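def create(**kwargs):
    """
    Creates a new certificate.

    Mints the certificate, persists it, attaches it to the requesting user
    (``g.user``), then wires up destinations and notifications.

    :param kwargs: ``owner`` is required; ``description``, ``destinations``
        and ``notifications`` are optional. The two lists are handed to
        ``database.update_list``.
    :return: the persisted certificate
    """
    from lemur.notifications import service as notification_service

    # mint() also hands back the private key and chain. They are unused here
    # (presumably already attached to ``cert`` by mint() -- confirm) and must
    # never be logged.
    cert, _private_key, _cert_chain = mint(kwargs)
    cert.owner = kwargs["owner"]
    database.create(cert)

    cert.description = kwargs.get("description")
    g.user.certificates.append(cert)
    database.update(g.user)

    # do this after the certificate has already been created because if it
    # fails to upload to the third party we do not want to lose the
    # certificate information.
    database.update_list(cert, "destinations", Destination, kwargs.get("destinations"))
    database.update_list(cert, "notifications", Notification, kwargs.get("notifications"))

    # create default notifications for this certificate if none are provided.
    # Only assign in that case: the original unconditionally assigned an empty
    # list here, discarding the caller-supplied notifications that
    # update_list had just attached.
    if not kwargs.get("notifications"):
        owner_label = "DEFAULT_{0}".format(cert.owner.split("@")[0].upper())
        defaults = []
        defaults += notification_service.create_default_expiration_notifications(
            owner_label, [cert.owner]
        )
        # the security team is always copied on expiration notices; the config
        # value is passed through as-is (a missing setting yields None -- confirm
        # the notification service tolerates that)
        defaults += notification_service.create_default_expiration_notifications(
            "DEFAULT_SECURITY", current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")
        )
        cert.notifications = defaults

    database.update(cert)
    return cert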
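def update(cert_id, owner, description, active, destinations, notifications):
    """
    Updates a certificate.

    Owner changes swap the owner's default expiration notifications: the
    ``DEFAULT_<OLD-OWNER>`` entries are dropped from *notifications* and fresh
    ``DEFAULT_<NEW-OWNER>`` ones are created (also when the owner is unchanged).

    :param cert_id: id of the certificate to update
    :param owner: new owner e-mail address
    :param description: new description
    :param active: new active flag
    :param destinations: destinations to attach (handed to ``database.update_list``)
    :param notifications: notification objects (each with a ``label``) to keep
    :return: the updated certificate as returned by ``database.update``
    """
    from lemur.notifications import service as notification_service

    cert = get(cert_id)
    cert.active = active
    cert.description = description

    # drop the previous owner's default notifications; everything else is kept
    old_default = "DEFAULT_{0}".format(cert.owner.split("@")[0].upper())
    new_notifications = [n for n in notifications if old_default not in n.label]

    # recreate the defaults for the new owner. The recipients are passed as a
    # list, matching how ``create`` calls create_default_expiration_notifications;
    # the original passed the bare string.
    new_default = "DEFAULT_{0}".format(owner.split("@")[0].upper())
    new_notifications += notification_service.create_default_expiration_notifications(
        new_default, [owner]
    )
    cert.notifications = new_notifications

    database.update_list(cert, "destinations", Destination, destinations)
    cert.owner = owner
    return database.update(cert)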
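def run(self, elb_list, chain_path, cert_name, cert_prefix, description):
    """
    Clone a certificate for each listed ELB listener and point the listener at
    the clone.

    *elb_list* is a text file with one listener per line:
    ``elb_name,account_id,region,from_port,to_port,protocol``.

    :param elb_list: path to the listener list
    :param chain_path: path to the PEM chain copied onto every clone
    :param cert_name: name of the certificate to clone; when empty, the name is
        discovered from the listener's current certificate ARN
    :param cert_prefix: optional prefix for the clone's name
    :param description: text appended to the clone's description
    """
    # the chain is identical for every listener, so read it once and close the file
    with open(chain_path, 'r') as chain_file:
        chain = chain_file.read()

    with open(elb_list, 'r') as listener_file:
        rows = [line.strip() for line in listener_file if line.strip()]

    for row in rows:
        elb_name, account_id, region, from_port, to_port, protocol = row.split(',')

        if cert_name:
            # assumes get_by_name accepts the same name used to build the
            # server-certificate ARN -- confirm
            name = cert_name
        else:
            # if no cert name is provided we need to discover it from the
            # listener we care about
            listeners = elb.get_listeners(account_id, region, elb_name)
            for listener in listeners:
                if listener[0] == int(from_port) and listener[1] == int(to_port):
                    name = get_name_from_arn(listener[4])
                    break
            else:
                sys.stdout.write("[-] Could not find ELB {0}\n".format(elb_name))
                continue

        # resolve the certificate on every row: the original left ``certificate``
        # unbound (or stale from the previous row) whenever cert_name was given
        certificate = cert_service.get_by_name(name)
        if not certificate:
            sys.stdout.write("[-] Could not find certificate {0} in Lemur\n".format(name))
            continue

        dests = [{'id': d.id} for d in certificate.destinations]
        nots = [{'id': n.id} for n in certificate.notifications]

        new_certificate = database.clone(certificate)
        if cert_prefix:
            new_certificate.name = "{0}-{1}".format(cert_prefix, new_certificate.name)
        new_certificate.chain = chain
        new_certificate.description = "{0} - {1}".format(new_certificate.description, description)
        new_certificate = database.create(new_certificate)

        database.update_list(new_certificate, 'destinations', Destination, dests)
        database.update_list(new_certificate, 'notifications', Notification, nots)
        database.update(new_certificate)

        # ports are forwarded as the strings read from the file, as before
        arn = new_certificate.get_arn(account_id)
        elb.update_listeners(
            account_id, region, elb_name, [(from_port, to_port, protocol, arn)], [from_port]
        )
        sys.stdout.write("[+] Updated {0} to use {1}\n".format(elb_name, new_certificate.name))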
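def import_certificate(**kwargs):
    """
    Uploads already minted certificates and pulls the required information into Lemur.

    This is to be used for certificates that are created outside of Lemur but
    should still be tracked. Internally this is used to bootstrap Lemur with
    external certificates, and used when certificates are 'discovered' through
    various discovery techniques.

    :param kwargs: ``public_certificate`` and ``intermediate_certificate`` are
        required. Optional: ``owner`` (defaults to the first
        ``LEMUR_SECURITY_TEAM_EMAIL`` address), ``creator`` (defaults to the
        ``lemur@nobody`` user), ``name``, ``user`` and ``replacements``.
    :return: the persisted certificate
    """
    from lemur.users import service as user_service
    from lemur.notifications import service as notification_service

    cert = Certificate(kwargs['public_certificate'], chain=kwargs['intermediate_certificate'])

    security_team = current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')

    # TODO future source plugins might have a better understanding of who the
    # 'owner' is we should support this.
    # Defaults are resolved only when needed: the original indexed the config
    # value and ran the user lookup even when the caller supplied a value.
    if 'owner' in kwargs:
        cert.owner = kwargs['owner']
    else:
        cert.owner = security_team[0]

    if 'creator' in kwargs:
        cert.creator = kwargs['creator']
    else:
        cert.creator = user_service.get_by_email('lemur@nobody')

    # NOTE existing certs may not follow our naming standard we will
    # overwrite the generated name with the actual cert name
    if kwargs.get('name'):
        cert.name = kwargs.get('name')

    if kwargs.get('user'):
        cert.user = kwargs.get('user')

    # imported certificates only get the security team's default notifications
    notifications = notification_service.create_default_expiration_notifications(
        'DEFAULT_SECURITY', security_team)

    if kwargs.get('replacements'):
        database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])

    cert.notifications = notifications
    cert = database.create(cert)
    return cert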
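def create(**kwargs):
    """
    Creates a new certificate.

    Mints the certificate, persists it, attaches it to the requesting user
    (``g.user``), then wires up destinations, replaced certificates and
    notifications.

    :param kwargs: ``owner`` and ``description`` are required. The optional
        lists ``destinations``, ``replacements`` and ``notifications`` are
        handed to ``database.update_list``.
    :return: the persisted certificate
    """
    from lemur.notifications import service as notification_service

    # mint() also hands back the private key and chain. They are unused here
    # (presumably already attached to ``cert`` by mint() -- confirm) and must
    # never be logged.
    cert, _private_key, _cert_chain = mint(kwargs)
    cert.owner = kwargs['owner']
    database.create(cert)

    cert.description = kwargs['description']
    g.user.certificates.append(cert)
    database.update(g.user)

    # do this after the certificate has already been created because if it
    # fails to upload to the third party we do not want to lose the
    # certificate information.
    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
    # ``.get`` for consistency with the other two lists, which already rely on
    # update_list accepting None; the original raised KeyError when
    # 'replacements' was absent.
    database.update_list(cert, 'replaces', Certificate, kwargs.get('replacements'))
    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))

    # create default notifications for this certificate if none are provided.
    # Start from the collection update_list attached so caller-supplied
    # notifications survive.
    notifications = cert.notifications
    if not kwargs.get('notifications'):
        owner_label = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
        notifications += notification_service.create_default_expiration_notifications(
            owner_label, [cert.owner])
        # the security team is always copied on expiration notices
        notifications += notification_service.create_default_expiration_notifications(
            'DEFAULT_SECURITY', current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))

    cert.notifications = notifications
    database.update(cert)
    return cert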
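def import_certificate(**kwargs):
    """
    Uploads already minted certificates and pulls the required information into Lemur.

    This is to be used for certificates that are created outside of Lemur but
    should still be tracked. Internally this is used to bootstrap Lemur with
    external certificates, and used when certificates are 'discovered' through
    various discovery techniques.

    :param kwargs: ``public_certificate`` and ``intermediate_certificate`` are
        required. Optional: ``owner`` (defaults to the first
        ``LEMUR_SECURITY_TEAM_EMAIL`` address), ``creator`` (defaults to the
        ``lemur@nobody`` user), ``name``, ``user`` and ``replacements``.
    :return: the persisted certificate
    """
    from lemur.users import service as user_service
    from lemur.notifications import service as notification_service

    cert = Certificate(kwargs['public_certificate'], chain=kwargs['intermediate_certificate'])

    security_team = current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL')

    # TODO future source plugins might have a better understanding of who the
    # 'owner' is we should support this.
    # Defaults are resolved only when needed: the original indexed the config
    # value and ran the user lookup even when the caller supplied a value.
    if 'owner' in kwargs:
        cert.owner = kwargs['owner']
    else:
        cert.owner = security_team[0]

    if 'creator' in kwargs:
        cert.creator = kwargs['creator']
    else:
        cert.creator = user_service.get_by_email('lemur@nobody')

    # NOTE existing certs may not follow our naming standard we will
    # overwrite the generated name with the actual cert name
    if kwargs.get('name'):
        cert.name = kwargs.get('name')

    if kwargs.get('user'):
        cert.user = kwargs.get('user')

    # imported certificates only get the security team's default notifications
    notifications = notification_service.create_default_expiration_notifications(
        'DEFAULT_SECURITY', security_team)

    if kwargs.get('replacements'):
        database.update_list(cert, 'replaces', Certificate, kwargs['replacements'])

    cert.notifications = notifications
    cert = database.create(cert)
    return cert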
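def update(cert_id, owner, description, active, destinations, notifications, replaces):
    """
    Updates a certificate.

    Owner changes swap the owner's default expiration notifications: the
    ``DEFAULT_<OLD-OWNER>`` entries are dropped from *notifications* and fresh
    ``DEFAULT_<NEW-OWNER>`` ones are created (also when the owner is unchanged).

    :param cert_id: id of the certificate to update
    :param owner: new owner e-mail address
    :param description: new description
    :param active: new active flag
    :param destinations: destinations to attach (handed to ``database.update_list``)
    :param notifications: notification objects (each with a ``label``) to keep
    :param replaces: certificates this one replaces (handed to ``database.update_list``)
    :return: the updated certificate as returned by ``database.update``
    """
    from lemur.notifications import service as notification_service

    cert = get(cert_id)
    cert.active = active
    cert.description = description

    # drop the previous owner's default notifications; everything else is kept
    old_default = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
    new_notifications = [n for n in notifications if old_default not in n.label]

    # recreate the defaults for the new owner. The recipients are passed as a
    # list, matching how ``create`` calls create_default_expiration_notifications;
    # the original passed the bare string.
    new_default = "DEFAULT_{0}".format(owner.split('@')[0].upper())
    new_notifications += notification_service.create_default_expiration_notifications(
        new_default, [owner])
    cert.notifications = new_notifications

    database.update_list(cert, 'destinations', Destination, destinations)
    database.update_list(cert, 'replaces', Certificate, replaces)
    cert.owner = owner
    return database.update(cert)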
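def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.

    :param kwargs: ``owner`` is required; ``public_cert``, ``private_key``,
        ``intermediate_cert``, ``name``, ``description``, ``destinations`` and
        ``notifications`` are optional.
    :return: the persisted certificate
    """
    from lemur.notifications import service as notification_service

    # the private key is handed straight to the model; never log it
    cert = Certificate(
        kwargs.get('public_cert'),
        kwargs.get('private_key'),
        kwargs.get('intermediate_cert'),
    )

    # we override the generated name if one is provided
    if kwargs.get('name'):
        cert.name = kwargs['name']

    cert.description = kwargs.get('description')
    cert.owner = kwargs['owner']
    cert = database.create(cert)

    g.user.certificates.append(cert)

    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))

    # create default notifications for this certificate if none are provided.
    # Only assign in that case: the original unconditionally assigned an empty
    # list here, discarding the caller-supplied notifications that
    # update_list had just attached.
    if not kwargs.get('notifications'):
        owner_label = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
        defaults = []
        defaults += notification_service.create_default_expiration_notifications(
            owner_label, [cert.owner])
        # the security team is always copied on expiration notices
        defaults += notification_service.create_default_expiration_notifications(
            'DEFAULT_SECURITY', current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
        cert.notifications = defaults

    database.update(cert)
    return cert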
def create(label, plugin_name, options, description, certificates):
    """
    Create a new notification and associate it with the given certificates.

    :param label: Notification common name
    :param plugin_name: name of the plugin that delivers the notification
    :param options: options stored on the notification (passed through untouched)
    :param description: free-text description
    :param certificates: certificates to associate (handed to ``database.update_list``)
    :rtype : Notification
    :return: the persisted notification
    """
    new_notification = Notification(
        label=label,
        options=options,
        plugin_name=plugin_name,
        description=description,
    )
    linked = database.update_list(new_notification, 'certificates', Certificate, certificates)
    return database.create(linked)
def update(role_id, name, description, users):
    """
    Update a role's name, description and membership.

    :param role_id: id of the role to update
    :param name: new role name
    :param description: new description
    :param users: users to associate (handed to ``database.update_list``)
    :return: the updated role
    """
    target = get(role_id)
    target.name = name
    target.description = description
    target = database.update_list(target, 'users', User, users)
    database.update(target)
    return target
def create(name, password=None, description=None, username=None, users=None):
    """
    Create a new role.

    :param name: role name
    :param password: optional credential stored on the role; it is passed
        through as given, so whether it is hashed is up to ``Role`` -- confirm
        it is not persisted in plaintext
    :param description: optional description
    :param username: optional username stored on the role
    :param users: optional users to associate (handed to ``database.update_list``)
    :return: the persisted role
    """
    new_role = Role(
        name=name,
        description=description,
        username=username,
        password=password,
    )
    # membership is only linked when some users were supplied
    if users:
        new_role = database.update_list(new_role, 'users', User, users)
    return database.create(new_role)
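def update(authority_id, description=None, owner=None, active=None, roles=None):
    """
    Update an authority with new values.

    :param authority_id: id of the authority to update
    :param description: new description (written unconditionally, so ``None``
        clears it)
    :param owner: new owner (written unconditionally, so ``None`` clears it)
    :param active: new active flag; left untouched when ``None``
    :param roles: roles that are allowed to use this authority; left untouched
        when empty
    :return: the updated authority
    """
    authority = get(authority_id)

    if roles:
        authority = database.update_list(authority, 'roles', Role, roles)

    # ``is not None`` rather than truthiness: the original ``if active:`` made
    # it impossible to deactivate an authority, because False was silently
    # ignored and the authority kept issuing.
    if active is not None:
        authority.active = active

    authority.description = description
    authority.owner = owner
    return database.update(authority)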
def update(notification_id, label, options, description, active, certificates):
    """
    Update an existing notification and its certificate associations.

    :param notification_id: id of the notification to update
    :param label: Notification common name
    :param options: options stored on the notification (passed through untouched)
    :param description: free-text description
    :param active: new active flag
    :param certificates: certificates to associate (handed to ``database.update_list``)
    :rtype : Notification
    :return: the updated notification
    """
    target = get(notification_id)
    target.label = label
    target.options = options
    target.description = description
    target.active = active
    target = database.update_list(target, 'certificates', Certificate, certificates)
    return database.update(target)
def update(notification_id, label, options, description, active, certificates):
    """
    Update an existing notification and its certificate associations.

    :param notification_id: id of the notification to update
    :param label: Notification common name
    :param options: options stored on the notification (passed through untouched)
    :param description: free-text description
    :param active: new active flag
    :param certificates: certificates to associate (handed to ``database.update_list``)
    :rtype : Notification
    :return: the updated notification
    """
    target = get(notification_id)
    target.label = label
    target.options = options
    target.description = description
    target.active = active
    target = database.update_list(target, "certificates", Certificate, certificates)
    return database.update(target)
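def update(authority_id, description=None, owner=None, active=None, roles=None):
    """
    Update an authority with new values.

    :param authority_id: id of the authority to update
    :param description: new description (written unconditionally, so ``None``
        clears it)
    :param owner: new owner (written unconditionally, so ``None`` clears it)
    :param active: new active flag; left untouched when ``None``
    :param roles: roles that are allowed to use this authority; left untouched
        when empty
    :rtype : Authority
    :return: the updated authority
    """
    authority = get(authority_id)

    if roles:
        authority = database.update_list(authority, 'roles', Role, roles)

    # ``is not None`` rather than truthiness: the original ``if active:`` made
    # it impossible to deactivate an authority, because False was silently
    # ignored and the authority kept issuing.
    if active is not None:
        authority.active = active

    authority.description = description
    authority.owner = owner
    return database.update(authority)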
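def upload(**kwargs):
    """
    Allows for pre-made certificates to be imported into Lemur.

    :param kwargs: ``owner`` is required; ``public_cert``, ``private_key``,
        ``intermediate_cert``, ``name``, ``description``, ``destinations``,
        ``notifications`` and ``replacements`` are optional.
    :return: the persisted certificate
    """
    from lemur.notifications import service as notification_service

    # the private key is handed straight to the model; never log it
    cert = Certificate(
        kwargs.get('public_cert'),
        kwargs.get('private_key'),
        kwargs.get('intermediate_cert'),
    )

    # we override the generated name if one is provided
    if kwargs.get('name'):
        cert.name = kwargs['name']

    cert.description = kwargs.get('description')
    cert.owner = kwargs['owner']
    cert = database.create(cert)

    g.user.certificates.append(cert)

    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))
    # ``.get`` for consistency with the other two lists, which already rely on
    # update_list accepting None; the original raised KeyError when
    # 'replacements' was absent.
    database.update_list(cert, 'replaces', Certificate, kwargs.get('replacements'))

    # create default notifications for this certificate if none are provided.
    # Only assign in that case: the original unconditionally assigned an empty
    # list here, discarding the caller-supplied notifications that
    # update_list had just attached.
    if not kwargs.get('notifications'):
        owner_label = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
        defaults = []
        defaults += notification_service.create_default_expiration_notifications(
            owner_label, [cert.owner])
        # the security team is always copied on expiration notices
        defaults += notification_service.create_default_expiration_notifications(
            'DEFAULT_SECURITY', current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))
        cert.notifications = defaults

    database.update(cert)
    return cert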
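def create(**kwargs):
    """
    Creates a new certificate.

    Mints the certificate, persists it, attaches it to the requesting user
    (``g.user``), wires up destinations, replaced certificates and
    notifications, then emits a ``certificate_issued`` metric.

    :param kwargs: ``owner`` is required. Optional: ``name`` (overrides the
        generated name), ``description``, and the lists ``destinations``,
        ``replacements`` and ``notifications`` handed to ``database.update_list``.
    :return: the persisted certificate
    """
    from lemur.notifications import service as notification_service

    # mint() also hands back the private key and chain. They are unused here
    # (presumably already attached to ``cert`` by mint() -- confirm) and must
    # never be logged.
    cert, _private_key, _cert_chain = mint(kwargs)
    cert.owner = kwargs['owner']

    # we override the generated name if one is provided
    if kwargs.get('name'):
        cert.name = kwargs['name']

    database.create(cert)

    cert.description = kwargs.get('description')
    g.user.certificates.append(cert)
    database.update(g.user)

    # do this after the certificate has already been created because if it
    # fails to upload to the third party we do not want to lose the
    # certificate information.
    # All three lists use ``.get``: the original mixed ``kwargs[...]`` (KeyError
    # when absent) with the ``kwargs.get('notifications')`` check just below.
    database.update_list(cert, 'destinations', Destination, kwargs.get('destinations'))
    database.update_list(cert, 'replaces', Certificate, kwargs.get('replacements'))
    database.update_list(cert, 'notifications', Notification, kwargs.get('notifications'))

    # create default notifications for this certificate if none are provided.
    # Start from the collection update_list attached so caller-supplied
    # notifications survive.
    notifications = cert.notifications
    if not kwargs.get('notifications'):
        owner_label = "DEFAULT_{0}".format(cert.owner.split('@')[0].upper())
        notifications += notification_service.create_default_expiration_notifications(
            owner_label, [cert.owner])
        # the security team is always copied on expiration notices
        notifications += notification_service.create_default_expiration_notifications(
            'DEFAULT_SECURITY', current_app.config.get('LEMUR_SECURITY_TEAM_EMAIL'))

    cert.notifications = notifications
    database.update(cert)

    metrics.send('certificate_issued', 'counter', 1,
                 metric_tags=dict(owner=cert.owner, issuer=cert.issuer))
    return cert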