Merge branch 'Venafi:master' into retire-cert

Author: Pmaraveyias

docker-entrypoint.sh

@@ -8,6 +8,8 @@ bandit -r vcert/
 
 # ID 40291 is pip, ignore so we can still test python 2.7
 #Ignoring false-positive issue with pytest. ref: https://github.com/pytest-dev/py/issues/287
-safety check -i 40291 -i 51457
+#Ignoring cryptography issue 59473 The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
+# If we upgrade to cryptography 41.0.2 or higher we get `pyo3 modules may only be initialized once per interpreter process` and tests cannot run
+safety check -i 40291 -i 51457 -i 59473
 
 pytest -v --junit-xml=junit.xml --junit-prefix=`python -V | tr ' ' '_'` --cov=vcert --cov=vcert.parser --cov=vcert.policy --cov-report term --cov-report xml

requirements-build.txt

@@ -1,4 +1,4 @@
-pytest==7.3.1
+pytest==7.4.3
 pytest-cov==4.1.0
 safety==2.3.5
 bandit==1.7.5

requirements.txt

@@ -2,5 +2,5 @@ requests==2.31.0
 python-dateutil==2.8.2
 cryptography==40.0.2
 six==1.16.0
-ruamel.yaml==0.17.31
+ruamel.yaml==0.18.5
 pynacl==1.5.0

setup.py

@@ -11,7 +11,7 @@
     long_description = f.read()
 
 setup(name='vcert',
-      version='0.16.0',
+      version='0.16.2',
       url="https://github.com/Venafi/vcert-python",
       packages=['vcert', 'vcert.parser', 'vcert.policy'],
       install_requires=['requests==2.31.0', 'python-dateutil==2.8.2', 'certvalidator<=0.11.1', 'six==1.16.0',

vcert/connection_cloud.py

@@ -403,7 +403,9 @@ def request_cert(self, request, zone):
         status, data = self._post(URLS.CERTIFICATE_REQUESTS, data=request_data)
         if status == HTTPStatus.CREATED:
             request.id = data['certificateRequests'][0]['id']
-            request.cert_guid = data['certificateRequests'][0]['certificateIds'][0]
+            if 'certificateIds' in data['certificateRequests'][0] \
+                    and len(data['certificateRequests'][0]['certificateIds']) > 0:
+                request.cert_guid = data['certificateRequests'][0]['certificateIds'][0]
             return True
         else:
             log.error(f"unexpected server response {status}: {data}")
@@ -413,11 +415,26 @@ def retrieve_cert(self, request):
         cert_status = self._get_cert_status(request)
         if cert_status.status == CertStatuses.PENDING or cert_status.status == CertStatuses.REQUESTED:
             log.info(f"Certificate status is {cert_status.status}")
-            return None
-        elif cert_status.status == CertStatuses.FAILED:
+            # Time in seconds
+            time_start = time.time()
+            while True:
+                log.debug("Waiting for certificate...")
+                time.sleep(3)
+                cert_status = self._get_cert_status(request)
+                if cert_status.status == CertStatuses.ISSUED:
+                    log.info(f"Certificate status is {cert_status.status}")
+                    break
+                elif (time.time() - time_start) < request.timeout:
+                    continue
+                else:
+                    raise RetrieveCertificateTimeoutError(f"Operation timed out at {request.timeout} seconds "
+                                                          f"while waiting for certificate with id {request.id} to be ISSUED")
+
+        if cert_status.status == CertStatuses.FAILED:
             log.debug(f"Certificate status is {cert_status.status}. Returning data for debug")
             return "Certificate FAILED"
-        elif cert_status.status == CertStatuses.ISSUED:
+
+        if cert_status.status == CertStatuses.ISSUED:
             request.cert_guid = cert_status.certificateIds[0]
             dek_info = self._get_dek_hash(request.cert_guid)
             if dek_info and dek_info.public_key: