Merge branch 'main' into jschladen/fix-tag-check

Author: jtschladen

.github/workflows/ci.yml

@@ -47,14 +47,14 @@ jobs:
       FORCE_COLOR: 1
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'
       - name: Set up Node.js 16
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version: 16
       - name: Install dependencies

.github/workflows/codeql.yml

@@ -41,15 +41,15 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     # Install prerequisites for python-ldap. See: https://www.python-ldap.org/en/python-ldap-3.3.0/installing.html#build-prerequisites
     - name: Install python-ldap prerequisites
       run: sudo apt-get update && sudo apt-get install libldap2-dev libsasl2-dev
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,7 +63,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -76,6 +76,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/lemur-publish-release-pypi.yml

@@ -12,7 +12,7 @@ jobs:
     name: Build distribution
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -35,7 +35,7 @@ jobs:
         run: |
           python setup.py sdist bdist_wheel
       - name: Store the distribution packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: python-package-distributions
           path: dist/
@@ -51,7 +51,7 @@ jobs:
       id-token: write
     steps:
       - name: Download all the dists
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: python-package-distributions
           path: dist/

docs/administration.rst

@@ -276,6 +276,25 @@ Basic Configuration
         DEFAULT_VALIDITY_DAYS = 1095
 
 
+.. data:: LEMUR_AUTOROTATION_USE_DEFAULT_VALIDITY
+    :noindex:
+
+        When set to True, certificates with autorotation enabled will use the authority's default validity period upon
+        reissuance, instead of maintaining the original certificate's validity span. This is useful when you want all
+        autorotated certificates to use a standardized validity period based on the authority's configuration (e.g.,
+        PUBLIC_CA_DEFAULT_VALIDITY_DAYS for CAB-compliant authorities, or DEFAULT_VALIDITY_DAYS for other authorities).
+
+        This feature only affects certificates that have autorotation (rotation flag) enabled. Certificates without
+        autorotation will continue to maintain their original validity span during reissuance, regardless of this setting.
+
+        The default value is False, which maintains backward compatibility by preserving the original certificate's
+        validity span during reissuance.
+
+    ::
+
+        LEMUR_AUTOROTATION_USE_DEFAULT_VALIDITY = False
+
+
 .. data:: DEBUG_DUMP
     :noindex:
 
@@ -546,10 +565,44 @@ to enable it, you must set the option ``--notify`` (when using cron) or the conf
         Use this config (optional) to migrate from one authority id to another on reissuance (useful for expiring authorities,
         key migrations, etc).
 
-    ::
+        This configuration supports two types of values:
+
+        1. **Static mapping** (integer): Maps an old authority ID directly to a new authority ID.
+        2. **Dynamic callback** (callable): A function that receives a certificate object and returns the new authority ID based on certificate properties.
+
+    Static mapping example::
 
         ROTATE_AUTHORITY_TRANSLATION = {1: 2}
 
+    Callback function example::
+
+        def select_authority_for_renewal(certificate):
+            """
+            Dynamically determine the authority for certificate renewal.
+
+            Args:
+                certificate: Certificate object with properties like:
+                    - owner: str
+                    - destinations: list of Destination objects
+                    - key_type: str
+                    - cn: str
+                    - san: str
+                    - authority: Authority object
+                    - authority_id: int
+
+            Returns:
+                int: The new authority ID to use
+            """
+            # Example: Select authority based on destinations
+            destination_labels = [dest.label for dest in certificate.destinations]
+            if 'production-aws' in destination_labels:
+                return 3  # Use cross-signed chain for production AWS
+            elif 'legacy-systems' in destination_labels:
+                return 4  # Use older authority for legacy compatibility
+            return certificate.authority_id  # Keep original authority
+
+        ROTATE_AUTHORITY_TRANSLATION = {1: select_authority_for_renewal}
+
 
 **Certificate rotation**
 
@@ -1723,16 +1776,33 @@ The following configuration properties are optional when using the Digicert CIS
             Defines the default signing algorithm for a given issuer name e.g. {"Digicert": "sha1"} will result in sha1 certs issued with the Digicert issuer (default = {}).
 
 
+
+
+.. data:: DIGICERT_CIS_USE_CSR_FIELDS
+    :noindex:
+
+            Controls the setting of the `use_csr_fields` parameter of the create certificate endpoint. When set, certificates will be issued with values from the csr instead of via API fields (default = False).
+
+
 .. data:: DIGICERT_CIS_ROOTS
     :noindex:
 
-            A string->string mapping from issuer name to root PEM. These will be optionally be appended to / stripped from response chains as requested by users.
+            A string->string mapping from authority name to root certificate PEM. This is used during authority creation to store the root certificate in Lemur's database.
 
 
-.. data:: DIGICERT_CIS_USE_CSR_FIELDS
+.. data:: DIGICERT_CIS_ALTERNATE_CHAINS
     :noindex:
 
-            Controls the setting of the `use_csr_fields` parameter of the create certificate endpoint. When set, certificates will be issued with values from the csr instead of via API fields (default = False).
+            A string->string mapping from authority name to alternate/cross-signed chain PEM. When configured, the specified chain will be appended to certificates issued by that authority. This is useful for providing cross-signed roots for compatibility with older systems.
+
+            Example::
+
+                DIGICERT_CIS_ALTERNATE_CHAINS = {
+                    "DigiCert-G2-RSA-Cross-Global": """-----BEGIN CERTIFICATE-----
+                MIIEgjCCA2qgAwIBAgIQBEbB7LuEYrWpF3L5qhjmezANBgkqhkiG9w0BAQsFADBh
+                ...
+                -----END CERTIFICATE-----"""
+                }
 
 
 CFSSL Issuer Plugin

lemur/auth/service.py

@@ -8,11 +8,11 @@
 .. moduleauthor:: Kevin Glisson <[email protected]>
 
 """
+import binascii
 import json
 from datetime import datetime, timedelta
 from functools import wraps
 
-import binascii
 import jwt
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization, hashes
@@ -167,6 +167,12 @@ def decorated_function(*args, **kwargs):
         if not g.current_user:
             return dict(message="You are not logged in"), 403
 
+        metrics.send("user_authentication", "counter", 1,
+                     metric_tags={"application_name": getattr(g, "caller_application", "none"),
+                                  "user_id": g.current_user.id,
+                                  "endpoint": request.endpoint,
+                                  "aid": payload.get("aid", "none")})
+
         # Tell Flask-Principal the identity changed
         identity_changed.send(
             current_app._get_current_object(), identity=Identity(g.current_user.id)

lemur/certificates/service.py

@@ -933,17 +933,32 @@ def get_name_from_arn(arn):
     return arn.split("/", 1)[1]
 
 
-def calculate_reissue_range(start, end):
+def calculate_reissue_range(start, end, authority=None, rotation=False):
     """
     Determine what the new validity_start and validity_end dates should be.
     :param start:
     :param end:
+    :param authority: Optional authority to use for default validity calculation
+    :param rotation: Whether this certificate has autorotation enabled
     :return:
     """
-    span = end - start
-
     new_start = arrow.utcnow()
-    new_end = new_start + span
+
+    # Check if we should use default validity for autorotation reissues
+    use_default_validity = (
+        rotation
+        and authority
+        and current_app.config.get("LEMUR_AUTOROTATION_USE_DEFAULT_VALIDITY")
+    )
+
+    if use_default_validity:
+        # Use authority's default validity days
+        default_days = authority.default_validity_days
+        new_end = new_start.shift(days=default_days)
+    else:
+        # Use original certificate's validity span
+        span = end - start
+        new_end = new_start + span
 
     return new_start, arrow.get(new_end)
 
@@ -956,7 +971,12 @@ def get_certificate_primitives(certificate):
     :return: dict of certificate primitives, should be enough to effectively re-issue
     certificate via `create`.
     """
-    start, end = calculate_reissue_range(certificate.not_before, certificate.not_after)
+    start, end = calculate_reissue_range(
+        certificate.not_before,
+        certificate.not_after,
+        authority=certificate.authority,
+        rotation=certificate.rotation
+    )
     ser = CertificateInputSchema().load(
         CertificateOutputSchema().dump(certificate).data
     )
@@ -1001,10 +1021,40 @@ def reissue_certificate(certificate, notify=None, replace=None, user=None):
     if replace:
         primitives["replaces"] = [certificate]
 
-    if primitives["authority"].id in current_app.config.get("ROTATE_AUTHORITY_TRANSLATION", {}):
-        primitives["authority"] = database.get(Authority,
-            current_app.config.get("ROTATE_AUTHORITY_TRANSLATION", {})[primitives["authority"].id]
-        )
+    # Support both static authority ID mapping and dynamic callback functions
+    authority_translation = current_app.config.get("ROTATE_AUTHORITY_TRANSLATION", {})
+    if primitives["authority"].id in authority_translation:
+        original_authority_id = primitives["authority"].id
+        original_authority_name = primitives["authority"].name
+        translation_value = authority_translation[primitives["authority"].id]
+
+        # Check if the value is a callable (function)
+        if callable(translation_value):
+            # Call the function with the certificate to determine the new authority ID
+            new_authority_id = translation_value(certificate)
+            if new_authority_id is not None:
+                primitives["authority"] = database.get(Authority, new_authority_id)
+        else:
+            # Static integer mapping (original behavior)
+            new_authority_id = translation_value
+            primitives["authority"] = database.get(Authority, translation_value)
+
+        # Log and metric the translation
+        if new_authority_id is not None:
+            current_app.logger.info(
+                f"Authority translated for certificate {certificate.name}: "
+                f"{original_authority_name} (ID: {original_authority_id}) -> "
+                f"{primitives['authority'].name} (ID: {new_authority_id})"
+            )
+            metrics.send(
+                "certificate_authority_translation",
+                "counter",
+                1,
+                metric_tags={
+                    "original_authority": original_authority_name,
+                    "new_authority": primitives["authority"].name,
+                }
+            )
 
     # Modify description to include the certificate ID being reissued and mention that this is created by Lemur
     # as part of reissue

lemur/plugins/lemur_digicert/plugin.py

@@ -685,6 +685,14 @@ def create_certificate(self, csr, issuer_options):
         end_entity = certificate_chain_pem[0]
         intermediate = certificate_chain_pem[1]
 
+        # Append cross-signed root if configured for this authority
+        authority_name = issuer_options.get('authority').name if issuer_options.get('authority') else None
+        if authority_name:
+            cross_signed_root = current_app.config.get("DIGICERT_CIS_ALTERNATE_CHAINS", {}).get(authority_name)
+            if cross_signed_root:
+                # Append the cross-signed root to the intermediate chain
+                intermediate = str(intermediate) + "\n" + cross_signed_root
+
         return (
             "\n".join(str(end_entity).splitlines()),
             "\n".join(str(intermediate).splitlines()),