Merge pull request #2759 from alwaysjolley/lemur_vault_plugin
Adding SAN filter to Vault Destination Plugin
This commit is contained in:
commit
21d619e24a
|
@ -9,6 +9,8 @@
|
||||||
|
|
||||||
.. moduleauthor:: Christopher Jolley <chris@alwaysjolley.com>
|
.. moduleauthor:: Christopher Jolley <chris@alwaysjolley.com>
|
||||||
"""
|
"""
|
||||||
|
import os
|
||||||
|
import re
|
||||||
import hvac
|
import hvac
|
||||||
from flask import current_app
|
from flask import current_app
|
||||||
|
|
||||||
|
@ -87,6 +89,14 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
],
|
],
|
||||||
'required': True,
|
'required': True,
|
||||||
'helpMessage': 'Bundle the chain into the certificate'
|
'helpMessage': 'Bundle the chain into the certificate'
|
||||||
|
},
|
||||||
|
{
|
||||||
|
'name': 'sanFilter',
|
||||||
|
'type': 'str',
|
||||||
|
'value': '.*',
|
||||||
|
'required': False,
|
||||||
|
'validation': '.*',
|
||||||
|
'helpMessage': 'Valid regex filter'
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
@ -110,6 +120,21 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
bundle = self.get_option('bundleChain', options)
|
bundle = self.get_option('bundleChain', options)
|
||||||
obj_name = self.get_option('objectName', options)
|
obj_name = self.get_option('objectName', options)
|
||||||
api_version = self.get_option('vaultKvApiVersion', options)
|
api_version = self.get_option('vaultKvApiVersion', options)
|
||||||
|
san_filter = self.get_option('sanFilter', options)
|
||||||
|
|
||||||
|
san_list = get_san_list(body)
|
||||||
|
if san_filter:
|
||||||
|
for san in san_list:
|
||||||
|
try:
|
||||||
|
if not re.match(san_filter, san, flags=re.IGNORECASE):
|
||||||
|
current_app.logger.exception(
|
||||||
|
"Exception uploading secret to vault: invalid SAN: {}".format(san),
|
||||||
|
exc_info=True)
|
||||||
|
os._exit(1)
|
||||||
|
except re.error:
|
||||||
|
current_app.logger.exception(
|
||||||
|
"Exception compiling regex filter: invalid filter",
|
||||||
|
exc_info=True)
|
||||||
|
|
||||||
with open(token_file, 'r') as file:
|
with open(token_file, 'r') as file:
|
||||||
token = file.readline().rstrip('\n')
|
token = file.readline().rstrip('\n')
|
||||||
|
@ -133,7 +158,6 @@ class VaultDestinationPlugin(DestinationPlugin):
|
||||||
else:
|
else:
|
||||||
secret['data'][cname]['crt'] = body
|
secret['data'][cname]['crt'] = body
|
||||||
secret['data'][cname]['key'] = private_key
|
secret['data'][cname]['key'] = private_key
|
||||||
san_list = get_san_list(body)
|
|
||||||
if isinstance(san_list, list):
|
if isinstance(san_list, list):
|
||||||
secret['data'][cname]['san'] = san_list
|
secret['data'][cname]['san'] = san_list
|
||||||
try:
|
try:
|
||||||
|
|
Loading…
Reference in New Issue