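def _matches_domain_whitelist(name, allowed_domains, allow_wildcard):
    """Return True if *name* matches at least one whitelisted domain pattern.

    The comparison itself is delegated to ``utils.compare_name_pattern``;
    *allow_wildcard* is forwarded unchanged so one policy decides whether a
    ``*`` label in the requested name may satisfy a placeholder in the
    pattern.
    """
    return any(
        utils.compare_name_pattern(name, pattern, allow_wildcard)
        for pattern in allowed_domains
    )


def _matches_ip_whitelist(ip, allowed_ips, allowed_ranges):
    """Return True if *ip* is an exact whitelisted address or lies in a whitelisted range."""
    if ip in allowed_ips:
        return True
    return any(ip in net for net in allowed_ranges)


def whitelist_names(csr=None, names=None, allow_cn_id=False, allow_dns_id=False,
                    allow_ip_id=False, allow_wildcard=False, **kwargs):
    """Ensure names match the whitelist in the allowed name slots.

    Every identifier the CSR asks for must (a) sit in a name slot that the
    policy explicitly enables and (b) match an entry of *names*.  The check
    is fail-closed: all three slots are disabled by default, the first
    offending name raises, and SAN entries of a kind this validator does not
    inspect are rejected rather than ignored.

    Args:
        csr: the parsed request.  It must provide ``get_subject_dns_ids()``,
            ``get_subject_ip_ids()``, ``get_subject_cn()`` and
            ``has_unknown_san_entries()``.  The ``None`` default is not a
            usable value; as in the original, it fails with ``AttributeError``.
        names: whitelist entries, split by ``_split_names_by_type`` into
            domain patterns, exact IP addresses and IP ranges.  ``None``
            (the default) means an empty whitelist.
        allow_cn_id: permit names in the subject CN.
        allow_dns_id: permit DNS-ID names.
        allow_ip_id: permit IP-ID names.
        allow_wildcard: forwarded to ``utils.compare_name_pattern`` whenever a
            requested name is matched against a domain pattern.
        **kwargs: accepted and ignored -- presumably the caller passes a
            common keyword set to every validator; verify against the caller.

    Raises:
        v_errors.ValidationError: a slot is used but not allowed, a requested
            name is not on the whitelist, or the request carries SAN entries
            this validator does not know how to check.
    """
    # Backward-compatible replacement for the former mutable ``names=[]`` default.
    if names is None:
        names = []
    allowed_domains, allowed_ips, allowed_ranges = _split_names_by_type(names)

    for dns_id in csr.get_subject_dns_ids():
        # The slot check lives inside the loop on purpose: a request that
        # carries no DNS-IDs is not rejected merely because the slot is off.
        if not allow_dns_id:
            # Fixed message: this is the DNS-ID slot (the original said "IP-ID").
            raise v_errors.ValidationError("DNS-ID not allowed")
        if not _matches_domain_whitelist(dns_id, allowed_domains, allow_wildcard):
            raise v_errors.ValidationError(
                "Value `%s` not allowed in DNS-ID" % (dns_id,))

    for ip_id in csr.get_subject_ip_ids():
        if not allow_ip_id:
            raise v_errors.ValidationError("IP-ID not allowed")
        # The original walked allowed_ranges with a ``continue`` that only
        # advanced the inner loop, so a hit in a range never skipped the
        # raise: ranges were silently ineffective for IP-IDs even though they
        # worked for IP-valued CNs.  Both slots now share one rule.
        if not _matches_ip_whitelist(ip_id, allowed_ips, allowed_ranges):
            raise v_errors.ValidationError(
                "Value `%s` not allowed in IP-ID" % (ip_id,))

    for cn_id in csr.get_subject_cn():
        if not allow_cn_id:
            raise v_errors.ValidationError("CN-ID not allowed")
        ip = utils.maybe_ip(cn_id)
        # Truthiness test kept from the original; maybe_ip's failure value is
        # not visible here -- TODO confirm it never returns a falsy address.
        if ip:
            # CN holds an IP address: judge it by the IP rules.
            allowed = _matches_ip_whitelist(ip, allowed_ips, allowed_ranges)
        else:
            # CN holds a host name: judge it by the domain rules.
            allowed = _matches_domain_whitelist(cn_id, allowed_domains, allow_wildcard)
        if not allowed:
            raise v_errors.ValidationError(
                "Value `%s` not allowed in CN-ID" % (cn_id,))

    # Anything has_unknown_san_entries() flags was, by construction, never
    # compared against the whitelist above, so it must not pass silently.
    if csr.has_unknown_san_entries():
        raise v_errors.ValidationError("Request contains unknown SAN entries")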
def test_check_compare_name_pattern(self):
    """Spot-check compare_name_pattern on exact, wildcard and ``%`` placeholder matching."""
    # (requested name, whitelist pattern, allow_wildcard, expected verdict)
    # The cases pin down the rules the whitelist relies on: a ``%`` stands
    # for exactly one label (never crosses a dot), a literal ``*`` in the
    # request satisfies a ``%`` only when wildcards are allowed, and a
    # partial-label pattern such as ``host-%`` is honoured.
    expectations = (
        ("example.com", "example.com", False, True),
        ("*.example.com", "*.example.com", False, True),
        ("*.example.com", "%.example.com", True, True),
        ("*.example.com", "%.example.com", False, False),
        ("abc.example.com", "%.example.com", False, True),
        ("abc.def.example.com", "%.example.com", False, False),
        ("abc.def.example.com", "%.%.example.com", False, True),
        ("host-123.example.com", "host-%.example.com", False, True),
    )
    for requested, pattern, allow_wildcard, expected in expectations:
        verdict = utils.compare_name_pattern(requested, pattern, allow_wildcard)
        self.assertEqual(
            expected,
            verdict,
            "checking %s against %s failed" % (requested, pattern),
        )