forked from TrueCloudLab/certificates
Add StatusCoder to ConstraintError
This commit is contained in:
parent
2959aa676d
commit
75bff055fc
2 changed files with 32 additions and 26 deletions
|
@ -4,6 +4,7 @@ import (
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -22,6 +23,11 @@ func (e ConstraintError) Error() string {
|
||||||
return e.Detail
|
return e.Detail
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// StatusCode implements an status coder interface.
|
||||||
|
func (e ConstraintError) StatusCode() int {
|
||||||
|
return http.StatusForbidden
|
||||||
|
}
|
||||||
|
|
||||||
// Engine implements a constraint validator for DNS names, IP addresses, Email
|
// Engine implements a constraint validator for DNS names, IP addresses, Email
|
||||||
// addresses and URIs.
|
// addresses and URIs.
|
||||||
type Engine struct {
|
type Engine struct {
|
||||||
|
@ -39,38 +45,38 @@ type Engine struct {
|
||||||
// New creates a constraint validation engine that contains the given chain of
|
// New creates a constraint validation engine that contains the given chain of
|
||||||
// certificates.
|
// certificates.
|
||||||
func New(chain ...*x509.Certificate) *Engine {
|
func New(chain ...*x509.Certificate) *Engine {
|
||||||
s := new(Engine)
|
e := new(Engine)
|
||||||
for _, crt := range chain {
|
for _, crt := range chain {
|
||||||
s.permittedDNSDomains = append(s.permittedDNSDomains, crt.PermittedDNSDomains...)
|
e.permittedDNSDomains = append(e.permittedDNSDomains, crt.PermittedDNSDomains...)
|
||||||
s.excludedDNSDomains = append(s.excludedDNSDomains, crt.ExcludedDNSDomains...)
|
e.excludedDNSDomains = append(e.excludedDNSDomains, crt.ExcludedDNSDomains...)
|
||||||
s.permittedIPRanges = append(s.permittedIPRanges, crt.PermittedIPRanges...)
|
e.permittedIPRanges = append(e.permittedIPRanges, crt.PermittedIPRanges...)
|
||||||
s.excludedIPRanges = append(s.excludedIPRanges, crt.ExcludedIPRanges...)
|
e.excludedIPRanges = append(e.excludedIPRanges, crt.ExcludedIPRanges...)
|
||||||
s.permittedEmailAddresses = append(s.permittedEmailAddresses, crt.PermittedEmailAddresses...)
|
e.permittedEmailAddresses = append(e.permittedEmailAddresses, crt.PermittedEmailAddresses...)
|
||||||
s.excludedEmailAddresses = append(s.excludedEmailAddresses, crt.ExcludedEmailAddresses...)
|
e.excludedEmailAddresses = append(e.excludedEmailAddresses, crt.ExcludedEmailAddresses...)
|
||||||
s.permittedURIDomains = append(s.permittedURIDomains, crt.PermittedURIDomains...)
|
e.permittedURIDomains = append(e.permittedURIDomains, crt.PermittedURIDomains...)
|
||||||
s.excludedURIDomains = append(s.excludedURIDomains, crt.ExcludedURIDomains...)
|
e.excludedURIDomains = append(e.excludedURIDomains, crt.ExcludedURIDomains...)
|
||||||
|
|
||||||
if !s.hasNameConstraints {
|
if !e.hasNameConstraints {
|
||||||
for _, ext := range crt.Extensions {
|
for _, ext := range crt.Extensions {
|
||||||
if ext.Id.Equal(oidExtensionNameConstraints) {
|
if ext.Id.Equal(oidExtensionNameConstraints) {
|
||||||
s.hasNameConstraints = true
|
e.hasNameConstraints = true
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return s
|
return e
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate checks the given names with the name constraints defined in the
|
// Validate checks the given names with the name constraints defined in the
|
||||||
// service.
|
// service.
|
||||||
func (s *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error {
|
func (e *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error {
|
||||||
if s == nil || !s.hasNameConstraints {
|
if e == nil || !e.hasNameConstraints {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, name := range dnsNames {
|
for _, name := range dnsNames {
|
||||||
if err := checkNameConstraints("DNS name", name, name, s.permittedDNSDomains, s.excludedDNSDomains,
|
if err := checkNameConstraints("DNS name", name, name, e.permittedDNSDomains, e.excludedDNSDomains,
|
||||||
func(parsedName, constraint any) (bool, error) {
|
func(parsedName, constraint any) (bool, error) {
|
||||||
return matchDomainConstraint(parsedName.(string), constraint.(string))
|
return matchDomainConstraint(parsedName.(string), constraint.(string))
|
||||||
},
|
},
|
||||||
|
@ -80,7 +86,7 @@ func (s *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresse
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, ip := range ipAddresses {
|
for _, ip := range ipAddresses {
|
||||||
if err := checkNameConstraints("IP address", ip.String(), ip, s.permittedIPRanges, s.excludedIPRanges,
|
if err := checkNameConstraints("IP address", ip.String(), ip, e.permittedIPRanges, e.excludedIPRanges,
|
||||||
func(parsedName, constraint any) (bool, error) {
|
func(parsedName, constraint any) (bool, error) {
|
||||||
return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))
|
return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))
|
||||||
},
|
},
|
||||||
|
@ -94,7 +100,7 @@ func (s *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresse
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("cannot parse rfc822Name %q", email)
|
return fmt.Errorf("cannot parse rfc822Name %q", email)
|
||||||
}
|
}
|
||||||
if err := checkNameConstraints("Email address", email, mailbox, s.permittedEmailAddresses, s.excludedEmailAddresses,
|
if err := checkNameConstraints("Email address", email, mailbox, e.permittedEmailAddresses, e.excludedEmailAddresses,
|
||||||
func(parsedName, constraint any) (bool, error) {
|
func(parsedName, constraint any) (bool, error) {
|
||||||
return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))
|
return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))
|
||||||
},
|
},
|
||||||
|
@ -104,7 +110,7 @@ func (s *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresse
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, uri := range uris {
|
for _, uri := range uris {
|
||||||
if err := checkNameConstraints("URI", uri.String(), uri, s.permittedURIDomains, s.excludedURIDomains,
|
if err := checkNameConstraints("URI", uri.String(), uri, e.permittedURIDomains, e.excludedURIDomains,
|
||||||
func(parsedName, constraint any) (bool, error) {
|
func(parsedName, constraint any) (bool, error) {
|
||||||
return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
|
return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
|
||||||
},
|
},
|
||||||
|
@ -118,6 +124,6 @@ func (s *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresse
|
||||||
|
|
||||||
// ValidateCertificate validates the DNS names, IP addresses, Email address and
|
// ValidateCertificate validates the DNS names, IP addresses, Email address and
|
||||||
// URIs present in the given certificate.
|
// URIs present in the given certificate.
|
||||||
func (s *Engine) ValidateCertificate(cert *x509.Certificate) error {
|
func (e *Engine) ValidateCertificate(cert *x509.Certificate) error {
|
||||||
return s.Validate(cert.DNSNames, cert.IPAddresses, cert.EmailAddresses, cert.URIs)
|
return e.Validate(cert.DNSNames, cert.IPAddresses, cert.EmailAddresses, cert.URIs)
|
||||||
}
|
}
|
||||||
|
|
|
@ -205,7 +205,7 @@ func Test_service_Validate(t *testing.T) {
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
s := &Engine{
|
e := &Engine{
|
||||||
hasNameConstraints: tt.fields.hasNameConstraints,
|
hasNameConstraints: tt.fields.hasNameConstraints,
|
||||||
permittedDNSDomains: tt.fields.permittedDNSDomains,
|
permittedDNSDomains: tt.fields.permittedDNSDomains,
|
||||||
excludedDNSDomains: tt.fields.excludedDNSDomains,
|
excludedDNSDomains: tt.fields.excludedDNSDomains,
|
||||||
|
@ -216,7 +216,7 @@ func Test_service_Validate(t *testing.T) {
|
||||||
permittedURIDomains: tt.fields.permittedURIDomains,
|
permittedURIDomains: tt.fields.permittedURIDomains,
|
||||||
excludedURIDomains: tt.fields.excludedURIDomains,
|
excludedURIDomains: tt.fields.excludedURIDomains,
|
||||||
}
|
}
|
||||||
if err := s.Validate(tt.args.dnsNames, tt.args.ipAddresses, tt.args.emailAddresses, tt.args.uris); (err != nil) != tt.wantErr {
|
if err := e.Validate(tt.args.dnsNames, tt.args.ipAddresses, tt.args.emailAddresses, tt.args.uris); (err != nil) != tt.wantErr {
|
||||||
t.Errorf("service.Validate() error = %v, wantErr %v", err, tt.wantErr)
|
t.Errorf("service.Validate() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -224,8 +224,8 @@ func Test_service_Validate(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func Test_service_Validate_nil(t *testing.T) {
|
func Test_service_Validate_nil(t *testing.T) {
|
||||||
var s *Engine
|
var e *Engine
|
||||||
if err := s.Validate([]string{"www.example.com"}, nil, nil, nil); err != nil {
|
if err := e.Validate([]string{"www.example.com"}, nil, nil, nil); err != nil {
|
||||||
t.Errorf("service.Validate() error = %v, wantErr false", err)
|
t.Errorf("service.Validate() error = %v, wantErr false", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -284,7 +284,7 @@ func TestEngine_ValidateCertificate(t *testing.T) {
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
s := &Engine{
|
e := &Engine{
|
||||||
hasNameConstraints: tt.fields.hasNameConstraints,
|
hasNameConstraints: tt.fields.hasNameConstraints,
|
||||||
permittedDNSDomains: tt.fields.permittedDNSDomains,
|
permittedDNSDomains: tt.fields.permittedDNSDomains,
|
||||||
excludedDNSDomains: tt.fields.excludedDNSDomains,
|
excludedDNSDomains: tt.fields.excludedDNSDomains,
|
||||||
|
@ -295,7 +295,7 @@ func TestEngine_ValidateCertificate(t *testing.T) {
|
||||||
permittedURIDomains: tt.fields.permittedURIDomains,
|
permittedURIDomains: tt.fields.permittedURIDomains,
|
||||||
excludedURIDomains: tt.fields.excludedURIDomains,
|
excludedURIDomains: tt.fields.excludedURIDomains,
|
||||||
}
|
}
|
||||||
if err := s.ValidateCertificate(tt.args.cert); (err != nil) != tt.wantErr {
|
if err := e.ValidateCertificate(tt.args.cert); (err != nil) != tt.wantErr {
|
||||||
t.Errorf("Engine.ValidateCertificate() error = %v, wantErr %v", err, tt.wantErr)
|
t.Errorf("Engine.ValidateCertificate() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
Loading…
Reference in a new issue