feat(certificates): add support for restricted domains (#424)
Lemur's documentation already mentions LEMUR_RESTRICTED_DOMAINS, a list of regular expressions matching domains only administrators can issue certificates for. An option to mark domains as sensitive existed in the API; however, the configuration option was not implemented. Now both ways of marking a domain as sensitive are checked in the same place.
This commit is contained in:
parent
a60e372c5a
commit
39645a1a84
@ -1,5 +1,6 @@
|
||||||
|
|
||||||
import arrow
|
import arrow
|
||||||
|
from flask import current_app
|
||||||
from marshmallow.exceptions import ValidationError
|
from marshmallow.exceptions import ValidationError
|
||||||
|
|
||||||
from cryptography import x509
|
from cryptography import x509
|
||||||
|
@ -43,11 +44,12 @@ def sensitive_domain(domain):
|
||||||
:param domain:
|
:param domain:
|
||||||
:return:
|
:return:
|
||||||
"""
|
"""
|
||||||
|
restricted_domains = current_app.config['LEMUR_RESTRICTED_DOMAINS']
|
||||||
domains = domain_service.get_by_name(domain)
|
domains = domain_service.get_by_name(domain)
|
||||||
for domain in domains:
|
for domain in domains:
|
||||||
# we only care about non-admins
|
# we only care about non-admins
|
||||||
if not SensitiveDomainPermission().can():
|
if not SensitiveDomainPermission().can():
|
||||||
if domain.sensitive:
|
if domain.sensitive or any([re.match(pattern, domain.name) for pattern in restricted_domains]):
|
||||||
raise ValidationError(
|
raise ValidationError(
|
||||||
'Domain {0} has been marked as sensitive, contact and administrator \
|
'Domain {0} has been marked as sensitive, contact and administrator \
|
||||||
to issue the certificate.'.format(domain))
|
to issue the certificate.'.format(domain))
|
||||||
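Review bot: The pattern check added on the `if domain.sensitive or any(...)` line only runs for rows returned by `domain_service.get_by_name(domain)`, so a requested name that this lookup (presumably a database query) does not return is never compared against `LEMUR_RESTRICTED_DOMAINS` and the configured restriction does not apply to that request. Evaluate the patterns against the requested name itself and check the stored `sensitive` flag separately, which also removes the loop variable's shadowing of the `domain` parameter (the reason the message formats a model object rather than the name). `current_app.config['LEMUR_RESTRICTED_DOMAINS']` raises `KeyError` on deployments that never set the key, so read it as `current_app.config.get('LEMUR_RESTRICTED_DOMAINS', [])`. `re.match` anchors only at the start of the string, so the configuration docs should state that a pattern needs a trailing `$` to avoid also restricting longer names that share its prefix; and since the first hunk adds no `import re`, confirm it is already imported. `sensitive_domain` starts before this hunk and its body may continue after it.
```python
    restricted_domains = current_app.config.get('LEMUR_RESTRICTED_DOMAINS', [])
    # we only care about non-admins
    if not SensitiveDomainPermission().can():
        # NOTE(review): assumes `domain` is the requested name as a string — confirm against callers
        matches_pattern = any(re.match(pattern, domain) for pattern in restricted_domains)
        stored_sensitive = any(d.sensitive for d in domain_service.get_by_name(domain))
        if matches_pattern or stored_sensitive:
            raise ValidationError(
                'Domain {0} has been marked as sensitive, contact and administrator \
to issue the certificate.'.format(domain))
```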