def test_csr_require_cn(self):
common_name = utils.csr_require_cn(self.csr)
self.assertEqual(common_name, self.csr_sample_cn)
self.csr.set_subject(name.X509Name())
with self.assertRaises(errors.ValidationError):
utils.csr_require_cn(self.csr)
def test_csr_require_cn(self):
common_name = utils.csr_require_cn(self.csr)
self.assertEqual(common_name, self.csr_sample_cn)
self.csr.set_subject(name.X509Name())
with self.assertRaises(errors.ValidationError):
utils.csr_require_cn(self.csr)
def common_name(csr, allowed_domains=[], allowed_networks=[], **kwargs):
"""Check the CN entry is a known domain.
Refuse requests for certificates if they contain multiple CN
entries, or the domain does not match the list of known suffixes.
"""
alt_present = any(ext.get_name() == "subjectAltName"
for ext in csr.get_extensions())
CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName)
if len(CNs) > 1:
raise v_errors.ValidationError("Too many CNs in the request")
# rfc2459#section-4.2.1.6 says so
if len(CNs) == 0 and not alt_present:
raise v_errors.ValidationError("Alt subjects have to exist if the main"
" subject doesn't")
if len(CNs) > 0:
cn = utils.csr_require_cn(csr)
try:
# is it an IP rather than domain?
ip = netaddr.IPAddress(cn)
if not (utils.check_networks(ip, allowed_networks)):
raise v_errors.ValidationError(
"Address '%s' not allowed (does not match known networks)"
% cn)
except netaddr.AddrFormatError:
if not (utils.check_domains(cn, allowed_domains)):
raise v_errors.ValidationError(
"Domain '%s' not allowed (does not match known domains)"
% cn)
def server_group(auth_result=None, csr=None, group_prefixes={}, **kwargs):
"""Check Team prefix.
Make sure that for server names containing a team prefix, the team is
verified against the groups the user is a member of.
"""
cn = utils.csr_require_cn(csr)
parts = cn.split('-')
if len(parts) == 1 or '.' in parts[0]:
return # no prefix
if parts[0] in group_prefixes:
if group_prefixes[parts[0]] not in auth_result.groups:
raise v_errors.ValidationError(
"Server prefix doesn't match user groups")
def blacklist_names(csr, domains=[], **kwargs):
"""Check for blacklisted names in CN and altNames."""
if not domains:
logger.warning("No domains were configured for the blacklist filter, "
"consider disabling the step or providing a list")
return
CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName)
if len(CNs) > 0:
cn = utils.csr_require_cn(csr)
if utils.check_domains(cn, domains):
raise v_errors.ValidationError("Domain '%s' not allowed "
"(CN blacklisted)" % cn)
for _, name in utils.iter_alternative_names(csr, ['DNS'],
fail_other_types=False):
if utils.check_domains(name, domains):
raise v_errors.ValidationError("Domain '%s' not allowed "
"(alt blacklisted)" % name)
