Lemur

Latest version: v1.8.1


1.8.1
~~~~~~~~~~~~~~~~~~~~

Updated deployment workflow to use `pypa/gh-action-pypi-publish`.

1.8.0
~~~~~~~~~~~~~~~~~~~~

- Added `PING_EXCLUDE_USER_PARAMS` config option.
- Added Google CA issuer plugin. This plugin creates certificates via Google CA Manager API.
- Allow CN to be optional in reissue and clone.

Special thanks to all who contributed to this release, notably:

- `odopertchouk <https://github.com/odopertchouk>`_

1.7.0
~~~~~~~~~~~~~~~~~~~~

- To avoid confusion, the debug app configuration property has been replaced with the standard DEBUG Flask app config.
- Added support for new versions of LEMUR_TOKEN_SECRET via the LEMUR_TOKEN_SECRETS config option. This allows for migration and rotation of the secret.
- Added ENTRUST_INFER_EKU config property, which attempts to compute the appropriate EKU value from the CSR (default False).
- Added DIGICERT_CIS_USE_CSR_FIELDS to control the `use_csr_fields` create certificate API field (default False).
- Added Digicert source plugin. Enable it with DIGICERT_SOURCE_ENABLED.
- Added AWS ACM source plugin. This plugin retrieves all certificates for an account and a region.
- Added AWS ACM destination plugin. This plugin uploads a certificate to AWS ACM.
- Allow updating options field via authority update API.
- Fixed a DoS security issue affecting Windows environments via the name parameter of the certificate POST endpoint.

1.6.0
~~~~~~~~~~~~~~~~~~~~

Not secure

- Add NTLM auth support for ADCS issuer.
- Added password complexity requirements:

  - At least 12 characters (required for your Muhlenberg password)—the more characters, the better
  - A mixture of both uppercase and lowercase letters
  - A mixture of letters and numbers
  - Inclusion of at least one special character, e.g., ! ? ]

- If you don't want password complexity requirements, you can set CHECK_PASSWORD_STRENGTH to False.
- Added ability to limit authority creation to admins only using config option `ADMIN_ONLY_AUTHORITY_CREATION`.
- User passwords can now be updated by admins with the update user endpoint.
- Route53 find_zone_dns now selects the maximum suffix match for zone id (previously we selected the first match).
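
The Route53 change above, as an added example (not Lemur's code), contrasts picking the first matching hosted zone with picking the maximum suffix match. The function names, zone names and zone IDs are constructed, the plain string-suffix test in ``first_match`` is an assumed stand-in for the old behaviour, and the label-boundary check goes beyond what the changelog states.

```python
# Added illustration; not Lemur's implementation. Zone names and IDs are constructed.
ZONES = [
    ("example.com.", "ZPARENT"),
    ("dev.example.com.", "ZCHILD"),
    ("ple.com.", "ZOTHER"),
]


def _norm(name):
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def _covers(zone, domain):
    """True if domain is the zone apex or sits under it on a label boundary."""
    zone, domain = _norm(zone), _norm(domain)
    return domain == zone or domain.endswith("." + zone)


def first_match(domain, zones):
    """Assumed old behaviour: return the first zone whose name is a string suffix."""
    for name, zone_id in zones:
        if _norm(domain).endswith(_norm(name)):
            return zone_id
    return None


def max_suffix_match(domain, zones):
    """Described new behaviour: return the zone with the longest matching suffix."""
    candidates = [(len(_norm(n)), zid) for n, zid in zones if _covers(n, domain)]
    if not candidates:
        return None
    return max(candidates)[1]


if __name__ == "__main__":
    for d in ("api.dev.example.com", "www.example.com", "sample.com"):
        print(d, first_match(d, ZONES), max_suffix_match(d, ZONES))
```

With a delegated child zone present, the first-match lookup returns the parent zone for ``api.dev.example.com``, while the maximum suffix match returns the child zone that actually serves the name.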

1.5.0
~~~~~~~~~~~~~~~~~~~~

Not secure

- Fixed a bug where S3 deletes wouldn't work due to not respecting the configured exportPlugin.
- Flask 2.3.2 Upgrade.
- Implemented Click CLI.
- Removed flask-script.
- Updated werkzeug to 2.3.6 and jinja2 to 3.1.2.
- Updated CORS settings to use Flask-CORS Configuration Options.
- Added new Custom Response Headers option to Lemur Configuration.
- Added legacy p12 export type to openssl plugin. New versions of openssl produce keystores incompatible with older
  versions of JDK8, so in some cases it may be useful to export in this format. Note that legacy p12 files do *NOT* feature strong encryption, and you should not rely on confidentiality of the exported resource.

CLI Command Updates:

- `runserver` cmd has been replaced by the default `run` cmd.
- `show_urls` cmd has been replaced by the default `routes` cmd.
- `clean` cmd has been removed. Currently there is no default replacement for the `clean` cmd.

1.4.0
~~~~~~~~~~~~~~~~~~~~

Not secure

Added support for Python 3.10, Postgres 15, and Ubuntu 22.04.
Removed support for Postgres 10 and Ubuntu 18.04.

Python 3.11 is known not to work with the current version of Flask.

All combinations tested via GitHub Actions are listed below:

.. list-table:: Version Support Matrix
   :header-rows: 1

   * - Python
     - Postgres
     - Ubuntu
   * - 3.8
     - 12
     - 20.04
   * - 3.8
     - 15
     - 20.04
   * - 3.9
     - 12
     - 20.04
   * - 3.9
     - 15
     - 20.04
   * - 3.9
     - 15
     - 20.04
   * - 3.10
     - 12
     - 22.04
   * - 3.10
     - 15
     - 22.04

Added additional validation and logging for destinations.
Destination labels are now limited to 32 characters, and S3
prefixes can no longer begin with /.
S3 destination path prefixes now default to "" instead of "None/".

Enforce case consistency in authority signing algorithms. Specifically, this renames SHA384withECDSA -> sha384WithECDSA
and SHA512withECDSA -> sha512WithECDSA. Notably, the backend schema will still accept the uppercase equivalents to
maintain backwards compatibility.
