From 9ecc19c481384b0405e92845a01ea4144c1d95f2 Mon Sep 17 00:00:00 2001 From: alwaysjolley Date: Fri, 12 Apr 2019 09:53:06 -0400 Subject: [PATCH 1/5] adding san filter --- lemur/plugins/lemur_vault_dest/plugin.py | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py index 91f6a07a..94647c03 100644 --- a/lemur/plugins/lemur_vault_dest/plugin.py +++ b/lemur/plugins/lemur_vault_dest/plugin.py @@ -9,6 +9,7 @@ .. moduleauthor:: Christopher Jolley """ +import re import hvac from flask import current_app @@ -19,7 +20,6 @@ from lemur.plugins.bases import DestinationPlugin from cryptography import x509 from cryptography.hazmat.backends import default_backend - class VaultDestinationPlugin(DestinationPlugin): """Hashicorp Vault Destination plugin for Lemur""" title = 'Vault' @@ -76,6 +76,13 @@ class VaultDestinationPlugin(DestinationPlugin): ], 'required': True, 'helpMessage': 'Bundle the chain into the certificate' + }, + { + 'name': 'sanFilter', + 'type': 'str', + 'required': False, + 'validation': '^[0-9a-zA-Z\\\?\[\](){}^$+._-]+$', + 'helpMessage': 'Valid regex filter' } ] @@ -98,6 +105,14 @@ class VaultDestinationPlugin(DestinationPlugin): path = self.get_option('vaultPath', options) bundle = self.get_option('bundleChain', options) obj_name = self.get_option('objectName', options) + san_filter = self.get_option('sanFilter', options) + + san_list = get_san_list(body) + for san in san_list: + if not re.match(san_filter, san): + current_app.logger.exception( + "Exception uploading secret to vault: invalid SAN in certificate", + exc_info=True) with open(token_file, 'r') as file: token = file.readline().rstrip('\n') 
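Review bot: A SAN that fails `re.match` is only logged and the method then continues to the token read and the Vault write, so the new `sanFilter` option never actually blocks an upload; the mismatch branch should raise (the `InvalidSanError` that PATCH 2/5 later deletes would fit) so the upload aborts, e.g. `raise InvalidSanError("invalid SAN: {}".format(san))`. `sanFilter` is declared with `'required': False` in the hunk at `@@ -76,6 +76,13`, so `san_filter` may be `None` and `re.match(None, san)` raises `TypeError`; guard the loop with `if san_filter:`. `current_app.logger.exception(..., exc_info=True)` runs with no exception in flight, so the record shows `NoneType: None` instead of a traceback; `current_app.logger.error(...)` is the right call there. The later shape of this block (PATCH 4/5) is reviewed at that hunk. The enclosing method starts before and ends after this hunk.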
@@ -119,7 +134,6 @@ class VaultDestinationPlugin(DestinationPlugin): else: secret['data'][cname]['crt'] = body secret['data'][cname]['key'] = private_key - san_list = get_san_list(body) if isinstance(san_list, list): secret['data'][cname]['san'] = san_list try: From 1667c057428c58e6c25ff3a9ae76621f8639c9d7 Mon Sep 17 00:00:00 2001 From: alwaysjolley Date: Thu, 18 Apr 2019 13:57:10 -0400 Subject: [PATCH 2/5] removed unused functions --- lemur/plugins/lemur_vault_dest/plugin.py | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py index 93134e7f..1b07cd83 100644 --- a/lemur/plugins/lemur_vault_dest/plugin.py +++ b/lemur/plugins/lemur_vault_dest/plugin.py @@ -21,14 +21,6 @@ from lemur.plugins.bases import DestinationPlugin from cryptography import x509 from cryptography.hazmat.backends import default_backend -class Error(Exception): - """Base exception class""" - pass - -class InvalidSanError(Error): - """Invlied SAN in SAN list as defined by regex in destination""" - pass - class VaultDestinationPlugin(DestinationPlugin): """Hashicorp Vault Destination plugin for Lemur""" title = 'Vault' From 8dccaaf54450eb8e35e8e46804c6c910d040ca5f Mon Sep 17 00:00:00 2001 From: alwaysjolley Date: Mon, 22 Apr 2019 07:58:01 -0400 Subject: [PATCH 3/5] simpler validation --- lemur/plugins/lemur_vault_dest/.plugin.py.swp | Bin 0 -> 16384 bytes lemur/plugins/lemur_vault_dest/plugin.py | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 lemur/plugins/lemur_vault_dest/.plugin.py.swp 
diff --git a/lemur/plugins/lemur_vault_dest/.plugin.py.swp b/lemur/plugins/lemur_vault_dest/.plugin.py.swp new file mode 100644 index 0000000000000000000000000000000000000000..b82010b3d3acbd7728a41aa95e77a928b96bc16d GIT binary patch literal 16384 zcmeHOU2Ggz6`rJ}4TQ9%g$HPB6-JvLVfB&avpS^rp`72ixo3}eY zwcp?p{l><%HKW%sxUZRRdrOM)+S*!KbdLUdcBg4Mf&8U+jgB4absmIec|-GhTk^>p za}DGgcqbY-pnUr9_!v=sYUDn4*PRRRgh@`5YarJ^u7O+wxdw6#yfm{Q* z267GL8u&ldfKgYJ+acFYQ~<#9|M>j>Z#4cIcoBFWI1gCBCxF*)QjR4N zXW%8^3h*>=26z;x0`~xWfY)wTl&ipZfi<8FG=TQm-=1t&xz;nO_zys!i37`Pn z16+eWUjwcHE^q`O8}9`ME*4#$5w=*B1>A0EO&;p57h0}UP{n&0r*Ts)G1(Rrm6)jQ zcARiqsu{Yw6!kLAS0C+iCxF|vo#7({B%zWX zQmny#(Rjw(891O}@_HAtCqG{{CI+AOxlE+CjC{ zf8Xa9I+oAtxO>8|13qvY6na#Z48JNs+|9E0d$Cb?c`G{MSo?*7Im=yYzz0_H} zh_ya&Lp8dFWg9D4eigQ)^z~1aNRH23$L0@=S2#rk9!pU^mwL)iU zIYWh#jqv+`fhG4#%xbU|+i+G{CxE)0esv(KWu0hgY;?jHePVL-ixquz`A|j_nzfp- z!B!rXOm%y=aaYbm3nXra_pYZo(+NVh!kNK@*i0-~EKd{BC}0%0cbwh1!jhaEW=Yd4 zKU_R?e@2eMIS%`ox{E1h_KC#S|DzeoU50$-zMUs}cJ95JShSVB`efY?xbf$bIq{XwO=oa&1~V!DN@Skji6;kix=;`hK6Gf zYNJ_UPiq-Z zw2e?(F-&B>^?+Gz&&39dEK9r{9kmY=#vRum9Gi&viZ`t_DQEzW0Z-Ts2_qRw3Yi;g zozSuqf}tFF3xY_-geH??M-nxlpw(DXv*Y{R33bEslxUW%u3^UCeI9>v1BJA!X{_zm zJ2sbYRH?9GFJi|`@~qEgJ&;`Tvr*n1wv3ROhC_R)*MWc5S>0X3&mM!endc%OV~$(r zfhJagw4JbW>VSRTH;}Wl#Qn%Gh0|fnhEquaDz;^EC*Tz(GciiBIXg8yRhylviDBBV z&tdHliB}{;#dN)%Z#7$Cg%!*qJ3KZ%A%v@Vwh_Vs+ZDFpSnH{RDy-l1;#cPN`p74Q zR_XlzL!1}?fwLu@|EHtF;Z>aTF9XxSZNLHG8qV{-1zrH?oc|E;C!FE00AB~50vf=B zzykoC?|+Un{42nZfG+_KPz8l+8ZkBF$Ssx8=JDWgAJRM>~qWNa;Om59_4P-i;1L1p6EycqU;qJq;3ff8-9<` zmQS@MszgfN6{Mh%!cg%7F(pw7S%9vH2`V(YjR6&EyP;hvVbb_|h;13R4YXSPb=D0} zz%unz|1o3O83YU&u@~!fv?vIk$7kp0xSuiRIu%MOd&rJQ^Gk*oEL^KD zIp9kw&g0X^wYh~yPS&R8^~qE7wKKDm^V5qpeRguDmX0B+F;yl6p!%Zj@wQIC`st!x z&WhS)khMLTtQ6ajx4p2(s0p5!T#mRM#oR?T*sP5i5)3=SBipimFGwvHE+7-E3b znW$?&durJ!EKssY1)r+?Sdwclt*R3J@LC216`$$A=3)8qcrhu|ovy@!@+XT%iPPWwh-Sg3F~2f#@+g*PS~PeE!bwNL*q_CkckIiC6t%dBE<({ zk(mq;#Frar*d?s6FrKO)z88P)5V_(m^trphXgQ)1#Sp4#S5JZ@mUpqglppinU383l 
z!+wq%BHU{Ty=F^<4a^_URS@P3r^HYzXa-f>pMG@q@iVol$+=o4m=GJPy`U?ep(HUW zU1Z=-kw~&ko2gCgDv@{hZ6m2+Q&L!V=z%Eio`@a+4L=ag_|{gmV&Ca6Dh~6AJ$ow# V*#`;3lyMju7Fynk9<-!{{{?&E-R}SZ literal 0 HcmV?d00001 diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py index 1b07cd83..a9c85dd7 100644 --- a/lemur/plugins/lemur_vault_dest/plugin.py +++ b/lemur/plugins/lemur_vault_dest/plugin.py @@ -94,7 +94,7 @@ class VaultDestinationPlugin(DestinationPlugin): 'type': 'str', 'value': '.*', 'required': False, - 'validation': '^[0-9a-zA-Z\\\?\[\](){}|^$+*,._-]+$', + 'validation': '.*', 'helpMessage': 'Valid regex filter' } ] From f9dadb2670de7c8f4414870ac6cb1b11c7d9c546 Mon Sep 17 00:00:00 2001 From: alwaysjolley Date: Mon, 22 Apr 2019 09:38:44 -0400 Subject: [PATCH 4/5] fixing validation --- lemur/plugins/lemur_vault_dest/plugin.py | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py index a9c85dd7..8d2ca6c6 100644 --- a/lemur/plugins/lemur_vault_dest/plugin.py +++ b/lemur/plugins/lemur_vault_dest/plugin.py @@ -124,11 +124,16 @@ class VaultDestinationPlugin(DestinationPlugin): san_list = get_san_list(body) if san_filter: for san in san_list: - if not re.match(san_filter, san, flags=re.IGNORECASE): + try: + if not re.match(san_filter, san, flags=re.IGNORECASE): + current_app.logger.exception( + "Exception uploading secret to vault: invalid SAN: {}".format(san), + exc_info=True) + os._exit(1) + except re.error: current_app.logger.exception( - "Exception uploading secret to vault: invalid SAN: {}".format(san), + "Exception compiling regex filter: invalid filter", exc_info=True) - os._exit(1) with open(token_file, 'r') as file: token = file.readline().rstrip('\n') From 85efb6a99e9fae62e318652c841597c2c2beacf7 Mon Sep 17 00:00:00 2001 
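Review bot: `'validation': '.*'` accepts any value, including an empty string, so the form-side check no longer constrains `sanFilter` at all and the only remaining safeguard is whatever compiles the pattern in the upload path. Whether a pattern compiles cannot be expressed as a validation regex, so the `re.error` handling in PATCH 4/5 is the check that matters and it has to fail closed. The option's help text should also state the contract the filter enforces, e.g. `'helpMessage': 'Regex that every SAN in the certificate must match; the upload is rejected otherwise'` (adjusted to the behaviour actually implemented).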
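Review bot: `os._exit(1)` on a non-matching SAN terminates the whole worker process without running any cleanup, so a single certificate whose SAN does not match a destination's filter takes the service down instead of failing that one upload; raise an exception instead (the `InvalidSanError` deleted in PATCH 2/5 fits) and let the caller report it. The `except re.error` branch logs and then falls through to the Vault write, so an invalid filter silently disables filtering — it should re-raise so the upload fails closed. `re.match` anchors only at the start of the SAN, so a filter meant to restrict SANs to a domain also accepts any SAN that merely begins with a match; compile the pattern once before the loop and use `fullmatch` for allow-list semantics. `os` is used here but no `import os` appears anywhere in this series — confirm it is imported at the top of the file. The enclosing method starts before and ends after this hunk.
```python
        san_list = get_san_list(body)
        if san_filter:
            try:
                san_re = re.compile(san_filter, flags=re.IGNORECASE)
            except re.error:
                current_app.logger.exception(
                    "Exception compiling regex filter: invalid filter")
                raise
            for san in san_list:
                if not san_re.fullmatch(san):
                    current_app.logger.error(
                        "Exception uploading secret to vault: invalid SAN: {}".format(san))
                    raise ValueError(
                        "SAN {} does not match the destination sanFilter".format(san))
        # … unchanged: token file read and Vault write …
```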
From: alwaysjolley Date: Mon, 22 Apr 2019 09:54:19 -0400 Subject: [PATCH 5/5] cleanup tmp files --- lemur/plugins/lemur_vault_dest/.plugin.py.swp | Bin 16384 -> 0 bytes lemur/plugins/lemur_vault_dest/plugin.py | 1 + 2 files changed, 1 insertion(+) delete mode 100644 lemur/plugins/lemur_vault_dest/.plugin.py.swp 
diff --git a/lemur/plugins/lemur_vault_dest/.plugin.py.swp b/lemur/plugins/lemur_vault_dest/.plugin.py.swp deleted file mode 100644 index b82010b3d3acbd7728a41aa95e77a928b96bc16d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeHOU2Ggz6`rJ}4TQ9%g$HPB6-JvLVfB&avpS^rp`72ixo3}eY zwcp?p{l><%HKW%sxUZRRdrOM)+S*!KbdLUdcBg4Mf&8U+jgB4absmIec|-GhTk^>p za}DGgcqbY-pnUr9_!v=sYUDn4*PRRRgh@`5YarJ^u7O+wxdw6#yfm{Q* z267GL8u&ldfKgYJ+acFYQ~<#9|M>j>Z#4cIcoBFWI1gCBCxF*)QjR4N zXW%8^3h*>=26z;x0`~xWfY)wTl&ipZfi<8FG=TQm-=1t&xz;nO_zys!i37`Pn z16+eWUjwcHE^q`O8}9`ME*4#$5w=*B1>A0EO&;p57h0}UP{n&0r*Ts)G1(Rrm6)jQ zcARiqsu{Yw6!kLAS0C+iCxF|vo#7({B%zWX zQmny#(Rjw(891O}@_HAtCqG{{CI+AOxlE+CjC{ zf8Xa9I+oAtxO>8|13qvY6na#Z48JNs+|9E0d$Cb?c`G{MSo?*7Im=yYzz0_H} zh_ya&Lp8dFWg9D4eigQ)^z~1aNRH23$L0@=S2#rk9!pU^mwL)iU zIYWh#jqv+`fhG4#%xbU|+i+G{CxE)0esv(KWu0hgY;?jHePVL-ixquz`A|j_nzfp- z!B!rXOm%y=aaYbm3nXra_pYZo(+NVh!kNK@*i0-~EKd{BC}0%0cbwh1!jhaEW=Yd4 zKU_R?e@2eMIS%`ox{E1h_KC#S|DzeoU50$-zMUs}cJ95JShSVB`efY?xbf$bIq{XwO=oa&1~V!DN@Skji6;kix=;`hK6Gf zYNJ_UPiq-Z zw2e?(F-&B>^?+Gz&&39dEK9r{9kmY=#vRum9Gi&viZ`t_DQEzW0Z-Ts2_qRw3Yi;g zozSuqf}tFF3xY_-geH??M-nxlpw(DXv*Y{R33bEslxUW%u3^UCeI9>v1BJA!X{_zm zJ2sbYRH?9GFJi|`@~qEgJ&;`Tvr*n1wv3ROhC_R)*MWc5S>0X3&mM!endc%OV~$(r zfhJagw4JbW>VSRTH;}Wl#Qn%Gh0|fnhEquaDz;^EC*Tz(GciiBIXg8yRhylviDBBV z&tdHliB}{;#dN)%Z#7$Cg%!*qJ3KZ%A%v@Vwh_Vs+ZDFpSnH{RDy-l1;#cPN`p74Q zR_XlzL!1}?fwLu@|EHtF;Z>aTF9XxSZNLHG8qV{-1zrH?oc|E;C!FE00AB~50vf=B zzykoC?|+Un{42nZfG+_KPz8l+8ZkBF$Ssx8=JDWgAJRM>~qWNa;Om59_4P-i;1L1p6EycqU;qJq;3ff8-9<` zmQS@MszgfN6{Mh%!cg%7F(pw7S%9vH2`V(YjR6&EyP;hvVbb_|h;13R4YXSPb=D0} zz%unz|1o3O83YU&u@~!fv?vIk$7kp0xSuiRIu%MOd&rJQ^Gk*oEL^KD zIp9kw&g0X^wYh~yPS&R8^~qE7wKKDm^V5qpeRguDmX0B+F;yl6p!%Zj@wQIC`st!x z&WhS)khMLTtQ6ajx4p2(s0p5!T#mRM#oR?T*sP5i5)3=SBipimFGwvHE+7-E3b znW$?&durJ!EKssY1)r+?Sdwclt*R3J@LC216`$$A=3)8qcrhu|ovy@!@+XT%iPPWwh-Sg3F~2f#@+g*PS~PeE!bwNL*q_CkckIiC6t%dBE<({ zk(mq;#Frar*d?s6FrKO)z88P)5V_(m^trphXgQ)1#Sp4#S5JZ@mUpqglppinU383l 
z!+wq%BHU{Ty=F^<4a^_URS@P3r^HYzXa-f>pMG@q@iVol$+=o4m=GJPy`U?ep(HUW zU1Z=-kw~&ko2gCgDv@{hZ6m2+Q&L!V=z%Eio`@a+4L=ag_|{gmV&Ca6Dh~6AJ$ow# V*#`;3lyMju7Fynk9<-!{{{?&E-R}SZ diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py index 8d2ca6c6..819ba22b 100644 --- a/lemur/plugins/lemur_vault_dest/plugin.py +++ b/lemur/plugins/lemur_vault_dest/plugin.py @@ -21,6 +21,7 @@ from lemur.plugins.bases import DestinationPlugin from cryptography import x509 from cryptography.hazmat.backends import default_backend + class VaultDestinationPlugin(DestinationPlugin): """Hashicorp Vault Destination plugin for Lemur""" title = 'Vault'