Ejemplo n.º 1
0
def sensitive_domain(domain):
    """
    Checks if user has the admin role, the domain does not match sensitive domains and whitelisted domain patterns.
    :param domain: domain name (str)
    :return:
    """
    if SensitiveDomainPermission().can():
        # User has permission, no need to check anything
        return

    whitelist = current_app.config.get("LEMUR_WHITELISTED_DOMAINS", [])
    if whitelist and not any(
            re.match(pattern, domain) for pattern in whitelist):
        raise ValidationError(
            "Domain {0} does not match whitelisted domain patterns. "
            "Contact an administrator to issue the certificate.".format(
                domain))

    # Avoid circular import.
    from lemur.domains import service as domain_service

    if domain_service.is_domain_sensitive(domain):
        raise ValidationError(
            "Domain {0} has been marked as sensitive. "
            "Contact an administrator to issue the certificate.".format(
                domain))
Ejemplo n.º 2
0
def sensitive_domain(domain):
    """
    Determines if domain has been marked as sensitive.
    :param domain:
    :return:
    """
    domains = domain_service.get_by_name(domain)
    for domain in domains:
        # we only care about non-admins
        if not SensitiveDomainPermission().can():
            if domain.sensitive:
                raise ValidationError(
                    'Domain {0} has been marked as sensitive, contact and administrator \
                    to issue the certificate.'.format(domain))
Ejemplo n.º 3
0
    def put(self, domain_id):
        """
        .. http:get:: /domains/1

           update one domain

           **Example request**:

           .. sourcecode:: http

              GET /domains HTTP/1.1
              Host: example.com
              Accept: application/json, text/javascript

              {
                  "name": "www.example.com",
                  "sensitive": false
              }

           **Example response**:

           .. sourcecode:: http

              HTTP/1.1 200 OK
              Vary: Accept
              Content-Type: text/javascript

              {
                  "id": 1,
                  "name": "www.example.com",
                  "sensitive": false
              }

           :reqheader Authorization: OAuth token to authenticate
           :statuscode 200: no error
           :statuscode 403: unauthenticated
        """
        self.reqparse.add_argument('name', type=str, location='json')
        self.reqparse.add_argument('sensitive',
                                   type=bool,
                                   default=False,
                                   location='json')
        args = self.reqparse.parse_args()

        if SensitiveDomainPermission().can():
            return service.update(domain_id, args['name'], args['sensitive'])

        return dict(
            message='You are not authorized to modify this domain'), 403
Ejemplo n.º 4
0
def sensitive_domain(domain):
    """
    Determines if domain has been marked as sensitive.
    :param domain:
    :return:
    """
    restricted_domains = current_app.config['LEMUR_RESTRICTED_DOMAINS']
    domains = domain_service.get_by_name(domain)
    for domain in domains:
        # we only care about non-admins
        if not SensitiveDomainPermission().can():
            if domain.sensitive or any([
                    re.match(pattern, domain.name)
                    for pattern in restricted_domains
            ]):
                raise ValidationError(
                    'Domain {0} has been marked as sensitive, contact and administrator \
                    to issue the certificate.'.format(domain))
Ejemplo n.º 5
0
def sensitive_domain(domain):
    """
    Checks if user has the admin role, the domain does not match sensitive domains and whitelisted domain patterns.
    :param domain: domain name (str)
    :return:
    """
    if SensitiveDomainPermission().can():
        # User has permission, no need to check anything
        return

    whitelist = current_app.config.get('LEMUR_WHITELISTED_DOMAINS', [])
    if whitelist and not any(re.match(pattern, domain) for pattern in whitelist):
        raise ValidationError('Domain {0} does not match whitelisted domain patterns. '
                              'Contact an administrator to issue the certificate.'.format(domain))

    if any(d.sensitive for d in domain_service.get_by_name(domain)):
        raise ValidationError('Domain {0} has been marked as sensitive. '
                              'Contact an administrator to issue the certificate.'.format(domain))
Ejemplo n.º 6
0
    def put(self, domain_id, data=None):
        """
        .. http:get:: /domains/1

           update one domain

           **Example request**:

           .. sourcecode:: http

              GET /domains HTTP/1.1
              Host: example.com
              Accept: application/json, text/javascript

              {
                  "name": "www.example.com",
                  "sensitive": false
              }

           **Example response**:

           .. sourcecode:: http

              HTTP/1.1 200 OK
              Vary: Accept
              Content-Type: text/javascript

              {
                  "id": 1,
                  "name": "www.example.com",
                  "sensitive": false
              }

           :reqheader Authorization: OAuth token to authenticate
           :statuscode 200: no error
           :statuscode 403: unauthenticated
        """
        if SensitiveDomainPermission().can():
            return service.update(domain_id, data["name"], data["sensitive"])

        return dict(
            message="You are not authorized to modify this domain"), 403
Ejemplo n.º 7
0
    def post(self):
        """
        .. http:post:: /certificates

           Creates a new certificate

           **Example request**:

           .. sourcecode:: http

              POST /certificates HTTP/1.1
              Host: example.com
              Accept: application/json, text/javascript

              {
                "country": "US",
                "state": "CA",
                "location": "A Place",
                "organization": "ExampleInc.",
                "organizationalUnit": "Operations",
                "owner": "*****@*****.**",
                "description": "test",
                "selectedAuthority": "timetest2",
                "csr": "----BEGIN CERTIFICATE REQUEST-----...",
                "authority": {
                    "body": "-----BEGIN...",
                    "name": "timetest2",
                    "chain": "",
                    "notBefore": "2015-06-05T15:20:59",
                    "active": true,
                    "id": 50,
                    "notAfter": "2015-06-17T15:21:08",
                    "description": "dsfdsf"
                },
                "notifications": [
                    {
                      "description": "Default 30 day expiration notification",
                      "notificationOptions": [
                        {
                          "name": "interval",
                          "required": true,
                          "value": 30,
                          "helpMessage": "Number of days to be alert before expiration.",
                          "validation": "^\\d+$",
                          "type": "int"
                        },
                        {
                          "available": [
                            "days",
                            "weeks",
                            "months"
                          ],
                          "name": "unit",
                          "required": true,
                          "value": "days",
                          "helpMessage": "Interval unit",
                          "validation": "",
                          "type": "select"
                        },
                        {
                          "name": "recipients",
                          "required": true,
                          "value": "*****@*****.**",
                          "helpMessage": "Comma delimited list of email addresses",
                          "validation": "^([\\w+-.%]+@[\\w-.]+\\.[A-Za-z]{2,4},?)+$",
                            "type": "str"
                          }
                        ],
                        "label": "DEFAULT_KGLISSON_30_DAY",
                        "pluginName": "email-notification",
                        "active": true,
                        "id": 7
                    }
                ],
                "extensions": {
                    "basicConstraints": {},
                    "keyUsage": {
                        "isCritical": true,
                        "useKeyEncipherment": true,
                        "useDigitalSignature": true
                    },
                    "extendedKeyUsage": {
                        "isCritical": true,
                        "useServerAuthentication": true
                    },
                    "subjectKeyIdentifier": {
                        "includeSKI": true
                    },
                    "subAltNames": {
                        "names": []
                    }
                },
                "commonName": "test",
                "validityStart": "2015-06-05T07:00:00.000Z",
                "validityEnd": "2015-06-16T07:00:00.000Z",
                "replacements": [
                    {'id': 123}
                ]
             }

           **Example response**:

           .. sourcecode:: http

              HTTP/1.1 200 OK
              Vary: Accept
              Content-Type: text/javascript

              {
                "id": 1,
                "name": "cert1",
                "description": "this is cert1",
                "bits": 2048,
                "deleted": false,
                "issuer": "ExampeInc.",
                "serial": "123450",
                "chain": "-----Begin ...",
                "body": "-----Begin ...",
                "san": true,
                "owner": "*****@*****.**",
                "active": false,
                "notBefore": "2015-06-05T17:09:39",
                "notAfter": "2015-06-10T17:09:39",
                "cn": "example.com",
                "status": "unknown"
              }

           :arg extensions: extensions to be used in the certificate
           :arg description: description for new certificate
           :arg owner: owner email
           :arg validityStart: when the certificate should start being valid
           :arg validityEnd: when the certificate should expire
           :arg authority: authority that should issue the certificate
           :arg country: country for the CSR
           :arg state: state for the CSR
           :arg location: location for the CSR
           :arg organization: organization for CSR
           :arg commonName: certiifcate common name
           :reqheader Authorization: OAuth token to authenticate
           :statuscode 200: no error
           :statuscode 403: unauthenticated
        """
        self.reqparse.add_argument('extensions', type=dict, location='json')
        self.reqparse.add_argument('destinations',
                                   type=list,
                                   default=[],
                                   location='json')
        self.reqparse.add_argument('notifications',
                                   type=list,
                                   default=[],
                                   location='json')
        self.reqparse.add_argument('replacements',
                                   type=list,
                                   default=[],
                                   location='json')
        self.reqparse.add_argument('validityStart', type=str,
                                   location='json')  # TODO validate
        self.reqparse.add_argument('validityEnd', type=str,
                                   location='json')  # TODO validate
        self.reqparse.add_argument('validityYears', type=int,
                                   location='json')  # TODO validate
        self.reqparse.add_argument('authority',
                                   type=valid_authority,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('description', type=str, location='json')
        self.reqparse.add_argument('country',
                                   type=str,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('state',
                                   type=str,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('location',
                                   type=str,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('organization',
                                   type=str,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('organizationalUnit',
                                   type=str,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('owner',
                                   type=str,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('commonName',
                                   type=str,
                                   location='json',
                                   required=True)
        self.reqparse.add_argument('csr', type=str, location='json')

        args = self.reqparse.parse_args()

        authority = args['authority']
        role = role_service.get_by_name(authority.owner)

        # all the authority role members should be allowed
        roles = [x.name for x in authority.roles]

        # allow "owner" roles by team DL
        roles.append(role)
        authority_permission = AuthorityPermission(authority.id, roles)

        if authority_permission.can():
            # if we are not admins lets make sure we aren't issuing anything sensitive
            if not SensitiveDomainPermission().can():
                check_sensitive_domains(get_domains_from_options(args))
            return service.create(**args)

        return dict(message="You are not authorized to use {0}".format(
            args['authority'].name)), 403