373 lines
13 KiB
Python
373 lines
13 KiB
Python
"""
|
|
.. module: lemur.certificates.schemas
|
|
:platform: unix
|
|
:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
|
|
:license: Apache, see LICENSE for more details.
|
|
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
|
|
"""
|
|
from flask import current_app
|
|
from marshmallow import fields, validate, validates_schema, post_load, pre_load
|
|
from marshmallow.exceptions import ValidationError
|
|
|
|
from lemur.authorities.schemas import AuthorityNestedOutputSchema
|
|
from lemur.certificates import utils as cert_utils
|
|
from lemur.common import missing, utils, validators
|
|
from lemur.common.fields import ArrowDateTime, Hex
|
|
from lemur.common.schema import LemurInputSchema, LemurOutputSchema
|
|
from lemur.constants import CERTIFICATE_KEY_TYPES
|
|
from lemur.destinations.schemas import DestinationNestedOutputSchema
|
|
from lemur.dns_providers.schemas import DnsProvidersNestedOutputSchema
|
|
from lemur.domains.schemas import DomainNestedOutputSchema
|
|
from lemur.notifications import service as notification_service
|
|
from lemur.notifications.schemas import NotificationNestedOutputSchema
|
|
from lemur.policies.schemas import RotationPolicyNestedOutputSchema
|
|
from lemur.roles.schemas import RoleNestedOutputSchema
|
|
from lemur.schemas import (
|
|
AssociatedAuthoritySchema,
|
|
AssociatedDestinationSchema,
|
|
AssociatedCertificateSchema,
|
|
AssociatedNotificationSchema,
|
|
AssociatedDnsProviderSchema,
|
|
PluginInputSchema,
|
|
ExtensionSchema,
|
|
AssociatedRoleSchema,
|
|
EndpointNestedOutputSchema,
|
|
AssociatedRotationPolicySchema,
|
|
)
|
|
from lemur.users.schemas import UserNestedOutputSchema
|
|
|
|
|
|
class CertificateSchema(LemurInputSchema):
|
|
owner = fields.Email(required=True)
|
|
description = fields.String(missing="", allow_none=True)
|
|
|
|
|
|
class CertificateCreationSchema(CertificateSchema):
|
|
@post_load
|
|
def default_notification(self, data):
|
|
if not data["notifications"]:
|
|
data[
|
|
"notifications"
|
|
] += notification_service.create_default_expiration_notifications(
|
|
"DEFAULT_{0}".format(data["owner"].split("@")[0].upper()),
|
|
[data["owner"]],
|
|
)
|
|
|
|
data[
|
|
"notifications"
|
|
] += notification_service.create_default_expiration_notifications(
|
|
"DEFAULT_SECURITY",
|
|
current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL"),
|
|
current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL_INTERVALS", None),
|
|
)
|
|
return data
|
|
|
|
|
|
class CertificateInputSchema(CertificateCreationSchema):
|
|
name = fields.String()
|
|
common_name = fields.String(required=True, validate=validators.common_name)
|
|
authority = fields.Nested(AssociatedAuthoritySchema, required=True)
|
|
|
|
validity_start = ArrowDateTime(allow_none=True)
|
|
validity_end = ArrowDateTime(allow_none=True)
|
|
validity_years = fields.Integer(allow_none=True)
|
|
|
|
destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
|
|
notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
|
|
replaces = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
|
|
replacements = fields.Nested(
|
|
AssociatedCertificateSchema, missing=[], many=True
|
|
) # deprecated
|
|
roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)
|
|
dns_provider = fields.Nested(
|
|
AssociatedDnsProviderSchema, missing=None, allow_none=True, required=False
|
|
)
|
|
|
|
csr = fields.String(allow_none=True, validate=validators.csr)
|
|
|
|
key_type = fields.String(
|
|
validate=validate.OneOf(CERTIFICATE_KEY_TYPES), missing="RSA2048"
|
|
)
|
|
|
|
notify = fields.Boolean(default=True)
|
|
rotation = fields.Boolean()
|
|
rotation_policy = fields.Nested(
|
|
AssociatedRotationPolicySchema,
|
|
missing={"name": "default"},
|
|
allow_none=True,
|
|
default={"name": "default"},
|
|
)
|
|
|
|
# certificate body fields
|
|
organizational_unit = fields.String(
|
|
missing=lambda: current_app.config.get("LEMUR_DEFAULT_ORGANIZATIONAL_UNIT")
|
|
)
|
|
organization = fields.String(
|
|
missing=lambda: current_app.config.get("LEMUR_DEFAULT_ORGANIZATION")
|
|
)
|
|
location = fields.String(
|
|
missing=lambda: current_app.config.get("LEMUR_DEFAULT_LOCATION")
|
|
)
|
|
country = fields.String(
|
|
missing=lambda: current_app.config.get("LEMUR_DEFAULT_COUNTRY")
|
|
)
|
|
state = fields.String(missing=lambda: current_app.config.get("LEMUR_DEFAULT_STATE"))
|
|
|
|
extensions = fields.Nested(ExtensionSchema)
|
|
|
|
@validates_schema
|
|
def validate_authority(self, data):
|
|
if isinstance(data["authority"], str):
|
|
raise ValidationError("Authority not found.")
|
|
|
|
if not data["authority"].active:
|
|
raise ValidationError("The authority is inactive.", ["authority"])
|
|
|
|
@validates_schema
|
|
def validate_dates(self, data):
|
|
validators.dates(data)
|
|
|
|
@pre_load
|
|
def load_data(self, data):
|
|
if data.get("replacements"):
|
|
data["replaces"] = data[
|
|
"replacements"
|
|
] # TODO remove when field is deprecated
|
|
if data.get("csr"):
|
|
csr_sans = cert_utils.get_sans_from_csr(data["csr"])
|
|
if not data.get("extensions"):
|
|
data["extensions"] = {"subAltNames": {"names": []}}
|
|
elif not data["extensions"].get("subAltNames"):
|
|
data["extensions"]["subAltNames"] = {"names": []}
|
|
elif not data["extensions"]["subAltNames"].get("names"):
|
|
data["extensions"]["subAltNames"]["names"] = []
|
|
data["extensions"]["subAltNames"]["names"] += csr_sans
|
|
return missing.convert_validity_years(data)
|
|
|
|
|
|
class CertificateEditInputSchema(CertificateSchema):
|
|
owner = fields.String()
|
|
|
|
notify = fields.Boolean()
|
|
rotation = fields.Boolean()
|
|
|
|
destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
|
|
notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
|
|
replaces = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
|
|
replacements = fields.Nested(
|
|
AssociatedCertificateSchema, missing=[], many=True
|
|
) # deprecated
|
|
roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)
|
|
|
|
@pre_load
|
|
def load_data(self, data):
|
|
if data.get("replacements"):
|
|
data["replaces"] = data[
|
|
"replacements"
|
|
] # TODO remove when field is deprecated
|
|
return data
|
|
|
|
@post_load
|
|
def enforce_notifications(self, data):
|
|
"""
|
|
Ensures that when an owner changes, default notifications are added for the new owner.
|
|
Old owner notifications are retained unless explicitly removed.
|
|
:param data:
|
|
:return:
|
|
"""
|
|
if data["owner"]:
|
|
notification_name = "DEFAULT_{0}".format(
|
|
data["owner"].split("@")[0].upper()
|
|
)
|
|
data[
|
|
"notifications"
|
|
] += notification_service.create_default_expiration_notifications(
|
|
notification_name, [data["owner"]]
|
|
)
|
|
return data
|
|
|
|
|
|
class CertificateNestedOutputSchema(LemurOutputSchema):
|
|
__envelope__ = False
|
|
id = fields.Integer()
|
|
name = fields.String()
|
|
owner = fields.Email()
|
|
creator = fields.Nested(UserNestedOutputSchema)
|
|
description = fields.String()
|
|
|
|
status = fields.String()
|
|
|
|
bits = fields.Integer()
|
|
body = fields.String()
|
|
chain = fields.String()
|
|
csr = fields.String()
|
|
active = fields.Boolean()
|
|
|
|
rotation = fields.Boolean()
|
|
notify = fields.Boolean()
|
|
rotation_policy = fields.Nested(RotationPolicyNestedOutputSchema)
|
|
|
|
# Note aliasing is the first step in deprecating these fields.
|
|
cn = fields.String() # deprecated
|
|
common_name = fields.String(attribute="cn")
|
|
|
|
not_after = fields.DateTime() # deprecated
|
|
validity_end = ArrowDateTime(attribute="not_after")
|
|
|
|
not_before = fields.DateTime() # deprecated
|
|
validity_start = ArrowDateTime(attribute="not_before")
|
|
|
|
issuer = fields.Nested(AuthorityNestedOutputSchema)
|
|
|
|
|
|
class CertificateCloneSchema(LemurOutputSchema):
|
|
__envelope__ = False
|
|
description = fields.String()
|
|
common_name = fields.String()
|
|
|
|
|
|
class CertificateOutputSchema(LemurOutputSchema):
|
|
id = fields.Integer()
|
|
external_id = fields.String()
|
|
bits = fields.Integer()
|
|
body = fields.String()
|
|
chain = fields.String()
|
|
csr = fields.String()
|
|
deleted = fields.Boolean(default=False)
|
|
description = fields.String()
|
|
issuer = fields.String()
|
|
name = fields.String()
|
|
dns_provider_id = fields.Integer(required=False, allow_none=True)
|
|
date_created = ArrowDateTime()
|
|
resolved = fields.Boolean(required=False, allow_none=True)
|
|
resolved_cert_id = fields.Integer(required=False, allow_none=True)
|
|
|
|
rotation = fields.Boolean()
|
|
|
|
# Note aliasing is the first step in deprecating these fields.
|
|
notify = fields.Boolean()
|
|
active = fields.Boolean(attribute="notify")
|
|
|
|
cn = fields.String()
|
|
common_name = fields.String(attribute="cn")
|
|
distinguished_name = fields.String()
|
|
|
|
not_after = fields.DateTime()
|
|
validity_end = ArrowDateTime(attribute="not_after")
|
|
|
|
not_before = fields.DateTime()
|
|
validity_start = ArrowDateTime(attribute="not_before")
|
|
|
|
owner = fields.Email()
|
|
san = fields.Boolean()
|
|
serial = fields.String()
|
|
serial_hex = Hex(attribute="serial")
|
|
signing_algorithm = fields.String()
|
|
|
|
status = fields.String()
|
|
user = fields.Nested(UserNestedOutputSchema)
|
|
|
|
extensions = fields.Nested(ExtensionSchema)
|
|
|
|
# associated objects
|
|
domains = fields.Nested(DomainNestedOutputSchema, many=True)
|
|
destinations = fields.Nested(DestinationNestedOutputSchema, many=True)
|
|
notifications = fields.Nested(NotificationNestedOutputSchema, many=True)
|
|
replaces = fields.Nested(CertificateNestedOutputSchema, many=True)
|
|
authority = fields.Nested(AuthorityNestedOutputSchema)
|
|
dns_provider = fields.Nested(DnsProvidersNestedOutputSchema)
|
|
roles = fields.Nested(RoleNestedOutputSchema, many=True)
|
|
endpoints = fields.Nested(EndpointNestedOutputSchema, many=True, missing=[])
|
|
replaced_by = fields.Nested(
|
|
CertificateNestedOutputSchema, many=True, attribute="replaced"
|
|
)
|
|
rotation_policy = fields.Nested(RotationPolicyNestedOutputSchema)
|
|
|
|
|
|
class CertificateUploadInputSchema(CertificateCreationSchema):
|
|
name = fields.String()
|
|
authority = fields.Nested(AssociatedAuthoritySchema, required=False)
|
|
notify = fields.Boolean(missing=True)
|
|
external_id = fields.String(missing=None, allow_none=True)
|
|
private_key = fields.String()
|
|
body = fields.String(required=True)
|
|
chain = fields.String(missing=None, allow_none=True)
|
|
csr = fields.String(required=False, allow_none=True, validate=validators.csr)
|
|
|
|
destinations = fields.Nested(AssociatedDestinationSchema, missing=[], many=True)
|
|
notifications = fields.Nested(AssociatedNotificationSchema, missing=[], many=True)
|
|
replaces = fields.Nested(AssociatedCertificateSchema, missing=[], many=True)
|
|
roles = fields.Nested(AssociatedRoleSchema, missing=[], many=True)
|
|
|
|
@validates_schema
|
|
def keys(self, data):
|
|
if data.get("destinations"):
|
|
if not data.get("private_key"):
|
|
raise ValidationError("Destinations require private key.")
|
|
|
|
@validates_schema
|
|
def validate_cert_private_key_chain(self, data):
|
|
cert = None
|
|
key = None
|
|
if data.get("body"):
|
|
try:
|
|
cert = utils.parse_certificate(data["body"])
|
|
except ValueError:
|
|
raise ValidationError(
|
|
"Public certificate presented is not valid.", field_names=["body"]
|
|
)
|
|
|
|
if data.get("private_key"):
|
|
try:
|
|
key = utils.parse_private_key(data["private_key"])
|
|
except ValueError:
|
|
raise ValidationError(
|
|
"Private key presented is not valid.", field_names=["private_key"]
|
|
)
|
|
|
|
if cert and key:
|
|
# Throws ValidationError
|
|
validators.verify_private_key_match(key, cert)
|
|
|
|
if data.get("chain"):
|
|
try:
|
|
chain = utils.parse_cert_chain(data["chain"])
|
|
except ValueError:
|
|
raise ValidationError(
|
|
"Invalid certificate in certificate chain.", field_names=["chain"]
|
|
)
|
|
|
|
# Throws ValidationError
|
|
validators.verify_cert_chain([cert] + chain)
|
|
|
|
|
|
class CertificateExportInputSchema(LemurInputSchema):
|
|
plugin = fields.Nested(PluginInputSchema)
|
|
|
|
|
|
class CertificateNotificationOutputSchema(LemurOutputSchema):
|
|
description = fields.String()
|
|
issuer = fields.String()
|
|
name = fields.String()
|
|
owner = fields.Email()
|
|
user = fields.Nested(UserNestedOutputSchema)
|
|
validity_end = ArrowDateTime(attribute="not_after")
|
|
replaced_by = fields.Nested(
|
|
CertificateNestedOutputSchema, many=True, attribute="replaced"
|
|
)
|
|
endpoints = fields.Nested(EndpointNestedOutputSchema, many=True, missing=[])
|
|
|
|
|
|
class CertificateRevokeSchema(LemurInputSchema):
|
|
comments = fields.String()
|
|
|
|
|
|
certificate_input_schema = CertificateInputSchema()
|
|
certificate_output_schema = CertificateOutputSchema()
|
|
certificates_output_schema = CertificateOutputSchema(many=True)
|
|
certificate_upload_input_schema = CertificateUploadInputSchema()
|
|
certificate_export_input_schema = CertificateExportInputSchema()
|
|
certificate_edit_input_schema = CertificateEditInputSchema()
|
|
certificate_notification_output_schema = CertificateNotificationOutputSchema()
|
|
certificate_revoke_schema = CertificateRevokeSchema()
|