Reworked sensitive domain name and restriction logic (#878)

* This is a fix for a potential security issue; the old code had edge cases with unexpected behavior. * LEMUR_RESTRICTED_DOMAINS is no more, instead LEMUR_WHITELISTED_DOMAINS is a list of *allowed* domain name patterns. Per discussion in PR #600 * Domain restrictions are now checked everywhere: in domain name-like CN (common name) values and SAN DNSNames, including raw CSR requests. * Common name values that contain a space are exempt, since they cannot be valid domain names.
2017-08-17 05:24:49 +03:00
parent 466df367e6
commit 7762d6ed52
10 changed files with 197 additions and 27 deletions
--- a/lemur/common/fields.py
+++ b/lemur/common/fields.py
@ -18,6 +18,8 @@ from marshmallow import utils
 from marshmallow.fields import Field
 from marshmallow.exceptions import ValidationError

+from lemur.common import validators
+

 class Hex(Field):
    """
@ -357,6 +359,7 @@ class SubjectAlternativeNameExtension(Field):
        general_names = []
        for name in value:
            if name['nameType'] == 'DNSName':
+                validators.sensitive_domain(name['value'])
                general_names.append(x509.DNSName(name['value']))

            elif name['nameType'] == 'IPAddress':
--- a/lemur/common/validators.py
+++ b/lemur/common/validators.py
@ -1,9 +1,10 @@
 import re

-from flask import current_app
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
+from cryptography.x509 import NameOID
+from flask import current_app
 from marshmallow.exceptions import ValidationError

 from lemur.auth.permissions import SensitiveDomainPermission
@ -41,22 +42,33 @@ def private_key(key):
        raise ValidationError('Private key presented is not valid.')


+def common_name(value):
+    """If the common name could be a domain name, apply domain validation rules."""
+    # Common name could be a domain name, or a human-readable name of the subject (often used in CA names or client
+    # certificates). As a simple heuristic, we assume that human-readable names always include a space.
+    # However, to avoid confusion for humans, we also don't count spaces at the beginning or end of the string.
+    if ' ' not in value.strip():
+        return sensitive_domain(value)
+
+
 def sensitive_domain(domain):
    """
-    Determines if domain has been marked as sensitive.
-    :param domain:
+    Checks if user has the admin role, the domain does not match sensitive domains and whitelisted domain patterns.
+    :param domain: domain name (str)
    :return:
    """
-    restricted_domains = current_app.config.get('LEMUR_RESTRICTED_DOMAINS', [])
-    if restricted_domains:
-        domains = domain_service.get_by_name(domain)
-        for domain in domains:
-            # we only care about non-admins
-            if not SensitiveDomainPermission().can():
-                if domain.sensitive or any([re.match(pattern, domain.name) for pattern in restricted_domains]):
-                    raise ValidationError(
-                        'Domain {0} has been marked as sensitive, contact and administrator \
-                        to issue the certificate.'.format(domain))
+    if SensitiveDomainPermission().can():
+        # User has permission, no need to check anything
+        return
+
+    whitelist = current_app.config.get('LEMUR_WHITELISTED_DOMAINS', [])
+    if whitelist and not any(re.match(pattern, domain) for pattern in whitelist):
+        raise ValidationError('Domain {0} does not match whitelisted domain patterns. '
+                              'Contact an administrator to issue the certificate.'.format(domain))
+
+    if any(d.sensitive for d in domain_service.get_by_name(domain)):
+        raise ValidationError('Domain {0} has been marked as sensitive. '
+                              'Contact an administrator to issue the certificate.'.format(domain))


 def encoding(oid_encoding):
@ -84,15 +96,27 @@ def sub_alt_type(alt_type):

 def csr(data):
    """
-    Determines if the CSR is valid.
+    Determines if the CSR is valid and allowed.
    :param data:
    :return:
    """
    try:
-        x509.load_pem_x509_csr(data.encode('utf-8'), default_backend())
+        request = x509.load_pem_x509_csr(data.encode('utf-8'), default_backend())
    except Exception:
        raise ValidationError('CSR presented is not valid.')

+    # Validate common name and SubjectAltNames
+    for name in request.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
+        common_name(name.value)
+
+    try:
+        alt_names = request.extensions.get_extension_for_class(x509.SubjectAlternativeName)
+
+        for name in alt_names.value.get_values_for_type(x509.DNSName):
+            sensitive_domain(name)
+    except x509.ExtensionNotFound:
+        pass
+

 def dates(data):
    if not data.get('validity_start') and data.get('validity_end'):