Map piv/cac to the Federal Bridge CA if using valid policy OIDs (LG-3604) #193
Conversation
Co-authored-by: Jonathan Hooper <jonathan.hooper@gsa.gov>
app/services/issuing_ca_service.rb
Outdated
| return nil unless cert.aia && cert.aia['CA Issuers'].is_a?(Array) | ||
| ca_issuers = cert.aia['CA Issuers'].map do |issuer| | ||
| issuer = issuer.to_s | ||
| next unless issuer.starts_with?('URI') | ||
| issuer = issuer.gsub(/^URI:/, '') | ||
| uri = URI.parse(issuer) | ||
| next unless uri.scheme == 'http' | ||
| next unless allowed_host?(uri.host) | ||
| uri | ||
| end.compact |
There was a problem hiding this comment.
a few things:
- Some ideas for avoiding
unless - Ideas for avoiding reassigning
issuerparam: - possibly simpler control flow with fewer early returns?
this is subjective, just an idea
| return nil unless cert.aia && cert.aia['CA Issuers'].is_a?(Array) | |
| ca_issuers = cert.aia['CA Issuers'].map do |issuer| | |
| issuer = issuer.to_s | |
| next unless issuer.starts_with?('URI') | |
| issuer = issuer.gsub(/^URI:/, '') | |
| uri = URI.parse(issuer) | |
| next unless uri.scheme == 'http' | |
| next unless allowed_host?(uri.host) | |
| uri | |
| end.compact | |
| ca_issuers = Array(cert.aia && cert.aia['CA Issuers']).map do |issuer| | |
| if issuer.to_s.starts_with?('URI:') | |
| uri = URI.parse(issuer.to_s.gsub(/^URI:/, '')) | |
| uri if uri.scheme == 'http' && allowed_host?(uri.host) | |
| end | |
| end.compact |
There was a problem hiding this comment.
Acknowledging the subjectivity for myself as well on this. I'm not committed to what we have at the moment, but I have difficulty parsing nested calls and implicit returns while reading. It's lengthier, but the intention was a series of clear steps for filtering and transformation.
I was considering something like filter_map, but it would have to be filter -> map -> filter which felt harder to follow.
There was a problem hiding this comment.
there's flat_map which will remove nil values automatically?
There was a problem hiding this comment.
I think flat_map will only pull values out of arrays
irb(main):003:0> ['a', nil, ['a']].flat_map { |x| x }
=> ["a", nil, "a"]There was a problem hiding this comment.
Ah right, well probably fine to leave as-is for a bit then
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
mitchellhenke
force-pushed
the
mitchellhenke/federal-bridge-and-policy-oids
branch
from
304c0ff
to
9983fa3
Compare
mitchellhenke
force-pushed
the
mitchellhenke/federal-bridge-and-policy-oids
branch
from
9983fa3
to
32134d0
Compare
Creates a new service that will attempt to verify a cert is issued by a trusted authority and has valid policy OIDs. The service is only permitted to download bundles from specified CA issuers via configuration. Missing hosts will be logged so we can consider adding them in the future. These hosts will also have to be coordinated with the outbound proxy configuration.
Policy OIDs are only checked for the downloaded certs. If a cert is stored, we continue to not check policy to avoid breaking existing functionality.