def test_import(user):
from lemur.certificates.service import import_certificate
cert = import_certificate(
body=SAN_CERT_STR,
chain=INTERMEDIATE_CERT_STR,
private_key=SAN_CERT_KEY,
creator=user["user"],
)
assert str(cert.not_after) == "2047-12-31T22:00:00+00:00"
assert str(cert.not_before) == "2017-12-31T22:00:00+00:00"
assert cert.issuer == "LemurTrustUnittestsClass1CA2018"
assert cert.name.startswith(
"SAN-san.example.org-LemurTrustUnittestsClass1CA2018-20171231-20471231"
)
cert = import_certificate(
body=SAN_CERT_STR,
chain=INTERMEDIATE_CERT_STR,
private_key=SAN_CERT_KEY,
owner="*****@*****.**",
name="ACustomName2",
creator=user["user"],
)
assert cert.name == "ACustomName2"
def test_import(user):
from lemur.certificates.service import import_certificate
cert = import_certificate(body=INTERNAL_VALID_LONG_STR, chain=INTERNAL_VALID_SAN_STR, private_key=PRIVATE_KEY_STR, creator=user['user'])
assert str(cert.not_after) == '2040-01-01T20:30:52+00:00'
assert str(cert.not_before) == '2015-06-26T20:30:52+00:00'
assert cert.issuer == 'Example'
assert cert.name == 'long.lived.com-Example-20150626-20400101-2'
cert = import_certificate(body=INTERNAL_VALID_LONG_STR, chain=INTERNAL_VALID_SAN_STR, private_key=PRIVATE_KEY_STR, owner='*****@*****.**', name='ACustomName2', creator=user['user'])
assert cert.name == 'ACustomName2'
def test_import(logged_in_user):
from lemur.certificates.service import import_certificate
cert = import_certificate(body=INTERNAL_VALID_LONG_STR, chain=INTERNAL_VALID_SAN_STR, private_key=PRIVATE_KEY_STR)
assert str(cert.not_after) == '2040-01-01 20:30:52'
assert str(cert.not_before) == '2015-06-26 20:30:52'
assert cert.issuer == 'Example'
assert cert.name == 'long.lived.com-Example-20150626-20400101-1'
cert = import_certificate(body=INTERNAL_VALID_LONG_STR, chain=INTERNAL_VALID_SAN_STR, private_key=PRIVATE_KEY_STR, owner='*****@*****.**', name='ACustomName2')
assert cert.name == 'ACustomName2'
def test_import(user):
from lemur.certificates.service import import_certificate
cert = import_certificate(body=SAN_CERT_STR, chain=INTERMEDIATE_CERT_STR, private_key=SAN_CERT_KEY, creator=user['user'])
assert str(cert.not_after) == '2047-12-31T22:00:00+00:00'
assert str(cert.not_before) == '2017-12-31T22:00:00+00:00'
assert cert.issuer == 'LemurTrustUnittestsClass1CA2018'
assert cert.name == 'SAN-san.example.org-LemurTrustUnittestsClass1CA2018-20171231-20471231-AFF2DB4F8D2D4D8E80FA382AE27C2333-2'
cert = import_certificate(body=SAN_CERT_STR, chain=INTERMEDIATE_CERT_STR, private_key=SAN_CERT_KEY, owner='*****@*****.**', name='ACustomName2', creator=user['user'])
assert cert.name == 'ACustomName2'
def create_certificate(pending_certificate, certificate, user):
"""
Create and store a certificate with pending certificate's info
:arg pending_certificate: PendingCertificate which will populate the certificate
:arg certificate: dict from Authority, which contains the body, chain and external id
:arg user: User that called this function, used as 'creator' of the certificate if it does not have an owner
"""
certificate["owner"] = pending_certificate.owner
data, errors = CertificateUploadInputSchema().load(certificate)
if errors:
raise Exception(
"Unable to create certificate: {reasons}".format(reasons=errors))
data.update(vars(pending_certificate))
# Copy relationships, vars doesn't copy this without explicit fields
data["notifications"] = list(pending_certificate.notifications)
data["destinations"] = list(pending_certificate.destinations)
data["sources"] = list(pending_certificate.sources)
data["roles"] = list(pending_certificate.roles)
data["replaces"] = list(pending_certificate.replaces)
data["rotation_policy"] = pending_certificate.rotation_policy
# Replace external id and chain with the one fetched from source
data["external_id"] = certificate["external_id"]
data["chain"] = certificate["chain"]
creator = user_service.get_by_email(pending_certificate.owner)
if not creator:
# Owner of the pending certificate is not the creator, so use the current user who called
# this as the creator (usually lemur)
creator = user
if pending_certificate.rename:
# If generating name from certificate, remove the one from pending certificate
del data["name"]
data["creator"] = creator
cert = certificate_service.import_certificate(**data)
database.update(cert)
metrics.send("certificate_issued",
"counter",
1,
metric_tags=dict(owner=cert.owner, issuer=cert.issuer))
log_service.audit_log(
"certificate_from_pending_certificate", cert.name,
f"Created from the pending certificate {pending_certificate.name}")
log_data = {
"function": "lemur.certificates.service.create",
"owner": cert.owner,
"name": cert.name,
"serial": cert.serial,
"issuer": cert.issuer,
"not_after": cert.not_after.format('YYYY-MM-DD HH:mm:ss'),
"not_before": cert.not_before.format('YYYY-MM-DD HH:mm:ss'),
"sans": cert.san,
}
current_app.logger.info(log_data)
return cert
def test_import(user):
from lemur.certificates.service import import_certificate
cert = import_certificate(body=SAN_CERT_STR,
chain=INTERMEDIATE_CERT_STR,
private_key=SAN_CERT_KEY,
creator=user['user'])
assert str(cert.not_after) == '2047-12-31T22:00:00+00:00'
assert str(cert.not_before) == '2017-12-31T22:00:00+00:00'
assert cert.issuer == 'LemurTrustUnittestsClass1CA2018'
assert cert.name == 'SAN-san.example.org-LemurTrustUnittestsClass1CA2018-20171231-20471231-AFF2DB4F8D2D4D8E80FA382AE27C2333-2'
cert = import_certificate(body=SAN_CERT_STR,
chain=INTERMEDIATE_CERT_STR,
private_key=SAN_CERT_KEY,
owner='*****@*****.**',
name='ACustomName2',
creator=user['user'])
assert cert.name == 'ACustomName2'
def sync_endpoints(source):
new, updated = 0, 0
current_app.logger.debug("Retrieving endpoints from {0}".format(
source.label))
s = plugins.get(source.plugin_name)
try:
endpoints = s.get_endpoints(source.options)
except NotImplementedError:
current_app.logger.warning(
"Unable to sync endpoints for source {0} plugin has not implemented 'get_endpoints'"
.format(source.label))
return
for endpoint in endpoints:
exists = endpoint_service.get_by_dnsname(endpoint['dnsname'])
certificate_name = endpoint.pop('certificate_name', None)
certificate = endpoint.pop('certificate', None)
if certificate_name:
current_app.logger.debug(certificate_name)
cert = cert_service.get_by_name(certificate_name)
elif certificate:
cert = cert_service.get_by_body(certificate['body'])
if not cert:
cert = cert_service.import_certificate(**certificate)
if not cert:
current_app.logger.error(
"Unable to find associated certificate, be sure that certificates are sync'ed before endpoints"
)
continue
endpoint['certificate'] = cert
policy = endpoint.pop('policy')
policy_ciphers = []
for nc in policy['ciphers']:
policy_ciphers.append(
endpoint_service.get_or_create_cipher(name=nc))
policy['ciphers'] = policy_ciphers
endpoint['policy'] = endpoint_service.get_or_create_policy(**policy)
endpoint['source'] = source
if not exists:
endpoint_service.create(**endpoint)
new += 1
else:
endpoint_service.update(exists.id, **endpoint)
updated += 1
_disassociate_endpoints_from_source(endpoints, source)
def certificate_create(certificate, source):
data, errors = CertificateUploadInputSchema().load(certificate)
if errors:
raise Exception(
"Unable to import certificate: {reasons}".format(reasons=errors))
cert = cert_service.import_certificate(**data)
cert.description = "This certificate was automatically discovered by Lemur"
cert.sources.append(source)
sync_update_destination(cert, source)
database.update(cert)
return cert
def create_certificate(pending_certificate, certificate, user):
"""
Create and store a certificate with pending certificate's info
Args:
pending_certificate: PendingCertificate which will populate the certificate
certificate: dict from Authority, which contains the body, chain and external id
user: User that called this function, used as 'creator' of the certificate if it does
not have an owner
"""
# check if the pending_certificate already has been resolved, in that case return
# existing certificate
maybe_resolved_cert = get(pending_certificate.id)
if maybe_resolved_cert and maybe_resolved_cert.resolved and maybe_resolved_cert.resolved_cert_id:
current_app.logger.warning(
"Trying to resolve an already resolved certificate, returning existing resolved certificate"
)
return certificate_service.get(maybe_resolved_cert.resolved_cert_id)
certificate["owner"] = pending_certificate.owner
data, errors = CertificateUploadInputSchema().load(certificate)
if errors:
raise Exception(
"Unable to create certificate: {reasons}".format(reasons=errors))
data.update(vars(pending_certificate))
# Copy relationships, vars doesn't copy this without explicit fields
data["notifications"] = list(pending_certificate.notifications)
data["destinations"] = list(pending_certificate.destinations)
data["sources"] = list(pending_certificate.sources)
data["roles"] = list(pending_certificate.roles)
data["replaces"] = list(pending_certificate.replaces)
data["rotation_policy"] = pending_certificate.rotation_policy
data["authority"] = pending_certificate.authority
# Replace external id and chain with the one fetched from source
data["external_id"] = certificate["external_id"]
data["chain"] = certificate["chain"]
creator = user_service.get_by_email(pending_certificate.owner)
if not creator:
# Owner of the pending certificate is not the creator, so use the current user who called
# this as the creator (usually lemur)
creator = user
if pending_certificate.rename:
# If generating name from certificate, remove the one from pending certificate
del data["name"]
data["creator"] = creator
cert = certificate_service.import_certificate(**data)
database.update(cert)
return cert
def sync_endpoints(source):
new, updated = 0, 0
current_app.logger.debug("Retrieving endpoints from {0}".format(source.label))
s = plugins.get(source.plugin_name)
try:
endpoints = s.get_endpoints(source.options)
except NotImplementedError:
current_app.logger.warning("Unable to sync endpoints for source {0} plugin has not implemented 'get_endpoints'".format(source.label))
return
for endpoint in endpoints:
exists = endpoint_service.get_by_dnsname(endpoint['dnsname'])
certificate_name = endpoint.pop('certificate_name', None)
certificate = endpoint.pop('certificate', None)
if certificate_name:
current_app.logger.debug(certificate_name)
cert = cert_service.get_by_name(certificate_name)
elif certificate:
cert = cert_service.get_by_body(certificate['body'])
if not cert:
cert = cert_service.import_certificate(**certificate)
if not cert:
current_app.logger.error(
"Unable to find associated certificate, be sure that certificates are sync'ed before endpoints")
continue
endpoint['certificate'] = cert
policy = endpoint.pop('policy')
policy_ciphers = []
for nc in policy['ciphers']:
policy_ciphers.append(endpoint_service.get_or_create_cipher(name=nc))
policy['ciphers'] = policy_ciphers
endpoint['policy'] = endpoint_service.get_or_create_policy(**policy)
if not exists:
endpoint_service.create(**endpoint)
new += 1
else:
endpoint_service.update(exists.id, **endpoint)
updated += 1
_disassociate_endpoints_from_source(endpoints, source)
def certificate_create(certificate, source):
data, errors = CertificateUploadInputSchema().load(certificate)
if errors:
raise Exception("Unable to import certificate: {reasons}".format(reasons=errors))
data['creator'] = certificate['creator']
cert = certificate_service.import_certificate(**data)
cert.description = "This certificate was automatically discovered by Lemur"
cert.sources.append(source)
sync_update_destination(cert, source)
database.update(cert)
return cert
def certificate_create(certificate, source):
data, errors = CertificateUploadInputSchema().load(certificate)
if errors:
current_app.logger.error(f"Unable to import certificate: {errors}")
return
data["creator"] = certificate["creator"]
cert = certificate_service.import_certificate(**data)
cert.description = "This certificate was automatically discovered by Lemur"
cert.sources.append(source)
sync_update_destination(cert, source)
database.update(cert)
return cert
def create_certificate(pending_certificate, certificate, user):
"""
Create and store a certificate with pending certificate's info
Args:
pending_certificate: PendingCertificate which will populate the certificate
certificate: dict from Authority, which contains the body, chain and external id
user: User that called this function, used as 'creator' of the certificate if it does
not have an owner
"""
certificate['owner'] = pending_certificate.owner
data, errors = CertificateUploadInputSchema().load(certificate)
if errors:
raise Exception(
"Unable to create certificate: {reasons}".format(reasons=errors))
data.update(vars(pending_certificate))
# Copy relationships, vars doesn't copy this without explicit fields
data['notifications'] = list(pending_certificate.notifications)
data['destinations'] = list(pending_certificate.destinations)
data['sources'] = list(pending_certificate.sources)
data['roles'] = list(pending_certificate.roles)
data['replaces'] = list(pending_certificate.replaces)
data['rotation_policy'] = pending_certificate.rotation_policy
# Replace external id and chain with the one fetched from source
data['external_id'] = certificate['external_id']
data['chain'] = certificate['chain']
creator = user_service.get_by_email(pending_certificate.owner)
if not creator:
# Owner of the pending certificate is not the creator, so use the current user who called
# this as the creator (usually lemur)
creator = user
if pending_certificate.rename:
# If generating name from certificate, remove the one from pending certificate
del data['name']
data['creator'] = creator
cert = certificate_service.import_certificate(**data)
database.update(cert)
return cert
def create_certificate(pending_certificate, certificate, user):
"""
Create and store a certificate with pending certificate's info
Args:
pending_certificate: PendingCertificate which will populate the certificate
certificate: dict from Authority, which contains the body, chain and external id
user: User that called this function, used as 'creator' of the certificate if it does
not have an owner
"""
certificate['owner'] = pending_certificate.owner
data, errors = CertificateUploadInputSchema().load(certificate)
if errors:
raise Exception("Unable to create certificate: {reasons}".format(reasons=errors))
data.update(vars(pending_certificate))
# Copy relationships, vars doesn't copy this without explicit fields
data['notifications'] = list(pending_certificate.notifications)
data['destinations'] = list(pending_certificate.destinations)
data['sources'] = list(pending_certificate.sources)
data['roles'] = list(pending_certificate.roles)
data['replaces'] = list(pending_certificate.replaces)
data['rotation_policy'] = pending_certificate.rotation_policy
# Replace external id and chain with the one fetched from source
data['external_id'] = certificate['external_id']
data['chain'] = certificate['chain']
creator = user_service.get_by_email(pending_certificate.owner)
if not creator:
# Owner of the pending certificate is not the creator, so use the current user who called
# this as the creator (usually lemur)
creator = user
if pending_certificate.rename:
# If generating name from certificate, remove the one from pending certificate
del data['name']
data['creator'] = creator
cert = certificate_service.import_certificate(**data)
database.update(cert)
return cert
def certificate_create(certificate, source):
cert = cert_service.import_certificate(**certificate)
cert.description = "This certificate was automatically discovered by Lemur"
cert.sources.append(source)
sync_update_destination(cert, source)
database.update(cert)
def sync_create(certificate, source):
cert = cert_service.import_certificate(**certificate)
cert.description = "This certificate was automatically discovered by Lemur"
cert.sources.append(source)
sync_update_destination(cert, source)
database.update(cert)
