authorities Package

models Module

class lemur.authorities.models.Authority(**kwargs)

Bases: flask_sqlalchemy.Model

active
authority_certificate
body
certificates
chain
date_created
description
id
name
options
owner
plugin
plugin_name
roles
user_id

service Module

lemur.authorities.service.create(**kwargs)

Creates a new authority.

lemur.authorities.service.create_authority_roles(roles, owner, plugin_title, creator)

Creates all of the necessary authority roles. :param creator: :param roles: :return:

lemur.authorities.service.get(authority_id)

Retrieves an authority given it’s ID

Parameters:authority_id
Returns:
lemur.authorities.service.get_all()

Get all authorities that are currently in Lemur.

:rtype : List :return:

lemur.authorities.service.get_authority_role(ca_name, creator=None)

Attempts to get the authority role for a given ca uses current_user as a basis for accomplishing that.

Parameters:ca_name
lemur.authorities.service.get_by_name(authority_name)

Retrieves an authority given it’s name.

Parameters:authority_name
Returns:
lemur.authorities.service.mint(**kwargs)

Creates the authority based on the plugin provided.

lemur.authorities.service.render(args)

Helper that helps us render the REST Api responses. :param args: :return:

lemur.authorities.service.update(authority_id, description=None, owner=None, active=None, roles=None)

Update an authority with new values.

Parameters:
  • authority_id
  • roles – roles that are allowed to use this authority
Returns:

views Module

class lemur.authorities.views.Authorities

Bases: lemur.auth.service.AuthenticatedResource

endpoint = 'authority'
get(authority_id)
GET /authorities/1

One authority

Example request:

GET /authorities/1 HTTP/1.1
Host: example.com
Accept: application/json, text/javascript

Example response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "roles": [{
      "id": 123,
      "name": "secure@example.com"
  }, {
      "id": 564,
      "name": "TestAuthority_admin"
  }, {
      "id": 565,
      "name": "TestAuthority_operator"
  }],
  "active": true,
  "owner": "secure@example.com",
  "id": 43,
  "description": "This is the ROOT certificate for the TestAuthority certificate authority."
}
Parameters:
  • description – a sensible description about what the CA with be used for
  • owner – the team or person who ‘owns’ this authority
  • active – set whether this authoritity is currently in use
Request Headers:
 
Status Codes:
mediatypes(resource_cls)
methods = ['GET', 'PUT']
put(authority_id, data=None)
PUT /authorities/1

Update an authority

Example request:

PUT /authorities/1 HTTP/1.1
Host: example.com
Accept: application/json, text/javascript

{
  "name": "TestAuthority5",
  "roles": [{
      "id": 566,
      "name": "TestAuthority5_admin"
  }, {
      "id": 567,
      "name": "TestAuthority5_operator"
  }, {
      "id": 123,
      "name": "secure@example.com"
  }],
  "active": true,
  "authorityCertificate": {
      "body": "-----BEGIN CERTIFICATE-----",
      "status": null,
      "cn": "AcommonName",
      "description": "This is the ROOT certificate for the TestAuthority5 certificate authority.",
      "chain": "",
      "notBefore": "2016-06-03T00:00:51+00:00",
      "notAfter": "2036-06-03T23:59:51+00:00",
      "owner": "secure@example.com",
      "user": {
          "username": "joe@example.com",
          "active": true,
          "email": "joe@example.com",
          "id": 3
      },
      "active": true,
      "bits": 2048,
      "id": 2280,
      "name": "TestAuthority5"
  },
  "owner": "secure@example.com",
  "id": 44,
  "description": "This is the ROOT certificate for the TestAuthority5 certificate authority."
 }

Example response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "name": "TestAuthority",
  "roles": [{
      "id": 123,
      "name": "secure@example.com"
  }, {
      "id": 564,
      "name": "TestAuthority_admin"
  }, {
      "id": 565,
      "name": "TestAuthority_operator"
  }],
  "options": null,
  "active": true,
  "authorityCertificate": {
      "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
      "status": true,
      "cn": "AcommonName",
      "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
      "chain": "",
      "notBefore": "2016-06-02T00:00:15+00:00",
      "notAfter": "2023-06-02T23:59:15+00:00",
      "owner": "secure@example.com",
      "user": {
          "username": "joe@example.com",
          "active": true,
          "email": "joe@example.com",
          "id": 3
      },
      "active": true,
      "bits": 2048,
      "id": 2235,
      "name": "TestAuthority"
  },
  "owner": "secure@example.com",
  "id": 43,
  "description": "This is the ROOT certificate for the TestAuthority certificate authority."
}
Request Headers:
 
Status Codes:
class lemur.authorities.views.AuthoritiesList

Bases: lemur.auth.service.AuthenticatedResource

Defines the ‘authorities’ endpoint

endpoint = 'authorities'
get()
GET /authorities

The current list of authorities

Example request:

GET /authorities HTTP/1.1
Host: example.com
Accept: application/json, text/javascript

Example response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "items": [{
      "name": "TestAuthority",
      "roles": [{
          "id": 123,
          "name": "secure@example.com"
      }, {
          "id": 564,
          "name": "TestAuthority_admin"
      }, {
          "id": 565,
          "name": "TestAuthority_operator"
      }],
      "options": null,
      "active": true,
      "authorityCertificate": {
          "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
          "status": true,
          "cn": "AcommonName",
          "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
          "chain": "",
          "notBefore": "2016-06-02T00:00:15+00:00",
          "notAfter": "2023-06-02T23:59:15+00:00",
          "owner": "secure@example.com",
          "user": {
              "username": "joe@example.com",
              "active": true,
              "email": "joe@example.com",
              "id": 3
          },
          "active": true,
          "bits": 2048,
          "id": 2235,
          "name": "TestAuthority"
      },
      "owner": "secure@example.com",
      "id": 43,
      "description": "This is the ROOT certificate for the TestAuthority certificate authority."
  }
  "total": 1
}
Query Parameters:
 
  • sortBy – field to sort on
  • sortDir – asc or desc
  • page – int default is 1
  • filter – key value pair. format is k;v
  • count – count number default is 10
Request Headers:
 
Status Codes:
Note:

this will only show certificates that the current user is authorized to use
mediatypes(resource_cls)
methods = ['GET', 'POST']
post(data=None)
POST /authorities

Create an authority

Example request:

 POST /authorities HTTP/1.1
 Host: example.com
 Accept: application/json, text/javascript

{
   "country": "US",
   "state": "California",
   "location": "Los Gatos",
   "organization": "Netflix",
   "organizationalUnit": "Operations",
   "type": "root",
   "signingAlgorithm": "sha256WithRSA",
   "sensitivity": "medium",
   "keyType": "RSA2048",
   "plugin": {
       "slug": "cloudca-issuer",
   },
   "name": "TimeTestAuthority5",
   "owner": "secure@example.com",
   "description": "test",
   "commonName": "AcommonName",
   "validityYears": "20",
   "extensions": {
       "subAltNames": {
           "names": []
       },
       "custom": []
}

Example response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "name": "TestAuthority",
  "roles": [{
      "id": 123,
      "name": "secure@example.com"
  }, {
      "id": 564,
      "name": "TestAuthority_admin"
  }, {
      "id": 565,
      "name": "TestAuthority_operator"
  }],
  "options": null,
  "active": true,
  "authorityCertificate": {
      "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
      "status": true,
      "cn": "AcommonName",
      "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
      "chain": "",
      "notBefore": "2016-06-02T00:00:15+00:00",
      "notAfter": "2023-06-02T23:59:15+00:00",
      "owner": "secure@example.com",
      "user": {
          "username": "joe@example.com",
          "active": true,
          "email": "joe@example.com",
          "id": 3
      },
      "active": true,
      "bits": 2048,
      "id": 2235,
      "name": "TestAuthority"
  },
  "owner": "secure@example.com",
  "id": 43,
  "description": "This is the ROOT certificate for the TestAuthority certificate authority."
}
Parameters:
  • name – authority’s name
  • description – a sensible description about what the CA with be used for
  • owner – the team or person who ‘owns’ this authority
  • validityStart – when this authority should start issuing certificates
  • validityEnd – when this authority should stop issuing certificates
  • validityYears – starting from now how many years into the future the authority should be valid
  • extensions – certificate extensions
  • plugin – name of the plugin to create the authority
  • type – the type of authority (root/subca)
  • parent – the parent authority if this is to be a subca
  • signingAlgorithm – algorithm used to sign the authority
  • keyType – key type
  • sensitivity – the sensitivity of the root key, for CloudCA this determines if the root keys are stored

in an HSM :arg keyName: name of the key to store in the HSM (CloudCA) :arg serialNumber: serial number of the authority :arg firstSerial: specifies the starting serial number for certificates issued off of this authority :reqheader Authorization: OAuth token to authenticate :statuscode 403: unauthenticated :statuscode 200: no error

class lemur.authorities.views.AuthorityVisualizations

Bases: lemur.auth.service.AuthenticatedResource

endpoint = 'authority_visualizations'
get(authority_id)

{“name”: “flare”, “children”: [

{

“name”: “analytics”, “children”: [

{

“name”: “cluster”, “children”: [

{“name”: “AgglomerativeCluster”, “size”: 3938}, {“name”: “CommunityStructure”, “size”: 3812}, {“name”: “HierarchicalCluster”, “size”: 6714}, {“name”: “MergeEdge”, “size”: 743}

]

}

}

]}

mediatypes(resource_cls)
methods = ['GET']
class lemur.authorities.views.CertificateAuthority

Bases: lemur.auth.service.AuthenticatedResource

endpoint = 'certificateAuthority'
get(certificate_id)
GET /certificates/1/authority

One authority for given certificate

Example request:

GET /certificates/1/authority HTTP/1.1
Host: example.com
Accept: application/json, text/javascript

Example response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
  "name": "TestAuthority",
  "roles": [{
      "id": 123,
      "name": "secure@example.com"
  }, {
      "id": 564,
      "name": "TestAuthority_admin"
  }, {
      "id": 565,
      "name": "TestAuthority_operator"
  }],
  "options": null,
  "active": true,
  "authorityCertificate": {
      "body": "-----BEGIN CERTIFICATE-----IyMzU5MTVaMHk...",
      "status": true,
      "cn": "AcommonName",
      "description": "This is the ROOT certificate for the TestAuthority certificate authority.",
      "chain": "",
      "notBefore": "2016-06-02T00:00:15+00:00",
      "notAfter": "2023-06-02T23:59:15+00:00",
      "owner": "secure@example.com",
      "user": {
          "username": "joe@example.com",
          "active": true,
          "email": "joe@example.com",
          "id": 3
      },
      "active": true,
      "bits": 2048,
      "id": 2235,
      "name": "TestAuthority"
  },
  "owner": "secure@example.com",
  "id": 43,
  "description": "This is the ROOT certificate for the TestAuthority certificate authority."
}
Request Headers:
 
Status Codes:
mediatypes(resource_cls)
methods = ['GET']