def test_get_certificate_primitives(certificate):
from lemur.certificates.service import get_certificate_primitives
names = [x509.DNSName(x.name) for x in certificate.domains]
data = {
'common_name': certificate.cn,
'owner': certificate.owner,
'authority': certificate.authority,
'description': certificate.description,
'extensions': {
'sub_alt_names': x509.SubjectAlternativeName(names)
},
'destinations': [],
'roles': [],
'validity_end': arrow.get(2021, 5, 7),
'validity_start': arrow.get(2016, 10, 30),
'country': 'US',
'location': 'A place',
'organization': 'Example',
'organizational_unit': 'Operations',
'state': 'CA'
}
with freeze_time(datetime.date(year=2016, month=10, day=30)):
primitives = get_certificate_primitives(certificate)
assert len(primitives) == 23
def test_get_certificate_primitives(certificate):
from lemur.certificates.service import get_certificate_primitives
names = [x509.DNSName(x.name) for x in certificate.domains]
data = {
'common_name': certificate.cn,
'owner': certificate.owner,
'authority': certificate.authority,
'description': certificate.description,
'extensions': {
'sub_alt_names': x509.SubjectAlternativeName(names)
},
'destinations': [],
'roles': [],
'validity_end': arrow.get(2021, 5, 7),
'validity_start': arrow.get(2016, 10, 30),
'country': 'US',
'location': 'A place',
'organization': 'Example',
'organizational_unit': 'Operations',
'state': 'CA'
}
with freeze_time(datetime.date(year=2016, month=10, day=30)):
primitives = get_certificate_primitives(certificate)
assert len(primitives) == 23
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
status = FAILURE_METRIC_STATUS
try:
print("[+] {0} is eligible for re-issuance".format(certificate.name))
# set the lemur identity for all cli commands
identity_changed.send(current_app._get_current_object(), identity=Identity(1))
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
print("[+] New certificate named: {0}".format(new_cert.name))
status = SUCCESS_METRIC_STATUS
except Exception as e:
sentry.captureException()
print(
"[!] Failed to reissue certificates. Reason: {}".format(
e
)
)
metrics.send('certificate_reissue', 'counter', 1, metric_tags={'status': status})
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
status = FAILURE_METRIC_STATUS
try:
print("[+] {0} is eligible for re-issuance".format(certificate.name))
# set the lemur identity for all cli commands
identity_changed.send(current_app._get_current_object(), identity=Identity(1))
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
print("[+] New certificate named: {0}".format(new_cert.name))
status = SUCCESS_METRIC_STATUS
except Exception as e:
sentry.captureException()
current_app.logger.exception("Error reissuing certificate.", exc_info=True)
print(
"[!] Failed to reissue certificates. Reason: {}".format(
e
)
)
metrics.send('certificate_reissue', 'counter', 1, metric_tags={'status': status})
def certificate_reissue():
"""
This celery task reissues certificates which are pending reissue
:return:
"""
function = f"{__name__}.{sys._getframe().f_code.co_name}"
task_id = None
if celery.current_task:
task_id = celery.current_task.request.id
log_data = {
"function": function,
"message": "reissuing certificates",
"task_id": task_id,
}
if task_id and is_task_active(function, task_id, None):
log_data["message"] = "Skipping task: Task is already active"
current_app.logger.debug(log_data)
return
current_app.logger.debug(log_data)
# set the lemur identity
identity_changed.send(current_app._get_current_object(),
identity=Identity(1))
for certificate in certificate_service.get_all_pending_reissue():
log_data["message"] = f"{certificate.name} is eligible for re-issuance"
current_app.logger.info(log_data)
details = certificate_service.get_certificate_primitives(certificate)
details, errors = CertificateOutputSchema().dump(details)
current_app.logger.info(
"Re-issuing certificate",
extra=dict(
certificate={
"common_name":
details["commonName"],
"sans":
",".join(x["value"] for x in details["extensions"]
["subAltNames"]["names"]),
"authority_name":
details["authority"]["name"],
"validity_start":
details["validityStart"],
"validity_end":
details["validityEnd"],
}),
)
new_cert = certificate_service.reissue_certificate(certificate,
replace=True)
log_data["message"] = f"New certificate named:{new_cert.name}"
current_app.logger.info(log_data)
log_data["message"] = "reissuance completed"
current_app.logger.info(log_data)
metrics.send(f"{function}.success", "counter", 1)
return log_data
def test_get_certificate_primitives(certificate):
from lemur.certificates.service import get_certificate_primitives
names = [{
'name_type': 'DNSName',
'value': x.name
} for x in certificate.domains]
data = {
'common_name': certificate.cn,
'owner': certificate.owner,
'authority': certificate.authority,
'description': certificate.description,
'extensions': {
'sub_alt_names': {
'names': names
}
},
'destinations': [],
'roles': [],
'validity_end': datetime.date(year=2021, month=5, day=7),
'validity_start': datetime.date(year=2016, month=10, day=30)
}
with freeze_time(datetime.date(year=2016, month=10, day=30)):
primitives = get_certificate_primitives(certificate)
assert data == primitives
def test_get_certificate_primitives(certificate):
from lemur.certificates.service import get_certificate_primitives
names = [x509.DNSName(x.name) for x in certificate.domains]
with freeze_time(datetime.date(year=2016, month=10, day=30)):
primitives = get_certificate_primitives(certificate)
assert len(primitives) == 26
def test_get_certificate_primitives(certificate):
from lemur.certificates.service import get_certificate_primitives
names = [x509.DNSName(x.name) for x in certificate.domains]
with freeze_time(datetime.date(year=2016, month=10, day=30)):
primitives = get_certificate_primitives(certificate)
assert len(primitives) == 26
def rotate(new_certificate_name, old_certificate_name, commit=False):
from lemur.certificates.service import get_by_name, reissue_certificate, get_certificate_primitives
from lemur.endpoints.service import rotate_certificate
old_cert = get_by_name(old_certificate_name)
if not old_cert:
sys.stdout.write("[-] No certificate found with name: {0}\n".format(
old_certificate_name))
sys.exit(1)
if new_certificate_name:
new_cert = get_by_name(new_certificate_name)
if not new_cert:
sys.stdout.write(
"[-] No certificate found with name: {0}\n".format(
old_certificate_name))
sys.exit(1)
if commit:
sys.stdout.write("[!] Running in COMMIT mode.\n")
if not new_certificate_name:
sys.stdout.write(
"[!] No new certificate provided. Attempting to re-issue old certificate: {0}.\n"
.format(old_certificate_name))
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(old_cert, replace=True)
sys.stdout.write("[+] Issued new certificate named: {0}\n".format(
new_cert.name))
sys.stdout.write("[+] Done! \n")
if len(old_cert.endpoints) > 0:
for endpoint in old_cert.endpoints:
sys.stdout.write(
"[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}\n"
.format(name=endpoint.name,
dnsname=endpoint.dnsname,
port=endpoint.port,
type=endpoint.type))
sys.stdout.write(
"[+] Rotating certificate from: {0} to: {1}\n".format(
old_certificate_name, new_cert.name))
if commit:
rotate_certificate(endpoint, new_cert)
sys.stdout.write("[+] Done! \n")
else:
sys.stdout.write(
"[!] Certificate not found on any existing endpoints. Nothing to rotate.\n"
)
def reissue_and_rotate(old_certificate,
new_certificate=None,
commit=False,
message=False):
if not new_certificate:
# we don't want to re-issue if it's already been replaced
if not old_certificate.replaced:
details = get_certificate_primitives(old_certificate)
print_certificate_details(details)
if commit:
new_certificate = reissue_certificate(old_certificate,
replace=True)
print("[+] Issued new certificate named: {0}".format(
new_certificate.name))
time.sleep(10)
print(
"[!] Sleeping to ensure that certificate propagates before rotating."
)
else:
new_certificate = old_certificate
print("[+] Done!")
else:
if len(old_certificate.replaced) > 1:
raise Exception(
"Unable to rotate certificate based on replacement, found more than one!"
)
else:
new_certificate = old_certificate.replaced[0]
print("[!] Certificate has been replaced by: {0}".format(
old_certificate.replaced[0].name))
if len(old_certificate.endpoints) > 0:
for endpoint in old_certificate.endpoints:
print(
"[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}"
.format(name=endpoint.name,
dnsname=endpoint.dnsname,
port=endpoint.port,
type=endpoint.type))
print("[+] Rotating certificate from: {0} to: {1}".format(
old_certificate.name, new_certificate.name))
if commit:
rotate_certificate(endpoint, new_certificate)
print("[+] Done!")
if message:
send_rotation_notification(old_certificate)
def request_reissue(certificate, notify, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param notify:
:param commit:
:return:
"""
status = FAILURE_METRIC_STATUS
notify = notify and certificate.notify
try:
print("[+] {0} is eligible for re-issuance".format(certificate.name))
# set the lemur identity for all cli commands
identity_changed.send(current_app._get_current_object(),
identity=Identity(1))
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate,
notify=notify,
replace=True)
print("[+] New certificate named: {0}".format(new_cert.name))
if notify and isinstance(
new_cert,
Certificate): # let celery handle PendingCertificates
send_reissue_no_endpoints_notification(certificate, new_cert)
status = SUCCESS_METRIC_STATUS
except Exception as e:
capture_exception(extra={"certificate_name": str(certificate.name)})
current_app.logger.exception(
f"Error reissuing certificate: {certificate.name}", exc_info=True)
print(
f"[!] Failed to reissue certificate: {certificate.name}. Reason: {e}"
)
if notify:
send_reissue_failed_notification(certificate)
metrics.send(
"certificate_reissue",
"counter",
1,
metric_tags={
"status": status,
"certificate": certificate.name
},
)
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
metrics.send('certificate_reissue_success', 'counter', 1)
print("[+] New certificate named: {0}".format(new_cert.name))
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
metrics.send('certificate_reissue_success', 'counter', 1)
print("[+] New certificate named: {0}".format(new_cert.name))
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
# set the lemur identity for all cli commands
identity_changed.send(current_app._get_current_object(), identity=Identity(1))
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
metrics.send('certificate_reissue_success', 'counter', 1)
print("[+] New certificate named: {0}".format(new_cert.name))
def reissue(old_certificate_name, commit=False):
old_cert = get_by_name(old_certificate_name)
if not old_cert:
print("[-] No certificate found with name: {0}".format(
old_certificate_name))
sys.exit(1)
if commit:
print("[!] Running in COMMIT mode.")
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(old_cert, replace=True)
print("[+] Issued new certificate named: {0}".format(new_cert.name))
print("[+] Done!")
def reissue_and_rotate(old_certificate,
new_certificate=None,
commit=False,
message=False):
if not new_certificate:
# we don't want to re-issue if it's already been replaced
if not old_certificate.replaced:
details = get_certificate_primitives(old_certificate)
print_certificate_details(details)
if commit:
new_certificate = reissue_certificate(old_certificate,
replace=True)
print("[+] Issued new certificate named: {0}".format(
new_certificate.name))
print("[+] Done!")
else:
new_certificate = old_certificate.replaced
print("[!] Certificate has been replaced by: {0}".format(
old_certificate.replaced.name))
if len(old_certificate.endpoints) > 0:
for endpoint in old_certificate.endpoints:
print(
"[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}"
.format(name=endpoint.name,
dnsname=endpoint.dnsname,
port=endpoint.port,
type=endpoint.type))
print("[+] Rotating certificate from: {0} to: {1}".format(
old_certificate.name, new_certificate.name))
if commit:
rotate_certificate(endpoint, new_certificate)
print("[+] Done!")
if message:
send_rotation_notification(old_certificate)
def reissue(old_certificate_name, commit=False):
from lemur.certificates.service import get_by_name, reissue_certificate, get_certificate_primitives
old_cert = get_by_name(old_certificate_name)
if not old_cert:
sys.stdout.write("[-] No certificate found with name: {0}\n".format(
old_certificate_name))
sys.exit(1)
if commit:
sys.stdout.write("[!] Running in COMMIT mode.\n")
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(old_cert, replace=True)
sys.stdout.write("[+] Issued new certificate named: {0}\n".format(
new_cert.name))
sys.stdout.write("[+] Done! \n")
def reissue(old_certificate_name, validity_start, validity_end, commit):
"""
Reissues certificate with the same parameters as it was originally issued with.
If not time period is provided, reissues certificate as valid from today to
today + length of original.
"""
old_cert = get_by_name(old_certificate_name)
if not old_cert:
print("[-] No certificate found with name: {0}".format(
old_certificate_name))
sys.exit(1)
if commit:
print("[!] Running in COMMIT mode.")
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(old_cert, replace=True)
print("[+] Issued new certificate named: {0}".format(new_cert.name))
print("[+] Done!")