Upstream merged, urllib3 updated to address security alert, added telegram notification plugin

Author: fed1337

.gitignore

@@ -5,7 +5,7 @@
 /.tmp/
 *.egg-info
 *.pyc
-*.log
+*.log*
 *.egg
 *.db
 *.pid

compose.yml

@@ -6,6 +6,7 @@ services:
       POSTGRES_USER: lemur
       POSTGRES_PASSWORD: lemur
       POSTGRES_HOST: postgres
+    network_mode: host
     ports:
       - "5432:5432"
     volumes:

lemur.conf.py

@@ -3,26 +3,24 @@
 Reads environment variables and defaults to a value suitable for dev/test environment if not set
 """
 
-import base64
-import os.path
-import secrets
-import string
-from typing import Dict, Any, List
-
-_basedir = os.path.abspath(os.path.dirname(__file__))
+from os.path import abspath, dirname, realpath
+from os import environ
+# from typing import Dict, Any
 
+_basedir = abspath(dirname(__file__))
 
 # General
-THREADS_PER_PAGE = os.environ.get("THREADS_PER_PAGE", 8)
-CORS = os.environ.get("CORS", True)
-DEBUG = os.environ.get("DEBUG", True)
+THREADS_PER_PAGE = environ.get("THREADS_PER_PAGE", 8)
+CORS = environ.get("CORS", True)
+DEBUG = environ.get("DEBUG", True)
+LEMUR_HOSTNAME = environ.get("LEMUR_HOSTNAME", "localhost")
 
 # Logging
-LOG_LEVEL = os.environ.get("LOG_LEVEL", "DEBUG")
-LOG_FILE = os.environ.get("LOG_FILE", "lemur.log")
-LOG_UPGRADE_FILE = os.environ.get("LOG_UPGRADE_FILE", "db_upgrade.log")
-LOG_REQUEST_HEADERS = os.environ.get("LOG_REQUEST_HEADERS", "False")
-LOG_SANITIZE_REQUEST_HEADERS = os.environ.get("LOG_SANITIZE_REQUEST_HEADERS", "True")
+LOG_LEVEL = environ.get("LOG_LEVEL", "DEBUG")
+LOG_FILE = environ.get("LOG_FILE", "lemur.log")
+LOG_UPGRADE_FILE = environ.get("LOG_UPGRADE_FILE", "db_upgrade.log")
+LOG_REQUEST_HEADERS = environ.get("LOG_REQUEST_HEADERS", "False")
+LOG_SANITIZE_REQUEST_HEADERS = environ.get("LOG_SANITIZE_REQUEST_HEADERS", "True")
 LOG_REQUEST_HEADERS_SKIP_ENDPOINT = ["/metrics", "/healthcheck"]  # These endpoints are noisy so skip them by default
 
 # This is the secret key used by flask session management
@@ -41,8 +39,16 @@
 LEMUR_DEFAULT_ORGANIZATION = ""
 LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = ""
 LEMUR_SECURITY_TEAM_EMAIL = ["admin@localhost"]
-SQLALCHEMY_DATABASE_URI = os.environ.get('SQLALCHEMY_DATABASE_URI', 'postgresql://lemur:lemur@localhost:5432/lemur')
 
+# Database settings
+SQLALCHEMY_DATABASE_URI = environ.get('SQLALCHEMY_DATABASE_URI', 'postgresql://lemur:lemur@localhost:5432/lemur')
+# SQLALCHEMY_ENABLE_FLASK_REPLICATED = False
+# SQLALCHEMY_TRACK_MODIFICATIONS = False
+# SQLALCHEMY_ECHO = True
+# SQLALCHEMY_ENGINE_OPTIONS = {
+#     'pool_recycle': 499,
+#     'pool_timeout': 20,
+# }
 
 # LEMUR_DEFAULT_ISSUER_PLUGIN=cryptography-issuer
 # LEMUR_DEFAULT_AUTHORITY=cryptography
@@ -85,127 +91,118 @@
 IDP_PROTECT_BUILTINS = True
 IDP_CREATE_PER_USER_ROLE = True  # Generates Lemur role for each user (allows cert assignment to a single user)
 
-
 # # this is the secret used to generate oauth state tokens
-# OAUTH_STATE_TOKEN_SECRET = repr(os.environ.get('OAUTH_STATE_TOKEN_SECRET', base64.b64encode(get_random_secret(32).encode('utf8'))))
-#
+# OAUTH_STATE_TOKEN_SECRET = repr(environ.get('OAUTH_STATE_TOKEN_SECRET', '')
+
 # REDIS_HOST = 'redis'
 # REDIS_PORT = 6379
 # REDIS_DB = 0
 # CELERY_RESULT_BACKEND = f'redis://{REDIS_HOST}:{REDIS_PORT}'
 # CELERY_BROKER_URL = f'redis://{REDIS_HOST}:{REDIS_PORT}'
 # CELERY_IMPORTS = ('lemur.common.celery')
 # CELERYBEAT_SCHEDULE: Dict[str, Any] = {
-    # All tasks are disabled by default. Enable any tasks you wish to run.
-    # 'fetch_all_pending_acme_certs': {
-    #     'task': 'lemur.common.celery.fetch_all_pending_acme_certs',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(minute="*"),
-    # },
-    # 'remove_old_acme_certs': {
-    #     'task': 'lemur.common.celery.remove_old_acme_certs',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=8, minute=0, day_of_week=5),
-    # },
-    # 'clean_all_sources': {
-    #     'task': 'lemur.common.celery.clean_all_sources',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=5, minute=0, day_of_week=5),
-    # },
-    # 'sync_all_sources': {
-    #     'task': 'lemur.common.celery.sync_all_sources',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour="*/2", minute=0),
-    # },
-    # 'report_celery_last_success_metrics': {
-    #     'task': 'lemur.common.celery.report_celery_last_success_metrics',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(minute="*"),
-    # },
-    # 'certificate_reissue': {
-    #     'task': 'lemur.common.celery.certificate_reissue',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=9, minute=0),
-    # },
-    # 'certificate_rotate': {
-    #     'task': 'lemur.common.celery.certificate_rotate',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=10, minute=0),
-    # },
-    # 'get_all_zones': {
-    #     'task': 'lemur.common.celery.get_all_zones',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(minute="*/30"),
-    # },
-    # 'check_revoked': {
-    #     'task': 'lemur.common.celery.check_revoked',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=10, minute=0),
-    # }
-    # 'enable_autorotate_for_certs_attached_to_destination': {
-    #     'task': 'lemur.common.celery.enable_autorotate_for_certs_attached_to_destination',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=10, minute=0),
-    # }
-    # 'enable_autorotate_for_certs_attached_to_endpoint': {
-    #     'task': 'lemur.common.celery.enable_autorotate_for_certs_attached_to_endpoint',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=10, minute=0),
-    # }
-    # 'notify_expirations': {
-    #     'task': 'lemur.common.celery.notify_expirations',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=10, minute=0),
-    #  },
-    # 'notify_authority_expirations': {
-    #     'task': 'lemur.common.celery.notify_authority_expirations',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=10, minute=0),
-    # },
-    # 'send_security_expiration_summary': {
-    #     'task': 'lemur.common.celery.send_security_expiration_summary',
-    #     'options': {
-    #         'expires': 180
-    #     },
-    #     'schedule': crontab(hour=10, minute=0, day_of_week='mon-fri'),
-    # }
+#     All tasks are disabled by default. Enable any tasks you wish to run.
+#     'fetch_all_pending_acme_certs': {
+#         'task': 'lemur.common.celery.fetch_all_pending_acme_certs',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(minute="*"),
+#     },
+#     'remove_old_acme_certs': {
+#         'task': 'lemur.common.celery.remove_old_acme_certs',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=8, minute=0, day_of_week=5),
+#     },
+#     'clean_all_sources': {
+#         'task': 'lemur.common.celery.clean_all_sources',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=5, minute=0, day_of_week=5),
+#     },
+#     'sync_all_sources': {
+#         'task': 'lemur.common.celery.sync_all_sources',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour="*/2", minute=0),
+#     },
+#     'report_celery_last_success_metrics': {
+#         'task': 'lemur.common.celery.report_celery_last_success_metrics',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(minute="*"),
+#     },
+#     'certificate_reissue': {
+#         'task': 'lemur.common.celery.certificate_reissue',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=9, minute=0),
+#     },
+#     'certificate_rotate': {
+#         'task': 'lemur.common.celery.certificate_rotate',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=10, minute=0),
+#     },
+#     'get_all_zones': {
+#         'task': 'lemur.common.celery.get_all_zones',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(minute="*/30"),
+#     },
+#     'check_revoked': {
+#         'task': 'lemur.common.celery.check_revoked',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=10, minute=0),
+#     }
+#     'enable_autorotate_for_certs_attached_to_destination': {
+#         'task': 'lemur.common.celery.enable_autorotate_for_certs_attached_to_destination',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=10, minute=0),
+#     }
+#     'enable_autorotate_for_certs_attached_to_endpoint': {
+#         'task': 'lemur.common.celery.enable_autorotate_for_certs_attached_to_endpoint',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=10, minute=0),
+#     }
+#     'notify_expirations': {
+#         'task': 'lemur.common.celery.notify_expirations',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=10, minute=0),
+#      },
+#     'notify_authority_expirations': {
+#         'task': 'lemur.common.celery.notify_authority_expirations',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=10, minute=0),
+#     },
+#     'send_security_expiration_summary': {
+#         'task': 'lemur.common.celery.send_security_expiration_summary',
+#         'options': {
+#             'expires': 180
+#         },
+#         'schedule': crontab(hour=10, minute=0, day_of_week='mon-fri'),
+#     }
 # }
 # CELERY_TIMEZONE = 'UTC'
 #
-# SQLALCHEMY_ENABLE_FLASK_REPLICATED = False
-# SQLALCHEMY_TRACK_MODIFICATIONS = False
-# SQLALCHEMY_ECHO = True
-# SQLALCHEMY_ENGINE_OPTIONS = {
-#     'pool_recycle': 499,
-#     'pool_timeout': 20,
-# }
-#
 # LEMUR_EMAIL = '[email protected]'
 # LEMUR_SECURITY_TEAM_EMAIL_INTERVALS = [15, 2]
 # LEMUR_DEFAULT_EXPIRATION_NOTIFICATION_INTERVALS = [30, 15, 2]
@@ -218,16 +215,15 @@
 # DEFAULT_VALIDITY_DAYS = 365
 #
 # LEMUR_OWNER_EMAIL_IN_SUBJECT = False
-# LEMUR_DEFAULT_AUTHORITY = str(os.environ.get('LEMUR_DEFAULT_AUTHORITY', 'ExampleCa'))
+# LEMUR_DEFAULT_AUTHORITY = str(environ.get('LEMUR_DEFAULT_AUTHORITY', 'ExampleCa'))
 # LEMUR_DEFAULT_ROLE = 'operator'
-#
-# # Authority Settings - These will change depending on which authorities you are
-# # using
-# current_path = os.path.dirname(os.path.realpath(__file__))
-#
-# # DNS Settings
-#
-# # exclude logging missing SAN, since we can have certs from private CAs with only cn, prod parity
+
+# Authority Settings - These will change depending on which authorities you are using
+# current_path = dirname(realpath(__file__))
+
+# DNS Settings
+
+# exclude logging missing SAN, since we can have certs from private CAs with only cn, prod parity
 # LOG_SSL_SUBJ_ALT_NAME_ERRORS = False
 #
 # ACME_DNS_PROVIDER_TYPES = {"items": [
@@ -266,6 +262,6 @@
 #         'name': 'ultradns',
 #     },
 # ]}
-#
+
 # # Authority plugins which support revocation
 # SUPPORTED_REVOCATION_AUTHORITY_PLUGINS = ['acme-issuer']

lemur/__about__.py

@@ -13,10 +13,10 @@
 __summary__ = "Certificate management and orchestration service"
 __uri__ = "https://github.com/Netflix/lemur"
 
-__version__ = "1.3.dev0"
+__version__ = "1.8.3+f"
 
 __author__ = "The Lemur developers"
 __email__ = "[email protected]"
 
 __license__ = "Apache License, Version 2.0"
-__copyright__ = f"Copyright 2018 {__author__}"
+__copyright__ = f"Copyright 2025 {__author__}"

lemur/plugins/lemur_aws/iam.py

@@ -288,15 +288,15 @@ def _filter_ignored_certificates(certificates, **kwargs):
         filtered_certificates = []
 
         for cert in certificates:
-            # Get the ARN for the certificate
-            cert_arn = cert.get("ServerCertificateMetadata", {}).get("Arn")
-            if not cert_arn:
+            # Get the certificate name for the certificate
+            cert_name = cert.get("ServerCertificateMetadata", {}).get("ServerCertificateName")
+            if not cert_name:
                 filtered_certificates.append(cert)
                 continue
 
             try:
                 # Get tags for the certificate
-                tags_response = client.list_tags_for_resource(ResourceName=cert_arn)
+                tags_response = client.list_server_certificate_tags(ServerCertificateName=cert_name)
                 tags = tags_response.get("Tags", [])
 
                 # If the certificate has any ignore tags, skip it

lemur/plugins/lemur_telegram/__init__.py

@@ -0,0 +1,5 @@
+try:
+    from importlib.metadata import version
+    VERSION = version(__name__)
+except Exception as e:
+    VERSION = "unknown"