def test_create_certificate(issuer_plugin, authority, user): from lemur.certificates.service import create cert = create(authority=authority, csr=CSR_STR, owner='*****@*****.**', creator=user['user']) assert str(cert.not_after) == '2040-01-01T20:30:52+00:00' assert str(cert.not_before) == '2015-06-26T20:30:52+00:00' assert cert.issuer == 'Example' assert cert.name == 'long.lived.com-Example-20150626-20400101' cert = create(authority=authority, csr=CSR_STR, owner='*****@*****.**', name='ACustomName1', creator=user['user']) assert cert.name == 'ACustomName1'
def test_create_certificate(issuer_plugin, authority, user): from lemur.certificates.service import create cert = create(authority=authority, csr=CSR_STR, owner='*****@*****.**', creator=user['user']) assert str(cert.not_after) == '2047-12-31T22:00:00+00:00' assert str(cert.not_before) == '2017-12-31T22:00:00+00:00' assert cert.issuer == 'LemurTrustUnittestsClass1CA2018' assert cert.name == 'SAN-san.example.org-LemurTrustUnittestsClass1CA2018-20171231-20471231-AFF2DB4F8D2D4D8E80FA382AE27C2333' cert = create(authority=authority, csr=CSR_STR, owner='*****@*****.**', name='ACustomName1', creator=user['user']) assert cert.name == 'ACustomName1'
def test_create_certificate(issuer_plugin, authority, logged_in_admin): from lemur.certificates.service import create cert = create(authority=authority, csr=CSR_STR, owner='*****@*****.**') assert str(cert.not_after) == '2040-01-01 20:30:52' assert str(cert.not_before) == '2015-06-26 20:30:52' assert cert.issuer == 'Example' assert cert.name == 'long.lived.com-Example-20150626-20400101' cert = create(authority=authority, csr=CSR_STR, owner='*****@*****.**', name='ACustomName1') assert cert.name == 'ACustomName1'
def test_create_pending_certificate(async_issuer_plugin, async_authority, user): from lemur.certificates.service import create pending_cert = create(authority=async_authority, csr=CSR_STR, owner='*****@*****.**', creator=user['user'], common_name='ACommonName') assert pending_cert.external_id == '12345'
def test_create_certificate(issuer_plugin, authority, user): from lemur.certificates.service import create cert = create( authority=authority, csr=CSR_STR, owner="*****@*****.**", creator=user["user"] ) assert str(cert.not_after) == "2047-12-31T22:00:00+00:00" assert str(cert.not_before) == "2017-12-31T22:00:00+00:00" assert cert.issuer == "LemurTrustUnittestsClass1CA2018" assert ( cert.name == "SAN-san.example.org-LemurTrustUnittestsClass1CA2018-20171231-20471231-AFF2DB4F8D2D4D8E80FA382AE27C2333" ) cert = create( authority=authority, csr=CSR_STR, owner="*****@*****.**", name="ACustomName1", creator=user["user"], ) assert cert.name == "ACustomName1"
def post(self, data=None): """ .. http:post:: /certificates Creates a new certificate **Example request**: .. sourcecode:: http POST /certificates HTTP/1.1 Host: example.com Accept: application/json, text/javascript { "owner": "*****@*****.**", "commonName": "test.example.net", "country": "US", "extensions": { "subAltNames": { "names": [ { "nameType": "DNSName", "value": "*.test.example.net" }, { "nameType": "DNSName", "value": "www.test.example.net" } ] } }, "replacements": [{ "id": 1 }, "notify": true, "validityEnd": "2026-01-01T08:00:00.000Z", "authority": { "name": "verisign" }, "organization": "Netflix, Inc.", "location": "Los Gatos", "state": "California", "validityStart": "2016-11-11T04:19:48.000Z", "organizationalUnit": "Operations" } **Example response**: .. sourcecode:: http HTTP/1.1 200 OK Vary: Accept Content-Type: text/javascript { "status": null, "cn": "*.test.example.net", "chain": "", "authority": { "active": true, "owner": "*****@*****.**", "id": 1, "description": "verisign test authority", "name": "verisign" }, "owner": "*****@*****.**", "serial": "82311058732025924142789179368889309156", "id": 2288, "issuer": "SymantecCorporation", "notBefore": "2016-06-03T00:00:00+00:00", "notAfter": "2018-01-12T23:59:59+00:00", "destinations": [], "bits": 2048, "body": "-----BEGIN CERTIFICATE-----...", "description": null, "deleted": null, "notifications": [{ "id": 1 }] "signingAlgorithm": "sha256", "user": { "username": "******", "active": true, "email": "*****@*****.**", "id": 2 }, "active": true, "domains": [{ "sensitive": false, "id": 1090, "name": "*.test.example.net" }], "replaces": [{ "id": 1 }], "rotation": True, "rotationPolicy": {"name": "default"}, "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112", "roles": [{ "id": 464, "description": "This is a google group based role created by Lemur", "name": "*****@*****.**" }], "san": null } :reqheader Authorization: OAuth token to authenticate :statuscode 200: no error :statuscode 403: unauthenticated """ role = role_service.get_by_name(data['authority'].owner) # all the authority role members should be allowed roles = [x.name for x in data['authority'].roles] # allow "owner" roles by team DL roles.append(role) authority_permission = AuthorityPermission(data['authority'].id, roles) if authority_permission.can(): data['creator'] = g.user cert = service.create(**data) log_service.create(g.user, 'create_cert', certificate=cert) return cert return dict(message="You are not authorized to use the authority: {0}". format(data['authority'].name)), 403
def post(self, data=None): """ .. http:post:: /certificates Creates a new certificate **Example request**: .. sourcecode:: http POST /certificates HTTP/1.1 Host: example.com Accept: application/json, text/javascript **Example response**: .. sourcecode:: http HTTP/1.1 200 OK Vary: Accept Content-Type: text/javascript { "status": null, "cn": "*.test.example.net", "chain": "", "authority": { "active": true, "owner": "*****@*****.**", "id": 1, "description": "verisign test authority", "name": "verisign" }, "owner": "*****@*****.**", "serial": "82311058732025924142789179368889309156", "id": 2288, "issuer": "SymantecCorporation", "notBefore": "2016-06-03T00:00:00+00:00", "notAfter": "2018-01-12T23:59:59+00:00", "destinations": [], "bits": 2048, "body": "-----BEGIN CERTIFICATE-----...", "description": null, "deleted": null, "notifications": [{ "id": 1 }] "signingAlgorithm": "sha256", "user": { "username": "******", "active": true, "email": "*****@*****.**", "id": 2 }, "active": true, "domains": [{ "sensitive": false, "id": 1090, "name": "*.test.example.net" }], "replaces": [], "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112", "roles": [{ "id": 464, "description": "This is a google group based role created by Lemur", "name": "*****@*****.**" }], "san": null } :arg extensions: extensions to be used in the certificate :arg description: description for new certificate :arg owner: owner email :arg validityStart: when the certificate should start being valid :arg validityEnd: when the certificate should expire :arg authority: authority that should issue the certificate :arg country: country for the CSR :arg state: state for the CSR :arg location: location for the CSR :arg organization: organization for CSR :arg commonName: certificate common name :reqheader Authorization: OAuth token to authenticate :statuscode 200: no error :statuscode 403: unauthenticated """ role = role_service.get_by_name(data['authority'].owner) # all the authority role members should be allowed roles = [x.name for x in data['authority'].roles] # allow "owner" roles by team DL roles.append(role) authority_permission = AuthorityPermission(data['authority'].id, roles) if authority_permission.can(): return service.create(**data) return dict(message="You are not authorized to use {0}".format( data['authority'].name)), 403
def post(self): """ .. http:post:: /certificates Creates a new certificate **Example request**: .. sourcecode:: http POST /certificates HTTP/1.1 Host: example.com Accept: application/json, text/javascript { "country": "US", "state": "CA", "location": "A Place", "organization": "ExampleInc.", "organizationalUnit": "Operations", "owner": "*****@*****.**", "description": "test", "selectedAuthority": "timetest2", "csr", "authority": { "body": "-----BEGIN...", "name": "timetest2", "chain": "", "notBefore": "2015-06-05T15:20:59", "active": true, "id": 50, "notAfter": "2015-06-17T15:21:08", "description": "dsfdsf" }, "notifications": [ { "description": "Default 30 day expiration notification", "notificationOptions": [ { "name": "interval", "required": true, "value": 30, "helpMessage": "Number of days to be alert before expiration.", "validation": "^\\d+$", "type": "int" }, { "available": [ "days", "weeks", "months" ], "name": "unit", "required": true, "value": "days", "helpMessage": "Interval unit", "validation": "", "type": "select" }, { "name": "recipients", "required": true, "value": "*****@*****.**", "helpMessage": "Comma delimited list of email addresses", "validation": "^([\\w+-.%]+@[\\w-.]+\\.[A-Za-z]{2,4},?)+$", "type": "str" } ], "label": "DEFAULT_KGLISSON_30_DAY", "pluginName": "email-notification", "active": true, "id": 7 } ], "extensions": { "basicConstraints": {}, "keyUsage": { "isCritical": true, "useKeyEncipherment": true, "useDigitalSignature": true }, "extendedKeyUsage": { "isCritical": true, "useServerAuthentication": true }, "subjectKeyIdentifier": { "includeSKI": true }, "subAltNames": { "names": [] } }, "commonName": "test", "validityStart": "2015-06-05T07:00:00.000Z", "validityEnd": "2015-06-16T07:00:00.000Z", "replacements": [ {'id': 123} ] } **Example response**: .. sourcecode:: http HTTP/1.1 200 OK Vary: Accept Content-Type: text/javascript { "id": 1, "name": "cert1", "description": "this is cert1", "bits": 2048, "deleted": false, "issuer": "ExampeInc.", "serial": "123450", "chain": "-----Begin ...", "body": "-----Begin ...", "san": true, "owner": "*****@*****.**", "active": false, "notBefore": "2015-06-05T17:09:39", "notAfter": "2015-06-10T17:09:39", "cn": "example.com", "status": "unknown" } :arg extensions: extensions to be used in the certificate :arg description: description for new certificate :arg owner: owner email :arg validityStart: when the certificate should start being valid :arg validityEnd: when the certificate should expire :arg authority: authority that should issue the certificate :arg country: country for the CSR :arg state: state for the CSR :arg location: location for the CSR :arg organization: organization for CSR :arg commonName: certiifcate common name :reqheader Authorization: OAuth token to authenticate :statuscode 200: no error :statuscode 403: unauthenticated """ self.reqparse.add_argument('extensions', type=dict, location='json') self.reqparse.add_argument('destinations', type=list, default=[], location='json') self.reqparse.add_argument('notifications', type=list, default=[], location='json') self.reqparse.add_argument('replacements', type=list, default=[], location='json') self.reqparse.add_argument('validityStart', type=str, location='json') # TODO validate self.reqparse.add_argument('validityEnd', type=str, location='json') # TODO validate self.reqparse.add_argument('authority', type=valid_authority, location='json', required=True) self.reqparse.add_argument('description', type=str, location='json') self.reqparse.add_argument('country', type=str, location='json', required=True) self.reqparse.add_argument('state', type=str, location='json', required=True) self.reqparse.add_argument('location', type=str, location='json', required=True) self.reqparse.add_argument('organization', type=str, location='json', required=True) self.reqparse.add_argument('organizationalUnit', type=str, location='json', required=True) self.reqparse.add_argument('owner', type=str, location='json', required=True) self.reqparse.add_argument('commonName', type=str, location='json', required=True) self.reqparse.add_argument('csr', type=str, location='json') args = self.reqparse.parse_args() authority = args['authority'] role = role_service.get_by_name(authority.owner) # all the authority role members should be allowed roles = [x.name for x in authority.roles] # allow "owner" roles by team DL roles.append(role) permission = AuthorityPermission(authority.id, roles) if permission.can(): return service.create(**args) return dict(message="You are not authorized to use {0}".format(args['authority'].name)), 403
def post(self, data=None): """ .. http:post:: /certificates Creates a new certificate **Example request**: .. sourcecode:: http POST /certificates HTTP/1.1 Host: example.com Accept: application/json, text/javascript { "owner": "*****@*****.**", "commonName": "test.example.net", "country": "US", "extensions": { "subAltNames": { "names": [ { "nameType": "DNSName", "value": "*.test.example.net" }, { "nameType": "DNSName", "value": "www.test.example.net" } ] } }, "replacements": [{ "id": 1 }], "notify": true, "validityEnd": "2026-01-01T08:00:00.000Z", "authority": { "name": "verisign" }, "organization": "Netflix, Inc.", "location": "Los Gatos", "state": "California", "validityStart": "2016-11-11T04:19:48.000Z", "organizationalUnit": "Operations" } **Example response**: .. sourcecode:: http HTTP/1.1 200 OK Vary: Accept Content-Type: text/javascript { "status": null, "cn": "*.test.example.net", "chain": "", "authority": { "active": true, "owner": "*****@*****.**", "id": 1, "description": "verisign test authority", "name": "verisign" }, "owner": "*****@*****.**", "serial": "82311058732025924142789179368889309156", "id": 2288, "issuer": "SymantecCorporation", "dateCreated": "2016-06-03T06:09:42.133769+00:00", "notBefore": "2016-06-03T00:00:00+00:00", "notAfter": "2018-01-12T23:59:59+00:00", "destinations": [], "bits": 2048, "body": "-----BEGIN CERTIFICATE-----...", "description": null, "deleted": null, "notifications": [{ "id": 1 }], "signingAlgorithm": "sha256", "user": { "username": "******", "active": true, "email": "*****@*****.**", "id": 2 }, "active": true, "domains": [{ "sensitive": false, "id": 1090, "name": "*.test.example.net" }], "replaces": [{ "id": 1 }], "rotation": true, "rotationPolicy": {"name": "default"}, "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112", "roles": [{ "id": 464, "description": "This is a google group based role created by Lemur", "name": "*****@*****.**" }], "san": null } :reqheader Authorization: OAuth token to authenticate :statuscode 200: no error :statuscode 403: unauthenticated """ role = role_service.get_by_name(data['authority'].owner) # all the authority role members should be allowed roles = [x.name for x in data['authority'].roles] # allow "owner" roles by team DL roles.append(role) authority_permission = AuthorityPermission(data['authority'].id, roles) if authority_permission.can(): data['creator'] = g.user cert = service.create(**data) if isinstance(cert, Certificate): # only log if created, not pending log_service.create(g.user, 'create_cert', certificate=cert) return cert return dict(message="You are not authorized to use the authority: {0}".format(data['authority'].name)), 403
def post(self): """ .. http:post:: /certificates Creates a new certificate **Example request**: .. sourcecode:: http POST /certificates HTTP/1.1 Host: example.com Accept: application/json, text/javascript { "country": "US", "state": "CA", "location": "A Place", "organization": "ExampleInc.", "organizationalUnit": "Operations", "owner": "*****@*****.**", "description": "test", "selectedAuthority": "timetest2", "csr": "----BEGIN CERTIFICATE REQUEST-----...", "authority": { "body": "-----BEGIN...", "name": "timetest2", "chain": "", "notBefore": "2015-06-05T15:20:59", "active": true, "id": 50, "notAfter": "2015-06-17T15:21:08", "description": "dsfdsf" }, "notifications": [ { "description": "Default 30 day expiration notification", "notificationOptions": [ { "name": "interval", "required": true, "value": 30, "helpMessage": "Number of days to be alert before expiration.", "validation": "^\\d+$", "type": "int" }, { "available": [ "days", "weeks", "months" ], "name": "unit", "required": true, "value": "days", "helpMessage": "Interval unit", "validation": "", "type": "select" }, { "name": "recipients", "required": true, "value": "*****@*****.**", "helpMessage": "Comma delimited list of email addresses", "validation": "^([\\w+-.%]+@[\\w-.]+\\.[A-Za-z]{2,4},?)+$", "type": "str" } ], "label": "DEFAULT_KGLISSON_30_DAY", "pluginName": "email-notification", "active": true, "id": 7 } ], "extensions": { "basicConstraints": {}, "keyUsage": { "isCritical": true, "useKeyEncipherment": true, "useDigitalSignature": true }, "extendedKeyUsage": { "isCritical": true, "useServerAuthentication": true }, "subjectKeyIdentifier": { "includeSKI": true }, "subAltNames": { "names": [] } }, "commonName": "test", "validityStart": "2015-06-05T07:00:00.000Z", "validityEnd": "2015-06-16T07:00:00.000Z", "replacements": [ {'id': 123} ] } **Example response**: .. sourcecode:: http HTTP/1.1 200 OK Vary: Accept Content-Type: text/javascript { "id": 1, "name": "cert1", "description": "this is cert1", "bits": 2048, "deleted": false, "issuer": "ExampeInc.", "serial": "123450", "chain": "-----Begin ...", "body": "-----Begin ...", "san": true, "owner": "*****@*****.**", "active": false, "notBefore": "2015-06-05T17:09:39", "notAfter": "2015-06-10T17:09:39", "cn": "example.com", "status": "unknown" } :arg extensions: extensions to be used in the certificate :arg description: description for new certificate :arg owner: owner email :arg validityStart: when the certificate should start being valid :arg validityEnd: when the certificate should expire :arg authority: authority that should issue the certificate :arg country: country for the CSR :arg state: state for the CSR :arg location: location for the CSR :arg organization: organization for CSR :arg commonName: certiifcate common name :reqheader Authorization: OAuth token to authenticate :statuscode 200: no error :statuscode 403: unauthenticated """ self.reqparse.add_argument('extensions', type=dict, location='json') self.reqparse.add_argument('destinations', type=list, default=[], location='json') self.reqparse.add_argument('notifications', type=list, default=[], location='json') self.reqparse.add_argument('replacements', type=list, default=[], location='json') self.reqparse.add_argument('validityStart', type=str, location='json') # TODO validate self.reqparse.add_argument('validityEnd', type=str, location='json') # TODO validate self.reqparse.add_argument('validityYears', type=int, location='json') # TODO validate self.reqparse.add_argument('authority', type=valid_authority, location='json', required=True) self.reqparse.add_argument('description', type=str, location='json') self.reqparse.add_argument('country', type=str, location='json', required=True) self.reqparse.add_argument('state', type=str, location='json', required=True) self.reqparse.add_argument('location', type=str, location='json', required=True) self.reqparse.add_argument('organization', type=str, location='json', required=True) self.reqparse.add_argument('organizationalUnit', type=str, location='json', required=True) self.reqparse.add_argument('owner', type=str, location='json', required=True) self.reqparse.add_argument('commonName', type=str, location='json', required=True) self.reqparse.add_argument('csr', type=str, location='json') args = self.reqparse.parse_args() authority = args['authority'] role = role_service.get_by_name(authority.owner) # all the authority role members should be allowed roles = [x.name for x in authority.roles] # allow "owner" roles by team DL roles.append(role) authority_permission = AuthorityPermission(authority.id, roles) if authority_permission.can(): # if we are not admins lets make sure we aren't issuing anything sensitive if not SensitiveDomainPermission().can(): check_sensitive_domains(get_domains_from_options(args)) return service.create(**args) return dict(message="You are not authorized to use {0}".format( args['authority'].name)), 403
def post(self, data=None): """ .. http:post:: /certificates Creates a new certificate **Example request**: .. sourcecode:: http POST /certificates HTTP/1.1 Host: example.com Accept: application/json, text/javascript **Example response**: .. sourcecode:: http HTTP/1.1 200 OK Vary: Accept Content-Type: text/javascript { "status": null, "cn": "*.test.example.net", "chain": "", "authority": { "active": true, "owner": "*****@*****.**", "id": 1, "description": "verisign test authority", "name": "verisign" }, "owner": "*****@*****.**", "serial": "82311058732025924142789179368889309156", "id": 2288, "issuer": "SymantecCorporation", "notBefore": "2016-06-03T00:00:00+00:00", "notAfter": "2018-01-12T23:59:59+00:00", "destinations": [], "bits": 2048, "body": "-----BEGIN CERTIFICATE-----...", "description": null, "deleted": null, "notifications": [{ "id": 1 }] "signingAlgorithm": "sha256", "user": { "username": "******", "active": true, "email": "*****@*****.**", "id": 2 }, "active": true, "domains": [{ "sensitive": false, "id": 1090, "name": "*.test.example.net" }], "replaces": [], "name": "WILDCARD.test.example.net-SymantecCorporation-20160603-20180112", "roles": [{ "id": 464, "description": "This is a google group based role created by Lemur", "name": "*****@*****.**" }], "san": null } :arg extensions: extensions to be used in the certificate :arg description: description for new certificate :arg owner: owner email :arg validityStart: when the certificate should start being valid :arg validityEnd: when the certificate should expire :arg authority: authority that should issue the certificate :arg country: country for the CSR :arg state: state for the CSR :arg location: location for the CSR :arg organization: organization for CSR :arg commonName: certificate common name :reqheader Authorization: OAuth token to authenticate :statuscode 200: no error :statuscode 403: unauthenticated """ role = role_service.get_by_name(data['authority'].owner) # all the authority role members should be allowed roles = [x.name for x in data['authority'].roles] # allow "owner" roles by team DL roles.append(role) authority_permission = AuthorityPermission(data['authority'].id, roles) if authority_permission.can(): return service.create(**data) return dict(message="You are not authorized to use {0}".format(data['authority'].name)), 403