def get_endpoint_certificate_names(self, endpoint):
options = endpoint.source.options
account_number = self.get_option("accountNumber", options)
region = get_region_from_dns(endpoint.dnsname)
certificate_names = []
if endpoint.type == "elb":
elb_details = elb.get_elbs(account_number=account_number,
region=region,
LoadBalancerNames=[endpoint.name],)
for lb_description in elb_details["LoadBalancerDescriptions"]:
for listener_description in lb_description["ListenerDescriptions"]:
listener = listener_description.get("Listener")
if not listener.get("SSLCertificateId"):
continue
certificate_names.append(iam.get_name_from_arn(listener.get("SSLCertificateId")))
elif endpoint.type == "elbv2":
listeners = elb.describe_listeners_v2(
account_number=account_number,
region=region,
LoadBalancerArn=elb.get_load_balancer_arn_from_endpoint(endpoint.name,
account_number=account_number,
region=region),
)
for listener in listeners["Listeners"]:
if not listener.get("Certificates"):
continue
for certificate in listener["Certificates"]:
certificate_names.append(iam.get_name_from_arn(certificate["CertificateArn"]))
return certificate_names
def get_endpoint_certificate_names(self, endpoint):
options = endpoint.source.options
account_number = self.get_option("accountNumber", options)
region = get_region_from_dns(endpoint.dnsname)
certificate_names = []
if endpoint.type == "elb":
elb_details = elb.get_elbs(
account_number=account_number,
region=region,
LoadBalancerNames=[endpoint.name],
)
for lb_description in elb_details["LoadBalancerDescriptions"]:
for listener_description in lb_description[
"ListenerDescriptions"]:
listener = listener_description.get("Listener")
if not listener.get("SSLCertificateId"):
continue
certificate_names.append(
iam.get_name_from_arn(
listener.get("SSLCertificateId")))
elif endpoint.type == "elbv2":
listeners = elb.describe_listeners_v2(
account_number=account_number,
region=region,
LoadBalancerArn=elb.get_load_balancer_arn_from_endpoint(
endpoint.name,
account_number=account_number,
region=region),
)
for listener in listeners["Listeners"]:
if not listener.get("Certificates"):
continue
for certificate in listener["Certificates"]:
certificate_names.append(
iam.get_name_from_arn(certificate["CertificateArn"]))
elif endpoint.type == "cloudfront":
cert_id_to_name = iam.get_certificate_id_to_name(
account_number=account_number)
dist = cloudfront.get_distribution(account_number=account_number,
distribution_id=endpoint.name)
loaded = get_distribution_endpoint(account_number, cert_id_to_name,
dist)
if loaded:
certificate_names.append(loaded["certificate_name"])
else:
raise NotImplementedError()
return certificate_names
def test_get_all_elb_and_elbv2s(app, aws_credentials):
from copy import deepcopy
from lemur.plugins.lemur_aws.elb import get_load_balancer_arn_from_endpoint
from lemur.plugins.base import plugins
from lemur.plugins.utils import set_plugin_option
acm_client = boto3.client("acm", region_name="us-east-1")
acm_request_response = acm_client.request_certificate(
DomainName="test.example.com",
DomainValidationOptions=[
{
"DomainName": "test.example.com",
"ValidationDomain": "test.example.com"
},
],
)
arn1 = acm_request_response["CertificateArn"]
cert_name1 = arn1.split("/")[-1]
acm_request_response = acm_client.request_certificate(
DomainName="test2.example.com",
DomainValidationOptions=[
{
"DomainName": "test2.example.com",
"ValidationDomain": "test2.example.com"
},
],
)
arn2 = acm_request_response["CertificateArn"]
cert_name2 = arn2.split("/")[-1]
client = boto3.client("elb", region_name="us-east-1")
client.create_load_balancer(
LoadBalancerName="example-lb",
Listeners=[{
"Protocol": "string",
"LoadBalancerPort": 443,
"InstanceProtocol": "tcp",
"InstancePort": 5443,
"SSLCertificateId": arn1,
}],
)
ec2 = boto3.resource("ec2", region_name="us-east-1")
elbv2 = boto3.client("elbv2", region_name="us-east-1")
vpc = ec2.create_vpc(CidrBlock="10.0.1.0/24")
subnet1 = ec2.create_subnet(VpcId=vpc.id,
CidrBlock="10.0.1.128/25",
AvailabilityZone="us-east-1b")
elbv2.create_load_balancer(
Name="test-lbv2",
Subnets=[
subnet1.id,
],
)
lb_arn = get_load_balancer_arn_from_endpoint("test-lbv2",
account_number="123456789012",
region="us-east-1")
target_group_arn = elbv2.create_target_group(
Name="a-target", Protocol="HTTPS", Port=443,
VpcId=vpc.id).get("TargetGroups")[0]["TargetGroupArn"]
listener = elbv2.create_listener(
LoadBalancerArn=lb_arn,
Protocol="HTTPS",
Port=1443,
Certificates=[{
"CertificateArn": arn2
}],
DefaultActions=[{
"Type": "forward",
"TargetGroupArn": target_group_arn
}],
)
aws_source = plugins.get("aws-source")
options = deepcopy(aws_source.options)
set_plugin_option("accountNumber", "123456789012", options)
set_plugin_option("endpointType", "elb", options)
set_plugin_option("regions", "us-east-1", options)
elbs = aws_source.get_endpoints(options)
elb_map = {}
for elb in elbs:
elb_map[elb["name"]] = elb
assert elb_map["example-lb"]["certificate_name"] == cert_name1
assert elb_map["example-lb"]["registry_type"] == "acm"
assert elb_map["example-lb"]["port"] == 443
assert elb_map["test-lbv2"]["certificate_name"] == cert_name2
assert elb_map["test-lbv2"]["registry_type"] == "acm"
assert elb_map["test-lbv2"]["port"] == 1443
def test_create_elb_with_https_listener_miscellaneous(app, aws_credentials):
from lemur.plugins.lemur_aws import iam, elb
endpoint_name = "example-lbv2"
account_number = "123456789012"
region_ue1 = "us-east-1"
client = boto3.client("elbv2", region_name="us-east-1")
ec2 = boto3.resource("ec2", region_name="us-east-1")
# Create VPC
vpc = ec2.create_vpc(CidrBlock="172.28.7.0/24")
# Create LB (elbv2) in above VPC
assert create_load_balancer(client, ec2, vpc.id, endpoint_name)
# Create target group
target_group_arn = create_target_group(client, vpc.id)
assert target_group_arn
# Test get_load_balancer_arn_from_endpoint
lb_arn = elb.get_load_balancer_arn_from_endpoint(
endpoint_name, account_number=account_number, region=region_ue1)
assert lb_arn
# Test describe_listeners_v2
listeners = elb.describe_listeners_v2(account_number=account_number,
region=region_ue1,
LoadBalancerArn=lb_arn)
assert listeners
assert not listeners["Listeners"]
# Upload cert
response = iam.upload_cert("LemurTestCert",
"testCert",
"cert1",
"cert2",
account_number=account_number)
assert response
cert_arn = response["ServerCertificateMetadata"]["Arn"]
assert cert_arn
# Create https listener using above cert
listeners = client.create_listener(
LoadBalancerArn=lb_arn,
Protocol="HTTPS",
Port=443,
Certificates=[{
"CertificateArn": cert_arn
}],
DefaultActions=[{
"Type": "forward",
"TargetGroupArn": target_group_arn
}],
)
assert listeners
listener_arn = listeners["Listeners"][0]["ListenerArn"]
assert listener_arn
assert listeners["Listeners"]
for listener in listeners["Listeners"]:
if listener["Port"] == 443:
assert listener["Certificates"]
assert cert_arn == listener["Certificates"][0]["CertificateArn"]
# Test get_listener_arn_from_endpoint
assert listener_arn == elb.get_listener_arn_from_endpoint(
endpoint_name,
443,
account_number=account_number,
region=region_ue1,
)
def test_get_all_elb_and_elbv2s(app, aws_credentials):
from copy import deepcopy
from lemur.plugins.lemur_aws.elb import get_load_balancer_arn_from_endpoint
from lemur.plugins.base import plugins
from lemur.plugins.utils import set_plugin_option
cert_arn_prefix = "arn:aws:iam::123456789012:server-certificate/"
cert_arn = cert_arn_prefix + "plugin-test.example.com-R3-20211023-20220121"
cert_arn_v2 = cert_arn_prefix + "plugin-test-v2.example.com-R3-20211023-20220121"
client = boto3.client("elb", region_name="us-east-1")
client.create_load_balancer(
LoadBalancerName="example-lb",
Listeners=[{
"Protocol": "string",
"LoadBalancerPort": 443,
"InstanceProtocol": "tcp",
"InstancePort": 5443,
"SSLCertificateId": cert_arn,
}],
)
ec2 = boto3.resource("ec2", region_name="us-east-1")
elbv2 = boto3.client("elbv2", region_name="us-east-1")
vpc = ec2.create_vpc(CidrBlock="10.0.1.0/24")
subnet1 = ec2.create_subnet(VpcId=vpc.id,
CidrBlock="10.0.1.128/25",
AvailabilityZone="us-east-1b")
elbv2.create_load_balancer(
Name="test-lbv2",
Subnets=[
subnet1.id,
],
)
lb_arn = get_load_balancer_arn_from_endpoint("test-lbv2",
account_number="123456789012",
region="us-east-1")
target_group_arn = elbv2.create_target_group(
Name="a-target", Protocol="HTTPS", Port=443,
VpcId=vpc.id).get("TargetGroups")[0]["TargetGroupArn"]
listener = elbv2.create_listener(
LoadBalancerArn=lb_arn,
Protocol="HTTPS",
Port=1443,
Certificates=[{
"CertificateArn": cert_arn_v2
}],
DefaultActions=[{
"Type": "forward",
"TargetGroupArn": target_group_arn
}],
)
aws_source = plugins.get("aws-source")
options = deepcopy(aws_source.options)
set_plugin_option("accountNumber", "123456789012", options)
set_plugin_option("endpointType", "elb", options)
set_plugin_option("regions", "us-east-1", options)
elbs = aws_source.get_endpoints(options)
elb_map = {}
for elb in elbs:
elb_map[elb["name"]] = elb
assert elb_map["example-lb"][
"certificate_name"] == "plugin-test.example.com-R3-20211023-20220121"
assert elb_map["example-lb"]["registry_type"] == "iam"
assert elb_map["example-lb"]["port"] == 443
assert elb_map["test-lbv2"][
"certificate_name"] == "plugin-test-v2.example.com-R3-20211023-20220121"
assert elb_map["test-lbv2"]["registry_type"] == "iam"
assert elb_map["test-lbv2"]["port"] == 1443