root
/
keypairs
mirror of https://github.com/therootcompany/keypairs
2
0
Fork 0
Code Issues Releases Wiki Activity

v0.4.0 require separate string for private issuers

This commit is contained in:
AJ ONeal 2019-04-15 11:09:34 -06:00
parent 1205ea05e1
commit 671ea1250d
2 changed files with 40 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
keyfetch/fetch.go
View File

@ -384,15 +384,34 @@ type Whitelist []*url.URL
// NewWhitelist turns an array of URLs (such as https://example.com/) into // NewWhitelist turns an array of URLs (such as https://example.com/) into
// a parsed array of *url.URLs that can be used by the IsTrustedIssuer function // a parsed array of *url.URLs that can be used by the IsTrustedIssuer function
func NewWhitelist(issuers []string, assumePrivate ...bool) (Whitelist, error) { func NewWhitelist(issuers []string, privateList ...[]string) (Whitelist, error) {
var err error
list := []*url.URL{} list := []*url.URL{}
if 0 != len(issuers) {
insecure := false insecure := false
if 0 != len(assumePrivate) && assumePrivate[0] { list, err = newWhitelist(list, issuers, insecure)
insecure = true if nil != err {
return nil, err
}
}
if 0 != len(privateList) && 0 != len(privateList[0]) {
insecure := true
list, err = newWhitelist(list, privateList[0], insecure)
if nil != err {
return nil, err
}
} }
return Whitelist(list), nil
}
func newWhitelist(list []*url.URL, issuers []string, insecure bool) (Whitelist, error) {
for i := range issuers { for i := range issuers {
iss := issuers[i] iss := issuers[i]
// Should have a valid http or https prefix
// TODO support custom prefixes (i.e. app://) ?
if strings.HasPrefix(iss, "http://") { if strings.HasPrefix(iss, "http://") {
if !insecure { if !insecure {
log.Println("Oops! You have an insecure domain in your whitelist: ", iss) log.Println("Oops! You have an insecure domain in your whitelist: ", iss)
@ -404,19 +423,24 @@ func NewWhitelist(issuers []string, assumePrivate ...bool) (Whitelist, error) {
} else if !strings.HasPrefix(iss, "https://") { } else if !strings.HasPrefix(iss, "https://") {
iss = "https://" + iss iss = "https://" + iss
} }
// trailing slash as a boundary character, which may or may not denote a directory // trailing slash as a boundary character, which may or may not denote a directory
iss = strings.TrimRight(iss, "/") + "/" iss = strings.TrimRight(iss, "/") + "/"
u, err := url.Parse(iss) u, err := url.Parse(iss)
if nil != err { if nil != err {
return nil, err return nil, err
} }
// Strip any * prefix, for easier comparison later
// *.example.com => .example.com
if strings.HasPrefix(u.Host, "*.") { if strings.HasPrefix(u.Host, "*.") {
u.Host = u.Host[1:] u.Host = u.Host[1:]
} }
list = append(list, u) list = append(list, u)
} }
return Whitelist(list), nil return list, nil
} }
/* /*

14
keyfetch/issuer_test.go
View File

@ -22,18 +22,26 @@ func TestInvalidIssuer(t *testing.T) {
func TestIssuerMatches(t *testing.T) { func TestIssuerMatches(t *testing.T) {
trusted := []string{ trusted := []string{
"https://example.com/", "https://example.com/",
"http://happy.xyz/abc",
"foobar.net/def/", "foobar.net/def/",
"https://*.wild.org", "https://*.wild.org",
"https://*.west.mali/verde", "https://*.west.mali/verde",
} }
privates := []string{
"http://happy.xyz/abc",
}
_, err := NewWhitelist(trusted) _, err := NewWhitelist(append(trusted, privates...))
if nil == err { if nil == err {
t.Fatal(errors.New("An insecure domain got through!")) t.Fatal(errors.New("An insecure domain got through!"))
} }
list, err := NewWhitelist(trusted, true) // Empty list is allowed... I guess?
list, err := NewWhitelist(nil)
if nil != err {
t.Fatal(err)
}
// Combo list
list, err = NewWhitelist(trusted, privates)
if nil != err { if nil != err {
t.Fatal(err) t.Fatal(err)
} }