forked from TrueCloudLab/certificates
99 lines
2.4 KiB
Go
99 lines
2.4 KiB
Go
package sshpolicy
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
type NamePolicyOption func(g *NamePolicyEngine) error
|
|
|
|
func WithPermittedDNSDomains(domains []string) NamePolicyOption {
|
|
return func(g *NamePolicyEngine) error {
|
|
for _, domain := range domains {
|
|
if err := validateDNSDomainConstraint(domain); err != nil {
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
}
|
|
}
|
|
g.permittedDNSDomains = domains
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func WithExcludedDNSDomains(domains []string) NamePolicyOption {
|
|
return func(g *NamePolicyEngine) error {
|
|
for _, domain := range domains {
|
|
if err := validateDNSDomainConstraint(domain); err != nil {
|
|
return errors.Errorf("cannot parse excluded domain constraint %q", domain)
|
|
}
|
|
}
|
|
g.excludedDNSDomains = domains
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func WithPermittedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
|
return func(g *NamePolicyEngine) error {
|
|
for _, email := range emailAddresses {
|
|
if err := validateEmailConstraint(email); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
g.permittedEmailAddresses = emailAddresses
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func WithExcludedEmailAddresses(emailAddresses []string) NamePolicyOption {
|
|
return func(g *NamePolicyEngine) error {
|
|
for _, email := range emailAddresses {
|
|
if err := validateEmailConstraint(email); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
g.excludedEmailAddresses = emailAddresses
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func WithPermittedPrincipals(principals []string) NamePolicyOption {
|
|
return func(g *NamePolicyEngine) error {
|
|
// for _, principal := range principals {
|
|
// // TODO: validation?
|
|
// }
|
|
g.permittedPrincipals = principals
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func WithExcludedPrincipals(principals []string) NamePolicyOption {
|
|
return func(g *NamePolicyEngine) error {
|
|
// for _, principal := range principals {
|
|
// // TODO: validation?
|
|
// }
|
|
g.excludedPrincipals = principals
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func validateDNSDomainConstraint(domain string) error {
|
|
if _, ok := domainToReverseLabels(domain); !ok {
|
|
return errors.Errorf("cannot parse permitted domain constraint %q", domain)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func validateEmailConstraint(constraint string) error {
|
|
if strings.Contains(constraint, "@") {
|
|
_, ok := parseRFC2821Mailbox(constraint)
|
|
if !ok {
|
|
return fmt.Errorf("cannot parse email constraint %q", constraint)
|
|
}
|
|
}
|
|
_, ok := domainToReverseLabels(constraint)
|
|
if !ok {
|
|
return fmt.Errorf("cannot parse email domain constraint %q", constraint)
|
|
}
|
|
return nil
|
|
}
|