IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

cert-request: generalise _san_dnsname_ips for arbitrary cname depth

Browse Source 
Generalise _san_dnsname_ips to allow arbitrary cname depths.  This
also clarifies the code and avoids boolean blindness.  Update the
call site to maintain the existing behvaiour (one cname allowed).

Part of: https://pagure.io/freeipa/issue/7451

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Fraser Tweedale 2018-04-23 16:09:22 +10:00 committed by Florence Blanc-Renaud
parent eb70e64c0b
commit 9c750f0738
1 changed files with 10 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
ipaserver/plugins/cert.py
View File

@ -1117,7 +1117,7 @@ def _validate_san_ips(san_ipaddrs, san_dnsnames):
""" """
san_dns_ips = set() san_dns_ips = set()
for name in san_dnsnames: for name in san_dnsnames:
san_dns_ips.update(_san_dnsname_ips(name)) san_dns_ips.update(_san_dnsname_ips(name, cname_depth=1))
for ip in san_ipaddrs: for ip in san_ipaddrs:
if unicode(ip) not in san_dns_ips: if unicode(ip) not in san_dns_ips:
raise errors.ValidationError( raise errors.ValidationError(
@ -1129,7 +1129,7 @@ def _validate_san_ips(san_ipaddrs, san_dnsnames):
) )
def _san_dnsname_ips(dnsname, dnsname_is_cname=False): def _san_dnsname_ips(dnsname, cname_depth):
""" """
Resolve a DNS name to its IP address(es). Resolve a DNS name to its IP address(es).
@ -1139,8 +1139,7 @@ def _san_dnsname_ips(dnsname, dnsname_is_cname=False):
that correspond to the DNS name (from the subjectAltName). that correspond to the DNS name (from the subjectAltName).
:param dnsname: The DNS name (text) for which to resolve the IP addresses :param dnsname: The DNS name (text) for which to resolve the IP addresses
:param dnsname_is_cname: True when (recursively) resolving a CNAME (CNAME :param cname_depth: How many cnames are we allowed to follow?
chains are not followed)
:return: The set of IP addresses resolved from the DNS name :return: The set of IP addresses resolved from the DNS name
@ -1158,15 +1157,13 @@ def _san_dnsname_ips(dnsname, dnsname_is_cname=False):
result.get('aaaarecord', ())): result.get('aaaarecord', ())):
if _ip_rdns_ok(ip, fqdn): if _ip_rdns_ok(ip, fqdn):
ips.add(ip) ips.add(ip)
cnames = result.get('cnamerecord', ())
if cnames: if cname_depth > 0:
if dnsname_is_cname: for cname in result.get('cnamerecord', []):
logger.debug("Skipping IPs for %s: chained CNAME", dnsname)
else:
for cname in cnames:
if not cname.endswith('.'): if not cname.endswith('.'):
cname = u'%s.%s' % (cname, zone) cname = u'%s.%s' % (cname, zone)
ips.update(_san_dnsname_ips(cname, True)) ips.update(_san_dnsname_ips(cname, cname_depth=cname_depth - 1))
return ips return ips