def create(**kwargs): """ Creates a new certificate. """ kwargs['creator'] = g.user.email cert_body, private_key, cert_chain = mint(**kwargs) kwargs['body'] = cert_body kwargs['private_key'] = private_key kwargs['chain'] = cert_chain roles = create_certificate_roles(**kwargs) if kwargs.get('roles'): kwargs['roles'] += roles else: kwargs['roles'] = roles cert = Certificate(**kwargs) g.user.certificates.append(cert) cert.authority = kwargs['authority'] database.commit() metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer)) return cert
def find_and_persist_domains_where_cert_is_deployed(certificate, timeout_seconds_per_network_call): """ Checks if the specified cert is still deployed. Returns a list of domains to which it's deployed. We use the serial number to identify that a certificate is identical. If there were multiple certificates issued for the same domain with identical serial numbers, this could return a false positive. Note that this checks *all* configured ports (specified in config LEMUR_PORTS_FOR_DEPLOYED_CERTIFICATE_CHECK) for all the domains in the cert. If the domain is valid but the port is not, we have to wait for the connection to time out, which means this can be quite slow. :return: A dictionary of the form {'domain1': [ports], 'domain2': [ports]} """ matched_domains = defaultdict(list) # filter out wildcards, we can't check them for cert_association in [assoc for assoc in certificate.certificate_associations if '*' not in assoc.domain.name]: domain = cert_association.domain matched_ports_for_domain = [] for port in current_app.config.get("LEMUR_PORTS_FOR_DEPLOYED_CERTIFICATE_CHECK", [443]): try: parsed_serial = parse_serial(get_certificate_via_tls(domain.name, port, timeout_seconds_per_network_call)) if parsed_serial == int(certificate.serial): matched_ports_for_domain.append(port) except Exception: current_app.logger.info(f'Unable to check certificate for domain {domain} on port {port}', exc_info=True) if len(matched_ports_for_domain) > 0: matched_domains[domain.name] = matched_ports_for_domain # Update the DB cert_association.ports = matched_ports_for_domain database.commit() return matched_domains
def find_and_persist_domains_where_cert_is_deployed( certificate, excluded_domains, commit, timeout_seconds_per_network_call): """ Checks if the specified cert is still deployed. Returns a list of domains to which it's deployed. We use the serial number to identify that a certificate is identical. If there were multiple certificates issued for the same domain with identical serial numbers, this could return a false positive. Note that this checks *all* configured ports (specified in config LEMUR_PORTS_FOR_DEPLOYED_CERTIFICATE_CHECK) for all the domains in the cert. If the domain is valid but the port is not, we have to wait for the connection to time out, which means this can be quite slow. :return: A dictionary of the form {'domain1': [ports], 'domain2': [ports]} """ matched_domains = defaultdict(list) # filter out wildcards, we can't check them for cert_association in [ assoc for assoc in certificate.certificate_associations if '*' not in assoc.domain.name ]: domain_name = cert_association.domain.name # skip this domain if excluded if not any(excluded in domain_name for excluded in excluded_domains): matched_ports_for_domain = [] for port in current_app.config.get( "LEMUR_PORTS_FOR_DEPLOYED_CERTIFICATE_CHECK", [443]): start_time = time.time() status = FAILURE_METRIC_STATUS match = False try: parsed_serial = parse_serial( get_certificate_via_tls( domain_name, port, timeout_seconds_per_network_call)) if parsed_serial == int(certificate.serial): matched_ports_for_domain.append(port) match = True status = SUCCESS_METRIC_STATUS except Exception: current_app.logger.info( f'Unable to check certificate for domain {domain_name} on port {port}', exc_info=True) elapsed = int(round(1000 * (time.time() - start_time))) metrics.send("deployed_certificate_check", "TIMER", elapsed, metric_tags={ "certificate": certificate.name, "domain": domain_name, "port": port, "status": status, "match": match }) matched_domains[domain_name] = matched_ports_for_domain if commit: # Update the DB cert_association.ports = matched_ports_for_domain database.commit() return matched_domains
def create(**kwargs): """ Creates a new certificate. """ cert_body, private_key, cert_chain, external_id, csr = mint(**kwargs) kwargs['body'] = cert_body kwargs['private_key'] = private_key kwargs['chain'] = cert_chain kwargs['external_id'] = external_id kwargs['csr'] = csr roles = create_certificate_roles(**kwargs) if kwargs.get('roles'): kwargs['roles'] += roles else: kwargs['roles'] = roles if cert_body: cert = Certificate(**kwargs) kwargs['creator'].certificates.append(cert) else: cert = PendingCertificate(**kwargs) kwargs['creator'].pending_certificates.append(cert) cert.authority = kwargs['authority'] database.commit() if isinstance(cert, Certificate): certificate_issued.send(certificate=cert, authority=cert.authority) metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer)) return cert
def create(**kwargs): """ Creates a new certificate. """ try: cert_body, private_key, cert_chain, external_id, csr = mint(**kwargs) except Exception: log_data = { "message": "Exception minting certificate", "issuer": kwargs["authority"].name, "cn": kwargs["common_name"], } current_app.logger.error(log_data, exc_info=True) capture_exception() raise kwargs["body"] = cert_body kwargs["private_key"] = private_key kwargs["chain"] = cert_chain kwargs["external_id"] = external_id kwargs["csr"] = csr roles = create_certificate_roles(**kwargs) if kwargs.get("roles"): kwargs["roles"] += roles else: kwargs["roles"] = roles if cert_body: cert = Certificate(**kwargs) kwargs["creator"].certificates.append(cert) else: # ACME path cert = PendingCertificate(**kwargs) kwargs["creator"].pending_certificates.append(cert) cert.authority = kwargs["authority"] database.commit() if isinstance(cert, Certificate): certificate_issued.send(certificate=cert, authority=cert.authority) metrics.send( "certificate_issued", "counter", 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer), ) if isinstance(cert, PendingCertificate): # We need to refresh the pending certificate to avoid "Instance is not bound to a Session; " # "attribute refresh operation cannot proceed" pending_cert = database.session_query(PendingCertificate).get(cert.id) from lemur.common.celery import fetch_acme_cert if not current_app.config.get("ACME_DISABLE_AUTORESOLVE", False): fetch_acme_cert.apply_async((pending_cert.id,), countdown=5) return cert
def create(user, type, certificate=None): """ Creates logs a given action. :param user: :param type: :param certificate: :return: """ view = Log(user_id=user.id, log_type=type, certificate_id=certificate.id) database.add(view) database.commit()
def create(user, type, certificate=None): """ Creates logs a given action. :param user: :param type: :param certificate: :return: """ current_app.logger.info("[lemur-audit] action: {0}, user: {1}, certificate: {2}.".format(type, user.email, certificate.name)) view = Log(user_id=user.id, log_type=type, certificate_id=certificate.id) database.add(view) database.commit()
def create(**kwargs): """ Creates a new certificate. """ try: cert_body, private_key, cert_chain, external_id, csr = mint(**kwargs) except Exception: current_app.logger.error("Exception minting certificate", exc_info=True) sentry.captureException() raise kwargs['body'] = cert_body kwargs['private_key'] = private_key kwargs['chain'] = cert_chain kwargs['external_id'] = external_id kwargs['csr'] = csr roles = create_certificate_roles(**kwargs) if kwargs.get('roles'): kwargs['roles'] += roles else: kwargs['roles'] = roles if cert_body: cert = Certificate(**kwargs) kwargs['creator'].certificates.append(cert) else: cert = PendingCertificate(**kwargs) kwargs['creator'].pending_certificates.append(cert) cert.authority = kwargs['authority'] database.commit() if isinstance(cert, Certificate): certificate_issued.send(certificate=cert, authority=cert.authority) metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer)) if isinstance(cert, PendingCertificate): # We need to refresh the pending certificate to avoid "Instance is not bound to a Session; " # "attribute refresh operation cannot proceed" pending_cert = database.session_query(PendingCertificate).get(cert.id) from lemur.common.celery import fetch_acme_cert if not current_app.config.get("ACME_DISABLE_AUTORESOLVE", False): fetch_acme_cert.apply_async((pending_cert.id, ), countdown=5) return cert
def create(**kwargs): """ Creates a new certificate. """ try: cert_body, private_key, cert_chain, external_id, csr = mint(**kwargs) except Exception: current_app.logger.error("Exception minting certificate", exc_info=True) sentry.captureException() raise kwargs['body'] = cert_body kwargs['private_key'] = private_key kwargs['chain'] = cert_chain kwargs['external_id'] = external_id kwargs['csr'] = csr roles = create_certificate_roles(**kwargs) if kwargs.get('roles'): kwargs['roles'] += roles else: kwargs['roles'] = roles if cert_body: cert = Certificate(**kwargs) kwargs['creator'].certificates.append(cert) else: cert = PendingCertificate(**kwargs) kwargs['creator'].pending_certificates.append(cert) cert.authority = kwargs['authority'] database.commit() if isinstance(cert, Certificate): certificate_issued.send(certificate=cert, authority=cert.authority) metrics.send('certificate_issued', 'counter', 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer)) if isinstance(cert, PendingCertificate): # We need to refresh the pending certificate to avoid "Instance is not bound to a Session; " # "attribute refresh operation cannot proceed" pending_cert = database.session_query(PendingCertificate).get(cert.id) from lemur.common.celery import fetch_acme_cert if not current_app.config.get("ACME_DISABLE_AUTORESOLVE", False): fetch_acme_cert.apply_async((pending_cert.id,), countdown=5) return cert
def run(self, username): user = user_service.get_by_username(username) if not user: sys.stderr.write("[!] No user found for username: {0}\n".format(username)) sys.exit(1) sys.stderr.write("[+] Resetting password for {0}\n".format(username)) password1 = prompt_pass("Password") password2 = prompt_pass("Confirm Password") if password1 != password2: sys.stderr.write("[!] Passwords do not match\n") sys.exit(1) user.password = password1 user.hash_password() database.commit()
def create(user, type, certificate=None): """ Creates logs a given action. :param user: :param type: :param certificate: :return: """ log_data = { "function": "lemur-audit", "action": type, "user": user.email, "certificate": certificate.name } # format before August 2021: f"[lemur-audit] action: {type}, user: {user.email}, certificate: {certificate.name}." current_app.logger.info(log_data) view = Log(user_id=user.id, log_type=type, certificate_id=certificate.id) database.add(view) database.commit()
def create(**kwargs): """ Creates a new certificate. """ # Validate destinations do not overlap accounts if "destinations" in kwargs: dest_accounts = {} for dest in kwargs["destinations"]: account = get_plugin_option("accountNumber", dest.options) if account in dest_accounts: raise Exception(f"Only one destination allowed per account: {account}") dest_accounts[account] = True try: cert_body, private_key, cert_chain, external_id, csr = mint(**kwargs) except Exception: log_data = { "message": "Exception minting certificate", "issuer": kwargs["authority"].name, "cn": kwargs.get("common_name"), } current_app.logger.error(log_data, exc_info=True) capture_exception() raise kwargs["body"] = cert_body kwargs["private_key"] = private_key kwargs["chain"] = cert_chain kwargs["external_id"] = external_id kwargs["csr"] = csr roles = create_certificate_roles(**kwargs) if kwargs.get("roles"): kwargs["roles"] += roles else: kwargs["roles"] = roles if cert_body: cert = Certificate(**kwargs) kwargs["creator"].certificates.append(cert) else: # ACME path cert = PendingCertificate(**kwargs) kwargs["creator"].pending_certificates.append(cert) cert.authority = kwargs["authority"] database.commit() if isinstance(cert, Certificate): certificate_issued.send(certificate=cert, authority=cert.authority) metrics.send( "certificate_issued", "counter", 1, metric_tags=dict(owner=cert.owner, issuer=cert.issuer), ) log_data = { "function": "lemur.certificates.service.create", "owner": cert.owner, "name": cert.name, "serial": cert.serial, "issuer": cert.issuer, "not_after": cert.not_after.format('YYYY-MM-DD HH:mm:ss'), "not_before": cert.not_before.format('YYYY-MM-DD HH:mm:ss'), "sans": str(', '.join([domain.name for domain in cert.domains])), } current_app.logger.info(log_data) if isinstance(cert, PendingCertificate): # We need to refresh the pending certificate to avoid "Instance is not bound to a Session; " # "attribute refresh operation cannot proceed" pending_cert = database.session_query(PendingCertificate).get(cert.id) from lemur.common.celery import fetch_acme_cert if not current_app.config.get("ACME_DISABLE_AUTORESOLVE", False): fetch_acme_cert.apply_async((pending_cert.id, kwargs.get("async_reissue_notification_cert_id", None)), countdown=5) return cert