thomsonreuters.com>
+:Type:
+    Issuer
+:Description:
+    Basic support for generating certificates from the private certificate authority CFSSL
+
+
+3rd Party Plugins
+=================
+
+The following plugins are available and maintained by members of the Lemur community:
+
+Digicert
+--------
+
+:Authors:
+    Chris Dorros
+:Type:
+    Issuer
+:Description:
+    Adds support for basic Digicert
+:Links:
+    https://github.com/opendns/lemur-digicert
+
+
+Have an extension that should be listed here? Submit a `pull request <https://github.com/netflix/lemur>`_ and we'll
+get it added.
+
+Want to create your own extension? See :doc:`../developer/plugins/index` to get started.
+
+
+Identity and Access Management
+==============================
+
+Lemur uses a Role Based Access Control (RBAC) mechanism to control which users have access to which resources. When a
+user is first created in Lemur they can be assigned one or more roles. These roles are typically dynamically created
+depending on an external identity provider (Google, LDAP, etc.), or are hardcoded within Lemur and associated with special
+meaning.
+
+Within Lemur there are three main permissions: AdminPermission, CreatorPermission, OwnerPermission. Sub-permissions such
+as ViewPrivateKeyPermission are compositions of these three main Permissions.
+
+Lets take a look at how these permissions are used:
+
+Each `Authority` has a set of roles associated with it. If a user is also associated with the same roles
+that the `Authority` is associated with, Lemur allows that user to user/view/update that `Authority`.
+
+This RBAC is also used when determining which users can access which certificate private key. Lemur's current permission
+structure is setup such that if the user is a `Creator` or `Owner` of a given certificate they are allow to view that
+private key. Owners can also be a role name, such that any user with the same role as owner will be allowed to view the
+private key information.
+
+These permissions are applied to the user upon login and refreshed on every request.
+
+.. seealso::
+
+    `Flask-Principal <https://pythonhosted.org/Flask-Principal>`_

docs/administration/index.rst

@@ -1,592 +0,0 @@
-Configuration
-=============
-
-.. warning::
-    There are many secrets that Lemur uses that must be protected. All of these options are set via the Lemur configruation
-    file. It is highly advised that you do not store your secrets in this file! Lemur provides functions
-    that allow you to encrypt files at rest and decrypt them when it's time for deployment. See :ref:`Credential Management <CredentialManagement>`
-    for more information.
-
-Basic Configuration
--------------------
-
-.. data:: LOG_LEVEL
-    :noindex:
-
-    ::
-
-        LOG_LEVEL = "DEBUG"
-
-.. data:: LOG_FILE
-    :noindex:
-
-    ::
-
-        LOG_FILE = "/logs/lemur/lemur-test.log"
-
-
-.. data:: debug
-    :noindex:
-
-    Sets the flask debug flag to true (if supported by the webserver)
-
-    ::
-
-        debug = False
-
-
-    .. warning::
-        This should never be used in a production environment as it exposes Lemur to
-        remote code execution through the debug console.
-
-
-.. data:: CORS
-    :noindex:
-
-    Allows for cross domain requests, this is most commonly used for development but could
-    be use in production if you decided to host the webUI on a different domain than the server.
-
-    Use this cautiously, if you're not sure. Set it to `False`
-
-    ::
-
-        CORS = False
-
-
-.. data:: SQLACHEMY_DATABASE_URI
-    :noindex:
-
-        If you have ever used sqlalchemy before this is the standard connection string used. Lemur uses a postgres database and the connection string would look something like:
-
-    ::
-
-        SQLALCHEMY_DATABASE_URI = 'postgresql://<user>:<password>@<hostname>:5432/lemur'
-
-
-.. data:: LEMUR_RESTRICTED_DOMAINS
-    :noindex:
-
-        This allows the administrator to mark a subset of domains or domains matching a particular regex as
-        *restricted*. This means that only an administrator is allows to issue the domains in question.
-
-.. data:: LEMUR_TOKEN_SECRET
-    :noindex:
-
-        The TOKEN_SECRET is the secret used to create JWT tokens that are given out to users. This should be securely generated and be kept private.
-
-        See `SECRET_KEY` for methods on secure secret generation.
-
-    ::
-
-        LEMUR_TOKEN_SECRET = 'supersecret'
-
-    An example of how you might generate a random string:
-
-        >>> import random
-        >>> secret_key = ''.join(random.choice(string.ascii_uppercase) for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice("~!@#$%^&*()_+") for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice(string.ascii_lowercase) for x in range(6))
-        >>> secret_key = secret_key + ''.join(random.choice(string.digits) for x in range(6))
-
-
-.. data:: LEMUR_ENCRYPTION_KEY
-    :noindex:
-
-        The LEMUR_ENCRYPTION_KEY is used to encrypt data at rest within Lemur's database. Without this key Lemur will refuse
-        to start.
-
-        See `LEMUR_TOKEN_SECRET` for methods of secure secret generation.
-
-    ::
-
-        LEMUR_ENCRYPTION_KEY = 'supersupersecret'
-
-
-Certificate Default Options
----------------------------
-
-Lemur allows you to find tune your certificates to your organization. The following defaults are presented in the UI
-and are used when Lemur creates the CSR for your certificates.
-
-
-.. data:: LEMUR_DEFAULT_COUNTRY
-    :noindex:
-
-    ::
-
-        LEMUR_DEFAULT_COUNTRY = "US"
-
-
-.. data:: LEMUR_DEFAULT_STATE
-    :noindex:
-
-    ::
-
-        LEMUR_DEFAULT_STATE = "CA"
-
-
-.. data:: LEMUR_DEFAULT_LOCATION
-    :noindex:
-
-    ::
-
-        LEMUR_DEFAULT_LOCATION = "Los Gatos"
-
-
-.. data:: LEMUR_DEFAULT_ORGANIZATION
-    :noindex:
-
-    ::
-
-        LEMUR_DEFAULT_ORGANIZATION = "Netflix"
-
-
-.. data:: LEMUR_DEFAULT_ORGANIZATION_UNIT
-    :noindex:
-
-    ::
-
-        LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = "Operations"
-
-
-Notification Options
---------------------
-
-Lemur currently has very basic support for notifications. Notifications are sent to the certificate creator, owner and
-security team as specified by the `SECURITY_TEAM_EMAIL` configuration parameter.
-
-The template for all of these notifications lives under lemur/template/event.html and can be easily modified to fit your
-needs.
-
-Certificates marked as in-active will **not** be notified of upcoming expiration. This enables a user to essentially
-silence the expiration. If a certificate is active and is expiring the above will be notified at 30, 15, 5, 2 days
-respectively.
-
-Lemur supports sending certification expiration notifications through SES and SMTP.
-
-
-.. data:: LEMUR_EMAIL_SENDER
-    :noindex:
-
-            Specifies which service will be delivering notification emails. Valid values are `SMTP` or `SES`
-
-.. note::
-    If using STMP as your provider you will need to define additional configuration options as specified by Flask-Mail.
-    See: `Flask-Mail <https://pythonhosted.org/Flask-Mail>`_
-
-    If you are using SES the email specified by the `LEMUR_MAIL` configuration will need to be verified by AWS before
-    you can send any mail. See: `Verifying Email Address in Amazon SES <http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html>`_
-
-.. data:: LEMUR_MAIL
-    :noindex:
-
-            Lemur sender's email
-
-        ::
-
-        LEMUR_MAIL = 'lemur.example.com'
-
-
-.. data:: LEMUR_SECURITY_TEAM_EMAIL
-    :noindex:
-
-            This is an email or list of emails that should be notified when a certificate is expiring. It is also the contact email address for any discovered certificate.
-
-        ::
-
-        LEMUR_SECURITY_TEAM_EMAIL = ['security@example.com']
-
-
-Authority Options
------------------
-
-Authorities will each have their own configuration options. There are currently two plugins bundled with Lemur,
-Verisign/Symantec and CloudCA
-
-.. data:: VERISIGN_URL
-    :noindex:
-
-        This is the url for the verisign API
-
-
-.. data:: VERISIGN_PEM_PATH
-    :noindex:
-
-        This is the path to the mutual SSL certificate used for communicating with Verisign
-
-
-.. data:: CLOUDCA_URL
-    :noindex:
-
-        This is the URL for CLoudCA API
-
-
-.. data:: CLOUDCA_PEM_PATH
-    :noindex:
-
-        This is the path to the mutual SSL Certificate use for communicating with CLOUDCA
-
-.. data:: CLOUDCA_BUNDLE
-    :noindex:
-
-        This is the path to the CLOUDCA certificate bundle
-
-Authentication
---------------
-Lemur currently supports Basic Authentication and Ping OAuth2 out of the box, additional flows can be added relatively easily
-If you are not using Ping you do not need to configure any of these options.
-
-For more information about how to use social logins, see: `Satellizer <https://github.com/sahat/satellizer>`_
-
-.. data:: PING_SECRET
-    :noindex:
-
-    ::
-
-        PING_SECRET = 'somethingsecret'
-
-.. data:: PING_ACCESS_TOKEN_URL
-    :noindex:
-
-    ::
-
-        PING_ACCESS_TOKEN_URL = "https://<yourpingserver>/as/token.oauth2"
-
-
-.. data:: PING_USER_API_URL
-    :noindex:
-
-    ::
-
-        PING_USER_API_URL = "https://<yourpingserver>/idp/userinfo.openid"
-
-.. data:: PING_JWKS_URL
-    :noindex:
-
-    ::
-
-        PING_JWKS_URL = "https://<yourpingserver>/pf/JWKS"
-
-
-
-AWS Plugin Configuration
-========================
-
-In order for Lemur to manage it's own account and other accounts we must ensure it has the correct AWS permissions.
-
-.. note:: AWS usage is completely optional. Lemur can upload, find and manage SSL certificates in AWS. But is not required to do so.
-
-Setting up IAM roles
---------------------
-
-Lemur's aws plugin uses boto heavily to talk to all the AWS resources it manages. By default it uses the on-instance credentials to make the necessary calls.
-
-In order to limit the permissions we will create a new two IAM roles for Lemur. You can name them whatever you would like but for example sake we will be calling them LemurInstanceProfile and Lemur.
-
-Lemur uses to STS to talk to different accounts. For managing one account this isn't necessary but we will still use it so that we can easily add new accounts.
-
-LemurInstanceProfile is the IAM role you will launch your instance with. It actually has almost no rights. In fact it should really only be able to use STS to assume role to the Lemur role.
-
-Here is are example polices for the LemurInstanceProfile:
-
-SES-SendEmail
-
-.. code-block:: python
-
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action": [
-            "ses:SendEmail"
-          ],
-          "Resource": "*"
-        }
-      ]
-    }
-
-
-STS-AssumeRole
-
-.. code-block:: python
-
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Action":
-            "sts:AssumeRole",
-          "Resource": "*"
-        }
-      ]
-    }
-
-
-
-Next we will create the the Lemur IAM role. Lemur
-
-Here is an example policy for Lemur:
-
-IAM-ServerCertificate
-
-.. code-block:: python
-
-    {
-        "Statement": [
-                    {
-                         "Action": [
-                              "iam:ListServerCertificates",
-                              "iam:UpdateServerCertificate",
-                              "iam:GetServerCertificate",
-                              "iam:UploadServerCertificate"
-                         ],
-                         "Resource": [
-                              "*"
-                         ],
-                         "Effect": "Allow",
-                         "Sid": "Stmt1404836868000"
-                    }
-               ]
-    }
-
-
-.. code-block:: python
-
-    {
-        "Statement": [
-                    {
-                         "Action": [
-                              "elasticloadbalancing:DescribeInstanceHealth",
-                              "elasticloadbalancing:DescribeLoadBalancerAttributes",
-                              "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
-                              "elasticloadbalancing:DescribeLoadBalancerPolicies",
-                              "elasticloadbalancing:DescribeLoadBalancers",
-                              "elasticloadbalancing:DeleteLoadBalancerListeners",
-                              "elasticloadbalancing:CreateLoadBalancerListeners"
-                         ],
-                         "Resource": [
-                              "*"
-                         ],
-                         "Effect": "Allow",
-                         "Sid": "Stmt1404841912000"
-                    }
-               ]
-    }
-
-
-Setting up STS access
----------------------
-Once we have setup our accounts we need to ensure that we create a trust relationship so that LemurInstanceProfile can assume the Lemur role.
-
-In the AWS console select the Lemur IAM role and select the Trust Relationships tab and click Edit Trust Relationship
-
-Below is an example policy:
-
-.. code-block:: python
-
-    {
-      "Version": "2008-10-17",
-      "Statement": [
-        {
-          "Sid": "",
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": [
-              "arn:aws:iam::<awsaccountnumber>:role/LemurInstanceProfile",
-            ]
-          },
-          "Action": "sts:AssumeRole"
-        }
-      ]
-    }
-
-
-Adding N+1 accounts
--------------------
-
-To add another account we go to the new account and create a new Lemur IAM role with the same policy as above.
-
-Then we would go to the account that Lemur is running is and edit the trust relationship policy.
-
-An example policy:
-
-.. code-block:: python
-
-    {
-      "Version": "2008-10-17",
-      "Statement": [
-        {
-          "Sid": "",
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": [
-              "arn:aws:iam::<awsaccountnumber>:role/LemurInstanceProfile",
-              "arn:aws:iam::<awsaccountnumber1>:role/LemurInstanceProfile",
-            ]
-          },
-          "Action": "sts:AssumeRole"
-        }
-      ]
-    }
-
-Setting up SES
---------------
-
-Lemur has built in support for sending it's certificate notifications via Amazon's simple email service (SES). To force
-Lemur to use SES ensure you are the running as the IAM role defined above and that you have followed the steps outlined
-in Amazon's documentation `Setting up Amazon SES <http://docs.aws.amazon.com/ses/latest/DeveloperGuide/setting-up-ses.html>`_
-
-The configuration::
-
-    LEMUR_MAIL = 'lemur.example.com'
-
-Will be sender of all notifications, so ensure that it is verified with AWS.
-
-SES if the default notification gateway and will be used unless SMTP settings are configured in the application configuration
-settings.
-
-Upgrading Lemur
-===============
-
-Lemur provides an easy way to upgrade between versions. Simply download the newest
-version of Lemur from pypi and then apply any schema cahnges with the following command.
-
-.. code-block:: bash
-
-    $ lemur db upgrade
-
-.. note:: Internally, this uses `Alembic <https://alembic.readthedocs.org/en/latest/>`_ to manage database migrations.
-
-.. _CommandLineInterface:
-
-Command Line Interface
-======================
-
-Lemur installs a command line script under the name ``lemur``. This will allow you to
-perform most required operations that are unachievable within the web UI.
-
-If you're using a non-standard configuration location, you'll need to prefix every command with
---config (excluding create_config, which is a special case). For example::
-
-    lemur --config=/etc/lemur.conf.py help
-
-For a list of commands, you can also use ``lemur help``, or ``lemur [command] --help``
-for help on a specific command.
-
-.. note:: The script is powered by a library called `Flask-Script <https://github.com/smurfix/flask-script>`_
-
-Builtin Commands
-----------------
-
-All commands default to `~/.lemur/lemur.conf.py` if a configuration is not specified.
-
-.. data:: create_config
-
-    Creates a default configuration file for Lemur.
-
-    Path defaults to ``~/.lemur/lemur.config.py``
-
-    ::
-
-        lemur create_config .
-
-    .. note::
-        This command is a special case and does not depend on the configuration file
-        being set.
-
-
-.. data:: init
-
-    Initializes the configuration file for Lemur.
-
-    ::
-
-        lemur -c /etc/lemur.conf.py init
-
-
-.. data:: start
-
-    Starts a Lemur service. You can also pass any flag that Gunicorn uses to specify the webserver configuration.
-
-    ::
-
-        lemur start -w 6 -b 127.0.0.1:8080
-
-
-.. data:: db upgrade
-
-    Performs any needed database migrations.
-
-    ::
-
-        lemur db upgrade
-
-
-.. data:: create_user
-
-    Creates new users within Lemur.
-
-    ::
-
-        lemur create_user -u jim -e jim@example.com
-
-
-.. data:: create_role
-
-    Creates new roles within Lemur.
-
-    ::
-
-        lemur create_role -n example -d "a new role"
-
-
-.. data:: check_revoked
-
-    Traverses every certificate that Lemur is aware of and attempts to understand it's validity.
-    It utilizes both OCSP and CRL. If Lemur is unable to come to a conclusion about a certificates
-    validity it's status is marked 'unknown'
-
-
-.. data:: sync
-
-    Sync attempts to discover certificates in the environment that were not created by Lemur. If you wish to only sync
-    a few sources you can pass a comma delimited list of sources to sync
-
-    ::
-
-        lemur sync source1,source2
-
-
-    Additionally you can also list the available sources that Lemur can sync
-
-    ::
-
-        lemur sync -list
-
-
-Identity and Access Management
-==============================
-
-Lemur uses a Role Based Access Control (RBAC) mechanism to control which users have access to which resources. When a
-user is first created in Lemur the can be assigned one or more roles. These roles are typically dynamically created
-depending on a external identity provider (Google, LDAP, etc.,) or are hardcoded within Lemur and associated with special
-meaning.
-
-Within Lemur there are three main permissions: AdminPermission, CreatorPermission, OwnerPermission. Sub-permissions such
-as ViewPrivateKeyPermission are compositions of these three main Permissions.
-
-Lets take a look at how these permissions used:
-
-Each `Authority` has a set of roles associated with it. If a user is also associated with the same roles
-that the `Authority` is associated with it Lemur allows that user to user/view/update that `Authority`.
-
-This RBAC is also used when determining which users can access which certificate private key. Lemur's current permission
-structure is setup such that if the user is a `Creator` or `Owner` of a given certificate they are allow to view that
-private key.
-
-These permissions are applied to the user upon login and refreshed on every request.
-
-.. seealso::
-    `Flask-Principal <https://pythonhosted.org/Flask-Principal>`_

docs/changelog.rst

@@ -1,2 +1 @@
-Change Log
-==========
+.. include:: ../CHANGELOG.rst

docs/conf.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# security_monkey documentation build configuration file, created by
+# lemur documentation build configuration file, created by
 # sphinx-quickstart on Sat Jun  7 18:43:48 2014.
 #
 # This file is execfile()d with the current directory set to its
@@ -11,7 +11,6 @@
 #
 # All configuration values have a default; values that are commented out
 # serve to show the default.
-
 import sys
 import os
 
@@ -54,10 +53,12 @@ copyright = u'2015, Netflix Inc.'
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
-# The short X.Y version.
-version = '0.1'
-# The full version, including alpha/beta/rc tags.
-release = '0.1.1'
+base_dir = os.path.join(os.path.dirname(__file__), os.pardir)
+about = {}
+with open(os.path.join(base_dir, "lemur", "__about__.py")) as f:
+    exec(f.read(), about)
+
+version = release = about["__version__"]
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
@@ -100,9 +101,13 @@ pygments_style = 'sphinx'
 
 # -- Options for HTML output ----------------------------------------------
 
-# The theme to use for HTML and HTML Help pages.  See the documentation for
-# a list of builtin themes.
-html_theme = 'alabaster'
+# on_rtd is whether we are on readthedocs.org, this line of code grabbed from docs.readthedocs.org
+on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
+
+if not on_rtd:  # only import and set the theme if we're building docs locally
+    import sphinx_rtd_theme
+    html_theme = 'sphinx_rtd_theme'
+    html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the

docs/developer/index.rst

@@ -48,7 +48,7 @@ of Lemur. You'll want to make sure you have a few things on your local system fi
 * pip
 * virtualenv (ideally virtualenvwrapper)
 * node.js (for npm and building css/javascript)
-* (Optional) Potgresql
+* (Optional) PostgreSQL
 
 Once you've got all that, the rest is simple:
 
@@ -86,7 +86,7 @@ You'll likely want to make some changes to the default configuration (we recomme
 	lemur upgrade
 
 
-.. note:: The ``upgrade`` shortcut is simply a shorcut to Alembic's upgrade command.
+.. note:: The ``upgrade`` shortcut is simply a shortcut to Alembic's upgrade command.
 
 
 Coding Standards
@@ -113,6 +113,12 @@ HTML:
   2 Spaces
 
 
+Git hooks
+~~~~~~~~~
+
+To help developers maintain the above standards, Lemur includes a configuration file for Yelp's `pre-commit <http://pre-commit.com/>`_. This is an optional dependency and is not required in order to contribute to Lemur.
+
+
 Running the Test Suite
 ----------------------
 
@@ -144,8 +150,19 @@ If you've made changes and need to compile them by hand for any reason, you can
 
 The minified and processed files should be committed alongside the unprocessed changes.
 
+It's also important to note that Lemur's frontend and API are not tied together. The API does not serve any of the static assets, we rely on nginx or some other file server to server all of the static assets.
+During development that means we need an additional server to serve those static files for the GUI.
+
+This is accomplished with a Gulp task:
+
+::
+
+    ./node_modules/.bin/gulp serve
+
+The gulp task compiles all the JS/CSS/HTML files and opens the Lemur welcome page in your default browsers. Additionally any changes to made to the JS/CSS/HTML with be reloaded in your browsers.
+
 Developing with Flask
-----------------------
+---------------------
 
 Because Lemur is just Flask, you can use all of the standard Flask functionality. The only difference is you'll be accessing commands that would normally go through manage.py using the ``lemur`` CLI helper instead.
 
@@ -164,7 +181,7 @@ Schema changes should always introduce the new schema in a commit, and then intr
 
 Removing columns and tables requires a slightly more painful flow, and should resemble the follow multi-commit flow:
 
-- Remove all references to the column or table (but dont remove the Model itself)
+- Remove all references to the column or table (but don't remove the Model itself)
 - Remove the model code
 - Remove the table or column
 
@@ -180,19 +197,91 @@ You can see a list of open pull requests (pending changes) by visiting https://g
 
 Pull requests should be against **master** and pass all TravisCI checks
 
-Plugins
-=======
+
+Writing a Plugin
+================
 
 .. toctree::
-    :maxdepth: 1
+    :maxdepth: 2
 
     plugins/index
 
+
+REST API
+========
+
+Lemur's front end is entirely API driven. Any action that you can accomplish via the UI can also be accomplished by the
+API. The following is documents and provides examples on how to make requests to the Lemur API.
+
+Authentication
+--------------
+
+.. automodule:: lemur.auth.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Destinations
+------------
+
+.. automodule:: lemur.destinations.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Notifications
+-------------
+
+.. automodule:: lemur.notifications.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Users
+-----
+
+.. automodule:: lemur.users.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Roles
+-----
+
+.. automodule:: lemur.roles.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Certificates
+------------
+
+.. automodule:: lemur.certificates.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Authorities
+-----------
+
+.. automodule:: lemur.authorities.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+Domains
+-------
+
+.. automodule:: lemur.domains.views
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+
 Internals
 =========
 
 .. toctree::
-    :maxdepth: 1
+    :maxdepth: 2
 
     internals/lemur
-

docs/developer/internals/lemur.plugins.lemur_cfssl.rst

@@ -0,0 +1,20 @@
+lemur_cfssl Package
+===================
+
+:mod:`lemur_cfssl` Package
+--------------------------
+
+.. automodule:: lemur.plugins.lemur_cfssl
+    :noindex:
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+:mod:`plugin` Module
+--------------------
+
+.. automodule:: lemur.plugins.lemur_cfssl.plugin
+    :noindex:
+    :members:
+    :undoc-members:
+    :show-inheritance:

docs/developer/internals/lemur.plugins.lemur_cloudca.rst

@@ -1,20 +0,0 @@
-lemur_cloudca Package
-=====================
-
-:mod:`lemur_cloudca` Package
-----------------------------
-
-.. automodule:: lemur.plugins.lemur_cloudca
-    :noindex:
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-:mod:`plugin` Module
---------------------
-
-.. automodule:: lemur.plugins.lemur_cloudca.plugin
-    :noindex:
-    :members:
-    :undoc-members:
-    :show-inheritance:

docs/developer/internals/lemur.plugins.rst

@@ -27,6 +27,6 @@ Subpackages
     lemur.plugins.base
     lemur.plugins.bases
     lemur.plugins.lemur_aws
-    lemur.plugins.lemur_cloudca
+    lemur.plugins.lemur_cfssl
     lemur.plugins.lemur_email
     lemur.plugins.lemur_verisign

docs/developer/internals/lemur.rst

@@ -96,5 +96,4 @@ Subpackages
     lemur.notifications
     lemur.plugins
     lemur.roles
-    lemur.status
     lemur.users

docs/developer/internals/lemur.status.rst

@@ -1,11 +0,0 @@
-status Package
-==============
-
-:mod:`views` Module
--------------------
-
-.. automodule:: lemur.status.views
-    :noindex:
-    :members:
-    :undoc-members:
-    :show-inheritance:

docs/developer/plugins/index.rst

@@ -1,6 +1,3 @@
-Writing a Plugin
-================
-
 Several interfaces exist for extending Lemur:
 
 * Issuer (lemur.plugins.base.issuer)
@@ -8,7 +5,7 @@ Several interfaces exist for extending Lemur:
 * Source (lemur.plugins.base.source)
 * Notification (lemur.plugins.base.notification)
 
-Each interface has its own function that will need to be defined in order for
+Each interface has its own functions that will need to be defined in order for
 your plugin to work correctly. See :ref:`Plugin Interfaces <PluginInterfaces>` for details.
 
 
@@ -28,7 +25,7 @@ if you want to pull the version using pkg_resources (which is what we recommend)
     try:
         VERSION = __import__('pkg_resources') \
             .get_distribution(__name__).version
-    except Exception, e:
+    except Exception as e:
         VERSION = 'unknown'
 
 Inside of ``plugin.py``, you'll declare your Plugin class::
@@ -73,10 +70,18 @@ at multiple plugins within your package::
         },
     )
 
+Once your plugin files are in place and the ``/www/lemur/setup.py`` file has been modified, you can load your plugin into your instance by reinstalling lemur:
+::
+
+    (lemur)$cd /www/lemur
+    (lemur)$pip install -e .
+
 That's it! Users will be able to install your plugin via ``pip install <package name>``.
 
 .. SeeAlso:: For more information about python packages see `Python Packaging <https://packaging.python.org/en/latest/distributing.html>`_
 
+.. SeeAlso:: For an example of a plugin operation outside of Lemur's core, see `lemur-digicert <https://github.com/opendns/lemur-digicert>`_
+
 .. _PluginInterfaces:
 
 Plugin Interfaces
@@ -91,13 +96,13 @@ Issuer
 Issuer plugins are used when you have an external service that creates certificates or authorities.
 In the simple case the third party only issues certificates (Verisign, DigiCert, etc.).
 
-If you have a third party or internal service that creates authorities (CloudCA, EJBCA, etc.), Lemur has you covered,
+If you have a third party or internal service that creates authorities (EJBCA, etc.), Lemur has you covered,
 it can treat any issuer plugin as both a source of creating new certificates as well as new authorities.
 
 
 The `IssuerPlugin` exposes two functions::
 
-    def create_certificate(self, options):
+    def create_certificate(self, csr, issuer_options):
         # requests.get('a third party')
 
 Lemur will pass a dictionary of all possible options for certificate creation. Including a valid CSR, and the raw options associated with the request.
@@ -140,9 +145,15 @@ Destination
 Destination plugins allow you to propagate certificates managed by Lemur to additional third parties. This provides flexibility when
 different orchestration systems have their own way of manage certificates or there is an existing system you wish to integrate with Lemur.
 
+By default destination plugins have a private key requirement. If your plugin does not require a certificates private key mark `requires_key = False`
+in the plugins base class like so::
+
+    class MyDestinationPlugin(DestinationPlugin):
+        requires_key = False
+
 The DestinationPlugin requires only one function to be implemented::
 
-    def upload(self, cert, private_key, cert_chain, options, **kwargs):
+    def upload(self, name, body, private_key, cert_chain, options, **kwargs):
         # request.post('a third party')
 
 Additionally the DestinationPlugin allows the plugin author to add additional options
@@ -151,25 +162,25 @@ that can be used to help define sub-destinations.
 For example, if we look at the aws-destination plugin we can see that it defines an `accountNumber` option::
 
     options = [
-      {
-          'name': 'accountNumber',
-          'type': 'int',
-          'required': True,
-          'validation': '/^[0-9]{12,12}$/',
-          'helpMessage': 'Must be a valid AWS account number!',
-      }
+        {
+            'name': 'accountNumber',
+            'type': 'int',
+            'required': True,
+            'validation': '/^[0-9]{12,12}$/',
+            'helpMessage': 'Must be a valid AWS account number!',
+        }
     ]
 
 By defining an `accountNumber` we can make this plugin handle many N number of AWS accounts instead of just one.
 
 The schema for defining plugin options are pretty straightforward:
 
-  - **Name**: name of the variable you wish to present the user, snake case (snakeCase) is preferrred as Lemur
+  - **Name**: name of the variable you wish to present the user, snake case (snakeCase) is preferred as Lemur
     will parse these and create pretty variable titles
   - **Type** there are currently four supported variable types
       - **Int** creates an html integer box for the user to enter integers into
       - **Str** creates a html text input box
-      - **Boolean** creates a checkbox for the user to signify truithyness
+      - **Boolean** creates a checkbox for the user to signify truthiness
       - **Select** creates a select box that gives the user a list of options
           - When used a `available` key must be provided with a list of selectable options
   - **Required** determines if this option is required, this **must be a boolean value**
@@ -185,7 +196,7 @@ Notification
 ------------
 
 Lemur includes the ability to create Email notifications by **default**. These notifications
-currently come in the form of expiration noticies. Lemur periodically checks certifications expiration dates and
+currently come in the form of expiration notices. Lemur periodically checks certifications expiration dates and
 determines if a given certificate is eligible for notification. There are currently only two parameters used to
 determine if a certificate is eligible; validity expiration (date the certificate is no longer valid) and the number
 of days the current date (UTC) is from that expiration date.
@@ -196,10 +207,10 @@ are trying to create a new notification type (audit, failed logins, etc.) this w
 You would also then need to build additional code to trigger the new notification type.
 
 The second is `ExpirationNotificationPlugin`, this object inherits from `NotificationPlugin` object.
-You will most likely want to base your plugin on, if you want to add new channels for expiration notices (Slack, Hipcat, Jira, etc.). It adds default options that are required by
-by all expiration notifications (interval, unit). This interface expects for the child to define the following function::
+You will most likely want to base your plugin on, if you want to add new channels for expiration notices (Slack, HipChat, Jira, etc.). It adds default options that are required by
+all expiration notifications (interval, unit). This interface expects for the child to define the following function::
 
-    def send(self):
+    def send(self, notification_type, message, targets, options, **kwargs):
         #  request.post("some alerting infrastructure")
 
 
@@ -207,27 +218,48 @@ Source
 ------
 
 When building Lemur we realized that although it would be nice if every certificate went through Lemur to get issued, but this is not
-always be the case. Often times there are third parties that will issue certificates on your behalf and these can get deployed
+always be the case. Oftentimes there are third parties that will issue certificates on your behalf and these can get deployed
 to infrastructure without any interaction with Lemur. In an attempt to combat this and try to track every certificate, Lemur has a notion of
 certificate **Sources**. Lemur will contact the source at periodic intervals and attempt to **sync** against the source. This means downloading or discovering any
-certificate Lemur does not know about and adding the certificate to it's inventory to be tracked and alerted on.
+certificate Lemur does not know about and adding the certificate to its inventory to be tracked and alerted on.
 
 The `SourcePlugin` object has one default option of `pollRate`. This controls the number of seconds which to get new certificates.
 
- .. warning::
-    Lemur currently has a very basic polling system of running a cron job every 15min to see which source plugins need to be run. A lock file is generated to guarentee that ]
+.. warning::
+    Lemur currently has a very basic polling system of running a cron job every 15min to see which source plugins need to be run. A lock file is generated to guarantee that
     only one sync is running at a time. It also means that the minimum resolution of a source plugin poll rate is effectively 15min. You can always specify a faster cron
     job if you need a higher resolution sync job.
 
 
 The `SourcePlugin` object requires implementation of one function::
 
-      def get_certificates(self, **kwargs):
+      def get_certificates(self, options, **kwargs):
           #  request.get("some source of certificates")
 
 
-.. Note::
-    Often times to facilitate code re-use it makes sense put source and destination plugins into one package.
+.. note::
+    Oftentimes to facilitate code re-use it makes sense put source and destination plugins into one package.
+
+
+Export
+------
+
+Formats, formats and more formats. That's the current PKI landscape. See the always relevant `xkcd <https://xkcd.com/927/>`_.
+Thankfully Lemur supports the ability to output your certificates into whatever format you want. This integration comes by the way
+of Export plugins. Support is still new and evolving, the goal of these plugins is to return raw data in a new format that
+can then be used by any number of applications. Included in Lemur is the `JavaExportPlugin` which currently supports generating
+a Java Key Store (JKS) file for use in Java based applications.
+
+
+The `ExportPlugin` object requires the implementation of one function::
+
+    def export(self, body, chain, key, options, **kwargs):
+        # sys.call('openssl hokuspocus')
+        # return "extension", passphrase, raw
+
+
+.. note::
+    Support of various formats sometimes relies on external tools system calls. Always be mindful of sanitizing any input to these calls.
 
 
 Testing
@@ -246,9 +278,9 @@ Augment your setup.py to ensure at least the following:
 
    setup(
        # ...
-      install_requires=[
+       install_requires=[
           'lemur',
-      ]
+       ]
    )
 
 
@@ -259,11 +291,7 @@ The ``conftest.py`` file is our main entry-point for py.test. We need to configu
 
 .. code-block:: python
 
-   from __future__ import absolute_import
-
-   pytest_plugins = [
-       'lemur.utils.pytest'
-   ]
+   from lemur.tests.conftest import *  # noqa
 
 
 Test Cases
@@ -273,14 +301,18 @@ You can now inherit from Lemur's core test classes. These are Django-based and e
 
 .. code-block:: python
 
-   # test_myextension.py
-   from __future__ import absolute_import
+    import pytest
+    from lemur.tests.vectors import INTERNAL_CERTIFICATE_A_STR, INTERNAL_PRIVATE_KEY_A_STR
 
-   from lemur.testutils import TestCase
+    def test_export_keystore(app):
+        from lemur.plugins.base import plugins
+        p = plugins.get('java-keystore-jks')
+        options = [{'name': 'passphrase', 'value': 'test1234'}]
+        with pytest.raises(Exception):
+            p.export(INTERNAL_CERTIFICATE_A_STR, "", "", options)
 
-   class MyExtensionTest(TestCase):
-       def test_simple(self):
-          assert 1 != 2
+        raw = p.export(INTERNAL_CERTIFICATE_A_STR, "", INTERNAL_PRIVATE_KEY_A_STR, options)
+        assert raw != b""
 
 
 Running Tests
@@ -292,13 +324,14 @@ Running tests follows the py.test standard. As long as your test files and metho
 
     $ py.test -v
     ============================== test session starts ==============================
-    platform darwin -- Python 2.7.9 -- py-1.4.26 -- pytest-2.6.4/python2.7
-    plugins: django
-    collected 1 items
+    platform darwin -- Python 2.7.10, pytest-2.8.5, py-1.4.30, pluggy-0.3.1
+    cachedir: .cache
+    plugins: flask-0.10.0
+    collected 346 items
 
-    tests/test_myextension.py::MyExtensionTest::test_simple PASSED
+    lemur/plugins/lemur_acme/tests/test_acme.py::test_get_certificates PASSED
 
     =========================== 1 passed in 0.35 seconds ============================
 
 
-.. SeeAlso:: Lemur bundles several plugins that use the same interfaces mentioned above. View the source: # TODO
+.. SeeAlso:: Lemur bundles several plugins that use the same interfaces mentioned above.

docs/developer/rest.rst

@@ -1,66 +0,0 @@
-Lemur's front end is entirely API driven. Any action that you can accomplish via the UI can also be accomplished by the
-UI. The following is documents and provides examples on how to make requests to the Lemur API.
-
-Authentication
---------------
-
-.. automodule:: lemur.auth.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Destinations
-------------
-
-.. automodule:: lemur.destinations.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Notifications
--------------
-
-.. automodule:: lemur.notifications.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Users
------
-
-.. automodule:: lemur.users.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Roles
------
-
-.. automodule:: lemur.roles.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Certificates
-------------
-
-.. automodule:: lemur.certificates.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Authorities
------------
-
-.. automodule:: lemur.authorities.views
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
-Domains
--------
-
-.. automodule:: lemur.domains.views
-    :members:
-    :undoc-members:
-    :show-inheritance:

docs/doing-a-release.rst

@@ -0,0 +1,53 @@
+Doing a release
+===============
+
+Doing a release of ``lemur`` requires a few steps.
+
+Bumping the version number
+--------------------------
+
+The next step in doing a release is bumping the version number in the
+software.
+
+* Update the version number in ``lemur/__about__.py``.
+* Set the release date in the :doc:`/changelog`.
+* Do a commit indicating this.
+* Send a pull request with this.
+* Wait for it to be merged.
+
+Performing the release
+----------------------
+
+The commit that merged the version number bump is now the official release
+commit for this release. You will need to have ``gpg`` installed and a ``gpg``
+key in order to do a release. Once this has happened:
+
+* Run ``invoke release {version}``.
+
+The release should now be available on PyPI and a tag should be available in
+the repository.
+
+Verifying the release
+---------------------
+
+You should verify that ``pip install lemur`` works correctly:
+
+.. code-block:: pycon
+
+    >>> import lemur
+    >>> lemur.__version__
+    '...'
+
+Verify that this is the version you just released.
+
+Post-release tasks
+------------------
+
+* Update the version number to the next major (e.g. ``0.5.dev1``) in
+  ``lemur/__about__.py`` and
+* Add new :doc:`/changelog` entry with next version and note that it is under
+  active development
+* Send a pull request with these items
+* Check for any outstanding code undergoing a deprecation cycle by looking in
+  ``lemur.utils`` for ``DeprecatedIn**`` definitions. If any exist open
+  a ticket to increment them for the next release.

docs/faq.rst

@@ -4,8 +4,8 @@ Frequently Asked Questions
 Common Problems
 ---------------
 
-In my startup logs I see *'Aborting... Lemur cannot locate db encryption key, is LEMUR_ENCRYPTION_KEY set?'*
-  You likely have not correctly configured **LEMUR_ENCRYPTION_KEY**. See
+In my startup logs I see *'Aborting... Lemur cannot locate db encryption key, is LEMUR_ENCRYPTION_KEYS set?'*
+  You likely have not correctly configured **LEMUR_ENCRYPTION_KEYS**. See
   :doc:`administration/index` for more information.
 
 
@@ -14,6 +14,27 @@ I am seeing Lemur's javascript load in my browser but not the CSS.
   :doc:`production/index` for example configurations.
 
 
+After installing Lemur I am unable to login
+  Ensure that you are trying to login with the credentials you entered during `lemur init`. These are separate
+  from the postgres database credentials.
+
+
+Running 'lemur db upgrade' seems stuck.
+  Most likely, the upgrade is stuck because an existing query on the database is holding onto a lock that the
+  migration needs.
+
+  To resolve, login to your lemur database and run:
+
+    SELECT * FROM pg_locks l INNER JOIN pg_stat_activity s ON (l.pid = s.pid) WHERE waiting AND NOT granted;
+
+  This will give you a list of queries that are currently waiting to be executed. From there attempt to idenity the PID
+  of the query blocking the migration. Once found execute:
+
+    select pg_terminate_backend(<blocking-pid>);
+
+  See `<http://stackoverflow.com/questions/22896496/alembic-migration-stuck-with-postgresql>`_ for more.
+
+
 How do I
 --------
 

docs/generate_api.py

@@ -1,261 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-"""
-sphinx-autopackage-script
-
-This script parses a directory tree looking for python modules and packages and
-creates ReST files appropriately to create code documentation with Sphinx.
-It also creates a modules index (named modules.<suffix>).
-"""
-
-# Copyright 2008 Société des arts technologiques (SAT), http://www.sat.qc.ca/
-# Copyright 2010 Thomas Waldmann <tw AT waldmann-edv DOT de>
-# All rights reserved.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-
-import os
-import optparse
-
-
-# automodule options
-OPTIONS = ['members',
-           'undoc-members',
-           # 'inherited-members', # disabled because there's a bug in sphinx
-           'show-inheritance',
-          ]
-
-INIT = '__init__.py'
-
-def makename(package, module):
-    """Join package and module with a dot."""
-    # Both package and module can be None/empty.
-    if package:
-        name = package
-        if module:
-            name += '.' + module
-    else:
-        name = module
-    return name
-
-def write_file(name, text, opts):
-    """Write the output file for module/package <name>."""
-    if opts.dryrun:
-        return
-    fname = os.path.join(opts.destdir, "%s.%s" % (name, opts.suffix))
-    if not opts.force and os.path.isfile(fname):
-        print 'File %s already exists, skipping.' % fname
-    else:
-        print 'Creating file %s.' % fname
-        f = open(fname, 'w')
-        f.write(text)
-        f.close()
-
-def format_heading(level, text):
-    """Create a heading of <level> [1, 2 or 3 supported]."""
-    underlining = ['=', '-', '~', ][level-1] * len(text)
-    return '%s\n%s\n\n' % (text, underlining)
-
-def format_directive(module, package=None):
-    """Create the automodule directive and add the options."""
-    directive = '.. automodule:: %s\n' % makename(package, module)
-    for option in OPTIONS:
-        directive += '    :%s:\n' % option
-    return directive
-
-def create_module_file(package, module, opts):
-    """Build the text of the file and write the file."""
-    text = format_heading(1, '%s Module' % module)
-    text += format_heading(2, ':mod:`%s` Module' % module)
-    text += format_directive(module, package)
-    write_file(makename(package, module), text, opts)
-
-def create_package_file(root, master_package, subroot, py_files, opts, subs):
-    """Build the text of the file and write the file."""
-    package = os.path.split(root)[-1]
-    text = format_heading(1, '%s Package' % package)
-    # add each package's module
-    for py_file in py_files:
-        if shall_skip(os.path.join(root, py_file)):
-            continue
-        is_package = py_file == INIT
-        py_file = os.path.splitext(py_file)[0]
-        py_path = makename(subroot, py_file)
-        if is_package:
-            heading = ':mod:`%s` Package' % package
-        else:
-            heading = ':mod:`%s` Module' % py_file
-        text += format_heading(2, heading)
-        text += format_directive(is_package and subroot or py_path, master_package)
-        text += '\n'
-
-    # build a list of directories that are packages (they contain an INIT file)
-    subs = [sub for sub in subs if os.path.isfile(os.path.join(root, sub, INIT))]
-    # if there are some package directories, add a TOC for theses subpackages
-    if subs:
-        text += format_heading(2, 'Subpackages')
-        text += '.. toctree::\n\n'
-        for sub in subs:
-            text += '    %s.%s\n' % (makename(master_package, subroot), sub)
-        text += '\n'
-
-    write_file(makename(master_package, subroot), text, opts)
-
-def create_modules_toc_file(master_package, modules, opts, name='modules'):
-    """
-    Create the module's index.
-    """
-    text = format_heading(1, '%s Modules' % opts.header)
-    text += '.. toctree::\n'
-    text += '   :maxdepth: %s\n\n' % opts.maxdepth
-
-    modules.sort()
-    prev_module = ''
-    for module in modules:
-        # look if the module is a subpackage and, if yes, ignore it
-        if module.startswith(prev_module + '.'):
-            continue
-        prev_module = module
-        text += '   %s\n' % module
-
-    write_file(name, text, opts)
-
-def shall_skip(module):
-    """
-    Check if we want to skip this module.
-    """
-    # skip it, if there is nothing (or just \n or \r\n) in the file
-    return os.path.getsize(module) < 3
-
-def recurse_tree(path, excludes, opts):
-    """
-    Look for every file in the directory tree and create the corresponding
-    ReST files.
-    """
-    # use absolute path for root, as relative paths like '../../foo' cause
-    # 'if "/." in root ...' to filter out *all* modules otherwise
-    path = os.path.abspath(path)
-    # check if the base directory is a package and get is name
-    if INIT in os.listdir(path):
-        package_name = path.split(os.path.sep)[-1]
-    else:
-        package_name = None
-
-    toc = []
-    tree = os.walk(path, False)
-    for root, subs, files in tree:
-        # keep only the Python script files
-        py_files =  sorted([f for f in files if os.path.splitext(f)[1] == '.py'])
-        if INIT in py_files:
-            py_files.remove(INIT)
-            py_files.insert(0, INIT)
-        # remove hidden ('.') and private ('_') directories
-        subs = sorted([sub for sub in subs if sub[0] not in ['.', '_']])
-        # check if there are valid files to process
-        # TODO: could add check for windows hidden files
-        if "/." in root or "/_" in root \
-        or not py_files \
-        or is_excluded(root, excludes):
-            continue
-        if INIT in py_files:
-            # we are in package ...
-            if (# ... with subpackage(s)
-                subs
-                or
-                # ... with some module(s)
-                len(py_files) > 1
-                or
-                # ... with a not-to-be-skipped INIT file
-                not shall_skip(os.path.join(root, INIT))
-               ):
-                subroot = root[len(path):].lstrip(os.path.sep).replace(os.path.sep, '.')
-                create_package_file(root, package_name, subroot, py_files, opts, subs)
-                toc.append(makename(package_name, subroot))
-        elif root == path:
-            # if we are at the root level, we don't require it to be a package
-            for py_file in py_files:
-                if not shall_skip(os.path.join(path, py_file)):
-                    module = os.path.splitext(py_file)[0]
-                    create_module_file(package_name, module, opts)
-                    toc.append(makename(package_name, module))
-
-    # create the module's index
-    if not opts.notoc:
-        create_modules_toc_file(package_name, toc, opts)
-
-def normalize_excludes(rootpath, excludes):
-    """
-    Normalize the excluded directory list:
-    * must be either an absolute path or start with rootpath,
-    * otherwise it is joined with rootpath
-    * with trailing slash
-    """
-    sep = os.path.sep
-    f_excludes = []
-    for exclude in excludes:
-        if not os.path.isabs(exclude) and not exclude.startswith(rootpath):
-            exclude = os.path.join(rootpath, exclude)
-        if not exclude.endswith(sep):
-            exclude += sep
-        f_excludes.append(exclude)
-    return f_excludes
-
-def is_excluded(root, excludes):
-    """
-    Check if the directory is in the exclude list.
-
-    Note: by having trailing slashes, we avoid common prefix issues, like
-          e.g. an exlude "foo" also accidentally excluding "foobar".
-    """
-    sep = os.path.sep
-    if not root.endswith(sep):
-        root += sep
-    for exclude in excludes:
-        if root.startswith(exclude):
-            return True
-    return False
-
-def main():
-    """
-    Parse and check the command line arguments.
-    """
-    parser = optparse.OptionParser(usage="""usage: %prog [options] <package path> [exclude paths, ...]
-
-Note: By default this script will not overwrite already created files.""")
-    parser.add_option("-n", "--doc-header", action="store", dest="header", help="Documentation Header (default=Project)", default="Project")
-    parser.add_option("-d", "--dest-dir", action="store", dest="destdir", help="Output destination directory", default="")
-    parser.add_option("-s", "--suffix", action="store", dest="suffix", help="module suffix (default=txt)", default="txt")
-    parser.add_option("-m", "--maxdepth", action="store", dest="maxdepth", help="Maximum depth of submodules to show in the TOC (default=4)", type="int", default=4)
-    parser.add_option("-r", "--dry-run", action="store_true", dest="dryrun", help="Run the script without creating the files")
-    parser.add_option("-f", "--force", action="store_true", dest="force", help="Overwrite all the files")
-    parser.add_option("-t", "--no-toc", action="store_true", dest="notoc", help="Don't create the table of content file")
-    (opts, args) = parser.parse_args()
-    if not args:
-        parser.error("package path is required.")
-    else:
-        rootpath, excludes = args[0], args[1:]
-        if os.path.isdir(rootpath):
-            # check if the output destination is a valid directory
-            if opts.destdir and os.path.isdir(opts.destdir):
-                excludes = normalize_excludes(rootpath, excludes)
-                recurse_tree(rootpath, excludes, opts)
-            else:
-                print '%s is not a valid output destination directory.' % opts.destdir
-        else:
-            print '%s is not a valid directory.' % rootpath
-
-
-if __name__ == '__main__':
-    main()

docs/guide/index.rst

@@ -1,14 +1,103 @@
-Creating Users
-==============
+User Guide
+==========
+
+These guides are quick tutorials on how to perform basic tasks in Lemur.
 
 
-Creating Roles
-==============
+Create a New Authority
+~~~~~~~~~~~~~~~~~~~~~~
+
+Before Lemur can issue certificates you must configure the authority you wish use. Lemur itself does
+not issue certificates, it relies on external CAs and the plugins associated with those CAs to create the certificate
+that Lemur can then manage.
 
 
-Creating Authorities
-====================
+.. figure:: create.png
+
+    In the authority table select "Create"
+
+.. figure:: create_authority.png
+
+    Enter an authority name and short description about the authority. Enter an owner,
+    and certificate common name. Depending on the authority and the authority/issuer plugin
+    these values may or may not be used.
+
+.. figure:: create_authority_options.png
+
+    Again how many of these values get used largely depends on the underlying plugin. It
+    is important to make sure you select the right plugin that you wish to use.
+
+
+Create a New Certificate
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. figure:: create.png
+
+    In the certificate table select "Create"
+
+.. figure:: create_certificate.png
+
+    Enter an owner, short description and the authority you wish to issue this certificate.
+    Enter a common name into the certificate, if no validity range is selected two years is
+    the default.
+
+    You can add notification options and upload the created certificate to a destination, both
+    of these are editable features and can be changed after the certificate has been created.
+
+.. figure:: certificate_extensions.png
+
+    These options are typically for advanced users, the one exception is the `Subject Alternate Names` or SAN.
+    For certificates that need to include more than one domains, the first domain is the Common Name and all
+    other domains are added here as DNSName entries.
+
+
+Import an Existing Certificate
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. figure:: upload_certificate.png
+
+    Enter an owner, short description and public certificate. If there are intermediates and private keys
+    Lemur will track them just as it does if the certificate were created through Lemur. Lemur generates
+    a certificate name but you can override that by passing a value to the `Custom Name` field.
+
+    You can add notification options and upload the created certificate to a destination, both
+    of these are editable features and can be changed after the certificate has been created.
+
+
+Create a New User
+~~~~~~~~~~~~~~~~~
+.. figure:: settings.png
+
+    From the settings dropdown select "Users"
+
+.. figure:: create.png
+
+    In the user table select "Create"
+
+.. figure:: create_user.png
+
+    Enter the username, email and password for the user. You can also assign any
+    roles that the user will need when they login. While there is no deletion
+    (we want to track creators forever) you can mark a user as 'Inactive' that will
+    not allow them to login to Lemur.
+
+
+Create a New Role
+~~~~~~~~~~~~~~~~~
+
+.. figure:: settings.png
+
+    From the settings dropdown select "Roles"
+
+.. figure:: create.png
+
+    In the role table select "Create"
+
+.. figure:: create_role.png
+
+    Enter a role name and short description about the role. You can optionally store
+    a user/password on the role. This is useful if your authority require specific roles.
+    You can then accurately map those roles onto Lemur users. Also optional you can assign
+    users to your new role.
 
 
-Creating Certificates
-=====================

docs/index.rst

@@ -1,8 +1,8 @@
 Lemur
 =====
 
-Lemur is a SSL management service. It attempts to help track and create certificates. By removing common issues with
-CSR creation it gives normal developers 'sane' SSL defaults and helps security teams push SSL usage throughout an organization.
+Lemur is a TLS management service. It attempts to help track and create certificates. By removing common issues with
+CSR creation it gives normal developers 'sane' TLS defaults and helps security teams push TLS usage throughout an organization.
 
 Installation
 ------------
@@ -27,8 +27,7 @@ Administration
 .. toctree::
     :maxdepth: 2
 
-    administration/index
-    plugins/index
+    administration
 
 Developers
 ----------
@@ -38,17 +37,24 @@ Developers
 
     developer/index
 
-
-REST API
+Security
 --------
 
 .. toctree::
     :maxdepth: 2
 
-    developer/rest
+    security
+
+Doing a Release
+---------------
+
+.. toctree::
+    :maxdepth: 1
+
+    doing-a-release
 
 FAQ
-----
+---
 
 .. toctree::
     :maxdepth: 1

docs/plugins/index.rst

@@ -1,20 +0,0 @@
-Plugins
-=======
-
-There are several interfaces currently available to extend Lemur. These are a work in
-progress and the API is not frozen.
-
-Bundled Plugins
----------------
-
-Lemur includes several plugins by default. Including extensive support for AWS, VeriSign/Symantec and CloudCA services.
-
-3rd Party Extensions
---------------------
-
-The following extensions are available and maintained by members of the Lemur community:
-
-Have an extension that should be listed here? Submit a `pull request <https://github.com/netflix/lemur>`_ and we'll
-get it added.
-
-Want to create your own extension? See :doc:`../developer/plugins/index` to get started.

docs/production/index.rst

@@ -6,21 +6,22 @@ There are several steps needed to make Lemur production ready. Here we focus on
 Basics
 ======
 
-Because of the sensitivity of the information stored and maintain by Lemur it is important that you follow standard host hardening practices:
+Because of the sensitivity of the information stored and maintained by Lemur it is important that you follow standard host hardening practices:
 
 - Run Lemur with a limited user
-- Disabled any unneeded service
+- Disabled any unneeded services
 - Enable remote logging
+- Restrict access to host
 
 .. _CredentialManagement:
 
 Credential Management
 ---------------------
 
-Lemur often contains credentials such as mutual SSL keys that are used to communicate with third party resources and for encrypting stored secrets. Lemur comes with the ability
+Lemur often contains credentials such as mutual TLS keys or API tokens that are used to communicate with third party resources and for encrypting stored secrets. Lemur comes with the ability
 to automatically encrypt these keys such that your keys not be in clear text.
 
-The keys are located within lemur/keys and broken down by environment
+The keys are located within lemur/keys and broken down by environment.
 
 To utilize this ability use the following commands:
 
@@ -30,34 +31,34 @@ and
 
     ``lemur unlock``
 
-If you choose to use this feature ensure that the KEY are decrypted before Lemur starts as it will have trouble communicating with the database otherwise.
+If you choose to use this feature ensure that the keys are decrypted before Lemur starts as it will have trouble communicating with the database otherwise.
 
 Entropy
 -------
 
 Lemur generates private keys for the certificates it creates. This means that it is vitally important that Lemur has enough entropy to draw from. To generate private keys Lemur uses the python library `Cryptography <https://cryptography.io>`_. In turn Cryptography uses OpenSSL bindings to generate
-keys just like you might from the OpenSSL command line. OpenSSL draws it's initial entropy from system during startup and uses PRNGs to generate a stream of random bytes (as output by /dev/urandom) whenever it needs to do a cryptographic operation.
+keys just like you might from the OpenSSL command line. OpenSSL draws its initial entropy from system during startup and uses PRNGs to generate a stream of random bytes (as output by /dev/urandom) whenever it needs to do a cryptographic operation.
 
 What does all this mean? Well in order for the keys
 that Lemur generates to be strong, the system needs to interact with the outside world. This is typically accomplished through the systems hardware (thermal, sound, video user-input, etc.) since the physical world is much more "random" than the computer world.
 
-If you are running Lemur on its own server with its own hardware "bare metal" then the entropy of the system is typically "good enough" for generating keys. If however you are using an VM on shared hardware there is a potential that your initial seed data (data that was initially
-fed to the PRNG) is not very good. What's more VMs have been known to be unable to inject more entropy into the system once it has been started. This is because there is typically very little interaction with the server once it has been started.
+If you are running Lemur on its own server with its own hardware "bare metal" then the entropy of the system is typically "good enough" for generating keys. If however you are using a VM on shared hardware there is a potential that your initial seed data (data that was initially
+fed to the PRNG) is not very good. What's more, VMs have been known to be unable to inject more entropy into the system once it has been started. This is because there is typically very little interaction with the server once it has been started.
 
 The amount of effort you wish to expend ensuring that Lemur has good entropy to draw from is up to your specific risk tolerance and how Lemur is configured.
 
 If you wish to generate more entropy for your system we would suggest you take a look at the following resources:
 
 - `WES-entropy-client <https://github.com/WhitewoodCrypto/WES-entropy-client>`_
-- `haveaged <http://www.issihosts.com/haveged/>`_
+- `haveged <http://www.issihosts.com/haveged/>`_
 
 For additional information about OpenSSL entropy issues:
 
 - `Managing and Understanding Entropy Usage <https://www.blackhat.com/docs/us-15/materials/us-15-Potter-Understanding-And-Managing-Entropy-Usage.pdf>`_
 
 
-SSL
-====
+TLS/SSL
+=======
 
 Nginx
 -----
@@ -71,7 +72,7 @@ Nginx is a very popular choice to serve a Python project:
 Nginx doesn't run any Python process, it only serves requests from outside to
 the Python server.
 
-Therefor there are two steps:
+Therefore, there are two steps:
 
 - Run the Python process.
 - Run Nginx.
@@ -89,7 +90,7 @@ You must create a Nginx configuration file for Lemur. On GNU/Linux, they usually
 go into /etc/nginx/conf.d/. Name it lemur.conf.
 
 `proxy_pass` just passes the external request to the Python process.
-The port much match the one used by the 0bin process of course.
+The port must match the one used by the Lemur process of course.
 
 You can make some adjustments to get a better user experience::
 
@@ -109,7 +110,7 @@ You can make some adjustments to get a better user experience::
        error_log   /var/log/nginx/log/lemur.error.log;
 
        location /api {
-            proxy_pass  http://127.0.0.1:5000;
+            proxy_pass  http://127.0.0.1:8000;
             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
             proxy_redirect off;
             proxy_buffering off;
@@ -127,10 +128,10 @@ You can make some adjustments to get a better user experience::
 
     }
 
-This makes Nginx serve the favicon and static files which is is much better at than python.
+This makes Nginx serve the favicon and static files which it is much better at than python.
 
-It is highly recommended that you deploy SSL when deploying Lemur. This may be obvious given Lemur's purpose but the
-sensitive nature of Lemur and what it controls makes this essential. This is a sample config for Lemur that also terminates SSL::
+It is highly recommended that you deploy TLS when deploying Lemur. This may be obvious given Lemur's purpose but the
+sensitive nature of Lemur and what it controls makes this essential. This is a sample config for Lemur that also terminates TLS::
 
     server_tokens off;
     add_header X-Frame-Options DENY;
@@ -175,7 +176,7 @@ sensitive nature of Lemur and what it controls makes this essential. This is a s
        resolver <IP DNS resolver>;
 
        location /api {
-            proxy_pass  http://127.0.0.1:5000;
+            proxy_pass  http://127.0.0.1:8000;
             proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
             proxy_redirect off;
             proxy_buffering off;
@@ -218,11 +219,11 @@ An example apache config::
         ...
     </VirtualHost>
 
-Also included in the configurations above are several best practices when it comes to deploying SSL. Things like enabling
+Also included in the configurations above are several best practices when it comes to deploying TLS. Things like enabling
 HSTS, disabling vulnerable ciphers are all good ideas when it comes to deploying Lemur into a production environment.
 
 .. note::
-    This is a rather incomplete apache config for running Lemur (needs mod_wsgi etc.,), if you have a working apache config please let us know!
+    This is a rather incomplete apache config for running Lemur (needs mod_wsgi etc.), if you have a working apache config please let us know!
 
 .. seealso::
     `Mozilla SSL Configuration Generator <https://mozilla.github.io/server-side-tls/ssl-config-generator/>`_
@@ -239,10 +240,10 @@ most of the time), but here is a quick overview on how to use it.
 Create a configuration file named supervisor.ini::
 
     [unix_http_server]
-    file=/tmp/supervisor.sock;
+    file=/tmp/supervisor.sock
 
     [supervisorctl]
-    serverurl=unix:///tmp/supervisor.sock;
+    serverurl=unix:///tmp/supervisor.sock
 
     [rpcinterface:supervisor]
     supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface
@@ -256,13 +257,12 @@ Create a configuration file named supervisor.ini::
     nodaemon=false
     minfds=1024
     minprocs=200
-    user=lemur
 
     [program:lemur]
     command=python /path/to/lemur/manage.py manage.py start
 
     directory=/path/to/lemur/
-    environment=PYTHONPATH='/path/to/lemur/'
+    environment=PYTHONPATH='/path/to/lemur/',LEMUR_CONF='/home/lemur/.lemur/lemur.conf.py'
     user=lemur
     autostart=true
     autorestart=true
@@ -270,7 +270,7 @@ Create a configuration file named supervisor.ini::
 The 4 first entries are just boiler plate to get you started, you can copy
 them verbatim.
 
-The last one define one (you can have many) process supervisor should manage.
+The last one defines one (you can have many) process supervisor should manage.
 
 It means it will run the command::
 
@@ -292,6 +292,28 @@ Then you can manage the process by running::
 
     supervisorctl -c /path/to/supervisor.ini
 
-It will start a shell from were you can start/stop/restart the service
+It will start a shell from which you can start/stop/restart the service.
 
-You can read all errors that might occurs from /tmp/lemur.log.
+You can read all errors that might occur from /tmp/lemur.log.
+
+
+Periodic Tasks
+==============
+
+Lemur contains a few tasks that are run and scheduled basis, currently the recommend way to run these tasks is to create
+a cron job that runs the commands.
+
+There are currently three commands that could/should be run on a periodic basis:
+
+- `notify`
+- `check_revoked`
+- `sync`
+
+How often you run these commands is largely up to the user. `notify` and `check_revoked` are typically run at least once a day.
+`sync` is typically run every 15 minutes.
+
+Example cron entries::
+
+    0 22 * * * lemuruser export LEMUR_CONF=/Users/me/.lemur/lemur.conf.py; /www/lemur/bin/lemur notify
+    */15 * * * * lemuruser export LEMUR_CONF=/Users/me/.lemur/lemur.conf.py; /www/lemur/bin/lemur sync -s all
+    0 22 * * * lemuruser export LEMUR_CONF=/Users/me/.lemur/lemur.conf.py; /www/lemur/bin/lemur check_revoked

docs/quickstart/index.rst

@@ -1,95 +1,110 @@
 Quickstart
 **********
 
-This guide will step you through setting up a Python-based virtualenv, installing the required packages, and configuring the basic web service.
-This guide assumes a clean Ubuntu 14.04 instance, commands may differ based on the OS and configuration being used.
+This guide will step you through setting up a Python-based virtualenv, installing the required packages, and configuring the basic web service.  This guide assumes a clean Ubuntu 14.04 instance, commands may differ based on the OS and configuration being used.
+
+Pressed for time? See the Lemur docker file on `Github <https://github.com/Netflix/lemur-docker>`_.
+
 
 Dependencies
 ------------
 
 Some basic prerequisites which you'll need in order to run Lemur:
 
-* A UNIX-based operating system. We test on Ubuntu, develop on OS X
-* Python 2.7
-* PostgreSQL
-* Ngnix
+* A UNIX-based operating system (we test on Ubuntu, develop on OS X)
+* Python 3.5 or greater
+* PostgreSQL 9.4 or greater
+* Nginx
+
+.. note:: Lemur was built with in AWS in mind. This means that things such as databases (RDS), mail (SES), and TLS (ELB), are largely handled for us.  Lemur does **not** require AWS to function. Our guides and documentation try to be as generic as possible and are not intended to document every step of launching Lemur into a given environment.
+
+
+Installing Build Dependencies
+-----------------------------
+
+If installing Lemur on a bare Ubuntu OS you will need to grab the following packages so that Lemur can correctly build it's dependencies:
+
+.. code-block:: bash
+
+    $ sudo apt-get update
+    $ sudo apt-get install nodejs-legacy python-pip python-dev python3-dev libpq-dev build-essential libssl-dev libffi-dev nginx git supervisor npm postgresql
+
+.. note:: PostgreSQL is only required if your database is going to be on the same host as the webserver.  npm is needed if you're installing Lemur from the source (e.g., from git).
+
+Now, install Python ``virtualenv`` package:
+
+.. code-block:: bash
+
+    $ sudo pip install -U virtualenv
 
-.. note:: Lemur was built with in AWS in mind. This means that things such as databases (RDS), mail (SES), and SSL (ELB),
-    are largely handled for us. Lemur does **not** require AWS to function. Our guides and documentation try to be
-    be as generic as possible and are not intended to document every step of launching Lemur into a given environment.
 
 Setting up an Environment
 -------------------------
 
-The first thing you'll need is the Python ``virtualenv`` package. You probably already
-have this, but if not, you can install it with::
-
-  pip install -U virtualenv
-
-Once that's done, choose a location for the environment, and create it with the ``virtualenv``
-command. For our guide, we're going to choose ``/www/lemur/``::
-
-  virtualenv /www/lemur/
-
-Finally, activate your virtualenv::
-
-  source /www/lemur/bin/activate
-
-.. note:: Activating the environment adjusts your PATH, so that things like pip now
-          install into the virtualenv by default.
-
-
-Installing build dependencies
------------------------------
-
-If installing Lemur on truely bare Ubuntu OS you will need to grab the following packages so that Lemur can correctly build it's
-dependencies::
-
-    $ sudo apt-get update
-    $ sudo apt-get install nodejs-legacy python-pip libpq-dev python-dev build-essential libssl-dev libffi-dev nginx git supervisor
-
-And optionally if your database is going to be on the same host as the webserver::
-
-    $ sudo apt-get install postgres
-
-
-Installing Lemur
-----------------
-
-Once you've got the environment setup, you can install Lemur and all its dependencies with
-the same command you used to grab virtualenv::
-
-    pip install -U lemur
-
-Once everything is installed, you should be able to execute the Lemur CLI, via ``lemur``, and get something
-like the following:
+In this guide, Lemur will be installed in ``/www``, so you need to create that structure first:
 
 .. code-block:: bash
 
-  $ lemur
-  usage: lemur [--config=/path/to/settings.py] [command] [options]
+    $ sudo mkdir /www
+    $ cd /www
+
+Clone Lemur inside the just created directory and give yourself write permission (we assume ``lemur`` is the user):
+
+.. code-block:: bash
+
+    $ sudo useradd lemur
+    $ sudo passwd lemur
+    $ sudo mkdir /home/lemur
+    $ sudo chown lemur:lemur /home/lemur
+    $ sudo git clone https://github.com/Netflix/lemur
+    $ sudo chown -R lemur lemur/
+
+Create the virtual environment, activate it and enter the Lemur's directory:
+
+.. code-block:: bash
+
+    $ su lemur
+    $ virtualenv -p python3 lemur
+    $ source /www/lemur/bin/activate
+    $ cd lemur
+
+.. note:: Activating the environment adjusts your PATH, so that things like pip now install into the virtualenv by default.
 
 
 Installing from Source
 ~~~~~~~~~~~~~~~~~~~~~~
 
-If you're installing the Lemur source (e.g. from git), you'll also need to install **npm**.
-
-Once your system is prepared, symlink your source into the virtualenv:
+Once your system is prepared, ensure that you are in the virtualenv:
 
 .. code-block:: bash
 
-  $ make develop
+  $ which python
 
-.. Note:: This command will install npm dependencies as well as compile static assets.
+And then run:
+
+.. code-block:: bash
+
+  $ make release
+
+.. note:: This command will install npm dependencies as well as compile static assets.
+
+
+You may also run with the urlContextPath variable set. If this is set it will add the desired context path for subsequent calls back to lemur.
+::
+
+  Example:
+    urlContextPath=lemur
+    /api/1/auth/providers -> /lemur/api/1/auth/providers
+
+.. code-block:: bash
+
+  $ make release urlContextPath={desired context path}
 
 
 Creating a configuration
 ------------------------
 
-Before we run Lemur we must create a valid configuration file for it.
-
-The Lemur cli comes with a simple command to get you up and running quickly.
+Before we run Lemur, we must create a valid configuration file for it.  The Lemur command line interface comes with a simple command to get you up and running quickly.
 
 Simply run:
 
@@ -97,89 +112,100 @@ Simply run:
 
   $ lemur create_config
 
-.. Note:: This command will create a default configuration under `~/.lemur/lemur.conf.py` you
-    can specify this location by passing the `config_path` parameter to the `create_config` command.
+.. note:: This command will create a default configuration under ``~/.lemur/lemur.conf.py`` you can specify this location by passing the ``config_path`` parameter to the ``create_config`` command.
+
+You can specify ``-c`` or ``--config`` to any Lemur command to specify the current environment you are working in. Lemur will also look under the environmental variable ``LEMUR_CONF`` should that be easier to setup in your environment.
 
-You can specify `-c` or `--config` to any Lemur command to specify the current environment
-you are working in. Lemur will also look under the environmental variable `LEMUR_CONF` should
-that be easier to setup in your environment.
 
 Update your configuration
 -------------------------
 
-Once created you will need to update the configuration file with information about your environment,
-such as which database to talk to, where keys are stores etc..
+Once created, you will need to update the configuration file with information about your environment, such as which database to talk to, where keys are stored etc.
 
-.. Note:: If you are unfamiliar with with the SQLALCHEMY_DATABASE_URI string it can be broken up like so:
-      postgresql://userame:password@databasefqdn:databaseport/databasename
+.. code-block:: bash
+
+    $ vi ~/.lemur/lemur.conf.py
+
+.. note:: If you are unfamiliar with the SQLALCHEMY_DATABASE_URI string it can be broken up like so:
+      ``postgresql://userame:password@<database-fqdn>:<database-port>/<database-name>``
+
+Before Lemur will run you need to fill in a few required variables in the configuration file:
+
+.. code-block:: bash
+
+    LEMUR_SECURITY_TEAM_EMAIL
+    #/the e-mail address needs to be enclosed in quotes
+    LEMUR_DEFAULT_COUNTRY
+    LEMUR_DEFAULT_STATE
+    LEMUR_DEFAULT_LOCATION
+    LEMUR_DEFAUTL_ORGANIZATION
+    LEMUR_DEFAULT_ORGANIZATIONAL_UNIT
 
 Setup Postgres
 --------------
 
-For production a dedicated database is recommended, for this guide we will assume postgres has been installed and is on
-the same machine that Lemur is installed on.
+For production, a dedicated database is recommended, for this guide we will assume postgres has been installed and is on the same machine that Lemur is installed on.
 
-First, set a password for the postgres user.  For this guide, we will use **lemur** as an example but you should use the database password generated for by Lemur::
+First, set a password for the postgres user.  For this guide, we will use ``lemur`` as an example but you should use the database password generated by Lemur:
 
-     $ sudo -u postgres psql postgres
-     # \password postgres
-     Enter new password: lemur
-     Enter it again: lemur
+.. code-block:: bash
 
-Type CTRL-D to exit psql once you have changed the password.
+    $ sudo -u postgres -i
+    # \password postgres
+    Enter new password: lemur
+    Enter it again: lemur
 
-Next, we will create our a new database::
+Once successful, type CTRL-D to exit the Postgres shell.
 
-     $ sudo -u postgres createdb lemur
+Next, we will create our new database:
+
+.. code-block:: bash
+
+    $ sudo -u postgres createdb lemur
 
 .. _InitializingLemur:
 
+.. note::
+    For this guide we assume you will use the `postgres` user to connect to your database, when deploying to a VM or container this is often all you will need. If you have a shared database it is recommend you give Lemur its own user.
+
+.. note::
+    Postgres 9.4 or greater is required as Lemur relies advanced data columns (e.g. JSON Column type)
+
 Initializing Lemur
 ------------------
 
-Lemur provides a helpful command that will initialize your database for you. It creates a default user (lemur) that is
-used by Lemur to help associate certificates that do not currently have an owner. This is most commonly the case when
-Lemur has discovered certificates from a third party source. This is also a default user that can be used to
-administer Lemur.
+Lemur provides a helpful command that will initialize your database for you. It creates a default user (``lemur``) that is used by Lemur to help associate certificates that do not currently have an owner. This is most commonly the case when Lemur has discovered certificates from a third party source.  This is also a default user that can be used to administer Lemur.
 
-In addition to create a new User, Lemur also creates a few default email notifications. These notifications are based
-on a few configuration options such as `LEMUR_SECURITY_TEAM_EMAIL` they basically garentee that every cerificate within
-Lemur will send one expiration notification to the security team.
+In addition to creating a new user, Lemur also creates a few default email notifications.  These notifications are based on a few configuration options such as ``LEMUR_SECURITY_TEAM_EMAIL``.  They basically guarantee that every certificate within Lemur will send one expiration notification to the security team.
 
-Additional notifications can be created through the UI or API.
-See :ref:`Creating Notifications <CreatingNotifications>` and :ref:`Command Line Interface <CommandLineInterface>` for details.
+Additional notifications can be created through the UI or API.  See :ref:`Creating Notifications <CreatingNotifications>` and :ref:`Command Line Interface <CommandLineInterface>` for details.
 
-**Make note of the password used as this will be used during first login to the Lemur UI**
-
-.. code-block:: bash
-
-    $ lemur db init
+**Make note of the password used as this will be used during first login to the Lemur UI.**
 
 .. code-block:: bash
 
+    $ cd /www/lemur/lemur
     $ lemur init
 
-.. note:: It is recommended that once the 'lemur' user is created that you create individual users for every day access.
-    There is currently no way for a user to self enroll for Lemur access, they must have an administrator create an account
-    for them or be enrolled automatically through SSO. This can be done through the CLI or UI.
-    See :ref:`Creating Users <CreatingUsers>` and :ref:`Command Line Interface <CommandLineInterface>` for details
+
+.. note:: It is recommended that once the ``lemur`` user is created that you create individual users for every day access.  There is currently no way for a user to self enroll for Lemur access, they must have an administrator create an account for them or be enrolled automatically through SSO.  This can be done through the CLI or UI.  See :ref:`Creating Users <CreatingUsers>` and :ref:`Command Line Interface <CommandLineInterface>` for details.
+
 
 Setup a Reverse Proxy
 ---------------------
 
-By default, Lemur runs on port 5000. Even if you change this, under normal conditions you won't be able to bind to
-port 80. To get around this (and to avoid running Lemur as a privileged user, which you shouldn't), we recommend
-you setup a simple web proxy.
+By default, Lemur runs on port 8000.  Even if you change this, under normal conditions you won't be able to bind to port 80. To get around this (and to avoid running Lemur as a privileged user, which you shouldn't), we need setup a simple web proxy. There are many different web servers you can use for this, we like and recommend Nginx.
+
 
 Proxying with Nginx
 ~~~~~~~~~~~~~~~~~~~
 
-You'll use the builtin HttpProxyModule within Nginx to handle proxying
+You'll use the builtin ``HttpProxyModule`` within Nginx to handle proxying.  Edit the ``/etc/nginx/sites-available/default`` file according to the lines below
 
 ::
 
    location /api {
-        proxy_pass  http://127.0.0.1:5000;
+        proxy_pass  http://127.0.0.1:8000;
         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
         proxy_redirect off;
         proxy_buffering off;
@@ -187,12 +213,6 @@ You'll use the builtin HttpProxyModule within Nginx to handle proxying
         proxy_set_header        X-Real-IP       $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
     }
-    
-    location / {
-        root /www/lemur/lemur/static/dist;
-        include mime.types;
-        index index.html;
-    }
 
     location / {
         root /www/lemur/lemur/static/dist;
@@ -200,16 +220,22 @@ You'll use the builtin HttpProxyModule within Nginx to handle proxying
         index index.html;
     }
 
-See :doc:`../production/index` for more details on using Nginx.
+.. note:: See :doc:`../production/index` for more details on using Nginx.
+
+After making these changes, restart Nginx service to apply them:
+
+.. code-block:: bash
+
+    $ sudo service nginx restart
 
 
 Starting the Web Service
 ------------------------
 
-Lemur provides a built-in webserver (powered by gunicorn and eventlet) to get you off the ground quickly.
+Lemur provides a built-in web server (powered by gunicorn and eventlet) to get you off the ground quickly.
 
-To start the webserver, you simply use ``lemur start``. If you opted to use an alternative configuration path
-you can pass that via the --config option.
+To start the web server, you simply use ``lemur start``. If you opted to use an alternative configuration path
+you can pass that via the ``--config`` option.
 
 .. note::
     You can login with the default user created during :ref:`Initializing Lemur <InitializingLemur>` or any other
@@ -217,23 +243,23 @@ you can pass that via the --config option.
 
 ::
 
-  # Lemur's server runs on port 5000 by default. Make sure your client reflects
+  # Lemur's server runs on port 8000 by default. Make sure your client reflects
   # the correct host and port!
-  lemur --config=/etc/lemur.conf.py start -b 127.0.0.1:5000
+  lemur --config=/etc/lemur.conf.py start -b 127.0.0.1:8000
+
+You should now be able to test the web service by visiting ``http://localhost:8000/``.
 
-You should now be able to test the web service by visiting `http://localhost:5000/`.
 
 Running Lemur as a Service
----------------------------
+--------------------------
+
+We recommend using whatever software you are most familiar with for managing Lemur processes.  One option is `Supervisor <http://supervisord.org/>`_.
 
-We recommend using whatever software you are most familiar with for managing Lemur processes. One option is
-`Supervisor <http://supervisord.org/>`_.
 
 Configure ``supervisord``
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Configuring Supervisor couldn't be more simple. Just point it to the ``lemur`` executable in your virtualenv's bin/
-folder and you're good to go.
+Configuring Supervisor couldn't be more simple. Just point it to the ``lemur`` executable in your virtualenv's ``bin/`` folder and you're good to go.
 
 ::
 
@@ -248,42 +274,43 @@ folder and you're good to go.
 
 See :ref:`Using Supervisor <UsingSupervisor>` for more details on using Supervisor.
 
+
 Syncing
 -------
 
-Lemur uses periodic sync tasks to make sure it is up-to-date with it's environment. As always things can change outside
-of Lemur, but we do our best to reconcile those changes.
+Lemur uses periodic sync tasks to make sure it is up-to-date with its environment. Things change outside of Lemur we do our best to reconcile those changes. The recommended method is to use CRON:
 
 .. code-block:: bash
 
   $ crontab -e
-  * 3 * * * lemur sync --all
-  * 3 * * * lemur check_revoked
+  */15 * * * * lemur sync -s all
+  0 22 * * * lemur check_revoked
+  0 22 * * * lemur notify
+
 
 Additional Utilities
 --------------------
 
-If you're familiar with Python you'll quickly find yourself at home, and even more so if you've used Flask. The
-``lemur`` command is just a simple wrapper around Flask's ``manage.py``, which means you get all of the
-power and flexibility that goes with it.
+If you're familiar with Python you'll quickly find yourself at home, and even more so if you've used Flask.  The ``lemur`` command is just a simple wrapper around Flask's ``manage.py``, which means you get all of the power and flexibility that goes with it.
+
+Some of the features which you'll likely find useful are listed below.
 
-Some of those which you'll likely find useful are:
 
 lock
 ~~~~
 
-Encrypts sensitive key material - This is most useful for storing encrypted secrets in source code.
+Encrypts sensitive key material - this is most useful for storing encrypted secrets in source code.
+
 
 unlock
 ~~~~~~
 
-Decrypts sensitive key material - Used to decrypt the secrets stored in source during deployment.
+Decrypts sensitive key material - used to decrypt the secrets stored in source during deployment.
 
 
 What's Next?
 ------------
 
-The above gets you going, but for production there are several different security considerations to take into account,
-remember Lemur is handling sensitive data and security is imperative.
+Get familiar with how Lemur works by reviewing the :doc:`../guide/index`. When you're ready see :doc:`../production/index` for more details on how to configure Lemur for production.
 
-See :doc:`../production/index` for more details on how to configure Lemur for production.
+The above just gets you going, but for production there are several different security considerations to take into account.  Remember, Lemur is handling sensitive data and security is imperative.

docs/requirements.txt

@@ -1,5 +1,54 @@
-Jinja2>=2.3
-Pygments>=1.2
-Sphinx>=1.3
-docutils>=0.7
-markupsafe
+alabaster==0.7.8
+alembic==0.8.6
+aniso8601==1.1.0
+arrow==0.7.0
+Babel==2.3.4
+bcrypt==2.0.0
+beautifulsoup4==4.4.1
+blinker==1.4
+boto==2.38.0
+cffi==1.7.0
+cryptography==1.3.2
+docutils==0.12
+enum34==1.1.6
+Flask==0.10.1
+Flask-Bcrypt==0.7.1
+Flask-Mail==0.9.1
+Flask-Migrate==1.7.0
+Flask-Principal==0.4.0
+Flask-RESTful==0.3.3
+Flask-Script==2.0.5
+Flask-SQLAlchemy==2.1
+future==0.15.2
+gunicorn==19.4.1
+idna==2.1
+imagesize==0.7.1
+inflection==0.3.1
+ipaddress==1.0.16
+itsdangerous==0.24
+Jinja2==2.8
+lockfile==0.12.2
+Mako==1.0.4
+MarkupSafe==0.23
+marshmallow==2.4.0
+marshmallow-sqlalchemy==0.8.0
+psycopg2==2.6.1
+pyasn1==0.1.9
+pycparser==2.14
+pycrypto==2.6.1
+Pygments==2.1.3
+PyJWT==1.4.0
+pyOpenSSL==0.15.1
+python-dateutil==2.5.3
+python-editor==1.0.1
+pytz==2016.4
+requests==2.9.1
+six==1.10.0
+snowballstemmer==1.2.1
+Sphinx==1.4.4
+sphinx-rtd-theme==0.1.9
+sphinxcontrib-httpdomain==1.5.0
+SQLAlchemy==1.0.13
+SQLAlchemy-Utils==0.31.4
+Werkzeug==0.11.10
+xmltodict==0.9.2

docs/security.rst

@@ -0,0 +1,66 @@
+Security
+========
+
+We take the security of ``lemur`` seriously. The following are a set of
+policies we have adopted to ensure that security issues are addressed in a
+timely fashion.
+
+Reporting a security issue
+--------------------------
+
+We ask that you do not report security issues to our normal GitHub issue
+tracker.
+
+If you believe you've identified a security issue with ``lemur``, please
+report it to ``cloudsecurity@netflix.com``.
+
+Once you've submitted an issue via email, you should receive an acknowledgment
+within 48 hours, and depending on the action to be taken, you may receive
+further follow-up emails.
+
+Supported Versions
+------------------
+
+At any given time, we will provide security support for the `master`_ branch
+as well as the 2 most recent releases.
+
+Disclosure Process
+------------------
+
+Our process for taking a security issue from private discussion to public
+disclosure involves multiple steps.
+
+Approximately one week before full public disclosure, we will send advance
+notification of the issue to a list of people and organizations, primarily
+composed of operating-system vendors and other distributors of
+``lemur``.  This notification will consist of an email message
+containing:
+
+* A full description of the issue and the affected versions of
+  ``lemur``.
+* The steps we will be taking to remedy the issue.
+* The patches, if any, that will be applied to ``lemur``.
+* The date on which the ``lemur`` team will apply these patches, issue
+  new releases, and publicly disclose the issue.
+
+Simultaneously, the reporter of the issue will receive notification of the date
+on which we plan to make the issue public.
+
+On the day of disclosure, we will take the following steps:
+
+* Apply the relevant patches to the ``lemur`` repository. The commit
+  messages for these patches will indicate that they are for security issues,
+  but will not describe the issue in any detail; instead, they will warn of
+  upcoming disclosure.
+* Issue the relevant releases.
+
+If a reported issue is believed to be particularly time-sensitive – due to a
+known exploit in the wild, for example – the time between advance notification
+and public disclosure may be shortened considerably.
+
+The list of people and organizations who receives advanced notification of
+security issues is not, and will not, be made public. This list generally
+consists of high-profile downstream distributors and is entirely at the
+discretion of the ``lemur`` team.
+
+.. _`master`: https://github.com/Netflix/lemur

gulp/build.js

@@ -1,13 +1,12 @@
+'use strict';
+
 var gulp = require('gulp'),
   minifycss = require('gulp-minify-css'),
   concat = require('gulp-concat'),
   less = require('gulp-less'),
   gulpif = require('gulp-if'),
-  order = require('gulp-order'),
   gutil = require('gulp-util'),
-  rename = require('gulp-rename'),
   foreach = require('gulp-foreach'),
-  debug = require('gulp-debug'),
   path =require('path'),
   merge = require('merge-stream'),
   del = require('del'),
@@ -27,7 +26,8 @@ var gulp = require('gulp'),
   minifyHtml = require('gulp-minify-html'),
   bowerFiles = require('main-bower-files'),
   karma = require('karma'),
-  replace = require('gulp-replace');
+  replace = require('gulp-replace'),
+  argv = require('yargs').argv;
 
 gulp.task('default', ['clean'], function () {
   gulp.start('fonts', 'styles');
@@ -72,7 +72,6 @@ gulp.task('dev:styles', function () {
   };
 
   var fileList = [
-    'lemur/static/app/styles/lemur.css',
     'bower_components/bootswatch/sandstone/bootswatch.less',
     'bower_components/fontawesome/css/font-awesome.css',
     'bower_components/angular-spinkit/src/angular-spinkit.css',
@@ -80,17 +79,19 @@ gulp.task('dev:styles', function () {
     'bower_components/angular-loading-bar/src/loading-bar.css',
     'bower_components/angular-ui-switch/angular-ui-switch.css',
     'bower_components/angular-wizard/dist/angular-wizard.css',
-    'bower_components/ng-table/ng-table.css',
-    'bower_components/angularjs-toaster/toaster.css'
+    'bower_components/ng-table/dist/ng-table.css',
+    'bower_components/angularjs-toaster/toaster.css',
+    'bower_components/angular-ui-select/dist/select.css',
+    'lemur/static/app/styles/lemur.css'
   ];
 
   return gulp.src(fileList)
     .pipe(gulpif(isBootswatchFile, foreach(function (stream, file) {
       var themeName = path.basename(path.dirname(file.path)),
         content = replaceAll(baseContent, '$theme$', themeName),
-        file = string_src('bootstrap-' +  themeName + '.less', content);
+        file2 = string_src('bootstrap-' +  themeName + '.less', content);
 
-      return file;
+      return file2;
     })))
     .pipe(less())
     .pipe(gulpif(isBootstrapFile, foreach(function (stream, file) {
@@ -100,7 +101,7 @@ gulp.task('dev:styles', function () {
       // http://stackoverflow.com/questions/21719833/gulp-how-to-add-src-files-in-the-middle-of-a-pipe
       // https://github.com/gulpjs/gulp/blob/master/docs/recipes/using-multiple-sources-in-one-task.md
       return merge(stream, gulp.src(['.tmp/styles/font-awesome.css', '.tmp/styles/lemur.css']))
-        .pipe(concat('style-' + themeName + ".css"));
+        .pipe(concat('style-' + themeName + '.css'));
     })))
     .pipe(plumber())
     .pipe(concat('styles.css'))
@@ -112,7 +113,7 @@ gulp.task('dev:styles', function () {
 
 // http://stackoverflow.com/questions/1144783/replacing-all-occurrences-of-a-string-in-javascript
 function escapeRegExp(string) {
-  return string.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1");
+  return string.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, '\\$1');
 }
 
 function replaceAll(string, find, replace) {
@@ -122,7 +123,7 @@ function replaceAll(string, find, replace) {
 function string_src(filename, string) {
   var src = require('stream').Readable({ objectMode: true });
   src._read = function () {
-    this.push(new gutil.File({ cwd: "", base: "", path: filename, contents: new Buffer(string) }));
+    this.push(new gutil.File({ cwd: '', base: '', path: filename, contents: new Buffer(string) }));
     this.push(null);
   };
   return src;
@@ -143,26 +144,18 @@ gulp.task('build:extras', function () {
 function injectHtml(isDev) {
   return gulp.src('lemur/static/app/index.html')
     .pipe(
-    inject(gulp.src(bowerFiles({ base: 'app' }), {
-      read: false
-    }), {
+    inject(gulp.src(bowerFiles({ base: 'app' })), {
       starttag: '<!-- inject:bower:{{ext}} -->',
       addRootSlash: false,
       ignorePath: isDev ? ['lemur/static/app/', '.tmp/'] : null
     })
   )
-    .pipe(inject(gulp.src(['lemur/static/app/angular/**/*.js'], {
-      read: false
-    }), {
-      read: false,
+    .pipe(inject(gulp.src(['lemur/static/app/angular/**/*.js']), {
       starttag: '<!-- inject:{{ext}} -->',
       addRootSlash: false,
       ignorePath: isDev ? ['lemur/static/app/', '.tmp/'] : null
     }))
-    .pipe(inject(gulp.src(['.tmp/styles/**/*.css'], {
-      read: false
-    }), {
-      read: false,
+    .pipe(inject(gulp.src(['.tmp/styles/**/*.css']), {
       starttag: '<!-- inject:{{ext}} -->',
       addRootSlash: false,
       ignorePath: isDev ? ['lemur/static/app/', '.tmp/'] : null
@@ -170,13 +163,11 @@ function injectHtml(isDev) {
     .pipe(
     gulpif(!isDev,
       inject(gulp.src('lemur/static/dist/ngviews/ngviews.min.js'), {
-        read: false,
         starttag: '<!-- inject:ngviews -->',
         addRootSlash: false
       })
     )
-  )
-    .pipe(gulp.dest('.tmp/'));
+  ).pipe(gulp.dest('.tmp/'));
 }
 
 gulp.task('dev:inject', ['dev:styles', 'dev:scripts'], function () {
@@ -199,23 +190,17 @@ gulp.task('build:ngviews', function () {
 });
 
 gulp.task('build:html', ['dev:styles', 'dev:scripts', 'build:ngviews', 'build:inject'], function () {
-  var jsFilter = filter('**/*.js');
-  var cssFilter = filter('**/*.css');
-
-  var assets = useref.assets();
+  var jsFilter = filter(['**/*.js'], {'restore': true});
+  var cssFilter = filter(['**/*.css'], {'restore': true});
 
   return gulp.src('.tmp/index.html')
-    .pipe(assets)
-    .pipe(rev())
     .pipe(jsFilter)
     .pipe(ngAnnotate())
-    .pipe(jsFilter.restore())
+    .pipe(jsFilter.restore)
     .pipe(cssFilter)
     .pipe(csso())
-    .pipe(cssFilter.restore())
-    .pipe(assets.restore())
+    .pipe(cssFilter.restore)
     .pipe(useref())
-    .pipe(revReplace())
     .pipe(gulp.dest('lemur/static/dist'))
     .pipe(size());
 });
@@ -238,13 +223,37 @@ gulp.task('build:images', function () {
 
 gulp.task('package:strip', function () {
   return gulp.src(['lemur/static/dist/scripts/main*'])
-    .pipe(replace('http:\/\/localhost:5000', ''))
     .pipe(replace('http:\/\/localhost:3000', ''))
+    .pipe(replace('http:\/\/localhost:8000', ''))
     .pipe(useref())
-    .pipe(revReplace())
     .pipe(gulp.dest('lemur/static/dist/scripts'))
     .pipe(size());
 });
 
+gulp.task('addUrlContextPath',['addUrlContextPath:revreplace'], function(){
+  var urlContextPathExists = argv.urlContextPath ? true : false;
+  return gulp.src('lemur/static/dist/scripts/main*.js')
+    .pipe(gulpif(urlContextPathExists, replace('api/', argv.urlContextPath + '/api/')))
+    .pipe(gulpif(urlContextPathExists, replace('angular/', argv.urlContextPath + '/angular/')))
+    .pipe(gulp.dest('lemur/static/dist/scripts'))
+});
+
+gulp.task('addUrlContextPath:revision', function(){
+  return gulp.src(['lemur/static/dist/**/*.css','lemur/static/dist/**/*.js'])
+    .pipe(rev())
+    .pipe(gulp.dest('lemur/static/dist'))
+    .pipe(rev.manifest())
+    .pipe(gulp.dest('lemur/static/dist'))
+})
+
+gulp.task('addUrlContextPath:revreplace', ['addUrlContextPath:revision'], function(){
+  var manifest = gulp.src("lemur/static/dist/rev-manifest.json");
+  var urlContextPathExists = argv.urlContextPath ? true : false;
+  return gulp.src( "lemur/static/dist/index.html")
+    .pipe(gulpif(urlContextPathExists, revReplace({prefix: argv.urlContextPath + '/', manifest: manifest}, revReplace({manifest: manifest}))))
+    .pipe(gulp.dest('lemur/static/dist'));
+})
+
+
 gulp.task('build', ['build:ngviews', 'build:inject', 'build:images', 'build:fonts', 'build:html', 'build:extras']);
-gulp.task('package', ['package:strip']);
+gulp.task('package', ['addUrlContextPath', 'package:strip']);

hooks/pre-commit

@@ -1,46 +0,0 @@
-#!/usr/bin/env python
-
-import glob
-import os
-import sys
-
-os.environ['PYFLAKES_NODOCTEST'] = '1'
-
-# pep8.py uses sys.argv to find setup.cfg
-sys.argv = [os.path.join(os.path.dirname(__file__), os.pardir, os.pardir)]
-
-# git usurbs your bin path for hooks and will always run system python
-if 'VIRTUAL_ENV' in os.environ:
-    site_packages = glob.glob(
-        '%s/lib/*/site-packages' % os.environ['VIRTUAL_ENV'])[0]
-    sys.path.insert(0, site_packages)
-
-
-def py_lint(files_modified):
-    from flake8.main import DEFAULT_CONFIG
-    from flake8.engine import get_style_guide
-
-    # remove non-py files and files which no longer exist
-    files_modified = filter(lambda x: x.endswith('.py'), files_modified)
-
-    flake8_style = get_style_guide(parse_argv=True, config_file=DEFAULT_CONFIG)
-    report = flake8_style.check_files(files_modified)
-
-    return report.total_errors != 0
-
-
-def main():
-    from flake8.hooks import run
-
-    gitcmd = "git diff-index --cached --name-only HEAD"
-
-    _, files_modified, _ = run(gitcmd)
-
-    files_modified = filter(lambda x: os.path.exists(x), files_modified)
-
-    if py_lint(files_modified):
-        return 1
-    return 0
-
-if __name__ == '__main__':
-    sys.exit(main())

lemur/__about__.py

@@ -0,0 +1,18 @@
+from __future__ import absolute_import, division, print_function
+
+__all__ = [
+    "__title__", "__summary__", "__uri__", "__version__", "__author__",
+    "__email__", "__license__", "__copyright__",
+]
+
+__title__ = "lemur"
+__summary__ = ("Certificate management and orchestration service")
+__uri__ = "https://github.com/Netflix/lemur"
+
+__version__ = "0.5.0"
+
+__author__ = "The Lemur developers"
+__email__ = "security@netflix.com"
+
+__license__ = "Apache License, Version 2.0"
+__copyright__ = "Copyright 2016 {0}".format(__author__)

lemur/__init__.py

@@ -8,7 +8,10 @@
 
 
 """
+from __future__ import absolute_import, division, print_function
+
 from lemur import factory
+from lemur.extensions import metrics
 
 from lemur.users.views import mod as users_bp
 from lemur.roles.views import mod as roles_bp
@@ -17,11 +20,23 @@ from lemur.domains.views import mod as domains_bp
 from lemur.destinations.views import mod as destinations_bp
 from lemur.authorities.views import mod as authorities_bp
 from lemur.certificates.views import mod as certificates_bp
-from lemur.status.views import mod as status_bp
+from lemur.defaults.views import mod as defaults_bp
 from lemur.plugins.views import mod as plugins_bp
 from lemur.notifications.views import mod as notifications_bp
 from lemur.sources.views import mod as sources_bp
+from lemur.endpoints.views import mod as endpoints_bp
+from lemur.logs.views import mod as logs_bp
 
+from lemur.__about__ import (
+    __author__, __copyright__, __email__, __license__, __summary__, __title__,
+    __uri__, __version__
+)
+
+
+__all__ = [
+    "__title__", "__summary__", "__uri__", "__version__", "__author__",
+    "__email__", "__license__", "__copyright__",
+]
 
 LEMUR_BLUEPRINTS = (
     users_bp,
@@ -31,10 +46,12 @@ LEMUR_BLUEPRINTS = (
     destinations_bp,
     authorities_bp,
     certificates_bp,
-    status_bp,
+    defaults_bp,
     plugins_bp,
     notifications_bp,
-    sources_bp
+    sources_bp,
+    endpoints_bp,
+    logs_bp
 )
 
 
@@ -50,7 +67,8 @@ def configure_hook(app):
     :param app:
     :return:
     """
-    from flask.ext.principal import PermissionDenied
+    from flask import jsonify
+    from werkzeug.exceptions import HTTPException
     from lemur.decorators import crossdomain
     if app.config.get('CORS'):
         @app.after_request
@@ -58,8 +76,16 @@ def configure_hook(app):
         def after(response):
             return response
 
-    @app.errorhandler(PermissionDenied)
-    def handle_invalid_usage(error):
-        response = {'message': 'You are not allow to access this resource'}
-        response.status_code = 403
+    @app.after_request
+    def log_status(response):
+        metrics.send('status_code_{}'.format(response.status_code), 'counter', 1)
         return response
+
+    @app.errorhandler(Exception)
+    def handle_error(e):
+        code = 500
+        if isinstance(e, HTTPException):
+            code = e.code
+
+        app.logger.exception(e)
+        return jsonify(error=str(e)), code

lemur/analyze/service.py

@@ -1,64 +0,0 @@
-"""
-.. module: lemur.analyze.service
-    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
-    :license: Apache, see LICENSE for more details.
-.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
-"""
-# def analyze(endpoints, truststores):
-#    results = {"headings": ["Endpoint"],
-#               "results": [],
-#               "time": datetime.now().strftime("#Y%m%d %H:%M:%S")}
-#
-#    for store in truststores:
-#        results['headings'].append(os.path.basename(store))
-#
-#    for endpoint in endpoints:
-#        result_row = [endpoint]
-#        for store in truststores:
-#            result = {'details': []}
-#
-#            tests = []
-#            for region, ip in REGIONS.items():
-#                try:
-#                    domain = dns.name.from_text(endpoint)
-#                    if not domain.is_absolute():
-#                        domain = domain.concatenate(dns.name.root)
-#
-#                    my_resolver = dns.resolver.Resolver()
-#                    my_resolver.nameservers = [ip]
-#                    answer = my_resolver.query(domain)
-#
-#                    #force the testing of regional enpoints by changing the dns server
-#                    response = requests.get('https://' + str(answer[0]), verify=store)
-#                    tests.append('pass')
-#                    result['details'].append("{}: SSL testing completed without errors".format(region))
-#
-#                except SSLError as e:
-#                    log.debug(e)
-#                    if 'hostname' in str(e):
-#                        tests.append('pass')
-#                        result['details'].append(
-#                              "{}: This test passed ssl negotiation but failed hostname verification because \
-#                                   the hostname is not included in the certificate".format(region))
-#                    elif 'certificate verify failed' in str(e):
-#                        tests.append('fail')
-#                        result['details'].append("{}: This test failed to verify the SSL certificate".format(region))
-#                    else:
-#                        tests.append('fail')
-#                        result['details'].append("{}: {}".format(region, str(e)))
-#
-#                except Exception as e:
-#                    log.debug(e)
-#                    tests.append('fail')
-#                    result['details'].append("{}: {}".format(region, str(e)))
-#
-#            #any failing tests fails the whole endpoint
-#            if 'fail' in tests:
-#                result['test'] = 'fail'
-#            else:
-#                result['test'] = 'pass'
-#
-#            result_row.append(result)
-#        results['results'].append(result_row)
-#    return results
-#

lemur/auth/permissions.py

@@ -9,36 +9,38 @@
 from functools import partial
 from collections import namedtuple
 
-from flask.ext.principal import Permission, RoleNeed
+from flask_principal import Permission, RoleNeed
 
 # Permissions
 operator_permission = Permission(RoleNeed('operator'))
 admin_permission = Permission(RoleNeed('admin'))
 
-CertificateCreator = namedtuple('certificate', ['method', 'value'])
-CertificateCreatorNeed = partial(CertificateCreator, 'key')
+CertificateOwner = namedtuple('certificate', ['method', 'value'])
+CertificateOwnerNeed = partial(CertificateOwner, 'role')
 
 
-class ViewKeyPermission(Permission):
-    def __init__(self, certificate_id, owner):
-        c_need = CertificateCreatorNeed(certificate_id)
-        super(ViewKeyPermission, self).__init__(c_need, RoleNeed(owner), RoleNeed('admin'))
+class SensitiveDomainPermission(Permission):
+    def __init__(self):
+        super(SensitiveDomainPermission, self).__init__(RoleNeed('admin'))
 
 
-class UpdateCertificatePermission(Permission):
-    def __init__(self, certificate_id, owner):
-        c_need = CertificateCreatorNeed(certificate_id)
-        super(UpdateCertificatePermission, self).__init__(c_need, RoleNeed(owner), RoleNeed('admin'))
+class CertificatePermission(Permission):
+    def __init__(self, owner, roles):
+        needs = [RoleNeed('admin'), RoleNeed(owner), RoleNeed('creator')]
+        for r in roles:
+            needs.append(CertificateOwnerNeed(str(r)))
+
+        super(CertificatePermission, self).__init__(*needs)
 
 
-RoleUser = namedtuple('role', ['method', 'value'])
-ViewRoleCredentialsNeed = partial(RoleUser, 'roleView')
+RoleMember = namedtuple('role', ['method', 'value'])
+RoleMemberNeed = partial(RoleMember, 'member')
 
 
-class ViewRoleCredentialsPermission(Permission):
+class RoleMemberPermission(Permission):
     def __init__(self, role_id):
-        need = ViewRoleCredentialsNeed(role_id)
-        super(ViewRoleCredentialsPermission, self).__init__(need, RoleNeed('admin'))
+        needs = [RoleNeed('admin'), RoleMemberNeed(role_id)]
+        super(RoleMemberPermission, self).__init__(*needs)
 
 
 AuthorityCreator = namedtuple('authority', ['method', 'value'])

lemur/auth/service.py

@@ -8,11 +8,8 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 
 """
-from __future__ import unicode_literals
-from builtins import bytes
 import jwt
 import json
-import base64
 import binascii
 
 from functools import wraps
@@ -20,31 +17,17 @@ from datetime import datetime, timedelta
 
 from flask import g, current_app, jsonify, request
 
-from flask.ext.restful import Resource
-from flask.ext.principal import identity_loaded, RoleNeed, UserNeed
+from flask_restful import Resource
+from flask_principal import identity_loaded, RoleNeed, UserNeed
 
-from flask.ext.principal import Identity, identity_changed
+from flask_principal import Identity, identity_changed
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
 
 from lemur.users import service as user_service
-from lemur.auth.permissions import CertificateCreatorNeed, \
-    AuthorityCreatorNeed, ViewRoleCredentialsNeed
-
-
-def base64url_decode(data):
-    rem = len(data) % 4
-
-    if rem > 0:
-        data += '=' * (4 - rem)
-
-    return base64.urlsafe_b64decode(bytes(data.encode('latin-1')))
-
-
-def base64url_encode(data):
-    return base64.urlsafe_b64encode(data).replace('=', '')
+from lemur.auth.permissions import AuthorityCreatorNeed, RoleMemberNeed
 
 
 def get_rsa_public_key(n, e):
@@ -55,8 +38,9 @@ def get_rsa_public_key(n, e):
     :param e:
     :return: a RSA Public Key in PEM format
     """
-    n = int(binascii.hexlify(base64url_decode(n)), 16)
-    e = int(binascii.hexlify(base64url_decode(e)), 16)
+    n = int(binascii.hexlify(jwt.utils.base64url_decode(bytes(n, 'utf-8'))), 16)
+    e = int(binascii.hexlify(jwt.utils.base64url_decode(bytes(e, 'utf-8'))), 16)
+
     pub = RSAPublicNumbers(e, n).public_key(default_backend())
     return pub.public_bytes(
         encoding=serialization.Encoding.PEM,
@@ -75,8 +59,8 @@ def create_token(user):
     expiration_delta = timedelta(days=int(current_app.config.get('LEMUR_TOKEN_EXPIRATION', 1)))
     payload = {
         'sub': user.id,
-        'iat': datetime.now(),
-        'exp': datetime.now() + expiration_delta
+        'iat': datetime.utcnow(),
+        'exp': datetime.utcnow() + expiration_delta
     }
     token = jwt.encode(payload, current_app.config['LEMUR_TOKEN_SECRET'])
     return token.decode('unicode_escape')
@@ -84,7 +68,7 @@ def create_token(user):
 
 def login_required(f):
     """
-    Validates the JWT and ensures that is has not expired.
+    Validates the JWT and ensures that is has not expired and the user is still active.
 
     :param f:
     :return:
@@ -110,7 +94,12 @@ def login_required(f):
         except jwt.InvalidTokenError:
             return dict(message='Token is invalid'), 403
 
-        g.current_user = user_service.get(payload['sub'])
+        user = user_service.get(payload['sub'])
+
+        if not user.active:
+            return dict(message='User is not currently active'), 403
+
+        g.current_user = user
 
         if not g.current_user:
             return dict(message='You are not logged in'), 403
@@ -138,13 +127,10 @@ def fetch_token_header(token):
         raise jwt.DecodeError('Not enough segments')
 
     try:
-        return json.loads(base64url_decode(header_segment))
+        return json.loads(jwt.utils.base64url_decode(header_segment).decode('utf-8'))
     except TypeError as e:
         current_app.logger.exception(e)
         raise jwt.DecodeError('Invalid header padding')
-    except binascii.Error as e:
-        current_app.logger.exception(e)
-        raise jwt.DecodeError('Invalid header padding')
 
 
 @identity_loaded.connect
@@ -165,19 +151,14 @@ def on_identity_loaded(sender, identity):
     # identity with the roles that the user provides
     if hasattr(user, 'roles'):
         for role in user.roles:
-            identity.provides.add(ViewRoleCredentialsNeed(role.id))
             identity.provides.add(RoleNeed(role.name))
+            identity.provides.add(RoleMemberNeed(role.id))
 
     # apply ownership for authorities
     if hasattr(user, 'authorities'):
         for authority in user.authorities:
             identity.provides.add(AuthorityCreatorNeed(authority.id))
 
-    # apply ownership of certificates
-    if hasattr(user, 'certificates'):
-        for certificate in user.certificates:
-            identity.provides.add(CertificateCreatorNeed(certificate.id))
-
     g.user = user
 
 

lemur/auth/views.py

@@ -7,13 +7,15 @@
 """
 import jwt
 import base64
+import sys
 import requests
 
-from flask import g, Blueprint, current_app
+from flask import Blueprint, current_app
 
-from flask.ext.restful import reqparse, Resource, Api
-from flask.ext.principal import Identity, identity_changed
+from flask_restful import reqparse, Resource, Api
+from flask_principal import Identity, identity_changed
 
+from lemur.extensions import metrics
 from lemur.common.utils import get_psuedo_random_string
 
 from lemur.users import service as user_service
@@ -35,7 +37,7 @@ class Login(Resource):
 
         Authorization:Bearer <token>
 
-    Tokens have a set expiration date. You can inspect the token expiration be base64 decoding the token and inspecting
+    Tokens have a set expiration date. You can inspect the token expiration by base64 decoding the token and inspecting
     it's contents.
 
     .. note:: It is recommended that the token expiration is fairly short lived (hours not days). This will largely depend \
@@ -92,22 +94,22 @@ class Login(Resource):
         else:
             user = user_service.get_by_username(args['username'])
 
-        if user and user.check_password(args['password']):
+        if user and user.check_password(args['password']) and user.active:
             # Tell Flask-Principal the identity changed
             identity_changed.send(current_app._get_current_object(),
                                   identity=Identity(user.id))
+
+            metrics.send('successful_login', 'counter', 1)
             return dict(token=create_token(user))
 
+        metrics.send('invalid_login', 'counter', 1)
         return dict(message='The supplied credentials are invalid'), 401
 
-    def get(self):
-        return {'username': g.current_user.username, 'roles': [r.name for r in g.current_user.roles]}
-
 
 class Ping(Resource):
     """
     This class serves as an example of how one might implement an SSO provider for use with Lemur. In
-    this example we use a OpenIDConnect authentication flow, that is essentially OAuth2 underneath. If you have an
+    this example we use an OpenIDConnect authentication flow, that is essentially OAuth2 underneath. If you have an
     OAuth2 provider you want to use Lemur there would be two steps:
 
     1. Define your own class that inherits from :class:`flask.ext.restful.Resource` and create the HTTP methods the \
@@ -125,7 +127,7 @@ class Ping(Resource):
 
         args = self.reqparse.parse_args()
 
-        # take the information we have received from Meechum to create a new request
+        # take the information we have received from the provider to create a new request
         params = {
             'client_id': args['clientId'],
             'grant_type': 'authorization_code',
@@ -138,9 +140,11 @@ class Ping(Resource):
         access_token_url = current_app.config.get('PING_ACCESS_TOKEN_URL')
         user_api_url = current_app.config.get('PING_USER_API_URL')
 
-        # the secret and cliendId will be given to you when you signup for meechum
-        basic = base64.b64encode('{0}:{1}'.format(args['clientId'], current_app.config.get("PING_SECRET")))
-        headers = {'Authorization': 'Basic {0}'.format(basic)}
+        # the secret and cliendId will be given to you when you signup for the provider
+        token = '{0}:{1}'.format(args['clientId'], current_app.config.get("PING_SECRET"))
+
+        basic = base64.b64encode(bytes(token, 'utf-8'))
+        headers = {'authorization': 'basic {0}'.format(basic.decode('utf-8'))}
 
         # exchange authorization code for access token.
 
@@ -164,7 +168,7 @@ class Ping(Resource):
 
         # validate your token based on the key it was signed with
         try:
-            jwt.decode(id_token, secret, algorithms=[algo], audience=args['clientId'])
+            jwt.decode(id_token, secret.decode('utf-8'), algorithms=[algo], audience=args['clientId'])
         except jwt.DecodeError:
             return dict(message='Token is invalid'), 403
         except jwt.ExpiredSignatureError:
@@ -179,6 +183,7 @@ class Ping(Resource):
         profile = r.json()
 
         user = user_service.get_by_email(profile['email'])
+        metrics.send('successful_login', 'counter', 1)
 
         # update their google 'roles'
         roles = []
@@ -189,10 +194,14 @@ class Ping(Resource):
                 role = role_service.create(group, description='This is a google group based role created by Lemur')
             roles.append(role)
 
-        # if we get an sso user create them an account
-        # we still pick a random password in case sso is down
-        if not user:
+        role = role_service.get_by_name(profile['email'])
 
+        if not role:
+            role = role_service.create(profile['email'], description='This is a user specific role')
+        roles.append(role)
+
+        # if we get an sso user create them an account
+        if not user:
             # every user is an operator (tied to a default role)
             if current_app.config.get('LEMUR_DEFAULT_ROLE'):
                 v = role_service.get_by_name(current_app.config.get('LEMUR_DEFAULT_ROLE'))
@@ -220,7 +229,134 @@ class Ping(Resource):
                 profile['email'],
                 profile['email'],
                 True,
-                profile.get('thumbnailPhotoUrl'),  # Encase profile isn't google+ enabled
+                profile.get('thumbnailPhotoUrl'),  # incase profile isn't google+ enabled
+                roles
+            )
+
+        if not user.active:
+            metrics.send('invalid_login', 'counter', 1)
+            return dict(message='The supplied credentials are invalid'), 403
+
+        # Tell Flask-Principal the identity changed
+        identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
+
+        metrics.send('successful_login', 'counter', 1)
+        return dict(token=create_token(user))
+
+
+class OAuth2(Resource):
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(OAuth2, self).__init__()
+
+    def post(self):
+        self.reqparse.add_argument('clientId', type=str, required=True, location='json')
+        self.reqparse.add_argument('redirectUri', type=str, required=True, location='json')
+        self.reqparse.add_argument('code', type=str, required=True, location='json')
+
+        args = self.reqparse.parse_args()
+
+        # take the information we have received from the provider to create a new request
+        params = {
+            'grant_type': 'authorization_code',
+            'scope': 'openid email profile groups',
+            'redirect_uri': args['redirectUri'],
+            'code': args['code'],
+        }
+
+        # you can either discover these dynamically or simply configure them
+        access_token_url = current_app.config.get('OAUTH2_ACCESS_TOKEN_URL')
+        user_api_url = current_app.config.get('OAUTH2_USER_API_URL')
+
+        # the secret and cliendId will be given to you when you signup for the provider
+        token = '{0}:{1}'.format(args['clientId'], current_app.config.get("OAUTH2_SECRET"))
+
+        basic = base64.b64encode(bytes(token, 'utf-8'))
+
+        headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'authorization': 'basic {0}'.format(basic.decode('utf-8'))
+        }
+
+        # exchange authorization code for access token.
+        r = requests.post(access_token_url, headers=headers, params=params)
+        id_token = r.json()['id_token']
+        access_token = r.json()['access_token']
+
+        # fetch token public key
+        header_data = fetch_token_header(id_token)
+        jwks_url = current_app.config.get('OAUTH2_JWKS_URL')
+
+        # retrieve the key material as specified by the token header
+        r = requests.get(jwks_url)
+        for key in r.json()['keys']:
+            if key['kid'] == header_data['kid']:
+                secret = get_rsa_public_key(key['n'], key['e'])
+                algo = header_data['alg']
+                break
+        else:
+            return dict(message='Key not found'), 403
+
+        # validate your token based on the key it was signed with
+        try:
+            if sys.version_info >= (3, 0):
+                jwt.decode(id_token, secret.decode('utf-8'), algorithms=[algo], audience=args['clientId'])
+            else:
+                jwt.decode(id_token, secret, algorithms=[algo], audience=args['clientId'])
+        except jwt.DecodeError:
+            return dict(message='Token is invalid'), 403
+        except jwt.ExpiredSignatureError:
+            return dict(message='Token has expired'), 403
+        except jwt.InvalidTokenError:
+            return dict(message='Token is invalid'), 403
+
+        headers = {'authorization': 'Bearer {0}'.format(access_token)}
+
+        # retrieve information about the current user.
+        r = requests.get(user_api_url, headers=headers)
+        profile = r.json()
+
+        user = user_service.get_by_email(profile['email'])
+        metrics.send('successful_login', 'counter', 1)
+
+        # update their google 'roles'
+        roles = []
+
+        role = role_service.get_by_name(profile['email'])
+        if not role:
+            role = role_service.create(profile['email'], description='This is a user specific role')
+        roles.append(role)
+
+        # if we get an sso user create them an account
+        if not user:
+            # every user is an operator (tied to a default role)
+            if current_app.config.get('LEMUR_DEFAULT_ROLE'):
+                v = role_service.get_by_name(current_app.config.get('LEMUR_DEFAULT_ROLE'))
+                if v:
+                    roles.append(v)
+
+            user = user_service.create(
+                profile['name'],
+                get_psuedo_random_string(),
+                profile['email'],
+                True,
+                profile.get('thumbnailPhotoUrl'),
+                roles
+            )
+
+        else:
+            # we add 'lemur' specific roles, so they do not get marked as removed
+            for ur in user.roles:
+                if ur.authority_id:
+                    roles.append(ur)
+
+            # update any changes to the user
+            user_service.update(
+                user.id,
+                profile['name'],
+                profile['email'],
+                True,
+                profile.get('thumbnailPhotoUrl'),  # incase profile isn't google+ enabled
                 roles
             )
 
@@ -230,5 +366,101 @@ class Ping(Resource):
         return dict(token=create_token(user))
 
 
+class Google(Resource):
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(Google, self).__init__()
+
+    def post(self):
+        access_token_url = 'https://accounts.google.com/o/oauth2/token'
+        people_api_url = 'https://www.googleapis.com/plus/v1/people/me/openIdConnect'
+
+        self.reqparse.add_argument('clientId', type=str, required=True, location='json')
+        self.reqparse.add_argument('redirectUri', type=str, required=True, location='json')
+        self.reqparse.add_argument('code', type=str, required=True, location='json')
+
+        args = self.reqparse.parse_args()
+
+        # Step 1. Exchange authorization code for access token
+        payload = {
+            'client_id': args['clientId'],
+            'grant_type': 'authorization_code',
+            'redirect_uri': args['redirectUri'],
+            'code': args['code'],
+            'client_secret': current_app.config.get('GOOGLE_SECRET')
+        }
+
+        r = requests.post(access_token_url, data=payload)
+        token = r.json()
+
+        # Step 2. Retrieve information about the current user
+        headers = {'Authorization': 'Bearer {0}'.format(token['access_token'])}
+
+        r = requests.get(people_api_url, headers=headers)
+        profile = r.json()
+
+        user = user_service.get_by_email(profile['email'])
+
+        if not user.active:
+            metrics.send('invalid_login', 'counter', 1)
+            return dict(message='The supplied credentials are invalid.'), 401
+
+        if user:
+            metrics.send('successful_login', 'counter', 1)
+            return dict(token=create_token(user))
+
+        metrics.send('invalid_login', 'counter', 1)
+
+
+class Providers(Resource):
+    def get(self):
+        active_providers = []
+
+        for provider in current_app.config.get("ACTIVE_PROVIDERS", []):
+            provider = provider.lower()
+
+            if provider == "google":
+                active_providers.append({
+                    'name': 'google',
+                    'clientId': current_app.config.get("GOOGLE_CLIENT_ID"),
+                    'url': api.url_for(Google)
+                })
+
+            elif provider == "ping":
+                active_providers.append({
+                    'name': current_app.config.get("PING_NAME"),
+                    'url': current_app.config.get('PING_REDIRECT_URI'),
+                    'redirectUri': current_app.config.get("PING_REDIRECT_URI"),
+                    'clientId': current_app.config.get("PING_CLIENT_ID"),
+                    'responseType': 'code',
+                    'scope': ['openid', 'email', 'profile', 'address'],
+                    'scopeDelimiter': ' ',
+                    'authorizationEndpoint': current_app.config.get("PING_AUTH_ENDPOINT"),
+                    'requiredUrlParams': ['scope'],
+                    'type': '2.0'
+                })
+
+            elif provider == "oauth2":
+                active_providers.append({
+                    'name': current_app.config.get("OAUTH2_NAME"),
+                    'url': current_app.config.get('OAUTH2_REDIRECT_URI'),
+                    'redirectUri': current_app.config.get("OAUTH2_REDIRECT_URI"),
+                    'clientId': current_app.config.get("OAUTH2_CLIENT_ID"),
+                    'responseType': 'code',
+                    'scope': ['openid', 'email', 'profile', 'groups'],
+                    'scopeDelimiter': ' ',
+                    'authorizationEndpoint': current_app.config.get("OAUTH2_AUTH_ENDPOINT"),
+                    'requiredUrlParams': ['scope', 'state', 'nonce'],
+                    'state': 'STATE',
+                    'nonce': get_psuedo_random_string(),
+                    'type': '2.0'
+                })
+
+        return active_providers
+
+
 api.add_resource(Login, '/auth/login', endpoint='login')
 api.add_resource(Ping, '/auth/ping', endpoint='ping')
+api.add_resource(Google, '/auth/google', endpoint='google')
+api.add_resource(OAuth2, '/auth/oauth2', endpoint='oauth2')
+api.add_resource(Providers, '/auth/providers', endpoint='providers')

lemur/authorities/models.py

@@ -1,58 +1,48 @@
 """
 .. module: lemur.authorities.models
     :platform: unix
-    :synopsis: This module contains all of the models need to create a authority within Lemur.
+    :synopsis: This module contains all of the models need to create an authority within Lemur.
     :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-from cryptography import x509
-from cryptography.hazmat.backends import default_backend
-
 from sqlalchemy.orm import relationship
 from sqlalchemy import Column, Integer, String, Text, func, ForeignKey, DateTime, PassiveDefault, Boolean
 from sqlalchemy.dialects.postgresql import JSON
 
 from lemur.database import db
-from lemur.certificates.models import cert_get_cn, cert_get_not_after, cert_get_not_before
+from lemur.plugins.base import plugins
+from lemur.models import roles_authorities
 
 
 class Authority(db.Model):
     __tablename__ = 'authorities'
     id = Column(Integer, primary_key=True)
-    owner = Column(String(128))
+    owner = Column(String(128), nullable=False)
     name = Column(String(128), unique=True)
     body = Column(Text())
     chain = Column(Text())
-    bits = Column(Integer())
-    cn = Column(String(128))
-    not_before = Column(DateTime)
-    not_after = Column(DateTime)
     active = Column(Boolean, default=True)
-    date_created = Column(DateTime, PassiveDefault(func.now()), nullable=False)
     plugin_name = Column(String(64))
     description = Column(Text)
     options = Column(JSON)
-    roles = relationship('Role', backref=db.backref('authority'), lazy='dynamic')
+    date_created = Column(DateTime, PassiveDefault(func.now()), nullable=False)
+    roles = relationship('Role', secondary=roles_authorities, passive_deletes=True, backref=db.backref('authority'), lazy='dynamic')
     user_id = Column(Integer, ForeignKey('users.id'))
-    certificates = relationship("Certificate", backref='authority')
+    authority_certificate = relationship("Certificate", backref='root_authority', uselist=False, foreign_keys='Certificate.root_authority_id')
+    certificates = relationship("Certificate", backref='authority', foreign_keys='Certificate.authority_id')
 
-    def __init__(self, name, owner, plugin_name, body, roles=None, chain=None, description=None):
-        self.name = name
-        self.body = body
-        self.chain = chain
-        self.owner = owner
-        self.plugin_name = plugin_name
-        cert = x509.load_pem_x509_certificate(str(body), default_backend())
-        self.cn = cert_get_cn(cert)
-        self.not_before = cert_get_not_before(cert)
-        self.not_after = cert_get_not_after(cert)
-        self.roles = roles
-        self.description = description
+    def __init__(self, **kwargs):
+        self.owner = kwargs['owner']
+        self.roles = kwargs.get('roles', [])
+        self.name = kwargs.get('name')
+        self.description = kwargs.get('description')
+        self.authority_certificate = kwargs['authority_certificate']
+        self.plugin_name = kwargs['plugin']['slug']
 
-    def as_dict(self):
-        return {c.name: getattr(self, c.name) for c in self.__table__.columns}
+    @property
+    def plugin(self):
+        return plugins.get(self.plugin_name)
 
-    def serialize(self):
-        blob = self.as_dict()
-        return blob
+    def __repr__(self):
+        return "Authority(name={name})".format(name=self.name)

lemur/authorities/schemas.py

@@ -0,0 +1,119 @@
+"""
+.. module: lemur.authorities.schemas
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from flask import current_app
+
+from marshmallow import fields, validates_schema, pre_load
+from marshmallow import validate
+from marshmallow.exceptions import ValidationError
+
+from lemur.schemas import PluginInputSchema, PluginOutputSchema, ExtensionSchema, AssociatedAuthoritySchema, AssociatedRoleSchema
+from lemur.users.schemas import UserNestedOutputSchema
+from lemur.common.schema import LemurInputSchema, LemurOutputSchema
+from lemur.common import validators, missing
+
+from lemur.common.fields import ArrowDateTime
+
+
+class AuthorityInputSchema(LemurInputSchema):
+    name = fields.String(required=True)
+    owner = fields.Email(required=True)
+    description = fields.String()
+    common_name = fields.String(required=True, validate=validators.sensitive_domain)
+
+    validity_start = ArrowDateTime()
+    validity_end = ArrowDateTime()
+    validity_years = fields.Integer()
+
+    # certificate body fields
+    organizational_unit = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT'))
+    organization = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'))
+    location = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_LOCATION'))
+    country = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_COUNTRY'))
+    state = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_STATE'))
+
+    plugin = fields.Nested(PluginInputSchema)
+
+    # signing related options
+    type = fields.String(validate=validate.OneOf(['root', 'subca']), missing='root')
+    parent = fields.Nested(AssociatedAuthoritySchema)
+    signing_algorithm = fields.String(validate=validate.OneOf(['sha256WithRSA', 'sha1WithRSA']), missing='sha256WithRSA')
+    key_type = fields.String(validate=validate.OneOf(['RSA2048', 'RSA4096']), missing='RSA2048')
+    key_name = fields.String()
+    sensitivity = fields.String(validate=validate.OneOf(['medium', 'high']), missing='medium')
+    serial_number = fields.Integer()
+    first_serial = fields.Integer(missing=1)
+
+    extensions = fields.Nested(ExtensionSchema)
+
+    roles = fields.Nested(AssociatedRoleSchema(many=True))
+
+    @validates_schema
+    def validate_dates(self, data):
+        validators.dates(data)
+
+    @validates_schema
+    def validate_subca(self, data):
+        if data['type'] == 'subca':
+            if not data.get('parent'):
+                raise ValidationError("If generating a subca, parent 'authority' must be specified.")
+
+    @pre_load
+    def ensure_dates(self, data):
+        return missing.convert_validity_years(data)
+
+
+class AuthorityUpdateSchema(LemurInputSchema):
+    owner = fields.Email(required=True)
+    description = fields.String()
+    active = fields.Boolean(missing=True)
+    roles = fields.Nested(AssociatedRoleSchema(many=True))
+
+
+class RootAuthorityCertificateOutputSchema(LemurOutputSchema):
+    __envelope__ = False
+    id = fields.Integer()
+    active = fields.Boolean()
+    bits = fields.Integer()
+    body = fields.String()
+    chain = fields.String()
+    description = fields.String()
+    name = fields.String()
+    cn = fields.String()
+    not_after = fields.DateTime()
+    not_before = fields.DateTime()
+    owner = fields.Email()
+    status = fields.Boolean()
+    user = fields.Nested(UserNestedOutputSchema)
+
+
+class AuthorityOutputSchema(LemurOutputSchema):
+    id = fields.Integer()
+    description = fields.String()
+    name = fields.String()
+    owner = fields.Email()
+    plugin = fields.Nested(PluginOutputSchema)
+    active = fields.Boolean()
+    options = fields.Dict()
+    roles = fields.List(fields.Nested(AssociatedRoleSchema))
+    authority_certificate = fields.Nested(RootAuthorityCertificateOutputSchema)
+
+
+class AuthorityNestedOutputSchema(LemurOutputSchema):
+    __envelope__ = False
+    id = fields.Integer()
+    description = fields.String()
+    name = fields.String()
+    owner = fields.Email()
+    plugin = fields.Nested(PluginOutputSchema)
+    active = fields.Boolean()
+
+
+authority_update_schema = AuthorityUpdateSchema()
+authority_input_schema = AuthorityInputSchema()
+authority_output_schema = AuthorityOutputSchema()
+authorities_output_schema = AuthorityOutputSchema(many=True)

lemur/authorities/service.py

@@ -8,95 +8,111 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 
 """
-from flask import g
-from flask import current_app
-
 from lemur import database
+from lemur.extensions import metrics
 from lemur.authorities.models import Authority
 from lemur.roles import service as role_service
-from lemur.notifications import service as notification_service
 
-from lemur.roles.models import Role
-from lemur.certificates.models import Certificate
-
-from lemur.plugins.base import plugins
+from lemur.certificates.service import upload
 
 
 def update(authority_id, description=None, owner=None, active=None, roles=None):
     """
-    Update a an authority with new values.
+    Update an authority with new values.
 
     :param authority_id:
     :param roles: roles that are allowed to use this authority
-    :rtype : Authority
     :return:
     """
     authority = get(authority_id)
+
     if roles:
-        authority = database.update_list(authority, 'roles', Role, roles)
-
-    if active:
-        authority.active = active
+        authority.roles = roles
 
+    authority.active = active
     authority.description = description
     authority.owner = owner
     return database.update(authority)
 
 
-def create(kwargs):
+def mint(**kwargs):
     """
-    Create a new authority.
+    Creates the authority based on the plugin provided.
+    """
+    issuer = kwargs['plugin']['plugin_object']
+    values = issuer.create_authority(kwargs)
 
-    :rtype : Authority
+    # support older plugins
+    if len(values) == 3:
+        body, chain, roles = values
+        private_key = None
+    elif len(values) == 4:
+        body, private_key, chain, roles = values
+
+    roles = create_authority_roles(roles, kwargs['owner'], kwargs['plugin']['plugin_object'].title, kwargs['creator'])
+    return body, private_key, chain, roles
+
+
+def create_authority_roles(roles, owner, plugin_title, creator):
+    """
+    Creates all of the necessary authority roles.
+    :param creator:
+    :param roles:
     :return:
     """
-
-    issuer = plugins.get(kwargs.get('pluginName'))
-
-    kwargs['creator'] = g.current_user.email
-    cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)
-
-    cert = Certificate(cert_body, chain=intermediate)
-    cert.owner = kwargs['ownerEmail']
-    cert.description = "This is the ROOT certificate for the {0} certificate authority".format(kwargs.get('caName'))
-    cert.user = g.current_user
-
-    cert.notifications = notification_service.create_default_expiration_notifications(
-        'DEFAULT_SECURITY',
-        current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
-    )
-
-    # we create and attach any roles that the issuer gives us
     role_objs = []
-    for r in issuer_roles:
-
-        role = role_service.create(
-            r['name'],
-            password=r['password'],
-            description="{0} auto generated role".format(kwargs.get('pluginName')),
-            username=r['username'])
+    for r in roles:
+        role = role_service.get_by_name(r['name'])
+        if not role:
+            role = role_service.create(
+                r['name'],
+                password=r['password'],
+                description="Auto generated role for {0}".format(plugin_title),
+                username=r['username'])
 
         # the user creating the authority should be able to administer it
         if role.username == 'admin':
-            g.current_user.roles.append(role)
+            creator.roles.append(role)
 
         role_objs.append(role)
 
-    authority = Authority(
-        kwargs.get('caName'),
-        kwargs['ownerEmail'],
-        kwargs['pluginName'],
-        cert_body,
-        description=kwargs['caDescription'],
-        chain=intermediate,
-        roles=role_objs
-    )
+    # create an role for the owner and assign it
+    owner_role = role_service.get_by_name(owner)
+    if not owner_role:
+        owner_role = role_service.create(
+            owner,
+            description="Auto generated role based on owner: {0}".format(owner)
+        )
 
-    database.update(cert)
+    role_objs.append(owner_role)
+    return role_objs
+
+
+def create(**kwargs):
+    """
+    Creates a new authority.
+    """
+    body, private_key, chain, roles = mint(**kwargs)
+
+    kwargs['creator'].roles = list(set(list(kwargs['creator'].roles) + roles))
+
+    kwargs['body'] = body
+    kwargs['private_key'] = private_key
+    kwargs['chain'] = chain
+
+    if kwargs.get('roles'):
+        kwargs['roles'] += roles
+    else:
+        kwargs['roles'] = roles
+
+    cert = upload(**kwargs)
+    kwargs['authority_certificate'] = cert
+
+    authority = Authority(**kwargs)
     authority = database.create(authority)
+    kwargs['creator'].authorities.append(authority)
 
-    g.current_user.authorities.append(authority)
-
+    metrics.send('authority_created', 'counter', 1, metric_tags=dict(owner=authority.owner))
     return authority
 
 
@@ -115,7 +131,6 @@ def get(authority_id):
     """
     Retrieves an authority given it's ID
 
-    :rtype : Authority
     :param authority_id:
     :return:
     """
@@ -127,28 +142,22 @@ def get_by_name(authority_name):
     Retrieves an authority given it's name.
 
     :param authority_name:
-    :rtype : Authority
     :return:
     """
     return database.get(Authority, authority_name, field='name')
 
 
-def get_authority_role(ca_name):
+def get_authority_role(ca_name, creator=None):
     """
     Attempts to get the authority role for a given ca uses current_user
     as a basis for accomplishing that.
 
     :param ca_name:
     """
-    if g.current_user.is_admin:
-        authority = get_by_name(ca_name)
-        # TODO we should pick admin ca roles for admin
-        return authority.roles[0]
-    else:
-        for role in g.current_user.roles:
-            if role.authority:
-                if role.authority.name == ca_name:
-                    return role
+    if creator:
+        if creator.is_admin:
+            return role_service.get_by_name("{0}_admin".format(ca_name))
+    return role_service.get_by_name("{0}_operator".format(ca_name))
 
 
 def render(args):
@@ -158,10 +167,6 @@ def render(args):
     :return:
     """
     query = database.session_query(Authority)
-    sort_by = args.pop('sort_by')
-    sort_dir = args.pop('sort_dir')
-    page = args.pop('page')
-    count = args.pop('count')
     filt = args.pop('filter')
 
     if filt:
@@ -171,17 +176,15 @@ def render(args):
         else:
             query = database.filter(query, Authority, terms)
 
-    # we make sure that a user can only use an authority they either own are are a member of - admins can see all
-    if not g.current_user.is_admin:
+    # we make sure that a user can only use an authority they either own are a member of - admins can see all
+    if not args['user'].is_admin:
         authority_ids = []
-        for role in g.current_user.roles:
-            if role.authority:
-                authority_ids.append(role.authority.id)
+        for authority in args['user'].authorities:
+            authority_ids.append(authority.id)
+
+        for role in args['user'].roles:
+            for authority in role.authorities:
+                authority_ids.append(authority.id)
         query = query.filter(Authority.id.in_(authority_ids))
 
-    query = database.find_all(query, Authority, args)
-
-    if sort_by and sort_dir:
-        query = database.sort(query, Authority, sort_by, sort_dir)
-
-    return database.paginate(query, page, count)
+    return database.sort_and_page(query, Authority, args)

lemur/authorities/views.py

@@ -6,31 +6,18 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
 from flask import Blueprint, g
-from flask.ext.restful import reqparse, fields, Api
+from flask_restful import reqparse, Api
 
-from lemur.authorities import service
-from lemur.roles import service as role_service
-from lemur.certificates import service as certificate_service
+from lemur.common.utils import paginated_parser
+from lemur.common.schema import validate_schema
 from lemur.auth.service import AuthenticatedResource
-
 from lemur.auth.permissions import AuthorityPermission
 
-from lemur.common.utils import paginated_parser, marshal_items
+from lemur.certificates import service as certificate_service
 
+from lemur.authorities import service
+from lemur.authorities.schemas import authority_input_schema, authority_output_schema, authorities_output_schema, authority_update_schema
 
-FIELDS = {
-    'name': fields.String,
-    'owner': fields.String,
-    'description': fields.String,
-    'options': fields.Raw,
-    'pluginName': fields.String,
-    'body': fields.String,
-    'chain': fields.String,
-    'active': fields.Boolean,
-    'notBefore': fields.DateTime(dt_format='iso8601', attribute='not_before'),
-    'notAfter': fields.DateTime(dt_format='iso8601', attribute='not_after'),
-    'id': fields.Integer,
-}
 
 mod = Blueprint('authorities', __name__)
 api = Api(mod)
@@ -42,7 +29,7 @@ class AuthoritiesList(AuthenticatedResource):
         self.reqparse = reqparse.RequestParser()
         super(AuthoritiesList, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, authorities_output_schema)
     def get(self):
         """
         .. http:get:: /authorities
@@ -66,28 +53,52 @@ class AuthoritiesList(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "items": [
-                    {
-                      "id": 1,
-                      "name": "authority1",
-                      "description": "this is authority1",
-                      "pluginName": null,
-                      "chain": "-----Begin ...",
-                      "body": "-----Begin ...",
-                      "active": true,
-                      "notBefore": "2015-06-05T17:09:39",
-                      "notAfter": "2015-06-10T17:09:39"
-                      "options": null
-                    }
-                  ]
+                "items": [{
+                    "name": "TestAuthority",
+                    "roles": [{
+                        "id": 123,
+                        "name": "secure@example.com"
+                    }, {
+                        "id": 564,
+                        "name": "TestAuthority_admin"
+                    }, {
+                        "id": 565,
+                        "name": "TestAuthority_operator"
+                    }],
+                    "options": null,
+                    "active": true,
+                    "authorityCertificate": {
+                        "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
+                        "status": true,
+                        "cn": "AcommonName",
+                        "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
+                        "chain": "",
+                        "notBefore": "2016-06-02T00:00:15+00:00",
+                        "notAfter": "2023-06-02T23:59:15+00:00",
+                        "owner": "secure@example.com",
+                        "user": {
+                            "username": "joe@example.com",
+                            "active": true,
+                            "email": "joe@example.com",
+                            "id": 3
+                        },
+                        "active": true,
+                        "bits": 2048,
+                        "id": 2235,
+                        "name": "TestAuthority"
+                    },
+                    "owner": "secure@example.com",
+                    "id": 43,
+                    "description": "This is the ROOT certificate for the TestAuthority certificate authority."
+                }
                 "total": 1
               }
 
            :query sortBy: field to sort on
-           :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query sortDir: asc or desc
+           :query page: int default is 1
+           :query filter: key value pair. format is k;v
+           :query count: count number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
@@ -96,10 +107,11 @@ class AuthoritiesList(AuthenticatedResource):
         """
         parser = paginated_parser.copy()
         args = parser.parse_args()
+        args['user'] = g.current_user
         return service.render(args)
 
-    @marshal_items(FIELDS)
-    def post(self):
+    @validate_schema(authority_input_schema, authority_output_schema)
+    def post(self, data=None):
         """
         .. http:post:: /authorities
 
@@ -113,31 +125,30 @@ class AuthoritiesList(AuthenticatedResource):
               Host: example.com
               Accept: application/json, text/javascript
 
-              {
-                "caDN": {
-                  "country": "US",
-                  "state": "CA",
-                  "location": "A Location",
-                  "organization": "ExampleInc",
-                  "organizationalUnit": "Operations",
-                  "commonName": "a common name"
-                },
-                "caType": "root",
-                "caSigningAlgo": "sha256WithRSA",
-                "caSensitivity": "medium",
+             {
+                "country": "US",
+                "state": "California",
+                "location": "Los Gatos",
+                "organization": "Netflix",
+                "organizationalUnit": "Operations",
+                "type": "root",
+                "signingAlgorithm": "sha256WithRSA",
+                "sensitivity": "medium",
                 "keyType": "RSA2048",
-                "pluginName": "cloudca",
-                "validityStart": "2015-06-11T07:00:00.000Z",
-                "validityEnd": "2015-06-13T07:00:00.000Z",
-                "caName": "DoctestCA",
-                "ownerEmail": "jimbob@example.com",
-                "caDescription": "Example CA",
-                "extensions": {
-                  "subAltNames": {
-                    "names": []
-                  }
+                "plugin": {
+                    "slug": "cloudca-issuer",
                 },
-              }
+                "name": "TimeTestAuthority5",
+                "owner": "secure@example.com",
+                "description": "test",
+                "commonName": "AcommonName",
+                "validityYears": "20",
+                "extensions": {
+                    "subAltNames": {
+                        "names": []
+                    },
+                    "custom": []
+             }
 
            **Example response**:
 
@@ -148,57 +159,68 @@ class AuthoritiesList(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "id": 1,
-                "name": "authority1",
-                "description": "this is authority1",
-                "pluginName": null,
-                "chain": "-----Begin ...",
-                "body": "-----Begin ...",
+                "name": "TestAuthority",
+                "roles": [{
+                    "id": 123,
+                    "name": "secure@example.com"
+                }, {
+                    "id": 564,
+                    "name": "TestAuthority_admin"
+                }, {
+                    "id": 565,
+                    "name": "TestAuthority_operator"
+                }],
+                "options": null,
                 "active": true,
-                "notBefore": "2015-06-05T17:09:39",
-                "notAfter": "2015-06-10T17:09:39"
-                "options": null
+                "authorityCertificate": {
+                    "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
+                    "status": true,
+                    "cn": "AcommonName",
+                    "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
+                    "chain": "",
+                    "notBefore": "2016-06-02T00:00:15+00:00",
+                    "notAfter": "2023-06-02T23:59:15+00:00",
+                    "owner": "secure@example.com",
+                    "user": {
+                        "username": "joe@example.com",
+                        "active": true,
+                        "email": "joe@example.com",
+                        "id": 3
+                    },
+                    "active": true,
+                    "bits": 2048,
+                    "id": 2235,
+                    "name": "TestAuthority"
+                },
+                "owner": "secure@example.com",
+                "id": 43,
+                "description": "This is the ROOT certificate for the TestAuthority certificate authority."
               }
 
-           :arg caName: authority's name
-           :arg caDescription: a sensible description about what the CA with be used for
-           :arg ownerEmail: the team or person who 'owns' this authority
+
+           :arg name: authority's name
+           :arg description: a sensible description about what the CA with be used for
+           :arg owner: the team or person who 'owns' this authority
            :arg validityStart: when this authority should start issuing certificates
            :arg validityEnd: when this authority should stop issuing certificates
+           :arg validityYears: starting from `now` how many years into the future the authority should be valid
            :arg extensions: certificate extensions
-           :arg pluginName: name of the plugin to create the authority
-           :arg caType: the type of authority (root/subca)
-           :arg caParent: the parent authority if this is to be a subca
-           :arg caSigningAlgo: algorithm used to sign the authority
+           :arg plugin: name of the plugin to create the authority
+           :arg type: the type of authority (root/subca)
+           :arg parent: the parent authority if this is to be a subca
+           :arg signingAlgorithm: algorithm used to sign the authority
            :arg keyType: key type
-           :arg caSensitivity: the sensitivity of the root key, for CloudCA this determines if the root keys are stored
+           :arg sensitivity: the sensitivity of the root key, for CloudCA this determines if the root keys are stored
            in an HSM
-           :arg caKeyName: name of the key to store in the HSM (CloudCA)
-           :arg caSerialNumber: serial number of the authority
-           :arg caFirstSerial: specifies the starting serial number for certificates issued off of this authority
+           :arg keyName: name of the key to store in the HSM (CloudCA)
+           :arg serialNumber: serial number of the authority
+           :arg firstSerial: specifies the starting serial number for certificates issued off of this authority
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 403: unauthenticated
            :statuscode 200: no error
         """
-        self.reqparse.add_argument('caName', type=str, location='json', required=True)
-        self.reqparse.add_argument('caDescription', type=str, location='json', required=False)
-        self.reqparse.add_argument('ownerEmail', type=str, location='json', required=True)
-        self.reqparse.add_argument('caDN', type=dict, location='json', required=False)
-        self.reqparse.add_argument('validityStart', type=str, location='json', required=False)  # TODO validate
-        self.reqparse.add_argument('validityEnd', type=str, location='json', required=False)  # TODO validate
-        self.reqparse.add_argument('extensions', type=dict, location='json', required=False)
-        self.reqparse.add_argument('pluginName', type=str, location='json', required=True)
-        self.reqparse.add_argument('caType', type=str, location='json', required=False)
-        self.reqparse.add_argument('caParent', type=str, location='json', required=False)
-        self.reqparse.add_argument('caSigningAlgo', type=str, location='json', required=False)
-        self.reqparse.add_argument('keyType', type=str, location='json', required=False)
-        self.reqparse.add_argument('caSensitivity', type=str, location='json', required=False)
-        self.reqparse.add_argument('caKeyName', type=str, location='json', required=False)
-        self.reqparse.add_argument('caSerialNumber', type=int, location='json', required=False)
-        self.reqparse.add_argument('caFirstSerial', type=int, location='json', required=False)
-
-        args = self.reqparse.parse_args()
-        return service.create(args)
+        data['creator'] = g.current_user
+        return service.create(**data)
 
 
 class Authorities(AuthenticatedResource):
@@ -206,7 +228,7 @@ class Authorities(AuthenticatedResource):
         self.reqparse = reqparse.RequestParser()
         super(Authorities, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, authority_output_schema)
     def get(self, authority_id):
         """
         .. http:get:: /authorities/1
@@ -230,30 +252,40 @@ class Authorities(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "id": 1,
-                "name": "authority1",
-                "description": "this is authority1",
-                "pluginName": null,
-                "chain": "-----Begin ...",
-                "body": "-----Begin ...",
+                "roles": [{
+                    "id": 123,
+                    "name": "secure@example.com"
+                }, {
+                    "id": 564,
+                    "name": "TestAuthority_admin"
+                }, {
+                    "id": 565,
+                    "name": "TestAuthority_operator"
+                }],
                 "active": true,
-                "notBefore": "2015-06-05T17:09:39",
-                "notAfter": "2015-06-10T17:09:39"
-                "options": null
+                "owner": "secure@example.com",
+                "id": 43,
+                "description": "This is the ROOT certificate for the TestAuthority certificate authority."
               }
 
+           :arg description: a sensible description about what the CA with be used for
+           :arg owner: the team or person who 'owns' this authority
+           :arg active: set whether this authoritity is currently in use
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 403: unauthenticated
+           :statuscode 200: no error
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
         """
         return service.get(authority_id)
 
-    @marshal_items(FIELDS)
-    def put(self, authority_id):
+    @validate_schema(authority_update_schema, authority_output_schema)
+    def put(self, authority_id, data=None):
         """
         .. http:put:: /authorities/1
 
-           Update a authority
+           Update an authority
 
            **Example request**:
 
@@ -264,11 +296,42 @@ class Authorities(AuthenticatedResource):
               Accept: application/json, text/javascript
 
               {
-                 "roles": [],
-                 "active": false,
-                 "owner": "bob@example.com",
-                 "description": "this is authority1"
-              }
+                "name": "TestAuthority5",
+                "roles": [{
+                    "id": 566,
+                    "name": "TestAuthority5_admin"
+                }, {
+                    "id": 567,
+                    "name": "TestAuthority5_operator"
+                }, {
+                    "id": 123,
+                    "name": "secure@example.com"
+                }],
+                "active": true,
+                "authorityCertificate": {
+                    "body": "-----BEGIN CERTIFICATE-----",
+                    "status": null,
+                    "cn": "AcommonName",
+                    "description": "This is the ROOT certificate for the TestAuthority5 certificate authority.",
+                    "chain": "",
+                    "notBefore": "2016-06-03T00:00:51+00:00",
+                    "notAfter": "2036-06-03T23:59:51+00:00",
+                    "owner": "secure@example.com",
+                    "user": {
+                        "username": "joe@example.com",
+                        "active": true,
+                        "email": "joe@example.com",
+                        "id": 3
+                    },
+                    "active": true,
+                    "bits": 2048,
+                    "id": 2280,
+                    "name": "TestAuthority5"
+                },
+                "owner": "secure@example.com",
+                "id": 44,
+                "description": "This is the ROOT certificate for the TestAuthority5 certificate authority."
+               }
 
            **Example response**:
 
@@ -279,64 +342,74 @@ class Authorities(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "id": 1,
-                "name": "authority1",
-                "description": "this is authority1",
-                "pluginName": null,
-                "chain": "-----begin ...",
-                "body": "-----begin ...",
-                "active": false,
-                "notBefore": "2015-06-05t17:09:39",
-                "notAfter": "2015-06-10t17:09:39"
-                "options": null
+                "name": "TestAuthority",
+                "roles": [{
+                    "id": 123,
+                    "name": "secure@example.com"
+                }, {
+                    "id": 564,
+                    "name": "TestAuthority_admin"
+                }, {
+                    "id": 565,
+                    "name": "TestAuthority_operator"
+                }],
+                "options": null,
+                "active": true,
+                "authorityCertificate": {
+                    "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
+                    "status": true,
+                    "cn": "AcommonName",
+                    "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
+                    "chain": "",
+                    "notBefore": "2016-06-02T00:00:15+00:00",
+                    "notAfter": "2023-06-02T23:59:15+00:00",
+                    "owner": "secure@example.com",
+                    "user": {
+                        "username": "joe@example.com",
+                        "active": true,
+                        "email": "joe@example.com",
+                        "id": 3
+                    },
+                    "active": true,
+                    "bits": 2048,
+                    "id": 2235,
+                    "name": "TestAuthority"
+                },
+                "owner": "secure@example.com",
+                "id": 43,
+                "description": "This is the ROOT certificate for the TestAuthority certificate authority."
               }
 
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
         """
-        self.reqparse.add_argument('roles', type=list, default=[], location='json')
-        self.reqparse.add_argument('active', type=str, location='json', required=True)
-        self.reqparse.add_argument('owner', type=str, location='json', required=True)
-        self.reqparse.add_argument('description', type=str, location='json', required=True)
-        args = self.reqparse.parse_args()
-
         authority = service.get(authority_id)
-        role = role_service.get_by_name(authority.owner)
+
+        if not authority:
+            return dict(message='Not Found'), 404
 
         # all the authority role members should be allowed
         roles = [x.name for x in authority.roles]
-
-        # allow "owner" roles by team DL
-        roles.append(role)
         permission = AuthorityPermission(authority_id, roles)
 
-        # we want to make sure that we cannot add roles that we are not members of
-        if not g.current_user.is_admin:
-            role_ids = set([r['id'] for r in args['roles']])
-            user_role_ids = set([r.id for r in g.current_user.roles])
-
-            if not role_ids.issubset(user_role_ids):
-                return dict(message="You are not allowed to associate a role which you are not a member of"), 400
-
         if permission.can():
             return service.update(
                 authority_id,
-                owner=args['owner'],
-                description=args['description'],
-                active=args['active'],
-                roles=args['roles']
+                owner=data['owner'],
+                description=data['description'],
+                active=data['active'],
+                roles=data['roles']
             )
 
-        return dict(message="You are not authorized to update this authority"), 403
+        return dict(message="You are not authorized to update this authority."), 403
 
 
 class CertificateAuthority(AuthenticatedResource):
     def __init__(self):
-        self.reqparse = reqparse.RequestParser()
         super(CertificateAuthority, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, authority_output_schema)
     def get(self, certificate_id):
         """
         .. http:get:: /certificates/1/authority
@@ -360,16 +433,42 @@ class CertificateAuthority(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "id": 1,
-                "name": "authority1",
-                "description": "this is authority1",
-                "pluginName": null,
-                "chain": "-----Begin ...",
-                "body": "-----Begin ...",
+                "name": "TestAuthority",
+                "roles": [{
+                    "id": 123,
+                    "name": "secure@example.com"
+                }, {
+                    "id": 564,
+                    "name": "TestAuthority_admin"
+                }, {
+                    "id": 565,
+                    "name": "TestAuthority_operator"
+                }],
+                "options": null,
                 "active": true,
-                "notBefore": "2015-06-05T17:09:39",
-                "notAfter": "2015-06-10T17:09:39"
-                "options": null
+                "authorityCertificate": {
+                    "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
+                    "status": true,
+                    "cn": "AcommonName",
+                    "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
+                    "chain": "",
+                    "notBefore": "2016-06-02T00:00:15+00:00",
+                    "notAfter": "2023-06-02T23:59:15+00:00",
+                    "owner": "secure@example.com",
+                    "user": {
+                        "username": "joe@example.com",
+                        "active": true,
+                        "email": "joe@example.com",
+                        "id": 3
+                    },
+                    "active": true,
+                    "bits": 2048,
+                    "id": 2235,
+                    "name": "TestAuthority"
+                },
+                "owner": "secure@example.com",
+                "id": 43,
+                "description": "This is the ROOT certificate for the TestAuthority certificate authority."
               }
 
            :reqheader Authorization: OAuth token to authenticate
@@ -378,10 +477,36 @@ class CertificateAuthority(AuthenticatedResource):
         """
         cert = certificate_service.get(certificate_id)
         if not cert:
-            return dict(message="Certificate not found"), 404
+            return dict(message="Certificate not found."), 404
 
         return cert.authority
 
+
+class AuthorityVisualizations(AuthenticatedResource):
+    def get(self, authority_id):
+        """
+        {"name": "flare",
+        "children": [
+            {
+                "name": "analytics",
+                "children": [
+                    {
+                        "name": "cluster",
+                        "children": [
+                            {"name": "AgglomerativeCluster", "size": 3938},
+                            {"name": "CommunityStructure", "size": 3812},
+                            {"name": "HierarchicalCluster", "size": 6714},
+                            {"name": "MergeEdge", "size": 743}
+                        ]
+                    }
+            }
+        ]}
+        """
+        authority = service.get(authority_id)
+        return dict(name=authority.name, children=[{"name": c.name} for c in authority.certificates])
+
+
 api.add_resource(AuthoritiesList, '/authorities', endpoint='authorities')
 api.add_resource(Authorities, '/authorities/<int:authority_id>', endpoint='authority')
+api.add_resource(AuthorityVisualizations, '/authorities/<int:authority_id>/visualize', endpoint='authority_visualizations')
 api.add_resource(CertificateAuthority, '/certificates/<int:certificate_id>/authority', endpoint='certificateAuthority')

lemur/certificates/cli.py

@@ -0,0 +1,236 @@
+"""
+.. module: lemur.certificate.cli
+    :platform: Unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+import sys
+
+from flask import current_app
+
+from flask_script import Manager
+
+from lemur import database
+from lemur.extensions import metrics
+from lemur.deployment import service as deployment_service
+from lemur.endpoints import service as endpoint_service
+from lemur.notifications.messaging import send_rotation_notification
+from lemur.certificates.service import reissue_certificate, get_certificate_primitives, get_all_pending_reissue, get_by_name, get_all_certs
+
+from lemur.certificates.verify import verify_string
+
+manager = Manager(usage="Handles all certificate related tasks.")
+
+
+def print_certificate_details(details):
+    """
+    Print the certificate details with formatting.
+    :param details:
+    :return:
+    """
+    print("[+] Re-issuing certificate with the following details: ")
+    print(
+        "\t[+] Common Name: {common_name}\n"
+        "\t[+] Subject Alternate Names: {sans}\n"
+        "\t[+] Authority: {authority_name}\n"
+        "\t[+] Validity Start: {validity_start}\n"
+        "\t[+] Validity End: {validity_end}\n"
+        "\t[+] Organization: {organization}\n"
+        "\t[+] Organizational Unit: {organizational_unit}\n"
+        "\t[+] Country: {country}\n"
+        "\t[+] State: {state}\n"
+        "\t[+] Location: {location}".format(
+            common_name=details['common_name'],
+            sans=",".join(x['value'] for x in details['extensions']['sub_alt_names']['names']) or None,
+            authority_name=details['authority'].name,
+            validity_start=details['validity_start'].isoformat(),
+            validity_end=details['validity_end'].isoformat(),
+            organization=details['organization'],
+            organizational_unit=details['organizational_unit'],
+            country=details['country'],
+            state=details['state'],
+            location=details['location']
+        )
+    )
+
+
+def validate_certificate(certificate_name):
+    """
+    Ensuring that the specified certificate exists.
+    :param certificate_name:
+    :return:
+    """
+    if certificate_name:
+        cert = get_by_name(certificate_name)
+
+        if not cert:
+            print("[-] No certificate found with name: {0}".format(certificate_name))
+            sys.exit(1)
+
+        return cert
+
+
+def validate_endpoint(endpoint_name):
+    """
+    Ensuring that the specified endpoint exists.
+    :param endpoint_name:
+    :return:
+    """
+    if endpoint_name:
+        endpoint = endpoint_service.get_by_name(endpoint_name)
+
+        if not endpoint:
+            print("[-] No endpoint found with name: {0}".format(endpoint_name))
+            sys.exit(1)
+
+        return endpoint
+
+
+def request_rotation(endpoint, certificate, message, commit):
+    """
+    Rotates a certificate and handles any exceptions during
+    execution.
+    :param endpoint:
+    :param certificate:
+    :param message:
+    :param commit:
+    :return:
+    """
+    if commit:
+        try:
+            deployment_service.rotate_certificate(endpoint, certificate)
+            metrics.send('endpoint_rotation_success', 'counter', 1)
+
+            if message:
+                send_rotation_notification(certificate)
+
+        except Exception as e:
+            metrics.send('endpoint_rotation_failure', 'counter', 1)
+            print(
+                "[!] Failed to rotate endpoint {0} to certificate {1} reason: {2}".format(
+                    endpoint.name,
+                    certificate.name,
+                    e
+                )
+            )
+
+
+def request_reissue(certificate, commit):
+    """
+    Reissuing certificate and handles any exceptions.
+    :param certificate:
+    :param commit:
+    :return:
+    """
+    details = get_certificate_primitives(certificate)
+
+    print_certificate_details(details)
+    if commit:
+        try:
+            new_cert = reissue_certificate(certificate, replace=True)
+            metrics.send('certificate_reissue_success', 'counter', 1)
+            print("[+] New certificate named: {0}".format(new_cert.name))
+        except Exception as e:
+            metrics.send('certificate_reissue_failure', 'counter', 1)
+            print(
+                "[!] Failed to reissue certificate {1} reason: {2}".format(
+                    certificate.name,
+                    e
+                )
+            )
+
+
+@manager.option('-e', '--endpoint', dest='endpoint_name', help='Name of the endpoint you wish to rotate.')
+@manager.option('-n', '--new-certificate', dest='new_certificate_name', help='Name of the certificate you wish to rotate to.')
+@manager.option('-o', '--old-certificate', dest='old_certificate_name', help='Name of the certificate you wish to rotate.')
+@manager.option('-a', '--notify', dest='message', action='store_true', help='Send a rotation notification to the certificates owner.')
+@manager.option('-c', '--commit', dest='commit', action='store_true', default=False, help='Persist changes.')
+def rotate(endpoint_name, new_certificate_name, old_certificate_name, message, commit):
+    """
+    Rotates an endpoint and reissues it if it has not already been replaced. If it has
+    been replaced, will use the replacement certificate for the rotation.
+    """
+    if commit:
+        print("[!] Running in COMMIT mode.")
+
+    print("[+] Starting endpoint rotation.")
+
+    old_cert = validate_certificate(old_certificate_name)
+    new_cert = validate_certificate(new_certificate_name)
+    endpoint = validate_endpoint(endpoint_name)
+
+    if endpoint and new_cert:
+        print("[+] Rotating endpoint: {0} to certificate {1}".format(endpoint.name, new_cert.name))
+        request_rotation(endpoint, new_cert, message, commit)
+
+    elif old_cert and new_cert:
+        print("[+] Rotating all endpoints from {0} to {1}".format(old_cert.name, new_cert.name))
+
+        for endpoint in old_cert.endpoints:
+            print("[+] Rotating {0}".format(endpoint.name))
+            request_rotation(endpoint, new_cert, message, commit)
+
+    else:
+        print("[+] Rotating all endpoints that have new certificates available")
+        for endpoint in endpoint_service.get_all_pending_rotation():
+            if len(endpoint.certificate.replaced) == 1:
+                print("[+] Rotating {0} to {1}".format(endpoint.name, endpoint.certificate.replaced[0].name))
+                request_rotation(endpoint, endpoint.certificate.replaced[0], message, commit)
+            else:
+                metrics.send('endpoint_rotation_failure', 'counter', 1)
+                print("[!] Failed to rotate endpoint {0} reason: Multiple replacement certificates found.".format(
+                    endpoint.name
+                ))
+
+    print("[+] Done!")
+
+
+@manager.option('-o', '--old-certificate', dest='old_certificate_name', help='Name of the certificate you wish to reissue.')
+@manager.option('-c', '--commit', dest='commit', action='store_true', default=False, help='Persist changes.')
+def reissue(old_certificate_name, commit):
+    """
+    Reissues certificate with the same parameters as it was originally issued with.
+    If not time period is provided, reissues certificate as valid from today to
+    today + length of original.
+    """
+    if commit:
+        print("[!] Running in COMMIT mode.")
+
+    print("[+] Starting certificate re-issuance.")
+
+    old_cert = validate_certificate(old_certificate_name)
+
+    if not old_cert:
+        for certificate in get_all_pending_reissue():
+            print("[+] {0} is eligible for re-issuance".format(certificate.name))
+            request_reissue(certificate, commit)
+    else:
+        request_reissue(old_cert, commit)
+
+    print("[+] Done!")
+
+
+@manager.command
+def check_revoked():
+    """
+    Function attempts to update Lemur's internal cache with revoked
+    certificates. This is called periodically by Lemur. It checks both
+    CRLs and OCSP to see if a certificate is revoked. If Lemur is unable
+    encounters an issue with verification it marks the certificate status
+    as `unknown`.
+    """
+    for cert in get_all_certs():
+        try:
+            if cert.chain:
+                status = verify_string(cert.body, cert.chain)
+            else:
+                status = verify_string(cert.body, "")
+
+            cert.status = 'valid' if status else 'invalid'
+
+        except Exception as e:
+            current_app.logger.exception(e)
+            cert.status = 'unknown'
+
+        database.update(cert)

lemur/certificates/exceptions.py

@@ -1,88 +0,0 @@
-"""
-.. module: lemur.certificates.exceptions
-    :synopsis: Defines all monterey specific exceptions
-    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
-    :license: Apache, see LICENSE for more details.
-.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
-"""
-from flask import current_app
-from lemur.exceptions import LemurException
-
-
-class UnknownAuthority(LemurException):
-    def __init__(self, authority):
-        self.code = 404
-        self.authority = authority
-        self.data = {"message": "The authority specified '{}' is not a valid authority".format(self.authority)}
-
-        current_app.logger.warning(self)
-
-    def __str__(self):
-        return repr(self.data['message'])
-
-
-class InsufficientDomains(LemurException):
-    def __init__(self):
-        self.code = 400
-        self.data = {"message": "Need at least one domain specified in order create a certificate"}
-
-        current_app.logger.warning(self)
-
-    def __str__(self):
-        return repr(self.data['message'])
-
-
-class InvalidCertificate(LemurException):
-    def __init__(self):
-        self.code = 400
-        self.data = {"message": "Need at least one domain specified in order create a certificate"}
-
-        current_app.logger.warning(self)
-
-    def __str__(self):
-        return repr(self.data['message'])
-
-
-class UnableToCreateCSR(LemurException):
-    def __init__(self):
-        self.code = 500
-        self.data = {"message": "Unable to generate CSR"}
-
-        current_app.logger.error(self)
-
-    def __str__(self):
-        return repr(self.data['message'])
-
-
-class UnableToCreatePrivateKey(LemurException):
-    def __init__(self):
-        self.code = 500
-        self.data = {"message": "Unable to generate Private Key"}
-
-        current_app.logger.error(self)
-
-    def __str__(self):
-        return repr(self.data['message'])
-
-
-class MissingFiles(LemurException):
-    def __init__(self, path):
-        self.code = 500
-        self.path = path
-        self.data = {"path": self.path, "message": "Expecting missing files"}
-
-        current_app.logger.error(self)
-
-    def __str__(self):
-        return repr(self.data['message'])
-
-
-class NoPersistanceFound(LemurException):
-    def __init__(self):
-        self.code = 500
-        self.data = {"code": 500, "message": "No peristence method found, Lemur cannot persist sensitive information"}
-
-        current_app.logger.error(self)
-
-    def __str__(self):
-        return repr(self.data['message'])

lemur/certificates/models.py

@@ -5,266 +5,295 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-import datetime
+import arrow
+
 from flask import current_app
 
 from cryptography import x509
-from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+from idna.core import InvalidCodepoint
+
 from sqlalchemy.orm import relationship
-from sqlalchemy import event, Integer, ForeignKey, String, DateTime, PassiveDefault, func, Column, Text, Boolean
+from sqlalchemy.sql.expression import case
+from sqlalchemy.ext.hybrid import hybrid_property
+from sqlalchemy import event, Integer, ForeignKey, String, PassiveDefault, func, Column, Text, Boolean
 
-from sqlalchemy_utils import EncryptedType
+from sqlalchemy_utils.types.arrow import ArrowType
+
+import lemur.common.utils
 
-from lemur.utils import get_key
 from lemur.database import db
+
+from lemur.utils import Vault
+from lemur.common import defaults
+
 from lemur.plugins.base import plugins
 
+from lemur.extensions import metrics
+
+from lemur.models import certificate_associations, certificate_source_associations, \
+    certificate_destination_associations, certificate_notification_associations, \
+    certificate_replacement_associations, roles_certificates
+
 from lemur.domains.models import Domain
 
-from lemur.constants import SAN_NAMING_TEMPLATE, DEFAULT_NAMING_TEMPLATE
 
-from lemur.models import certificate_associations, certificate_source_associations, \
-    certificate_destination_associations, certificate_notification_associations
+def get_sequence(name):
+    if '-' not in name:
+        return name, None
 
+    parts = name.split('-')
+    end = parts.pop(-1)
+    root = '-'.join(parts)
 
-def create_name(issuer, not_before, not_after, subject, san):
-    """
-    Create a name for our certificate. A naming standard
-    is based on a series of templates. The name includes
-    useful information such as Common Name, Validation dates,
-    and Issuer.
+    if len(end) == 8:
+        return root + '-' + end, None
 
-    :rtype : str
-    :return:
-    """
-    if san:
-        t = SAN_NAMING_TEMPLATE
-    else:
-        t = DEFAULT_NAMING_TEMPLATE
-
-    temp = t.format(
-        subject=subject,
-        issuer=issuer,
-        not_before=not_before.strftime('%Y%m%d'),
-        not_after=not_after.strftime('%Y%m%d')
-    )
-
-    # NOTE we may want to give more control over naming
-    # aws doesn't allow special chars except '-'
-    disallowed_chars = ''.join(c for c in map(chr, range(256)) if not c.isalnum())
-    disallowed_chars = disallowed_chars.replace("-", "")
-    disallowed_chars = disallowed_chars.replace(".", "")
-    temp = temp.replace('*', "WILDCARD")
-
-    for c in disallowed_chars:
-        temp = temp.replace(c, "")
-
-    # white space is silly too
-    return temp.replace(" ", "-")
-
-
-def cert_get_cn(cert):
-    """
-    Attempts to get a sane common name from a given certificate.
-
-    :param cert:
-    :return: Common name or None
-    """
-    return cert.subject.get_attributes_for_oid(
-        x509.OID_COMMON_NAME
-    )[0].value.strip()
-
-
-def cert_get_domains(cert):
-    """
-    Attempts to get an domains listed in a certificate.
-    If 'subjectAltName' extension is not available we simply
-    return the common name.
-
-    :param cert:
-    :return: List of domains
-    """
-    domains = []
     try:
-        ext = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_ALTERNATIVE_NAME)
-        entries = ext.value.get_values_for_type(x509.DNSName)
-        for entry in entries:
-            domains.append(entry)
-    except Exception as e:
-        current_app.logger.warning("Failed to get SubjectAltName: {0}".format(e))
+        end = int(end)
+    except ValueError:
+        end = None
 
-    return domains
+    return root, end
 
 
-def cert_get_serial(cert):
-    """
-    Fetch the serial number from the certificate.
+def get_or_increase_name(name):
+    name = '-'.join(name.strip().split(' '))
+    certificates = Certificate.query.filter(Certificate.name.ilike('{0}%'.format(name))).all()
 
-    :param cert:
-    :return: serial number
-    """
-    return cert.serial
+    if not certificates:
+        return name
 
+    ends = [0]
+    root, end = get_sequence(name)
+    for cert in certificates:
+        root, end = get_sequence(cert.name)
+        if end:
+            ends.append(end)
 
-def cert_is_san(cert):
-    """
-    Determines if a given certificate is a SAN certificate.
-    SAN certificates are simply certificates that cover multiple domains.
-
-    :param cert:
-    :return: Bool
-    """
-    if len(cert_get_domains(cert)) > 1:
-        return True
-
-
-def cert_is_wildcard(cert):
-    """
-    Determines if certificate is a wildcard certificate.
-
-    :param cert:
-    :return: Bool
-    """
-    domains = cert_get_domains(cert)
-    if len(domains) == 1 and domains[0][0:1] == "*":
-        return True
-
-    if cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)[0].value[0:1] == "*":
-        return True
-
-
-def cert_get_bitstrength(cert):
-    """
-    Calculates a certificates public key bit length.
-
-    :param cert:
-    :return: Integer
-    """
-    return cert.public_key().key_size
-
-
-def cert_get_issuer(cert):
-    """
-    Gets a sane issuer from a given certificate.
-
-    :param cert:
-    :return: Issuer
-    """
-    delchars = ''.join(c for c in map(chr, range(256)) if not c.isalnum())
-    try:
-        issuer = str(cert.issuer.get_attributes_for_oid(x509.OID_ORGANIZATION_NAME)[0].value)
-        for c in delchars:
-            issuer = issuer.replace(c, "")
-        return issuer
-    except Exception as e:
-        current_app.logger.error("Unable to get issuer! {0}".format(e))
-
-
-def cert_get_not_before(cert):
-    """
-    Gets the naive datetime of the certificates 'not_before' field.
-    This field denotes the first date in time which the given certificate
-    is valid.
-
-    :param cert:
-    :return: Datetime
-    """
-    return cert.not_valid_before
-
-
-def cert_get_not_after(cert):
-    """
-    Gets the naive datetime of the certificates 'not_after' field.
-    This field denotes the last date in time which the given certificate
-    is valid.
-
-    :param cert:
-    :return: Datetime
-    """
-    return cert.not_valid_after
-
-
-def get_name_from_arn(arn):
-    """
-    Extract the certificate name from an arn.
-
-    :param arn: IAM SSL arn
-    :return: name of the certificate as uploaded to AWS
-    """
-    return arn.split("/", 1)[1]
-
-
-def get_account_number(arn):
-    """
-    Extract the account number from an arn.
-
-    :param arn: IAM SSL arn
-    :return: account number associated with ARN
-    """
-    return arn.split(":")[4]
+    return '{0}-{1}'.format(root, max(ends) + 1)
 
 
 class Certificate(db.Model):
     __tablename__ = 'certificates'
     id = Column(Integer, primary_key=True)
-    owner = Column(String(128))
-    body = Column(Text())
-    private_key = Column(EncryptedType(String, get_key))
-    status = Column(String(128))
-    deleted = Column(Boolean, index=True)
-    name = Column(String(128))
+    owner = Column(String(128), nullable=False)
+    name = Column(String(128), unique=True)
+    description = Column(String(1024))
+    notify = Column(Boolean, default=True)
+
+    body = Column(Text(), nullable=False)
     chain = Column(Text())
-    bits = Column(Integer())
+    private_key = Column(Vault)
+
     issuer = Column(String(128))
     serial = Column(String(128))
     cn = Column(String(128))
-    description = Column(String(1024))
-    active = Column(Boolean, default=True)
-    san = Column(String(1024))
-    not_before = Column(DateTime)
-    not_after = Column(DateTime)
-    date_created = Column(DateTime, PassiveDefault(func.now()), nullable=False)
+    deleted = Column(Boolean, index=True)
+
+    not_before = Column(ArrowType)
+    not_after = Column(ArrowType)
+    date_created = Column(ArrowType, PassiveDefault(func.now()), nullable=False)
+
+    signing_algorithm = Column(String(128))
+    status = Column(String(128))
+    bits = Column(Integer())
+    san = Column(String(1024))  # TODO this should be migrated to boolean
+
+    rotation = Column(Boolean, default=False)
+
     user_id = Column(Integer, ForeignKey('users.id'))
-    authority_id = Column(Integer, ForeignKey('authorities.id'))
-    notifications = relationship("Notification", secondary=certificate_notification_associations, backref='certificate')
-    destinations = relationship("Destination", secondary=certificate_destination_associations, backref='certificate')
-    sources = relationship("Source", secondary=certificate_source_associations, backref='certificate')
-    domains = relationship("Domain", secondary=certificate_associations, backref="certificate")
+    authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))
+    root_authority_id = Column(Integer, ForeignKey('authorities.id', ondelete="CASCADE"))
 
-    def __init__(self, body, private_key=None, chain=None):
-        self.body = body
-        # We encrypt the private_key on creation
-        self.private_key = private_key
-        self.chain = chain
-        cert = x509.load_pem_x509_certificate(str(self.body), default_backend())
-        self.bits = cert_get_bitstrength(cert)
-        self.issuer = cert_get_issuer(cert)
-        self.serial = cert_get_serial(cert)
-        self.cn = cert_get_cn(cert)
-        self.san = cert_is_san(cert)
-        self.not_before = cert_get_not_before(cert)
-        self.not_after = cert_get_not_after(cert)
-        self.name = create_name(self.issuer, self.not_before, self.not_after, self.cn, self.san)
+    notifications = relationship('Notification', secondary=certificate_notification_associations, backref='certificate')
+    destinations = relationship('Destination', secondary=certificate_destination_associations, backref='certificate')
+    sources = relationship('Source', secondary=certificate_source_associations, backref='certificate')
+    domains = relationship('Domain', secondary=certificate_associations, backref='certificate')
+    roles = relationship('Role', secondary=roles_certificates, backref='certificate')
+    replaces = relationship('Certificate',
+                            secondary=certificate_replacement_associations,
+                            primaryjoin=id == certificate_replacement_associations.c.certificate_id,  # noqa
+                            secondaryjoin=id == certificate_replacement_associations.c.replaced_certificate_id,  # noqa
+                            backref='replaced')
 
-        for domain in cert_get_domains(cert):
+    logs = relationship('Log', backref='certificate')
+    endpoints = relationship('Endpoint', backref='certificate')
+
+    def __init__(self, **kwargs):
+        cert = lemur.common.utils.parse_certificate(kwargs['body'])
+
+        self.issuer = defaults.issuer(cert)
+        self.cn = defaults.common_name(cert)
+        self.san = defaults.san(cert)
+        self.not_before = defaults.not_before(cert)
+        self.not_after = defaults.not_after(cert)
+
+        # when destinations are appended they require a valid name.
+        if kwargs.get('name'):
+            self.name = get_or_increase_name(kwargs['name'])
+        else:
+            self.name = get_or_increase_name(defaults.certificate_name(self.cn, self.issuer, self.not_before, self.not_after, self.san))
+
+        self.owner = kwargs['owner']
+        self.body = kwargs['body'].strip()
+
+        if kwargs.get('private_key'):
+            self.private_key = kwargs['private_key'].strip()
+
+        if kwargs.get('chain'):
+            self.chain = kwargs['chain'].strip()
+
+        self.notify = kwargs.get('notify', True)
+        self.destinations = kwargs.get('destinations', [])
+        self.notifications = kwargs.get('notifications', [])
+        self.description = kwargs.get('description')
+        self.roles = list(set(kwargs.get('roles', [])))
+        self.replaces = kwargs.get('replaces', [])
+        self.rotation = kwargs.get('rotation')
+        self.signing_algorithm = defaults.signing_algorithm(cert)
+        self.bits = defaults.bitstrength(cert)
+        self.serial = defaults.serial(cert)
+
+        for domain in defaults.domains(cert):
             self.domains.append(Domain(name=domain))
 
     @property
-    def is_expired(self):
-        if self.not_after < datetime.datetime.now():
-            return True
+    def active(self):
+        return self.notify
 
     @property
-    def is_unused(self):
-        if self.elb_listeners.count() == 0:
-            return True
+    def organization(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        return defaults.organization(cert)
 
     @property
-    def is_revoked(self):
-        # we might not yet know the condition of the cert
-        if self.status:
-            if 'revoked' in self.status:
-                return True
+    def organizational_unit(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        return defaults.organizational_unit(cert)
+
+    @property
+    def country(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        return defaults.country(cert)
+
+    @property
+    def state(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        return defaults.state(cert)
+
+    @property
+    def location(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        return defaults.location(cert)
+
+    @property
+    def key_type(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        if isinstance(cert.public_key(), rsa.RSAPublicKey):
+            return 'RSA{key_size}'.format(key_size=cert.public_key().key_size)
+
+    @property
+    def validity_remaining(self):
+        return abs(self.not_after - arrow.utcnow())
+
+    @property
+    def validity_range(self):
+        return self.not_after - self.not_before
+
+    @property
+    def subject(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        return cert.subject
+
+    @property
+    def public_key(self):
+        cert = lemur.common.utils.parse_certificate(self.body)
+        return cert.public_key()
+
+    @hybrid_property
+    def expired(self):
+        if self.not_after <= arrow.utcnow():
+            return True
+
+    @expired.expression
+    def expired(cls):
+        return case(
+            [
+                (cls.not_after <= arrow.utcnow(), True)
+            ],
+            else_=False
+        )
+
+    @hybrid_property
+    def revoked(self):
+        if 'revoked' == self.status:
+            return True
+
+    @revoked.expression
+    def revoked(cls):
+        return case(
+            [
+                (cls.status == 'revoked', True)
+            ],
+            else_=False
+        )
+
+    @property
+    def extensions(self):
+        # setup default values
+        return_extensions = {
+            'sub_alt_names': {'names': []}
+        }
+
+        try:
+            cert = lemur.common.utils.parse_certificate(self.body)
+            for extension in cert.extensions:
+                value = extension.value
+                if isinstance(value, x509.BasicConstraints):
+                    return_extensions['basic_constraints'] = value
+
+                elif isinstance(value, x509.SubjectAlternativeName):
+                    return_extensions['sub_alt_names']['names'] = value
+
+                elif isinstance(value, x509.ExtendedKeyUsage):
+                    return_extensions['extended_key_usage'] = value
+
+                elif isinstance(value, x509.KeyUsage):
+                    return_extensions['key_usage'] = value
+
+                elif isinstance(value, x509.SubjectKeyIdentifier):
+                    return_extensions['subject_key_identifier'] = {'include_ski': True}
+
+                elif isinstance(value, x509.AuthorityInformationAccess):
+                    return_extensions['certificate_info_access'] = {'include_aia': True}
+
+                elif isinstance(value, x509.AuthorityKeyIdentifier):
+                    aki = {
+                        'use_key_identifier': False,
+                        'use_authority_cert': False
+                    }
+
+                    if value.key_identifier:
+                        aki['use_key_identifier'] = True
+
+                    if value.authority_cert_issuer:
+                        aki['use_authority_cert'] = True
+
+                    return_extensions['authority_key_identifier'] = aki
+
+                # TODO: Don't support CRLDistributionPoints yet https://github.com/Netflix/lemur/issues/662
+                elif isinstance(value, x509.CRLDistributionPoints):
+                    current_app.logger.warning('CRLDistributionPoints not yet supported for clone operation.')
+
+                # TODO: Not supporting custom OIDs yet. https://github.com/Netflix/lemur/issues/665
+                else:
+                    current_app.logger.warning('Custom OIDs not yet supported for clone operation.')
+        except InvalidCodepoint as e:
+            current_app.logger.warning('Unable to parse extensions due to underscore in dns name')
+
+        return return_extensions
 
     def get_arn(self, account_number):
         """
@@ -276,11 +305,38 @@ class Certificate(db.Model):
         """
         return "arn:aws:iam::{}:server-certificate/{}".format(account_number, self.name)
 
-    def as_dict(self):
-        return {c.name: getattr(self, c.name) for c in self.__table__.columns}
+    def __repr__(self):
+        return "Certificate(name={name})".format(name=self.name)
 
 
 @event.listens_for(Certificate.destinations, 'append')
 def update_destinations(target, value, initiator):
+    """
+    Attempt to upload certificate to the new destination
+
+    :param target:
+    :param value:
+    :param initiator:
+    :return:
+    """
     destination_plugin = plugins.get(value.plugin_name)
-    destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)
+
+    try:
+        if target.private_key:
+            destination_plugin.upload(target.name, target.body, target.private_key, target.chain, value.options)
+    except Exception as e:
+        current_app.logger.exception(e)
+        metrics.send('destination_upload_failure', 'counter', 1, metric_tags={'certificate': target.name, 'destination': value.label})
+
+
+@event.listens_for(Certificate.replaces, 'append')
+def update_replacement(target, value, initiator):
+    """
+    When a certificate is marked as 'replaced' we should not notify.
+
+    :param target:
+    :param value:
+    :param initiator:
+    :return:
+    """
+    value.notify = False

lemur/certificates/schemas.py

@@ -0,0 +1,243 @@
+"""
+.. module: lemur.certificates.schemas
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from flask import current_app
+from marshmallow import fields, validate, validates_schema, post_load, pre_load
+from marshmallow.exceptions import ValidationError
+
+from lemur.schemas import AssociatedAuthoritySchema, AssociatedDestinationSchema, AssociatedCertificateSchema, \
+    AssociatedNotificationSchema, PluginInputSchema, ExtensionSchema, AssociatedRoleSchema, EndpointNestedOutputSchema
+
+from lemur.authorities.schemas import AuthorityNestedOutputSchema
+from lemur.destinations.schemas import DestinationNestedOutputSchema
+from lemur.notifications.schemas import NotificationNestedOutputSchema
+from lemur.roles.schemas import RoleNestedOutputSchema
+from lemur.domains.schemas import DomainNestedOutputSchema
+from lemur.users.schemas import UserNestedOutputSchema
+
+from lemur.common.schema import LemurInputSchema, LemurOutputSchema
+from lemur.common import validators, missing
+from lemur.notifications import service as notification_service
+
+from lemur.common.fields import ArrowDateTime
+
+
+class CertificateSchema(LemurInputSchema):
+    owner = fields.Email(required=True)
+    description = fields.String()
+
+
+class CertificateCreationSchema(CertificateSchema):
+    @post_load
+    def default_notification(self, data):
+        if not data['notifications']:
+            notification_name = "DEFAULT_{0}".format(data['owner'].split('@')[0].upper())
+            data['notifications'] += notification_service.create_default_expiration_notifications(notification_name, [data['owner']])
+
+        notification_name = 'DEFAULT_SECURITY'
+        data['notifications'] += notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
+        return data
+
+
+class CertificateInputSchema(CertificateCreationSchema):
+    name = fields.String()
+    common_name = fields.String(required=True, validate=validators.sensitive_domain)
+    authority = fields.Nested(AssociatedAuthoritySchema, required=True)
+
+    validity_start = ArrowDateTime()
+    validity_end = ArrowDateTime()
+    validity_years = fields.Integer()
+
+    destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
+    notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
+    replaces = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
+    replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)  # deprecated
+    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)
+
+    csr = fields.String(validate=validators.csr)
+    key_type = fields.String(validate=validate.OneOf(['RSA2048', 'RSA4096']), missing='RSA2048')
+
+    notify = fields.Boolean(default=True)
+    rotation = fields.Boolean()
+
+    # certificate body fields
+    organizational_unit = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT'))
+    organization = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'))
+    location = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_LOCATION'))
+    country = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_COUNTRY'))
+    state = fields.String(missing=lambda: current_app.config.get('LEMUR_DEFAULT_STATE'))
+
+    extensions = fields.Nested(ExtensionSchema)
+
+    @validates_schema
+    def validate_dates(self, data):
+        validators.dates(data)
+
+    @pre_load
+    def load_data(self, data):
+        if data.get('replacements'):
+            data['replaces'] = data['replacements']  # TODO remove when field is deprecated
+        return missing.convert_validity_years(data)
+
+
+class CertificateEditInputSchema(CertificateSchema):
+    owner = fields.String()
+
+    notify = fields.Boolean()
+    rotation = fields.Boolean()
+
+    destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
+    notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
+    replaces = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
+    replacements = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)  # deprecated
+    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)
+
+    @pre_load
+    def load_data(self, data):
+        if data.get('replacements'):
+            data['replaces'] = data['replacements']  # TODO remove when field is deprecated
+        return data
+
+    @post_load
+    def enforce_notifications(self, data):
+        """
+        Ensures that when an owner changes, default notifications are added for the new owner.
+        Old owner notifications are retained unless explicitly removed.
+        :param data:
+        :return:
+        """
+        if data['owner']:
+            notification_name = "DEFAULT_{0}".format(data['owner'].split('@')[0].upper())
+            data['notifications'] += notification_service.create_default_expiration_notifications(notification_name, [data['owner']])
+        return data
+
+
+class CertificateNestedOutputSchema(LemurOutputSchema):
+    __envelope__ = False
+    id = fields.Integer()
+    name = fields.String()
+    owner = fields.Email()
+    creator = fields.Nested(UserNestedOutputSchema)
+    description = fields.String()
+
+    status = fields.Boolean()
+
+    bits = fields.Integer()
+    body = fields.String()
+    chain = fields.String()
+    active = fields.Boolean()
+
+    rotation = fields.Boolean()
+    notify = fields.Boolean()
+
+    # Note aliasing  is the first step in deprecating these fields.
+    cn = fields.String()  # deprecated
+    common_name = fields.String(attribute='cn')
+
+    not_after = fields.DateTime()  # deprecated
+    validity_end = ArrowDateTime(attribute='not_after')
+
+    not_before = fields.DateTime()  # deprecated
+    validity_start = ArrowDateTime(attribute='not_before')
+
+    issuer = fields.Nested(AuthorityNestedOutputSchema)
+
+
+class CertificateCloneSchema(LemurOutputSchema):
+    __envelope__ = False
+    description = fields.String()
+    common_name = fields.String()
+
+
+class CertificateOutputSchema(LemurOutputSchema):
+    id = fields.Integer()
+    bits = fields.Integer()
+    body = fields.String()
+    chain = fields.String()
+    deleted = fields.Boolean(default=False)
+    description = fields.String()
+    issuer = fields.String()
+    name = fields.String()
+
+    rotation = fields.Boolean()
+
+    # Note aliasing  is the first step in deprecating these fields.
+    notify = fields.Boolean()
+    active = fields.Boolean(attribute='notify')
+
+    cn = fields.String()
+    common_name = fields.String(attribute='cn')
+
+    not_after = fields.DateTime()
+    validity_end = ArrowDateTime(attribute='not_after')
+
+    not_before = fields.DateTime()
+    validity_start = ArrowDateTime(attribute='not_before')
+
+    owner = fields.Email()
+    san = fields.Boolean()
+    serial = fields.String()
+    signing_algorithm = fields.String()
+
+    status = fields.Boolean()
+    user = fields.Nested(UserNestedOutputSchema)
+
+    extensions = fields.Nested(ExtensionSchema)
+
+    # associated objects
+    domains = fields.Nested(DomainNestedOutputSchema, many=True)
+    destinations = fields.Nested(DestinationNestedOutputSchema, many=True)
+    notifications = fields.Nested(NotificationNestedOutputSchema, many=True)
+    replaces = fields.Nested(CertificateNestedOutputSchema, many=True)
+    authority = fields.Nested(AuthorityNestedOutputSchema)
+    roles = fields.Nested(RoleNestedOutputSchema, many=True)
+    endpoints = fields.Nested(EndpointNestedOutputSchema, many=True, missing=[])
+    replaced_by = fields.Nested(CertificateNestedOutputSchema, many=True, attribute='replaced')
+
+
+class CertificateUploadInputSchema(CertificateCreationSchema):
+    name = fields.String()
+    notify = fields.Boolean(missing=True)
+
+    private_key = fields.String(validate=validators.private_key)
+    body = fields.String(required=True, validate=validators.public_certificate)
+    chain = fields.String(validate=validators.public_certificate, missing=None, allow_none=True)  # TODO this could be multiple certificates
+
+    destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
+    notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
+    replaces = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
+    roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)
+
+    @validates_schema
+    def keys(self, data):
+        if data.get('destinations'):
+            if not data.get('private_key'):
+                raise ValidationError('Destinations require private key.')
+
+
+class CertificateExportInputSchema(LemurInputSchema):
+    plugin = fields.Nested(PluginInputSchema)
+
+
+class CertificateNotificationOutputSchema(LemurOutputSchema):
+    description = fields.String()
+    issuer = fields.String()
+    name = fields.String()
+    owner = fields.Email()
+    user = fields.Nested(UserNestedOutputSchema)
+    validity_end = ArrowDateTime(attribute='not_after')
+    replaced_by = fields.Nested(CertificateNestedOutputSchema, many=True, attribute='replaced')
+    endpoints = fields.Nested(EndpointNestedOutputSchema, many=True, missing=[])
+
+
+certificate_input_schema = CertificateInputSchema()
+certificate_output_schema = CertificateOutputSchema()
+certificates_output_schema = CertificateOutputSchema(many=True)
+certificate_upload_input_schema = CertificateUploadInputSchema()
+certificate_export_input_schema = CertificateExportInputSchema()
+certificate_edit_input_schema = CertificateEditInputSchema()
+certificate_notification_output_schema = CertificateNotificationOutputSchema()

lemur/certificates/service.py

@@ -1,34 +1,40 @@
 """
-.. module: service
+.. module: lemur.certificate.service
     :platform: Unix
     :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
 import arrow
+from datetime import timedelta
 
-from sqlalchemy import func, or_
-from flask import g, current_app
-
-from lemur import database
-from lemur.plugins.base import plugins
-from lemur.certificates.models import Certificate
-
-from lemur.destinations.models import Destination
-from lemur.notifications.models import Notification
-from lemur.authorities.models import Authority
-
-from lemur.roles.models import Role
+from flask import current_app
+from sqlalchemy import func, or_, not_, cast, Boolean, Integer
 
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
+
+from lemur import database
+from lemur.extensions import metrics
+from lemur.plugins.base import plugins
+from lemur.common.utils import generate_private_key
+
+from lemur.roles.models import Role
+from lemur.domains.models import Domain
+from lemur.authorities.models import Authority
+from lemur.destinations.models import Destination
+from lemur.certificates.models import Certificate
+from lemur.notifications.models import Notification
+
+from lemur.certificates.schemas import CertificateOutputSchema, CertificateInputSchema
+
+from lemur.roles import service as role_service
 
 
 def get(cert_id):
     """
-    Retrieves certificate by it's ID.
+    Retrieves certificate by its ID.
 
     :param cert_id:
     :return:
@@ -38,7 +44,7 @@ def get(cert_id):
 
 def get_by_name(name):
     """
-    Retrieves certificate by it's Name.
+    Retrieves certificate by its Name.
 
     :param name:
     :return:
@@ -64,74 +70,116 @@ def get_all_certs():
     return Certificate.query.all()
 
 
-def find_duplicates(cert_body):
+def get_all_pending_cleaning(source):
+    """
+    Retrieves all certificates that are available for cleaning.
+
+    :param source:
+    :return:
+    """
+    return Certificate.query.filter(Certificate.sources.any(id=source.id))\
+                            .filter(not_(Certificate.endpoints.any())).all()
+
+
+def get_all_pending_reissue():
+    """
+    Retrieves all certificates that need to be rotated.
+
+    Must be X days from expiration, uses `LEMUR_DEFAULT_ROTATION_INTERVAL`
+    to determine how many days from expiration the certificate must be
+    for rotation to be pending.
+
+    :return:
+    """
+    now = arrow.utcnow()
+    interval = current_app.config.get('LEMUR_DEFAULT_ROTATION_INTERVAL', 30)
+    end = now + timedelta(days=interval)
+
+    return Certificate.query.filter(Certificate.rotation == True)\
+        .filter(Certificate.endpoints.any())\
+        .filter(not_(Certificate.replaced.any()))\
+        .filter(Certificate.not_after <= end.format('YYYY-MM-DD')).all()  # noqa
+
+
+def find_duplicates(cert):
     """
     Finds certificates that already exist within Lemur. We do this by looking for
     certificate bodies that are the same. This is the most reliable way to determine
     if a certificate is already being tracked by Lemur.
 
-    :param cert_body:
+    :param cert:
     :return:
     """
-    return Certificate.query.filter_by(body=cert_body).all()
+    if cert['chain']:
+        return Certificate.query.filter_by(body=cert['body'].strip(), chain=cert['chain'].strip()).all()
+    else:
+        return Certificate.query.filter_by(body=cert['body'].strip(), chain=None).all()
 
 
-def update(cert_id, owner, description, active, destinations, notifications):
+def export(cert, export_plugin):
     """
-    Updates a certificate.
+    Exports a certificate to the requested format. This format
+    may be a binary format.
 
+    :param export_plugin:
+    :param cert:
+    :return:
+    """
+    plugin = plugins.get(export_plugin['slug'])
+    return plugin.export(cert.body, cert.chain, cert.private_key, export_plugin['pluginOptions'])
+
+
+def update(cert_id, **kwargs):
+    """
+    Updates a certificate
     :param cert_id:
-    :param owner:
-    :param active:
     :return:
     """
-    from lemur.notifications import service as notification_service
     cert = get(cert_id)
-    cert.active = active
-    cert.description = description
 
-    # we might have to create new notifications if the owner changes
-    new_notifications = []
-    # get existing names to remove
-    notification_name = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
-    for n in notifications:
-        if notification_name not in n.label:
-            new_notifications.append(n)
-
-    notification_name = "DEFAULT_{0}".format(owner.split('@')[0].upper())
-    new_notifications += notification_service.create_default_expiration_notifications(notification_name, owner)
-
-    cert.notifications = new_notifications
-
-    database.update_list(cert, 'destinations', Destination, destinations)
-
-    cert.owner = owner
+    for key, value in kwargs.items():
+        setattr(cert, key, value)
 
     return database.update(cert)
 
 
-def mint(issuer_options):
+def create_certificate_roles(**kwargs):
+    # create an role for the owner and assign it
+    owner_role = role_service.get_by_name(kwargs['owner'])
+
+    if not owner_role:
+        owner_role = role_service.create(
+            kwargs['owner'],
+            description="Auto generated role based on owner: {0}".format(kwargs['owner'])
+        )
+
+    # ensure that the authority's owner is also associated with the certificate
+    if kwargs.get('authority'):
+        authority_owner_role = role_service.get_by_name(kwargs['authority'].owner)
+        return [owner_role, authority_owner_role]
+
+    return [owner_role]
+
+
+def mint(**kwargs):
     """
     Minting is slightly different for each authority.
     Support for multiple authorities is handled by individual plugins.
 
-    :param issuer_options:
     """
-    authority = issuer_options['authority']
+    authority = kwargs['authority']
 
     issuer = plugins.get(authority.plugin_name)
 
-    csr, private_key = create_csr(issuer_options)
+    # allow the CSR to be specified by the user
+    if not kwargs.get('csr'):
+        csr, private_key = create_csr(**kwargs)
+    else:
+        csr = str(kwargs.get('csr'))
+        private_key = None
 
-    issuer_options['creator'] = g.user.email
-    cert_body, cert_chain = issuer.create_certificate(csr, issuer_options)
-
-    cert = Certificate(cert_body, private_key, cert_chain)
-
-    cert.user = g.user
-    cert.authority = authority
-    database.update(cert)
-    return cert, private_key, cert_chain,
+    cert_body, cert_chain = issuer.create_certificate(csr, kwargs)
+    return cert_body, private_key, cert_chain,
 
 
 def import_certificate(**kwargs):
@@ -147,102 +195,59 @@ def import_certificate(**kwargs):
 
     :param kwargs:
     """
-    from lemur.users import service as user_service
-    from lemur.notifications import service as notification_service
-    cert = Certificate(kwargs['public_certificate'], chain=kwargs['intermediate_certificate'])
+    if not kwargs.get('owner'):
+        kwargs['owner'] = current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')[0]
 
-    # TODO future source plugins might have a better understanding of who the 'owner' is we should support this
-    cert.owner = kwargs.get('owner', current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')[0])
-    cert.creator = kwargs.get('creator', user_service.get_by_email('lemur@nobody'))
-
-    # NOTE existing certs may not follow our naming standard we will
-    # overwrite the generated name with the actual cert name
-    if kwargs.get('name'):
-        cert.name = kwargs.get('name')
-
-    if kwargs.get('user'):
-        cert.user = kwargs.get('user')
-
-    notification_name = 'DEFAULT_SECURITY'
-    notifications = notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
-    cert.notifications = notifications
-
-    cert = database.create(cert)
-    return cert
+    return upload(**kwargs)
 
 
 def upload(**kwargs):
     """
     Allows for pre-made certificates to be imported into Lemur.
     """
-    from lemur.notifications import service as notification_service
-    cert = Certificate(
-        kwargs.get('public_cert'),
-        kwargs.get('private_key'),
-        kwargs.get('intermediate_cert'),
-    )
+    roles = create_certificate_roles(**kwargs)
 
-    # we override the generated name if one is provided
-    if kwargs.get('name'):
-        cert.name = kwargs['name']
+    if kwargs.get('roles'):
+        kwargs['roles'] += roles
+    else:
+        kwargs['roles'] = roles
 
-    cert.description = kwargs.get('description')
+    if kwargs.get('private_key'):
+        private_key = kwargs['private_key']
+        if not isinstance(private_key, bytes):
+            kwargs['private_key'] = private_key.encode('utf-8')
+
+    cert = Certificate(**kwargs)
 
-    cert.owner = kwargs['owner']
     cert = database.create(cert)
 
-    g.user.certificates.append(cert)
-
-    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
-
-    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))
-
-    # create default notifications for this certificate if none are provided
-    notifications = []
-    if not kwargs.get('notifications'):
-        notification_name = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
-        notifications += notification_service.create_default_expiration_notifications(notification_name, [cert.owner])
-
-    notification_name = 'DEFAULT_SECURITY'
-    notifications += notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
-    cert.notifications = notifications
-
-    database.update(cert)
-    return cert
+    kwargs['creator'].certificates.append(cert)
+    return database.update(cert)
 
 
 def create(**kwargs):
     """
     Creates a new certificate.
     """
-    from lemur.notifications import service as notification_service
-    cert, private_key, cert_chain = mint(kwargs)
+    cert_body, private_key, cert_chain = mint(**kwargs)
+    kwargs['body'] = cert_body
+    kwargs['private_key'] = private_key
+    kwargs['chain'] = cert_chain
 
-    cert.owner = kwargs['owner']
+    roles = create_certificate_roles(**kwargs)
 
-    database.create(cert)
-    cert.description = kwargs['description']
-    g.user.certificates.append(cert)
-    database.update(g.user)
+    if kwargs.get('roles'):
+        kwargs['roles'] += roles
+    else:
+        kwargs['roles'] = roles
 
-    # do this after the certificate has already been created because if it fails to upload to the third party
-    # we do not want to lose the certificate information.
-    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
+    cert = Certificate(**kwargs)
 
-    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))
+    kwargs['creator'].certificates.append(cert)
+    cert.authority = kwargs['authority']
+    database.commit()
 
-    # create default notifications for this certificate if none are provided
-    notifications = []
-    if not kwargs.get('notifications'):
-        notification_name = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
-        notifications += notification_service.create_default_expiration_notifications(notification_name, [cert.owner])
-
-    notification_name = 'DEFAULT_SECURITY'
-    notifications += notification_service.create_default_expiration_notifications(notification_name,
-                                                                                  current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
-    cert.notifications = notifications
-
-    database.update(cert)
+    metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer))
     return cert
 
 
@@ -266,6 +271,7 @@ def render(args):
 
     if filt:
         terms = filt.split(';')
+
         if 'issuer' in terms:
             # we can't rely on issuer being correct in the cert directly so we combine queries
             sub_query = database.session_query(Authority.id)\
@@ -280,18 +286,29 @@ def render(args):
             )
             return database.sort_and_page(query, Certificate, args)
 
-        if 'destination' in terms:
+        elif 'destination' in terms:
             query = query.filter(Certificate.destinations.any(Destination.id == terms[1]))
-        elif 'active' in filt:  # this is really weird but strcmp seems to not work here??
+        elif 'notify' in filt:
+            query = query.filter(Certificate.notify == cast(terms[1], Boolean))
+        elif 'active' in filt:
             query = query.filter(Certificate.active == terms[1])
+        elif 'cn' in terms:
+            query = query.filter(
+                or_(
+                    Certificate.cn.ilike('%{0}%'.format(terms[1])),
+                    Certificate.domains.any(Domain.name.ilike('%{0}%'.format(terms[1])))
+                )
+            )
+        elif 'id' in terms:
+            query = query.filter(Certificate.id == cast(terms[1], Integer))
         else:
             query = database.filter(query, Certificate, terms)
 
     if show:
-        sub_query = database.session_query(Role.name).filter(Role.user_id == g.user.id).subquery()
+        sub_query = database.session_query(Role.name).filter(Role.user_id == args['user'].id).subquery()
         query = query.filter(
             or_(
-                Certificate.user_id == g.user.id,
+                Certificate.user_id == args['user'].id,
                 Certificate.owner.in_(sub_query)
             )
         )
@@ -310,106 +327,72 @@ def render(args):
     return database.sort_and_page(query, Certificate, args)
 
 
-def create_csr(csr_config):
+def create_csr(**csr_config):
     """
     Given a list of domains create the appropriate csr
     for those domains
 
     :param csr_config:
     """
-    private_key = rsa.generate_private_key(
-        public_exponent=65537,
-        key_size=2048,
-        backend=default_backend()
-    )
+    private_key = generate_private_key(csr_config.get('key_type'))
 
-    # TODO When we figure out a better way to validate these options they should be parsed as str
     builder = x509.CertificateSigningRequestBuilder()
-    builder = builder.subject_name(x509.Name([
-        x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['commonName']),
-        x509.NameAttribute(x509.OID_ORGANIZATION_NAME, csr_config['organization']),
-        x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, csr_config['organizationalUnit']),
-        x509.NameAttribute(x509.OID_COUNTRY_NAME, csr_config['country']),
-        x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, csr_config['state']),
-        x509.NameAttribute(x509.OID_LOCALITY_NAME, csr_config['location']),
-    ]))
+    name_list = [x509.NameAttribute(x509.OID_COMMON_NAME, csr_config['common_name']),
+                 x509.NameAttribute(x509.OID_EMAIL_ADDRESS, csr_config['owner'])]
+    if 'organization' in csr_config and csr_config['organization'].strip():
+        name_list.append(x509.NameAttribute(x509.OID_ORGANIZATION_NAME, csr_config['organization']))
+    if 'organizational_unit' in csr_config and csr_config['organizational_unit'].strip():
+        name_list.append(x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, csr_config['organizational_unit']))
+    if 'country' in csr_config and csr_config['country'].strip():
+        name_list.append(x509.NameAttribute(x509.OID_COUNTRY_NAME, csr_config['country']))
+    if 'state' in csr_config and csr_config['state'].strip():
+        name_list.append(x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, csr_config['state']))
+    if 'location' in csr_config and csr_config['location'].strip():
+        name_list.append(x509.NameAttribute(x509.OID_LOCALITY_NAME, csr_config['location']))
+    builder = builder.subject_name(x509.Name(name_list))
 
-    builder = builder.add_extension(
-        x509.BasicConstraints(ca=False, path_length=None), critical=True,
-    )
+    extensions = csr_config.get('extensions', {})
+    critical_extensions = ['basic_constraints', 'sub_alt_names', 'key_usage']
+    noncritical_extensions = ['extended_key_usage']
+    for k, v in extensions.items():
+        if v:
+            if k in critical_extensions:
+                current_app.logger.debug('Adding Critical Extension: {0} {1}'.format(k, v))
+                if k == 'sub_alt_names':
+                    builder = builder.add_extension(v['names'], critical=True)
+                else:
+                    builder = builder.add_extension(v, critical=True)
 
-    if csr_config.get('extensions'):
-        for k, v in csr_config.get('extensions', {}).items():
-            if k == 'subAltNames':
-                # map types to their x509 objects
-                general_names = []
-                for name in v['names']:
-                    if name['nameType'] == 'DNSName':
-                        general_names.append(x509.DNSName(name['value']))
+            if k in noncritical_extensions:
+                current_app.logger.debug('Adding Extension: {0} {1}'.format(k, v))
+                builder = builder.add_extension(v, critical=False)
 
-                builder = builder.add_extension(
-                    x509.SubjectAlternativeName(general_names), critical=True
-                )
-
-    # TODO support more CSR options, none of the authority plugins currently support these options
-    #    builder.add_extension(
-    #        x509.KeyUsage(
-    #            digital_signature=digital_signature,
-    #            content_commitment=content_commitment,
-    #            key_encipherment=key_enipherment,
-    #            data_encipherment=data_encipherment,
-    #            key_agreement=key_agreement,
-    #            key_cert_sign=key_cert_sign,
-    #            crl_sign=crl_sign,
-    #            encipher_only=enchipher_only,
-    #            decipher_only=decipher_only
-    #        ), critical=True
-    #    )
-    #
-    #    # we must maintain our own list of OIDs here
-    #    builder.add_extension(
-    #        x509.ExtendedKeyUsage(
-    #            server_authentication=server_authentication,
-    #            email=
-    #        )
-    #    )
-    #
-    #    builder.add_extension(
-    #        x509.AuthorityInformationAccess()
-    #    )
-    #
-    #    builder.add_extension(
-    #        x509.AuthorityKeyIdentifier()
-    #    )
-    #
-    #    builder.add_extension(
-    #        x509.SubjectKeyIdentifier()
-    #    )
-    #
-    #    builder.add_extension(
-    #        x509.CRLDistributionPoints()
-    #    )
-    #
-    #    builder.add_extension(
-    #        x509.ObjectIdentifier(oid)
-    #    )
+    ski = extensions.get('subject_key_identifier', {})
+    if ski.get('include_ski', False):
+        builder = builder.add_extension(
+            x509.SubjectKeyIdentifier.from_public_key(private_key.public_key()),
+            critical=False
+        )
 
     request = builder.sign(
         private_key, hashes.SHA256(), default_backend()
     )
 
     # serialize our private key and CSR
-    pem = private_key.private_bytes(
+    private_key = private_key.private_bytes(
         encoding=serialization.Encoding.PEM,
         format=serialization.PrivateFormat.TraditionalOpenSSL,  # would like to use PKCS8 but AWS ELBs don't like it
         encryption_algorithm=serialization.NoEncryption()
     )
 
+    if isinstance(private_key, bytes):
+        private_key = private_key.decode('utf-8')
+
     csr = request.public_bytes(
         encoding=serialization.Encoding.PEM
-    )
+    ).decode('utf-8')
 
-    return csr, pem
+    return csr, private_key
 
 
 def stats(**kwargs):
@@ -440,3 +423,82 @@ def stats(**kwargs):
         values.append(count)
 
     return {'labels': keys, 'values': values}
+
+
+def get_account_number(arn):
+    """
+    Extract the account number from an arn.
+
+    :param arn: IAM SSL arn
+    :return: account number associated with ARN
+    """
+    return arn.split(":")[4]
+
+
+def get_name_from_arn(arn):
+    """
+    Extract the certificate name from an arn.
+
+    :param arn: IAM SSL arn
+    :return: name of the certificate as uploaded to AWS
+    """
+    return arn.split("/", 1)[1]
+
+
+def calculate_reissue_range(start, end):
+    """
+    Determine what the new validity_start and validity_end dates should be.
+    :param start:
+    :param end:
+    :return:
+    """
+    span = end - start
+
+    new_start = arrow.utcnow()
+    new_end = new_start + span
+
+    return new_start, arrow.get(new_end)
+
+
+def get_certificate_primitives(certificate):
+    """
+    Retrieve key primitive from a certificate such that the certificate
+    could be recreated with new expiration or be used to build upon.
+    :param certificate:
+    :return: dict of certificate primitives, should be enough to effectively re-issue
+    certificate via `create`.
+    """
+    start, end = calculate_reissue_range(certificate.not_before, certificate.not_after)
+    data = CertificateInputSchema().load(CertificateOutputSchema().dump(certificate).data).data
+
+    # we can't quite tell if we are using a custom name, as this is an automated process (typically)
+    # we will rely on the Lemur generated name
+    data.pop('name', None)
+
+    data['validity_start'] = start
+    data['validity_end'] = end
+    return data
+
+
+def reissue_certificate(certificate, replace=None, user=None):
+    """
+    Reissue certificate with the same properties of the given certificate.
+    :param certificate:
+    :param replace:
+    :param user:
+    :return:
+    """
+    primitives = get_certificate_primitives(certificate)
+
+    if not user:
+        primitives['creator'] = certificate.user
+
+    else:
+        primitives['creator'] = user
+
+    if replace:
+        primitives['replaces'] = [certificate]
+
+    new_cert = create(**primitives)
+
+    return new_cert

lemur/certificates/verify.py

@@ -5,28 +5,14 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-import os
 import requests
 import subprocess
-from OpenSSL import crypto
+from requests.exceptions import ConnectionError
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 
-from flask import current_app
-
-from contextlib import contextmanager
-from tempfile import NamedTemporaryFile
-
-
-@contextmanager
-def mktempfile():
-    with NamedTemporaryFile(delete=False) as f:
-        name = f.name
-
-    try:
-        yield name
-    finally:
-        os.unlink(name)
+from lemur.utils import mktempfile
+from lemur.common.utils import parse_certificate
 
 
 def ocsp_verify(cert_path, issuer_chain_path):
@@ -47,13 +33,16 @@ def ocsp_verify(cert_path, issuer_chain_path):
                            '-cert', cert_path, "-url", url.strip()], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 
     message, err = p2.communicate()
-    if 'error' in message or 'Error' in message:
+
+    p_message = message.decode('utf-8')
+
+    if 'error' in p_message or 'Error' in p_message:
         raise Exception("Got error when parsing OCSP url")
 
-    elif 'revoked' in message:
+    elif 'revoked' in p_message:
         return
 
-    elif 'good' not in message:
+    elif 'good' not in p_message:
         raise Exception("Did not receive a valid response")
 
     return True
@@ -68,17 +57,27 @@ def crl_verify(cert_path):
     :raise Exception: If certificate does not have CRL
     """
     with open(cert_path, 'rt') as c:
-        cert = x509.load_pem_x509_certificate(c.read(), default_backend())
+        cert = parse_certificate(c.read())
 
     distribution_points = cert.extensions.get_extension_for_oid(x509.OID_CRL_DISTRIBUTION_POINTS).value
+
     for p in distribution_points:
         point = p.full_name[0].value
-        response = requests.get(point)
-        crl = crypto.load_crl(crypto.FILETYPE_ASN1, response.content)  # TODO this should be switched to cryptography when support exists
-        revoked = crl.get_revoked()
-        for r in revoked:
-            if cert.serial == r.get_serial():
+
+        try:
+            response = requests.get(point)
+
+            if response.status_code != 200:
+                raise Exception("Unable to retrieve CRL: {0}".format(point))
+        except ConnectionError:
+            raise Exception("Unable to retrieve CRL: {0}".format(point))
+
+        crl = x509.load_der_x509_crl(response.content, backend=default_backend())
+
+        for r in crl:
+            if cert.serial == r.serial_number:
                 return
+
     return True
 
 
@@ -95,13 +94,10 @@ def verify(cert_path, issuer_chain_path):
     try:
         return ocsp_verify(cert_path, issuer_chain_path)
     except Exception as e:
-        current_app.logger.debug("Could not use OCSP: {0}".format(e))
         try:
             return crl_verify(cert_path)
         except Exception as e:
-            current_app.logger.debug("Could not use CRL: {0}".format(e))
             raise Exception("Failed to verify")
-        raise Exception("Failed to verify")
 
 
 def verify_string(cert_string, issuer_string):

lemur/certificates/views.py

@@ -5,108 +5,38 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
+import base64
 from builtins import str
 
-from flask import Blueprint, current_app, make_response, jsonify
-from flask.ext.restful import reqparse, Api, fields
+from flask import Blueprint, make_response, jsonify, g
+from flask_restful import reqparse, Api
 
-from cryptography import x509
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-
-from lemur.certificates import service
-from lemur.authorities.models import Authority
+from lemur.common.schema import validate_schema
+from lemur.common.utils import paginated_parser
 
 from lemur.auth.service import AuthenticatedResource
-from lemur.auth.permissions import ViewKeyPermission, AuthorityPermission, UpdateCertificatePermission
+from lemur.auth.permissions import AuthorityPermission, CertificatePermission
+
+from lemur.certificates import service
+from lemur.certificates.schemas import certificate_input_schema, certificate_output_schema, \
+    certificate_upload_input_schema, certificates_output_schema, certificate_export_input_schema, certificate_edit_input_schema
 
 from lemur.roles import service as role_service
-
-from lemur.common.utils import marshal_items, paginated_parser
-
-from lemur.notifications.views import notification_list
+from lemur.logs import service as log_service
 
 
 mod = Blueprint('certificates', __name__)
 api = Api(mod)
 
 
-FIELDS = {
-    'name': fields.String,
-    'id': fields.Integer,
-    'bits': fields.Integer,
-    'deleted': fields.String,
-    'issuer': fields.String,
-    'serial': fields.String,
-    'owner': fields.String,
-    'chain': fields.String,
-    'san': fields.String,
-    'active': fields.Boolean,
-    'description': fields.String,
-    'notBefore': fields.DateTime(dt_format='iso8601', attribute='not_before'),
-    'notAfter': fields.DateTime(dt_format='iso8601', attribute='not_after'),
-    'cn': fields.String,
-    'status': fields.String,
-    'body': fields.String
-}
-
-
-def valid_authority(authority_options):
-    """
-    Defends against invalid authorities
-
-    :param authority_options:
-    :return: :raise ValueError:
-    """
-    name = authority_options['name']
-    authority = Authority.query.filter(Authority.name == name).one()
-
-    if not authority:
-        raise ValueError("Unable to find authority specified")
-
-    if not authority.active:
-        raise ValueError("Selected authority [{0}] is not currently active".format(name))
-
-    return authority
-
-
-def pem_str(value, name):
-    """
-    Used to validate that the given string is a PEM formatted string
-
-    :param value:
-    :param name:
-    :return: :raise ValueError:
-    """
-    try:
-        x509.load_pem_x509_certificate(bytes(value), default_backend())
-    except Exception:
-        raise ValueError("The parameter '{0}' needs to be a valid PEM string".format(name))
-    return value
-
-
-def private_key_str(value, name):
-    """
-    User to validate that a given string is a RSA private key
-
-    :param value:
-    :param name:
-    :return: :raise ValueError:
-    """
-    try:
-        serialization.load_pem_private_key(bytes(value), None, backend=default_backend())
-    except Exception:
-        raise ValueError("The parameter '{0}' needs to be a valid RSA private key".format(name))
-    return value
-
-
 class CertificatesList(AuthenticatedResource):
     """ Defines the 'certificates' endpoint """
+
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(CertificatesList, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, certificates_output_schema)
     def get(self):
         """
         .. http:get:: /certificates
@@ -130,37 +60,66 @@ class CertificatesList(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "items": [
-                    {
-                      "id": 1,
-                      "name": "cert1",
-                      "description": "this is cert1",
-                      "bits": 2048,
-                      "deleted": false,
-                      "issuer": "ExampeInc.",
-                      "serial": "123450",
-                      "chain": "-----Begin ...",
-                      "body": "-----Begin ...",
-                      "san": true,
-                      "owner": 'bob@example.com",
-                      "active": true,
-                      "notBefore": "2015-06-05T17:09:39",
-                      "notAfter": "2015-06-10T17:09:39",
-                      "cn": "example.com",
-                      "status": "unknown"
-                    }
-                  ]
+                "items": [{
+                    "status": null,
+                    "cn": "*.test.example.net",
+                    "chain": "",
+                    "authority": {
+                        "active": true,
+                        "owner": "secure@example.com",
+                        "id": 1,
+                        "description": "verisign test authority",
+                        "name": "verisign"
+                    },
+                    "owner": "joe@example.com",
+                    "serial": "82311058732025924142789179368889309156",
+                    "id": 2288,
+                    "issuer": "SymantecCorporation",
+                    "notBefore": "2016-06-03T00:00:00+00:00",
+                    "notAfter": "2018-01-12T23:59:59+00:00",
+                    "destinations": [],
+                    "bits": 2048,
+                    "body": "-----BEGIN CERTIFICATE-----...",
+                    "description": null,
+                    "deleted": null,
+                    "notifications": [{
+                        "id": 1
+                    }]
+                    "signingAlgorithm": "sha256",
+                    "user": {
+                        "username": "jane",
+                        "active": true,
+                        "email": "jane@example.com",
+                        "id": 2
+                    },
+                    "active": true,
+                    "domains": [{
+                        "sensitive": false,
+                        "id": 1090,
+                        "name": "*.test.example.net"
+                    }],
+                    "replaces": [],
+                    "replaced": [],
+                    "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112",
+                    "roles": [{
+                        "id": 464,
+                        "description": "This is a google group based role created by Lemur",
+                        "name": "joe@example.com"
+                    }],
+                    "san": null
+                }],
                 "total": 1
               }
 
            :query sortBy: field to sort on
-           :query sortDir: acs or desc
+           :query sortDir: asc or desc
            :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query filter: key value pair format is k;v
+           :query count: count number. default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
+
         """
         parser = paginated_parser.copy()
         parser.add_argument('timeRange', type=int, dest='time_range', location='args')
@@ -172,10 +131,11 @@ class CertificatesList(AuthenticatedResource):
         parser.add_argument('show', type=str, location='args')
 
         args = parser.parse_args()
+        args['user'] = g.user
         return service.render(args)
 
-    @marshal_items(FIELDS)
-    def post(self):
+    @validate_schema(certificate_input_schema, certificate_output_schema)
+    def post(self, data=None):
         """
         .. http:post:: /certificates
 
@@ -190,46 +150,38 @@ class CertificatesList(AuthenticatedResource):
               Accept: application/json, text/javascript
 
               {
-                "country": "US",
-                "state": "CA",
-                "location": "A Place",
-                "organization": "ExampleInc.",
-                "organizationalUnit": "Operations",
-                "owner": "bob@example.com",
-                "description": "test",
-                "selectedAuthority": "timetest2",
-                "authority": {
-                    "body": "-----BEGIN...",
-                    "name": "timetest2",
-                    "chain": "",
-                    "notBefore": "2015-06-05T15:20:59",
-                    "active": true,
-                    "id": 50,
-                    "notAfter": "2015-06-17T15:21:08",
-                    "description": "dsfdsf"
-                },
-                "extensions": {
-                    "basicConstraints": {},
-                    "keyUsage": {
-                        "isCritical": true,
-                        "useKeyEncipherment": true,
-                        "useDigitalSignature": true
-                    },
-                    "extendedKeyUsage": {
-                        "isCritical": true,
-                        "useServerAuthentication": true
-                    },
-                    "subjectKeyIdentifier": {
-                        "includeSKI": true
-                    },
+                  "owner": "secure@example.net",
+                  "commonName": "test.example.net",
+                  "country": "US",
+                  "extensions": {
                     "subAltNames": {
-                        "names": []
+                      "names": [
+                        {
+                          "nameType": "DNSName",
+                          "value": "*.test.example.net"
+                        },
+                        {
+                          "nameType": "DNSName",
+                          "value": "www.test.example.net"
+                        }
+                      ]
                     }
-                },
-                "commonName": "test",
-                "validityStart": "2015-06-05T07:00:00.000Z",
-                "validityEnd": "2015-06-16T07:00:00.000Z"
-             }
+                  },
+                  "replacements": [{
+                    "id": 1
+                  },
+                  "notify": true,
+                  "validityEnd": "2026-01-01T08:00:00.000Z",
+                  "authority": {
+                    "name": "verisign"
+                  },
+                  "organization": "Netflix, Inc.",
+                  "location": "Los Gatos",
+                  "state": "California",
+                  "validityStart": "2016-11-11T04:19:48.000Z",
+                  "organizationalUnit": "Operations"
+              }
+
 
            **Example response**:
 
@@ -240,24 +192,56 @@ class CertificatesList(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "id": 1,
-                "name": "cert1",
-                "description": "this is cert1",
+                "status": null,
+                "cn": "*.test.example.net",
+                "chain": "",
+                "authority": {
+                    "active": true,
+                    "owner": "secure@example.com",
+                    "id": 1,
+                    "description": "verisign test authority",
+                    "name": "verisign"
+                },
+                "owner": "joe@example.com",
+                "serial": "82311058732025924142789179368889309156",
+                "id": 2288,
+                "issuer": "SymantecCorporation",
+                "notBefore": "2016-06-03T00:00:00+00:00",
+                "notAfter": "2018-01-12T23:59:59+00:00",
+                "destinations": [],
                 "bits": 2048,
-                "deleted": false,
-                "issuer": "ExampeInc.",
-                "serial": "123450",
-                "chain": "-----Begin ...",
-                "body": "-----Begin ...",
-                "san": true,
-                "owner": "jimbob@example.com",
-                "active": false,
-                "notBefore": "2015-06-05T17:09:39",
-                "notAfter": "2015-06-10T17:09:39",
-                "cn": "example.com",
-                "status": "unknown"
+                "body": "-----BEGIN CERTIFICATE-----...",
+                "description": null,
+                "deleted": null,
+                "notifications": [{
+                    "id": 1
+                }]
+                "signingAlgorithm": "sha256",
+                "user": {
+                    "username": "jane",
+                    "active": true,
+                    "email": "jane@example.com",
+                    "id": 2
+                },
+                "active": true,
+                "domains": [{
+                    "sensitive": false,
+                    "id": 1090,
+                    "name": "*.test.example.net"
+                }],
+                "replaces": [{
+                    "id": 1
+                }],
+                "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112",
+                "roles": [{
+                    "id": 464,
+                    "description": "This is a google group based role created by Lemur",
+                    "name": "joe@example.com"
+                }],
+                "san": null
               }
 
+
            :arg extensions: extensions to be used in the certificate
            :arg description: description for new certificate
            :arg owner: owner email
@@ -268,53 +252,37 @@ class CertificatesList(AuthenticatedResource):
            :arg state: state for the CSR
            :arg location: location for the CSR
            :arg organization: organization for CSR
-           :arg commonName: certiifcate common name
+           :arg commonName: certificate common name
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
+
         """
-        self.reqparse.add_argument('extensions', type=dict, location='json')
-        self.reqparse.add_argument('destinations', type=list, default=[], location='json')
-        self.reqparse.add_argument('notifications', type=list, default=[], location='json')
-        self.reqparse.add_argument('owner', type=str, location='json')
-        self.reqparse.add_argument('validityStart', type=str, location='json')  # TODO validate
-        self.reqparse.add_argument('validityEnd', type=str, location='json')  # TODO validate
-        self.reqparse.add_argument('authority', type=valid_authority, location='json')
-        self.reqparse.add_argument('description', type=str, location='json')
-        self.reqparse.add_argument('country', type=str, location='json')
-        self.reqparse.add_argument('state', type=str, location='json')
-        self.reqparse.add_argument('location', type=str, location='json')
-        self.reqparse.add_argument('organization', type=str, location='json')
-        self.reqparse.add_argument('organizationalUnit', type=str, location='json')
-        self.reqparse.add_argument('owner', type=str, location='json')
-        self.reqparse.add_argument('commonName', type=str, location='json')
-
-        args = self.reqparse.parse_args()
-
-        authority = args['authority']
-        role = role_service.get_by_name(authority.owner)
+        role = role_service.get_by_name(data['authority'].owner)
 
         # all the authority role members should be allowed
-        roles = [x.name for x in authority.roles]
+        roles = [x.name for x in data['authority'].roles]
 
         # allow "owner" roles by team DL
         roles.append(role)
-        permission = AuthorityPermission(authority.id, roles)
+        authority_permission = AuthorityPermission(data['authority'].id, roles)
 
-        if permission.can():
-            return service.create(**args)
+        if authority_permission.can():
+            data['creator'] = g.user
+            return service.create(**data)
 
-        return dict(message="You are not authorized to use {0}".format(args['authority'].name)), 403
+        return dict(message="You are not authorized to use {0}".format(data['authority'].name)), 403
 
 
 class CertificatesUpload(AuthenticatedResource):
     """ Defines the 'certificates' upload endpoint """
+
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(CertificatesUpload, self).__init__()
 
-    @marshal_items(FIELDS)
-    def post(self):
+    @validate_schema(certificate_upload_input_schema, certificate_output_schema)
+    def post(self, data=None):
         """
         .. http:post:: /certificates/upload
 
@@ -329,12 +297,13 @@ class CertificatesUpload(AuthenticatedResource):
               Accept: application/json, text/javascript
 
               {
-                 "owner": "joe@exmaple.com",
-                 "publicCert": "---Begin Public...",
-                 "intermediateCert": "---Begin Public...",
-                 "privateKey": "---Begin Private..."
+                 "owner": "joe@example.com",
+                 "publicCert": "-----BEGIN CERTIFICATE-----...",
+                 "intermediateCert": "-----BEGIN CERTIFICATE-----...",
+                 "privateKey": "-----BEGIN RSA PRIVATE KEY-----..."
                  "destinations": [],
                  "notifications": [],
+                 "replacements": [],
                  "name": "cert1"
               }
 
@@ -347,22 +316,51 @@ class CertificatesUpload(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                 "id": 1,
-                 "name": "cert1",
-                 "description": "this is cert1",
-                 "bits": 2048,
-                 "deleted": false,
-                 "issuer": "ExampeInc.",
-                 "serial": "123450",
-                 "chain": "-----Begin ...",
-                 "body": "-----Begin ...",
-                 "san": true,
-                 "owner": "joe@example.com",
-                 "active": true,
-                 "notBefore": "2015-06-05T17:09:39",
-                 "notAfter": "2015-06-10T17:09:39",
-                 "cn": "example.com",
-                 "status": "unknown"
+                "status": null,
+                "cn": "*.test.example.net",
+                "chain": "",
+                "authority": {
+                    "active": true,
+                    "owner": "secure@example.com",
+                    "id": 1,
+                    "description": "verisign test authority",
+                    "name": "verisign"
+                },
+                "owner": "joe@example.com",
+                "serial": "82311058732025924142789179368889309156",
+                "id": 2288,
+                "issuer": "SymantecCorporation",
+                "notBefore": "2016-06-03T00:00:00+00:00",
+                "notAfter": "2018-01-12T23:59:59+00:00",
+                "destinations": [],
+                "bits": 2048,
+                "body": "-----BEGIN CERTIFICATE-----...",
+                "description": null,
+                "deleted": null,
+                "notifications": [{
+                    "id": 1
+                }]
+                "signingAlgorithm": "sha256",
+                "user": {
+                    "username": "jane",
+                    "active": true,
+                    "email": "jane@example.com",
+                    "id": 2
+                },
+                "active": true,
+                "domains": [{
+                    "sensitive": false,
+                    "id": 1090,
+                    "name": "*.test.example.net"
+                }],
+                "replaces": [],
+                "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112",
+                "roles": [{
+                    "id": 464,
+                    "description": "This is a google group based role created by Lemur",
+                    "name": "joe@example.com"
+                }],
+                "san": null
               }
 
            :arg owner: owner email for certificate
@@ -373,27 +371,20 @@ class CertificatesUpload(AuthenticatedResource):
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 403: unauthenticated
            :statuscode 200: no error
-        """
-        self.reqparse.add_argument('description', type=str, location='json')
-        self.reqparse.add_argument('owner', type=str, required=True, location='json')
-        self.reqparse.add_argument('name', type=str, location='json')
-        self.reqparse.add_argument('publicCert', type=pem_str, required=True, dest='public_cert', location='json')
-        self.reqparse.add_argument('destinations', type=list, default=[], dest='destinations', location='json')
-        self.reqparse.add_argument('notifications', type=list, default=[], dest='notifications', location='json')
-        self.reqparse.add_argument('intermediateCert', type=pem_str, dest='intermediate_cert', location='json')
-        self.reqparse.add_argument('privateKey', type=private_key_str, dest='private_key', location='json')
 
-        args = self.reqparse.parse_args()
-        if args.get('destinations'):
-            if args.get('private_key'):
-                return service.upload(**args)
+        """
+        data['creator'] = g.user
+        if data.get('destinations'):
+            if data.get('private_key'):
+                return service.upload(**data)
             else:
                 raise Exception("Private key must be provided in order to upload certificate to AWS")
-        return service.upload(**args)
+        return service.upload(**data)
 
 
 class CertificatesStats(AuthenticatedResource):
     """ Defines the 'certificates' stats endpoint """
+
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(CertificatesStats, self).__init__()
@@ -437,7 +428,7 @@ class CertificatePrivateKey(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                 "key": "----Begin ...",
+                 "key": "-----BEGIN ...",
               }
 
            :reqheader Authorization: OAuth token to authenticate
@@ -448,17 +439,19 @@ class CertificatePrivateKey(AuthenticatedResource):
         if not cert:
             return dict(message="Cannot find specified certificate"), 404
 
-        role = role_service.get_by_name(cert.owner)
+        # allow creators
+        if g.current_user != cert.user:
+            owner_role = role_service.get_by_name(cert.owner)
+            permission = CertificatePermission(owner_role, [x.name for x in cert.roles])
 
-        permission = ViewKeyPermission(certificate_id, getattr(role, 'name', None))
+            if not permission.can():
+                return dict(message='You are not authorized to view this key'), 403
 
-        if permission.can():
-            response = make_response(jsonify(key=cert.private_key), 200)
-            response.headers['cache-control'] = 'private, max-age=0, no-cache, no-store'
-            response.headers['pragma'] = 'no-cache'
-            return response
-
-        return dict(message='You are not authorized to view this key'), 403
+        log_service.create(g.current_user, 'key_view', certificate=cert)
+        response = make_response(jsonify(key=cert.private_key), 200)
+        response.headers['cache-control'] = 'private, max-age=0, no-cache, no-store'
+        response.headers['pragma'] = 'no-cache'
+        return response
 
 
 class Certificates(AuthenticatedResource):
@@ -466,7 +459,7 @@ class Certificates(AuthenticatedResource):
         self.reqparse = reqparse.RequestParser()
         super(Certificates, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, certificate_output_schema)
     def get(self, certificate_id):
         """
         .. http:get:: /certificates/1
@@ -490,32 +483,63 @@ class Certificates(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "id": 1,
-                "name": "cert1",
-                "description": "this is cert1",
+                "status": null,
+                "cn": "*.test.example.net",
+                "chain": "",
+                "authority": {
+                    "active": true,
+                    "owner": "secure@example.com",
+                    "id": 1,
+                    "description": "verisign test authority",
+                    "name": "verisign"
+                },
+                "owner": "joe@example.com",
+                "serial": "82311058732025924142789179368889309156",
+                "id": 2288,
+                "issuer": "SymantecCorporation",
+                "notBefore": "2016-06-03T00:00:00+00:00",
+                "notAfter": "2018-01-12T23:59:59+00:00",
+                "destinations": [],
                 "bits": 2048,
-                "deleted": false,
-                "issuer": "ExampeInc.",
-                "serial": "123450",
-                "chain": "-----Begin ...",
-                "body": "-----Begin ...",
-                "san": true,
-                "owner": "bob@example.com",
+                "body": "-----BEGIN CERTIFICATE-----...",
+                "description": null,
+                "deleted": null,
+                "notifications": [{
+                    "id": 1
+                }]
+                "signingAlgorithm": "sha256",
+                "user": {
+                    "username": "jane",
+                    "active": true,
+                    "email": "jane@example.com",
+                    "id": 2
+                },
                 "active": true,
-                "notBefore": "2015-06-05T17:09:39",
-                "notAfter": "2015-06-10T17:09:39",
-                "cn": "example.com",
-                "status": "unknown"
+                "domains": [{
+                    "sensitive": false,
+                    "id": 1090,
+                    "name": "*.test.example.net"
+                }],
+                "replaces": [],
+                "replaced": [],
+                "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112",
+                "roles": [{
+                    "id": 464,
+                    "description": "This is a google group based role created by Lemur",
+                    "name": "joe@example.com"
+                }],
+                "san": null
               }
 
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
+
         """
         return service.get(certificate_id)
 
-    @marshal_items(FIELDS)
-    def put(self, certificate_id):
+    @validate_schema(certificate_edit_input_schema, certificate_output_schema)
+    def put(self, certificate_id, data=None):
         """
         .. http:put:: /certificates/1
 
@@ -533,7 +557,8 @@ class Certificates(AuthenticatedResource):
                  "owner": "jimbob@example.com",
                  "active": false
                  "notifications": [],
-                 "destinations": []
+                 "destinations": [],
+                 "replacements": []
               }
 
            **Example response**:
@@ -545,60 +570,91 @@ class Certificates(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "id": 1,
-                "name": "cert1",
-                "description": "this is cert1",
+                "status": null,
+                "cn": "*.test.example.net",
+                "chain": "",
+                "authority": {
+                    "active": true,
+                    "owner": "secure@example.com",
+                    "id": 1,
+                    "description": "verisign test authority",
+                    "name": "verisign"
+                },
+                "owner": "joe@example.com",
+                "serial": "82311058732025924142789179368889309156",
+                "id": 2288,
+                "issuer": "SymantecCorporation",
+                "notBefore": "2016-06-03T00:00:00+00:00",
+                "notAfter": "2018-01-12T23:59:59+00:00",
+                "destinations": [],
                 "bits": 2048,
-                "deleted": false,
-                "issuer": "ExampeInc.",
-                "serial": "123450",
-                "chain": "-----Begin ...",
-                "body": "-----Begin ...",
-                "san": true,
-                "owner": "jimbob@example.com",
-                "active": false,
-                "notBefore": "2015-06-05T17:09:39",
-                "notAfter": "2015-06-10T17:09:39",
-                "cn": "example.com",
-                "status": "unknown",
+                "body": "-----BEGIN CERTIFICATE-----...",
+                "description": null,
+                "deleted": null,
+                "notifications": [{
+                    "id": 1
+                }]
+                "signingAlgorithm": "sha256",
+                "user": {
+                    "username": "jane",
+                    "active": true,
+                    "email": "jane@example.com",
+                    "id": 2
+                },
+                "active": true,
+                "domains": [{
+                    "sensitive": false,
+                    "id": 1090,
+                    "name": "*.test.example.net"
+                }],
+                "replaces": [],
+                "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112",
+                "roles": [{
+                    "id": 464,
+                    "description": "This is a google group based role created by Lemur",
+                    "name": "joe@example.com"
+                }],
+                "san": null
               }
 
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
+
         """
-        self.reqparse.add_argument('active', type=bool, location='json')
-        self.reqparse.add_argument('owner', type=str, location='json')
-        self.reqparse.add_argument('description', type=str, location='json')
-        self.reqparse.add_argument('destinations', type=list, default=[], location='json')
-        self.reqparse.add_argument('notifications', type=notification_list, default=[], location='json')
-        args = self.reqparse.parse_args()
-
         cert = service.get(certificate_id)
-        role = role_service.get_by_name(cert.owner)
 
-        permission = UpdateCertificatePermission(certificate_id, getattr(role, 'name', None))
+        if not cert:
+            return dict(message="Cannot find specified certificate"), 404
 
-        if permission.can():
-            return service.update(
-                certificate_id,
-                args['owner'],
-                args['description'],
-                args['active'],
-                args['destinations'],
-                args['notifications']
-            )
+        # allow creators
+        if g.current_user != cert.user:
+            owner_role = role_service.get_by_name(cert.owner)
+            permission = CertificatePermission(owner_role, [x.name for x in cert.roles])
 
-        return dict(message='You are not authorized to update this certificate'), 403
+            if not permission.can():
+                return dict(message='You are not authorized to update this certificate'), 403
+
+        for destination in data['destinations']:
+            if destination.plugin.requires_key:
+                if not cert.private_key:
+                    return dict(
+                        message='Unable to add destination: {0}. Certificate does not have required private key.'.format(
+                            destination.label
+                        )
+                    ), 400
+
+        return service.update(certificate_id, **data)
 
 
 class NotificationCertificatesList(AuthenticatedResource):
     """ Defines the 'certificates' endpoint """
+
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(NotificationCertificatesList, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, certificates_output_schema)
     def get(self, notification_id):
         """
         .. http:get:: /notifications/1/certificates
@@ -622,37 +678,66 @@ class NotificationCertificatesList(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "items": [
-                    {
-                      "id": 1,
-                      "name": "cert1",
-                      "description": "this is cert1",
-                      "bits": 2048,
-                      "deleted": false,
-                      "issuer": "ExampeInc.",
-                      "serial": "123450",
-                      "chain": "-----Begin ...",
-                      "body": "-----Begin ...",
-                      "san": true,
-                      "owner": 'bob@example.com",
-                      "active": true,
-                      "notBefore": "2015-06-05T17:09:39",
-                      "notAfter": "2015-06-10T17:09:39",
-                      "cn": "example.com",
-                      "status": "unknown"
-                    }
-                  ]
+                "items": [{
+                    "status": null,
+                    "cn": "*.test.example.net",
+                    "chain": "",
+                    "authority": {
+                        "active": true,
+                        "owner": "secure@example.com",
+                        "id": 1,
+                        "description": "verisign test authority",
+                        "name": "verisign"
+                    },
+                    "owner": "joe@example.com",
+                    "serial": "82311058732025924142789179368889309156",
+                    "id": 2288,
+                    "issuer": "SymantecCorporation",
+                    "notBefore": "2016-06-03T00:00:00+00:00",
+                    "notAfter": "2018-01-12T23:59:59+00:00",
+                    "destinations": [],
+                    "bits": 2048,
+                    "body": "-----BEGIN CERTIFICATE-----...",
+                    "description": null,
+                    "deleted": null,
+                    "notifications": [{
+                        "id": 1
+                    }]
+                    "signingAlgorithm": "sha256",
+                    "user": {
+                        "username": "jane",
+                        "active": true,
+                        "email": "jane@example.com",
+                        "id": 2
+                    },
+                    "active": true,
+                    "domains": [{
+                        "sensitive": false,
+                        "id": 1090,
+                        "name": "*.test.example.net"
+                    }],
+                    "replaces": [],
+                    "replaced": [],
+                    "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112",
+                    "roles": [{
+                        "id": 464,
+                        "description": "This is a google group based role created by Lemur",
+                        "name": "joe@example.com"
+                    }],
+                    "san": null
+                }],
                 "total": 1
               }
 
            :query sortBy: field to sort on
-           :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query sortDir: asc or desc
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query count: count number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
+
         """
         parser = paginated_parser.copy()
         parser.add_argument('timeRange', type=int, dest='time_range', location='args')
@@ -665,25 +750,27 @@ class NotificationCertificatesList(AuthenticatedResource):
 
         args = parser.parse_args()
         args['notification_id'] = notification_id
+        args['user'] = g.current_user
         return service.render(args)
 
 
-class CertificatesDefaults(AuthenticatedResource):
-    """ Defineds the 'certificates' defaults endpoint """
+class CertificatesReplacementsList(AuthenticatedResource):
     def __init__(self):
-        super(CertificatesDefaults)
+        self.reqparse = reqparse.RequestParser()
+        super(CertificatesReplacementsList, self).__init__()
 
-    def get(self):
+    @validate_schema(None, certificates_output_schema)
+    def get(self, certificate_id):
         """
-        .. http:get:: /certificates/defaults
+        .. http:get:: /certificates/1/replacements
 
-            Returns defaults needed to generate CSRs
+           One certificate
 
            **Example request**:
 
            .. sourcecode:: http
 
-              GET /certificates/defaults HTTP/1.1
+              GET /certificates/1/replacements HTTP/1.1
               Host: example.com
               Accept: application/json, text/javascript
 
@@ -696,24 +783,166 @@ class CertificatesDefaults(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                 "country": "US",
-                 "state": "CA",
-                 "location": "Los Gatos",
-                 "organization": "Netflix",
-                 "organizationalUnit": "Operations"
+                "items": [{
+                    "status": null,
+                    "cn": "*.test.example.net",
+                    "chain": "",
+                    "authority": {
+                        "active": true,
+                        "owner": "secure@example.com",
+                        "id": 1,
+                        "description": "verisign test authority",
+                        "name": "verisign"
+                    },
+                    "owner": "joe@example.com",
+                    "serial": "82311058732025924142789179368889309156",
+                    "id": 2288,
+                    "issuer": "SymantecCorporation",
+                    "notBefore": "2016-06-03T00:00:00+00:00",
+                    "notAfter": "2018-01-12T23:59:59+00:00",
+                    "destinations": [],
+                    "bits": 2048,
+                    "body": "-----BEGIN CERTIFICATE-----...",
+                    "description": null,
+                    "deleted": null,
+                    "notifications": [{
+                        "id": 1
+                    }]
+                    "signingAlgorithm": "sha256",
+                    "user": {
+                        "username": "jane",
+                        "active": true,
+                        "email": "jane@example.com",
+                        "id": 2
+                    },
+                    "active": true,
+                    "domains": [{
+                        "sensitive": false,
+                        "id": 1090,
+                        "name": "*.test.example.net"
+                    }],
+                    "replaces": [],
+                    "replaced": [],
+                    "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112",
+                    "roles": [{
+                        "id": 464,
+                        "description": "This is a google group based role created by Lemur",
+                        "name": "joe@example.com"
+                    }],
+                    "san": null
+                }],
+                "total": 1
               }
 
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
+
         """
-        return dict(
-            country=current_app.config.get('LEMUR_DEFAULT_COUNTRY'),
-            state=current_app.config.get('LEMUR_DEFAULT_STATE'),
-            location=current_app.config.get('LEMUR_DEFAULT_LOCATION'),
-            organization=current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'),
-            organizationalUnit=current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT')
-        )
+        return service.get(certificate_id).replaces
+
+
+class CertificateExport(AuthenticatedResource):
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(CertificateExport, self).__init__()
+
+    @validate_schema(certificate_export_input_schema, None)
+    def post(self, certificate_id, data=None):
+        """
+        .. http:post:: /certificates/1/export
+
+           Export a certificate
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              PUT /certificates/1/export HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+              {
+                "export": {
+                    "plugin": {
+                        "pluginOptions": [{
+                            "available": ["Java Key Store (JKS)"],
+                            "required": true,
+                            "type": "select",
+                            "name": "type",
+                            "helpMessage": "Choose the format you wish to export",
+                            "value": "Java Key Store (JKS)"
+                        }, {
+                            "required": false,
+                            "type": "str",
+                            "name": "passphrase",
+                            "validation": "^(?=.*[A-Za-z])(?=.*\\d)(?=.*[$@$!%*#?&])[A-Za-z\\d$@$!%*#?&]{8,}$",
+                            "helpMessage": "If no passphrase is given one will be generated for you, we highly recommend this. Minimum length is 8."
+                        }, {
+                            "required": false,
+                            "type": "str",
+                            "name": "alias",
+                            "helpMessage": "Enter the alias you wish to use for the keystore."
+                        }],
+                        "version": "unknown",
+                        "description": "Attempts to generate a JKS keystore or truststore",
+                        "title": "Java",
+                        "author": "Kevin Glisson",
+                        "type": "export",
+                        "slug": "java-export"
+                    }
+                }
+              }
+
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                "data": "base64encodedstring",
+                "passphrase": "UAWOHW#&@_%!tnwmxh832025",
+                "extension": "jks"
+              }
+
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+
+        """
+        cert = service.get(certificate_id)
+
+        if not cert:
+            return dict(message="Cannot find specified certificate"), 404
+
+        plugin = data['plugin']['plugin_object']
+
+        if plugin.requires_key:
+            if not cert.private_key:
+                return dict(
+                    message='Unable to export certificate, plugin: {0} requires a private key but no key was found.'.format(
+                        plugin.slug)), 400
+
+            else:
+                # allow creators
+                if g.current_user != cert.user:
+                    owner_role = role_service.get_by_name(cert.owner)
+                    permission = CertificatePermission(owner_role, [x.name for x in cert.roles])
+
+                    if not permission.can():
+                        return dict(message='You are not authorized to export this certificate.'), 403
+
+        options = data['plugin']['plugin_options']
+
+        log_service.create(g.current_user, 'key_view', certificate=cert)
+        extension, passphrase, data = plugin.export(cert.body, cert.chain, cert.private_key, options)
+
+        # we take a hit in message size when b64 encoding
+        return dict(extension=extension, passphrase=passphrase, data=base64.b64encode(data).decode('utf-8'))
 
 
 api.add_resource(CertificatesList, '/certificates', endpoint='certificates')
@@ -721,5 +950,8 @@ api.add_resource(Certificates, '/certificates/<int:certificate_id>', endpoint='c
 api.add_resource(CertificatesStats, '/certificates/stats', endpoint='certificateStats')
 api.add_resource(CertificatesUpload, '/certificates/upload', endpoint='certificateUpload')
 api.add_resource(CertificatePrivateKey, '/certificates/<int:certificate_id>/key', endpoint='privateKeyCertificates')
-api.add_resource(NotificationCertificatesList, '/notifications/<int:notification_id>/certificates', endpoint='notificationCertificates')
-api.add_resource(CertificatesDefaults, '/certificates/defaults', endpoint='certificatesDefault')
+api.add_resource(CertificateExport, '/certificates/<int:certificate_id>/export', endpoint='exportCertificate')
+api.add_resource(NotificationCertificatesList, '/notifications/<int:notification_id>/certificates',
+                 endpoint='notificationCertificates')
+api.add_resource(CertificatesReplacementsList, '/certificates/<int:certificate_id>/replacements',
+                 endpoint='replacements')

lemur/common/defaults.py

@@ -0,0 +1,246 @@
+from cryptography import x509
+from flask import current_app
+from lemur.constants import SAN_NAMING_TEMPLATE, DEFAULT_NAMING_TEMPLATE
+
+
+def certificate_name(common_name, issuer, not_before, not_after, san):
+    """
+    Create a name for our certificate. A naming standard
+    is based on a series of templates. The name includes
+    useful information such as Common Name, Validation dates,
+    and Issuer.
+
+    :param san:
+    :param common_name:
+    :param not_after:
+    :param issuer:
+    :param not_before:
+    :rtype: str
+    :return:
+    """
+    if san:
+        t = SAN_NAMING_TEMPLATE
+    else:
+        t = DEFAULT_NAMING_TEMPLATE
+
+    temp = t.format(
+        subject=common_name,
+        issuer=issuer,
+        not_before=not_before.strftime('%Y%m%d'),
+        not_after=not_after.strftime('%Y%m%d')
+    )
+
+    disallowed_chars = ''.join(c for c in map(chr, range(256)) if not c.isalnum())
+    disallowed_chars = disallowed_chars.replace("-", "")
+    disallowed_chars = disallowed_chars.replace(".", "")
+    temp = temp.replace('*', "WILDCARD")
+
+    for c in disallowed_chars:
+        temp = temp.replace(c, "")
+
+    # white space is silly too
+    return temp.replace(" ", "-")
+
+
+def signing_algorithm(cert):
+    return cert.signature_hash_algorithm.name
+
+
+def common_name(cert):
+    """
+    Attempts to get a sane common name from a given certificate.
+
+    :param cert:
+    :return: Common name or None
+    """
+    try:
+        return cert.subject.get_attributes_for_oid(
+            x509.OID_COMMON_NAME
+        )[0].value.strip()
+    except Exception as e:
+        current_app.logger.error("Unable to get common name! {0}".format(e))
+
+
+def organization(cert):
+    """
+    Attempt to get the organization name from a given certificate.
+    :param cert:
+    :return:
+    """
+    try:
+        return cert.subject.get_attributes_for_oid(
+            x509.OID_ORGANIZATION_NAME
+        )[0].value.strip()
+    except Exception as e:
+        current_app.logger.error("Unable to get organization! {0}".format(e))
+
+
+def organizational_unit(cert):
+    """
+    Attempt to get the organization unit from a given certificate.
+    :param cert:
+    :return:
+    """
+    try:
+        return cert.subject.get_attributes_for_oid(
+            x509.OID_ORGANIZATIONAL_UNIT_NAME
+        )[0].value.strip()
+    except Exception as e:
+        current_app.logger.error("Unable to get organizational unit! {0}".format(e))
+
+
+def country(cert):
+    """
+    Attempt to get the country from a given certificate.
+    :param cert:
+    :return:
+    """
+    try:
+        return cert.subject.get_attributes_for_oid(
+            x509.OID_COUNTRY_NAME
+        )[0].value.strip()
+    except Exception as e:
+        current_app.logger.error("Unable to get country! {0}".format(e))
+
+
+def state(cert):
+    """
+    Attempt to get the from a given certificate.
+    :param cert:
+    :return:
+    """
+    try:
+        return cert.subject.get_attributes_for_oid(
+            x509.OID_STATE_OR_PROVINCE_NAME
+        )[0].value.strip()
+    except Exception as e:
+        current_app.logger.error("Unable to get state! {0}".format(e))
+
+
+def location(cert):
+    """
+    Attempt to get the location name from a given certificate.
+    :param cert:
+    :return:
+    """
+    try:
+        return cert.subject.get_attributes_for_oid(
+            x509.OID_LOCALITY_NAME
+        )[0].value.strip()
+    except Exception as e:
+        current_app.logger.error("Unable to get location! {0}".format(e))
+
+
+def domains(cert):
+    """
+    Attempts to get an domains listed in a certificate.
+    If 'subjectAltName' extension is not available we simply
+    return the common name.
+
+    :param cert:
+    :return: List of domains
+    """
+    domains = []
+    try:
+        ext = cert.extensions.get_extension_for_oid(x509.OID_SUBJECT_ALTERNATIVE_NAME)
+        entries = ext.value.get_values_for_type(x509.DNSName)
+        for entry in entries:
+            domains.append(entry)
+    except Exception as e:
+        pass
+
+    return domains
+
+
+def serial(cert):
+    """
+    Fetch the serial number from the certificate.
+
+    :param cert:
+    :return: serial number
+    """
+    return cert.serial
+
+
+def san(cert):
+    """
+    Determines if a given certificate is a SAN certificate.
+    SAN certificates are simply certificates that cover multiple domains.
+
+    :param cert:
+    :return: Bool
+    """
+    if len(domains(cert)) > 1:
+        return True
+
+
+def is_wildcard(cert):
+    """
+    Determines if certificate is a wildcard certificate.
+
+    :param cert:
+    :return: Bool
+    """
+    d = domains(cert)
+    if len(d) == 1 and d[0][0:1] == "*":
+        return True
+
+    if cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)[0].value[0:1] == "*":
+        return True
+
+
+def bitstrength(cert):
+    """
+    Calculates a certificates public key bit length.
+
+    :param cert:
+    :return: Integer
+    """
+    try:
+        return cert.public_key().key_size
+    except AttributeError:
+        current_app.logger.debug('Unable to get bitstrength.')
+
+
+def issuer(cert):
+    """
+    Gets a sane issuer name from a given certificate.
+
+    :param cert:
+    :return: Issuer
+    """
+    delchars = ''.join(c for c in map(chr, range(256)) if not c.isalnum())
+    try:
+        # Try organization name or fall back to CN
+        issuer = (cert.issuer.get_attributes_for_oid(x509.OID_ORGANIZATION_NAME)
+                  or cert.issuer.get_attributes_for_oid(x509.OID_COMMON_NAME))
+        issuer = str(issuer[0].value)
+        for c in delchars:
+            issuer = issuer.replace(c, "")
+        return issuer
+    except Exception as e:
+        current_app.logger.error("Unable to get issuer! {0}".format(e))
+        return "Unknown"
+
+
+def not_before(cert):
+    """
+    Gets the naive datetime of the certificates 'not_before' field.
+    This field denotes the first date in time which the given certificate
+    is valid.
+
+    :param cert:
+    :return: Datetime
+    """
+    return cert.not_valid_before
+
+
+def not_after(cert):
+    """
+    Gets the naive datetime of the certificates 'not_after' field.
+    This field denotes the last date in time which the given certificate
+    is valid.
+
+    :return: Datetime
+    """
+    return cert.not_valid_after

lemur/common/fields.py

@@ -0,0 +1,396 @@
+"""
+.. module: lemur.common.fields
+    :platform: Unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+import arrow
+import warnings
+import ipaddress
+
+from flask import current_app
+from datetime import datetime as dt
+
+from cryptography import x509
+
+from marshmallow import utils
+from marshmallow.fields import Field
+from marshmallow.exceptions import ValidationError
+
+
+class ArrowDateTime(Field):
+    """A formatted datetime string in UTC.
+
+    Example: ``'2014-12-22T03:12:58.019077+00:00'``
+
+    Timezone-naive `datetime` objects are converted to
+    UTC (+00:00) by :meth:`Schema.dump <marshmallow.Schema.dump>`.
+    :meth:`Schema.load <marshmallow.Schema.load>` returns `datetime`
+    objects that are timezone-aware.
+
+    :param str format: Either ``"rfc"`` (for RFC822), ``"iso"`` (for ISO8601),
+        or a date format string. If `None`, defaults to "iso".
+    :param kwargs: The same keyword arguments that :class:`Field` receives.
+
+    """
+
+    DATEFORMAT_SERIALIZATION_FUNCS = {
+        'iso': utils.isoformat,
+        'iso8601': utils.isoformat,
+        'rfc': utils.rfcformat,
+        'rfc822': utils.rfcformat,
+    }
+
+    DATEFORMAT_DESERIALIZATION_FUNCS = {
+        'iso': utils.from_iso,
+        'iso8601': utils.from_iso,
+        'rfc': utils.from_rfc,
+        'rfc822': utils.from_rfc,
+    }
+
+    DEFAULT_FORMAT = 'iso'
+
+    localtime = False
+    default_error_messages = {
+        'invalid': 'Not a valid datetime.',
+        'format': '"{input}" cannot be formatted as a datetime.',
+    }
+
+    def __init__(self, format=None, **kwargs):
+        super(ArrowDateTime, self).__init__(**kwargs)
+        # Allow this to be None. It may be set later in the ``_serialize``
+        # or ``_desrialize`` methods This allows a Schema to dynamically set the
+        # dateformat, e.g. from a Meta option
+        self.dateformat = format
+
+    def _add_to_schema(self, field_name, schema):
+        super(ArrowDateTime, self)._add_to_schema(field_name, schema)
+        self.dateformat = self.dateformat or schema.opts.dateformat
+
+    def _serialize(self, value, attr, obj):
+        if value is None:
+            return None
+        self.dateformat = self.dateformat or self.DEFAULT_FORMAT
+        format_func = self.DATEFORMAT_SERIALIZATION_FUNCS.get(self.dateformat, None)
+        if format_func:
+            try:
+                return format_func(value, localtime=self.localtime)
+            except (AttributeError, ValueError) as err:
+                self.fail('format', input=value)
+        else:
+            return value.strftime(self.dateformat)
+
+    def _deserialize(self, value, attr, data):
+        if not value:  # Falsy values, e.g. '', None, [] are not valid
+            raise self.fail('invalid')
+        self.dateformat = self.dateformat or self.DEFAULT_FORMAT
+        func = self.DATEFORMAT_DESERIALIZATION_FUNCS.get(self.dateformat)
+        if func:
+            try:
+                return arrow.get(func(value))
+            except (TypeError, AttributeError, ValueError):
+                raise self.fail('invalid')
+        elif self.dateformat:
+            try:
+                return dt.datetime.strptime(value, self.dateformat)
+            except (TypeError, AttributeError, ValueError):
+                raise self.fail('invalid')
+        elif utils.dateutil_available:
+            try:
+                return arrow.get(utils.from_datestring(value))
+            except TypeError:
+                raise self.fail('invalid')
+        else:
+            warnings.warn('It is recommended that you install python-dateutil '
+                          'for improved datetime deserialization.')
+            raise self.fail('invalid')
+
+
+class KeyUsageExtension(Field):
+    """An x509.KeyUsage ExtensionType object
+
+    Dict of KeyUsage names/values are deserialized into an x509.KeyUsage object
+    and back.
+
+    :param kwargs: The same keyword arguments that :class:`Field` receives.
+
+    """
+
+    def _serialize(self, value, attr, obj):
+        return {
+            'useDigitalSignature': value.digital_signature,
+            'useNonRepudiation': value.content_commitment,
+            'useKeyEncipherment': value.key_encipherment,
+            'useDataEncipherment': value.data_encipherment,
+            'useKeyAgreement': value.key_agreement,
+            'useKeyCertSign': value.key_cert_sign,
+            'useCRLSign': value.crl_sign,
+            'useEncipherOnly': value._encipher_only,
+            'useDecipherOnly': value._decipher_only
+        }
+
+    def _deserialize(self, value, attr, data):
+        keyusages = {
+            'digital_signature': False,
+            'content_commitment': False,
+            'key_encipherment': False,
+            'data_encipherment': False,
+            'key_agreement': False,
+            'key_cert_sign': False,
+            'crl_sign': False,
+            'encipher_only': False,
+            'decipher_only': False
+        }
+
+        for k, v in value.items():
+            if k == 'useDigitalSignature':
+                keyusages['digital_signature'] = v
+
+            elif k == 'useNonRepudiation':
+                keyusages['content_commitment'] = v
+
+            elif k == 'useKeyEncipherment':
+                keyusages['key_encipherment'] = v
+
+            elif k == 'useDataEncipherment':
+                keyusages['data_encipherment'] = v
+
+            elif k == 'useKeyCertSign':
+                keyusages['key_cert_sign'] = v
+
+            elif k == 'useCRLSign':
+                keyusages['crl_sign'] = v
+
+            elif k == 'useKeyAgreement':
+                keyusages['key_agreement'] = v
+
+            elif k == 'useEncipherOnly' and v:
+                keyusages['encipher_only'] = True
+                keyusages['key_agreement'] = True
+
+            elif k == 'useDecipherOnly' and v:
+                keyusages['decipher_only'] = True
+                keyusages['key_agreement'] = True
+
+        if keyusages['encipher_only'] and keyusages['decipher_only']:
+            raise ValidationError('A certificate cannot have both Encipher Only and Decipher Only Extended Key Usages.')
+
+        return x509.KeyUsage(
+            digital_signature=keyusages['digital_signature'],
+            content_commitment=keyusages['content_commitment'],
+            key_encipherment=keyusages['key_encipherment'],
+            data_encipherment=keyusages['data_encipherment'],
+            key_agreement=keyusages['key_agreement'],
+            key_cert_sign=keyusages['key_cert_sign'],
+            crl_sign=keyusages['crl_sign'],
+            encipher_only=keyusages['encipher_only'],
+            decipher_only=keyusages['decipher_only']
+        )
+
+
+class ExtendedKeyUsageExtension(Field):
+    """An x509.ExtendedKeyUsage ExtensionType object
+
+    Dict of ExtendedKeyUsage names/values are deserialized into an x509.ExtendedKeyUsage object
+    and back.
+
+    :param kwargs: The same keyword arguments that :class:`Field` receives.
+
+    """
+
+    def _serialize(self, value, attr, obj):
+        usages = value._usages
+        usage_list = {}
+        for usage in usages:
+            if usage == x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH:
+                usage_list['useClientAuthentication'] = True
+
+            elif usage == x509.oid.ExtendedKeyUsageOID.SERVER_AUTH:
+                usage_list['useServerAuthentication'] = True
+
+            elif usage == x509.oid.ExtendedKeyUsageOID.CODE_SIGNING:
+                usage_list['useCodeSigning'] = True
+
+            elif usage == x509.oid.ExtendedKeyUsageOID.EMAIL_PROTECTION:
+                usage_list['useEmailProtection'] = True
+
+            elif usage == x509.oid.ExtendedKeyUsageOID.TIME_STAMPING:
+                usage_list['useTimestamping'] = True
+
+            elif usage == x509.oid.ExtendedKeyUsageOID.OCSP_SIGNING:
+                usage_list['useOCSPSigning'] = True
+
+            elif usage.dotted_string == '1.3.6.1.5.5.7.3.14':
+                usage_list['useEapOverLAN'] = True
+
+            elif usage.dotted_string == '1.3.6.1.5.5.7.3.13':
+                usage_list['useEapOverPPP'] = True
+
+            elif usage.dotted_string == '1.3.6.1.4.1.311.20.2.2':
+                usage_list['useSmartCardLogon'] = True
+
+            else:
+                current_app.logger.warning('Unable to serialize ExtendedKeyUsage with OID: {usage}'.format(usage=usage.dotted_string))
+
+        return usage_list
+
+    def _deserialize(self, value, attr, data):
+        usage_oids = []
+        for k, v in value.items():
+            if k == 'useClientAuthentication' and v:
+                usage_oids.append(x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH)
+
+            elif k == 'useServerAuthentication' and v:
+                usage_oids.append(x509.oid.ExtendedKeyUsageOID.SERVER_AUTH)
+
+            elif k == 'useCodeSigning' and v:
+                usage_oids.append(x509.oid.ExtendedKeyUsageOID.CODE_SIGNING)
+
+            elif k == 'useEmailProtection' and v:
+                usage_oids.append(x509.oid.ExtendedKeyUsageOID.EMAIL_PROTECTION)
+
+            elif k == 'useTimestamping' and v:
+                usage_oids.append(x509.oid.ExtendedKeyUsageOID.TIME_STAMPING)
+
+            elif k == 'useOCSPSigning' and v:
+                usage_oids.append(x509.oid.ExtendedKeyUsageOID.OCSP_SIGNING)
+
+            elif k == 'useEapOverLAN' and v:
+                usage_oids.append(x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.3.14"))
+
+            elif k == 'useEapOverPPP' and v:
+                usage_oids.append(x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.3.13"))
+
+            elif k == 'useSmartCardLogon' and v:
+                usage_oids.append(x509.oid.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2"))
+
+            else:
+                current_app.logger.warning('Unable to deserialize ExtendedKeyUsage with name: {key}'.format(key=k))
+
+        return x509.ExtendedKeyUsage(usage_oids)
+
+
+class BasicConstraintsExtension(Field):
+    """An x509.BasicConstraints ExtensionType object
+
+    Dict of CA boolean and a path_length integer names/values are deserialized into an x509.BasicConstraints object
+    and back.
+
+    :param kwargs: The same keyword arguments that :class:`Field` receives.
+
+    """
+
+    def _serialize(self, value, attr, obj):
+        return {'ca': value.ca, 'path_length': value.path_length}
+
+    def _deserialize(self, value, attr, data):
+        ca = value.get('ca', False)
+        path_length = value.get('path_length', None)
+
+        if ca:
+            if not isinstance(path_length, (type(None), int)):
+                raise ValidationError('A CA certificate path_length (for BasicConstraints) must be None or an integer.')
+            return x509.BasicConstraints(ca=True, path_length=path_length)
+        else:
+            return x509.BasicConstraints(ca=False, path_length=None)
+
+
+class SubjectAlternativeNameExtension(Field):
+    """An x509.SubjectAlternativeName ExtensionType object
+
+    Dict of CA boolean and a path_length integer names/values are deserialized into an x509.BasicConstraints object
+    and back.
+
+    :param kwargs: The same keyword arguments that :class:`Field` receives.
+
+    """
+    def _serialize(self, value, attr, obj):
+        general_names = []
+        name_type = None
+
+        if value:
+            for name in value._general_names:
+                value = name.value
+
+                if isinstance(name, x509.DNSName):
+                    name_type = 'DNSName'
+
+                elif isinstance(name, x509.IPAddress):
+                    name_type = 'IPAddress'
+
+                elif isinstance(name, x509.UniformResourceIdentifier):
+                    name_type = 'uniformResourceIdentifier'
+
+                elif isinstance(name, x509.DirectoryName):
+                    name_type = 'directoryName'
+
+                elif isinstance(name, x509.RFC822Name):
+                    name_type = 'rfc822Name'
+
+                elif isinstance(name, x509.RegisteredID):
+                    name_type = 'registeredID'
+                    value = value.dotted_string
+                else:
+                    current_app.logger.warning('Unknown SubAltName type: {name}'.format(name=name))
+
+                general_names.append({'nameType': name_type, 'value': value})
+
+        return general_names
+
+    def _deserialize(self, value, attr, data):
+        general_names = []
+        for name in value:
+            if name['nameType'] == 'DNSName':
+                general_names.append(x509.DNSName(name['value']))
+
+            elif name['nameType'] == 'IPAddress':
+                general_names.append(x509.IPAddress(ipaddress.ip_address(name['value'])))
+
+            elif name['nameType'] == 'IPNetwork':
+                general_names.append(x509.IPAddress(ipaddress.ip_network(name['value'])))
+
+            elif name['nameType'] == 'uniformResourceIdentifier':
+                general_names.append(x509.UniformResourceIdentifier(name['value']))
+
+            elif name['nameType'] == 'directoryName':
+                # TODO: Need to parse a string in name['value'] like:
+                # 'CN=Common Name, O=Org Name, OU=OrgUnit Name, C=US, ST=ST, L=City/emailAddress=person@example.com'
+                # or
+                # 'CN=Common Name/O=Org Name/OU=OrgUnit Name/C=US/ST=NH/L=City/emailAddress=person@example.com'
+                # and turn it into something like:
+                # x509.Name([
+                #     x509.NameAttribute(x509.OID_COMMON_NAME, "Common Name"),
+                #     x509.NameAttribute(x509.OID_ORGANIZATION_NAME, "Org Name"),
+                #     x509.NameAttribute(x509.OID_ORGANIZATIONAL_UNIT_NAME, "OrgUnit Name"),
+                #     x509.NameAttribute(x509.OID_COUNTRY_NAME, "US"),
+                #     x509.NameAttribute(x509.OID_STATE_OR_PROVINCE_NAME, "NH"),
+                #     x509.NameAttribute(x509.OID_LOCALITY_NAME, "City"),
+                #     x509.NameAttribute(x509.OID_EMAIL_ADDRESS, "person@example.com")
+                # ]
+                # general_names.append(x509.DirectoryName(x509.Name(BLAH))))
+                pass
+
+            elif name['nameType'] == 'rfc822Name':
+                general_names.append(x509.RFC822Name(name['value']))
+
+            elif name['nameType'] == 'registeredID':
+                general_names.append(x509.RegisteredID(x509.ObjectIdentifier(name['value'])))
+
+            elif name['nameType'] == 'otherName':
+                # This has two inputs (type and value), so it doesn't fit the mold of the rest of these GeneralName entities.
+                # general_names.append(x509.OtherName(name['type'], bytes(name['value']), 'utf-8'))
+                pass
+
+            elif name['nameType'] == 'x400Address':
+                # The Python Cryptography library doesn't support x400Address types (yet?)
+                pass
+
+            elif name['nameType'] == 'EDIPartyName':
+                # The Python Cryptography library doesn't support EDIPartyName types (yet?)
+                pass
+
+            else:
+                current_app.logger.warning('Unable to deserialize SubAltName with type: {name_type}'.format(name_type=name['nameType']))
+
+        return x509.SubjectAlternativeName(general_names)

lemur/common/managers.py

@@ -8,6 +8,8 @@
 """
 from flask import current_app
 
+from lemur.exceptions import InvalidConfiguration
+
 
 # inspired by https://github.com/getsentry/sentry
 class InstanceManager(object):
@@ -22,7 +24,8 @@ class InstanceManager(object):
 
     def add(self, class_path):
         self.cache = None
-        self.class_list.append(class_path)
+        if class_path not in self.class_list:
+            self.class_list.append(class_path)
 
     def remove(self, class_path):
         self.cache = None
@@ -57,9 +60,14 @@ class InstanceManager(object):
                     results.append(cls())
                 else:
                     results.append(cls)
-            except Exception:
-                current_app.logger.exception('Unable to import %s', cls_path)
+
+            except InvalidConfiguration as e:
+                current_app.logger.warning("Plugin '{0}' may not work correctly. {1}".format(class_name, e))
+
+            except Exception as e:
+                current_app.logger.exception("Unable to import {0}. Reason: {1}".format(cls_path, e))
                 continue
+
         self.cache = results
 
         return results

lemur/common/missing.py

@@ -0,0 +1,24 @@
+import arrow
+from flask import current_app
+
+from lemur.common.utils import is_weekend
+
+
+def convert_validity_years(data):
+    """
+    Convert validity years to validity_start and validity_end
+
+    :param data:
+    :return:
+    """
+    if data.get('validity_years'):
+        now = arrow.utcnow()
+        data['validity_start'] = now.isoformat()
+
+        end = now.replace(years=+int(data['validity_years']))
+        if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True):
+            if is_weekend(end):
+                end = end.replace(days=-2)
+
+        data['validity_end'] = end.isoformat()
+    return data

lemur/common/schema.py

@@ -0,0 +1,172 @@
+"""
+.. module: lemur.common.schema
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+
+"""
+from functools import wraps
+from flask import request, current_app
+
+from sqlalchemy.orm.collections import InstrumentedList
+
+from inflection import camelize, underscore
+from marshmallow import Schema, post_dump, pre_load
+
+
+class LemurSchema(Schema):
+    """
+    Base schema from which all grouper schema's inherit
+    """
+    __envelope__ = True
+
+    def under(self, data, many=None):
+        items = []
+        if many:
+            for i in data:
+                items.append(
+                    {underscore(key): value for key, value in i.items()}
+                )
+            return items
+        return {
+            underscore(key): value
+            for key, value in data.items()
+        }
+
+    def camel(self, data, many=None):
+        items = []
+        if many:
+            for i in data:
+                items.append(
+                    {camelize(key, uppercase_first_letter=False): value for key, value in i.items()}
+                )
+            return items
+        return {
+            camelize(key, uppercase_first_letter=False): value
+            for key, value in data.items()
+        }
+
+    def wrap_with_envelope(self, data, many):
+        if many:
+            if 'total' in self.context.keys():
+                return dict(total=self.context['total'], items=data)
+        return data
+
+
+class LemurInputSchema(LemurSchema):
+    @pre_load(pass_many=True)
+    def preprocess(self, data, many):
+        return self.under(data, many=many)
+
+
+class LemurOutputSchema(LemurSchema):
+    @pre_load(pass_many=True)
+    def preprocess(self, data, many):
+        if many:
+            data = self.unwrap_envelope(data, many)
+        return self.under(data, many=many)
+
+    def unwrap_envelope(self, data, many):
+        if many:
+            if data['items']:
+                if isinstance(data, InstrumentedList) or isinstance(data, list):
+                    self.context['total'] = len(data)
+                    return data
+                else:
+                    self.context['total'] = data['total']
+            else:
+                self.context['total'] = 0
+                data = {'items': []}
+
+            return data['items']
+
+        return data
+
+    @post_dump(pass_many=True)
+    def post_process(self, data, many):
+        if data:
+            data = self.camel(data, many=many)
+        if self.__envelope__:
+            return self.wrap_with_envelope(data, many=many)
+        else:
+            return data
+
+
+def format_errors(messages):
+    errors = {}
+    for k, v in messages.items():
+        key = camelize(k, uppercase_first_letter=False)
+        if isinstance(v, dict):
+            errors[key] = format_errors(v)
+        elif isinstance(v, list):
+            errors[key] = v[0]
+    return errors
+
+
+def wrap_errors(messages):
+    errors = dict(message='Validation Error.')
+    if messages.get('_schema'):
+        errors['reasons'] = {'Schema': {'rule': messages['_schema']}}
+    else:
+        errors['reasons'] = format_errors(messages)
+    return errors
+
+
+def unwrap_pagination(data, output_schema):
+    if not output_schema:
+        return data
+
+    if isinstance(data, dict):
+        if 'total' in data.keys():
+            if data.get('total') == 0:
+                return data
+
+            marshaled_data = {'total': data['total']}
+            marshaled_data['items'] = output_schema.dump(data['items'], many=True).data
+            return marshaled_data
+
+        return output_schema.dump(data).data
+
+    elif isinstance(data, list):
+        marshaled_data = {'total': len(data)}
+        marshaled_data['items'] = output_schema.dump(data, many=True).data
+        return marshaled_data
+
+    return output_schema.dump(data).data
+
+
+def validate_schema(input_schema, output_schema):
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if input_schema:
+                if request.get_json():
+                    request_data = request.get_json()
+                else:
+                    request_data = request.args
+
+                data, errors = input_schema.load(request_data)
+
+                if errors:
+                    return wrap_errors(errors), 400
+
+                kwargs['data'] = data
+
+            try:
+                resp = f(*args, **kwargs)
+            except Exception as e:
+                current_app.logger.exception(e)
+                return dict(message=str(e)), 500
+
+            if isinstance(resp, tuple):
+                return resp[0], resp[1]
+
+            if not resp:
+                return dict(message="No data found"), 404
+
+            return unwrap_pagination(resp, output_schema), 200
+
+        return decorated_function
+    return decorator

lemur/common/utils.py

@@ -8,13 +8,25 @@
 """
 import string
 import random
-from functools import wraps
 
-from flask import current_app
+import sqlalchemy
+from sqlalchemy import and_, func
 
-from flask.ext.restful import marshal
-from flask.ext.restful.reqparse import RequestParser
-from flask.ext.sqlalchemy import Pagination
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import rsa
+
+from flask_restful.reqparse import RequestParser
+
+from lemur.exceptions import InvalidConfiguration
+
+paginated_parser = RequestParser()
+
+paginated_parser.add_argument('count', type=int, default=10, location='args')
+paginated_parser.add_argument('page', type=int, default=1, location='args')
+paginated_parser.add_argument('sortDir', type=str, dest='sort_dir', location='args')
+paginated_parser.add_argument('sortBy', type=str, dest='sort_by', location='args')
+paginated_parser.add_argument('filter', type=str, location='args')
 
 
 def get_psuedo_random_string():
@@ -28,51 +40,117 @@ def get_psuedo_random_string():
     return challenge
 
 
-class marshal_items(object):
-    def __init__(self, fields, envelope=None):
-        self.fields = fields
-        self.envelop = envelope
+def parse_certificate(body):
+    """
+    Helper function that parses a PEM certificate.
 
-    def __call__(self, f):
-        def _filter_items(items):
-            filtered_items = []
-            for item in items:
-                filtered_items.append(marshal(item, self.fields))
-            return filtered_items
+    :param body:
+    :return:
+    """
+    if isinstance(body, str):
+        body = body.encode('utf-8')
 
-        @wraps(f)
-        def wrapper(*args, **kwargs):
-            try:
-                resp = f(*args, **kwargs)
-
-                # this is a bit weird way to handle non standard error codes returned from the marshaled function
-                if isinstance(resp, tuple):
-                    return resp[0], resp[1]
-
-                if isinstance(resp, Pagination):
-                    return {'items': _filter_items(resp.items), 'total': resp.total}
-
-                if isinstance(resp, list):
-                    return {'items': _filter_items(resp), 'total': len(resp)}
-
-                return marshal(resp, self.fields)
-            except Exception as e:
-                current_app.logger.exception(e)
-                # this is a little weird hack to respect flask restful parsing errors on marshaled functions
-                if hasattr(e, 'code'):
-                    if hasattr(e, 'data'):
-                        return {'message': e.data['message']}, 400
-                    else:
-                        return {'message': 'unknown'}, 400
-                else:
-                    return {'message': str(e)}, 400
-        return wrapper
+    return x509.load_pem_x509_certificate(body, default_backend())
 
 
-paginated_parser = RequestParser()
+def generate_private_key(key_type):
+    """
+    Generates a new private key based on key_type.
 
-paginated_parser.add_argument('count', type=int, default=10, location='args')
-paginated_parser.add_argument('page', type=int, default=1, location='args')
-paginated_parser.add_argument('sortDir', type=str, dest='sort_dir', location='args')
-paginated_parser.add_argument('sortBy', type=str, dest='sort_by', location='args')
-paginated_parser.add_argument('filter', type=str, location='args')
+    Valid key types: RSA2048, RSA4096
+
+    :param key_type:
+    :return:
+    """
+    valid_key_types = ['RSA2048', 'RSA4096']
+
+    if key_type not in valid_key_types:
+        raise Exception("Invalid key type: {key_type}. Supported key types: {choices}".format(
+            key_type=key_type,
+            choices=",".join(valid_key_types)
+        ))
+
+    if 'RSA' in key_type:
+        key_size = int(key_type[3:])
+        return rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=key_size,
+            backend=default_backend()
+        )
+
+
+def is_weekend(date):
+    """
+    Determines if a given date is on a weekend.
+
+    :param date:
+    :return:
+    """
+    if date.weekday() > 5:
+        return True
+
+
+def validate_conf(app, required_vars):
+    """
+    Ensures that the given fields are set in the applications conf.
+
+    :param app:
+    :param required_vars: list
+    """
+    for var in required_vars:
+        if not app.config.get(var):
+            raise InvalidConfiguration("Required variable '{var}' is not set in Lemur's conf.".format(var=var))
+
+
+# https://bitbucket.org/zzzeek/sqlalchemy/wiki/UsageRecipes/WindowedRangeQuery
+def column_windows(session, column, windowsize):
+    """Return a series of WHERE clauses against
+    a given column that break it into windows.
+
+    Result is an iterable of tuples, consisting of
+    ((start, end), whereclause), where (start, end) are the ids.
+
+    Requires a database that supports window functions,
+    i.e. Postgresql, SQL Server, Oracle.
+
+    Enhance this yourself !  Add a "where" argument
+    so that windows of just a subset of rows can
+    be computed.
+
+    """
+    def int_for_range(start_id, end_id):
+        if end_id:
+            return and_(
+                column >= start_id,
+                column < end_id
+            )
+        else:
+            return column >= start_id
+
+    q = session.query(
+        column,
+        func.row_number().over(order_by=column).label('rownum')
+    ).from_self(column)
+
+    if windowsize > 1:
+        q = q.filter(sqlalchemy.text("rownum %% %d=1" % windowsize))
+
+    intervals = [id for id, in q]
+
+    while intervals:
+        start = intervals.pop(0)
+        if intervals:
+            end = intervals[0]
+        else:
+            end = None
+        yield int_for_range(start, end)
+
+
+def windowed_query(q, column, windowsize):
+    """"Break a Query into windows on a given column."""
+
+    for whereclause in column_windows(
+            q.session,
+            column, windowsize):
+        for row in q.filter(whereclause).order_by(column):
+            yield row

lemur/common/validators.py

@@ -0,0 +1,119 @@
+import re
+
+from flask import current_app
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from marshmallow.exceptions import ValidationError
+
+from lemur.auth.permissions import SensitiveDomainPermission
+from lemur.common.utils import parse_certificate, is_weekend
+from lemur.domains import service as domain_service
+
+
+def public_certificate(body):
+    """
+    Determines if specified string is valid public certificate.
+
+    :param body:
+    :return:
+    """
+    try:
+        parse_certificate(body)
+    except Exception as e:
+        current_app.logger.exception(e)
+        raise ValidationError('Public certificate presented is not valid.')
+
+
+def private_key(key):
+    """
+    User to validate that a given string is a RSA private key
+
+    :param key:
+    :return: :raise ValueError:
+    """
+    try:
+        if isinstance(key, bytes):
+            serialization.load_pem_private_key(key, None, backend=default_backend())
+        else:
+            serialization.load_pem_private_key(key.encode('utf-8'), None, backend=default_backend())
+    except Exception:
+        raise ValidationError('Private key presented is not valid.')
+
+
+def sensitive_domain(domain):
+    """
+    Determines if domain has been marked as sensitive.
+    :param domain:
+    :return:
+    """
+    restricted_domains = current_app.config.get('LEMUR_RESTRICTED_DOMAINS', [])
+    if restricted_domains:
+        domains = domain_service.get_by_name(domain)
+        for domain in domains:
+            # we only care about non-admins
+            if not SensitiveDomainPermission().can():
+                if domain.sensitive or any([re.match(pattern, domain.name) for pattern in restricted_domains]):
+                    raise ValidationError(
+                        'Domain {0} has been marked as sensitive, contact and administrator \
+                        to issue the certificate.'.format(domain))
+
+
+def encoding(oid_encoding):
+    """
+    Determines if the specified oid type is valid.
+    :param oid_encoding:
+    :return:
+    """
+    valid_types = ['b64asn1', 'string', 'ia5string']
+    if oid_encoding.lower() not in [o_type.lower() for o_type in valid_types]:
+        raise ValidationError('Invalid Oid Encoding: {0} choose from {1}'.format(oid_encoding, ",".join(valid_types)))
+
+
+def sub_alt_type(alt_type):
+    """
+    Determines if the specified subject alternate type is valid.
+    :param alt_type:
+    :return:
+    """
+    valid_types = ['DNSName', 'IPAddress', 'uniFormResourceIdentifier', 'directoryName', 'rfc822Name', 'registrationID',
+                   'otherName', 'x400Address', 'EDIPartyName']
+    if alt_type.lower() not in [a_type.lower() for a_type in valid_types]:
+        raise ValidationError('Invalid SubAltName Type: {0} choose from {1}'.format(type, ",".join(valid_types)))
+
+
+def csr(data):
+    """
+    Determines if the CSR is valid.
+    :param data:
+    :return:
+    """
+    try:
+        x509.load_pem_x509_csr(data.encode('utf-8'), default_backend())
+    except Exception:
+        raise ValidationError('CSR presented is not valid.')
+
+
+def dates(data):
+    if not data.get('validity_start') and data.get('validity_end'):
+        raise ValidationError('If validity start is specified so must validity end.')
+
+    if not data.get('validity_end') and data.get('validity_start'):
+        raise ValidationError('If validity end is specified so must validity start.')
+
+    if data.get('validity_start') and data.get('validity_end'):
+        if not current_app.config.get('LEMUR_ALLOW_WEEKEND_EXPIRATION', True):
+            if is_weekend(data.get('validity_end')):
+                raise ValidationError('Validity end must not land on a weekend.')
+
+        if not data['validity_start'] < data['validity_end']:
+            raise ValidationError('Validity start must be before validity end.')
+
+        if data.get('authority'):
+            if data.get('validity_start').date() < data['authority'].authority_certificate.not_before.date():
+                raise ValidationError('Validity start must not be before {0}'.format(data['authority'].authority_certificate.not_before))
+
+            if data.get('validity_end').date() > data['authority'].authority_certificate.not_after.date():
+                raise ValidationError('Validity end must not be after {0}'.format(data['authority'].authority_certificate.not_after))
+
+    return data

lemur/database.py

@@ -11,7 +11,7 @@
 """
 from sqlalchemy import exc
 from sqlalchemy.sql import and_, or_
-from sqlalchemy.orm.exc import NoResultFound
+from sqlalchemy.orm import make_transient
 
 from lemur.extensions import db
 from lemur.exceptions import AttrNotFound, DuplicateError
@@ -123,10 +123,7 @@ def get(model, value, field="id"):
     :return:
     """
     query = session_query(model)
-    try:
-        return query.filter(getattr(model, field) == value).one()
-    except NoResultFound as e:
-        return
+    return query.filter(getattr(model, field) == value).scalar()
 
 
 def get_all(model, value, field="id"):
@@ -237,9 +234,6 @@ def update_list(model, model_attr, item_model, items):
     """
     ids = []
 
-    for i in items:
-        ids.append(i['id'])
-
     for i in getattr(model, model_attr):
         if i.id not in ids:
             getattr(model, model_attr).remove(i)
@@ -254,6 +248,18 @@ def update_list(model, model_attr, item_model, items):
     return model
 
 
+def clone(model):
+    """
+    Clones the given model and removes it's primary key
+    :param model:
+    :return:
+    """
+    db.session.expunge(model)
+    make_transient(model)
+    model.id = None
+    return model
+
+
 def sort_and_page(query, model, args):
     """
     Helper that allows us to combine sorting and paging
@@ -268,9 +274,17 @@ def sort_and_page(query, model, args):
     page = args.pop('page')
     count = args.pop('count')
 
+    if args.get('user'):
+        user = args.pop('user')
+
     query = find_all(query, model, args)
 
     if sort_by and sort_dir:
         query = sort(query, model, sort_by, sort_dir)
 
-    return paginate(query, page, count)
+    total = query.count()
+
+    # offset calculated at zero
+    page -= 1
+    items = query.offset(count * page).limit(count).all()
+    return dict(items=items, total=total)

lemur/default.conf.py

@@ -3,8 +3,6 @@
 import os
 _basedir = os.path.abspath(os.path.dirname(__file__))
 
-ADMINS = frozenset([''])
-
 THREADS_PER_PAGE = 8
 
 # General

lemur/defaults/schemas.py

@@ -0,0 +1,23 @@
+"""
+.. module: lemur.defaults.schemas
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from marshmallow import fields
+from lemur.common.schema import LemurOutputSchema
+from lemur.authorities.schemas import AuthorityNestedOutputSchema
+
+
+class DefaultOutputSchema(LemurOutputSchema):
+    authority = fields.Nested(AuthorityNestedOutputSchema)
+    country = fields.String()
+    state = fields.String()
+    location = fields.String()
+    organization = fields.String()
+    organizational_unit = fields.String()
+    issuer_plugin = fields.String()
+
+
+default_output_schema = DefaultOutputSchema()

lemur/defaults/views.py

@@ -0,0 +1,74 @@
+"""
+.. module: lemur.defaults.views
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+"""
+from flask import current_app, Blueprint
+from flask_restful import Api
+
+from lemur.common.schema import validate_schema
+from lemur.authorities.service import get_by_name
+from lemur.auth.service import AuthenticatedResource
+
+from lemur.defaults.schemas import default_output_schema
+
+
+mod = Blueprint('default', __name__)
+api = Api(mod)
+
+
+class LemurDefaults(AuthenticatedResource):
+    """ Defines the 'defaults' endpoint """
+    def __init__(self):
+        super(LemurDefaults)
+
+    @validate_schema(None, default_output_schema)
+    def get(self):
+        """
+        .. http:get:: /defaults
+
+            Returns defaults needed to generate CSRs
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /defaults HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                 "country": "US",
+                 "state": "CA",
+                 "location": "Los Gatos",
+                 "organization": "Netflix",
+                 "organizationalUnit": "Operations"
+              }
+
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+
+        default_authority = get_by_name(current_app.config.get('LEMUR_DEFAULT_AUTHORITY'))
+
+        return dict(
+            country=current_app.config.get('LEMUR_DEFAULT_COUNTRY'),
+            state=current_app.config.get('LEMUR_DEFAULT_STATE'),
+            location=current_app.config.get('LEMUR_DEFAULT_LOCATION'),
+            organization=current_app.config.get('LEMUR_DEFAULT_ORGANIZATION'),
+            organizational_unit=current_app.config.get('LEMUR_DEFAULT_ORGANIZATIONAL_UNIT'),
+            issuer_plugin=current_app.config.get('LEMUR_DEFAULT_ISSUER_PLUGIN'),
+            authority=default_authority
+        )
+
+
+api.add_resource(LemurDefaults, '/defaults', endpoint='default')

lemur/deployment/service.py

@@ -0,0 +1,16 @@
+from lemur import database
+
+
+def rotate_certificate(endpoint, new_cert):
+    """
+    Rotates a certificate on a given endpoint.
+
+    :param endpoint:
+    :param new_cert:
+    :return:
+    """
+    # ensure that certificate is available for rotation
+
+    endpoint.source.plugin.update_endpoint(endpoint, new_cert)
+    endpoint.certificate = new_cert
+    database.update(endpoint)

lemur/destinations/models.py

@@ -5,7 +5,6 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-import copy
 from sqlalchemy import Column, Integer, String, Text
 from sqlalchemy_utils import JSONType
 from lemur.database import db
@@ -23,7 +22,7 @@ class Destination(db.Model):
 
     @property
     def plugin(self):
-        p = plugins.get(self.plugin_name)
-        c = copy.deepcopy(p)
-        c.options = self.options
-        return c
+        return plugins.get(self.plugin_name)
+
+    def __repr__(self):
+        return "Destination(label={label})".format(label=self.label)

lemur/destinations/schemas.py

@@ -0,0 +1,43 @@
+"""
+.. module: lemur.destinations.schemas
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+
+from marshmallow import fields, post_dump
+from lemur.common.schema import LemurInputSchema, LemurOutputSchema
+from lemur.schemas import PluginInputSchema, PluginOutputSchema
+
+
+class DestinationInputSchema(LemurInputSchema):
+    id = fields.Integer()
+    label = fields.String(required=True)
+    description = fields.String(required=True)
+    active = fields.Boolean()
+    plugin = fields.Nested(PluginInputSchema, required=True)
+
+
+class DestinationOutputSchema(LemurOutputSchema):
+    id = fields.Integer()
+    label = fields.String()
+    description = fields.String()
+    active = fields.Boolean()
+    plugin = fields.Nested(PluginOutputSchema)
+    options = fields.List(fields.Dict())
+
+    @post_dump
+    def fill_object(self, data):
+        if data:
+            data['plugin']['pluginOptions'] = data['options']
+        return data
+
+
+class DestinationNestedOutputSchema(DestinationOutputSchema):
+    __envelope__ = False
+
+
+destination_input_schema = DestinationInputSchema()
+destinations_output_schema = DestinationOutputSchema(many=True)
+destination_output_schema = DestinationOutputSchema()

lemur/destinations/service.py

@@ -8,6 +8,7 @@
 from sqlalchemy import func
 
 from lemur import database
+from lemur.models import certificate_destination_associations
 from lemur.destinations.models import Destination
 from lemur.certificates.models import Certificate
 
@@ -55,7 +56,7 @@ def delete(destination_id):
 
 def get(destination_id):
     """
-    Retrieves an destination by it's lemur assigned ID.
+    Retrieves an destination by its lemur assigned ID.
 
     :param destination_id: Lemur assigned ID
     :rtype : Destination
@@ -66,7 +67,7 @@ def get(destination_id):
 
 def get_by_label(label):
     """
-    Retrieves a destination by it's label
+    Retrieves a destination by its label
 
     :param label:
     :return:
@@ -85,10 +86,6 @@ def get_all():
 
 
 def render(args):
-    sort_by = args.pop('sort_by')
-    sort_dir = args.pop('sort_dir')
-    page = args.pop('page')
-    count = args.pop('count')
     filt = args.pop('filter')
     certificate_id = args.pop('certificate_id', None)
 
@@ -102,12 +99,7 @@ def render(args):
         terms = filt.split(';')
         query = database.filter(query, Destination, terms)
 
-    query = database.find_all(query, Destination, args)
-
-    if sort_by and sort_dir:
-        query = database.sort(query, Destination, sort_by, sort_dir)
-
-    return database.paginate(query, page, count)
+    return database.sort_and_page(query, Destination, args)
 
 
 def stats(**kwargs):
@@ -117,10 +109,9 @@ def stats(**kwargs):
     :param kwargs:
     :return:
     """
-    attr = getattr(Destination, kwargs.get('metric'))
-    query = database.db.session.query(attr, func.count(attr))
-
-    items = query.group_by(attr).all()
+    items = database.db.session.query(Destination.label, func.count(certificate_destination_associations.c.certificate_id))\
+        .join(certificate_destination_associations)\
+        .group_by(Destination.label).all()
 
     keys = []
     values = []

lemur/destinations/views.py

@@ -7,34 +7,28 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
 from flask import Blueprint
-from flask.ext.restful import Api, reqparse, fields
+from flask_restful import Api, reqparse
 from lemur.destinations import service
 
 from lemur.auth.service import AuthenticatedResource
 from lemur.auth.permissions import admin_permission
-from lemur.common.utils import paginated_parser, marshal_items
+from lemur.common.utils import paginated_parser
+
+from lemur.common.schema import validate_schema
+from lemur.destinations.schemas import destinations_output_schema, destination_input_schema, destination_output_schema
 
 
 mod = Blueprint('destinations', __name__)
 api = Api(mod)
 
 
-FIELDS = {
-    'description': fields.String,
-    'destinationOptions': fields.Raw(attribute='options'),
-    'pluginName': fields.String(attribute='plugin_name'),
-    'label': fields.String,
-    'id': fields.Integer,
-}
-
-
 class DestinationsList(AuthenticatedResource):
     """ Defines the 'destinations' endpoint """
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(DestinationsList, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, destinations_output_schema)
     def get(self):
         """
         .. http:get:: /destinations
@@ -58,32 +52,40 @@ class DestinationsList(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "items": [
-                    {
-                        "destinationOptions": [
-                            {
-                                "name": "accountNumber",
-                                "required": true,
-                                "value": 111111111112,
-                                "helpMessage": "Must be a valid AWS account number!",
-                                "validation": "/^[0-9]{12,12}$/",
-                                "type": "int"
-                            }
-                        ],
-                        "pluginName": "aws-destination",
-                        "id": 3,
-                        "description": "test",
-                        "label": "test"
-                    }
-                ],
+                "items": [{
+                    "description": "test",
+                    "options": [{
+                        "name": "accountNumber",
+                        "required": true,
+                        "value": "111111111111111",
+                        "helpMessage": "Must be a valid AWS account number!",
+                        "validation": "/^[0-9]{12,12}$/",
+                        "type": "str"
+                    }],
+                    "id": 4,
+                    "plugin": {
+                        "pluginOptions": [{
+                            "name": "accountNumber",
+                            "required": true,
+                            "value": "111111111111111",
+                            "helpMessage": "Must be a valid AWS account number!",
+                            "validation": "/^[0-9]{12,12}$/",
+                            "type": "str"
+                        }],
+                        "description": "Allow the uploading of certificates to AWS IAM",
+                        "slug": "aws-destination",
+                        "title": "AWS"
+                    },
+                    "label": "test546"
+                }
                 "total": 1
               }
 
            :query sortBy: field to sort on
-           :query sortDir: acs or desc
+           :query sortDir: asc or desc
            :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query filter: key value pair format is k;v
+           :query count: count number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """
@@ -92,8 +94,8 @@ class DestinationsList(AuthenticatedResource):
         return service.render(args)
 
     @admin_permission.require(http_exception=403)
-    @marshal_items(FIELDS)
-    def post(self):
+    @validate_schema(destination_input_schema, destination_output_schema)
+    def post(self, data=None):
         """
         .. http:post:: /destinations
 
@@ -108,20 +110,30 @@ class DestinationsList(AuthenticatedResource):
               Accept: application/json, text/javascript
 
               {
-                "destinationOptions": [
-                    {
+                "description": "test33",
+                "options": [{
+                    "name": "accountNumber",
+                    "required": true,
+                    "value": "34324324",
+                    "helpMessage": "Must be a valid AWS account number!",
+                    "validation": "/^[0-9]{12,12}$/",
+                    "type": "str"
+                }],
+                "id": 4,
+                "plugin": {
+                    "pluginOptions": [{
                         "name": "accountNumber",
                         "required": true,
-                        "value": 111111111112,
+                        "value": "34324324",
                         "helpMessage": "Must be a valid AWS account number!",
                         "validation": "/^[0-9]{12,12}$/",
-                        "type": "int"
-                    }
-                ],
-                "pluginName": "aws-destination",
-                "id": 3,
-                "description": "test",
-                "label": "test"
+                        "type": "str"
+                    }],
+                    "description": "Allow the uploading of certificates to AWS IAM",
+                    "slug": "aws-destination",
+                    "title": "AWS"
+                },
+                "label": "test546"
               }
 
            **Example response**:
@@ -133,20 +145,30 @@ class DestinationsList(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "destinationOptions": [
-                    {
+                "description": "test33",
+                "options": [{
+                    "name": "accountNumber",
+                    "required": true,
+                    "value": "34324324",
+                    "helpMessage": "Must be a valid AWS account number!",
+                    "validation": "/^[0-9]{12,12}$/",
+                    "type": "str"
+                }],
+                "id": 4,
+                "plugin": {
+                    "pluginOptions": [{
                         "name": "accountNumber",
                         "required": true,
-                        "value": 111111111112,
+                        "value": "111111111111111",
                         "helpMessage": "Must be a valid AWS account number!",
                         "validation": "/^[0-9]{12,12}$/",
-                        "type": "int"
-                    }
-                ],
-                "pluginName": "aws-destination",
-                "id": 3,
-                "description": "test",
-                "label": "test"
+                        "type": "str"
+                    }],
+                    "description": "Allow the uploading of certificates to AWS IAM",
+                    "slug": "aws-destination",
+                    "title": "AWS"
+                },
+                "label": "test546"
               }
 
            :arg label: human readable account label
@@ -154,12 +176,7 @@ class DestinationsList(AuthenticatedResource):
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """
-        self.reqparse.add_argument('label', type=str, location='json', required=True)
-        self.reqparse.add_argument('plugin', type=dict, location='json', required=True)
-        self.reqparse.add_argument('description', type=str, location='json')
-
-        args = self.reqparse.parse_args()
-        return service.create(args['label'], args['plugin']['slug'], args['plugin']['pluginOptions'], args['description'])
+        return service.create(data['label'], data['plugin']['slug'], data['plugin']['plugin_options'], data['description'])
 
 
 class Destinations(AuthenticatedResource):
@@ -167,7 +184,7 @@ class Destinations(AuthenticatedResource):
         self.reqparse = reqparse.RequestParser()
         super(Destinations, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, destination_output_schema)
     def get(self, destination_id):
         """
         .. http:get:: /destinations/1
@@ -191,20 +208,30 @@ class Destinations(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "destinationOptions": [
-                    {
+                "description": "test",
+                "options": [{
+                    "name": "accountNumber",
+                    "required": true,
+                    "value": "111111111111111",
+                    "helpMessage": "Must be a valid AWS account number!",
+                    "validation": "/^[0-9]{12,12}$/",
+                    "type": "str"
+                }],
+                "id": 4,
+                "plugin": {
+                    "pluginOptions": [{
                         "name": "accountNumber",
                         "required": true,
-                        "value": 111111111112,
+                        "value": "111111111111111",
                         "helpMessage": "Must be a valid AWS account number!",
                         "validation": "/^[0-9]{12,12}$/",
-                        "type": "int"
-                    }
-                ],
-                "pluginName": "aws-destination",
-                "id": 3,
-                "description": "test",
-                "label": "test"
+                        "type": "str"
+                    }],
+                    "description": "Allow the uploading of certificates to AWS IAM",
+                    "slug": "aws-destination",
+                    "title": "AWS"
+                },
+                "label": "test546"
               }
 
            :reqheader Authorization: OAuth token to authenticate
@@ -213,8 +240,8 @@ class Destinations(AuthenticatedResource):
         return service.get(destination_id)
 
     @admin_permission.require(http_exception=403)
-    @marshal_items(FIELDS)
-    def put(self, destination_id):
+    @validate_schema(destination_input_schema, destination_output_schema)
+    def put(self, destination_id, data=None):
         """
         .. http:put:: /destinations/1
 
@@ -228,23 +255,35 @@ class Destinations(AuthenticatedResource):
               Host: example.com
               Accept: application/json, text/javascript
 
+
               {
-                "destinationOptions": [
-                    {
+                "description": "test33",
+                "options": [{
+                    "name": "accountNumber",
+                    "required": true,
+                    "value": "34324324",
+                    "helpMessage": "Must be a valid AWS account number!",
+                    "validation": "/^[0-9]{12,12}$/",
+                    "type": "str"
+                }],
+                "id": 4,
+                "plugin": {
+                    "pluginOptions": [{
                         "name": "accountNumber",
                         "required": true,
-                        "value": 111111111112,
+                        "value": "34324324",
                         "helpMessage": "Must be a valid AWS account number!",
                         "validation": "/^[0-9]{12,12}$/",
-                        "type": "int"
-                    }
-                ],
-                "pluginName": "aws-destination",
-                "id": 3,
-                "description": "test",
-                "label": "test"
+                        "type": "str"
+                    }],
+                    "description": "Allow the uploading of certificates to AWS IAM",
+                    "slug": "aws-destination",
+                    "title": "AWS"
+                },
+                "label": "test546"
               }
 
+
            **Example response**:
 
            .. sourcecode:: http
@@ -254,20 +293,30 @@ class Destinations(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "destinationOptions": [
-                    {
+                "description": "test",
+                "options": [{
+                    "name": "accountNumber",
+                    "required": true,
+                    "value": "111111111111111",
+                    "helpMessage": "Must be a valid AWS account number!",
+                    "validation": "/^[0-9]{12,12}$/",
+                    "type": "str"
+                }],
+                "id": 4,
+                "plugin": {
+                    "pluginOptions": [{
                         "name": "accountNumber",
                         "required": true,
-                        "value": 111111111112,
+                        "value": "111111111111111",
                         "helpMessage": "Must be a valid AWS account number!",
                         "validation": "/^[0-9]{12,12}$/",
-                        "type": "int"
-                    }
-                ],
-                "pluginName": "aws-destination",
-                "id": 3,
-                "description": "test",
-                "label": "test"
+                        "type": "str"
+                    }],
+                    "description": "Allow the uploading of certificates to AWS IAM",
+                    "slug": "aws-destination",
+                    "title": "AWS"
+                },
+                "label": "test546"
               }
 
            :arg accountNumber: aws account number
@@ -276,12 +325,7 @@ class Destinations(AuthenticatedResource):
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """
-        self.reqparse.add_argument('label', type=str, location='json', required=True)
-        self.reqparse.add_argument('plugin', type=dict, location='json', required=True)
-        self.reqparse.add_argument('description', type=str, location='json')
-
-        args = self.reqparse.parse_args()
-        return service.update(destination_id, args['label'], args['plugin']['pluginOptions'], args['description'])
+        return service.update(destination_id, data['label'], data['plugin']['plugin_options'], data['description'])
 
     @admin_permission.require(http_exception=403)
     def delete(self, destination_id):
@@ -294,7 +338,7 @@ class CertificateDestinations(AuthenticatedResource):
     def __init__(self):
         super(CertificateDestinations, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, destination_output_schema)
     def get(self, certificate_id):
         """
         .. http:get:: /certificates/1/destinations
@@ -318,32 +362,40 @@ class CertificateDestinations(AuthenticatedResource):
               Content-Type: text/javascript
 
               {
-                "items": [
-                    {
-                        "destinationOptions": [
-                            {
-                                "name": "accountNumber",
-                                "required": true,
-                                "value": 111111111112,
-                                "helpMessage": "Must be a valid AWS account number!",
-                                "validation": "/^[0-9]{12,12}$/",
-                                "type": "int"
-                            }
-                        ],
-                        "pluginName": "aws-destination",
-                        "id": 3,
-                        "description": "test",
-                        "label": "test"
-                    }
-                ],
+                "items": [{
+                    "description": "test",
+                    "options": [{
+                        "name": "accountNumber",
+                        "required": true,
+                        "value": "111111111111111",
+                        "helpMessage": "Must be a valid AWS account number!",
+                        "validation": "/^[0-9]{12,12}$/",
+                        "type": "str"
+                    }],
+                    "id": 4,
+                    "plugin": {
+                        "pluginOptions": [{
+                            "name": "accountNumber",
+                            "required": true,
+                            "value": "111111111111111",
+                            "helpMessage": "Must be a valid AWS account number!",
+                            "validation": "/^[0-9]{12,12}$/",
+                            "type": "str"
+                        }],
+                        "description": "Allow the uploading of certificates to AWS IAM",
+                        "slug": "aws-destination",
+                        "title": "AWS"
+                    },
+                    "label": "test546"
+                }
                 "total": 1
               }
 
            :query sortBy: field to sort on
-           :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query sortDir: asc or desc
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query count: count number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
         """

lemur/domains/models.py

@@ -7,7 +7,7 @@
 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 
 """
-from sqlalchemy import Column, Integer, String
+from sqlalchemy import Column, Integer, String, Boolean
 
 from lemur.database import db
 
@@ -16,11 +16,7 @@ class Domain(db.Model):
     __tablename__ = 'domains'
     id = Column(Integer, primary_key=True)
     name = Column(String(256))
+    sensitive = Column(Boolean, default=False)
 
-    def as_dict(self):
-        return {c.name: getattr(self, c.name) for c in self.__table__.columns}
-
-    def serialize(self):
-        blob = self.as_dict()
-        blob['certificates'] = [x.id for x in self.certificate]
-        return blob
+    def __repr__(self):
+        return "Domain(name={name})".format(name=self.name)

lemur/domains/schemas.py

@@ -0,0 +1,35 @@
+"""
+.. module: lemur.domains.schemas
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from marshmallow import fields
+from lemur.common.schema import LemurInputSchema, LemurOutputSchema
+from lemur.schemas import AssociatedCertificateSchema
+
+# from lemur.certificates.schemas import CertificateNestedOutputSchema
+
+
+class DomainInputSchema(LemurInputSchema):
+    id = fields.Integer()
+    name = fields.String(required=True)
+    sensitive = fields.Boolean()
+    certificates = fields.Nested(AssociatedCertificateSchema, many=True, missing=[])
+
+
+class DomainOutputSchema(LemurOutputSchema):
+    id = fields.Integer()
+    name = fields.String()
+    sensitive = fields.Boolean()
+    # certificates = fields.Nested(CertificateNestedOutputSchema, many=True, missing=[])
+
+
+class DomainNestedOutputSchema(DomainOutputSchema):
+    __envelope__ = False
+
+
+domain_input_schema = DomainInputSchema()
+domain_output_schema = DomainOutputSchema()
+domains_output_schema = DomainOutputSchema(many=True)

lemur/domains/service.py

@@ -32,6 +32,43 @@ def get_all():
     return database.find_all(query, Domain, {}).all()
 
 
+def get_by_name(name):
+    """
+    Fetches domain by its name
+
+    :param name:
+    :return:
+    """
+    return database.get_all(Domain, name, field="name").all()
+
+
+def create(name, sensitive):
+    """
+    Create a new domain
+
+    :param name:
+    :param sensitive:
+    :return:
+    """
+    domain = Domain(name=name, sensitive=sensitive)
+    return database.create(domain)
+
+
+def update(domain_id, name, sensitive):
+    """
+    Update an existing domain
+
+    :param domain_id:
+    :param name:
+    :param sensitive:
+    :return:
+    """
+    domain = get(domain_id)
+    domain.name = name
+    domain.sensitive = sensitive
+    database.update(domain)
+
+
 def render(args):
     """
     Helper to parse REST Api requests
@@ -40,11 +77,6 @@ def render(args):
     :return:
     """
     query = database.session_query(Domain).join(Certificate, Domain.certificate)
-
-    sort_by = args.pop('sort_by')
-    sort_dir = args.pop('sort_dir')
-    page = args.pop('page')
-    count = args.pop('count')
     filt = args.pop('filter')
     certificate_id = args.pop('certificate_id', None)
 
@@ -55,9 +87,4 @@ def render(args):
     if certificate_id:
         query = query.filter(Certificate.id == certificate_id)
 
-    query = database.find_all(query, Domain, args)
-
-    if sort_by and sort_dir:
-        query = database.sort(query, Domain, sort_by, sort_dir)
-
-    return database.paginate(query, page, count)
+    return database.sort_and_page(query, Domain, args)

lemur/domains/views.py

@@ -8,17 +8,16 @@
 
 """
 from flask import Blueprint
-from flask.ext.restful import reqparse, Api, fields
+from flask_restful import reqparse, Api
 
 from lemur.domains import service
 from lemur.auth.service import AuthenticatedResource
+from lemur.auth.permissions import SensitiveDomainPermission
 
-from lemur.common.utils import paginated_parser, marshal_items
+from lemur.common.schema import validate_schema
+from lemur.common.utils import paginated_parser
 
-FIELDS = {
-    'id': fields.Integer,
-    'name': fields.String
-}
+from lemur.domains.schemas import domain_input_schema, domain_output_schema, domains_output_schema
 
 mod = Blueprint('domains', __name__)
 api = Api(mod)
@@ -29,7 +28,7 @@ class DomainsList(AuthenticatedResource):
     def __init__(self):
         super(DomainsList, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, domains_output_schema)
     def get(self):
         """
         .. http:get:: /domains
@@ -57,20 +56,22 @@ class DomainsList(AuthenticatedResource):
                     {
                       "id": 1,
                       "name": "www.example.com",
+                      "sensitive": false
                     },
                     {
                       "id": 2,
                       "name": "www.example2.com",
+                      "sensitive": false
                     }
                   ]
                 "total": 2
               }
 
            :query sortBy: field to sort on
-           :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query sortDir: asc or desc
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query count: count number. default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated
@@ -79,13 +80,58 @@ class DomainsList(AuthenticatedResource):
         args = parser.parse_args()
         return service.render(args)
 
+    @validate_schema(domain_input_schema, domain_output_schema)
+    def post(self, data=None):
+        """
+        .. http:post:: /domains
+
+           The current domain list
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /domains HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+              {
+                "name": "www.example.com",
+                "sensitive": false
+              }
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                "id": 1,
+                "name": "www.example.com",
+                "sensitive": false
+              }
+
+           :query sortBy: field to sort on
+           :query sortDir: asc or desc
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query count: count number default is 10
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+        return service.create(data['name'], data['sensitive'])
+
 
 class Domains(AuthenticatedResource):
     def __init__(self):
         self.reqparse = reqparse.RequestParser()
         super(Domains, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, domain_output_schema)
     def get(self, domain_id):
         """
         .. http:get:: /domains/1
@@ -111,6 +157,7 @@ class Domains(AuthenticatedResource):
               {
                   "id": 1,
                   "name": "www.example.com",
+                  "sensitive": false
               }
 
            :reqheader Authorization: OAuth token to authenticate
@@ -119,13 +166,56 @@ class Domains(AuthenticatedResource):
         """
         return service.get(domain_id)
 
+    @validate_schema(domain_input_schema, domain_output_schema)
+    def put(self, domain_id, data=None):
+        """
+        .. http:get:: /domains/1
+
+           update one domain
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /domains HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+              {
+                  "name": "www.example.com",
+                  "sensitive": false
+              }
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                  "id": 1,
+                  "name": "www.example.com",
+                  "sensitive": false
+              }
+
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+        if SensitiveDomainPermission().can():
+            return service.update(domain_id, data['name'], data['sensitive'])
+
+        return dict(message='You are not authorized to modify this domain'), 403
+
 
 class CertificateDomains(AuthenticatedResource):
     """ Defines the 'domains' endpoint """
     def __init__(self):
         super(CertificateDomains, self).__init__()
 
-    @marshal_items(FIELDS)
+    @validate_schema(None, domains_output_schema)
     def get(self, certificate_id):
         """
         .. http:get:: /certificates/1/domains
@@ -153,20 +243,22 @@ class CertificateDomains(AuthenticatedResource):
                     {
                       "id": 1,
                       "name": "www.example.com",
+                      "sensitive": false
                     },
                     {
                       "id": 2,
                       "name": "www.example2.com",
+                      "sensitive": false
                     }
                   ]
                 "total": 2
               }
 
            :query sortBy: field to sort on
-           :query sortDir: acs or desc
-           :query page: int. default is 1
-           :query filter: key value pair. format is k=v;
-           :query limit: limit number. default is 10
+           :query sortDir: asc or desc
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query count: count number default is 10
            :reqheader Authorization: OAuth token to authenticate
            :statuscode 200: no error
            :statuscode 403: unauthenticated

lemur/endpoints/cli.py

@@ -0,0 +1,39 @@
+"""
+.. module: lemur.endpoints.cli
+    :platform: Unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from flask_script import Manager
+
+import arrow
+from datetime import timedelta
+
+from sqlalchemy import cast
+from sqlalchemy_utils import ArrowType
+
+from lemur import database
+from lemur.extensions import metrics
+from lemur.endpoints.models import Endpoint
+
+
+manager = Manager(usage="Handles all endpoint related tasks.")
+
+
+@manager.option('-ttl', '--time-to-live', type=int, dest='ttl', default=2, help='Time in hours, which endpoint has not been refreshed to remove the endpoint.')
+def expire(ttl):
+    """
+    Removed all endpoints that have not been recently updated.
+    """
+    print("[+] Staring expiration of old endpoints.")
+    now = arrow.utcnow()
+    expiration = now - timedelta(hours=ttl)
+    endpoints = database.session_query(Endpoint).filter(cast(Endpoint.last_updated, ArrowType) <= expiration)
+
+    for endpoint in endpoints:
+        print("[!] Expiring endpoint: {name} Last Updated: {last_updated}".format(name=endpoint.name, last_updated=endpoint.last_updated))
+        database.delete(endpoint)
+        metrics.send('endpoint_expired', 'counter', 1)
+
+    print("[+] Finished expiration.")

lemur/endpoints/models.py

@@ -0,0 +1,93 @@
+"""
+.. module: lemur.endpoints.models
+    :platform: unix
+    :synopsis: This module contains all of the models need to create an authority within Lemur.
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+import arrow
+from sqlalchemy.orm import relationship
+from sqlalchemy.ext.associationproxy import association_proxy
+from sqlalchemy import Column, Integer, String, Boolean, ForeignKey
+from sqlalchemy.ext.hybrid import hybrid_property
+from sqlalchemy.sql.expression import case
+
+from sqlalchemy_utils import ArrowType
+
+from lemur.database import db
+
+from lemur.models import policies_ciphers
+
+
+BAD_CIPHERS = [
+    'Protocol-SSLv3',
+    'Protocol-SSLv2',
+    'Protocol-TLSv1'
+]
+
+
+class Cipher(db.Model):
+    __tablename__ = 'ciphers'
+    id = Column(Integer, primary_key=True)
+    name = Column(String(128), nullable=False)
+
+    @hybrid_property
+    def deprecated(self):
+        return self.name in BAD_CIPHERS
+
+    @deprecated.expression
+    def deprecated(cls):
+        return case(
+            [
+                (cls.name in BAD_CIPHERS, True)
+            ],
+            else_=False
+        )
+
+
+class Policy(db.Model):
+    ___tablename__ = 'policies'
+    id = Column(Integer, primary_key=True)
+    name = Column(String(128), nullable=True)
+    ciphers = relationship('Cipher', secondary=policies_ciphers, backref='policy')
+
+
+class Endpoint(db.Model):
+    __tablename__ = 'endpoints'
+    id = Column(Integer, primary_key=True)
+    owner = Column(String(128))
+    name = Column(String(128))
+    dnsname = Column(String(256))
+    type = Column(String(128))
+    active = Column(Boolean, default=True)
+    port = Column(Integer)
+    policy_id = Column(Integer, ForeignKey('policy.id'))
+    policy = relationship('Policy', backref='endpoint')
+    certificate_id = Column(Integer, ForeignKey('certificates.id'))
+    source_id = Column(Integer, ForeignKey('sources.id'))
+    sensitive = Column(Boolean, default=False)
+    source = relationship('Source', back_populates='endpoints')
+    last_updated = Column(ArrowType, default=arrow.utcnow, nullable=False)
+    date_created = Column(ArrowType, default=arrow.utcnow, onupdate=arrow.utcnow, nullable=False)
+
+    replaced = association_proxy('certificate', 'replaced')
+
+    @property
+    def issues(self):
+        issues = []
+
+        for cipher in self.policy.ciphers:
+            if cipher.deprecated:
+                issues.append({'name': 'deprecated cipher', 'value': '{0} has been deprecated consider removing it.'.format(cipher.name)})
+
+        if self.certificate.expired:
+            issues.append({'name': 'expired certificate', 'value': 'There is an expired certificate attached to this endpoint consider replacing it.'})
+
+        if self.certificate.revoked:
+            issues.append({'name': 'revoked', 'value': 'There is a revoked certificate attached to this endpoint consider replacing it.'})
+
+        return issues
+
+    def __repr__(self):
+        return "Endpoint(name={name})".format(name=self.name)

lemur/endpoints/schemas.py

@@ -0,0 +1,44 @@
+"""
+.. module: lemur.endpoints.schemas
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from marshmallow import fields
+
+from lemur.common.schema import LemurOutputSchema
+from lemur.certificates.schemas import CertificateNestedOutputSchema
+
+
+class CipherNestedOutputSchema(LemurOutputSchema):
+    __envelope__ = False
+    id = fields.Integer()
+    deprecated = fields.Boolean()
+    name = fields.String()
+
+
+class PolicyNestedOutputSchema(LemurOutputSchema):
+    __envelope__ = False
+    id = fields.Integer()
+    name = fields.String()
+    ciphers = fields.Nested(CipherNestedOutputSchema, many=True)
+
+
+class EndpointOutputSchema(LemurOutputSchema):
+    id = fields.Integer()
+    description = fields.String()
+    name = fields.String()
+    dnsname = fields.String()
+    owner = fields.Email()
+    type = fields.String()
+    port = fields.Integer()
+    active = fields.Boolean()
+    certificate = fields.Nested(CertificateNestedOutputSchema)
+    policy = fields.Nested(PolicyNestedOutputSchema)
+
+    issues = fields.List(fields.Dict())
+
+
+endpoint_output_schema = EndpointOutputSchema()
+endpoints_output_schema = EndpointOutputSchema(many=True)

lemur/endpoints/service.py

@@ -0,0 +1,182 @@
+"""
+.. module: lemur.endpoints.service
+    :platform: Unix
+    :synopsis: This module contains all of the services level functions used to
+    administer endpoints in Lemur
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+
+"""
+import arrow
+
+from flask import current_app
+
+from sqlalchemy import func
+
+from lemur import database
+from lemur.endpoints.models import Endpoint, Policy, Cipher
+from lemur.extensions import metrics
+
+
+def get_all():
+    """
+    Get all endpoints that are currently in Lemur.
+
+    :rtype : List
+    :return:
+    """
+    query = database.session_query(Endpoint)
+    return database.find_all(query, Endpoint, {}).all()
+
+
+def get(endpoint_id):
+    """
+    Retrieves an endpoint given it's ID
+
+    :param endpoint_id:
+    :return:
+    """
+    return database.get(Endpoint, endpoint_id)
+
+
+def get_by_name(name):
+    """
+    Retrieves an endpoint given it's name.
+
+    :param name:
+    :return:
+    """
+    return database.get(Endpoint, name, field='name')
+
+
+def get_by_dnsname(dnsname):
+    """
+    Retrieves an endpoint given it's name.
+
+    :param dnsname:
+    :return:
+    """
+    return database.get(Endpoint, dnsname, field='dnsname')
+
+
+def get_by_source(source_label):
+    """
+    Retrieves all endpoints for a given source.
+    :param source_label:
+    :return:
+    """
+    return Endpoint.query.filter(Endpoint.source.label == source_label).all()  # noqa
+
+
+def get_all_pending_rotation():
+    """
+    Retrieves all endpoints which have certificates deployed
+    that have been replaced.
+    :return:
+    """
+    return Endpoint.query.filter(Endpoint.replaced.any()).all()
+
+
+def create(**kwargs):
+    """
+    Creates a new endpoint.
+    :param kwargs:
+    :return:
+    """
+    endpoint = Endpoint(**kwargs)
+    database.create(endpoint)
+    metrics.send('endpoint_added', 'counter', 1, metric_tags={'source': endpoint.source.label})
+    return endpoint
+
+
+def get_or_create_policy(**kwargs):
+    policy = database.get(Policy, kwargs['name'], field='name')
+
+    if not policy:
+        policy = Policy(**kwargs)
+        database.create(policy)
+
+    return policy
+
+
+def get_or_create_cipher(**kwargs):
+    cipher = database.get(Cipher, kwargs['name'], field='name')
+
+    if not cipher:
+        cipher = Cipher(**kwargs)
+        database.create(cipher)
+
+    return cipher
+
+
+def update(endpoint_id, **kwargs):
+    endpoint = database.get(Endpoint, endpoint_id)
+
+    endpoint.policy = kwargs['policy']
+    endpoint.certificate = kwargs['certificate']
+    endpoint.source = kwargs['source']
+    endpoint.last_updated = arrow.utcnow()
+    metrics.send('endpoint_updated', 'counter', 1, metric_tags={'source': endpoint.source.label})
+    database.update(endpoint)
+    return endpoint
+
+
+def rotate_certificate(endpoint, new_cert):
+    """Rotates a certificate on a given endpoint."""
+    try:
+        endpoint.source.plugin.update_endpoint(endpoint, new_cert)
+        endpoint.certificate = new_cert
+        database.update(endpoint)
+        metrics.send('certificate_rotate_success', 'counter', 1, metric_tags={'endpoint': endpoint.name, 'source': endpoint.source.label})
+    except Exception as e:
+        metrics.send('certificate_rotate_failure', 'counter', 1, metric_tags={'endpoint': endpoint.name})
+        current_app.logger.exception(e)
+        raise e
+
+
+def render(args):
+    """
+    Helper that helps us render the REST Api responses.
+    :param args:
+    :return:
+    """
+    query = database.session_query(Endpoint)
+    filt = args.pop('filter')
+
+    if filt:
+        terms = filt.split(';')
+        if 'active' in filt:  # this is really weird but strcmp seems to not work here??
+            query = query.filter(Endpoint.active == terms[1])
+        elif 'port' in filt:
+            if terms[1] != 'null':  # ng-table adds 'null' if a number is removed
+                query = query.filter(Endpoint.port == terms[1])
+        elif 'ciphers' in filt:
+            query = query.filter(
+                Cipher.name == terms[1]
+            )
+        else:
+            query = database.filter(query, Endpoint, terms)
+
+    return database.sort_and_page(query, Endpoint, args)
+
+
+def stats(**kwargs):
+    """
+    Helper that defines some useful statistics about endpoints.
+
+    :param kwargs:
+    :return:
+    """
+    attr = getattr(Endpoint, kwargs.get('metric'))
+    query = database.db.session.query(attr, func.count(attr))
+
+    items = query.group_by(attr).all()
+
+    keys = []
+    values = []
+    for key, count in items:
+        keys.append(key)
+        values.append(count)
+
+    return {'labels': keys, 'values': values}

lemur/endpoints/views.py

@@ -0,0 +1,107 @@
+"""
+.. module: lemur.endpoints.views
+    :platform: Unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from flask import Blueprint, g
+from flask_restful import reqparse, Api
+
+from lemur.common.utils import paginated_parser
+from lemur.common.schema import validate_schema
+from lemur.auth.service import AuthenticatedResource
+
+from lemur.endpoints import service
+from lemur.endpoints.schemas import endpoint_output_schema, endpoints_output_schema
+
+
+mod = Blueprint('endpoints', __name__)
+api = Api(mod)
+
+
+class EndpointsList(AuthenticatedResource):
+    """ Defines the 'endpoints' endpoint """
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(EndpointsList, self).__init__()
+
+    @validate_schema(None, endpoints_output_schema)
+    def get(self):
+        """
+        .. http:get:: /endpoints
+
+           The current list of endpoints
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /endpoints HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+
+           :query sortBy: field to sort on
+           :query sortDir: asc or desc
+           :query page: int default is 1
+           :query filter: key value pair. format is k;v
+           :query limit: limit number default is 10
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+
+           :note: this will only show certificates that the current user is authorized to use
+        """
+        parser = paginated_parser.copy()
+        args = parser.parse_args()
+        args['user'] = g.current_user
+        return service.render(args)
+
+
+class Endpoints(AuthenticatedResource):
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(Endpoints, self).__init__()
+
+    @validate_schema(None, endpoint_output_schema)
+    def get(self, endpoint_id):
+        """
+        .. http:get:: /endpoints/1
+
+           One endpoint
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /endpoints/1 HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+           :statuscode 403: unauthenticated
+        """
+        return service.get(endpoint_id)
+
+
+api.add_resource(EndpointsList, '/endpoints', endpoint='endpoints')
+api.add_resource(Endpoints, '/endpoints/<int:endpoint_id>', endpoint='endpoint')

lemur/exceptions.py

@@ -7,8 +7,8 @@ from flask import current_app
 
 
 class LemurException(Exception):
-    def __init__(self):
-        current_app.logger.error(self)
+    def __init__(self, *args, **kwargs):
+        current_app.logger.exception(self)
 
 
 class DuplicateError(LemurException):
@@ -19,33 +19,11 @@ class DuplicateError(LemurException):
         return repr("Duplicate found! Could not create: {0}".format(self.key))
 
 
-class AuthenticationFailedException(LemurException):
-    def __init__(self, remote_ip, user_agent):
-        self.remote_ip = remote_ip
-        self.user_agent = user_agent
-
-    def __str__(self):
-        return repr("Failed login from: {} {}".format(self.remote_ip, self.user_agent))
-
-
-class IntegrityError(LemurException):
-    def __init__(self, message):
-        self.message = message
-
-    def __str__(self):
-        return repr(self.message)
-
-
 class InvalidListener(LemurException):
     def __str__(self):
         return repr("Invalid listener, ensure you select a certificate if you are using a secure protocol")
 
 
-class CertificateUnavailable(LemurException):
-    def __str__(self):
-        return repr("The certificate requested is not available")
-
-
 class AttrNotFound(LemurException):
     def __init__(self, field):
         self.field = field
@@ -54,16 +32,5 @@ class AttrNotFound(LemurException):
         return repr("The field '{0}' is not sortable".format(self.field))
 
 
-class NoPersistanceFound(Exception):
-    def __str__(self):
-        return repr("No peristence method found, Lemur cannot persist sensitive information")
-
-
-class NoEncryptionKeyFound(Exception):
-    def __str__(self):
-        return repr("Aborting... Lemur cannot locate db encryption key, is ENCRYPTION_KEY set?")
-
-
-class InvalidToken(Exception):
-    def __str__(self):
-        return repr("Invalid token")
+class InvalidConfiguration(Exception):
+    pass

lemur/extensions.py

@@ -3,17 +3,20 @@
     :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
     :license: Apache, see LICENSE for more details.
 """
-from flask.ext.sqlalchemy import SQLAlchemy
+from flask_sqlalchemy import SQLAlchemy
 db = SQLAlchemy()
 
-from flask.ext.migrate import Migrate
+from flask_migrate import Migrate
 migrate = Migrate()
 
-from flask.ext.bcrypt import Bcrypt
+from flask_bcrypt import Bcrypt
 bcrypt = Bcrypt()
 
-from flask.ext.principal import Principal
+from flask_principal import Principal
 principal = Principal()
 
 from flask_mail import Mail
 smtp_mail = Mail()
+
+from lemur.metrics import Metrics
+metrics = Metrics()

lemur/factory.py

@@ -14,12 +14,12 @@ import imp
 import errno
 import pkg_resources
 
-from logging import Formatter
+from logging import Formatter, StreamHandler
 from logging.handlers import RotatingFileHandler
 
 from flask import Flask
 from lemur.common.health import mod as health
-from lemur.extensions import db, migrate, principal, smtp_mail
+from lemur.extensions import db, migrate, principal, smtp_mail, metrics
 
 
 DEFAULT_BLUEPRINTS = (
@@ -90,15 +90,22 @@ def configure_app(app, config=None):
     :param config:
     :return:
     """
-    try:
-        app.config.from_envvar("LEMUR_CONF")
-    except RuntimeError:
-        if config and config != 'None':
-            app.config.from_object(from_file(config))
-        elif os.path.isfile(os.path.expanduser("~/.lemur/lemur.conf.py")):
-            app.config.from_object(from_file(os.path.expanduser("~/.lemur/lemur.conf.py")))
-        else:
-            app.config.from_object(from_file(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'default.conf.py')))
+    # respect the config first
+    if config and config != 'None':
+        app.config['CONFIG_PATH'] = config
+        app.config.from_object(from_file(config))
+    else:
+        try:
+            app.config.from_envvar("LEMUR_CONF")
+        except RuntimeError:
+            # look in default paths
+            if os.path.isfile(os.path.expanduser("~/.lemur/lemur.conf.py")):
+                app.config.from_object(from_file(os.path.expanduser("~/.lemur/lemur.conf.py")))
+            else:
+                app.config.from_object(from_file(os.path.join(os.path.dirname(os.path.realpath(__file__)), 'default.conf.py')))
+
+    # we don't use this
+    app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
 
 
 def configure_extensions(app):
@@ -112,6 +119,7 @@ def configure_extensions(app):
     migrate.init_app(app, db)
     principal.init_app(app)
     smtp_mail.init_app(app)
+    metrics.init_app(app)
 
 
 def configure_blueprints(app, blueprints):
@@ -143,14 +151,19 @@ def configure_logging(app):
     app.logger.setLevel(app.config.get('LOG_LEVEL', 'DEBUG'))
     app.logger.addHandler(handler)
 
+    stream_handler = StreamHandler()
+    stream_handler.setLevel(app.config.get('LOG_LEVEL'))
+    app.logger.addHandler(stream_handler)
+
 
 def install_plugins(app):
     """
     Installs new issuers that are not currently bundled with Lemur.
 
-    :param settings:
+    :param app:
     :return:
     """
+    from lemur.plugins import plugins
     from lemur.plugins.base import register
     # entry_points={
     #    'lemur.plugins': [
@@ -165,3 +178,11 @@ def install_plugins(app):
             app.logger.error("Failed to load plugin %r:\n%s\n" % (ep.name, traceback.format_exc()))
         else:
             register(plugin)
+
+    # ensure that we have some way to notify
+    with app.app_context():
+        try:
+            slug = app.config.get("LEMUR_DEFAULT_NOTIFICATION_PLUGIN", "email-notification")
+            plugins.get(slug)
+        except KeyError:
+            raise Exception("Unable to location notification plugin: {slug}. Ensure that LEMUR_DEFAULT_NOTIFICATION_PLUGIN is set to a valid and installed notification plugin.".format(slug=slug))

lemur/logs/models.py

@@ -0,0 +1,23 @@
+"""
+.. module: lemur.logs.models
+    :platform: unix
+    :synopsis: This module contains all of the models related private key audit log.
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from sqlalchemy import Column, Integer, ForeignKey, PassiveDefault, func, Enum
+
+from sqlalchemy_utils.types.arrow import ArrowType
+
+from lemur.database import db
+
+
+class Log(db.Model):
+    __tablename__ = 'logs'
+    id = Column(Integer, primary_key=True)
+    certificate_id = Column(Integer, ForeignKey('certificates.id'))
+    log_type = Column(Enum('key_view', name='log_type'), nullable=False)
+    logged_at = Column(ArrowType(), PassiveDefault(func.now()), nullable=False)
+    user_id = Column(Integer, ForeignKey('users.id'), nullable=False)

lemur/logs/schemas.py

@@ -0,0 +1,23 @@
+"""
+.. module: lemur.logs.schemas
+    :platform: unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from marshmallow import fields
+
+from lemur.common.schema import LemurOutputSchema
+from lemur.certificates.schemas import CertificateNestedOutputSchema
+from lemur.users.schemas import UserNestedOutputSchema
+
+
+class LogOutputSchema(LemurOutputSchema):
+    id = fields.Integer()
+    certificate = fields.Nested(CertificateNestedOutputSchema)
+    user = fields.Nested(UserNestedOutputSchema)
+    logged_at = fields.DateTime()
+    log_type = fields.String()
+
+
+logs_output_schema = LogOutputSchema(many=True)

lemur/logs/service.py

@@ -0,0 +1,54 @@
+"""
+.. module: lemur.logs.service
+    :platform: Unix
+    :synopsis: This module contains all of the services level functions used to
+    administer logs in Lemur
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from lemur import database
+from lemur.logs.models import Log
+
+
+def create(user, type, certificate=None):
+    """
+    Creates logs a given action.
+
+    :param user:
+    :param type:
+    :param certificate:
+    :return:
+    """
+    view = Log(user_id=user.id, log_type=type, certificate_id=certificate.id)
+    database.add(view)
+    database.commit()
+
+
+def get_all():
+    """
+    Retrieve all logs from the database.
+
+    :return:
+    """
+    query = database.session_query(Log)
+    return database.find_all(query, Log, {}).all()
+
+
+def render(args):
+    """
+    Helper that paginates and filters data when requested
+    through the REST Api
+
+    :param args:
+    :return:
+    """
+    query = database.session_query(Log)
+
+    filt = args.pop('filter')
+
+    if filt:
+        terms = filt.split(';')
+        query = database.filter(query, Log, terms)
+
+    return database.sort_and_page(query, Log, args)

lemur/logs/views.py

@@ -0,0 +1,74 @@
+"""
+.. module: lemur.logs.views
+    :platform: Unix
+    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
+"""
+from flask import Blueprint
+from flask_restful import reqparse, Api
+
+from lemur.common.schema import validate_schema
+from lemur.common.utils import paginated_parser
+
+from lemur.auth.service import AuthenticatedResource
+from lemur.logs.schemas import logs_output_schema
+
+from lemur.logs import service
+
+
+mod = Blueprint('logs', __name__)
+api = Api(mod)
+
+
+class LogsList(AuthenticatedResource):
+    """ Defines the 'logs' endpoint """
+    def __init__(self):
+        self.reqparse = reqparse.RequestParser()
+        super(LogsList, self).__init__()
+
+    @validate_schema(None, logs_output_schema)
+    def get(self):
+        """
+        .. http:get:: /logs
+
+           The current log list
+
+           **Example request**:
+
+           .. sourcecode:: http
+
+              GET /logs HTTP/1.1
+              Host: example.com
+              Accept: application/json, text/javascript
+
+           **Example response**:
+
+           .. sourcecode:: http
+
+              HTTP/1.1 200 OK
+              Vary: Accept
+              Content-Type: text/javascript
+
+              {
+                "items": [
+                  ]
+                "total": 2
+              }
+
+           :query sortBy: field to sort on
+           :query sortDir: asc or desc
+           :query page: int default is 1
+           :query filter: key value pair format is k;v
+           :query count: count number default is 10
+           :reqheader Authorization: OAuth token to authenticate
+           :statuscode 200: no error
+        """
+        parser = paginated_parser.copy()
+        parser.add_argument('owner', type=str, location='args')
+        parser.add_argument('id', type=str, location='args')
+        args = parser.parse_args()
+        return service.render(args)
+
+
+api.add_resource(LogsList, '/logs', endpoint='logs')