|
|
@ -5,7 +5,6 @@ import (
|
|
|
|
"net"
|
|
|
|
"net"
|
|
|
|
"strings"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
|
|
|
|
"golang.org/x/net/idna"
|
|
|
|
"golang.org/x/net/idna"
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
@ -33,7 +32,7 @@ func WithPermittedDNSDomains(domains []string) NamePolicyOption {
|
|
|
|
for i, domain := range domains {
|
|
|
|
for i, domain := range domains {
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
|
|
return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedDomains[i] = normalizedDomain
|
|
|
|
normalizedDomains[i] = normalizedDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -48,7 +47,7 @@ func AddPermittedDNSDomains(domains []string) NamePolicyOption {
|
|
|
|
for i, domain := range domains {
|
|
|
|
for i, domain := range domains {
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
|
|
return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedDomains[i] = normalizedDomain
|
|
|
|
normalizedDomains[i] = normalizedDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -63,7 +62,7 @@ func WithExcludedDNSDomains(domains []string) NamePolicyOption {
|
|
|
|
for i, domain := range domains {
|
|
|
|
for i, domain := range domains {
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
|
|
return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedDomains[i] = normalizedDomain
|
|
|
|
normalizedDomains[i] = normalizedDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -78,7 +77,7 @@ func AddExcludedDNSDomains(domains []string) NamePolicyOption {
|
|
|
|
for i, domain := range domains {
|
|
|
|
for i, domain := range domains {
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
|
|
return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedDomains[i] = normalizedDomain
|
|
|
|
normalizedDomains[i] = normalizedDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -91,7 +90,7 @@ func WithPermittedDNSDomain(domain string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
|
|
return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedDNSDomains = []string{normalizedDomain}
|
|
|
|
e.permittedDNSDomains = []string{normalizedDomain}
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -102,7 +101,7 @@ func AddPermittedDNSDomain(domain string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
|
|
return fmt.Errorf("cannot parse permitted domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedDNSDomains = append(e.permittedDNSDomains, normalizedDomain)
|
|
|
|
e.permittedDNSDomains = append(e.permittedDNSDomains, normalizedDomain)
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -113,7 +112,7 @@ func WithExcludedDNSDomain(domain string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
|
|
return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedDNSDomains = []string{normalizedDomain}
|
|
|
|
e.excludedDNSDomains = []string{normalizedDomain}
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -124,7 +123,7 @@ func AddExcludedDNSDomain(domain string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
normalizedDomain, err := normalizeAndValidateDNSDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
|
|
return fmt.Errorf("cannot parse excluded domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedDNSDomains = append(e.excludedDNSDomains, normalizedDomain)
|
|
|
|
e.excludedDNSDomains = append(e.excludedDNSDomains, normalizedDomain)
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -151,7 +150,7 @@ func WithPermittedCIDRs(cidrs []string) NamePolicyOption {
|
|
|
|
for i, cidr := range cidrs {
|
|
|
|
for i, cidr := range cidrs {
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
|
|
|
return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
networks[i] = nw
|
|
|
|
networks[i] = nw
|
|
|
|
}
|
|
|
|
}
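Review bot: The new `fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)` discards the `net.ParseCIDR` error, so a caller cannot inspect it with `errors.Is`/`errors.As` and the log loses the reason the value was rejected, unlike the DNS, email and URI hunks in this same commit, which wrap the cause with `%w`. `return fmt.Errorf("cannot parse permitted CIDR constraint %q: %w", cidr, err)` keeps the chain and matches the rest of the file. The same applies to the hunks at -166, -181, -196, -245, -256, -297 and -308, where `err` is likewise in scope and dropped. The enclosing WithPermittedCIDRs body starts outside the hunk.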
|
|
|
@ -166,7 +165,7 @@ func AddPermittedCIDRs(cidrs []string) NamePolicyOption {
|
|
|
|
for i, cidr := range cidrs {
|
|
|
|
for i, cidr := range cidrs {
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
|
|
|
return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
networks[i] = nw
|
|
|
|
networks[i] = nw
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -181,7 +180,7 @@ func WithExcludedCIDRs(cidrs []string) NamePolicyOption {
|
|
|
|
for i, cidr := range cidrs {
|
|
|
|
for i, cidr := range cidrs {
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
|
|
|
return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
networks[i] = nw
|
|
|
|
networks[i] = nw
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -196,7 +195,7 @@ func AddExcludedCIDRs(cidrs []string) NamePolicyOption {
|
|
|
|
for i, cidr := range cidrs {
|
|
|
|
for i, cidr := range cidrs {
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
|
|
|
return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
networks[i] = nw
|
|
|
|
networks[i] = nw
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -215,7 +214,7 @@ func WithPermittedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption {
|
|
|
|
} else if ip := net.ParseIP(ipOrCIDR); ip != nil {
|
|
|
|
} else if ip := net.ParseIP(ipOrCIDR); ip != nil {
|
|
|
|
networks[i] = networkFor(ip)
|
|
|
|
networks[i] = networkFor(ip)
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
return errors.Errorf("cannot parse permitted constraint %q as IP nor CIDR", ipOrCIDR)
|
|
|
|
return fmt.Errorf("cannot parse permitted constraint %q as IP nor CIDR", ipOrCIDR)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedIPRanges = networks
|
|
|
|
e.permittedIPRanges = networks
|
|
|
@ -233,7 +232,7 @@ func WithExcludedIPsOrCIDRs(ipsOrCIDRs []string) NamePolicyOption {
|
|
|
|
} else if ip := net.ParseIP(ipOrCIDR); ip != nil {
|
|
|
|
} else if ip := net.ParseIP(ipOrCIDR); ip != nil {
|
|
|
|
networks[i] = networkFor(ip)
|
|
|
|
networks[i] = networkFor(ip)
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
return errors.Errorf("cannot parse excluded constraint %q as IP nor CIDR", ipOrCIDR)
|
|
|
|
return fmt.Errorf("cannot parse excluded constraint %q as IP nor CIDR", ipOrCIDR)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedIPRanges = networks
|
|
|
|
e.excludedIPRanges = networks
|
|
|
@ -245,7 +244,7 @@ func WithPermittedCIDR(cidr string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
|
|
|
return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedIPRanges = []*net.IPNet{nw}
|
|
|
|
e.permittedIPRanges = []*net.IPNet{nw}
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -256,7 +255,7 @@ func AddPermittedCIDR(cidr string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
|
|
|
return fmt.Errorf("cannot parse permitted CIDR constraint %q", cidr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedIPRanges = append(e.permittedIPRanges, nw)
|
|
|
|
e.permittedIPRanges = append(e.permittedIPRanges, nw)
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -297,7 +296,7 @@ func WithExcludedCIDR(cidr string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
|
|
|
return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedIPRanges = []*net.IPNet{nw}
|
|
|
|
e.excludedIPRanges = []*net.IPNet{nw}
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -308,7 +307,7 @@ func AddExcludedCIDR(cidr string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
_, nw, err := net.ParseCIDR(cidr)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return errors.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
|
|
|
return fmt.Errorf("cannot parse excluded CIDR constraint %q", cidr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedIPRanges = append(e.excludedIPRanges, nw)
|
|
|
|
e.excludedIPRanges = append(e.excludedIPRanges, nw)
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -355,7 +354,7 @@ func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
|
|
|
for i, email := range emailAddresses {
|
|
|
|
for i, email := range emailAddresses {
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse permitted email constraint %q: %w", email, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedEmailAddresses[i] = normalizedEmailAddress
|
|
|
|
normalizedEmailAddresses[i] = normalizedEmailAddress
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -370,7 +369,7 @@ func AddPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
|
|
|
for i, email := range emailAddresses {
|
|
|
|
for i, email := range emailAddresses {
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse permitted email constraint %q: %w", email, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedEmailAddresses[i] = normalizedEmailAddress
|
|
|
|
normalizedEmailAddresses[i] = normalizedEmailAddress
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -385,7 +384,7 @@ func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
|
|
|
for i, email := range emailAddresses {
|
|
|
|
for i, email := range emailAddresses {
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse excluded email constraint %q: %w", email, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedEmailAddresses[i] = normalizedEmailAddress
|
|
|
|
normalizedEmailAddresses[i] = normalizedEmailAddress
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -400,7 +399,7 @@ func AddExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
|
|
|
for i, email := range emailAddresses {
|
|
|
|
for i, email := range emailAddresses {
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(email)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse excluded email constraint %q: %w", email, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedEmailAddresses[i] = normalizedEmailAddress
|
|
|
|
normalizedEmailAddresses[i] = normalizedEmailAddress
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -413,7 +412,7 @@ func WithPermittedEmailAddress(emailAddress string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse permitted email constraint %q: %w", emailAddress, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedEmailAddresses = []string{normalizedEmailAddress}
|
|
|
|
e.permittedEmailAddresses = []string{normalizedEmailAddress}
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -424,7 +423,7 @@ func AddPermittedEmailAddress(emailAddress string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse permitted email constraint %q: %w", emailAddress, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedEmailAddresses = append(e.permittedEmailAddresses, normalizedEmailAddress)
|
|
|
|
e.permittedEmailAddresses = append(e.permittedEmailAddresses, normalizedEmailAddress)
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -435,7 +434,7 @@ func WithExcludedEmailAddress(emailAddress string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse excluded email constraint %q: %w", emailAddress, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedEmailAddresses = []string{normalizedEmailAddress}
|
|
|
|
e.excludedEmailAddresses = []string{normalizedEmailAddress}
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -446,7 +445,7 @@ func AddExcludedEmailAddress(emailAddress string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
|
|
|
normalizedEmailAddress, err := normalizeAndValidateEmailConstraint(emailAddress)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse excluded email constraint %q: %w", emailAddress, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedEmailAddresses = append(e.excludedEmailAddresses, normalizedEmailAddress)
|
|
|
|
e.excludedEmailAddresses = append(e.excludedEmailAddresses, normalizedEmailAddress)
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -459,7 +458,7 @@ func WithPermittedURIDomains(uriDomains []string) NamePolicyOption {
|
|
|
|
for i, domain := range uriDomains {
|
|
|
|
for i, domain := range uriDomains {
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedURIDomains[i] = normalizedURIDomain
|
|
|
|
normalizedURIDomains[i] = normalizedURIDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -474,7 +473,7 @@ func AddPermittedURIDomains(uriDomains []string) NamePolicyOption {
|
|
|
|
for i, domain := range uriDomains {
|
|
|
|
for i, domain := range uriDomains {
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedURIDomains[i] = normalizedURIDomain
|
|
|
|
normalizedURIDomains[i] = normalizedURIDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -483,35 +482,35 @@ func AddPermittedURIDomains(uriDomains []string) NamePolicyOption {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func WithPermittedURIDomain(uriDomain string) NamePolicyOption {
|
|
|
|
func WithPermittedURIDomain(domain string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(uriDomain)
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedURIDomains = []string{normalizedURIDomain}
|
|
|
|
e.permittedURIDomains = []string{normalizedURIDomain}
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func AddPermittedURIDomain(uriDomain string) NamePolicyOption {
|
|
|
|
func AddPermittedURIDomain(domain string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(uriDomain)
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse permitted URI domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.permittedURIDomains = append(e.permittedURIDomains, normalizedURIDomain)
|
|
|
|
e.permittedURIDomains = append(e.permittedURIDomains, normalizedURIDomain)
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func WithExcludedURIDomains(uriDomains []string) NamePolicyOption {
|
|
|
|
func WithExcludedURIDomains(domains []string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedURIDomains := make([]string, len(uriDomains))
|
|
|
|
normalizedURIDomains := make([]string, len(domains))
|
|
|
|
for i, domain := range uriDomains {
|
|
|
|
for i, domain := range domains {
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedURIDomains[i] = normalizedURIDomain
|
|
|
|
normalizedURIDomains[i] = normalizedURIDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -520,13 +519,13 @@ func WithExcludedURIDomains(uriDomains []string) NamePolicyOption {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func AddExcludedURIDomains(uriDomains []string) NamePolicyOption {
|
|
|
|
func AddExcludedURIDomains(domains []string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedURIDomains := make([]string, len(uriDomains))
|
|
|
|
normalizedURIDomains := make([]string, len(domains))
|
|
|
|
for i, domain := range uriDomains {
|
|
|
|
for i, domain := range domains {
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedURIDomains[i] = normalizedURIDomain
|
|
|
|
normalizedURIDomains[i] = normalizedURIDomain
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -535,22 +534,22 @@ func AddExcludedURIDomains(uriDomains []string) NamePolicyOption {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func WithExcludedURIDomain(uriDomain string) NamePolicyOption {
|
|
|
|
func WithExcludedURIDomain(domain string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(uriDomain)
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedURIDomains = []string{normalizedURIDomain}
|
|
|
|
e.excludedURIDomains = []string{normalizedURIDomain}
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func AddExcludedURIDomain(uriDomain string) NamePolicyOption {
|
|
|
|
func AddExcludedURIDomain(domain string) NamePolicyOption {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
return func(e *NamePolicyEngine) error {
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(uriDomain)
|
|
|
|
normalizedURIDomain, err := normalizeAndValidateURIDomainConstraint(domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
return fmt.Errorf("cannot parse excluded URI domain constraint %q: %w", domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
e.excludedURIDomains = append(e.excludedURIDomains, normalizedURIDomain)
|
|
|
|
e.excludedURIDomains = append(e.excludedURIDomains, normalizedURIDomain)
|
|
|
|
return nil
|
|
|
|
return nil
|
|
|
@ -594,26 +593,29 @@ func isIPv4(ip net.IP) bool {
|
|
|
|
func normalizeAndValidateDNSDomainConstraint(constraint string) (string, error) {
|
|
|
|
func normalizeAndValidateDNSDomainConstraint(constraint string) (string, error) {
|
|
|
|
normalizedConstraint := strings.ToLower(strings.TrimSpace(constraint))
|
|
|
|
normalizedConstraint := strings.ToLower(strings.TrimSpace(constraint))
|
|
|
|
if normalizedConstraint == "" {
|
|
|
|
if normalizedConstraint == "" {
|
|
|
|
return "", errors.Errorf("contraint %q can not be empty or white space string", constraint)
|
|
|
|
return "", fmt.Errorf("contraint %q can not be empty or white space string", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if strings.Contains(normalizedConstraint, "..") {
|
|
|
|
if strings.Contains(normalizedConstraint, "..") {
|
|
|
|
return "", errors.Errorf("domain constraint %q cannot have empty labels", constraint)
|
|
|
|
return "", fmt.Errorf("domain constraint %q cannot have empty labels", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if normalizedConstraint[0] == '*' && normalizedConstraint[1] != '.' {
|
|
|
|
if strings.HasPrefix(normalizedConstraint, ".") {
|
|
|
|
return "", errors.Errorf("wildcard character in domain constraint %q can only be used to match (full) labels", constraint)
|
|
|
|
return "", fmt.Errorf("domain constraint %q with wildcard should start with *", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if strings.LastIndex(normalizedConstraint, "*") > 0 {
|
|
|
|
if strings.LastIndex(normalizedConstraint, "*") > 0 {
|
|
|
|
return "", errors.Errorf("domain constraint %q can only have wildcard as starting character", constraint)
|
|
|
|
return "", fmt.Errorf("domain constraint %q can only have wildcard as starting character", constraint)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if normalizedConstraint[0] == '*' && normalizedConstraint[1] != '.' {
|
|
|
|
|
|
|
|
return "", fmt.Errorf("wildcard character in domain constraint %q can only be used to match (full) labels", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if strings.HasPrefix(normalizedConstraint, "*.") {
|
|
|
|
if strings.HasPrefix(normalizedConstraint, "*.") {
|
|
|
|
normalizedConstraint = normalizedConstraint[1:] // cut off wildcard character; keep the period
|
|
|
|
normalizedConstraint = normalizedConstraint[1:] // cut off wildcard character; keep the period
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedConstraint, err := idna.Lookup.ToASCII(normalizedConstraint)
|
|
|
|
normalizedConstraint, err := idna.Lookup.ToASCII(normalizedConstraint)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return "", errors.Wrapf(err, "domain constraint %q can not be converted to ASCII", constraint)
|
|
|
|
return "", fmt.Errorf("domain constraint %q can not be converted to ASCII: %w", constraint, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if _, ok := domainToReverseLabels(normalizedConstraint); !ok {
|
|
|
|
if _, ok := domainToReverseLabels(normalizedConstraint); !ok {
|
|
|
|
return "", errors.Errorf("cannot parse domain constraint %q", constraint)
|
|
|
|
return "", fmt.Errorf("cannot parse domain constraint %q", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return normalizedConstraint, nil
|
|
|
|
return normalizedConstraint, nil
|
|
|
|
}
|
|
|
|
}
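Review bot: `normalizedConstraint[1]` on the new line `if normalizedConstraint[0] == '*' && normalizedConstraint[1] != '.' {` still indexes past the end when the constraint is exactly `"*"`: the empty, `".."`, leading-`.` and `LastIndex(...) > 0` checks above all let a lone asterisk through, so a one-character policy value panics instead of returning an error. Guard the length first: `if normalizedConstraint[0] == '*' && (len(normalizedConstraint) == 1 || normalizedConstraint[1] != '.') {`. The new empty-constraint message also keeps the typo `contraint`, which the email and URI hunks repeat. In the URI variant (hunk at -664) the post-strip `strings.Contains(normalizedConstraint, "*")` check is removed and there is no equivalent `[1] != '.'` check, so a value like `*foo` now reaches `idna.Lookup.ToASCII` and is rejected only if that profile disallows `*` — worth pinning with a test.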
|
|
|
@ -621,7 +623,7 @@ func normalizeAndValidateDNSDomainConstraint(constraint string) (string, error)
|
|
|
|
func normalizeAndValidateEmailConstraint(constraint string) (string, error) {
|
|
|
|
func normalizeAndValidateEmailConstraint(constraint string) (string, error) {
|
|
|
|
normalizedConstraint := strings.ToLower(strings.TrimSpace(constraint))
|
|
|
|
normalizedConstraint := strings.ToLower(strings.TrimSpace(constraint))
|
|
|
|
if normalizedConstraint == "" {
|
|
|
|
if normalizedConstraint == "" {
|
|
|
|
return "", errors.Errorf("email contraint %q can not be empty or white space string", constraint)
|
|
|
|
return "", fmt.Errorf("email contraint %q can not be empty or white space string", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if strings.Contains(normalizedConstraint, "*") {
|
|
|
|
if strings.Contains(normalizedConstraint, "*") {
|
|
|
|
return "", fmt.Errorf("email constraint %q cannot contain asterisk wildcard", constraint)
|
|
|
|
return "", fmt.Errorf("email constraint %q cannot contain asterisk wildcard", constraint)
|
|
|
@ -645,14 +647,14 @@ func normalizeAndValidateEmailConstraint(constraint string) (string, error) {
|
|
|
|
// https://datatracker.ietf.org/doc/html/rfc5280#section-7.5
|
|
|
|
// https://datatracker.ietf.org/doc/html/rfc5280#section-7.5
|
|
|
|
domainASCII, err := idna.Lookup.ToASCII(mailbox.domain)
|
|
|
|
domainASCII, err := idna.Lookup.ToASCII(mailbox.domain)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return "", errors.Wrapf(err, "email constraint %q domain part %q cannot be converted to ASCII", constraint, mailbox.domain)
|
|
|
|
return "", fmt.Errorf("email constraint %q domain part %q cannot be converted to ASCII: %w", constraint, mailbox.domain, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedConstraint = mailbox.local + "@" + domainASCII
|
|
|
|
normalizedConstraint = mailbox.local + "@" + domainASCII
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
var err error
|
|
|
|
var err error
|
|
|
|
normalizedConstraint, err = idna.Lookup.ToASCII(normalizedConstraint)
|
|
|
|
normalizedConstraint, err = idna.Lookup.ToASCII(normalizedConstraint)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return "", errors.Wrapf(err, "email constraint %q cannot be converted to ASCII", constraint)
|
|
|
|
return "", fmt.Errorf("email constraint %q cannot be converted to ASCII: %w", constraint, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if _, ok := domainToReverseLabels(normalizedConstraint); !ok {
|
|
|
|
if _, ok := domainToReverseLabels(normalizedConstraint); !ok {
|
|
|
@ -664,35 +666,38 @@ func normalizeAndValidateEmailConstraint(constraint string) (string, error) {
|
|
|
|
func normalizeAndValidateURIDomainConstraint(constraint string) (string, error) {
|
|
|
|
func normalizeAndValidateURIDomainConstraint(constraint string) (string, error) {
|
|
|
|
normalizedConstraint := strings.ToLower(strings.TrimSpace(constraint))
|
|
|
|
normalizedConstraint := strings.ToLower(strings.TrimSpace(constraint))
|
|
|
|
if normalizedConstraint == "" {
|
|
|
|
if normalizedConstraint == "" {
|
|
|
|
return "", errors.Errorf("URI domain contraint %q cannot be empty or white space string", constraint)
|
|
|
|
return "", fmt.Errorf("URI domain contraint %q cannot be empty or white space string", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if strings.Contains(normalizedConstraint, "://") {
|
|
|
|
if strings.Contains(normalizedConstraint, "://") {
|
|
|
|
return "", errors.Errorf("URI domain constraint %q contains scheme (not supported yet)", constraint)
|
|
|
|
return "", fmt.Errorf("URI domain constraint %q contains scheme (not supported yet)", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if strings.Contains(normalizedConstraint, "..") {
|
|
|
|
if strings.Contains(normalizedConstraint, "..") {
|
|
|
|
return "", errors.Errorf("URI domain constraint %q cannot have empty labels", constraint)
|
|
|
|
return "", fmt.Errorf("URI domain constraint %q cannot have empty labels", constraint)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if strings.HasPrefix(normalizedConstraint, ".") {
|
|
|
|
|
|
|
|
return "", fmt.Errorf("URI domain constraint %q with wildcard should start with *", constraint)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if strings.LastIndex(normalizedConstraint, "*") > 0 {
|
|
|
|
|
|
|
|
return "", fmt.Errorf("URI domain constraint %q can only have wildcard as starting character", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if strings.HasPrefix(normalizedConstraint, "*.") {
|
|
|
|
if strings.HasPrefix(normalizedConstraint, "*.") {
|
|
|
|
normalizedConstraint = normalizedConstraint[1:] // cut off wildcard character; keep the period
|
|
|
|
normalizedConstraint = normalizedConstraint[1:] // cut off wildcard character; keep the period
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if strings.Contains(normalizedConstraint, "*") {
|
|
|
|
|
|
|
|
return "", errors.Errorf("URI domain constraint %q can only have wildcard as starting character", constraint)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// we're being strict with square brackets in domains; we don't allow them, no matter what
|
|
|
|
// we're being strict with square brackets in domains; we don't allow them, no matter what
|
|
|
|
if strings.Contains(normalizedConstraint, "[") || strings.Contains(normalizedConstraint, "]") {
|
|
|
|
if strings.Contains(normalizedConstraint, "[") || strings.Contains(normalizedConstraint, "]") {
|
|
|
|
return "", errors.Errorf("URI domain constraint %q contains invalid square brackets", constraint)
|
|
|
|
return "", fmt.Errorf("URI domain constraint %q contains invalid square brackets", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if _, _, err := net.SplitHostPort(normalizedConstraint); err == nil {
|
|
|
|
if _, _, err := net.SplitHostPort(normalizedConstraint); err == nil {
|
|
|
|
// a successful split (likely) with host and port; we don't currently allow ports in the config
|
|
|
|
// a successful split (likely) with host and port; we don't currently allow ports in the config
|
|
|
|
return "", errors.Errorf("URI domain constraint %q cannot contain port", constraint)
|
|
|
|
return "", fmt.Errorf("URI domain constraint %q cannot contain port", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// check if the host part of the URI domain constraint is an IP
|
|
|
|
// check if the host part of the URI domain constraint is an IP
|
|
|
|
if net.ParseIP(normalizedConstraint) != nil {
|
|
|
|
if net.ParseIP(normalizedConstraint) != nil {
|
|
|
|
return "", errors.Errorf("URI domain constraint %q cannot be an IP", constraint)
|
|
|
|
return "", fmt.Errorf("URI domain constraint %q cannot be an IP", constraint)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
normalizedConstraint, err := idna.Lookup.ToASCII(normalizedConstraint)
|
|
|
|
normalizedConstraint, err := idna.Lookup.ToASCII(normalizedConstraint)
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return "", errors.Wrapf(err, "URI domain constraint %q cannot be converted to ASCII", constraint)
|
|
|
|
return "", fmt.Errorf("URI domain constraint %q cannot be converted to ASCII: %w", constraint, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
_, ok := domainToReverseLabels(normalizedConstraint)
|
|
|
|
_, ok := domainToReverseLabels(normalizedConstraint)
|
|
|
|
if !ok {
|
|
|
|
if !ok {
|
|
|
|