Original validator checked for domain labels as defined by RFC1034, however real
internet deals with other domains as well - starting with digits or symbols.
This change allows modifying the pattern to allow custom / relaxed rules.
Validation has been removed from adding a domain to a new extension, since it's
only used in fixups and the domain should be already validated. (or not, if not
configured)
Closes-bug: 1592489
Change-Id: Ib453054ba5f554bab28cff392c539e713fa28918
Standards validation was correct, but could use a better error message. That
will follow in later commits.
This reverts commit 87d9da87b4.
Change-Id: Ib5fa6ffcdba879c4eabff513ee2b09a41271bebf
Standards validation is failing using the examples in the readme,
until this can be fixed and added to the tests, disabling
standards validation.
Change-Id: Ia22e2c2923c118321911c127bb4d46e50bca408b
Add the support for actually sending the audit messages, or logging them
using the standard logging mechanisms.
Change-Id: I98067da8db4987f9f9859a8c6d5443a94677f856
This config option was referring to a validator that was removed in
https://review.openstack.org/#/c/238345/ it is not needed and was
causing anchor to fail startup.
Change-Id: Ia2ef8765f776a8bcba825674b7a246b83b41dd12
Add a validator which collects various standard format/behaviour tests.
These are not user-configurable and any valid request failing them is a
bug in Anchor.
All checks reference the document where they're defined.
Closes-bug: 1476877
Partial-bug: 1476875
Change-Id: I208685d8d7cde40ed5294e7235d64ca17617c094
Signing requests are expected to arrive at
/v1/sign/<registration_authority>
now. Virtual registration authority is a new concept which right now includes
everything the original configuration included. That means for example each
registration authority available within Anchor deployment can configure its own
CA, auth, and validators. Clients request a specific registration authority via
the URL. This does not mean they can just choose who signs the CSR - they still
need to pass all checks. Only the guesswork of "which validation set applies to
them" is gone because of this change.
The previous concept of validator sets is gone. Each registration authority
configures its own validators and all of them need to pass.
Previous endpoint /sign will not work anymore. It's incompatible with
the new design.
The configuration file changes in the following way:
1. Registration authorities need to be defined in the main config.
2. Validator sets are not available anymore.
3. CA and auth settings at the top level need to be named. They can be referred
to in the registration authority block.
4. Old names are removed. Any use of "auth", "ca", or "validators" at the top
level will result in an error and explanation regarding the upgrade path.
Further documentation and a sample config with the new layout can be found in
the docs/configuration.rst file.
Closes-bug: 1463752
Change-Id: I5a949e0c79a2d56eadadf5ece62bb8b8eea89e78
Split the README documentation into better section. Refresh the text,
so that it matches the current code. Ensure the sample config works
with the examples.
Closes-bug: 1437703
Change-Id: I1548892a97d82fdcd1a4fe53f24c0fcdb6e35f1f