def test_csr_require_cn(self):
    """csr_require_cn yields the fixture CN and rejects a CSR with an empty subject."""
    # Happy path: the fixture CSR carries the CN the test class expects.
    cn = utils.csr_require_cn(self.csr)
    self.assertEqual(cn, self.csr_sample_cn)
    # Replace the subject with a fresh, empty X509Name so no CN remains.
    empty_subject = name.X509Name()
    self.csr.set_subject(empty_subject)
    # With no CN present the helper must refuse the CSR.
    with self.assertRaises(errors.ValidationError):
        utils.csr_require_cn(self.csr)
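def common_name(csr, allowed_domains=None, allowed_networks=None, **kwargs):
    """Check the CN entry is a known domain.

    Refuse requests for certificates if they contain multiple CN entries,
    or the domain does not match the list of known suffixes.

    Args:
        csr: certificate signing request; must expose ``get_extensions()``
            and ``get_subject().get_entries_by_oid()``.
        allowed_domains: domain suffixes handed to ``utils.check_domains``
            when the CN is not an IP literal. ``None`` means an empty list.
        allowed_networks: networks handed to ``utils.check_networks`` when
            the CN parses as an IP address. ``None`` means an empty list.
        **kwargs: ignored; accepted so all validators share one call shape.

    Raises:
        v_errors.ValidationError: more than one CN, no CN without a
            subjectAltName extension, or a CN outside the allowed
            domains/networks.
    """
    # Immutable sentinels instead of `[]` defaults: a shared default list
    # would be visible to every caller if anything ever mutated it.
    if allowed_domains is None:
        allowed_domains = []
    if allowed_networks is None:
        allowed_networks = []

    alt_present = any(ext.get_name() == "subjectAltName"
                      for ext in csr.get_extensions())
    CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName)

    if len(CNs) > 1:
        raise v_errors.ValidationError("Too many CNs in the request")

    # rfc2459#section-4.2.1.6 says so
    if len(CNs) == 0 and not alt_present:
        raise v_errors.ValidationError("Alt subjects have to exist if the main"
                                       " subject doesn't")

    if len(CNs) == 0:
        return

    cn = utils.csr_require_cn(csr)
    # Keep the try body minimal so only the parse is guarded; a
    # ValidationError raised by the checks below must propagate unchanged.
    # NOTE(review): netaddr.IPAddress is lenient with abbreviated IPv4 forms
    # by default; confirm whether the stricter netaddr.INET_PTON flag is
    # wanted so that such strings are matched as domains instead.
    try:
        # is it an IP rather than domain?
        ip = netaddr.IPAddress(cn)
    except netaddr.AddrFormatError:
        # Not an IP literal: the CN is validated as a domain name.
        if not utils.check_domains(cn, allowed_domains):
            raise v_errors.ValidationError(
                "Domain '%s' not allowed (does not match known domains)" % cn)
    else:
        if not utils.check_networks(ip, allowed_networks):
            raise v_errors.ValidationError(
                "Address '%s' not allowed (does not match known networks)" % cn)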
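def server_group(auth_result=None, csr=None, group_prefixes=None, **kwargs):
    """Check Team prefix.

    Make sure that for server names containing a team prefix, the team is
    verified against the groups the user is a member of.

    Args:
        auth_result: authentication result; its ``groups`` attribute is
            consulted only when the CN carries a known prefix.
        csr: certificate signing request passed to ``utils.csr_require_cn``.
        group_prefixes: mapping from CN prefix (the text before the first
            ``-``) to the group name that must be present in
            ``auth_result.groups``. ``None`` means an empty mapping.
        **kwargs: ignored; accepted so all validators share one call shape.

    Raises:
        v_errors.ValidationError: the CN prefix is known but its group is
            not among the user's groups.
    """
    # Immutable sentinel instead of a shared `{}` default.
    if group_prefixes is None:
        group_prefixes = {}

    cn = utils.csr_require_cn(csr)
    parts = cn.split('-')
    # A bare name, or a "prefix" that is really the first DNS label, has
    # no team prefix to verify.
    if len(parts) == 1 or '.' in parts[0]:
        return  # no prefix

    prefix = parts[0]
    if prefix not in group_prefixes:
        return

    # NOTE(review): auth_result is assumed to be non-None here whenever a
    # prefix matches; a None value would surface as an AttributeError.
    if group_prefixes[prefix] not in auth_result.groups:
        raise v_errors.ValidationError(
            "Server prefix doesn't match user groups")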
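def blacklist_names(csr, domains=None, **kwargs):
    """Check for blacklisted names in CN and altNames.

    Args:
        csr: certificate signing request; its CN (if any) and its DNS
            subjectAltName entries are matched against ``domains``.
        domains: blacklisted domain list handed to ``utils.check_domains``.
            When empty or ``None`` the step logs a warning and does nothing.
        **kwargs: ignored; accepted so all validators share one call shape.

    Raises:
        v_errors.ValidationError: the CN or a DNS altName matches the
            blacklist.
    """
    # An empty blacklist is almost certainly a configuration mistake, so say
    # so loudly rather than silently approving every name.
    if not domains:
        logger.warning("No domains were configured for the blacklist filter, "
                       "consider disabling the step or providing a list")
        return

    CNs = csr.get_subject().get_entries_by_oid(x509_name.OID_commonName)
    if len(CNs) > 0:
        cn = utils.csr_require_cn(csr)
        if utils.check_domains(cn, domains):
            raise v_errors.ValidationError("Domain '%s' not allowed "
                                           "(CN blacklisted)" % cn)

    # Only DNS altNames are checked; other altName types are skipped rather
    # than rejected (fail_other_types=False).
    alt_names = utils.iter_alternative_names(csr, ['DNS'],
                                             fail_other_types=False)
    for _, name in alt_names:
        if utils.check_domains(name, domains):
            raise v_errors.ValidationError("Domain '%s' not allowed "
                                           "(alt blacklisted)" % name)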