def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
status = FAILURE_METRIC_STATUS
try:
print("[+] {0} is eligible for re-issuance".format(certificate.name))
# set the lemur identity for all cli commands
identity_changed.send(current_app._get_current_object(), identity=Identity(1))
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
print("[+] New certificate named: {0}".format(new_cert.name))
status = SUCCESS_METRIC_STATUS
except Exception as e:
sentry.captureException()
print(
"[!] Failed to reissue certificates. Reason: {}".format(
e
)
)
metrics.send('certificate_reissue', 'counter', 1, metric_tags={'status': status})
def certificate_reissue():
"""
This celery task reissues certificates which are pending reissue
:return:
"""
function = f"{__name__}.{sys._getframe().f_code.co_name}"
task_id = None
if celery.current_task:
task_id = celery.current_task.request.id
log_data = {
"function": function,
"message": "reissuing certificates",
"task_id": task_id,
}
if task_id and is_task_active(function, task_id, None):
log_data["message"] = "Skipping task: Task is already active"
current_app.logger.debug(log_data)
return
current_app.logger.debug(log_data)
# set the lemur identity
identity_changed.send(current_app._get_current_object(),
identity=Identity(1))
for certificate in certificate_service.get_all_pending_reissue():
log_data["message"] = f"{certificate.name} is eligible for re-issuance"
current_app.logger.info(log_data)
details = certificate_service.get_certificate_primitives(certificate)
details, errors = CertificateOutputSchema().dump(details)
current_app.logger.info(
"Re-issuing certificate",
extra=dict(
certificate={
"common_name":
details["commonName"],
"sans":
",".join(x["value"] for x in details["extensions"]
["subAltNames"]["names"]),
"authority_name":
details["authority"]["name"],
"validity_start":
details["validityStart"],
"validity_end":
details["validityEnd"],
}),
)
new_cert = certificate_service.reissue_certificate(certificate,
replace=True)
log_data["message"] = f"New certificate named:{new_cert.name}"
current_app.logger.info(log_data)
log_data["message"] = "reissuance completed"
current_app.logger.info(log_data)
metrics.send(f"{function}.success", "counter", 1)
return log_data
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
status = FAILURE_METRIC_STATUS
try:
print("[+] {0} is eligible for re-issuance".format(certificate.name))
# set the lemur identity for all cli commands
identity_changed.send(current_app._get_current_object(), identity=Identity(1))
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
print("[+] New certificate named: {0}".format(new_cert.name))
status = SUCCESS_METRIC_STATUS
except Exception as e:
sentry.captureException()
current_app.logger.exception("Error reissuing certificate.", exc_info=True)
print(
"[!] Failed to reissue certificates. Reason: {}".format(
e
)
)
metrics.send('certificate_reissue', 'counter', 1, metric_tags={'status': status})
def test_reissue_certificate(issuer_plugin, crypto_authority, certificate, logged_in_user):
from lemur.certificates.service import reissue_certificate
# test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead.
certificate.authority = crypto_authority
new_cert = reissue_certificate(certificate)
assert new_cert
def test_reissue_certificate(issuer_plugin, crypto_authority, certificate,
logged_in_user):
from lemur.certificates.service import reissue_certificate
# test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead.
certificate.authority = crypto_authority
new_cert = reissue_certificate(certificate)
assert new_cert
def rotate(new_certificate_name, old_certificate_name, commit=False):
from lemur.certificates.service import get_by_name, reissue_certificate, get_certificate_primitives
from lemur.endpoints.service import rotate_certificate
old_cert = get_by_name(old_certificate_name)
if not old_cert:
sys.stdout.write("[-] No certificate found with name: {0}\n".format(
old_certificate_name))
sys.exit(1)
if new_certificate_name:
new_cert = get_by_name(new_certificate_name)
if not new_cert:
sys.stdout.write(
"[-] No certificate found with name: {0}\n".format(
old_certificate_name))
sys.exit(1)
if commit:
sys.stdout.write("[!] Running in COMMIT mode.\n")
if not new_certificate_name:
sys.stdout.write(
"[!] No new certificate provided. Attempting to re-issue old certificate: {0}.\n"
.format(old_certificate_name))
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(old_cert, replace=True)
sys.stdout.write("[+] Issued new certificate named: {0}\n".format(
new_cert.name))
sys.stdout.write("[+] Done! \n")
if len(old_cert.endpoints) > 0:
for endpoint in old_cert.endpoints:
sys.stdout.write(
"[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}\n"
.format(name=endpoint.name,
dnsname=endpoint.dnsname,
port=endpoint.port,
type=endpoint.type))
sys.stdout.write(
"[+] Rotating certificate from: {0} to: {1}\n".format(
old_certificate_name, new_cert.name))
if commit:
rotate_certificate(endpoint, new_cert)
sys.stdout.write("[+] Done! \n")
else:
sys.stdout.write(
"[!] Certificate not found on any existing endpoints. Nothing to rotate.\n"
)
def test_reissue_certificate(
issuer_plugin, crypto_authority, certificate, logged_in_user
):
from lemur.certificates.service import reissue_certificate
from lemur.authorities.service import update_options
from lemur.tests.conf import LEMUR_DEFAULT_ORGANIZATION
# test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead.
certificate.authority = crypto_authority
new_cert = reissue_certificate(certificate)
assert new_cert
assert new_cert.key_type == "RSA2048"
assert new_cert.organization != certificate.organization
# Check for default value since authority does not have cab_compliant option set
assert new_cert.organization == LEMUR_DEFAULT_ORGANIZATION
assert new_cert.description.startswith(f"Reissued by Lemur for cert ID {certificate.id}")
# update cab_compliant option to false for crypto_authority to maintain subject details
update_options(crypto_authority.id, '[{"name": "cab_compliant","value":false}]')
new_cert = reissue_certificate(certificate)
assert new_cert.organization == certificate.organization
def reissue_and_rotate(old_certificate,
new_certificate=None,
commit=False,
message=False):
if not new_certificate:
# we don't want to re-issue if it's already been replaced
if not old_certificate.replaced:
details = get_certificate_primitives(old_certificate)
print_certificate_details(details)
if commit:
new_certificate = reissue_certificate(old_certificate,
replace=True)
print("[+] Issued new certificate named: {0}".format(
new_certificate.name))
time.sleep(10)
print(
"[!] Sleeping to ensure that certificate propagates before rotating."
)
else:
new_certificate = old_certificate
print("[+] Done!")
else:
if len(old_certificate.replaced) > 1:
raise Exception(
"Unable to rotate certificate based on replacement, found more than one!"
)
else:
new_certificate = old_certificate.replaced[0]
print("[!] Certificate has been replaced by: {0}".format(
old_certificate.replaced[0].name))
if len(old_certificate.endpoints) > 0:
for endpoint in old_certificate.endpoints:
print(
"[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}"
.format(name=endpoint.name,
dnsname=endpoint.dnsname,
port=endpoint.port,
type=endpoint.type))
print("[+] Rotating certificate from: {0} to: {1}".format(
old_certificate.name, new_certificate.name))
if commit:
rotate_certificate(endpoint, new_certificate)
print("[+] Done!")
if message:
send_rotation_notification(old_certificate)
def request_reissue(certificate, notify, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param notify:
:param commit:
:return:
"""
status = FAILURE_METRIC_STATUS
notify = notify and certificate.notify
try:
print("[+] {0} is eligible for re-issuance".format(certificate.name))
# set the lemur identity for all cli commands
identity_changed.send(current_app._get_current_object(),
identity=Identity(1))
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate,
notify=notify,
replace=True)
print("[+] New certificate named: {0}".format(new_cert.name))
if notify and isinstance(
new_cert,
Certificate): # let celery handle PendingCertificates
send_reissue_no_endpoints_notification(certificate, new_cert)
status = SUCCESS_METRIC_STATUS
except Exception as e:
capture_exception(extra={"certificate_name": str(certificate.name)})
current_app.logger.exception(
f"Error reissuing certificate: {certificate.name}", exc_info=True)
print(
f"[!] Failed to reissue certificate: {certificate.name}. Reason: {e}"
)
if notify:
send_reissue_failed_notification(certificate)
metrics.send(
"certificate_reissue",
"counter",
1,
metric_tags={
"status": status,
"certificate": certificate.name
},
)
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
metrics.send('certificate_reissue_success', 'counter', 1)
print("[+] New certificate named: {0}".format(new_cert.name))
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
metrics.send('certificate_reissue_success', 'counter', 1)
print("[+] New certificate named: {0}".format(new_cert.name))
def request_reissue(certificate, commit):
"""
Reissuing certificate and handles any exceptions.
:param certificate:
:param commit:
:return:
"""
# set the lemur identity for all cli commands
identity_changed.send(current_app._get_current_object(), identity=Identity(1))
details = get_certificate_primitives(certificate)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(certificate, replace=True)
metrics.send('certificate_reissue_success', 'counter', 1)
print("[+] New certificate named: {0}".format(new_cert.name))
def reissue(old_certificate_name, commit=False):
old_cert = get_by_name(old_certificate_name)
if not old_cert:
print("[-] No certificate found with name: {0}".format(
old_certificate_name))
sys.exit(1)
if commit:
print("[!] Running in COMMIT mode.")
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(old_cert, replace=True)
print("[+] Issued new certificate named: {0}".format(new_cert.name))
print("[+] Done!")
def reissue_and_rotate(old_certificate,
new_certificate=None,
commit=False,
message=False):
if not new_certificate:
# we don't want to re-issue if it's already been replaced
if not old_certificate.replaced:
details = get_certificate_primitives(old_certificate)
print_certificate_details(details)
if commit:
new_certificate = reissue_certificate(old_certificate,
replace=True)
print("[+] Issued new certificate named: {0}".format(
new_certificate.name))
print("[+] Done!")
else:
new_certificate = old_certificate.replaced
print("[!] Certificate has been replaced by: {0}".format(
old_certificate.replaced.name))
if len(old_certificate.endpoints) > 0:
for endpoint in old_certificate.endpoints:
print(
"[+] Certificate deployed on endpoint: name:{name} dnsname:{dnsname} port:{port} type:{type}"
.format(name=endpoint.name,
dnsname=endpoint.dnsname,
port=endpoint.port,
type=endpoint.type))
print("[+] Rotating certificate from: {0} to: {1}".format(
old_certificate.name, new_certificate.name))
if commit:
rotate_certificate(endpoint, new_certificate)
print("[+] Done!")
if message:
send_rotation_notification(old_certificate)
def reissue(old_certificate_name, commit=False):
from lemur.certificates.service import get_by_name, reissue_certificate, get_certificate_primitives
old_cert = get_by_name(old_certificate_name)
if not old_cert:
sys.stdout.write("[-] No certificate found with name: {0}\n".format(
old_certificate_name))
sys.exit(1)
if commit:
sys.stdout.write("[!] Running in COMMIT mode.\n")
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(old_cert, replace=True)
sys.stdout.write("[+] Issued new certificate named: {0}\n".format(
new_cert.name))
sys.stdout.write("[+] Done! \n")
def reissue(old_certificate_name, validity_start, validity_end, commit):
"""
Reissues certificate with the same parameters as it was originally issued with.
If not time period is provided, reissues certificate as valid from today to
today + length of original.
"""
old_cert = get_by_name(old_certificate_name)
if not old_cert:
print("[-] No certificate found with name: {0}".format(
old_certificate_name))
sys.exit(1)
if commit:
print("[!] Running in COMMIT mode.")
details = get_certificate_primitives(old_cert)
print_certificate_details(details)
if commit:
new_cert = reissue_certificate(old_cert, replace=True)
print("[+] Issued new certificate named: {0}".format(new_cert.name))
print("[+] Done!")
def test_reissue_certificate(issuer_plugin, authority, certificate):
from lemur.certificates.service import reissue_certificate
new_cert = reissue_certificate(certificate)
assert new_cert
def test_reissue_certificate(issuer_plugin, authority, certificate):
from lemur.certificates.service import reissue_certificate
new_cert = reissue_certificate(certificate)
assert new_cert
