def sync(labels=None):
    """
    Pull certificates from every active source and reconcile them with the
    locally stored certificate table.

    :param labels: optional collection of source labels; when given, only
        sources whose label is in the collection are synced.
    """
    created_count = 0
    updated_count = 0
    # Snapshot of everything stored right now; used after each source is
    # processed to spot certificates that source no longer reports.
    known_certs = cert_service.get_all_certs()

    for source in database.get_all(Source, True, field='active'):
        # Callers may restrict the run to individual sources by label.
        if labels and source.label not in labels:
            continue

        current_app.logger.debug(
            "Retrieving certificates from {0}".format(source.label))
        # NOTE(review): assumes plugins.get() returns a plugin object; a
        # missing plugin would fail on the next line — confirm.
        plugin = plugins.get(source.plugin_name)
        fetched = plugin.get_certificates(source.options)

        for certificate in fetched:
            # Duplicate detection keys on the public certificate itself,
            # not on a name, so a renamed copy still matches its original.
            matches = cert_service.find_duplicates(
                certificate['public_certificate'])
            match_count = len(matches) if matches else 0

            if match_count == 0:
                sync_create(certificate, source)
                created_count += 1
            elif match_count == 1:
                # Make sure the existing record is linked to this source.
                sync_update(matches[0], source)
                updated_count += 1
            else:
                names = ",".join([x.name for x in matches])
                current_app.logger.warning(
                    "Multiple certificates found, attempt to deduplicate the following certificates: {0}"
                    .format(names))

        # Certificates known locally but absent from this fetch are
        # disassociated from the source so deletions at the source are
        # reflected here.
        _disassociate_certs_from_source(known_certs, fetched, source)
def sync(labels=None):
    """
    Fetch certificates from each active source and merge them into the local
    certificate table.

    :param labels: optional collection of source labels; when provided, a
        source is only synced if its label appears in it.
    """
    counters = {'new': 0, 'updated': 0}
    # Everything stored before the run; compared against each source's
    # fetch later to find certificates the source has dropped.
    stored_before_run = cert_service.get_all_certs()

    for source in database.get_all(Source, True, field='active'):
        # Allow a run to be limited to specific sources.
        if labels and source.label not in labels:
            continue

        current_app.logger.debug(
            "Retrieving certificates from {0}".format(source.label))
        # NOTE(review): plugins.get() is assumed to return a plugin; a
        # missing plugin would raise on the call below — confirm.
        plugin = plugins.get(source.plugin_name)
        fetched = plugin.get_certificates(source.options)

        for certificate in fetched:
            # Match on the certificate body, so the same certificate under
            # a different name is still recognised as a duplicate.
            found = cert_service.find_duplicates(certificate['body'])

            if not found:
                sync_create(certificate, source)
                counters['new'] += 1
                continue

            if len(found) == 1:
                # Keep the existing record associated with this source.
                sync_update(found[0], source)
                counters['updated'] += 1
                continue

            duplicate_names = ",".join([x.name for x in found])
            current_app.logger.warning(
                "Multiple certificates found, attempt to deduplicate the following certificates: {0}".format(
                    duplicate_names
                )
            )

        # Anything stored locally that this source no longer returns gets
        # disassociated, mirroring deletions at the source.
        _disassociate_certs_from_source(stored_before_run, fetched, source)
def check_revoked():
    """
    Refresh Lemur's cached revocation status for every stored certificate.

    Lemur calls this periodically. Each certificate is checked against CRLs
    and OCSP; a verification that cannot be completed (an exception, or a
    verifier result of ``None``) marks the certificate ``unknown`` rather
    than ``valid``, so a failed lookup never upgrades a possibly revoked
    certificate.
    """
    for cert in get_all_certs():
        try:
            # The verifier expects a chain string; fall back to an empty
            # one when the certificate has no chain stored.
            chain = cert.chain or ""
            status = verify_string(cert.body, chain)
        except Exception as e:
            sentry.captureException()
            current_app.logger.exception(e)
            cert.status = 'unknown'
        else:
            if status is None:
                cert.status = 'unknown'
            elif status:
                cert.status = 'valid'
            else:
                cert.status = 'revoked'
        database.update(cert)
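def backfill_signing_algo():
    """
    Backfill the ``signing_algorithm`` column for every stored certificate.

    Each certificate body is parsed with ``cryptography`` and the signing
    algorithm derived from it is written back to the row. The resulting
    value is printed for each certificate.

    :return: None
    """
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from lemur.certificates.models import get_signing_algorithm

    for c in cert_service.get_all_certs():
        # NOTE(review): str(c.body) assumes c.body is already a PEM string;
        # on Python 3 str() of a bytes value would yield its repr — confirm
        # the column type against the model.
        cert = x509.load_pem_x509_certificate(str(c.body), default_backend())
        c.signing_algorithm = get_signing_algorithm(cert)
        database.update(c)
        print(c.signing_algorithm)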
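def check_revoked():
    """
    Function attempts to update Lemur's internal cache with revoked certificates.

    This is called periodically by Lemur. It checks both CRLs and OCSP to see
    if a certificate is revoked. If Lemur encounters an issue with
    verification — an exception, or a verifier result of ``None`` — it marks
    the certificate status as ``unknown`` instead of ``invalid`` or
    ``valid``, so an incomplete lookup is never reported as a definite
    answer.
    """
    import logging

    logger = logging.getLogger(__name__)

    for cert in cert_service.get_all_certs():
        try:
            if cert.chain:
                status = verify_string(cert.body, cert.chain)
            else:
                status = verify_string(cert.body, "")

            if status is None:
                # Verification could not be completed; do not guess.
                cert.status = 'unknown'
            else:
                cert.status = 'valid' if status else 'invalid'
        except Exception:
            # Record the failure instead of swallowing it; the status is
            # still set so the row is not left stale.
            logger.exception("Revocation check failed for certificate %s", cert.body)
            cert.status = 'unknown'
        database.update(cert)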
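def active_fqdns():
    """
    Generates a report listing every FQDN on each non-expired certificate,
    grouped by root domain, as comma-separated lines on stdout.

    Columns: FQDN, root domain, issuer, total validity length in days, and
    days remaining until expiration.

    :return: None
    """
    from lemur.certificates.service import get_all_certs

    sys.stdout.write(
        "FQDN, Root Domain, Issuer, Total Length (days), Time until expiration (days)\n"
    )
    # One timestamp for the whole run so every row is measured against the
    # same instant.
    now = arrow.utcnow()
    for cert in get_all_certs():
        if cert.expired:
            continue
        # The header column is "Time until expiration", so measure forward
        # from now to not_after rather than backward to not_before.
        ttl = cert.not_after - now
        total_length = cert.not_after - cert.not_before
        for fqdn in cert.domains:
            # NOTE: keeps only the last two labels; names under multi-part
            # public suffixes (e.g. "example.co.uk") collapse to the suffix.
            root_domain = ".".join(fqdn.name.split('.')[-2:])
            row = [
                fqdn.name,
                root_domain,
                cert.issuer,
                str(total_length.days),
                str(ttl.days),
            ]
            sys.stdout.write(", ".join(row) + "\n")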
def test_get_all_certs(session, certificate):
    """Fetching all certificates returns more than a single record."""
    from lemur.certificates.service import get_all_certs

    all_certs = get_all_certs()
    assert len(all_certs) > 1