
Merge "Validate TLD during ssl cert creation"
Jenkins authored and openstack-gerrit committed Sep 6, 2016
2 parents 67a259e + 7e0e0e6 commit 665c577
Showing 6 changed files with 45 additions and 3 deletions.
3 changes: 2 additions & 1 deletion poppy/manager/default/ssl_certificate.py
Expand Up @@ -48,7 +48,8 @@ def create_ssl_certificate(

if (not validators.is_valid_domain_name(cert_obj.domain_name)) or \
(validators.is_root_domain(
domain.Domain(cert_obj.domain_name).to_dict())):
domain.Domain(cert_obj.domain_name).to_dict())) or \
(not validators.is_valid_tld(cert_obj.domain_name)):
# here created a http domain object but it does not matter http or
# https
raise ValueError('%s must be a valid non-root domain' %
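Review bot: The added `(not validators.is_valid_tld(cert_obj.domain_name))` branch reuses the message `'%s must be a valid non-root domain'`, so a domain rejected because of its TLD — including one rejected only because the helper's whois or DNS lookup failed, since is_valid_tld returns False on any exception — is reported to the caller as a non-root-domain problem. Consider checking the TLD in its own `if` with its own message, e.g. `raise ValueError('%s must have a valid top-level domain' % cert_obj.domain_name)`, so the two conditions stay distinguishable in the API response and in logs. The helper performs outbound whois and DNS queries for a caller-supplied name on every create request; whether that is acceptable on this path deserves a comment where it is called. create_ssl_certificate starts and ends outside this hunk, and the raise statement continues past it.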
21 changes: 21 additions & 0 deletions poppy/transport/validators/helpers.py
Expand Up @@ -14,9 +14,12 @@
# limitations under the License.

import datetime
import dns.resolver
import functools
import json
import re
import whois

try:
set
except NameError: # noqa pragma: no cover
Expand All @@ -30,6 +33,7 @@
from poppy.transport.validators import root_domain_regexes as regexes
from poppy.transport.validators.stoplight import decorators
from poppy.transport.validators.stoplight import exceptions
from tld import get_tld


def req_accepts_json_pecan(request, desired_content_type='application/json'):
Expand Down Expand Up @@ -134,6 +138,23 @@ def is_valid_shared_ssl_domain_name(domain_name):
return re.match(shared_ssl_domain_regex, domain_name) is not None


def is_valid_tld(domain_name):
try:
status = whois.whois(domain_name)['status']
if status is not None or status != '':
url = 'https://{domain}'
tld_obj = get_tld(url.format(domain=domain_name),
as_object=True)
tld = tld_obj.suffix
try:
dns.resolver.query(tld + '.', 'SOA')
return True
except dns.resolver.NXDOMAIN:
return False
except Exception:
return False


def is_valid_domain_name(domain_name):
# only allow ascii
domain_regex = ('^((?=[a-z0-9-]{1,63}\.)[a-z0-9]+'
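Review bot: The guard `if status is not None or status != '':` at the top of is_valid_tld is always true (when status is None the second operand holds), so the whois result never influences the outcome and the lookup only contributes failure modes; it reads as if `and` was intended, but with `and` the fall-through path would return None rather than False. The bare `except Exception: return False` also folds resolver timeouts, NoNameservers, a missing 'status' key and get_tld errors into "invalid TLD", which the caller in ssl_certificate.py then reports as a user error with no way to tell a transient lookup failure from a bad name. Two outbound lookups (whois, then DNS) against a caller-supplied name run inside request validation with library-default timeouts; if the whois step is kept, the reason belongs in a comment. A tighter version that drops the unused whois call and treats only NXDOMAIN as "invalid" is sketched below; whether other resolver errors should propagate or map to False is a policy call for the caller.
```python
def is_valid_tld(domain_name):
    """Return True if the public suffix of *domain_name* has an SOA record.

    Only NXDOMAIN is taken as proof that the suffix is not a live TLD; other
    resolver errors propagate so callers can distinguish a bad name from an
    unavailable resolver.
    """
    try:
        tld_obj = get_tld('https://{domain}'.format(domain=domain_name),
                          as_object=True)
    except Exception:
        # get_tld raises on unknown or malformed suffixes; narrow this to the
        # tld package's own exception types once the project pins a version
        return False
    try:
        dns.resolver.query(tld_obj.suffix + '.', 'SOA')
    except dns.resolver.NXDOMAIN:
        return False
    return True
```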
4 changes: 4 additions & 0 deletions requirements/common.txt
Expand Up @@ -19,3 +19,7 @@ oslo.log>=1.12.1
oslo.serialization>=1.7.0
oslo.utils>=2.0.0
SecretStorage==2.1.4

python-whois>=0.6.2
tld>=0.7.6
dnspython>=1.14.0
Expand Up @@ -17,7 +17,9 @@
import uuid

import ddt
import mock

from poppy.transport.validators import helpers as validators
from tests.functional.transport.pecan import base


Expand Down Expand Up @@ -56,6 +58,7 @@ def setUp(self):

@ddt.file_data("data_create_ssl_certificate.json")
def test_create_ssl_certificate(self, ssl_certificate_json):
validators.is_valid_tld = mock.Mock(return_value=True)

# override the hardcoded flavor_id in the ddt file with
# a custom one defined in setUp()
Expand All @@ -81,6 +84,7 @@ def test_get_ssl_certificate_non_existing_domain(self):
self.assertEqual(404, response.status_code)

def test_get_ssl_certificate_existing_domain(self):
validators.is_valid_tld = mock.Mock(return_value=True)
domain = 'www.iexist.com'
ssl_certificate_json = {
"cert_type": "san",
Expand Down Expand Up @@ -113,6 +117,7 @@ def test_get_ssl_certificate_existing_domain(self):
response_list[0]["project_id"])

def test_get_ssl_certificate_existing_domain_different_project_id(self):
validators.is_valid_tld = mock.Mock(return_value=True)
domain = 'www.iexist.com'
ssl_certificate_json = {
"cert_type": "san",
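Review bot: `validators.is_valid_tld = mock.Mock(return_value=True)` in test_create_ssl_certificate, test_get_ssl_certificate_existing_domain and test_get_ssl_certificate_existing_domain_different_project_id replaces the module attribute for the rest of the process and never restores it, so whichever test runs first decides what later tests — including any that expect the real validator — observe. Prefer a scoped patch, e.g. decorate each test with `@mock.patch.object(validators, 'is_valid_tld', return_value=True)` and add the mock parameter to the signature, or register the restore with `self.addCleanup` so the assignment is undone. The same unscoped assignment appears in tests/unit/manager/default/test_ssl_certificate.py in this commit (`validators.is_valid_tld = mock.Mock(return_value=False)`). Each of the affected test methods continues beyond its hunk.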
3 changes: 1 addition & 2 deletions tests/test-requirements.txt
@@ -1,6 +1,5 @@
coverage
ddt==1.0.0
dnspython
fixtures
hacking
mock
Expand All @@ -11,4 +10,4 @@ requests-mock
testrepository
testtools
beautifulsoup4
hypothesis
hypothesis
12 changes: 12 additions & 0 deletions tests/unit/manager/default/test_ssl_certificate.py
Expand Up @@ -22,6 +22,7 @@
from poppy.manager.default import driver
from poppy.manager.default import ssl_certificate
from poppy.model import ssl_certificate as ssl_cert_model
from poppy.transport.validators import helpers as validators
from tests.unit import base


Expand Down Expand Up @@ -88,6 +89,17 @@ def test_create_ssl_certificate_exception_validation(self):
with testtools.ExpectedException(ValueError):
self.scc.create_ssl_certificate('project_id', cert_obj=cert_obj)

def test_create_ssl_certificate_invalid_domain(self):
cert_obj = ssl_cert_model.SSLCertificate(
'premium',
'www.krusty.happyclowns',
'san',
project_id='000'
)
validators.is_valid_tld = mock.Mock(return_value=False)
with testtools.ExpectedException(ValueError):
self.scc.create_ssl_certificate('project_id', cert_obj=cert_obj)

def test_create_ssl_certificate_exception_storage_create_cert(self):
cert_obj = ssl_cert_model.SSLCertificate(
'flavor_id',
