Beispiel #1
0
def create(**kwargs):
    """
    Creates a new certificate.
    """
    from lemur.notifications import service as notification_service

    cert, private_key, cert_chain = mint(kwargs)

    cert.owner = kwargs["owner"]

    database.create(cert)
    cert.description = kwargs["description"]
    g.user.certificates.append(cert)
    database.update(g.user)

    # do this after the certificate has already been created because if it fails to upload to the third party
    # we do not want to lose the certificate information.
    database.update_list(cert, "destinations", Destination, kwargs.get("destinations"))

    database.update_list(cert, "notifications", Notification, kwargs.get("notifications"))

    # create default notifications for this certificate if none are provided
    notifications = []
    if not kwargs.get("notifications"):
        notification_name = "DEFAULT_{0}".format(cert.owner.split("@")[0].upper())
        notifications += notification_service.create_default_expiration_notifications(notification_name, [cert.owner])

    notification_name = "DEFAULT_SECURITY"
    notifications += notification_service.create_default_expiration_notifications(
        notification_name, current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")
    )
    cert.notifications = notifications

    database.update(cert)
    return cert
Beispiel #2
0
def get_or_create_cipher(**kwargs):
    cipher = database.get(Cipher, kwargs['name'], field='name')

    if not cipher:
        cipher = Cipher(**kwargs)
        database.create(cipher)

    return cipher
Beispiel #3
0
def get_or_create_policy(**kwargs):
    policy = database.get(Policy, kwargs['name'], field='name')

    if not policy:
        policy = Policy(**kwargs)
        database.create(policy)

    return policy
Beispiel #4
0
def create(**kwargs):
    """
    Creates a new rotation policy.

    :param kwargs:
    :return:
    """
    policy = RotationPolicy(**kwargs)
    database.create(policy)
    return policy
Beispiel #5
0
def create(**kwargs):
    """
    Creates a new endpoint.
    :param kwargs:
    :return:
    """
    endpoint = Endpoint(**kwargs)
    database.create(endpoint)
    metrics.send('endpoint_added', 'counter', 1)
    return endpoint
Beispiel #6
0
def create(**kwargs):
    """
    Creates a new endpoint.
    :param kwargs:
    :return:
    """
    endpoint = Endpoint(**kwargs)
    database.create(endpoint)
    metrics.send('endpoint_added', 'counter', 1, metric_tags={'source': endpoint.source.label})
    return endpoint
Beispiel #7
0
def create(**kwargs):
    """
    Creates a new authority.
    """
    body, private_key, chain, roles = mint(**kwargs)

    kwargs['creator'].roles = list(set(list(kwargs['creator'].roles) + roles))

    kwargs['body'] = body
    kwargs['private_key'] = private_key
    kwargs['chain'] = chain

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    cert = upload(**kwargs)
    kwargs['authority_certificate'] = cert
    if kwargs.get('plugin', {}).get('plugin_options', []):
        kwargs['options'] = json.dumps(kwargs['plugin']['plugin_options'])

    authority = Authority(**kwargs)
    authority = database.create(authority)
    kwargs['creator'].authorities.append(authority)

    metrics.send('authority_created', 'counter', 1, metric_tags=dict(owner=authority.owner))
    return authority
Beispiel #8
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    roles = create_certificate_roles(**kwargs)

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    if kwargs.get('private_key'):
        private_key = kwargs['private_key']
        if not isinstance(private_key, bytes):
            kwargs['private_key'] = private_key.encode('utf-8')

    cert = Certificate(**kwargs)

    cert = database.create(cert)

    kwargs['creator'].certificates.append(cert)

    cert = database.update(cert)
    certificate_imported.send(certificate=cert, authority=cert.authority)
    return cert
Beispiel #9
0
def create(account_number, domains, dns_provider_type, options=None):
    """
    Creates a new dns authorization.
    """

    authorization = Authorization(account_number, domains, dns_provider_type, options)
    return database.create(authorization)
Beispiel #10
0
def import_certificate(**kwargs):
    """
    Uploads already minted certificates and pulls the required information into Lemur.

    This is to be used for certificates that are created outside of Lemur but
    should still be tracked.

    Internally this is used to bootstrap Lemur with external
    certificates, and used when certificates are 'discovered' through various discovery
    techniques. was still in aws.

    :param kwargs:
    """
    from lemur.users import service as user_service
    from lemur.notifications import service as notification_service
    cert = Certificate(kwargs['public_certificate'], chain=kwargs['intermediate_certificate'])

    # TODO future source plugins might have a better understanding of who the 'owner' is we should support this
    cert.owner = kwargs.get('owner', current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')[0])
    cert.creator = kwargs.get('creator', user_service.get_by_email('lemur@nobody'))

    # NOTE existing certs may not follow our naming standard we will
    # overwrite the generated name with the actual cert name
    if kwargs.get('name'):
        cert.name = kwargs.get('name')

    if kwargs.get('user'):
        cert.user = kwargs.get('user')

    notification_name = 'DEFAULT_SECURITY'
    notifications = notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
    cert.notifications = notifications

    cert = database.create(cert)
    return cert
Beispiel #11
0
def create(**kwargs):
    """
    Creates a new authority.
    """
    kwargs['creator'] = g.user.email
    body, private_key, chain, roles = mint(**kwargs)

    g.user.roles = list(set(list(g.user.roles) + roles))

    kwargs['body'] = body
    kwargs['private_key'] = private_key
    kwargs['chain'] = chain

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    cert = upload(**kwargs)
    kwargs['authority_certificate'] = cert

    authority = Authority(**kwargs)
    authority = database.create(authority)
    g.user.authorities.append(authority)

    metrics.send('authority_created', 'counter', 1, metric_tags=dict(owner=authority.owner))
    return authority
Beispiel #12
0
def create(**kwargs):
    """
    Creates a new authority.
    """
    kwargs['creator'] = g.user.email
    body, chain, roles = mint(**kwargs)

    kwargs['body'] = body
    kwargs['chain'] = chain

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    if kwargs['type'] == 'subca':
        description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
                                authority is {1}.".format(kwargs.get('name'), kwargs.get('parent'))
    else:
        description = "This is the ROOT certificate for the {0} certificate authority.".format(
            kwargs.get('name')
        )

    kwargs['description'] = description

    cert = upload(**kwargs)
    kwargs['authority_certificate'] = cert

    authority = Authority(**kwargs)
    authority = database.create(authority)
    g.user.authorities.append(authority)

    metrics.send('authority_created', 'counter', 1, metric_tags=dict(owner=authority.owner))
    return authority
Beispiel #13
0
def create(name, sensitive):
    """
    Create a new domain

    :param name:
    :param sensitive:
    :return:
    """
    domain = Domain(name=name, sensitive=sensitive)
    return database.create(domain)
Beispiel #14
0
def create(kwargs):
    """
    Create a new authority.

    :rtype : Authority
    :return:
    """

    issuer = plugins.get(kwargs.get('pluginName'))

    kwargs['creator'] = g.current_user.email
    cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)

    cert = Certificate(cert_body, chain=intermediate)
    cert.owner = kwargs['ownerEmail']
    cert.description = "This is the ROOT certificate for the {0} certificate authority".format(kwargs.get('caName'))
    cert.user = g.current_user

    cert.notifications = notification_service.create_default_expiration_notifications(
        'DEFAULT_SECURITY',
        current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
    )

    # we create and attach any roles that the issuer gives us
    role_objs = []
    for r in issuer_roles:

        role = role_service.create(
            r['name'],
            password=r['password'],
            description="{0} auto generated role".format(kwargs.get('pluginName')),
            username=r['username'])

        # the user creating the authority should be able to administer it
        if role.username == 'admin':
            g.current_user.roles.append(role)

        role_objs.append(role)

    authority = Authority(
        kwargs.get('caName'),
        kwargs['ownerEmail'],
        kwargs['pluginName'],
        cert_body,
        description=kwargs['caDescription'],
        chain=intermediate,
        roles=role_objs
    )

    database.update(cert)
    authority = database.create(authority)

    g.current_user.authorities.append(authority)

    return authority
Beispiel #15
0
def create(label, plugin_name, options, description=None):
    """
    Creates a new source, that can then be used as a source for certificates.

    :param label: Source common name
    :param description:
    :rtype : Source
    :return: New source
    """
    source = Source(label=label, options=options, plugin_name=plugin_name, description=description)
    return database.create(source)
Beispiel #16
0
def create(label, plugin_name, options, description=None):
    """
    Creates a new destination, that can then be used as a destination for certificates.

    :param label: Destination common name
    :param description:
    :rtype : Destination
    :return: New destination
    """
    destination = Destination(label=label, options=options, plugin_name=plugin_name, description=description)
    return database.create(destination)
Beispiel #17
0
    def run(self, elb_list, chain_path, cert_name, cert_prefix, description):

        for e in open(elb_list, 'r').readlines():
            elb_name, account_id, region, from_port, to_port, protocol = e.strip().split(',')

            if cert_name:
                arn = "arn:aws:iam::{0}:server-certificate/{1}".format(account_id, cert_name)

            else:
                # if no cert name is provided we need to discover it
                listeners = elb.get_listeners(account_id, region, elb_name)

                # get the listener we care about
                for listener in listeners:
                    if listener[0] == int(from_port) and listener[1] == int(to_port):
                        arn = listener[4]
                        name = get_name_from_arn(arn)
                        certificate = cert_service.get_by_name(name)
                        break
                else:
                    sys.stdout.write("[-] Could not find ELB {0}".format(elb_name))
                    continue

                if not certificate:
                    sys.stdout.write("[-] Could not find certificate {0} in Lemur".format(name))
                    continue

                dests = []
                for d in certificate.destinations:
                    dests.append({'id': d.id})

                nots = []
                for n in certificate.notifications:
                    nots.append({'id': n.id})

                new_certificate = database.clone(certificate)

                if cert_prefix:
                    new_certificate.name = "{0}-{1}".format(cert_prefix, new_certificate.name)

                new_certificate.chain = open(chain_path, 'r').read()
                new_certificate.description = "{0} - {1}".format(new_certificate.description, description)

                new_certificate = database.create(new_certificate)
                database.update_list(new_certificate, 'destinations', Destination, dests)
                database.update_list(new_certificate, 'notifications', Notification, nots)
                database.update(new_certificate)

                arn = new_certificate.get_arn(account_id)

            elb.update_listeners(account_id, region, elb_name, [(from_port, to_port, protocol, arn)], [from_port])

            sys.stdout.write("[+] Updated {0} to use {1}\n".format(elb_name, new_certificate.name))
Beispiel #18
0
def create(**kwargs):
    """
    Creates a new certificate.
    """
    from lemur.notifications import service as notification_service
    cert, private_key, cert_chain = mint(kwargs)

    cert.owner = kwargs['owner']

    # we override the generated name if one is provided
    if kwargs.get('name'):
        cert.name = kwargs['name']

    database.create(cert)
    cert.description = kwargs.get('description')
    g.user.certificates.append(cert)
    database.update(g.user)

    # do this after the certificate has already been created because if it fails to upload to the third party
    # we do not want to lose the certificate information.
    database.update_list(cert, 'destinations', Destination, kwargs['destinations'])
    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])
    database.update_list(cert, 'notifications', Notification, kwargs['notifications'])

    # create default notifications for this certificate if none are provided
    notifications = cert.notifications
    if not kwargs.get('notifications'):
        notification_name = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
        notifications += notification_service.create_default_expiration_notifications(notification_name, [cert.owner])

    notification_name = 'DEFAULT_SECURITY'
    notifications += notification_service.create_default_expiration_notifications(notification_name,
                                                                                  current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
    cert.notifications = notifications

    database.update(cert)
    metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer))
    return cert
Beispiel #19
0
def create(label, plugin_name, options, description, certificates):
    """
    Creates a new destination, that can then be used as a destination for certificates.

    :param label: Notification common name
    :param plugin_name:
    :param options:
    :param description:
    :rtype : Notification
    :return:
    """
    notification = Notification(label=label, options=options, plugin_name=plugin_name, description=description)
    notification = database.update_list(notification, 'certificates', Certificate, certificates)
    return database.create(notification)
Beispiel #20
0
def create(label, plugin_name, options, description, certificates):
    """
    Creates a new notification.

    :param label: Notification label
    :param plugin_name:
    :param options:
    :param description:
    :param certificates:
    :rtype : Notification
    :return:
    """
    notification = Notification(label=label, options=options, plugin_name=plugin_name, description=description)
    notification.certificates = certificates
    return database.create(notification)
Beispiel #21
0
def create(label, plugin_name, options, description=None):
    """
    Creates a new destination, that can then be used as a destination for certificates.

    :param label: Destination common name
    :param description:
    :rtype : Destination
    :return: New destination
    """
    # remove any sub-plugin objects before try to save the json options
    for option in options:
        if 'plugin' in option['type']:
            del option['value']['plugin_object']

    destination = Destination(label=label, options=options, plugin_name=plugin_name, description=description)
    return database.create(destination)
Beispiel #22
0
def create(name, password=None, description=None, username=None, users=None):
    """
    Create a new role

    :param name:
    :param users:
    :param description:
    :param username:
    :param password:
    :return:
    """
    role = Role(name=name, description=description, username=username, password=password)

    if users:
        role.users = users

    return database.create(role)
Beispiel #23
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    roles = create_certificate_roles(**kwargs)

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    cert = Certificate(**kwargs)

    cert = database.create(cert)
    g.user.certificates.append(cert)

    database.update(cert)
    return cert
Beispiel #24
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    roles = create_certificate_roles(**kwargs)

    if kwargs.get("roles"):
        kwargs["roles"] += roles
    else:
        kwargs["roles"] = roles

    cert = Certificate(**kwargs)
    cert.authority = kwargs.get("authority")
    cert = database.create(cert)

    kwargs["creator"].certificates.append(cert)

    cert = database.update(cert)
    certificate_imported.send(certificate=cert, authority=cert.authority)
    return cert
Beispiel #25
0
def create(name, password=None, description=None, username=None, users=None):
    """
    Create a new role

    :param name:
    :param users:
    :param description:
    :param username:
    :param password:
    :return:
    """
    role = Role(name=name,
                description=description,
                username=username,
                password=password)

    if users:
        role.users = users

    return database.create(role)
Beispiel #26
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    roles = create_certificate_roles(**kwargs)

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    cert = Certificate(**kwargs)
    cert.authority = kwargs.get('authority')
    cert = database.create(cert)

    kwargs['creator'].certificates.append(cert)

    cert = database.update(cert)
    certificate_imported.send(certificate=cert, authority=cert.authority)
    return cert
Beispiel #27
0
def import_certificate(**kwargs):
    """
    Uploads already minted certificates and pulls the required information into Lemur.

    This is to be used for certificates that are created outside of Lemur but
    should still be tracked.

    Internally this is used to bootstrap Lemur with external
    certificates, and used when certificates are 'discovered' through various discovery
    techniques. was still in aws.

    :param kwargs:
    """
    from lemur.users import service as user_service
    from lemur.notifications import service as notification_service
    cert = Certificate(kwargs['public_certificate'],
                       chain=kwargs['intermediate_certificate'])

    # TODO future source plugins might have a better understanding of who the 'owner' is we should support this
    cert.owner = kwargs.get(
        'owner',
        current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')[0])
    cert.creator = kwargs.get('creator',
                              user_service.get_by_email('lemur@nobody'))

    # NOTE existing certs may not follow our naming standard we will
    # overwrite the generated name with the actual cert name
    if kwargs.get('name'):
        cert.name = kwargs.get('name')

    if kwargs.get('user'):
        cert.user = kwargs.get('user')

    notification_name = 'DEFAULT_SECURITY'
    notifications = notification_service.create_default_expiration_notifications(
        notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])
    cert.notifications = notifications

    cert = database.create(cert)
    return cert
Beispiel #28
0
def create(**kwargs):
    """
    Creates a new authority.
    """
    ca_name = kwargs.get("name")
    if get_by_name(ca_name):
        raise Exception(f"Authority with name {ca_name} already exists")
    if role_service.get_by_name(
            f"{ca_name}_admin") or role_service.get_by_name(
                f"{ca_name}_operator"):
        raise Exception(
            f"Admin and/or operator roles for authority {ca_name} already exist"
        )

    body, private_key, chain, roles = mint(**kwargs)

    kwargs["creator"].roles = list(set(list(kwargs["creator"].roles) + roles))

    kwargs["body"] = body
    kwargs["private_key"] = private_key
    kwargs["chain"] = chain

    if kwargs.get("roles"):
        kwargs["roles"] += roles
    else:
        kwargs["roles"] = roles

    cert = upload(**kwargs)
    kwargs["authority_certificate"] = cert
    if kwargs.get("plugin", {}).get("plugin_options", []):
        kwargs["options"] = json.dumps(kwargs["plugin"]["plugin_options"])

    authority = Authority(**kwargs)
    authority = database.create(authority)
    kwargs["creator"].authorities.append(authority)

    metrics.send("authority_created",
                 "counter",
                 1,
                 metric_tags=dict(owner=authority.owner))
    return authority
Beispiel #29
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    roles = create_certificate_roles(**kwargs)

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    cert = Certificate(**kwargs)

    cert = database.create(cert)

    try:
        g.user.certificates.append(cert)
    except AttributeError:
        current_app.logger.debug("No user to associate uploaded certificate to.")

    return database.update(cert)
Beispiel #30
0
def create(username, password, email, active, profile_picture, roles):
    """
    Create a new user

    :param username:
    :param password:
    :param email:
    :param active:
    :param profile_picture:
    :param roles:
    :return:
    """
    user = User(
        password=password,
        username=username,
        email=email,
        active=active,
        profile_picture=profile_picture,
    )
    user.roles = roles
    return database.create(user)
Beispiel #31
0
def create(label, plugin_name, options, description=None):
    """
    Creates a new destination, that can then be used as a destination for certificates.

    :param label: Destination common name
    :param description:
    :rtype : Destination
    :return: New destination
    """
    # remove any sub-plugin objects before try to save the json options
    for option in options:
        if 'plugin' in option['type']:
            del option['value']['plugin_object']

    destination = Destination(label=label, options=options, plugin_name=plugin_name, description=description)
    current_app.logger.info("Destination: %s created", label)

    # add the destination as source, to avoid new destinations that are not in source, as long as an AWS destination
    if add_aws_destination_to_sources(destination):
        current_app.logger.info("Source: %s created", label)

    return database.create(destination)
Beispiel #32
0
def create(username, password, email, active, profile_picture, roles):
    """
    Create a new user

    :param username:
    :param password:
    :param email:
    :param active:
    :param profile_picture:
    :param roles:
    :return:
    """
    user = User(
        password=password,
        username=username,
        email=email,
        active=active,
        profile_picture=profile_picture,
    )
    user.roles = roles
    log_service.audit_log("create_user", username, "Creating new user")
    return database.create(user)
Beispiel #33
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    roles = create_certificate_roles(**kwargs)

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    if kwargs.get('private_key'):
        private_key = kwargs['private_key']
        if not isinstance(private_key, bytes):
            kwargs['private_key'] = private_key.encode('utf-8')

    cert = Certificate(**kwargs)

    cert = database.create(cert)

    kwargs['creator'].certificates.append(cert)
    return database.update(cert)
Beispiel #34
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    from lemur.notifications import service as notification_service
    cert = Certificate(
        kwargs.get('public_cert'),
        kwargs.get('private_key'),
        kwargs.get('intermediate_cert'),
    )

    # we override the generated name if one is provided
    if kwargs.get('name'):
        cert.name = kwargs['name']

    cert.description = kwargs.get('description')

    cert.owner = kwargs['owner']
    cert = database.create(cert)

    g.user.certificates.append(cert)

    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))
    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])

    # create default notifications for this certificate if none are provided
    notifications = []
    if not kwargs.get('notifications'):
        notification_name = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
        notifications += notification_service.create_default_expiration_notifications(notification_name, [cert.owner])

    notification_name = 'DEFAULT_SECURITY'
    notifications += notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
    cert.notifications = notifications

    database.update(cert)
    return cert
Beispiel #35
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    from lemur.notifications import service as notification_service
    cert = Certificate(
        kwargs.get('public_cert'),
        kwargs.get('private_key'),
        kwargs.get('intermediate_cert'),
    )

    # we override the generated name if one is provided
    if kwargs.get('name'):
        cert.name = kwargs['name']

    cert.description = kwargs.get('description')

    cert.owner = kwargs['owner']
    cert = database.create(cert)

    g.user.certificates.append(cert)

    database.update_list(cert, 'destinations', Destination, kwargs['destinations'])
    database.update_list(cert, 'notifications', Notification, kwargs['notifications'])
    database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])

    # create default notifications for this certificate if none are provided
    notifications = []
    if not kwargs.get('notifications'):
        notification_name = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
        notifications += notification_service.create_default_expiration_notifications(notification_name, [cert.owner])

    notification_name = 'DEFAULT_SECURITY'
    notifications += notification_service.create_default_expiration_notifications(notification_name, current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
    cert.notifications = notifications

    database.update(cert)
    return cert
Beispiel #36
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    from lemur.users import service as user_service
    roles = create_certificate_roles(**kwargs)

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    cert = Certificate(**kwargs)

    cert = database.create(cert)

    try:
        g.user.certificates.append(cert)
    except AttributeError:
        user = user_service.get_by_email('lemur@nobody')
        user.certificates.append(cert)

    return database.update(cert)
Beispiel #37
0
def create(**kwargs):
    """
    Creates a new authority.
    """
    kwargs['creator'] = g.user.email
    body, chain, roles = mint(**kwargs)

    kwargs['body'] = body
    kwargs['chain'] = chain

    if kwargs.get('roles'):
        kwargs['roles'] += roles
    else:
        kwargs['roles'] = roles

    if kwargs['type'] == 'subca':
        description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
                                authority is {1}.".format(
            kwargs.get('name'), kwargs.get('parent'))
    else:
        description = "This is the ROOT certificate for the {0} certificate authority.".format(
            kwargs.get('name'))

    kwargs['description'] = description

    cert = upload(**kwargs)
    kwargs['authority_certificate'] = cert

    authority = Authority(**kwargs)
    authority = database.create(authority)
    g.user.authorities.append(authority)

    metrics.send('authority_created',
                 'counter',
                 1,
                 metric_tags=dict(owner=authority.owner))
    return authority
Beispiel #38
0
def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.
    """
    from lemur.notifications import service as notification_service

    cert = Certificate(kwargs.get("public_cert"), kwargs.get("private_key"), kwargs.get("intermediate_cert"))

    # we override the generated name if one is provided
    if kwargs.get("name"):
        cert.name = kwargs["name"]

    cert.description = kwargs.get("description")

    cert.owner = kwargs["owner"]
    cert = database.create(cert)

    g.user.certificates.append(cert)

    database.update_list(cert, "destinations", Destination, kwargs.get("destinations"))

    database.update_list(cert, "notifications", Notification, kwargs.get("notifications"))

    # create default notifications for this certificate if none are provided
    notifications = []
    if not kwargs.get("notifications"):
        notification_name = "DEFAULT_{0}".format(cert.owner.split("@")[0].upper())
        notifications += notification_service.create_default_expiration_notifications(notification_name, [cert.owner])

    notification_name = "DEFAULT_SECURITY"
    notifications += notification_service.create_default_expiration_notifications(
        notification_name, current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")
    )
    cert.notifications = notifications

    database.update(cert)
    return cert
Beispiel #39
0
def create(label, plugin_name, options, description=None):
    """
    Creates a new destination, that can then be used as a destination for certificates.

    :param label: Destination common name
    :param description:
    :rtype : Destination
    :return: New destination
    """
    # remove any sub-plugin objects before try to save the json options
    for option in options:
        if "plugin" in option["type"]:
            del option["value"]["plugin_object"]

    destination = Destination(
        label=label, options=options, plugin_name=plugin_name, description=description
    )
    current_app.logger.info("Destination: %s created", label)

    # add the destination as source, to avoid new destinations that are not in source, as long as an AWS destination
    if add_aws_destination_to_sources(destination):
        current_app.logger.info("Source: %s created", label)

    return database.create(destination)
Beispiel #40
0
    def run(self, elb_list, chain_path, cert_name, cert_prefix, description):

        for e in open(elb_list, 'r').readlines():
            elb_name, account_id, region, from_port, to_port, protocol = e.strip(
            ).split(',')

            if cert_name:
                arn = "arn:aws:iam::{0}:server-certificate/{1}".format(
                    account_id, cert_name)

            else:
                # if no cert name is provided we need to discover it
                listeners = elb.get_listeners(account_id, region, elb_name)

                # get the listener we care about
                for listener in listeners:
                    if listener[0] == int(from_port) and listener[1] == int(
                            to_port):
                        arn = listener[4]
                        name = get_name_from_arn(arn)
                        certificate = cert_service.get_by_name(name)
                        break
                else:
                    sys.stdout.write(
                        "[-] Could not find ELB {0}".format(elb_name))
                    continue

                if not certificate:
                    sys.stdout.write(
                        "[-] Could not find certificate {0} in Lemur".format(
                            name))
                    continue

                dests = []
                for d in certificate.destinations:
                    dests.append({'id': d.id})

                nots = []
                for n in certificate.notifications:
                    nots.append({'id': n.id})

                new_certificate = database.clone(certificate)

                if cert_prefix:
                    new_certificate.name = "{0}-{1}".format(
                        cert_prefix, new_certificate.name)

                new_certificate.chain = open(chain_path, 'r').read()
                new_certificate.description = "{0} - {1}".format(
                    new_certificate.description, description)

                new_certificate = database.create(new_certificate)
                database.update_list(new_certificate, 'destinations',
                                     Destination, dests)
                database.update_list(new_certificate, 'notifications',
                                     Notification, nots)
                database.update(new_certificate)

                arn = new_certificate.get_arn(account_id)

            elb.update_listeners(account_id, region, elb_name,
                                 [(from_port, to_port, protocol, arn)],
                                 [from_port])

            sys.stdout.write("[+] Updated {0} to use {1}\n".format(
                elb_name, new_certificate.name))
Beispiel #41
0
def create(kwargs):
    """
    Create a new authority.

    :rtype : Authority
    :return:
    """

    issuer = plugins.get(kwargs.get('pluginName'))

    kwargs['creator'] = g.current_user.email
    cert_body, intermediate, issuer_roles = issuer.create_authority(kwargs)

    cert = Certificate(cert_body, chain=intermediate)
    cert.owner = kwargs['ownerEmail']

    if kwargs['caType'] == 'subca':
        cert.description = "This is the ROOT certificate for the {0} sub certificate authority the parent \
                                authority is {1}.".format(kwargs.get('caName'), kwargs.get('caParent'))
    else:
        cert.description = "This is the ROOT certificate for the {0} certificate authority.".format(
            kwargs.get('caName')
        )

    cert.user = g.current_user

    cert.notifications = notification_service.create_default_expiration_notifications(
        'DEFAULT_SECURITY',
        current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')
    )

    # we create and attach any roles that the issuer gives us
    role_objs = []
    for r in issuer_roles:

        role = role_service.create(
            r['name'],
            password=r['password'],
            description="{0} auto generated role".format(kwargs.get('pluginName')),
            username=r['username'])

        # the user creating the authority should be able to administer it
        if role.username == 'admin':
            g.current_user.roles.append(role)

        role_objs.append(role)

    authority = Authority(
        kwargs.get('caName'),
        kwargs['ownerEmail'],
        kwargs['pluginName'],
        cert_body,
        description=kwargs['caDescription'],
        chain=intermediate,
        roles=role_objs
    )

    database.update(cert)
    authority = database.create(authority)

    g.current_user.authorities.append(authority)

    return authority