Merge "Clean up validator lists"

Jenkins 2016-02-23 11:44:56 +00:00 committed by Gerrit Code Review
commit a49fdbf87d
5 changed files with 38 additions and 34 deletions


@ -22,7 +22,6 @@ from pyasn1_modules import rfc2459
from anchor.validators import errors as v_errors
from anchor.validators import utils
from anchor.X509 import errors
from anchor.X509 import extension
from anchor.X509 import name as x509_name
@ -207,15 +206,6 @@ def source_cidrs(request=None, cidrs=None, **kwargs):
request.client_addr)
def csr_signature(csr=None, **kwargs):
"""Ensure that the CSR has a valid self-signature."""
try:
if not csr.verify():
raise v_errors.ValidationError("Signature on the CSR is not valid")
except errors.X509Error:
raise v_errors.ValidationError("Signature on the CSR is not valid")
def public_key(csr=None, allowed_keys=None, **kwargs):
"""Ensure the public key has the known type and size.


@ -25,6 +25,7 @@ from __future__ import absolute_import
from anchor import util
from anchor.validators import errors
from anchor.X509 import errors as x509_errors
from anchor.X509 import extension
@ -33,6 +34,7 @@ def standards_compliance(csr=None, **kwargs):
_no_extension_duplicates(csr)
_critical_flags(csr)
_valid_domains(csr)
_csr_signature(csr)
# TODO(stan): validate srv/uri, distinct DNs, email format, identity keys
@ -80,3 +82,12 @@ def _valid_domains(csr):
util.verify_domain(domain, allow_wildcards=True)
except ValueError as e:
raise errors.ValidationError(str(e))
def _csr_signature(csr):
"""Ensure that the CSR has a valid self-signature."""
try:
if not csr.verify():
raise errors.ValidationError("Signature on the CSR is not valid")
except x509_errors.X509Error:
raise errors.ValidationError("Signature on the CSR is not valid")
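Review bot: In `standards_compliance` the new `_csr_signature(csr)` call sits after `_no_extension_duplicates`, `_critical_flags` and `_valid_domains`, so the request's extensions and names are inspected before its proof of possession is checked. I would move `_csr_signature(csr)` to the top of that list, so a request that fails verification is rejected first and reported as a signature failure rather than as whichever content check trips earlier. Separately, `_csr_signature` raises the same message for a signature that does not verify and for an `X509Error` from `csr.verify()`, and the exception detail is dropped. Keeping the client-facing text but recording the cause server-side, with `except x509_errors.X509Error as e:` and a log call carrying `e` before the raise (if this module has a logger), would make rejections diagnosable. The body of `standards_compliance` starts outside the hunk.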


@ -32,9 +32,6 @@ anchor.signing_backends =
pkcs11 = anchor.signers.pkcs11:sign
anchor.validators =
check_domains = anchor.validators.custom:check_domains
iter_alternative_names = anchor.validators.custom:iter_alternative_names
check_networks = anchor.validators.custom:check_networks
common_name = anchor.validators.custom:common_name
alternative_names = anchor.validators.custom:alternative_names
alternative_names_ip = anchor.validators.custom:alternative_names_ip
@ -42,8 +39,10 @@ anchor.validators =
server_group = anchor.validators.custom:server_group
extensions = anchor.validators.custom:extensions
key_usage = anchor.validators.custom:key_usage
ext_key_usage = anchor.validators.custom:ext_key_usage
source_cidrs = anchor.validators.custom:source_cidrs
whitelist_names = anchor.validators.custom:whitelist_names
public_key = anchor.validators.custom:public_key
standards_compliance = anchor.validators.standards:standards_compliance
anchor.authentication =
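Review bot: No `csr_signature` entry appears under `anchor.validators` in this list, so after this commit the CSR self-signature check looks reachable only through `standards_compliance`. A registration authority whose validator set omits `standards_compliance` would then accept requests without a proof-of-possession check, and a deployment config that still names `csr_signature` will presumably stop resolving. The added and removed markers are lost on this page, so which entries are new cannot be confirmed from here. I would add a comment above the entry, `# standards_compliance also verifies the CSR self-signature; keep it in every validator set`, and repeat that in the sample config and release notes.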


@ -20,7 +20,6 @@ import unittest
import mock
import netaddr
from pyasn1.codec.der import decoder
from pyasn1_modules import rfc2459
from anchor.asn1 import rfc5280
from anchor.validators import custom
@ -565,26 +564,6 @@ class TestValidators(tests.DefaultRequestMixin, unittest.TestCase):
)
)
def test_csr_signature(self):
csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
self.assertIsNone(custom.csr_signature(csr=csr))
def test_csr_signature_bad_sig(self):
csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
with mock.patch.object(x509_csr.X509Csr, '_get_signature',
return_value=(b'A'*49)):
with self.assertRaisesRegexp(errors.ValidationError,
"Signature on the CSR is not valid"):
custom.csr_signature(csr=csr)
def test_csr_signature_bad_algo(self):
csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
with mock.patch.object(x509_csr.X509Csr, '_get_signing_algorithm',
return_value=rfc2459.id_dsa_with_sha1):
with self.assertRaisesRegexp(errors.ValidationError,
"Signature on the CSR is not valid"):
custom.csr_signature(csr=csr)
def test_public_key_good_rsa(self):
csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
self.assertIsNone(custom.public_key(csr=csr,


@ -16,7 +16,9 @@
import unittest
import mock
from pyasn1.codec.der import encoder
from pyasn1_modules import rfc2459
from anchor.asn1 import rfc5280
from anchor.validators import errors
@ -160,3 +162,26 @@ class TestValidDomains(unittest.TestCase):
csr = self._create_csr_with_domain_san('foo*.example.com')
with self.assertRaises(errors.ValidationError):
standards._valid_domains(csr)
class TestCsrSignature(tests.DefaultRequestMixin, unittest.TestCase):
def test_csr_signature(self):
csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
self.assertIsNone(standards._csr_signature(csr=csr))
def test_csr_signature_bad_sig(self):
csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
with mock.patch.object(signing_request.X509Csr, '_get_signature',
return_value=(b'A'*49)):
with self.assertRaisesRegexp(errors.ValidationError,
"Signature on the CSR is not valid"):
standards._csr_signature(csr=csr)
def test_csr_signature_bad_algo(self):
csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
with mock.patch.object(signing_request.X509Csr,
'_get_signing_algorithm',
return_value=rfc2459.id_dsa_with_sha1):
with self.assertRaisesRegexp(errors.ValidationError,
"Signature on the CSR is not valid"):
standards._csr_signature(csr=csr)
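Review bot: The three tests in `TestCsrSignature` call the private helper `standards._csr_signature` directly, so nothing here would fail if the `_csr_signature(csr)` call were dropped from `standards_compliance`. Since that entry point is now the only path to the signature check, I would add one test that goes through `standards.standards_compliance` with a patched signature and expects the same `ValidationError`. The sketch below assumes the sample CSR passes the other compliance checks; if it does not, the regex will not match and the fixture needs adjusting.

```python
    def test_standards_compliance_rejects_bad_sig(self):
        csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
        with mock.patch.object(signing_request.X509Csr, '_get_signature',
                               return_value=(b'A'*49)):
            with self.assertRaisesRegexp(errors.ValidationError,
                                         "Signature on the CSR is not valid"):
                standards.standards_compliance(csr=csr)
```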