authorities Package
models Module
- class lemur.authorities.models.Authority(**kwargs)
Bases:
Model
- active
- authority_certificate
- authority_pending_certificate
- body
- certificates
- chain
- date_created
- property default_validity_days
- description
- id
- property is_cab_compliant
Parses the options to find whether the authority is CA/Browser Forum compliant, i.e., adhering to the CA/Browser Forum Baseline Requirements. Returns None if the option is not available.
- property is_cn_optional
Parses the options to find whether the common name is treated as an optional field. Returns False if the option is not available.
- property is_private_authority
Tells whether the authority is private/internal, i.e., not publicly trusted. If the plugin is listed in LEMUR_PRIVATE_AUTHORITY_PLUGIN_NAMES, the authority is treated as private.
- Returns:
True if private, False otherwise
- property max_issuance_days
- name
- options
- owner
- pending_certificates
- property plugin
- plugin_name
- roles
- user_id
service Module
- lemur.authorities.service.create(**kwargs)
Creates a new authority.
- lemur.authorities.service.create_authority_roles(roles, owner, plugin_title, creator)
Creates all of the necessary authority roles.
- Parameters:
roles –
creator –
- Returns:
- lemur.authorities.service.get(authority_id)
Retrieves an authority given its ID.
- Parameters:
authority_id –
- Returns:
- lemur.authorities.service.get_all()
Gets all authorities that are currently in Lemur.
- Returns:
List
- lemur.authorities.service.get_authorities_by_name(authority_names)
Retrieves authorities given their names.
- Parameters:
authority_names – list with authority names to match
- Returns:
- lemur.authorities.service.get_authority_role(ca_name, creator=None)
Attempts to get the authority role for a given CA, using current_user as the basis for doing so.
- Parameters:
ca_name –
- lemur.authorities.service.get_by_name(authority_name)
Retrieves an authority given its name.
- Parameters:
authority_name –
- Returns:
- lemur.authorities.service.mint(**kwargs)
Creates the authority based on the plugin provided.
- lemur.authorities.service.render(args)
Helper that renders the REST API responses.
- Parameters:
args –
- Returns:
- lemur.authorities.service.update(authority_id, description, owner, active, roles, options: str | None = None)
Update an authority with new values.
- Parameters:
authority_id –
roles – roles that are allowed to use this authority
- Returns:
- lemur.authorities.service.update_options(authority_id, options)
Update an authority with new options.
- Parameters:
authority_id –
options – the new options to be saved into the authority
- Returns:
views Module
- class lemur.authorities.views.Authorities
Bases:
AuthenticatedResource
- endpoint = 'authority'
- get(authority_id)
- GET /authorities/1
One authority
Example request:

```http
GET /authorities/1 HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
```

Example response:

```http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "roles": [
    {"id": 123, "name": "secure@example.com"},
    {"id": 564, "name": "TestAuthority_admin"},
    {"id": 565, "name": "TestAuthority_operator"}
  ],
  "active": true,
  "owner": "secure@example.com",
  "id": 43,
  "description": "This is the ROOT certificate for the TestAuthority certificate authority."
}
```
- Parameters:
description – a sensible description of what the CA will be used for
owner – the team or person who ‘owns’ this authority
active – sets whether this authority is currently in use
- Request Headers:
Authorization – OAuth token to authenticate
- Status Codes:
403 Forbidden – unauthenticated
200 OK – no error
- mediatypes()
- methods: t.ClassVar[t.Collection[str] | None] = {'GET', 'PUT'}
The methods this view is registered for. Uses the same default (["GET", "HEAD", "OPTIONS"]) as route and add_url_rule by default.
- put(authority_id, data=None)
- PUT /authorities/1
Update an authority
Example request:

```http
PUT /authorities/1 HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
Content-Type: application/json;charset=UTF-8

{
  "name": "TestAuthority5",
  "roles": [
    {"id": 566, "name": "TestAuthority5_admin"},
    {"id": 567, "name": "TestAuthority5_operator"},
    {"id": 123, "name": "secure@example.com"}
  ],
  "active": true,
  "authorityCertificate": {
    "body": "-----BEGIN CERTIFICATE-----",
    "status": null,
    "cn": "AcommonName",
    "description": "This is the ROOT certificate for the TestAuthority5 certificate authority.",
    "chain": "",
    "notBefore": "2016-06-03T00:00:51+00:00",
    "notAfter": "2036-06-03T23:59:51+00:00",
    "owner": "secure@example.com",
    "user": {
      "username": "joe@example.com",
      "active": true,
      "email": "joe@example.com",
      "id": 3
    },
    "active": true,
    "bits": 2048,
    "id": 2280,
    "name": "TestAuthority5"
  },
  "owner": "secure@example.com",
  "id": 44,
  "description": "This is the ROOT certificate for the TestAuthority5 certificate authority."
}
```

Example response:

```http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "name": "TestAuthority",
  "roles": [
    {"id": 123, "name": "secure@example.com"},
    {"id": 564, "name": "TestAuthority_admin"},
    {"id": 565, "name": "TestAuthority_operator"}
  ],
  "options": null,
  "active": true,
  "authorityCertificate": {
    "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
    "status": true,
    "cn": "AcommonName",
    "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
    "chain": "",
    "notBefore": "2016-06-02T00:00:15+00:00",
    "notAfter": "2023-06-02T23:59:15+00:00",
    "owner": "secure@example.com",
    "user": {
      "username": "joe@example.com",
      "active": true,
      "email": "joe@example.com",
      "id": 3
    },
    "active": true,
    "bits": 2048,
    "id": 2235,
    "name": "TestAuthority"
  },
  "owner": "secure@example.com",
  "id": 43,
  "description": "This is the ROOT certificate for the TestAuthority certificate authority."
}
```
- Request Headers:
Authorization – OAuth token to authenticate
- Status Codes:
200 OK – no error
403 Forbidden – unauthenticated
- class lemur.authorities.views.AuthoritiesList
Bases:
AuthenticatedResource
Defines the ‘authorities’ endpoint
- endpoint = 'authorities'
- get()
- GET /authorities
The current list of authorities
Example request:

```http
GET /authorities HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
```

Example response:

```http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "items": [
    {
      "name": "TestAuthority",
      "roles": [
        {"id": 123, "name": "secure@example.com"},
        {"id": 564, "name": "TestAuthority_admin"},
        {"id": 565, "name": "TestAuthority_operator"}
      ],
      "options": null,
      "active": true,
      "authorityCertificate": {
        "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
        "status": true,
        "cn": "AcommonName",
        "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
        "chain": "",
        "notBefore": "2016-06-02T00:00:15+00:00",
        "notAfter": "2023-06-02T23:59:15+00:00",
        "owner": "secure@example.com",
        "user": {
          "username": "joe@example.com",
          "active": true,
          "email": "joe@example.com",
          "id": 3
        },
        "active": true,
        "bits": 2048,
        "id": 2235,
        "name": "TestAuthority"
      },
      "owner": "secure@example.com",
      "id": 43,
      "description": "This is the ROOT certificate for the TestAuthority certificate authority."
    }
  ],
  "total": 1
}
```
- Query Parameters:
sortBy – field to sort on
sortDir – asc or desc
page – int default is 1
filter – key value pair. format is k;v
count – count number default is 10
- Request Headers:
Authorization – OAuth token to authenticate
- Status Codes:
200 OK – no error
403 Forbidden – unauthenticated
- Note:
This will only show authorities that the current user is authorized to use.
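An added example, not part of Lemur's own code, showing how a client would build the documented query string for GET /authorities (the `filter` value uses the "k;v" format above) and then audit the listing for authorities that are still marked active although their authority certificate is outside its notBefore/notAfter window. The listing below is a constructed sample in the shape of the documented response, trimmed to the fields the check reads; the helper names are assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed sample in the shape of the documented GET /authorities response,
# trimmed to the fields this audit reads.
SAMPLE_LISTING = {
    "items": [
        {
            "name": "TestAuthority",
            "active": True,
            "owner": "secure@example.com",
            "authorityCertificate": {
                "notBefore": "2016-06-02T00:00:15+00:00",
                "notAfter": "2023-06-02T23:59:15+00:00",
                "bits": 2048,
            },
        }
    ],
    "total": 1,
}


def listing_query(page=1, count=10, sort_by="name", sort_dir="asc", filters=None):
    """Build the query string for GET /authorities.

    Each filter is sent as a separate `filter` parameter in the documented
    "k;v" format; urlencode percent-encodes the ';' so it survives transport.
    """
    params = [("page", page), ("count", count), ("sortBy", sort_by), ("sortDir", sort_dir)]
    for key, value in (filters or {}).items():
        params.append(("filter", f"{key};{value}"))
    return urlencode(params)


def stale_active_authorities(listing, now=None):
    """Return names of authorities marked active whose authority certificate
    is not currently within its notBefore..notAfter validity window."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for item in listing.get("items", []):
        cert = item.get("authorityCertificate") or {}
        if not item.get("active") or not cert.get("notAfter"):
            continue  # inactive, or no certificate metadata to judge
        not_before = datetime.fromisoformat(cert["notBefore"])
        not_after = datetime.fromisoformat(cert["notAfter"])
        if not (not_before <= now <= not_after):
            stale.append(item["name"])
    return stale
```

An authority flagged here should be deactivated via PUT /authorities/<id> (active: false) or re-issued, since an expired CA certificate cannot chain correctly for any certificate it signs.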
- mediatypes()
- methods: t.ClassVar[t.Collection[str] | None] = {'GET', 'POST'}
The methods this view is registered for. Uses the same default (["GET", "HEAD", "OPTIONS"]) as route and add_url_rule by default.
- post(data=None)
- POST /authorities
Create an authority
Example request:

```http
POST /authorities HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
Content-Type: application/json;charset=UTF-8

{
  "country": "US",
  "state": "California",
  "location": "Los Gatos",
  "organization": "Netflix",
  "organizationalUnit": "Operations",
  "type": "root",
  "signingAlgorithm": "sha256WithRSA",
  "sensitivity": "medium",
  "keyType": "RSA2048",
  "plugin": {"slug": "cloudca-issuer"},
  "name": "TimeTestAuthority5",
  "owner": "secure@example.com",
  "description": "test",
  "commonName": "AcommonName",
  "validityYears": "20",
  "extensions": {
    "subAltNames": {"names": []},
    "custom": []
  }
}
```

Example response:

```http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "name": "TestAuthority",
  "roles": [
    {"id": 123, "name": "secure@example.com"},
    {"id": 564, "name": "TestAuthority_admin"},
    {"id": 565, "name": "TestAuthority_operator"}
  ],
  "options": null,
  "active": true,
  "authorityCertificate": {
    "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
    "status": true,
    "cn": "AcommonName",
    "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
    "chain": "",
    "notBefore": "2016-06-02T00:00:15+00:00",
    "notAfter": "2023-06-02T23:59:15+00:00",
    "owner": "secure@example.com",
    "user": {
      "username": "joe@example.com",
      "active": true,
      "email": "joe@example.com",
      "id": 3
    },
    "active": true,
    "bits": 2048,
    "id": 2235,
    "name": "TestAuthority"
  },
  "owner": "secure@example.com",
  "id": 43,
  "description": "This is the ROOT certificate for the TestAuthority certificate authority."
}
```
- Parameters:
name – authority’s name
description – a sensible description of what the CA will be used for
owner – the team or person who ‘owns’ this authority
validityStart – when this authority should start issuing certificates
validityEnd – when this authority should stop issuing certificates
validityYears – starting from now how many years into the future the authority should be valid
extensions – certificate extensions
plugin – name of the plugin to create the authority
type – the type of authority (root/subca)
parent – the parent authority if this is to be a subca
signingAlgorithm – algorithm used to sign the authority
keyType – key type
sensitivity – the sensitivity of the root key, for CloudCA this determines if the root keys are stored in an HSM
keyName – name of the key to store in the HSM (CloudCA)
serialNumber – serial number of the authority
firstSerial – specifies the starting serial number for certificates issued off of this authority
- Request Headers:
Authorization – OAuth token to authenticate
- Status Codes:
401 Unauthorized – unauthenticated
403 Forbidden – unauthorized
200 OK – no error
- class lemur.authorities.views.AuthorityVisualizations
Bases:
AuthenticatedResource
- endpoint = 'authority_visualizations'
- get(authority_id)
- GET /authorities/1/visualize
Authority visualization
Example request:

```http
GET /certificates/1/visualize HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
```

Example response:

```http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "name": "flare",
  "children": [
    {
      "name": "analytics",
      "children": [
        {
          "name": "cluster",
          "children": [
            {"name": "AgglomerativeCluster", "size": 3938},
            {"name": "CommunityStructure", "size": 3812},
            {"name": "HierarchicalCluster", "size": 6714},
            {"name": "MergeEdge", "size": 743}
          ]
        }
      ]
    }
  ]
}
```
- Request Headers:
Authorization – OAuth token to authenticate
- Status Codes:
200 OK – no error
403 Forbidden – unauthenticated
- mediatypes()
- methods: t.ClassVar[t.Collection[str] | None] = {'GET'}
The methods this view is registered for. Uses the same default (["GET", "HEAD", "OPTIONS"]) as route and add_url_rule by default.
- class lemur.authorities.views.CertificateAuthority
Bases:
AuthenticatedResource
- endpoint = 'certificateAuthority'
- get(certificate_id)
- GET /certificates/1/authority
One authority for a given certificate
Example request:

```http
GET /certificates/1/authority HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
```

Example response:

```http
HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "name": "TestAuthority",
  "roles": [
    {"id": 123, "name": "secure@example.com"},
    {"id": 564, "name": "TestAuthority_admin"},
    {"id": 565, "name": "TestAuthority_operator"}
  ],
  "options": null,
  "active": true,
  "authorityCertificate": {
    "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
    "status": true,
    "cn": "AcommonName",
    "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
    "chain": "",
    "notBefore": "2016-06-02T00:00:15+00:00",
    "notAfter": "2023-06-02T23:59:15+00:00",
    "owner": "secure@example.com",
    "user": {
      "username": "joe@example.com",
      "active": true,
      "email": "joe@example.com",
      "id": 3
    },
    "active": true,
    "bits": 2048,
    "id": 2235,
    "name": "TestAuthority"
  },
  "owner": "secure@example.com",
  "id": 43,
  "description": "This is the ROOT certificate for the TestAuthority certificate authority."
}
```
- Request Headers:
Authorization – OAuth token to authenticate
- Status Codes:
200 OK – no error
403 Forbidden – unauthenticated
- mediatypes()
- methods: t.ClassVar[t.Collection[str] | None] = {'GET'}
The methods this view is registered for. Uses the same default (["GET", "HEAD", "OPTIONS"]) as route and add_url_rule by default.