Clean up validator lists

Move signature validation to standards validators. Remove old validator entries from the setup.cfg. Partial-Bug: #1548610 Change-Id: I667b0ad1a49766c2df09489ea3a11e0e77bc4333
2016-02-06 11:04:21 +11:00 · 2016-02-06 11:04:21 +11:00 · 65621def14
commit 65621def14
parent 3cf8e51dce
5 changed files with 38 additions and 34 deletions
--- a/anchor/validators/custom.py
+++ b/anchor/validators/custom.py
@ -22,7 +22,6 @@ from pyasn1_modules import rfc2459

 from anchor.validators import errors as v_errors
 from anchor.validators import utils
-from anchor.X509 import errors
 from anchor.X509 import extension
 from anchor.X509 import name as x509_name

@ -207,15 +206,6 @@ def source_cidrs(request=None, cidrs=None, **kwargs):
        request.client_addr)


-def csr_signature(csr=None, **kwargs):
-    """Ensure that the CSR has a valid self-signature."""
-    try:
-        if not csr.verify():
-            raise v_errors.ValidationError("Signature on the CSR is not valid")
-    except errors.X509Error:
-        raise v_errors.ValidationError("Signature on the CSR is not valid")
-
-
 def public_key(csr=None, allowed_keys=None, **kwargs):
    """Ensure the public key has the known type and size.

--- a/anchor/validators/standards.py
+++ b/anchor/validators/standards.py
@ -25,6 +25,7 @@ from __future__ import absolute_import

 from anchor import util
 from anchor.validators import errors
+from anchor.X509 import errors as x509_errors
 from anchor.X509 import extension


@ -33,6 +34,7 @@ def standards_compliance(csr=None, **kwargs):
    _no_extension_duplicates(csr)
    _critical_flags(csr)
    _valid_domains(csr)
+    _csr_signature(csr)
    # TODO(stan): validate srv/uri, distinct DNs, email format, identity keys


@ -80,3 +82,12 @@ def _valid_domains(csr):
            util.verify_domain(domain, allow_wildcards=True)
        except ValueError as e:
            raise errors.ValidationError(str(e))
+
+
+def _csr_signature(csr):
+    """Ensure that the CSR has a valid self-signature."""
+    try:
+        if not csr.verify():
+            raise errors.ValidationError("Signature on the CSR is not valid")
+    except x509_errors.X509Error:
+        raise errors.ValidationError("Signature on the CSR is not valid")
--- a/setup.cfg
+++ b/setup.cfg
@ -31,9 +31,6 @@ anchor.signing_backends =
    anchor = anchor.certificate_ops:sign

 anchor.validators =
-    check_domains = anchor.validators.custom:check_domains
-    iter_alternative_names = anchor.validators.custom:iter_alternative_names
-    check_networks = anchor.validators.custom:check_networks
    common_name = anchor.validators.custom:common_name
    alternative_names = anchor.validators.custom:alternative_names
    alternative_names_ip = anchor.validators.custom:alternative_names_ip
@ -41,8 +38,10 @@ anchor.validators =
    server_group = anchor.validators.custom:server_group
    extensions = anchor.validators.custom:extensions
    key_usage = anchor.validators.custom:key_usage
+    ext_key_usage = anchor.validators.custom:ext_key_usage
    source_cidrs = anchor.validators.custom:source_cidrs
    whitelist_names = anchor.validators.custom:whitelist_names
+    public_key = anchor.validators.custom:public_key
    standards_compliance = anchor.validators.standards:standards_compliance

 anchor.authentication =
--- a/tests/validators/test_callable_validators.py
+++ b/tests/validators/test_callable_validators.py
@ -20,7 +20,6 @@ import unittest
 import mock
 import netaddr
 from pyasn1.codec.der import decoder
-from pyasn1_modules import rfc2459

 from anchor.asn1 import rfc5280
 from anchor.validators import custom
@ -554,26 +553,6 @@ class TestValidators(tests.DefaultRequestMixin, unittest.TestCase):
            )
        )

-    def test_csr_signature(self):
-        csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
-        self.assertIsNone(custom.csr_signature(csr=csr))
-
-    def test_csr_signature_bad_sig(self):
-        csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
-        with mock.patch.object(x509_csr.X509Csr, '_get_signature',
-                               return_value=(b'A'*49)):
-            with self.assertRaisesRegexp(errors.ValidationError,
-                                         "Signature on the CSR is not valid"):
-                custom.csr_signature(csr=csr)
-
-    def test_csr_signature_bad_algo(self):
-        csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
-        with mock.patch.object(x509_csr.X509Csr, '_get_signing_algorithm',
-                               return_value=rfc2459.id_dsa_with_sha1):
-            with self.assertRaisesRegexp(errors.ValidationError,
-                                         "Signature on the CSR is not valid"):
-                custom.csr_signature(csr=csr)
-
    def test_public_key_good_rsa(self):
        csr = x509_csr.X509Csr.from_buffer(self.csr_sample_bytes)
        self.assertIsNone(custom.public_key(csr=csr,
--- a/tests/validators/test_standards_validator.py
+++ b/tests/validators/test_standards_validator.py
@ -16,7 +16,9 @@

 import unittest

+import mock
 from pyasn1.codec.der import encoder
+from pyasn1_modules import rfc2459

 from anchor.asn1 import rfc5280
 from anchor.validators import errors
@ -160,3 +162,26 @@ class TestValidDomains(unittest.TestCase):
        csr = self._create_csr_with_domain_san('foo*.example.com')
        with self.assertRaises(errors.ValidationError):
            standards._valid_domains(csr)
+
+
+class TestCsrSignature(tests.DefaultRequestMixin, unittest.TestCase):
+    def test_csr_signature(self):
+        csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
+        self.assertIsNone(standards._csr_signature(csr=csr))
+
+    def test_csr_signature_bad_sig(self):
+        csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
+        with mock.patch.object(signing_request.X509Csr, '_get_signature',
+                               return_value=(b'A'*49)):
+            with self.assertRaisesRegexp(errors.ValidationError,
+                                         "Signature on the CSR is not valid"):
+                standards._csr_signature(csr=csr)
+
+    def test_csr_signature_bad_algo(self):
+        csr = signing_request.X509Csr.from_buffer(self.csr_sample_bytes)
+        with mock.patch.object(signing_request.X509Csr,
+                               '_get_signing_algorithm',
+                               return_value=rfc2459.id_dsa_with_sha1):
+            with self.assertRaisesRegexp(errors.ValidationError,
+                                         "Signature on the CSR is not valid"):
+                standards._csr_signature(csr=csr)