
Commit 2a316a7

authored
Merge pull request #116 from Venafi/disable_subject
Adding ability to disable subject fields for VaaS
2 parents 0620870 + 3457aa3 commit 2a316a7

4 files changed

Lines changed: 157 additions & 49 deletions


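--- a/tests/resources/policy_specification.json
+++ b/tests/resources/policy_specification.json
@@ -2,7 +2,9 @@
 "policy": {
 "domains": [
 "venafi.com",
-"kwan.com"
+"vfidev.com",
+"vfidev.net",
+"venafi.example"
 ],
 "wildcardAllowed": true,
 "maxValidDays": 120,
@@ -25,23 +27,35 @@
 },
 "keyPair": {
 "keyTypes": [
-"RSA"
+"RSA",
+"EC"
 ],
 "rsaKeySizes": [
-2048
+2048,
+4096
 ],
 "ellipticCurves": [
+"P521",
 "P384"
 ],
-"serviceGenerated": false,
+"serviceGenerated": true,
 "reuseAllowed": false
 },
 "subjectAltNames": {
-"dnsAllowed": false,
-"ipAllowed": false,
-"emailAllowed": false,
-"uriAllowed": false,
-"upnAllowed": false
+"dnsAllowed": true,
+"ipAllowed": true,
+"emailAllowed": true,
+"uriAllowed": true,
+"upnAllowed": false,
+"ipConstraints": [
+"v4",
+"v6"
+],
+"uriProtocols": [
+"https",
+"ldaps",
+"spiffe"
+]
 }
 },
 "defaults": {
@@ -59,7 +73,7 @@
 "keyType": "RSA",
 "rsaKeySize": 2048,
 "ellipticCurve": "",
-"serviceGenerated": false
+"serviceGenerated": true
 }
 }
 }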

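--- a/tests/resources/policy_specification.yaml
+++ b/tests/resources/policy_specification.yaml
@@ -2,8 +2,9 @@
 policy:
 domains:
 - venafi.com
-- kwan.com
-- yaml.com
+- vfidev.com
+- vfidev.net
+- venafi.example
 wildcardAllowed: true
 maxValidDays: 120
 subject:
@@ -16,22 +17,32 @@ policy:
 states:
 - Yucatan
 countries:
-- US
+- MX
 keyPair:
 keyTypes:
 - RSA
+- EC
 rsaKeySizes:
 - 2048
+- 4096
 ellipticCurves:
+- P521
 - P384
-serviceGenerated: false
+serviceGenerated: true
 reuseAllowed: false
 subjectAltNames:
-dnsAllowed: false
-ipAllowed: false
-emailAllowed: false
-uriAllowed: false
+dnsAllowed: true
+ipAllowed: true
+emailAllowed: true
+uriAllowed: true
 upnAllowed: false
+ipConstraints:
+- v4
+- v6
+uriProtocols:
+- https
+- ldaps
+- spiffe
 defaults:
 domain: venafi.com
 subject:
@@ -40,9 +51,9 @@ defaults:
 - DevOps
 locality: Merida
 state: Yucatan
-country: Mexico
+country: MX
 keyPair:
 keyType: RSA
 rsaKeySize: 2048
 ellipticCurve: ''
-serviceGenerated: ''
+serviceGenerated: true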

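--- a/tests/test_pm.py
+++ b/tests/test_pm.py
@@ -72,17 +72,29 @@ def _assert_policy_spec(self, ps):
 """
 self.assertIsNotNone(ps)
 self.assertIn("venafi.com", ps.policy.domains)
-self.assertIn("kwan.com", ps.policy.domains)
+self.assertIn("vfidev.com", ps.policy.domains)
+self.assertIn("vfidev.net", ps.policy.domains)
+self.assertIn("venafi.example", ps.policy.domains)
 self.assertIn("venafi.com", ps.policy.subject.orgs)
 self.assertTrue(len(ps.policy.subject.orgs) == 1)
 self.assertIn("DevOps", ps.policy.subject.org_units)
 self.assertTrue(len(ps.policy.subject.org_units) == 1)
 self.assertIn("Merida", ps.policy.subject.localities)
 self.assertTrue(len(ps.policy.subject.localities) == 1)
+
+self.assertIn("Yucatan", ps.policy.subject.states)
+self.assertTrue(len(ps.policy.subject.states) == 1)
+
+self.assertIn("MX", ps.policy.subject.countries)
+self.assertTrue(len(ps.policy.subject.countries) == 1)
+
 self.assertIn("RSA", ps.policy.key_pair.key_types)
-self.assertTrue(len(ps.policy.key_pair.key_types) == 1)
+self.assertIn("EC", ps.policy.key_pair.key_types)
+self.assertTrue(len(ps.policy.key_pair.key_types) == 2)
 self.assertIn(2048, ps.policy.key_pair.rsa_key_sizes)
-self.assertTrue(len(ps.policy.key_pair.rsa_key_sizes) == 1)
+self.assertIn(4096, ps.policy.key_pair.rsa_key_sizes)
+self.assertIn("P521", ps.policy.key_pair.elliptic_curves)
+self.assertIn("P384", ps.policy.key_pair.elliptic_curves)
 
 
 class TestTPPPolicyManagement(unittest.TestCase):
@@ -153,12 +165,12 @@ def _create_policy_tpp(self, policy_spec=None, policy=None, defaults=None):
 create_policy(self.tpp_conn, zone, policy_spec, policy, defaults)
 
 
-class TestCloudPolicyManagement(unittest.TestCase):
+class TestVaaSPolicyManagement(unittest.TestCase):
 def __init__(self, *args, **kwargs):
 self.cloud_conn = CloudConnection(token=CLOUD_APIKEY, url=CLOUD_URL)
 self.json_file = POLICY_SPEC_JSON
 self.yaml_file = POLICY_SPEC_YAML
-super(TestCloudPolicyManagement, self).__init__(*args, **kwargs)
+super(TestVaaSPolicyManagement, self).__init__(*args, **kwargs)
 
 def test_create_policy_from_json(self):
 # ps = json_parser.parse_file(self.json_file)
@@ -329,6 +341,23 @@ def test_create_policy_with_team(self):
 self.assertEqual(1, len(result.users))
 self.assertEqual(CLOUD_TEAM, result.users[0])
 
+def test_create_policy_disabled_subject_fields(self):
+zone = get_vaas_zone()
+policy = get_policy_obj()
+policy.subject.orgs = [""]
+policy.subject.org_units = [""]
+policy.subject.localities = [""]
+policy.subject.states = [""]
+policy.subject.countries = [""]
+ps_response = create_policy(connector=self.cloud_conn, zone=zone,policy=policy)
+self.assertIsNotNone(ps_response.policy)
+self.assertIsNotNone(ps_response.policy.subject)
+self.assertListEqual(ps_response.policy.subject.orgs, [""])
+self.assertListEqual(ps_response.policy.subject.org_units, [""])
+self.assertListEqual(ps_response.policy.subject.localities, [""])
+self.assertListEqual(ps_response.policy.subject.states, [""])
+self.assertListEqual(ps_response.policy.subject.countries, [""])
+
 def _create_policy_cloud(self, policy_spec=None, policy=None, defaults=None):
 zone = get_vaas_zone()
 response = create_policy(self.cloud_conn, zone, policy_spec, policy, defaults)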
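Review bot: In `_assert_policy_spec` the length check on `rsa_key_sizes` is removed and not replaced, while `key_types` gets `== 2`, so an extra size or curve slipping into the fixture would pass unnoticed; add `self.assertEqual(2, len(ps.policy.key_pair.rsa_key_sizes))` and `self.assertEqual(2, len(ps.policy.key_pair.elliptic_curves))` after the new `assertIn` lines. The surrounding `assertTrue(len(x) == n)` pattern only reports "False is not true" on failure, so `assertEqual(n, len(x))` is the better form for the new `states` and `countries` checks too. `_assert_policy_spec` starts outside the hunk. In `test_create_policy_disabled_subject_fields` the call `create_policy(connector=self.cloud_conn, zone=zone,policy=policy)` is missing the space after the comma, and a one-line docstring such as `"""A single empty string in each subject list should round-trip as the 'field disabled' marker."""` would explain why `[""]` is the expected value rather than an empty list.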

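--- a/vcert/policy/pm_cloud.py
+++ b/vcert/policy/pm_cloud.py
@@ -88,25 +88,7 @@ def build_policy_spec(cit, ca_info, subject_cn_to_str=True):
 ca = f"{ca_info.ca_type}\\{ca_info.ca_account_key}\\{ca_info.vendor_name}"
 p.certificate_authority = ca
 
-s = Subject()
-create_subject = False
-if len(cit.SubjectORegexes) > 0:
-create_subject = True
-s.orgs = cit.SubjectORegexes
-if len(cit.SubjectOURegexes) > 0:
-create_subject = True
-s.org_units = cit.SubjectOURegexes
-if len(cit.SubjectLRegexes) > 0:
-create_subject = True
-s.localities = cit.SubjectLRegexes
-if len(cit.SubjectSTRegexes) > 0:
-create_subject = True
-s.states = cit.SubjectSTRegexes
-if len(cit.SubjectCRegexes) > 0:
-create_subject = True
-s.countries = cit.SubjectCRegexes
-
-p.subject = s if create_subject else None
+p.subject = build_policy_spec_subject(cit)
 
 kp = KeyPair()
 create_kp = False
@@ -204,6 +186,63 @@ def build_policy_spec(cit, ca_info, subject_cn_to_str=True):
 return ps
 
 
+def build_policy_spec_subject(cit):
+"""
+
+:param Cit cit:
+:return:
+"""
+s = Subject()
+return_subject = False
+
+orgs_values = None
+if cit.SubjectORegexes is None:
+orgs_values = [""]
+elif len(cit.SubjectORegexes) > 0:
+orgs_values = cit.SubjectORegexes
+if orgs_values:
+s.orgs = orgs_values
+return_subject = True
+
+org_units_values = None
+if cit.SubjectOURegexes is None:
+org_units_values = [""]
+elif len(cit.SubjectOURegexes) > 0:
+org_units_values = cit.SubjectOURegexes
+if org_units_values:
+s.org_units = org_units_values
+return_subject = True
+
+localities_values = None
+if cit.SubjectLRegexes is None:
+localities_values = [""]
+elif len(cit.SubjectLRegexes) > 0:
+localities_values = cit.SubjectLRegexes
+if localities_values:
+s.localities = localities_values
+return_subject = True
+
+states_values = None
+if cit.SubjectSTRegexes is None:
+states_values = [""]
+elif len(cit.SubjectSTRegexes) > 0:
+states_values = cit.SubjectSTRegexes
+if states_values:
+s.states = states_values
+return_subject = True
+
+countries_values = None
+if cit.SubjectCRegexes is None:
+countries_values = [""]
+elif len(cit.SubjectCRegexes) > 0:
+countries_values = cit.SubjectCRegexes
+if countries_values:
+s.countries = countries_values
+return_subject = True
+
+return s if return_subject else None
+
+
 def validate_policy_spec(policy_spec):
 """
 :param PolicySpecification policy_spec:
@@ -505,27 +544,42 @@ def build_cit_request(ps, ca_details):
 request['sanIpAddressRegexes'] = [re_ipv4, re_ipv6]
 
 if ps.policy and ps.policy.subject and len(ps.policy.subject.orgs) > 0:
-request['subjectORegexes'] = ps.policy.subject.orgs
+if len(ps.policy.subject.orgs) == 1 and ps.policy.subject.orgs[0] == "":
+request['subjectORegexes'] = None
+else:
+request['subjectORegexes'] = ps.policy.subject.orgs
 else:
 request['subjectORegexes'] = [re_allow_all]
 
 if ps.policy and ps.policy.subject and len(ps.policy.subject.org_units) > 0:
-request['subjectOURegexes'] = ps.policy.subject.org_units
+if len(ps.policy.subject.org_units) == 1 and ps.policy.subject.org_units[0] == "":
+request['subjectOURegexes'] = None
+else:
+request['subjectOURegexes'] = ps.policy.subject.org_units
 else:
 request['subjectOURegexes'] = [re_allow_all]
 
 if ps.policy and ps.policy.subject and len(ps.policy.subject.localities) > 0:
-request['subjectLRegexes'] = ps.policy.subject.localities
+if len(ps.policy.subject.localities) == 1 and ps.policy.subject.localities[0] == "":
+request['subjectLRegexes'] = None
+else:
+request['subjectLRegexes'] = ps.policy.subject.localities
 else:
 request['subjectLRegexes'] = [re_allow_all]
 
 if ps.policy and ps.policy.subject and len(ps.policy.subject.states) > 0:
-request['subjectSTRegexes'] = ps.policy.subject.states
+if len(ps.policy.subject.states) and ps.policy.subject.states[0] == "":
+request['subjectSTRegexes'] = None
+else:
+request['subjectSTRegexes'] = ps.policy.subject.states
 else:
 request['subjectSTRegexes'] = [re_allow_all]
 
 if ps.policy and ps.policy.subject and len(ps.policy.subject.countries) > 0:
-request['subjectCValues'] = ps.policy.subject.countries
+if len(ps.policy.subject.countries) == 1 and ps.policy.subject.countries[0] == "":
+request['subjectCValues'] = None
+else:
+request['subjectCValues'] = ps.policy.subject.countries
 else:
 request['subjectCValues'] = [re_allow_all]
 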