certificates/authority/provisioner/policy.go

package provisioner

import (
	"github.com/smallstep/certificates/policy"
)

// newX509PolicyEngine creates a new x509 name policy engine
func newX509PolicyEngine(x509Opts *X509Options) (policy.X509NamePolicyEngine, error) {

	if x509Opts == nil {
		return nil, nil
	}

	options := []policy.NamePolicyOption{
		policy.WithSubjectCommonNameVerification(), // enable x509 Subject Common Name validation by default
	}

	allowed := x509Opts.GetAllowedNameOptions()
	if allowed != nil && allowed.HasNames() {
		options = append(options,
			policy.WithPermittedDNSDomains(allowed.DNSDomains),
			policy.WithPermittedIPsOrCIDRs(allowed.IPRanges),
			policy.WithPermittedEmailAddresses(allowed.EmailAddresses),
			policy.WithPermittedURIDomains(allowed.URIDomains),
		)
	}

	denied := x509Opts.GetDeniedNameOptions()
	if denied != nil && denied.HasNames() {
		options = append(options,
			policy.WithExcludedDNSDomains(denied.DNSDomains),
			policy.WithExcludedIPsOrCIDRs(denied.IPRanges),
			policy.WithExcludedEmailAddresses(denied.EmailAddresses),
			policy.WithExcludedURIDomains(denied.URIDomains),
		)
	}

	return policy.New(options...)
}

// newSSHPolicyEngine creates a new SSH name policy engine
func newSSHPolicyEngine(sshOpts *SSHOptions) (policy.SSHNamePolicyEngine, error) {

	if sshOpts == nil {
		return nil, nil
	}

	options := []policy.NamePolicyOption{}

	allowed := sshOpts.GetAllowedNameOptions()
	if allowed != nil && allowed.HasNames() {
		options = append(options,
			policy.WithPermittedDNSDomains(allowed.DNSDomains), // TODO(hs): be a bit more lenient w.r.t. the format of domains? I.e. allow "*.localhost" instead of the ".localhost", which is what Name Constraints do.
			policy.WithPermittedEmailAddresses(allowed.EmailAddresses),
			policy.WithPermittedPrincipals(allowed.Principals),
		)
	}

	denied := sshOpts.GetDeniedNameOptions()
	if denied != nil && denied.HasNames() {
		options = append(options,
			policy.WithExcludedDNSDomains(denied.DNSDomains), // TODO(hs): be a bit more lenient w.r.t. the format of domains? I.e. allow "*.localhost" instead of the ".localhost", which is what Name Constraints do.
			policy.WithExcludedEmailAddresses(denied.EmailAddresses),
			policy.WithExcludedPrincipals(denied.Principals),
		)
	}

	return policy.New(options...)
}
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00			`package provisioner`

			`import (`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`"github.com/smallstep/certificates/policy"`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00			`)`

			`// newX509PolicyEngine creates a new x509 name policy engine`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`func newX509PolicyEngine(x509Opts *X509Options) (policy.X509NamePolicyEngine, error) {`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00
			`if x509Opts == nil {`
			`return nil, nil`
			`}`

Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`options := []policy.NamePolicyOption{`
			`policy.WithSubjectCommonNameVerification(), // enable x509 Subject Common Name validation by default`
Add more tests 2022-01-03 14:32:58 +00:00			`}`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00
			`allowed := x509Opts.GetAllowedNameOptions()`
			`if allowed != nil && allowed.HasNames() {`
			`options = append(options,`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`policy.WithPermittedDNSDomains(allowed.DNSDomains),`
Clean up, improve test cases and coverage 2022-01-18 13:39:21 +00:00			`policy.WithPermittedIPsOrCIDRs(allowed.IPRanges),`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`policy.WithPermittedEmailAddresses(allowed.EmailAddresses),`
			`policy.WithPermittedURIDomains(allowed.URIDomains),`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00			`)`
			`}`

			`denied := x509Opts.GetDeniedNameOptions()`
			`if denied != nil && denied.HasNames() {`
			`options = append(options,`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`policy.WithExcludedDNSDomains(denied.DNSDomains),`
Clean up, improve test cases and coverage 2022-01-18 13:39:21 +00:00			`policy.WithExcludedIPsOrCIDRs(denied.IPRanges),`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`policy.WithExcludedEmailAddresses(denied.EmailAddresses),`
			`policy.WithExcludedURIDomains(denied.URIDomains),`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00			`)`
			`}`

Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`return policy.New(options...)`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00			`}`

			`// newSSHPolicyEngine creates a new SSH name policy engine`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`func newSSHPolicyEngine(sshOpts *SSHOptions) (policy.SSHNamePolicyEngine, error) {`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00
			`if sshOpts == nil {`
			`return nil, nil`
			`}`

Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`options := []policy.NamePolicyOption{}`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00
			`allowed := sshOpts.GetAllowedNameOptions()`
			`if allowed != nil && allowed.HasNames() {`
			`options = append(options,`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`policy.WithPermittedDNSDomains(allowed.DNSDomains), // TODO(hs): be a bit more lenient w.r.t. the format of domains? I.e. allow "*.localhost" instead of the ".localhost", which is what Name Constraints do.`
			`policy.WithPermittedEmailAddresses(allowed.EmailAddresses),`
			`policy.WithPermittedPrincipals(allowed.Principals),`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00			`)`
			`}`

			`denied := sshOpts.GetDeniedNameOptions()`
			`if denied != nil && denied.HasNames() {`
			`options = append(options,`
Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`policy.WithExcludedDNSDomains(denied.DNSDomains), // TODO(hs): be a bit more lenient w.r.t. the format of domains? I.e. allow "*.localhost" instead of the ".localhost", which is what Name Constraints do.`
			`policy.WithExcludedEmailAddresses(denied.EmailAddresses),`
			`policy.WithExcludedPrincipals(denied.Principals),`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00			`)`
			`}`

Merge logic for X509 and SSH policy 2022-01-17 22:36:13 +00:00			`return policy.New(options...)`
Add initial implementation of x509 and SSH allow/deny policy engine 2022-01-03 11:25:24 +00:00			`}`