Add source ip validation

Change-Id: I70c694be981f79c0fa8103275229efc48bdb035c
2014-08-26 20:20:58 +01:00 · 2014-08-26 20:20:58 +01:00 · 0e4e2e8e6a
parent 8a6554055e
commit 0e4e2e8e6a
5 changed files with 20 additions and 3 deletions
--- a/config.py
+++ b/config.py
@ -50,6 +50,7 @@ validators = [
            ('extensions', {'allowed_extensions': ['keyUsage', 'subjectAltName', 'basicConstraints', 'subjectKeyIdentifier']}),
            ('key_usage', {'allowed_usage': ['Digital Signature', 'Key Encipherment', 'Non Repudiation', 'Certificate Sign', 'CRL Sign']}),
            ('ca_status', {'ca_requested': False}),
+            ('source_cidrs', {'cidrs': ["127.0.0.0/8"]}),
        ]
    },
 ]
--- a/ephemeral_ca/certificate_ops.py
+++ b/ephemeral_ca/certificate_ops.py
@ -20,8 +20,8 @@ def parse_csr(csr, encoding):
        return None


-def validate_csr(auth_result, csr):
-    args = {'auth_result': auth_result, 'csr': csr, 'conf': conf}
+def validate_csr(auth_result, csr, request):
+    args = {'auth_result': auth_result, 'csr': csr, 'conf': conf, 'request': request}
    for validator_steps in conf.validators:
        logger.debug("Checking validators set <%s>", validator_steps.get("name"))
        valid = True
--- a/ephemeral_ca/controllers/init.py
+++ b/ephemeral_ca/controllers/init.py
@ -34,7 +34,7 @@ class RootController(object):
            return 'CSR cannot be parsed\n'

        try:
-            certificate_ops.validate_csr(auth_result, csr)
+            certificate_ops.validate_csr(auth_result, csr, request)
        except validators.ValidationError as e:
            logger.exception("csr failed validation")
            response.status_int = 409
--- a/ephemeral_ca/validators.py
+++ b/ephemeral_ca/validators.py
@ -1,4 +1,5 @@
 import M2Crypto
+import netaddr


 class ValidationError(Exception):
@ -118,3 +119,17 @@ def ca_status(csr=None, ca_requested=False, **kwargs):
            has_crl_sign = ('CRL Sign' in usages)
            if ca_requested != has_cert_sign or ca_requested != has_crl_sign:
                raise ValidationError("Key usage doesn't match requested CA status (keyCertSign/cRLSign: %s/%s)" % (has_cert_sign, has_crl_sign))
+
+
+def source_cidrs(request=None, cidrs=None, **kwargs):
+    """
+    Ensure that the request comes from a known source
+    """
+    for cidr in cidrs:
+        try:
+            r = netaddr.IPNetwork(cidr)
+            if request.client_addr in r:
+                return
+        except netaddr.AddrFormatError:
+            raise ValidationError("Cidr <%s> does not describe a valid network", cidr)
+    raise ValidationError("No network matched the request source <%s>", request.client_addr)
--- a/setup.py
+++ b/setup.py
@ -12,6 +12,7 @@ setup(
        'm2crypto',
        'pecan',
        'setuptools>=1.0',
+        'netaddr',
    ],
    extras_require={
        'auth_ldap': ['python-ldap'],