adding san filter

This commit is contained in:
alwaysjolley 2019-04-12 09:53:06 -04:00
parent fa4a5122bc
commit 9ecc19c481
1 changed files with 16 additions and 2 deletions


@ -9,6 +9,7 @@
.. moduleauthor:: Christopher Jolley <chris@alwaysjolley.com> .. moduleauthor:: Christopher Jolley <chris@alwaysjolley.com>
""" """
import re
import hvac import hvac
from flask import current_app from flask import current_app
@ -19,7 +20,6 @@ from lemur.plugins.bases import DestinationPlugin
from cryptography import x509 from cryptography import x509
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
class VaultDestinationPlugin(DestinationPlugin): class VaultDestinationPlugin(DestinationPlugin):
"""Hashicorp Vault Destination plugin for Lemur""" """Hashicorp Vault Destination plugin for Lemur"""
title = 'Vault' title = 'Vault'
@ -76,6 +76,13 @@ class VaultDestinationPlugin(DestinationPlugin):
], ],
'required': True, 'required': True,
'helpMessage': 'Bundle the chain into the certificate' 'helpMessage': 'Bundle the chain into the certificate'
},
{
'name': 'sanFilter',
'type': 'str',
'required': False,
'validation': '^[0-9a-zA-Z\\\?\[\](){}^$+._-]+$',
'helpMessage': 'Valid regex filter'
} }
] ]
@ -98,6 +105,14 @@ class VaultDestinationPlugin(DestinationPlugin):
path = self.get_option('vaultPath', options) path = self.get_option('vaultPath', options)
bundle = self.get_option('bundleChain', options) bundle = self.get_option('bundleChain', options)
obj_name = self.get_option('objectName', options) obj_name = self.get_option('objectName', options)
san_filter = self.get_option('sanFilter', options)
san_list = get_san_list(body)
for san in san_list:
if not re.match(san_filter, san):
current_app.logger.exception(
"Exception uploading secret to vault: invalid SAN in certificate",
exc_info=True)
with open(token_file, 'r') as file: with open(token_file, 'r') as file:
token = file.readline().rstrip('\n') token = file.readline().rstrip('\n')
@ -119,7 +134,6 @@ class VaultDestinationPlugin(DestinationPlugin):
else: else:
secret['data'][cname]['crt'] = body secret['data'][cname]['crt'] = body
secret['data'][cname]['key'] = private_key secret['data'][cname]['key'] = private_key
san_list = get_san_list(body)
if isinstance(san_list, list): if isinstance(san_list, list):
secret['data'][cname]['san'] = san_list secret['data'][cname]['san'] = san_list
try: try:
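Review bot: The new loop in the `@ -98,6 +105,14 @@` hunk never rejects anything: when a SAN fails `re.match(san_filter, san)` the code only logs and then falls through to the token read and the Vault write, so a certificate with a non-matching SAN is still uploaded, and the `current_app.logger.exception(..., exc_info=True)` call sits outside any `except`, so that log line carries no traceback. Since `sanFilter` is declared `'required': False` in the option list, `san_filter` can also be `None`, in which case `re.match` raises `TypeError` on the first SAN, and `re.match` only anchors at the start of the string, so a filter that does not end in `$` still accepts any trailing suffix—`re.fullmatch` is the safer check. I would skip the check when no filter is configured, require the whole SAN to match, and stop the upload on a mismatch (raising whatever error type the surrounding upload method already uses; that method starts outside this hunk), as sketched below, and guard the loop with the same `isinstance(san_list, list)` test the last hunk applies, which suggests `get_san_list` may return something other than a list. Separately, `\?`, `\[` and `\]` in the `'validation'` string of the `@ -76,6 +76,13 @@` hunk are invalid escapes in a non-raw Python string and will trigger a DeprecationWarning—prefix the literal with `r` or double those backslashes.
```python
san_filter = self.get_option('sanFilter', options)
san_list = get_san_list(body)
if san_filter and isinstance(san_list, list):
    for san in san_list:
        if not re.fullmatch(san_filter, san):
            current_app.logger.error(
                "Refusing to upload secret to vault: SAN %s does not match sanFilter", san)
            # TODO(review): raise the error type the upload path already expects
            raise ValueError("invalid SAN in certificate")
# … unchanged: token file read and Vault write …
```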