From 9ecc19c481384b0405e92845a01ea4144c1d95f2 Mon Sep 17 00:00:00 2001 From: alwaysjolley Date: Fri, 12 Apr 2019 09:53:06 -0400 Subject: [PATCH] adding san filter --- lemur/plugins/lemur_vault_dest/plugin.py | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/lemur/plugins/lemur_vault_dest/plugin.py b/lemur/plugins/lemur_vault_dest/plugin.py index 91f6a07a..94647c03 100644 --- a/lemur/plugins/lemur_vault_dest/plugin.py +++ b/lemur/plugins/lemur_vault_dest/plugin.py @@ -9,6 +9,7 @@ .. moduleauthor:: Christopher Jolley """ +import re import hvac from flask import current_app @@ -19,7 +20,6 @@ from lemur.plugins.bases import DestinationPlugin from cryptography import x509 from cryptography.hazmat.backends import default_backend - class VaultDestinationPlugin(DestinationPlugin): """Hashicorp Vault Destination plugin for Lemur""" title = 'Vault' @@ -76,6 +76,13 @@ class VaultDestinationPlugin(DestinationPlugin): ], 'required': True, 'helpMessage': 'Bundle the chain into the certificate' + }, + { + 'name': 'sanFilter', + 'type': 'str', + 'required': False, + 'validation': '^[0-9a-zA-Z\\\?\[\](){}^$+._-]+$', + 'helpMessage': 'Valid regex filter' } ] @@ -98,6 +105,14 @@ class VaultDestinationPlugin(DestinationPlugin): path = self.get_option('vaultPath', options) bundle = self.get_option('bundleChain', options) obj_name = self.get_option('objectName', options) + san_filter = self.get_option('sanFilter', options) + + san_list = get_san_list(body) + for san in san_list: + if not re.match(san_filter, san): + current_app.logger.exception( + "Exception uploading secret to vault: invalid SAN in certificate", + exc_info=True) with open(token_file, 'r') as file: token = file.readline().rstrip('\n') @@ -119,7 +134,6 @@ class VaultDestinationPlugin(DestinationPlugin): else: secret['data'][cname]['crt'] = body secret['data'][cname]['key'] = private_key - san_list = get_san_list(body) if isinstance(san_list, list): secret['data'][cname]['san'] = san_list try: