diff --git a/docker/src/lemur.conf.py b/docker/src/lemur.conf.py
index 4cb3ae0c..4bcaeef9 100644
--- a/docker/src/lemur.conf.py
+++ b/docker/src/lemur.conf.py
@@ -24,7 +24,7 @@ LEMUR_TOKEN_SECRET = repr(os.environ.get('LEMUR_TOKEN_SECRET',
 LEMUR_ENCRYPTION_KEYS = repr(os.environ.get('LEMUR_ENCRYPTION_KEYS', base64.b64encode(get_random_secret(32).encode('utf8'))))
-LEMUR_WHITELISTED_DOMAINS = []
+LEMUR_ALLOWED_DOMAINS = []
 LEMUR_EMAIL = ''
 LEMUR_SECURITY_TEAM_EMAIL = []
diff --git a/docs/administration.rst b/docs/administration.rst
index f44ad1a3..00da0c8a 100644
--- a/docs/administration.rst
+++ b/docs/administration.rst
@@ -100,7 +100,7 @@ Specifying the `SQLALCHEMY_MAX_OVERFLOW` to 0 will enforce limit to not create c
 Specifies whether to allow certificates created by Lemur to expire on weekends. Default is True.
-.. data:: LEMUR_WHITELISTED_DOMAINS
+.. data:: LEMUR_ALLOWED_DOMAINS
     :noindex:
     List of regular expressions for domain restrictions; if the list is not empty, normal users can only issue
diff --git a/lemur/common/validators.py b/lemur/common/validators.py
index e1dfe3c1..e004a971 100644
--- a/lemur/common/validators.py
+++ b/lemur/common/validators.py
@@ -22,7 +22,7 @@ def common_name(value):
 def sensitive_domain(domain):
     """
-    Checks if user has the admin role, the domain does not match sensitive domains and whitelisted domain patterns.
+    Checks if user has the admin role, the domain does not match sensitive domains and allowed domain patterns.
     :param domain: domain name (str)
     :return:
     """
@@ -30,10 +30,10 @@ def sensitive_domain(domain):
         # User has permission, no need to check anything
         return
-    whitelist = current_app.config.get("LEMUR_WHITELISTED_DOMAINS", [])
-    if whitelist and not any(re.match(pattern, domain) for pattern in whitelist):
+    allowlist = current_app.config.get("LEMUR_ALLOWED_DOMAINS", [])
+    if allowlist and not any(re.match(pattern, domain) for pattern in allowlist):
         raise ValidationError(
-            "Domain {0} does not match whitelisted domain patterns. "
+            "Domain {0} does not match allowed domain patterns. "
             "Contact an administrator to issue the certificate.".format(domain)
         )
diff --git a/lemur/manage.py b/lemur/manage.py
index 2fbbe893..e53f8bd6 100755
--- a/lemur/manage.py
+++ b/lemur/manage.py
@@ -95,7 +95,7 @@ LEMUR_TOKEN_SECRET = '{secret_token}'
 LEMUR_ENCRYPTION_KEYS = '{encryption_key}'
 # List of domain regular expressions that non-admin users can issue
-LEMUR_WHITELISTED_DOMAINS = []
+LEMUR_ALLOWED_DOMAINS = []
 # Mail Server
diff --git a/lemur/tests/conf.py b/lemur/tests/conf.py
index 8255e674..8c1e65d3 100644
--- a/lemur/tests/conf.py
+++ b/lemur/tests/conf.py
@@ -36,7 +36,7 @@ LEMUR_ENCRYPTION_KEYS = base64.urlsafe_b64encode(get_random_secret(length=32).en
 # List of domain regular expressions that non-admin users can issue
-LEMUR_WHITELISTED_DOMAINS = [
+LEMUR_ALLOWED_DOMAINS = [
     r"^[a-zA-Z0-9-]+\.example\.com$",
     r"^[a-zA-Z0-9-]+\.example\.org$",
     r"^example\d+\.long\.com$",
diff --git a/lemur/tests/test_certificates.py b/lemur/tests/test_certificates.py
index 8403461b..4e8072ff 100644
--- a/lemur/tests/test_certificates.py
+++ b/lemur/tests/test_certificates.py
@@ -397,7 +397,7 @@ def test_certificate_cn_admin(client, authority, logged_in_admin):
     from lemur.certificates.schemas import CertificateInputSchema
     input_data = {
-        "commonName": "*.admin-overrides-whitelist.com",
+        "commonName": "*.admin-overrides-allowlist.com",
         "owner": "jim@example.com",
         "authority": {"id": authority.id},
         "description": "testtestest",
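Review bot: Renaming the config key in `sensitive_domain` silently disables domain restriction for any deployment whose config still sets LEMUR_WHITELISTED_DOMAINS: `config.get("LEMUR_ALLOWED_DOMAINS", [])` returns the empty default, and the `if allowlist and ...` guard treats an empty list as "no restriction", so non-admin users would be able to issue certificates for arbitrary domains after upgrading without a config change. Until the old key is formally removed, read it as a fallback and log a deprecation warning, e.g. `allowlist = current_app.config.get("LEMUR_ALLOWED_DOMAINS")` / `if allowlist is None:` / `    allowlist = current_app.config.get("LEMUR_WHITELISTED_DOMAINS", [])`. The administration.rst hunk should also state that the setting was renamed and that the old name is no longer honoured, so operators know to update their config. The body of sensitive_domain continues past the end of this hunk.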
@@ -458,7 +458,7 @@ def test_certificate_incative_authority(client, authority, session, logged_in_us
 def test_certificate_disallowed_names(client, authority, session, logged_in_user):
-    """The CN and SAN are disallowed by LEMUR_WHITELISTED_DOMAINS."""
+    """The CN and SAN are disallowed by LEMUR_ALLOWED_DOMAINS."""
     from lemur.certificates.schemas import CertificateInputSchema
     input_data = {
@@ -481,10 +481,10 @@ def test_certificate_disallowed_names(client, authority, session, logged_in_user
     data, errors = CertificateInputSchema().load(input_data)
     assert errors["common_name"][0].startswith(
-        "Domain *.example.com does not match whitelisted domain patterns"
+        "Domain *.example.com does not match allowed domain patterns"
     )
     assert errors["extensions"]["sub_alt_names"]["names"][0].startswith(
-        "Domain evilhacker.org does not match whitelisted domain patterns"
+        "Domain evilhacker.org does not match allowed domain patterns"
     )
@@ -671,7 +671,7 @@ def test_csr_empty_san(client):
 def test_csr_disallowed_cn(client, logged_in_user):
-    """Domain name CN is disallowed via LEMUR_WHITELISTED_DOMAINS."""
+    """Domain name CN is disallowed via LEMUR_ALLOWED_DOMAINS."""
     from lemur.common import validators
     request, pkey = create_csr(
@@ -680,12 +680,12 @@ def test_csr_disallowed_cn(client, logged_in_user):
     with pytest.raises(ValidationError) as err:
         validators.csr(request)
     assert str(err.value).startswith(
-        "Domain evilhacker.org does not match whitelisted domain patterns"
+        "Domain evilhacker.org does not match allowed domain patterns"
     )
 def test_csr_disallowed_san(client, logged_in_user):
-    """SAN name is disallowed by LEMUR_WHITELISTED_DOMAINS."""
+    """SAN name is disallowed by LEMUR_ALLOWED_DOMAINS."""
     from lemur.common import validators
     request, pkey = create_csr(
@@ -701,7 +701,7 @@ def test_csr_disallowed_san(client, logged_in_user):
     with pytest.raises(ValidationError) as err:
         validators.csr(request)
     assert str(err.value).startswith(
-        "Domain evilhacker.org does not match whitelisted domain patterns"
+        "Domain evilhacker.org does not match allowed domain patterns"
     )