Merge branch 'master' into hosseinsh-changelog-1.3.0

Netflix · Feb 13, 2023 · 599bc54 · 599bc54
2 parents 9969bc5 + 12a1c5d
commit 599bc54
Show file tree

Hide file tree

Showing 10 changed files with 105 additions and 20 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,12 +1,16 @@
 Changelog
 =========
 
+Unreleased
+~~~~~~~~~~~~~~~~~~~~
+
+
 1.3.0 - `2023-02-13`
 ~~~~~~~~~~~~~~~~~~~~
 This release contains many dependency updates, and numerous added or improved features over the last year.
 
 Some of the notable changes in this release are:
-
+- Removal of AWS S3 destinations and the respetive resources via the UI
 - No fine-grained authz for role global_cert_issuer
 - De-activate endpoint (Entrust Plugin)
 - Remove unsafe paginate method and replace with sort_and_page

diff --git a/lemur/certificates/views.py b/lemur/certificates/views.py
@@ -520,8 +520,8 @@ def post(self, data=None):
         data["creator"] = g.user
         # allowed_issuance_for_domain throws UnauthorizedError if caller is not authorized
         try:
-            # unless admin, perform fine grained authorization
-            if not g.user.is_admin and not data["authority"].is_private_authority:
+            # unless admin or global_cert_issuer, perform fine grained authorization
+            if not g.user.is_admin_or_global_cert_issuer and not data["authority"].is_private_authority:
                 service.allowed_issuance_for_domain(data["common_name"], data["extensions"])
         except UnauthorizedError as e:
             return dict(message=str(e)), 403

diff --git a/lemur/manage.py b/lemur/manage.py
@@ -225,6 +225,17 @@ def run(self, password):
             )
             sys.stdout.write("[+] Created 'operator' role\n")
 
+        global_cert_issuer_role = role_service.get_by_name("global_cert_issuer")
+
+        if global_cert_issuer_role:
+            sys.stdout.write("[-] global_cert_issuer role already created, skipping...!\n")
+        else:
+            # we create a global_cert_issuer role
+            global_cert_issuer_role = role_service.create(
+                "global_cert_issuer", description="This is the Lemur global_cert_issuer role."
+            )
+            sys.stdout.write("[+] Created 'global_cert_issuer' role\n")
+
         read_only_role = role_service.get_by_name("read-only")
 
         if read_only_role:

diff --git a/lemur/plugins/lemur_aws/plugin.py b/lemur/plugins/lemur_aws/plugin.py
@@ -32,7 +32,7 @@
 .. moduleauthor:: Mikhail Khodorovskiy <[email protected]>
 .. moduleauthor:: Harm Weites <[email protected]>
 """
-
+from os.path import join
 import sys
 from acme.errors import ClientError
 from flask import current_app
@@ -591,9 +591,7 @@ def upload(self, name, body, private_key, chain, options, **kwargs):
             s3.put(
                 self.get_option("bucket", options),
                 self.get_option("region", options),
-                "{prefix}/{name}.{extension}".format(
-                    prefix=self.get_option("prefix", options), name=name, extension=ext
-                ),
+                join(self.get_option("prefix", options), f"{name}.{ext}"),
                 data,
                 self.get_option("encrypt", options),
                 account_number=self.get_option("accountNumber", options),
@@ -669,6 +667,12 @@ def delete_acme_token(self, token_path, options, **kwargs):
                                                                "filename": filename})
         return response
 
+    def clean(self, certificate, options, **kwargs):
+        prefix = self.get_option("prefix", options)
+        s3.delete(bucket_name=self.get_option("bucket", options),
+                  prefixed_object_name=join(prefix, f"{certificate.name}.pem"),
+                  account_number=self.get_option("accountNumber", options))
+
 
 class SNSNotificationPlugin(ExpirationNotificationPlugin):
     title = "AWS SNS"

diff --git a/lemur/plugins/lemur_aws/tests/test_plugin.py b/lemur/plugins/lemur_aws/tests/test_plugin.py
@@ -1,3 +1,5 @@
+from collections import namedtuple
+from os.path import join
 import boto3
 from moto import mock_sts, mock_s3, mock_ec2, mock_elb, mock_elbv2, mock_acm
 
@@ -9,6 +11,58 @@ def test_get_certificates(app):
     assert p
 
 
+@mock_sts()
+@mock_s3()
+def test_clean(app):
+    from lemur.common.utils import check_validation
+    from lemur.plugins.base import plugins
+
+    bucket = "public-bucket"
+    account = "123456789012"
+    prefix = "some-path/more-path/"
+
+    additional_options = [
+        {
+            "name": "bucket",
+            "value": bucket,
+            "type": "str",
+            "required": True,
+            "validation": check_validation(r"[0-9a-z.-]{3,63}"),
+            "helpMessage": "Must be a valid S3 bucket name!",
+        },
+        {
+            "name": "accountNumber",
+            "type": "str",
+            "value": account,
+            "required": True,
+            "validation": check_validation(r"[0-9]{12}"),
+            "helpMessage": "A valid AWS account number with permission to access S3",
+        },
+        {
+            "name": "prefix",
+            "type": "str",
+            "value": prefix,
+            "required": False,
+            "helpMessage": "Must be a valid S3 object prefix!",
+        },
+    ]
+
+    s3_client = boto3.client('s3')
+    s3_client.create_bucket(Bucket=bucket)
+
+    p = plugins.get("aws-s3")
+    Certificate = namedtuple("Certificate", ["name"])
+    certificate = Certificate(name="certificate")
+    s3_client.put_object(
+        Bucket=bucket,
+        Body="PEM_DATA",
+        Key=join(prefix, f"{certificate.name}.pem"),
+    )
+    assert s3_client.list_objects(Bucket=bucket)["Contents"]
+    p.clean(certificate, additional_options)
+    assert "Contents" not in s3_client.list_objects(Bucket=bucket)
+
+
 @mock_sts()
 @mock_s3()
 def test_upload_acme_token(app):

diff --git a/lemur/static/app/angular/certificates/certificate/destinations.tpl.html b/lemur/static/app/angular/certificates/certificate/destinations.tpl.html
@@ -21,7 +21,7 @@
                 <td><a class="btn btn-sm btn-info" href="#/destinations/{{ destination.id }}/certificates">{{ destination.label }}</a></td>
                 <td><span class="text-muted">{{ destination.description }}</span></td>
                 <td>
-                    <button type="button" ng-click="certificate.removeDestination($index)" class="btn btn-danger btn-sm pull-right">Remove</button>
+                    <button type="button" ng-click="certificate.removeDestination($index)" confirm-click="Proceed to delete certificate resources in {{ destination.label }}?" class="btn btn-danger btn-sm pull-right">Remove</button>
                 </td>
             </tr>
         </table>

diff --git a/lemur/users/models.py b/lemur/users/models.py
@@ -92,6 +92,18 @@ def is_admin(self):
             if role.name == "admin":
                 return True
 
+    @property
+    def is_admin_or_global_cert_issuer(self):
+        """
+        Determine if the current user is a global cert issuer. The user has either 'admin' or 'global_cert_issuer' role
+        associated with them.
+
+        :return:
+        """
+        for role in self.roles:
+            if role.name == "admin" or role.name == "global_cert_issuer":
+                return True
+
     def __repr__(self):
         return "User(username={username})".format(username=self.username)
 

diff --git a/requirements-docs.txt b/requirements-docs.txt
@@ -59,13 +59,13 @@ blinker==1.4
     # via
     #   flask-mail
     #   flask-principal
-boto3==1.26.64
+boto3==1.26.69
     # via
     #   -r requirements-docs.in
     #   -r requirements-tests.txt
     #   aws-sam-translator
     #   moto
-botocore==1.29.64
+botocore==1.29.69
     # via
     #   -r requirements-docs.in
     #   -r requirements-tests.txt
@@ -165,11 +165,11 @@ ecdsa==0.17.0
     #   sshpubkeys
 factory-boy==3.2.1
     # via -r requirements-tests.txt
-faker==16.6.1
+faker==17.0.0
     # via
     #   -r requirements-tests.txt
     #   factory-boy
-fakeredis==2.7.1
+fakeredis==2.8.0
     # via -r requirements-tests.txt
 flask==1.1.2
     # via
@@ -549,7 +549,7 @@ sqlalchemy==1.3.24
     #   flask-sqlalchemy
     #   marshmallow-sqlalchemy
     #   sqlalchemy-utils
-sqlalchemy-utils==0.39.0
+sqlalchemy-utils==0.40.0
     # via -r requirements-docs.in
 sshpubkeys==3.3.1
     # via

diff --git a/requirements-tests.txt b/requirements-tests.txt
@@ -24,11 +24,11 @@ bandit==1.7.4
     # via -r requirements-tests.in
 black==23.1.0
     # via -r requirements-tests.in
-boto3==1.26.64
+boto3==1.26.69
     # via
     #   aws-sam-translator
     #   moto
-botocore==1.29.64
+botocore==1.29.69
     # via
     #   aws-xray-sdk
     #   boto3
@@ -74,11 +74,11 @@ ecdsa==0.17.0
     #   sshpubkeys
 factory-boy==3.2.1
     # via -r requirements-tests.in
-faker==16.6.1
+faker==17.0.0
     # via
     #   -r requirements-tests.in
     #   factory-boy
-fakeredis==2.7.1
+fakeredis==2.8.0
     # via -r requirements-tests.in
 flask==1.1.2
     # via

diff --git a/requirements.txt b/requirements.txt
@@ -36,9 +36,9 @@ blinker==1.4
     # via
     #   flask-mail
     #   flask-principal
-boto3==1.26.64
+boto3==1.26.69
     # via -r requirements.in
-botocore==1.29.64
+botocore==1.29.69
     # via
     #   -r requirements.in
     #   boto3
@@ -276,7 +276,7 @@ sqlalchemy==1.3.24
     #   flask-sqlalchemy
     #   marshmallow-sqlalchemy
     #   sqlalchemy-utils
-sqlalchemy-utils==0.39.0
+sqlalchemy-utils==0.40.0
     # via -r requirements.in
 tabulate==0.9.0
     # via -r requirements.in