cert-request: generalise _san_dnsname_ips for arbitrary cname depth

Generalise _san_dnsname_ips to allow arbitrary cname depths. This also clarifies the code and avoids boolean blindness. Update the call site to maintain the existing behvaiour (one cname allowed). Part of: https://pagure.io/freeipa/issue/7451
freeipa · Apr 23, 2018 · f3540e9 · f3540e9
1 parent 8e0591b
commit f3540e9
Showing 1 changed file with 10 additions and 13 deletions.
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
@@ -1122,7 +1122,7 @@ def _validate_san_ips(san_ipaddrs, san_dnsnames):
     """
     san_dns_ips = set()
     for name in san_dnsnames:
-        san_dns_ips.update(_san_dnsname_ips(name))
+        san_dns_ips.update(_san_dnsname_ips(name, cname_depth=1))
     for ip in san_ipaddrs:
         if unicode(ip) not in san_dns_ips:
             raise errors.ValidationError(
@@ -1134,7 +1134,7 @@ def _validate_san_ips(san_ipaddrs, san_dnsnames):
             )
 
 
-def _san_dnsname_ips(dnsname, dnsname_is_cname=False):
+def _san_dnsname_ips(dnsname, cname_depth):
     """
     Resolve a DNS name to its IP address(es).
 
@@ -1144,8 +1144,7 @@ def _san_dnsname_ips(dnsname, dnsname_is_cname=False):
     that correspond to the DNS name (from the subjectAltName).
 
     :param dnsname: The DNS name (text) for which to resolve the IP addresses
-    :param dnsname_is_cname: True when (recursively) resolving a CNAME (CNAME
-        chains are not followed)
+    :param cname_depth: How many cnames are we allowed to follow?
 
     :return: The set of IP addresses resolved from the DNS name
 
@@ -1163,15 +1162,13 @@ def _san_dnsname_ips(dnsname, dnsname_is_cname=False):
                               result.get('aaaarecord', ())):
         if _ip_rdns_ok(ip, fqdn):
             ips.add(ip)
-    cnames = result.get('cnamerecord', ())
-    if cnames:
-        if dnsname_is_cname:
-            logger.debug("Skipping IPs for %s: chained CNAME", dnsname)
-        else:
-            for cname in cnames:
-                if not cname.endswith('.'):
-                    cname = u'%s.%s' % (cname, zone)
-                ips.update(_san_dnsname_ips(cname, True))
+
+    if cname_depth > 0:
+        for cname in result.get('cnamerecord', []):
+            if not cname.endswith('.'):
+                cname = u'%s.%s' % (cname, zone)
+            ips.update(_san_dnsname_ips(cname, cname_depth=cname_depth - 1))
+
     return ips