2022-01-03 11:25:24 +00:00
|
|
|
package provisioner
|
|
|
|
|
|
|
|
|
|
import (
|
2022-01-17 22:36:13 +00:00
|
|
|
"github.com/smallstep/certificates/policy"
|
2022-01-03 11:25:24 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// newX509PolicyEngine creates a new x509 name policy engine
|
2022-01-17 22:36:13 +00:00
|
|
|
func newX509PolicyEngine(x509Opts *X509Options) (policy.X509NamePolicyEngine, error) {
|
2022-01-03 11:25:24 +00:00
|
|
|
|
|
|
|
|
if x509Opts == nil {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-17 22:36:13 +00:00
|
|
|
options := []policy.NamePolicyOption{
|
|
|
|
|
policy.WithSubjectCommonNameVerification(), // enable x509 Subject Common Name validation by default
|
2022-01-03 14:32:58 +00:00
|
|
|
}
|
2022-01-03 11:25:24 +00:00
|
|
|
|
|
|
|
|
allowed := x509Opts.GetAllowedNameOptions()
|
|
|
|
|
if allowed != nil && allowed.HasNames() {
|
|
|
|
|
options = append(options,
|
2022-01-17 22:36:13 +00:00
|
|
|
policy.WithPermittedDNSDomains(allowed.DNSDomains),
|
2022-01-18 13:39:21 +00:00
|
|
|
policy.WithPermittedIPsOrCIDRs(allowed.IPRanges),
|
2022-01-17 22:36:13 +00:00
|
|
|
policy.WithPermittedEmailAddresses(allowed.EmailAddresses),
|
|
|
|
|
policy.WithPermittedURIDomains(allowed.URIDomains),
|
2022-01-03 11:25:24 +00:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
denied := x509Opts.GetDeniedNameOptions()
|
|
|
|
|
if denied != nil && denied.HasNames() {
|
|
|
|
|
options = append(options,
|
2022-01-17 22:36:13 +00:00
|
|
|
policy.WithExcludedDNSDomains(denied.DNSDomains),
|
2022-01-18 13:39:21 +00:00
|
|
|
policy.WithExcludedIPsOrCIDRs(denied.IPRanges),
|
2022-01-17 22:36:13 +00:00
|
|
|
policy.WithExcludedEmailAddresses(denied.EmailAddresses),
|
|
|
|
|
policy.WithExcludedURIDomains(denied.URIDomains),
|
2022-01-03 11:25:24 +00:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-17 22:36:13 +00:00
|
|
|
return policy.New(options...)
|
2022-01-03 11:25:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newSSHPolicyEngine creates a new SSH name policy engine
|
2022-01-17 22:36:13 +00:00
|
|
|
func newSSHPolicyEngine(sshOpts *SSHOptions) (policy.SSHNamePolicyEngine, error) {
|
2022-01-03 11:25:24 +00:00
|
|
|
|
|
|
|
|
if sshOpts == nil {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-17 22:36:13 +00:00
|
|
|
options := []policy.NamePolicyOption{}
|
2022-01-03 11:25:24 +00:00
|
|
|
|
|
|
|
|
allowed := sshOpts.GetAllowedNameOptions()
|
|
|
|
|
if allowed != nil && allowed.HasNames() {
|
|
|
|
|
options = append(options,
|
2022-01-25 13:59:55 +00:00
|
|
|
policy.WithPermittedDNSDomains(allowed.DNSDomains),
|
|
|
|
|
policy.WithPermittedIPsOrCIDRs(allowed.IPRanges),
|
2022-01-17 22:36:13 +00:00
|
|
|
policy.WithPermittedEmailAddresses(allowed.EmailAddresses),
|
|
|
|
|
policy.WithPermittedPrincipals(allowed.Principals),
|
2022-01-03 11:25:24 +00:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
denied := sshOpts.GetDeniedNameOptions()
|
|
|
|
|
if denied != nil && denied.HasNames() {
|
|
|
|
|
options = append(options,
|
2022-01-25 13:59:55 +00:00
|
|
|
policy.WithExcludedDNSDomains(denied.DNSDomains),
|
|
|
|
|
policy.WithExcludedIPsOrCIDRs(denied.IPRanges),
|
2022-01-17 22:36:13 +00:00
|
|
|
policy.WithExcludedEmailAddresses(denied.EmailAddresses),
|
|
|
|
|
policy.WithExcludedPrincipals(denied.Principals),
|
2022-01-03 11:25:24 +00:00
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-17 22:36:13 +00:00
|
|
|
return policy.New(options...)
|
2022-01-03 11:25:24 +00:00
|
|
|
}
|
