From 051b5f289d363ac6cbbcf02e3a17c2bd4a537001 Mon Sep 17 00:00:00 2001
From: DQ
Date: Wed, 27 Jan 2021 17:16:31 +0800
Subject: [PATCH] Add sen existed check for internal cert fali ealier when there is no san
Signed-off-by: DQ
---
 make/photon/prepare/models.py | 17 +++++++++++++----
 make/photon/prepare/utils/cert.py | 5 ++---
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/make/photon/prepare/models.py b/make/photon/prepare/models.py
index c72fb9b17..e3530acd5 100644
--- a/make/photon/prepare/models.py
+++ b/make/photon/prepare/models.py
@@ -5,7 +5,7 @@ from shutil import copytree, rmtree
 from g import internal_tls_dir, DEFAULT_GID, DEFAULT_UID, PG_GID, PG_UID
 from utils.misc import check_permission, owner_can_read, get_realpath, port_number_valid
-
+from utils.cert import san_existed
 class InternalTLS:
@@ -75,7 +75,7 @@ class InternalTLS:
     def _check(self, filename: str):
         """
-        Check the permission of cert and key is correct
+        Check cert and key files are correct
         """
         path = Path(os.path.join(internal_tls_dir, filename))
@@ -92,12 +92,21 @@ class InternalTLS:
         if filename.endswith('.key') and not check_permission(path, mode=0o600):
             raise Exception('key file {} permission is not 600'.format(filename))
-        # check owner can read cert file
-        if filename.endswith('.crt') and not owner_can_read(path.stat().st_mode):
+        # check certificate file
+        if filename.endswith('.crt'):
+            if not owner_can_read(path.stat().st_mode):
+                # check owner can read cert file
                 raise Exception('File {} should readable by owner'.format(filename))
+            if not san_existed(path):
+                # check SAN included
+                if filename == 'harbor_internal_ca.crt':
+                    return
+                raise Exception('cert file {} should include SAN'.format(filename))
+
     def validate(self) -> bool:
         if not self.enabled:
+            # pass the validation if not enabled
             return True
         if not internal_tls_dir.exists():
diff --git a/make/photon/prepare/utils/cert.py b/make/photon/prepare/utils/cert.py
index 410529222..2c51b02f5 100644
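Review bot: In the `_check` hunk of models.py the CA exemption is evaluated only after `san_existed(path)` has already shelled out to openssl, and it is implemented as a bare `return` inside the SAN branch, so any check appended below it later would be silently skipped for `harbor_internal_ca.crt`. Testing the name first keeps the exemption explicit and skips the subprocess for the CA: `if filename != 'harbor_internal_ca.crt' and not san_existed(path):` followed by the existing `raise`. The comment `# check SAN included` restates the code; a why-comment would serve better, e.g. `# end-entity certs are verified by hostname and need a SAN; the internal CA cert is exempt` (the motivation is inferred from the commit title, so confirm the wording). Note that `san_existed` maps an openssl failure to `False` (see the cert.py hunk), so an unreadable or malformed certificate is reported here as "should include SAN" rather than as a bad file. `_check` begins before this hunk and `validate` continues after it.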
--- a/make/photon/prepare/utils/cert.py
+++ b/make/photon/prepare/utils/cert.py
@@ -58,9 +58,8 @@ def create_ext_file(cn, ext_filename):
 def san_existed(cert_path):
     try:
-        return len(subprocess.check_output(
-            ["/usr/bin/openssl", "x509", "-in",cert_path, "-noout", "-ext", "subjectAltName"]
-        )) > 0
+        return "Subject Alternative Name:" in str(subprocess.check_output(
+            ["/usr/bin/openssl", "x509", "-in", cert_path, "-text"]))
     except subprocess.CalledProcessError:
         pass
     return False
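Review bot: `str(subprocess.check_output(...))` in the new `san_existed` yields the `b'...'` repr of the bytes rather than decoded text, and `-text` without `-noout` also prints the PEM body, so the substring test runs over far more than the extension list; decoding and narrowing the output is a two-line change: `text = subprocess.check_output(["/usr/bin/openssl", "x509", "-in", cert_path, "-noout", "-text"]).decode("utf-8", "replace")` and `return "X509v3 Subject Alternative Name:" in text`. Matching the full extension label also reduces the chance that a subject DN or other field containing the words "Subject Alternative Name:" is taken for the extension. The `except subprocess.CalledProcessError: pass` path turns an unreadable or malformed certificate into `False`, which the caller then reports as a missing SAN; a comment such as `# openssl failed to parse the file; caller reports this as a missing SAN` would at least make the misdiagnosis visible. A missing `/usr/bin/openssl` raises `FileNotFoundError`, which is not caught here and surfaces as an uncaught traceback from the caller. If the move away from `-ext subjectAltName` was for OpenSSL builds older than 1.1.1, a one-line comment saying so would stop someone restoring the more precise flag.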