Add source ip validation
Change-Id: I70c694be981f79c0fa8103275229efc48bdb035c
This commit is contained in:
parent
8a6554055e
commit
0e4e2e8e6a
|
@ -50,6 +50,7 @@ validators = [
|
|||
('extensions', {'allowed_extensions': ['keyUsage', 'subjectAltName', 'basicConstraints', 'subjectKeyIdentifier']}),
|
||||
('key_usage', {'allowed_usage': ['Digital Signature', 'Key Encipherment', 'Non Repudiation', 'Certificate Sign', 'CRL Sign']}),
|
||||
('ca_status', {'ca_requested': False}),
|
||||
('source_cidrs', {'cidrs': ["127.0.0.0/8"]}),
|
||||
]
|
||||
},
|
||||
]
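Review bot: The new `source_cidrs` step pins the accepted sources to `127.0.0.0/8` in the checked-in validator set, so every request from a non-loopback peer is rejected, while a deployment that terminates TLS or proxies locally would see all forwarded traffic as loopback. The hardcoded list deserves a comment telling operators what to do with it, e.g. `# Source networks allowed to submit CSRs; set per deployment (the default admits loopback only)`. Whether this value is meant as a safe example or as a production default is not clear from the diff.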
|
||||
|
|
|
@ -20,8 +20,8 @@ def parse_csr(csr, encoding):
|
|||
return None
|
||||
|
||||
|
||||
def validate_csr(auth_result, csr):
|
||||
args = {'auth_result': auth_result, 'csr': csr, 'conf': conf}
|
||||
def validate_csr(auth_result, csr, request):
|
||||
args = {'auth_result': auth_result, 'csr': csr, 'conf': conf, 'request': request}
|
||||
for validator_steps in conf.validators:
|
||||
logger.debug("Checking validators set <%s>", validator_steps.get("name"))
|
||||
valid = True
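Review bot: `validate_csr` now takes a required positional `request` but has no docstring saying what it is or why it is forwarded through `args` to every validator step; a short one would help: `"""Run every configured validator step against csr. request is the incoming HTTP request, forwarded so steps can check request properties such as the client address."""`. Any remaining caller that still passes two arguments will fail with a TypeError; the controller call in this commit is updated, and the rest of validate_csr's body lies outside the hunk.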
|
||||
|
|
|
@ -34,7 +34,7 @@ class RootController(object):
|
|||
return 'CSR cannot be parsed\n'
|
||||
|
||||
try:
|
||||
certificate_ops.validate_csr(auth_result, csr)
|
||||
certificate_ops.validate_csr(auth_result, csr, request)
|
||||
except validators.ValidationError as e:
|
||||
logger.exception("csr failed validation")
|
||||
response.status_int = 409
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
import M2Crypto
|
||||
import netaddr
|
||||
|
||||
|
||||
class ValidationError(Exception):
|
||||
|
@ -118,3 +119,17 @@ def ca_status(csr=None, ca_requested=False, **kwargs):
|
|||
has_crl_sign = ('CRL Sign' in usages)
|
||||
if ca_requested != has_cert_sign or ca_requested != has_crl_sign:
|
||||
raise ValidationError("Key usage doesn't match requested CA status (keyCertSign/cRLSign: %s/%s)" % (has_cert_sign, has_crl_sign))
|
||||
|
||||
|
||||
def source_cidrs(request=None, cidrs=None, **kwargs):
|
||||
"""
|
||||
Ensure that the request comes from a known source
|
||||
"""
|
||||
for cidr in cidrs:
|
||||
try:
|
||||
r = netaddr.IPNetwork(cidr)
|
||||
if request.client_addr in r:
|
||||
return
|
||||
except netaddr.AddrFormatError:
|
||||
raise ValidationError("Cidr <%s> does not describe a valid network", cidr)
|
||||
raise ValidationError("No network matched the request source <%s>", request.client_addr)
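Review bot: Both `raise ValidationError(...)` lines pass the format argument as a second exception argument instead of interpolating it, so the `%s` is never filled in and `str(e)` becomes a tuple; the sibling `ca_status` above uses the `%` operator, so match it: `raise ValidationError("Cidr <%s> does not describe a valid network" % cidr)` and `raise ValidationError("No network matched the request source <%s>" % request.client_addr)`. The address being checked also deserves a look: if `request` is a WebOb request (the controller's `response.status_int` suggests it is), `client_addr` is documented to prefer the X-Forwarded-For header over REMOTE_ADDR, so the CIDR check would key on a header the caller can supply rather than on the peer address; `request.remote_addr`, or X-Forwarded-For honoured only when the peer is a configured proxy, is the safer input — confirm against the WebOb version in use. Finally, the `cidrs=None` default is unusable as written: with no `cidrs` in the config the `for` loop raises TypeError rather than ValidationError, whereas iterating `cidrs or []` keeps the fail-closed path through the final raise; a comment such as `# Missing or empty cidrs fall through to the final raise (fail closed)` would make that intent explicit.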
|
||||
|
|