From 65621def14a13172919e3d5b40bd2c7a5b302bc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stanis=C5=82aw=20Pitucha?= <stanislaw.pitucha@hp.com>
Date: Sat, 6 Feb 2016 11:04:21 +1100
Subject: [PATCH] Clean up validator lists

Move signature validation to standards validators. Remove old validator entries
from the setup.cfg.

Partial-Bug: #1548610
Change-Id: I667b0ad1a49766c2df09489ea3a11e0e77bc4333
---
 anchor/validators/custom.py                  | 10 --------
 anchor/validators/standards.py               | 11 +++++++++
 setup.cfg                                    |  5 ++--
 tests/validators/test_callable_validators.py | 21 ----------------
 tests/validators/test_standards_validator.py | 25 ++++++++++++++++++++
 5 files changed, 38 insertions(+), 34 deletions(-)

diff --git a/anchor/validators/custom.py b/anchor/validators/custom.py
index e38e793..fc7be8b 100644
--- a/anchor/validators/custom.py
+++ b/anchor/validators/custom.py
@@ -22,7 +22,6 @@ from pyasn1_modules import rfc2459
 
 from anchor.validators import errors as v_errors
 from anchor.validators import utils
-from anchor.X509 import errors
 from anchor.X509 import extension
 from anchor.X509 import name as x509_name
 
@@ -207,15 +206,6 @@ def source_cidrs(request=None, cidrs=None, **kwargs):
         request.client_addr)
 
 
-def csr_signature(csr=None, **kwargs):
-    """Ensure that the CSR has a valid self-signature."""
-    try:
-        if not csr.verify():
-            raise v_errors.ValidationError("Signature on the CSR is not valid")
-    except errors.X509Error:
-        raise v_errors.ValidationError("Signature on the CSR is not valid")
-
-
 def public_key(csr=None, allowed_keys=None, **kwargs):
     """Ensure the public key has the known type and size.
 
diff --git a/anchor/validators/standards.py b/anchor/validators/standards.py
index 726b767..02db731 100644
--- a/anchor/validators/standards.py
+++ b/anchor/validators/standards.py
@@ -25,6 +25,7 @@ from __future__ import absolute_import
 
 from anchor import util
 from anchor.validators import errors
+from anchor.X509 import errors as x509_errors
 from anchor.X509 import extension
 
 
@@ -33,6 +34,7 @@ def standards_compliance(csr=None, **kwargs):
     _no_extension_duplicates(csr)
     _critical_flags(csr)
     _valid_domains(csr)
+    _csr_signature(csr)
     # TODO(stan): validate srv/uri, distinct DNs, email format, identity keys
 
 
@@ -80,3 +82,12 @@ def _valid_domains(csr):
             util.verify_domain(domain, allow_wildcards=True)
         except ValueError as e:
             raise errors.ValidationError(str(e))
+
+
+def _csr_signature(csr):
+    """Ensure that the CSR has a valid self-signature."""
+    try:
+        if not csr.verify():
+            raise errors.ValidationError("Signature on the CSR is not valid")
+    except x509_errors.X509Error:
+        raise errors.ValidationError("Signature on the CSR is not valid")
diff --git a/setup.cfg b/setup.cfg
index cfb80df..dafe9a9 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -31,9 +31,6 @@ anchor.signing_backends =
     anchor = anchor.certificate_ops:sign
 
 anchor.validators =
-    check_domains = anchor.validators.custom:check_domains
-    iter_alternative_names = anchor.validators.custom:iter_alternative_names
-    check_networks = anchor.validators.custom:check_networks
     common_name = anchor.validators.custom:common_name
     alternative_names = anchor.validators.custom:alternative_names
     alternative_names_ip = anchor.validators.custom:alternative_names_ip
@@ -41,8 +38,10 @@ anchor.validators =
     server_group = anchor.validators.custom:server_group
     extensions = anchor.validators.custom:extensions
     key_usage = anchor.validators.custom:key_usage
+    ext_key_usage = anchor.validators.custom:ext_key_usage
     source_cidrs = anchor.validators.custom:source_cidrs
     whitelist_names = anchor.validators.custom:whitelist_names
+    public_key = anchor.validators.custom:public_key
     standards_compliance = anchor.validators.standards:standards_compliance
 
 anchor.authentication =
diff --git a/tests/validators/test_callable_validators.py b/tests/validators/test_callable_validators.py
index ba0ff7f..22922f5 100644
--- a/tests/validators/test_callable_validators.py
+++ b/tests/validators/test_callable_validators.py
@@ -20,7 +20,6 @@ import unittest
 import mock
 import netaddr
 from pyasn1.codec.der import decoder
-from pyasn1_modules import rfc2459
 
 from anchor.asn1 import rfc5280
 from anchor.validators import custom
@@ -554,26 +553,6 @@ class TestValidators(tests.DefaultRequestMixin, unittest.TestCase):
             )
         )
 
-    def test_csr_signature(self):
-        csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
-        self.assertIsNone(custom.csr_signature(csr=csr))
-
-    def test_csr_signature_bad_sig(self):
-        csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
-        with mock.patch.object(x509_csr.X509Csr, '_get_signature',
-                               return_value=(b'A'*49)):
-            with self.assertRaisesRegexp(errors.ValidationError,
-                                         "Signature on the CSR is not valid"):
-                custom.csr_signature(csr=csr)
-
-    def test_csr_signature_bad_algo(self):
-        csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
-        with mock.patch.object(x509_csr.X509Csr, '_get_signing_algorithm',
-                               return_value=rfc2459.id_dsa_with_sha1):
-            with self.assertRaisesRegexp(errors.ValidationError,
-                                         "Signature on the CSR is not valid"):
-                custom.csr_signature(csr=csr)
-
     def test_public_key_good_rsa(self):
         csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
         self.assertIsNone(custom.public_key(csr=csr,
diff --git a/tests/validators/test_standards_validator.py b/tests/validators/test_standards_validator.py
index 259520a..04ded1d 100644
--- a/tests/validators/test_standards_validator.py
+++ b/tests/validators/test_standards_validator.py
@@ -16,7 +16,9 @@
 
 import unittest
 
+import mock
 from pyasn1.codec.der import encoder
+from pyasn1_modules import rfc2459
 
 from anchor.asn1 import rfc5280
 from anchor.validators import errors
@@ -160,3 +162,26 @@ class TestValidDomains(unittest.TestCase):
         csr = self._create_csr_with_domain_san('foo*.example.com')
         with self.assertRaises(errors.ValidationError):
             standards._valid_domains(csr)
+
+
+class TestCsrSignature(tests.DefaultRequestMixin, unittest.TestCase):
+    def test_csr_signature(self):
+        csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
+        self.assertIsNone(standards._csr_signature(csr=csr))
+
+    def test_csr_signature_bad_sig(self):
+        csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
+        with mock.patch.object(signing_request.X509Csr, '_get_signature',
+                               return_value=(b'A'*49)):
+            with self.assertRaisesRegexp(errors.ValidationError,
+                                         "Signature on the CSR is not valid"):
+                standards._csr_signature(csr=csr)
+
+    def test_csr_signature_bad_algo(self):
+        csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
+        with mock.patch.object(signing_request.X509Csr,
+                               '_get_signing_algorithm',
+                               return_value=rfc2459.id_dsa_with_sha1):
+            with self.assertRaisesRegexp(errors.ValidationError,
+                                         "Signature on the CSR is not valid"):
+                standards._csr_signature(csr=csr)