Merge branch 'main' into prep-1.8.0

.github/workflows/ci.yml

@@ -84,20 +84,21 @@ jobs:
           source ~/env/bin/activate
           bandit -r . -ll -ii -x lemur/tests/,docs
           xvfb-run make test-js
-      - name: Coveralls GitHub Action
-        uses: coverallsapp/github-action@v2
-        with:
-          parallel: true
-          flag-name: Python ${{ matrix.python-version }} Postgres ${{ matrix.postgres-version }} OS ${{ matrix.os }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  coveralls:
-      name: Indicate completion to coveralls.io
-      needs: build
-      if: ${{ always() }}
-      runs-on: ubuntu-latest
-      steps:
-      - name: Coveralls Finished
-        uses: coverallsapp/github-action@v2
-        with:
-          parallel-finished: true
+  # todo: re-enable me once https://github.com/coverallsapp/github-action/issues/205 is resolved
+  #     - name: Coveralls GitHub Action
+  #       uses: coverallsapp/github-action@v2
+  #       with:
+  #         parallel: true
+  #         flag-name: Python ${{ matrix.python-version }} Postgres ${{ matrix.postgres-version }} OS ${{ matrix.os }}
+  #       env:
+  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  # coveralls:
+  #     name: Indicate completion to coveralls.io
+  #     needs: build
+  #     if: ${{ always() }}
+  #     runs-on: ubuntu-latest
+  #     steps:
+  #     - name: Coveralls Finished
+  #       uses: coverallsapp/github-action@v2
+  #       with:
+  #         parallel-finished: true

.github/workflows/dependabot-auto-merge.yml

@@ -1,14 +1,28 @@
-name: dependabot-auto-merge
+name: Dependabot auto-approve and auto-merge
+on: pull_request
 
-on:
-  pull_request:
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
-  auto-merge:
+  dependabot:
     runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@v4
-      - uses: ahmadnassri/action-dependabot-auto-merge@v2
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
         with:
-          target: minor
-          github-token: ${{ secrets.DEPENDABOT_GITHUB_TOKEN }}
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Approve a PR (patch and minor updates only)
+        run: gh pr review --approve "$PR_URL"
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

CHANGELOG.rst

@@ -3,6 +3,7 @@ Changelog
 
 Unreleased
 ~~~~~~~~~~~~~~~~~~~~
+Added Google CA issuer plugin. This plugin creates certificates via Google CA Manager API.
 
 1.8.0 - `2024-05-17`
 ~~~~~~~~~~~~~~~~~~~~
@@ -27,7 +28,6 @@ Special thanks to all who contributed to this release, notably:
 - Allow updating options field via authority update API.
 - Fixed a DoS security issue affecting Windows env via the name parameter of the certificate post endpoint.
 
-
 1.6.0 - `2023-10-23`
 ~~~~~~~~~~~~~~~~~~~~
 - Add NTLM auth support for ADCS issuer.

Makefile

@@ -50,7 +50,7 @@ reset-db:
 
 setup-git:
 	@echo "--> Installing git hooks"
-	if [ -d .git/hooks ]; then \
+	if [[ -d .git/hooks && -d hooks ]]; then \
 		git config branch.autosetuprebase always; \
 		cd .git/hooks && ln -sf ../../hooks/* ./; \
 	fi
@@ -94,7 +94,7 @@ lint: lint-python lint-js
 lint-python:
 	@echo "--> Linting Python files"
 	PYFLAKES_NODOCTEST=1 flake8 lemur
-	mypy .
+	mypy  # scan the directory specified in mypy.ini
 	@echo ""
 
 lint-js:
@@ -116,10 +116,10 @@ endif
 	@echo "--> Updating Python requirements"
 	pip install --upgrade pip
 	pip install --upgrade pip-tools
-	pip-compile --output-file requirements.txt requirements.in -U --no-emit-index-url --resolver=backtracking
-	pip-compile --output-file requirements-docs.txt requirements-docs.in -U --no-emit-index-url --resolver=backtracking
-	pip-compile --output-file requirements-dev.txt requirements-dev.in -U --no-emit-index-url --resolver=backtracking
-	pip-compile --output-file requirements-tests.txt requirements-tests.in -U --no-emit-index-url --resolver=backtracking
+	pip-compile -v --output-file requirements.txt requirements.in -U --no-emit-index-url --resolver=backtracking
+	pip-compile -v --output-file requirements-tests.txt requirements-tests.in -U --no-emit-index-url --resolver=backtracking
+	pip-compile -v --output-file requirements-dev.txt requirements-dev.in -U --no-emit-index-url --resolver=backtracking
+	pip-compile -v --output-file requirements-docs.txt requirements-docs.in -U --no-emit-index-url --resolver=backtracking
 	@echo "--> Done updating Python requirements"
 	@echo "--> Installing new dependencies"
 	pip install -e .

docs/quickstart/index.rst

@@ -90,6 +90,7 @@ And then run:
 
 .. code-block:: bash
 
+  make up-reqs
   make release
 
 .. note:: This command will install npm dependencies as well as compile static assets.
@@ -193,13 +194,19 @@ Your database installation requires the pg_trgm extension. If you do not have th
 
 Additional notifications can be created through the UI or API.  See :ref:`Notification Options <NotificationOptions>` and :ref:`Command Line Interface <CommandLineInterface>` for details.
 
-**Make note of the password used as this will be used during first login to the Lemur UI.**
-
 .. code-block:: bash
 
     cd /www/lemur/lemur
+    lemur db init
+
+Then
+
+.. code-block:: bash
+
     lemur init
 
+**Make note of the password used as this will be used during first login to the Lemur UI.**
+
 .. note:: If you added the SUPERUSER permission to the lemur database user above, it is recommended you revoke that permission now.
 
 .. code-block:: bash

lemur/auth/views.py

@@ -159,7 +159,10 @@ def retrieve_user(user_api_url, access_token):
     r = requests.get(user_api_url, params=user_params, headers=headers)
     # Some IDPs, like "Keycloak", require a POST instead of a GET
     if r.status_code == 400:
-        r = requests.post(user_api_url, data=user_params, headers=headers)
+        if current_app.config.get("PING_EXCLUDE_USER_PARAMS", False):
+            r = requests.post(user_api_url, headers=headers)
+        else:
+            r = requests.post(user_api_url, data=user_params, headers=headers)
 
     profile = r.json()
 

lemur/certificates/schemas.py

@@ -369,6 +369,11 @@ def handle_subject_details(self, data):
             if field in data and data[field] is None:
                 data.pop(field)
 
+        # Earlier common_name was a required field and thus in most places it is checked not be None
+        # Now that it is optional, setting value as empty string instead of None for backward compatibility
+        if data.get("common_name") is None:
+            data["common_name"] = ""
+
 
 class CertificateShortOutputSchema(LemurOutputSchema):
     id = fields.Integer()

lemur/factory.py

@@ -61,7 +61,7 @@ def create_app(app_name=None, blueprints=None, config=None):
     if ctx and config is None:
         script_info = ctx.obj
         if script_info:
-            config = script_info.config
+            config = getattr(script_info, 'config')
 
     configure_app(app, config)
     configure_blueprints(app, blueprints)

lemur/plugins/lemur_google_ca/__init__.py

@@ -0,0 +1,4 @@
+try:
+    VERSION = __import__("pkg_resources").get_distribution(__name__).version
+except Exception as e:
+    VERSION = "unknown"