adding san filter

lemur/plugins/lemur_vault_dest/plugin.py

@@ -9,6 +9,7 @@
 
 .. moduleauthor:: Christopher Jolley <chris@alwaysjolley.com>
 """
+import re
 import hvac
 from flask import current_app
 
@@ -19,7 +20,6 @@ from lemur.plugins.bases import DestinationPlugin
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 
-
 class VaultDestinationPlugin(DestinationPlugin):
     """Hashicorp Vault Destination plugin for Lemur"""
     title = 'Vault'
@@ -76,6 +76,13 @@ class VaultDestinationPlugin(DestinationPlugin):
             ],
             'required': True,
             'helpMessage': 'Bundle the chain into the certificate'
+        },
+        {
+            'name': 'sanFilter',
+            'type': 'str',
+            'required': False,
+            'validation': '^[0-9a-zA-Z\\\?\[\](){}^$+._-]+$',
+            'helpMessage': 'Valid regex filter'
         }
     ]
 
@@ -98,6 +105,14 @@ class VaultDestinationPlugin(DestinationPlugin):
         path = self.get_option('vaultPath', options)
         bundle = self.get_option('bundleChain', options)
         obj_name = self.get_option('objectName', options)
+        san_filter = self.get_option('sanFilter', options)
+
+        san_list = get_san_list(body)
+        for san in san_list:
+            if not re.match(san_filter, san):
+                current_app.logger.exception(
+                    "Exception uploading secret to vault: invalid SAN in certificate",
+                    exc_info=True)
 
         with open(token_file, 'r') as file:
             token = file.readline().rstrip('\n')
@@ -119,7 +134,6 @@ class VaultDestinationPlugin(DestinationPlugin):
         else:
             secret['data'][cname]['crt'] = body
         secret['data'][cname]['key'] = private_key
-        san_list = get_san_list(body)
         if isinstance(san_list, list):
             secret['data'][cname]['san'] = san_list
         try: