package validation
import (
errs "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"
kval "github.com/GoogleCloudPlatform/kubernetes/pkg/api/validation"
"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
routeapi "github.com/openshift/origin/pkg/route/api"
)
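// ValidateRoute tests if required fields in the route are set.
//
// It validates the object metadata, the optional Host (which must be a
// DNS subdomain when present, since it is the value the router matches on),
// the required ServiceName, and the TLS configuration (see validateTLS).
// Field errors from the TLS check are prefixed with "tls" so they can be
// attributed to the nested object. An empty list means the route is valid.
func ValidateRoute(route *routeapi.Route) errs.ValidationErrorList {
	result := errs.ValidationErrorList{}

	// ensure meta is set properly
	result = append(result, kval.ValidateObjectMeta(&route.ObjectMeta, true, kval.ValidatePodName)...)

	// host is not required but if it is set ensure it meets DNS requirements
	if len(route.Host) > 0 && !util.IsDNSSubdomain(route.Host) {
		result = append(result, errs.NewFieldInvalid("host", route.Host, "Host must conform to DNS 952 subdomain conventions"))
	}

	if len(route.ServiceName) == 0 {
		result = append(result, errs.NewFieldRequired("serviceName", ""))
	}

	// Named tlsErrs (not errs) so the imported errors package is not shadowed
	// inside this scope.
	if tlsErrs := validateTLS(route.TLS); len(tlsErrs) != 0 {
		result = append(result, tlsErrs.Prefix("tls")...)
	}

	return result
}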
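// validateTLS tests that the fields set on a TLS configuration are consistent
// with the selected termination type. Called by ValidateRoute, which prefixes
// the returned field names with "tls".
//
//   - reencrypt must specify certificate, key, caCertificate and destinationCACertificate
//   - edge must specify certificate, key and caCertificate, and must not set destinationCACertificate
//   - passthrough must not specify any certificate material
//
// A nil config or an empty Termination means TLS is not configured and yields
// nil. Any other Termination value is rejected rather than silently accepted,
// so a typo or unsupported type cannot pass validation and leave the router to
// guess how traffic should be terminated.
//
// Only presence/absence of each field is checked here; certificate and key
// contents are not parsed, so malformed PEM or a key that does not match the
// certificate is not detected at this layer. The private key value is never
// echoed back in an error, because validation errors are returned to clients
// and may end up in logs.
func validateTLS(tls *routeapi.TLSConfig) errs.ValidationErrorList {
	// Placeholder reported in place of private key material.
	const redactedKey = "<redacted>"

	result := errs.ValidationErrorList{}

	// no termination, ignore other settings
	if tls == nil || tls.Termination == "" {
		return nil
	}

	switch tls.Termination {
	case routeapi.TLSTerminationReencrypt:
		// reencrypt must specify cert, key, cacert, and destination ca cert
		if len(tls.Certificate) == 0 {
			result = append(result, errs.NewFieldRequired("certificate", tls.Certificate))
		}
		if len(tls.Key) == 0 {
			result = append(result, errs.NewFieldRequired("key", tls.Key))
		}
		if len(tls.CACertificate) == 0 {
			result = append(result, errs.NewFieldRequired("caCertificate", tls.CACertificate))
		}
		if len(tls.DestinationCACertificate) == 0 {
			result = append(result, errs.NewFieldRequired("destinationCACertificate", tls.DestinationCACertificate))
		}

	case routeapi.TLSTerminationPassthrough:
		// passthrough term should not specify any cert
		if len(tls.Certificate) > 0 {
			result = append(result, errs.NewFieldInvalid("certificate", tls.Certificate, "passthrough termination does not support certificates"))
		}
		if len(tls.Key) > 0 {
			// do not include the supplied private key in the error
			result = append(result, errs.NewFieldInvalid("key", redactedKey, "passthrough termination does not support certificates"))
		}
		if len(tls.CACertificate) > 0 {
			result = append(result, errs.NewFieldInvalid("caCertificate", tls.CACertificate, "passthrough termination does not support certificates"))
		}
		if len(tls.DestinationCACertificate) > 0 {
			result = append(result, errs.NewFieldInvalid("destinationCACertificate", tls.DestinationCACertificate, "passthrough termination does not support certificates"))
		}

	case routeapi.TLSTerminationEdge:
		// edge cert should specify cert, key, and cacert
		if len(tls.Certificate) == 0 {
			result = append(result, errs.NewFieldRequired("certificate", tls.Certificate))
		}
		if len(tls.Key) == 0 {
			result = append(result, errs.NewFieldRequired("key", tls.Key))
		}
		if len(tls.CACertificate) == 0 {
			result = append(result, errs.NewFieldRequired("caCertificate", tls.CACertificate))
		}
		if len(tls.DestinationCACertificate) > 0 {
			result = append(result, errs.NewFieldInvalid("destinationCACertificate", tls.DestinationCACertificate, "edge termination does not support destination certificates"))
		}

	default:
		// An unrecognized termination type previously passed validation with
		// no errors; reject it explicitly.
		result = append(result, errs.NewFieldInvalid("termination", tls.Termination, "unsupported termination type"))
	}

	return result
}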