示例#1
0
文件: custom.py 项目: deenine/anchor
def whitelist_names(csr=None, names=[], allow_cn_id=False, allow_dns_id=False,
                    allow_ip_id=False, allow_wildcard=False, **kwargs):
    """Ensure names match the whitelist in the allowed name slots."""

    allowed_domains, allowed_ips, allowed_ranges = _split_names_by_type(names)

    for dns_id in csr.get_subject_dns_ids():
        if not allow_dns_id:
            raise v_errors.ValidationError("IP-ID not allowed")
        valid = False
        for allowed_domain in allowed_domains:
            if utils.compare_name_pattern(dns_id, allowed_domain,
                                          allow_wildcard):
                valid = True
                break
        if not valid:
            raise v_errors.ValidationError(
                "Value `%s` not allowed in DNS-ID" % (dns_id,))

    for ip_id in csr.get_subject_ip_ids():
        if not allow_ip_id:
            raise v_errors.ValidationError("IP-ID not allowed")
        if ip_id in allowed_ips:
            continue
        for net in allowed_ranges:
            if ip_id in net:
                continue
        raise v_errors.ValidationError(
            "Value `%s` not allowed in IP-ID" % (ip_id,))

    for cn_id in csr.get_subject_cn():
        if not allow_cn_id:
            raise v_errors.ValidationError("CN-ID not allowed")
        ip = utils.maybe_ip(cn_id)
        if ip:
            # current CN is an ip address
            if ip in allowed_ips:
                continue
            if any((ip in net) for net in allowed_ranges):
                continue
            raise v_errors.ValidationError(
                "Value `%s` not allowed in CN-ID" % (cn_id,))
        else:
            # current CN is a domain
            valid = False
            for allowed_domain in allowed_domains:
                if utils.compare_name_pattern(cn_id, allowed_domain,
                                              allow_wildcard):
                    valid = True
                    break
            if valid:
                continue
            raise v_errors.ValidationError(
                "Value `%s` not allowed in CN-ID" % (cn_id,))

    if csr.has_unknown_san_entries():
        raise v_errors.ValidationError("Request contains unknown SAN entries")
 def test_check_compare_name_pattern(self):
     cases = [
         ("example.com", "example.com", False, True),
         ("*.example.com", "*.example.com", False, True),
         ("*.example.com", "%.example.com", True, True),
         ("*.example.com", "%.example.com", False, False),
         ("abc.example.com", "%.example.com", False, True),
         ("abc.def.example.com", "%.example.com", False, False),
         ("abc.def.example.com", "%.%.example.com", False, True),
         ("host-123.example.com", "host-%.example.com", False, True),
     ]
     for value, pattern, wildcard, result in cases:
         self.assertEqual(
             result,
             utils.compare_name_pattern(value, pattern, wildcard),
             "checking %s against %s failed" % (value, pattern))