netflix / lemur
Repository for the Lemur Certificate Manager
License: Apache License 2.0
We should allow owners to edit or transfer ownership of a given certificate. This ability should be limited to certificate owners and administrators.
Lemur should be able to filter by and track certificate signing signatures (sha1 vs sha2) to help with sha1 remediation.
Current authority type is buried a bit too deeply, we should move it to the first pane of authority creation. This would also allow us to validate the allowable date range of the subca, similar logic that is applied to leaf certificates.
Lemur should be able to filter multiple columns at the same time with an implicit AND.
What is the process for rotating the encryption key used with Lemur? Let's say I accidentally copy it into an IRC chat. What are my next steps?
If there isn't any tooling built-in to help with this, I think it would be a great thing to have. I haven't done much research into the best way to do it, but a good starting point might be: https://cryptography.io/en/latest/fernet/#cryptography.fernet.MultiFernet
It might make sense to look into this at the same time as issue #117 is being addressed.
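As an added example of the MultiFernet-based rotation suggested above (this is not Lemur's code and not from the issue author): the in-memory "table" of encrypted rows, the key names and the helper functions are constructed for illustration, and the block assumes the `cryptography` package is installed.

```python
# Added example (not Lemur's code): rotating a Fernet key over a column of
# encrypted values with cryptography.fernet.MultiFernet.
# Assumes the `cryptography` package is installed.
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def encrypt_rows(key: bytes, plaintexts):
    """Encrypt each value under a single key, as an encrypted column would."""
    f = Fernet(key)
    return [f.encrypt(p) for p in plaintexts]


def rotate_rows(old_key: bytes, new_key: bytes, tokens):
    """Re-encrypt every token under new_key.

    MultiFernet tries keys in order when decrypting, and rotate() always
    re-encrypts with the first key, so new_key must come first.  Each token
    is HMAC-verified before re-encryption; a token that was tampered with or
    encrypted under a key not in the list raises InvalidToken, which is left
    to propagate so a bad row stops the migration instead of being dropped.
    """
    mf = MultiFernet([Fernet(new_key), Fernet(old_key)])
    return [mf.rotate(t) for t in tokens]


def can_decrypt(key: bytes, tokens) -> bool:
    """True if every token decrypts under this single key."""
    f = Fernet(key)
    try:
        for t in tokens:
            f.decrypt(t)
    except InvalidToken:
        return False
    return True


def demo():
    # Constructed sample data standing in for the encrypted column.
    secrets = [
        b"-----BEGIN PRIVATE KEY-----\n(constructed sample)\n-----END PRIVATE KEY-----\n",
        b"another constructed value",
    ]
    leaked_key = Fernet.generate_key()   # the key that must be retired
    fresh_key = Fernet.generate_key()    # its replacement

    rows = encrypt_rows(leaked_key, secrets)
    rotated = rotate_rows(leaked_key, fresh_key, rows)

    return {
        # The retired key should no longer open any row ...
        "old_key_still_works": can_decrypt(leaked_key, rotated),
        # ... the new key opens all of them ...
        "new_key_works": can_decrypt(fresh_key, rotated),
        # ... and the stored plaintexts are unchanged.
        "plaintext_preserved": [Fernet(fresh_key).decrypt(t) for t in rotated] == secrets,
    }


if __name__ == "__main__":
    print(demo())
```

During the rewrite the application has to be configured with both keys in that order (new first), and the old key is removed from the configuration only after every row has been rewritten; until then a row that was missed is still readable with the compromised key.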
The new architecture should support the loading of various kinds of plugins:
It looks like a 64 character limit.
Is it possible to delete (not just deactivate) an imported certificate? I can't find any way to do it, and can't find anything about it in the documentation.
The current lemur_email notification system only supports ses or smtp. Mandrill is a popular transactional mail service (built by the guys that make mailchimp).
Adding support for Mandrill would be a nice addition. I have started development on a mandrill plugin (t0xiccode/lemur_mandrill), but rolling this functionality into the "core" lemur_email plugin would make it easier to get started for organisations using it for emails.
Right now it can be quite confusing to go between "Authority" and what that authority's public certificate actually is. It might make sense to display the public certificate of the authority on the authority page to reduce confusion about the chain.
Currently error messages are displayed for only a period of time. They should be displayed until the user acknowledges the error.
Can we have a Vagrant based installation in addition to Docker?
We currently store our certificates in PEM format. It would be nice if we could support output plugins.
The first output plugin I would expect to create is for Java trust and key stores.
Currently the form validation is such that as long as there is a value in the 'Certificate Authority' field it is considered valid. We should ensure that the user actually selected a 'Certificate Authority' object before allowing them to submit the form.
Additionally the API should include more validation and messages around requests submitted without a valid authority.
There should be an ability to stop receiving expiration notifications on a certificate by certificate basis. Currently marking the certificate as 'in-active' is the only way to suppress notifications and may not fit all use cases.
Currently authority details are not very detailed.
We should add:
Display owning DL and provide use based on if the user has the owning team DL
Should allow the owner to be edited
Lemur should construct permalinks to certificates such that they can be shared via email or IM and the certificate would be immediately viewable in the UI instead of asking the receiver to search for the certificate name.
Lemur currently only allows a user to choose a destination during the creation process. There should be a way to allow a user to upload a certificate to an arbitrary number of destinations after it has been created.
This would be useful in two scenarios:
Flask restful will be deprecating reqparse in favor of marshmallow
http://marshmallow.readthedocs.org/en/latest/
When creating a new certificate, we are often replacing old certificates. Lemur should have the ability to specify the ID of the certificate being replaced (if any). This would allow us to mark the old certificate as 'inactive' and silence the notifications for it.
It might be interesting to write a lemur plugin to talk to cloudflare's PKI toolkit:
https://github.com/cloudflare/cfssl
Lemur should attempt to see if a role exists for the owning team email, if it does it should allow any user with that role to have owner permission.
All private key views should be audited and viewable.
Currently there is no certificate approval process within Lemur. I would propose this feature be added in such a way that allows an administrator to mark a given domain as 'sensitive'.
When a certificate is requested and contains a domain that is marked as 'sensitive' it should not be issued and instead be marked with a status of 'pending'. This could possibly send an email notification to admins to 'approve' the certificate.
Once marked as 'approved' by an administrator or a user with a special permission (maybe an approver role?), we should issue the original request and notify the user.
These sensitive domains should be configurable in the Lemur configuration file or eventually in the UI. These should be simple regexes such that we can loosely match various levels of domains.
This would allow us to mark test.example.com as sensitive but allow myapp.test.example.com to be issued.
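An added example (not Lemur's code and not from the issue author) of the regex-based sensitive-domain check described above. It shows the one detail that decides whether myapp.test.example.com is allowed while test.example.com is held: the pattern must be anchored and its dots escaped. The `SENSITIVE_DOMAINS` setting name, the sample patterns and the status strings are assumptions for illustration; the page only says the patterns should be configurable.

```python
import re
from typing import Iterable, List

# Constructed stand-in for a SENSITIVE_DOMAINS entry in lemur.conf.py
# (hypothetical setting name).  Dots are escaped and the patterns are
# applied with fullmatch() below, so "test\.example\.com" covers exactly
# that name and not "myapp.test.example.com" or "testXexample.com".
SENSITIVE_DOMAINS: List[str] = [
    r"test\.example\.com",
    r"[^.]+\.prod\.example\.com",   # any single label directly under prod
]

_COMPILED = [re.compile(p, re.IGNORECASE) for p in SENSITIVE_DOMAINS]


def naive_is_sensitive(name: str) -> bool:
    """The mistake to avoid: unescaped, unanchored search.

    'test.example.com' used as a bare search() pattern also matches any
    longer name that contains it, and '.' matches any character.
    """
    return any(re.search(p.replace(r"\.", "."), name) for p in SENSITIVE_DOMAINS)


def is_sensitive(name: str) -> bool:
    """Anchored match of the whole DNS name against the configured patterns."""
    return any(rx.fullmatch(name) for rx in _COMPILED)


def issuance_status(common_name: str, sans: Iterable[str]) -> str:
    """'pending' if any requested name is sensitive, otherwise 'issued'.

    Every subject alternative name is checked, not only the CN, because the
    certificate will be valid for all of them.
    """
    names = [common_name, *sans]
    return "pending" if any(is_sensitive(n) for n in names) else "issued"


if __name__ == "__main__":
    for n in ("test.example.com", "myapp.test.example.com", "api.prod.example.com"):
        print(n, "naive:", naive_is_sensitive(n), "anchored:", is_sensitive(n))
    print(issuance_status("myapp.example.com", ["test.example.com"]))
```

`naive_is_sensitive` is kept only to show the failure mode: with it, myapp.test.example.com would also be held for approval, which is the opposite of what the issue asks for.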
Lemur should not have Netflix-specific distinguished name defaults in the UI; these should be customizable.
We could do this by:
Providing an endpoint that would read a configuration file such that angular can correctly fill in the default fields.
or
As a build/deploy step ask for these defaults and include them in the javascript.
It would be useful, when uploading to a destination, to display a unique identifier for that certificate so it can be found in the corresponding destination.
For instance when uploading a certificate to AWS we would be able to generate the ARN for any given certificate by combining the AWS account id with the certificate name.
This would most likely be added to the plugin destination interface with a unique_identifier property.
Alternatively this could be defined just in the front end as a plugin option that would simply render the unique identifier in javascript.
If the unique identifier cannot be derived we will need to think about how that extra metadata could be stored.
I have set up lemur using lemur-docker and can't get it to create a certificate.
The error returned is:
{"message": "'NoneType' object has no attribute 'owner'"}
I also built it from source myself and had the same error.
The http request sent was:
Request:
curl 'https://app1.example.com/api/1/certificates'
-X POST
-H 'Pragma: no-cache' -H 'Origin: https://app1.example.com'
-H 'Accept-Encoding: gzip, deflate'
-H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8'
-H 'Accept: application/json, text/plain, */*'
-H 'Cache-Control: no-cache'
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0NDMwOTI1NTcsInN1YiI6MSwiZXhwIjoxNDQzMTc4OTU3fQ.o8qZ28o383YMwVCywRxTNxYTPhFDu-kHHX7yM3qDFq4'
-H 'Cookie: session=eyJpZGVudGl0eS5hdXRoX3R5cGUiOm51bGwsImlkZW50aXR5LmlkIjoxfQ.COTCBQ.0VA8yUn1KoIoNzlKSJvmXyo8TBo'
-H 'Connection: keep-alive'
-H 'Referer: https://app1.example.com/'
--data-binary '{"country":"","state":"","location":"","organization":"","organizationalUnit":"","owner":"fsdf@sadas","description":"sadsadsa","selectedAuthority":"dsadasdsad","commonName":"asdsa","extensions":{"subAltNames":{"names":[]}},"subAltType":null,"subAltValue":null}' --compressed
Response:
{"message": "'NoneType' object has no attribute 'owner'"}
Any help would be appreciated, lemur looks really cool and I would like to try it out.
Tim
We cannot currently create the default lemur.conf.py with the lemur create_config
command. This is because flask script expects that a config be available before it will run any of the commands. Unfortunately this means that our command to create a config fails because of a deadlock.
I think there might be a way to defer the creation of 'create_app' such that the configuration file is not required to be there upon instantiation.
Currently destination plugins only upload certificates to their new destinations. When a user disassociates a certificate from a destination the plugin should attempt to remove that certificate from the destination in order to keep them in sync.
When passing configuration files to the child gunicorn workers the '-c' configuration flag is not correctly passed to the flask app.
Currently we can only pass the app configuration via env variable or by placing our config in the default location ~/.lemur/lemur.conf.py
If you create a Root CA, a Sub CA, and a Leaf CA, and look up their certificates, you will see that the chain information presented by lemur of a CA is incomplete.
The Root CA has no chain, which is of course correct.
The Sub CA has no chain.
The Leaf CA has the Sub CA in its chain.
There is some Netflix-specific code in the SSO flow that should be generalized.
2015-08-26 20:33:36,751 ERROR: 'NoneType' object has no attribute 'name' [in /apps/lemur/lemur/common/utils.py:60]
Traceback (most recent call last):
File "/apps/lemur/lemur/common/utils.py", line 46, in wrapper
resp = f(*args, **kwargs)
File "/apps/lemur/lemur/certificates/views.py", line 575, in put
permission = UpdateCertificatePermission(certificate_id, role.name)
AttributeError: 'NoneType' object has no attribute 'name'
2015-08-26 20:34:08,236 ERROR: 'NoneType' object has no attribute 'name' [in /apps/lemur/lemur/common/utils.py:60]
Traceback (most recent call last):
File "/apps/lemur/lemur/common/utils.py", line 46, in wrapper
resp = f(*args, **kwargs)
File "/apps/lemur/lemur/certificates/views.py", line 575, in put
permission = UpdateCertificatePermission(certificate_id, role.name)
AttributeError: 'NoneType' object has no attribute 'name'
2015-08-26 20:37:19,147 ERROR: 'NoneType' object has no attribute 'name' [in /apps/lemur/lemur/common/utils.py:60]
Traceback (most recent call last):
File "/apps/lemur/lemur/common/utils.py", line 46, in wrapper
resp = f(*args, **kwargs)
File "/apps/lemur/lemur/certificates/views.py", line 575, in put
permission = UpdateCertificatePermission(certificate_id, role.name)
AttributeError: 'NoneType' object has no attribute 'name'
If a user enters an owner that has no associated role with it, they are unable to edit the owner.
The verisign plugin should be able to poll the verisign API for all issued certificates and ensure that Lemur knows about them.
Plugins are duplicated in the authority dropdown.
With #123 in place, we will need a script to be able to move from the older style sqlalchemy_utils encrypted column to the new fernet encrypted column.
This will be handled via an alembic migration that will create an intermediate table such that we can convert between the new encryption scheme and the old scheme. New deployments should not have to undergo this migration.
Currently the owner, creator and security team (de-duplicated) will receive notifications about expiring certificates. We should allow certificate owners and administrators the ability to add any number of recipients to receive these notifications.
If you create a root CA, and look up the certificate for that CA its description is:
This is the ROOT certificate for the $CN certificate authority.
If you create a subCA off of that rootCA, and look up the certificate for that SubCA its description is:
This is the ROOT certificate for the $CN certificate authority
This would provide the ability to zero in on a user (or group). Should also include a shortcut or checkbox for a user to view only their certificates. This would include any certificate directly created by them as well as any certificates they own transitively through group membership.
There are use cases where a third party may issue a CSR on your behalf (retaining the private key). It would be helpful to allow Lemur to be able to act as a 'pass through' and issue this certificate directly. This would also be helpful in the case the UI does not support a particular option or extension and could be generated manually.
The IV is static per key at least. Lemur is using sqlalchemy_utils to encrypt certificates. This in turn
encrypts with AES in CBC mode.
https://github.com/kvesteri/sqlalchemy-utils/blob/master/sqlalchemy_utils/types/encrypted.py#L56
Given a single key, it will use the SHA256 hash of that key for all encryption. It looks like it will use the first 16 bytes of that hash as the IV for each operation.
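An added example (not sqlalchemy_utils' or Lemur's code) that reproduces the derivation described above, SHA-256 of the configured key as the AES key and its first 16 bytes as the IV, to show why a fixed IV is a problem and why the move to Fernet (issue #123 above) matters: with the same key and IV, equal plaintexts and equal plaintext prefixes give equal ciphertexts, whereas Fernet draws a fresh IV per token. PKCS7 padding, the sample secret and the sample plaintexts are assumptions; the library's own padding scheme is not reproduced. Assumes the `cryptography` package.

```python
import hashlib
from cryptography.fernet import Fernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def derive_key_and_iv(secret: bytes):
    """Key/IV derivation as described on the page: SHA-256 of the secret is
    the AES-256 key and its first 16 bytes are the IV, fixed per key."""
    key = hashlib.sha256(secret).digest()
    return key, key[:16]


def static_iv_encrypt(secret: bytes, plaintext: bytes) -> bytes:
    """AES-CBC with the fixed IV.  PKCS7 padding is an assumption here."""
    key, iv = derive_key_and_iv(secret)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
    return enc.update(padded) + enc.finalize()


def static_iv_decrypt(secret: bytes, ciphertext: bytes) -> bytes:
    key, iv = derive_key_and_iv(secret)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def demo():
    # Constructed sample values.
    secret = b"constructed-lemur-encryption-key"
    pem_a = b"-----BEGIN RSA PRIVATE KEY-----\nconstructed body A\n"
    pem_b = b"-----BEGIN RSA PRIVATE KEY-----\nconstructed body B\n"  # same 32-byte prefix

    c1 = static_iv_encrypt(secret, pem_a)
    c2 = static_iv_encrypt(secret, pem_a)
    c3 = static_iv_encrypt(secret, pem_b)

    fk = Fernet.generate_key()
    f1 = Fernet(fk).encrypt(pem_a)
    f2 = Fernet(fk).encrypt(pem_a)

    return {
        # Same key, same IV, same plaintext: identical stored ciphertext, so
        # an observer of the column can tell which rows hold the same value.
        "static_iv_deterministic": c1 == c2,
        # CBC chains from the IV, so a shared plaintext prefix (here the PEM
        # header block) shows up as a shared ciphertext prefix too.
        "static_iv_leaks_prefix": c1[:16] == c3[:16],
        # Fernet prepends a random IV, so re-encrypting gives a new token.
        "fernet_deterministic": f1 == f2,
        "roundtrip_ok": static_iv_decrypt(secret, c1) == pem_a,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for the migration is that rows encrypted under the old scheme should be decrypted and rewritten as Fernet tokens rather than kept side by side indefinitely, since the old column format keeps leaking equality and prefix information for as long as it exists.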
There are currently a few ugly sys calls to various OpenSSL commands (e.g. creating CSRs). With the newest version of cryptography (1.0) we should be able to remove these and use standard library calls instead.
Lemur notifies users about certificate expiration 30, 15, 10, 5, 1 days before expiration. We should allow users to configure this interval.