def whitelist_names(csr=None, names=[], allow_cn_id=False, allow_dns_id=False,
allow_ip_id=False, allow_wildcard=False, **kwargs):
"""Ensure names match the whitelist in the allowed name slots."""
allowed_domains, allowed_ips, allowed_ranges = _split_names_by_type(names)
for dns_id in csr.get_subject_dns_ids():
if not allow_dns_id:
raise v_errors.ValidationError("IP-ID not allowed")
valid = False
for allowed_domain in allowed_domains:
if utils.compare_name_pattern(dns_id, allowed_domain,
allow_wildcard):
valid = True
break
if not valid:
raise v_errors.ValidationError(
"Value `%s` not allowed in DNS-ID" % (dns_id,))
for ip_id in csr.get_subject_ip_ids():
if not allow_ip_id:
raise v_errors.ValidationError("IP-ID not allowed")
if ip_id in allowed_ips:
continue
for net in allowed_ranges:
if ip_id in net:
continue
raise v_errors.ValidationError(
"Value `%s` not allowed in IP-ID" % (ip_id,))
for cn_id in csr.get_subject_cn():
if not allow_cn_id:
raise v_errors.ValidationError("CN-ID not allowed")
ip = utils.maybe_ip(cn_id)
if ip:
# current CN is an ip address
if ip in allowed_ips:
continue
if any((ip in net) for net in allowed_ranges):
continue
raise v_errors.ValidationError(
"Value `%s` not allowed in CN-ID" % (cn_id,))
else:
# current CN is a domain
valid = False
for allowed_domain in allowed_domains:
if utils.compare_name_pattern(cn_id, allowed_domain,
allow_wildcard):
valid = True
break
if valid:
continue
raise v_errors.ValidationError(
"Value `%s` not allowed in CN-ID" % (cn_id,))
if csr.has_unknown_san_entries():
raise v_errors.ValidationError("Request contains unknown SAN entries")
def _split_names_by_type(names):
"""Identify ips and network ranges in a list of strings."""
allowed_domains = []
allowed_ips = []
allowed_ranges = []
for name in names:
ip = utils.maybe_ip(name)
if ip:
allowed_ips.append(ip)
continue
net = utils.maybe_range(name)
if net:
allowed_ranges.append(net)
continue
allowed_domains.append(name)
return (allowed_domains, allowed_ips, allowed_ranges)
