github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 18:19:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix logging; fix patch file

Browse Source
This commit is contained in:
Arjan H
2019-07-13 08:33:48 +02:00
parent 5a546115bf
commit 1efae0ee33
2 changed files with 73 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
install
View File

@@ -147,8 +147,8 @@ clone_repo() {
if [ "$branch" != "" ]; then
cd "$dir"
sudo -u labca git checkout $branch
cd -
sudo -u labca git checkout $branch &>>$installLog
cd - >/dev/null
fi
}
@@ -166,8 +166,8 @@ pull_repo() {
if [ "$branch" != "" ]; then
cd "$dir"
sudo -u labca git checkout $branch
cd -
sudo -u labca git checkout $branch &>>$installLog
cd - >/dev/null
fi
}

138
policy_pa.patch
View File

@@ -1,89 +1,89 @@
diff --git a/policy/pa.go b/policy/pa.go
index 3d097365..ce3c32e3 100644
index 3d097365..53cf6020 100644
--- a/policy/pa.go
+++ b/policy/pa.go
@@ -30,6 +30,8 @@ type AuthorityImpl struct {
blocklist map[string]bool
exactBlocklist map[string]bool
wildcardExactBlocklist map[string]bool
+ whitelist map[string]bool
+ lockdown map[string]bool
blocklistMu sync.RWMutex
enabledChallenges map[string]bool
blocklist map[string]bool
exactBlocklist map[string]bool
wildcardExactBlocklist map[string]bool
+ whitelist map[string]bool
+ lockdown map[string]bool
blocklistMu sync.RWMutex
enabledChallenges map[string]bool
@@ -70,6 +72,9 @@ type blockedNamesPolicy struct {
// time above and beyond the high-risk domains. Managing these entries separately
// from HighRiskBlockedNames makes it easier to vet changes accurately.
AdminBlockedNames []string `yaml:"AdminBlockedNames"`
// time above and beyond the high-risk domains. Managing these entries separately
// from HighRiskBlockedNames makes it easier to vet changes accurately.
AdminBlockedNames []string `yaml:"AdminBlockedNames"`
+
+ Whitelist []string `yaml:"Whitelist"`
+ Lockdown []string `yaml:"Lockdown"`
+ Whitelist []string `yaml:"Whitelist"`
+ Lockdown []string `yaml:"Lockdown"`
}
// SetHostnamePolicyFile will load the given policy file, returning error if it
@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
// wildcardNameMap to block issuance for `*.`+parts[1]
wildcardNameMap[parts[1]] = true
}
+ whiteMap := make(map[string]bool)
+ for _, v := range policy.Whitelist {
+ whiteMap[v] = true
+ }
+ lockMap := make(map[string]bool)
+ for _, v := range policy.Lockdown {
+ lockMap[v] = true
+ }
pa.blocklistMu.Lock()
pa.blocklist = nameMap
pa.exactBlocklist = exactNameMap
pa.wildcardExactBlocklist = wildcardNameMap
+ pa.whitelist = whiteMap
+ pa.lockdown = lockMap
pa.blocklistMu.Unlock()
return nil
// wildcardNameMap to block issuance for `*.`+parts[1]
wildcardNameMap[parts[1]] = true
}
+ whiteMap := make(map[string]bool)
+ for _, v := range policy.Whitelist {
+ whiteMap[v] = true
+ }
+ lockMap := make(map[string]bool)
+ for _, v := range policy.Lockdown {
+ lockMap[v] = true
+ }
pa.blocklistMu.Lock()
pa.blocklist = nameMap
pa.exactBlocklist = exactNameMap
pa.wildcardExactBlocklist = wildcardNameMap
+ pa.whitelist = whiteMap
+ pa.lockdown = lockMap
pa.blocklistMu.Unlock()
return nil
}
@@ -287,6 +302,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
}
}
+ ok, err := pa.checkWhitelist(domain)
+ if err != nil {
+ return err
+ }
+ if ok {
+ return nil
+ }
}
}
+ ok, err := pa.checkWhitelist(domain)
+ if err != nil {
+ return err
+ }
+ if ok {
+ return nil
+ }
+
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(domain)
if err != nil {
// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
icannTLD, err := iana.ExtractSuffix(domain)
if err != nil {
@@ -304,6 +327,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
return nil
return nil
}
+func (pa *AuthorityImpl) checkWhitelist(domain string) (bool,error) {
+ pa.blocklistMu.RLock()
+ defer pa.blocklistMu.RUnlock()
+func (pa *AuthorityImpl) checkWhitelist(domain string) (bool, error) {
+ pa.blocklistMu.RLock()
+ defer pa.blocklistMu.RUnlock()
+
+ if (pa.whitelist == nil) || (pa.lockdown == nil) {
+ return false, fmt.Errorf("Hostname policy not yet loaded.")
+ }
+ if (pa.whitelist == nil) || (pa.lockdown == nil) {
+ return false, fmt.Errorf("Hostname policy not yet loaded.")
+ }
+
+ labels := strings.Split(domain, ".")
+ for i := range labels {
+ joined := strings.Join(labels[i:], ".")
+ if pa.whitelist[joined] || pa.lockdown[joined] {
+ return true, nil
+ }
+ }
+ labels := strings.Split(domain, ".")
+ for i := range labels {
+ joined := strings.Join(labels[i:], ".")
+ if pa.whitelist[joined] || pa.lockdown[joined] {
+ return true, nil
+ }
+ }
+
+ if len(pa.lockdown) > 0 {
+ // In Lockdown mode, the domain MUST be in the list, so return an error if not found
+ return false, errPolicyForbidden
+ } else {
+ // In Whitelist mode, if the domain is not in the list, continue with the other checks
+ return false, nil
+ }
+ if len(pa.lockdown) > 0 {
+ // In Lockdown mode, the domain MUST be in the list, so return an error if not found
+ return false, errPolicyForbidden
+ } else {
+ // In Whitelist mode, if the domain is not in the list, continue with the other checks
+ return false, nil
+ }
+}
+
// WillingToIssueWildcards is an extension of WillingToIssue that accepts DNS