Merge pull request #21 from ibuildthecloud/master

Add ability to confirm adding new CNs
2025-07-02 09:31:47 +00:00 · 2020-04-02 22:10:05 -07:00 · 2020-04-02 22:10:05 -07:00 · 4436fc6b48
commit 4436fc6b48
parent 763229ddcd 4bac3f291f
2 changed files with 30 additions and 2 deletions
--- a/factory/gen.go
+++ b/factory/gen.go
@ -10,10 +10,12 @@ import (
 	"encoding/hex"
 	"encoding/pem"
 	"net"
+	"regexp"
 	"sort"
 	"strings"

 	"github.com/rancher/dynamiclistener/cert"
+	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
 )

@ -23,11 +25,16 @@ const (
 	hashKey  = "listener.cattle.io/hash"
 )

+var (
+	cnRegexp = regexp.MustCompile("^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$")
+)
+
 type TLS struct {
 	CACert       *x509.Certificate
 	CAKey        crypto.Signer
 	CN           string
 	Organization []string
+	FilterCN     func(...string) []string
 }

 func cns(secret *v1.Secret) (cns []string) {
@ -76,11 +83,20 @@ func (t *TLS) Refresh(secret *v1.Secret) (*v1.Secret, error) {
 	return secret, err
 }

+func (t *TLS) Filter(cn ...string) []string {
+	if t.FilterCN == nil {
+		return cn
+	}
+	return t.FilterCN(cn...)
+}
+
 func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
 	var (
 		err error
 	)

+	cn = t.Filter(cn...)
+
 	if !NeedsUpdate(0, secret, cn...) {
 		return secret, false, nil
 	}
@ -132,7 +148,11 @@ func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
 		secret.Annotations = map[string]string{}
 	}
 	for _, cn := range cn {
-		secret.Annotations[cnPrefix+cn] = cn
+		if cnRegexp.MatchString(cn) {
+			secret.Annotations[cnPrefix+cn] = cn
+		} else {
+			logrus.Errorf("dropping invalid CN: %s", cn)
+		}
 	}
 	return secret
 }
--- a/listener.go
+++ b/listener.go
@ -25,6 +25,7 @@ type TLSFactory interface {
 	Refresh(secret *v1.Secret) (*v1.Secret, error)
 	AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error)
 	Merge(target *v1.Secret, additional *v1.Secret) (*v1.Secret, bool, error)
+	Filter(cn ...string) []string
 }

 type SetFactory interface {
@ -48,6 +49,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 			CAKey:        caKey,
 			CN:           config.CN,
 			Organization: config.Organization,
+			FilterCN:     config.FilterCN,
 		},
 		Listener:  l,
 		storage:   &nonNil{storage: storage},
@ -97,6 +99,7 @@ type Config struct {
 	MaxSANs               int
 	ExpirationDaysCheck   int
 	CloseConnOnCertChange bool
+	FilterCN              func(...string) []string
 }

 type listener struct {
@ -205,7 +208,7 @@ func (l *listener) Accept() (net.Conn, error) {

 	if !strings.Contains(host, ":") {
 		if err := l.updateCert(host); err != nil {
-			logrus.Infof("failed to create TLS cert for: %s", host)
+			logrus.Infof("failed to create TLS cert for: %s, %v", host, err)
 		}
 	}

@ -259,6 +262,11 @@ func (l *listener) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 }

 func (l *listener) updateCert(cn ...string) error {
+	cn = l.factory.Filter(cn...)
+	if len(cn) == 0 {
+		return nil
+	}
+
 	l.RLock()
 	defer l.RUnlock()