From 671ea1250d3edbce85c95b2a5dcee6aec81c5703 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Mon, 15 Apr 2019 11:09:34 -0600 Subject: [PATCH] v0.4.0 require separate string for private issuers --- keyfetch/fetch.go | 34 +++++++++++++++++++++++++++++----- keyfetch/issuer_test.go | 14 +++++++++++--- 2 files changed, 40 insertions(+), 8 deletions(-) diff --git a/keyfetch/fetch.go b/keyfetch/fetch.go index 8ee94a8..b350e6c 100644 --- a/keyfetch/fetch.go +++ b/keyfetch/fetch.go @@ -384,15 +384,34 @@ type Whitelist []*url.URL // NewWhitelist turns an array of URLs (such as https://example.com/) into // a parsed array of *url.URLs that can be used by the IsTrustedIssuer function -func NewWhitelist(issuers []string, assumePrivate ...bool) (Whitelist, error) { +func NewWhitelist(issuers []string, privateList ...[]string) (Whitelist, error) { + var err error + list := []*url.URL{} - insecure := false - if 0 != len(assumePrivate) && assumePrivate[0] { - insecure = true + if 0 != len(issuers) { + insecure := false + list, err = newWhitelist(list, issuers, insecure) + if nil != err { + return nil, err + } + } + if 0 != len(privateList) && 0 != len(privateList[0]) { + insecure := true + list, err = newWhitelist(list, privateList[0], insecure) + if nil != err { + return nil, err + } } + return Whitelist(list), nil +} + +func newWhitelist(list []*url.URL, issuers []string, insecure bool) (Whitelist, error) { for i := range issuers { iss := issuers[i] + + // Should have a valid http or https prefix + // TODO support custom prefixes (i.e. app://) ? if strings.HasPrefix(iss, "http://") { if !insecure { log.Println("Oops! You have an insecure domain in your whitelist: ", iss) @@ -404,19 +423,24 @@ func NewWhitelist(issuers []string, assumePrivate ...bool) (Whitelist, error) { } else if !strings.HasPrefix(iss, "https://") { iss = "https://" + iss } + // trailing slash as a boundary character, which may or may not denote a directory iss = strings.TrimRight(iss, "/") + "/" u, err := url.Parse(iss) if nil != err { return nil, err } + + // Strip any * prefix, for easier comparison later + // *.example.com => .example.com if strings.HasPrefix(u.Host, "*.") { u.Host = u.Host[1:] } + list = append(list, u) } - return Whitelist(list), nil + return list, nil } /* diff --git a/keyfetch/issuer_test.go b/keyfetch/issuer_test.go index 5bdd144..d201919 100644 --- a/keyfetch/issuer_test.go +++ b/keyfetch/issuer_test.go @@ -22,18 +22,26 @@ func TestInvalidIssuer(t *testing.T) { func TestIssuerMatches(t *testing.T) { trusted := []string{ "https://example.com/", - "http://happy.xyz/abc", "foobar.net/def/", "https://*.wild.org", "https://*.west.mali/verde", } + privates := []string{ + "http://happy.xyz/abc", + } - _, err := NewWhitelist(trusted) + _, err := NewWhitelist(append(trusted, privates...)) if nil == err { t.Fatal(errors.New("An insecure domain got through!")) } - list, err := NewWhitelist(trusted, true) + // Empty list is allowed... I guess? + list, err := NewWhitelist(nil) + if nil != err { + t.Fatal(err) + } + // Combo list + list, err = NewWhitelist(trusted, privates) if nil != err { t.Fatal(err) }