Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2025-03-11 22:20:00 +01:00
Code Issues Projects Releases Wiki Activity

Add sen existed check for internal cert

Browse Source 
fali ealier when there is no san

Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
DQ 2021-01-27 17:16:31 +08:00
parent 50a1e85095
commit 051b5f289d
2 changed files with 15 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
make/photon/prepare/models.py
View File

@ -5,7 +5,7 @@ from shutil import copytree, rmtree
from g import internal_tls_dir, DEFAULT_GID, DEFAULT_UID, PG_GID, PG_UID from g import internal_tls_dir, DEFAULT_GID, DEFAULT_UID, PG_GID, PG_UID
from utils.misc import check_permission, owner_can_read, get_realpath, port_number_valid from utils.misc import check_permission, owner_can_read, get_realpath, port_number_valid
from utils.cert import san_existed
class InternalTLS: class InternalTLS:
@ -75,7 +75,7 @@ class InternalTLS:
def _check(self, filename: str): def _check(self, filename: str):
""" """
Check the permission of cert and key is correct Check cert and key files are correct
""" """
path = Path(os.path.join(internal_tls_dir, filename)) path = Path(os.path.join(internal_tls_dir, filename))
@ -92,12 +92,21 @@ class InternalTLS:
if filename.endswith('.key') and not check_permission(path, mode=0o600): if filename.endswith('.key') and not check_permission(path, mode=0o600):
raise Exception('key file {} permission is not 600'.format(filename)) raise Exception('key file {} permission is not 600'.format(filename))
# check owner can read cert file # check certificate file
if filename.endswith('.crt') and not owner_can_read(path.stat().st_mode): if filename.endswith('.crt'):
if not owner_can_read(path.stat().st_mode):
# check owner can read cert file
raise Exception('File {} should readable by owner'.format(filename)) raise Exception('File {} should readable by owner'.format(filename))
if not san_existed(path):
# check SAN included
if filename == 'harbor_internal_ca.crt':
return
raise Exception('cert file {} should include SAN'.format(filename))
def validate(self) -> bool: def validate(self) -> bool:
if not self.enabled: if not self.enabled:
# pass the validation if not enabled
return True return True
if not internal_tls_dir.exists(): if not internal_tls_dir.exists():

5
make/photon/prepare/utils/cert.py
View File

@ -58,9 +58,8 @@ def create_ext_file(cn, ext_filename):
def san_existed(cert_path): def san_existed(cert_path):
try: try:
return len(subprocess.check_output( return "Subject Alternative Name:" in str(subprocess.check_output(
["/usr/bin/openssl", "x509", "-in",cert_path, "-noout", "-ext", "subjectAltName"] ["/usr/bin/openssl", "x509", "-in", cert_path, "-text"]))
)) > 0
except subprocess.CalledProcessError: except subprocess.CalledProcessError:
pass pass
return False return False