Merge branch 'enable-coveralls' of github.com:jtschladen/lemur into e…

…nable-coveralls
jtschladen · Feb 12, 2025 · 040d7e9 · 040d7e9
2 parents 2fd5261 + aa071aa
commit 040d7e9
Show file tree

Hide file tree

Showing 8 changed files with 111 additions and 84 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,2 +1,2 @@
 # These owners will be the default owners for everything in the repo.
-*                            @hosseinsh @charhate @jtschladen @douglasc-nflx @jmcrawford45
+*                            @hosssha @charhate @jtschladen @douglasc-nflx @jmcrawford45
diff --git a/docs/administration.rst b/docs/administration.rst
@@ -517,6 +517,15 @@ This needs 2 configurations
         AUTHORITY_TO_DISABLE_ROTATE_OF_DUPLICATE_CERTIFICATES = ["LetsEncrypt"]
 
 
+
+**Certificate re-issuance**
+
+When a cert is reissued (i.e. a new certificate is minted to replace it), *and* the re-issuance either fails or
+succeeds but the certificate has no associated endpoints (meaning the subsequent rotation step will not occur),
+Lemur will send a notification via email to the certificate owner. This notification is disabled by default;
+to enable it, you must set the option ``--notify`` (when using cron) or the configuration parameter
+``ENABLE_REISSUE_NOTIFICATION`` (when using celery).
+
 .. data:: DAYS_SINCE_ISSUANCE_DISABLE_ROTATE_OF_DUPLICATE_CERTIFICATES
     :noindex:
 
@@ -530,13 +539,17 @@ This needs 2 configurations
         DAYS_SINCE_ISSUANCE_DISABLE_ROTATE_OF_DUPLICATE_CERTIFICATES = 7
 
 
-**Certificate re-issuance**
 
-When a cert is reissued (i.e. a new certificate is minted to replace it), *and* the re-issuance either fails or
-succeeds but the certificate has no associated endpoints (meaning the subsequent rotation step will not occur),
-Lemur will send a notification via email to the certificate owner. This notification is disabled by default;
-to enable it, you must set the option ``--notify`` (when using cron) or the configuration parameter
-``ENABLE_REISSUE_NOTIFICATION`` (when using celery).
+.. data:: ROTATE_AUTHORITY_TRANSLATION
+    :noindex:
+
+        Use this config (optional) to migrate from one authority id to another on reissuance (useful for expiring authorities,
+        key migrations, etc).
+
+    ::
+
+        ROTATE_AUTHORITY_TRANSLATION = {1: 2}
+
 
 **Certificate rotation**
 

diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
@@ -986,6 +986,11 @@ def reissue_certificate(certificate, notify=None, replace=None, user=None):
     if replace:
         primitives["replaces"] = [certificate]
 
+    if primitives["authority"].id in current_app.config.get("ROTATE_AUTHORITY_TRANSLATION", {}):
+        primitives["authority"] = database.get(Authority,
+            current_app.config.get("ROTATE_AUTHORITY_TRANSLATION", {})[primitives["authority"].id]
+        )
+
     # Modify description to include the certificate ID being reissued and mention that this is created by Lemur
     # as part of reissue
     reissue_message_prefix = "Reissued by Lemur for cert ID "
@@ -999,15 +1004,6 @@ def reissue_certificate(certificate, notify=None, replace=None, user=None):
     else:
         primitives["description"] = f"{reissue_message_prefix}{certificate.id}"
 
-    # Rotate the certificate to ECCPRIME256V1 if cert owner is present in the configured list
-    # This is a temporary change intending to rotate certificates to ECC, if opted in by certificate owners
-    # Unless identified a use case, this will be removed in mid-Q2 2021
-    ecc_reissue_owner_list = current_app.config.get("ROTATE_TO_ECC_OWNER_LIST", [])
-    ecc_reissue_exclude_cn_list = current_app.config.get("ECC_NON_COMPATIBLE_COMMON_NAMES", [])
-
-    if (certificate.owner in ecc_reissue_owner_list) and (certificate.cn not in ecc_reissue_exclude_cn_list):
-        primitives["key_type"] = "ECCPRIME256V1"
-
     # allow celery to send notifications for PendingCertificates using the old cert
     if notify:
         primitives["async_reissue_notification_cert_id"] = certificate.id

diff --git a/lemur/tests/test_certificates.py b/lemur/tests/test_certificates.py
@@ -1,4 +1,5 @@
 import datetime
+from flask import current_app
 import json
 import ssl
 import threading
@@ -979,6 +980,18 @@ def test_reissue_certificate(
     assert new_cert.organization == certificate.organization
 
 
+def test_reissue_certificate_authority_translation(
+    issuer_plugin, crypto_authority, certificate, logged_in_user, authority
+):
+    from lemur.certificates.service import reissue_certificate
+
+    # test-authority would return a mismatching private key, so use 'cryptography-issuer' plugin instead.
+    certificate.authority = authority
+    current_app.config["ROTATE_AUTHORITY_TRANSLATION"] = {authority.id: crypto_authority.id}
+    new_cert = reissue_certificate(certificate)
+    assert new_cert.authority_id == crypto_authority.id
+
+
 def test_reissue_command_by_name(
         issuer_plugin, crypto_authority, logged_in_user
 ):

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -63,20 +63,20 @@ billiard==4.2.0
     # via
     #   -r requirements-tests.txt
     #   celery
-black==24.10.0
+black==25.1.0
     # via -r requirements-tests.txt
 blinker==1.7.0
     # via
     #   -r requirements-tests.txt
     #   flask
     #   flask-mail
     #   flask-principal
-boto3==1.35.97
+boto3==1.36.17
     # via
     #   -r requirements-tests.txt
     #   aws-sam-translator
     #   moto
-botocore==1.35.97
+botocore==1.36.17
     # via
     #   -r requirements-tests.txt
     #   aws-xray-sdk
@@ -144,9 +144,9 @@ configobj==5.0.9
     # via
     #   -r requirements-tests.txt
     #   certbot
-coverage==7.6.10
+coverage==7.6.11
     # via -r requirements-tests.txt
-cryptography==43.0.3
+cryptography==44.0.0
     # via
     #   -r requirements-tests.txt
     #   acme
@@ -197,13 +197,13 @@ exceptiongroup==1.2.0
     # via
     #   -r requirements-tests.txt
     #   pytest
-factory-boy==3.3.1
+factory-boy==3.3.3
     # via -r requirements-tests.txt
-faker==33.3.1
+faker==35.2.0
     # via
     #   -r requirements-tests.txt
     #   factory-boy
-fakeredis==2.26.1
+fakeredis==2.26.2
     # via -r requirements-tests.txt
 filelock==3.13.3
     # via virtualenv
@@ -225,7 +225,7 @@ flask-bcrypt==1.0.1
     # via -r requirements-tests.txt
 flask-cors==5.0.0
     # via -r requirements-tests.txt
-flask-limiter==3.10.0
+flask-limiter==3.10.1
     # via -r requirements-tests.txt
 flask-mail==0.10.0
     # via -r requirements-tests.txt
@@ -285,6 +285,8 @@ gunicorn==23.0.0
     # via -r requirements-tests.txt
 hvac==2.3.0
     # via -r requirements-tests.txt
+id==1.5.0
+    # via twine
 identify==2.5.35
     # via pre-commit
 idna==3.7
@@ -338,7 +340,7 @@ jmespath==1.0.1
     #   -r requirements-tests.txt
     #   boto3
     #   botocore
-josepy==1.14.0
+josepy==1.15.0
     # via
     #   -r requirements-tests.txt
     #   acme
@@ -445,7 +447,7 @@ multipart==0.2.4
     # via
     #   -r requirements-tests.txt
     #   moto
-mypy==1.14.1
+mypy==1.15.0
     # via -r requirements-tests.txt
 mypy-extensions==1.0.0
     # via
@@ -509,8 +511,6 @@ pbr==6.0.0
     #   stevedore
 pem==23.1.0
     # via -r requirements-tests.txt
-pkginfo==1.10.0
-    # via twine
 platformdirs==4.2.0
     # via
     #   -r requirements-tests.txt
@@ -520,7 +520,7 @@ pluggy==1.5.0
     # via
     #   -r requirements-tests.txt
     #   pytest
-pre-commit==4.0.1
+pre-commit==4.1.0
     # via -r requirements-dev.in
 prompt-toolkit==3.0.43
     # via
@@ -531,7 +531,7 @@ proto-plus==1.23.0
     #   -r requirements-tests.txt
     #   google-api-core
     #   google-cloud-private-ca
-protobuf==4.25.5
+protobuf==4.25.6
     # via
     #   -r requirements-tests.txt
     #   google-api-core
@@ -596,7 +596,7 @@ pynacl==1.5.0
     # via
     #   -r requirements-tests.txt
     #   paramiko
-pyopenssl==24.3.0
+pyopenssl==25.0.0
     # via
     #   -r requirements-tests.txt
     #   acme
@@ -686,6 +686,7 @@ requests==2.32.3
     #   docker
     #   google-api-core
     #   hvac
+    #   id
     #   jsonschema-path
     #   moto
     #   requests-mock
@@ -729,7 +730,7 @@ rsa==4.9
     #   -r requirements-tests.txt
     #   google-auth
     #   python-jose
-s3transfer==0.10.1
+s3transfer==0.11.1
     # via
     #   -r requirements-tests.txt
     #   boto3
@@ -739,7 +740,7 @@ sarif-om==1.0.4
     #   cfn-lint
 secretstorage==3.3.3
     # via keyring
-sentry-sdk==2.19.2
+sentry-sdk==2.20.0
     # via -r requirements-tests.txt
 six==1.17.0
     # via
@@ -783,7 +784,7 @@ tomli==2.0.1
     #   black
     #   mypy
     #   pytest
-twine==6.0.1
+twine==6.1.0
     # via -r requirements-dev.in
 twofish==0.3.0
     # via
@@ -797,13 +798,13 @@ types-deprecated==1.2.15.20241117
     # via -r requirements-tests.txt
 types-paramiko==3.5.0.20240928
     # via -r requirements-tests.txt
-types-protobuf==5.29.1.20241207
+types-protobuf==5.29.1.20250208
     # via -r requirements-tests.txt
 types-pyopenssl==24.1.0.20240722
     # via
     #   -r requirements-tests.txt
     #   types-redis
-types-pyrfc3339==1.1.1.5
+types-pyrfc3339==2.0.1.20241107
     # via -r requirements-tests.txt
 types-python-dateutil==2.9.0.20240316
     # via
@@ -815,7 +816,7 @@ types-redis==4.6.0.20241004
     # via -r requirements-tests.txt
 types-requests==2.31.0.6
     # via -r requirements-tests.txt
-types-setuptools==75.6.0.20241223
+types-setuptools==75.8.0.20250210
     # via
     #   -r requirements-tests.txt
     #   types-cffi
@@ -841,6 +842,7 @@ typing-extensions==4.11.0
     #   mypy
     #   pydantic
     #   pydantic-core
+    #   pyopenssl
 tzdata==2024.1
     # via
     #   -r requirements-tests.txt