feat(certificates): add support for restricted domains (#424)

Lemur's documentation already mentions LEMUR_RESTRICTED_DOMAINS, a list
of regular expressions matching domains only administrators can issue
certificates for. An option to mark domains as sensitive existed in the
API, however the configuration option was not implemented.

Now both ways of sensitivity are checked in the same place.
Terin Stock 2016-09-12 16:59:14 -07:00 committed by kevgliss
parent a60e372c5a
commit 39645a1a84

@ -1,5 +1,6 @@
import arrow
from flask import current_app
from marshmallow.exceptions import ValidationError
from cryptography import x509
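Review bot: `re` is not among the imports visible in this hunk, yet the second hunk calls `re.match`. Confirm the module imports `re`, otherwise the new pattern check raises NameError when it runs.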
@ -43,11 +44,12 @@ def sensitive_domain(domain):
:param domain:
:return:
"""
restricted_domains = current_app.config['LEMUR_RESTRICTED_DOMAINS']
domains = domain_service.get_by_name(domain)
for domain in domains:
# we only care about non-admins
if not SensitiveDomainPermission().can():
if domain.sensitive:
if domain.sensitive or any([re.match(pattern, domain.name) for pattern in restricted_domains]):
raise ValidationError(
'Domain {0} has been marked as sensitive, contact and administrator \
to issue the certificate.'.format(domain))
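Review bot: The `LEMUR_RESTRICTED_DOMAINS` match sits inside `for domain in domains:`, so it only runs for names that `domain_service.get_by_name(domain)` returns; if that lookup returns nothing for a name with no stored record, a non-admin request for a name matching a restricted pattern is never checked. Match the requested name against the patterns before the loop, and keep the `domain.sensitive` test inside it. Separately, `current_app.config['LEMUR_RESTRICTED_DOMAINS']` raises KeyError when the option is unset; `current_app.config.get('LEMUR_RESTRICTED_DOMAINS', [])` avoids that. `re.match` anchors only at the start of the string, so the documentation should state that patterns need a trailing `$` to avoid matching longer names by prefix. The loop variable also shadows the `domain` parameter, and the error message formats the object rather than `domain.name`.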