packaging

debian/compat

@@ -0,0 +1 @@
+11

debian/control

@@ -0,0 +1,102 @@
+Source: lemur
+Section: admin
+Priority: extra
+Maintainer: Cadoles <contact@cadoles.com>
+Build-depends: debhelper (>=11),
+	python3-all,
+	python3-setuptools,
+	dh-python,
+	git,
+	npm
+Standards-Version: 3.9.4
+Homepage: https://forge.cadoles.com/Infra/lemur
+
+Package: lemur
+Architecture: any
+Pre-Depends: dpkg, python3, ${misc:Pre-Depends}
+Depends: ${python:Depends}, ${misc:Depends},
+	python3-lemur
+Description: Lemur
+
+Package: python3-lemur
+Architecture: any
+Pre-Depends: dpkg, python3, ${misc:Pre-Depends}
+Depends: python3-acme,
+	python3-alembic,
+	python3-amqp,
+	python3-aniso8601,
+	python3-arrow,
+	python3-bcrypt,
+	python3-bs4,
+	python3-billiard,
+	python3-blinker,
+	python3-boto3,
+	python3-botocore,
+	python3-celery,
+	python3-certifi,
+	python3-cffi,
+	python3-chardet,
+	python3-click,
+	python3-cloudflare,
+	python3-dnspython,
+	python3-flask-bcrypt,
+	python3-flask-cors,
+	python3-flask-mail,
+	python3-flask-migrate,
+	python3-flask-principal,
+	python3-flask-restful,
+	python3-flask-script,
+	python3-flask-sqlalchemy,
+	python3-flask,
+	python3-future,
+	python3-gunicorn,
+	python3-hvac,
+	python3-idna,
+	python3-inflection,
+	python3-itsdangerous,
+	python3-jinja2,
+	python3-jmespath,
+	python3-josepy,
+	python3-kombu,
+	python3-lockfile,
+	python3-mako,
+	python3-markupsafe,
+	python3-marshmallow-sqlalchemy,
+	python3-ndg-httpsclient,
+	python3-paramiko,
+	python3-pem,
+	python3-psycopg2,
+	python3-pyasn1-modules,
+	python3-pyasn1,
+	python3-pycparser,
+	python3-jwt,
+	python3-nacl,
+	python3-openssl,
+	python3-rfc3339,
+	python3-dateutil,
+	python3-editor,
+	python3-pythonjsonlogger,
+	python3-ldap,
+	python3-tz,
+	python3-yaml,
+	python3-redis,
+	python3-requests-toolbelt,
+	python3-requests,
+	python3-retrying,
+	python3-s3transfer,
+	python3-six,
+	python3-soupsieve,
+	python3-sqlalchemy-utils,
+	python3-sqlalchemy,
+	python3-tabulate,
+	python3-urllib3,
+	python3-vine,
+	python3-werkzeug,
+	python3-xmltodict
+Description: Lemur - library part
+
+Package: lemur-static
+Architecture: any
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${misc:Depends}
+Description: static HTML/JS/CSS file

debian/copyright

@@ -0,0 +1,10 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: lemur
+Upstream-Contact: Cadoles <contact@cadoles.com>
+Source: https://forge.cadoles.com/Infra/lemur
+
+Files: *
+Copyright: Lemur
+License: Apache-2.0 License 
+
+License: Apache-2.0 License 

debian/lemur-static.install

@@ -0,0 +1,2 @@
+lemur/static/dist/* usr/share/lemur/static/
+lemur/migrations usr/share/lemur

debian/rules

@@ -0,0 +1,30 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+#DH_VERBOSE = 1
+
+export PYBUILD_NAME = lemur
+export PYBUILD_DISABLE_python3 = test
+
+%:
+	# suppression requirements version of package
+	# only last version are supported by lemur
+	# but Ubuntu has not last version
+	sed -i "s/==\(\([[:digit:]]\)*\(\.\)*\)*//g" requirements.txt
+	# unecessary dependency
+	sed -i "s/zope.deferredimport/#zope.deferredimport/g" requirements.txt
+	dh $@ --with python3 --buildsystem=pybuild
+
+override_dh_install:
+	rm -rf debian/python3-lemur/usr/lib/python*/dist-packages/lemur/static/
+	rm -rf debian/python3-lemur/usr/lib/python*/dist-packages/lemur/tests/
+	rm -rf debian/python3-lemur/usr/lib/python*/dist-packages/trustores
+	mkdir -p debian/lemur/usr
+	mv debian/python3-lemur/usr/bin debian/lemur/usr
+	dh_install
+
+override_dh_auto_build:
+	npm install --unsafe-perm
+	node_modules/.bin/gulp build
+	node_modules/.bin/gulp package --urlContextPath=lemur
+	dh_auto_build

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

lemur/certificates/schemas.py

@@ -373,8 +373,7 @@ class CertificateOutputSchema(LemurOutputSchema):
             plugin = plugins.get(cert['authority']['plugin']['slug'])
         if plugin:
             plugin.wrap_certificate(cert)
-        if 'root_authority' in cert:
+        del cert['root_authority']
-            del cert['root_authority']
 
 
 class CertificateShortOutputSchema(LemurOutputSchema):

lemur/plugins/lemur_openssh/plugin.py

@@ -48,15 +48,10 @@ def split_cert(body):
 
 
 def sign_certificate(common_name, public_key, authority_private_key, user, extensions, not_before, not_after):
-    private_key = parse_private_key(authority_private_key).private_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PrivateFormat.OpenSSH,
-        encryption_algorithm=serialization.NoEncryption(),
-    ).decode()
     with mktempfile() as issuer_tmp:
         cmd = ['ssh-keygen', '-s', issuer_tmp]
         with open(issuer_tmp, 'w') as i:
-            i.writelines(private_key)
+            i.writelines(authority_private_key)
         if 'extendedKeyUsage' in extensions and extensions['extendedKeyUsage'].get('useClientAuthentication'):
             cmd.extend(['-I', user['username'] + ' user key',
                         '-n', user['username']])
@@ -68,9 +63,9 @@ def sign_certificate(common_name, public_key, authority_private_key, user, exten
             cmd.extend(['-I', common_name + ' host key',
                         '-n', ','.join(domains),
                         '-h'])
-        # something like 20201024102030
+        # something like 20201024
-        ssh_not_before = datetime.fromisoformat(not_before).strftime("%Y%m%d%H%M%S")
+        ssh_not_before = datetime.fromisoformat(not_before).strftime("%Y%m%d")
-        ssh_not_after = datetime.fromisoformat(not_after).strftime("%Y%m%d%H%M%S")
+        ssh_not_after = datetime.fromisoformat(not_after).strftime("%Y%m%d")
         cmd.extend(['-V', ssh_not_before + ':' + ssh_not_after])
         with mktempfile() as cert_tmp:
             with open(cert_tmp, 'w') as f:
@@ -107,8 +102,6 @@ class OpenSSHIssuerPlugin(CryptographyIssuerPlugin):
         return cert_pem, private_key, chain_cert_pem, roles
 
     def wrap_certificate(self, cert):
-        if 'body' not in cert:
-            return
         # get public_key in OpenSSH format
         public_key = parse_certificate(cert['body']).public_key().public_bytes(
             encoding=serialization.Encoding.OpenSSH,
@@ -116,11 +109,10 @@ class OpenSSHIssuerPlugin(CryptographyIssuerPlugin):
         ).decode()
         public_key += ' ' + cert['user']['email']
         # sign it with authority private key
-        if 'root_authority' in cert and cert['root_authority']:
+        if 'root_authority' in cert:
-            authority = cert['root_authority']
+            root_authority = cert['root_authority']
         else:
-            authority = cert['authority']
+            root_authority = get_by_root_authority(cert['authority']['id'])
-        root_authority = get_by_root_authority(authority['id'])
         authority_private_key = root_authority.private_key
         cert['body'] = sign_certificate(
             cert['common_name'],