smallstep-certificates/authority/internal/constraints/constraints.go

package constraints

import (
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/url"

	"github.com/smallstep/certificates/errs"
)

// ConstraintError is the typed error that will be returned if a constraint
// error is found.
type ConstraintError struct {
	Type   string
	Name   string
	Detail string
}

// Error implements the error interface.
func (e ConstraintError) Error() string {
	return e.Detail
}

// As implements the As(any) bool interface and allows to use "errors.As()" to
// convert the ConstraintError to an errs.Error.
func (e ConstraintError) As(v any) bool {
	if err, ok := v.(**errs.Error); ok {
		*err = &errs.Error{
			Status: http.StatusForbidden,
			Msg:    e.Detail,
			Err:    e,
		}
		return true
	}
	return false
}

// Engine implements a constraint validator for DNS names, IP addresses, Email
// addresses and URIs.
type Engine struct {
	hasNameConstraints      bool
	permittedDNSDomains     []string
	excludedDNSDomains      []string
	permittedIPRanges       []*net.IPNet
	excludedIPRanges        []*net.IPNet
	permittedEmailAddresses []string
	excludedEmailAddresses  []string
	permittedURIDomains     []string
	excludedURIDomains      []string
}

// New creates a constraint validation engine that contains the given chain of
// certificates.
func New(chain ...*x509.Certificate) *Engine {
	e := new(Engine)
	for _, crt := range chain {
		e.permittedDNSDomains = append(e.permittedDNSDomains, crt.PermittedDNSDomains...)
		e.excludedDNSDomains = append(e.excludedDNSDomains, crt.ExcludedDNSDomains...)
		e.permittedIPRanges = append(e.permittedIPRanges, crt.PermittedIPRanges...)
		e.excludedIPRanges = append(e.excludedIPRanges, crt.ExcludedIPRanges...)
		e.permittedEmailAddresses = append(e.permittedEmailAddresses, crt.PermittedEmailAddresses...)
		e.excludedEmailAddresses = append(e.excludedEmailAddresses, crt.ExcludedEmailAddresses...)
		e.permittedURIDomains = append(e.permittedURIDomains, crt.PermittedURIDomains...)
		e.excludedURIDomains = append(e.excludedURIDomains, crt.ExcludedURIDomains...)
	}

	e.hasNameConstraints = len(e.permittedDNSDomains) > 0 || len(e.excludedDNSDomains) > 0 ||
		len(e.permittedIPRanges) > 0 || len(e.excludedIPRanges) > 0 ||
		len(e.permittedEmailAddresses) > 0 || len(e.excludedEmailAddresses) > 0 ||
		len(e.permittedURIDomains) > 0 || len(e.excludedURIDomains) > 0

	return e
}

// Validate checks the given names with the name constraints defined in the
// service.
func (e *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error {
	if e == nil || !e.hasNameConstraints {
		return nil
	}

	for _, name := range dnsNames {
		if err := checkNameConstraints("DNS name", name, name, e.permittedDNSDomains, e.excludedDNSDomains,
			func(parsedName, constraint any) (bool, error) {
				return matchDomainConstraint(parsedName.(string), constraint.(string))
			},
		); err != nil {
			return err
		}
	}

	for _, ip := range ipAddresses {
		if err := checkNameConstraints("IP address", ip.String(), ip, e.permittedIPRanges, e.excludedIPRanges,
			func(parsedName, constraint any) (bool, error) {
				return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))
			},
		); err != nil {
			return err
		}
	}

	for _, email := range emailAddresses {
		mailbox, ok := parseRFC2821Mailbox(email)
		if !ok {
			return fmt.Errorf("cannot parse rfc822Name %q", email)
		}
		if err := checkNameConstraints("Email address", email, mailbox, e.permittedEmailAddresses, e.excludedEmailAddresses,
			func(parsedName, constraint any) (bool, error) {
				return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))
			},
		); err != nil {
			return err
		}
	}

	for _, uri := range uris {
		if err := checkNameConstraints("URI", uri.String(), uri, e.permittedURIDomains, e.excludedURIDomains,
			func(parsedName, constraint any) (bool, error) {
				return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
			},
		); err != nil {
			return err
		}
	}

	return nil
}

// ValidateCertificate validates the DNS names, IP addresses, Email addresses
// and URIs present in the given certificate.
func (e *Engine) ValidateCertificate(cert *x509.Certificate) error {
	return e.Validate(cert.DNSNames, cert.IPAddresses, cert.EmailAddresses, cert.URIs)
}
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`package constraints`

			`import (`
			`"crypto/x509"`
			`"fmt"`
			`"net"`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`"net/http"`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`"net/url"`
Render proper policy and constrains errors 2022-09-22 01:35:18 +00:00
			`"github.com/smallstep/certificates/errs"`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`)`

Add more constraint unit tests 2022-09-20 18:33:36 +00:00			`// ConstraintError is the typed error that will be returned if a constraint`
			`// error is found.`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`type ConstraintError struct {`
Return a typed error 2022-09-20 17:36:44 +00:00			`Type string`
			`Name string`
			`Detail string`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`}`

Add more constraint unit tests 2022-09-20 18:33:36 +00:00			`// Error implements the error interface.`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`func (e ConstraintError) Error() string {`
Return a typed error 2022-09-20 17:36:44 +00:00			`return e.Detail`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`}`

Render proper policy and constrains errors 2022-09-22 01:35:18 +00:00			`// As implements the As(any) bool interface and allows to use "errors.As()" to`
			`// convert the ConstraintError to an errs.Error.`
			`func (e ConstraintError) As(v any) bool {`
			`if err, ok := v.(**errs.Error); ok {`
			`*err = &errs.Error{`
			`Status: http.StatusForbidden,`
			`Msg: e.Detail,`
			`Err: e,`
			`}`
			`return true`
			`}`
			`return false`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`}`

Rename constraint.Service to constraint.Engine 2022-09-20 18:38:32 +00:00			`// Engine implements a constraint validator for DNS names, IP addresses, Email`
Make the constraint service public 2022-09-20 18:36:45 +00:00			`// addresses and URIs.`
Rename constraint.Service to constraint.Engine 2022-09-20 18:38:32 +00:00			`type Engine struct {`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`hasNameConstraints bool`
			`permittedDNSDomains []string`
			`excludedDNSDomains []string`
			`permittedIPRanges []*net.IPNet`
			`excludedIPRanges []*net.IPNet`
			`permittedEmailAddresses []string`
			`excludedEmailAddresses []string`
			`permittedURIDomains []string`
			`excludedURIDomains []string`
			`}`

Rename constraint.Service to constraint.Engine 2022-09-20 18:38:32 +00:00			`// New creates a constraint validation engine that contains the given chain of`
Add more constraint unit tests 2022-09-20 18:33:36 +00:00			`// certificates.`
Rename constraint.Service to constraint.Engine 2022-09-20 18:38:32 +00:00			`func New(chain ...x509.Certificate) Engine {`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`e := new(Engine)`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`for _, crt := range chain {`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`e.permittedDNSDomains = append(e.permittedDNSDomains, crt.PermittedDNSDomains...)`
			`e.excludedDNSDomains = append(e.excludedDNSDomains, crt.ExcludedDNSDomains...)`
			`e.permittedIPRanges = append(e.permittedIPRanges, crt.PermittedIPRanges...)`
			`e.excludedIPRanges = append(e.excludedIPRanges, crt.ExcludedIPRanges...)`
			`e.permittedEmailAddresses = append(e.permittedEmailAddresses, crt.PermittedEmailAddresses...)`
			`e.excludedEmailAddresses = append(e.excludedEmailAddresses, crt.ExcludedEmailAddresses...)`
			`e.permittedURIDomains = append(e.permittedURIDomains, crt.PermittedURIDomains...)`
			`e.excludedURIDomains = append(e.excludedURIDomains, crt.ExcludedURIDomains...)`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`}`
Change way to get hasNameConstraints 2022-09-22 18:35:11 +00:00
			`e.hasNameConstraints = len(e.permittedDNSDomains) > 0 \|\| len(e.excludedDNSDomains) > 0 \|\|`
			`len(e.permittedIPRanges) > 0 \|\| len(e.excludedIPRanges) > 0 \|\|`
			`len(e.permittedEmailAddresses) > 0 \|\| len(e.excludedEmailAddresses) > 0 \|\|`
			`len(e.permittedURIDomains) > 0 \|\| len(e.excludedURIDomains) > 0`

Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`return e`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`}`

Add more constraint unit tests 2022-09-20 18:33:36 +00:00			`// Validate checks the given names with the name constraints defined in the`
			`// service.`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`func (e Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []url.URL) error {`
			`if e == nil \|\| !e.hasNameConstraints {`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`return nil`
			`}`

			`for _, name := range dnsNames {`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`if err := checkNameConstraints("DNS name", name, name, e.permittedDNSDomains, e.excludedDNSDomains,`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`func(parsedName, constraint any) (bool, error) {`
			`return matchDomainConstraint(parsedName.(string), constraint.(string))`
			`},`
			`); err != nil {`
			`return err`
			`}`
			`}`

			`for _, ip := range ipAddresses {`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`if err := checkNameConstraints("IP address", ip.String(), ip, e.permittedIPRanges, e.excludedIPRanges,`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`func(parsedName, constraint any) (bool, error) {`
			`return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))`
Return a typed error 2022-09-20 17:36:44 +00:00			`},`
			`); err != nil {`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`return err`
			`}`
			`}`

			`for _, email := range emailAddresses {`
			`mailbox, ok := parseRFC2821Mailbox(email)`
			`if !ok {`
			`return fmt.Errorf("cannot parse rfc822Name %q", email)`
			`}`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`if err := checkNameConstraints("Email address", email, mailbox, e.permittedEmailAddresses, e.excludedEmailAddresses,`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`func(parsedName, constraint any) (bool, error) {`
			`return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))`
			`},`
			`); err != nil {`
			`return err`
			`}`
			`}`

			`for _, uri := range uris {`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`if err := checkNameConstraints("URI", uri.String(), uri, e.permittedURIDomains, e.excludedURIDomains,`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`func(parsedName, constraint any) (bool, error) {`
			`return matchURIConstraint(parsedName.(*url.URL), constraint.(string))`
Return a typed error 2022-09-20 17:36:44 +00:00			`},`
			`); err != nil {`
Initial work on name constraints validation Issue #1060 2022-09-20 02:45:13 +00:00			`return err`
			`}`
			`}`

			`return nil`
			`}`
Add helper ValidateCertificate 2022-09-20 20:12:34 +00:00
Fix comment typos and extra white spaces 2022-09-23 17:50:44 +00:00			`// ValidateCertificate validates the DNS names, IP addresses, Email addresses`
			`// and URIs present in the given certificate.`
Add StatusCoder to ConstraintError 2022-09-20 21:45:47 +00:00			`func (e Engine) ValidateCertificate(cert x509.Certificate) error {`
			`return e.Validate(cert.DNSNames, cert.IPAddresses, cert.EmailAddresses, cert.URIs)`
Add helper ValidateCertificate 2022-09-20 20:12:34 +00:00			`}`