Update to add checks for the name of secrets and certificates (#21)

az-acme · Jul 24, 2022 · 7d77d6e · 7d77d6e
1 parent d01b7e3
commit 7d77d6e
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 4 deletions.
diff --git a/src/AzAcme.Cli/Commands/OrderCommand.cs b/src/AzAcme.Cli/Commands/OrderCommand.cs
@@ -1,6 +1,7 @@
 using AzAcme.Cli.Commands.Options;
 using AzAcme.Cli.Util;
 using AzAcme.Core;
+using AzAcme.Core.Exceptions;
 using AzAcme.Core.Extensions;
 using AzAcme.Core.Providers.Models;
 using Microsoft.Extensions.Logging;
@@ -27,6 +28,10 @@ public OrderCommand(ILogger logger,
 
  protected override async Task<int> OnExecute(OrderOptions opts)
  {
+ // check the name is valid first.
+ await certificateStore.ValidateCertificateName(opts.Certificate);
+
+ Console.WriteLine(opts.Certificate);
  var certificateRequest = new CertificateRequest(opts.Certificate, opts.Subject, opts.SubjectAlternativeNames);
 
  this.logger.LogInformation("Loading metadata from certificate store for certificate '{0}'.", opts.Certificate);

diff --git a/src/AzAcme.Core/ICertificateStore.cs b/src/AzAcme.Core/ICertificateStore.cs
@@ -4,6 +4,8 @@ namespace AzAcme.Core
 {
  public interface ICertificateStore
  {
+ Task ValidateCertificateName(string name);
+
  Task<CertificateMetadata> GetMetadata(CertificateRequest request);
 
  Task<CertificateCsr> Prepare(CertificateRequest request);

diff --git a/src/AzAcme.Core/ISecretStore.cs b/src/AzAcme.Core/ISecretStore.cs
@@ -2,6 +2,8 @@
 {
  public interface ISecretStore
  {
+ Task ValidateSecretName(string name);
+
  Task<IScopedSecret> CreateScopedSecret(string name);
  }
 }
diff --git a/src/AzAcme.Core/Providers/KeyVault/AzureKeyVaultCertificateStore.cs b/src/AzAcme.Core/Providers/KeyVault/AzureKeyVaultCertificateStore.cs
@@ -1,4 +1,6 @@
-using AzAcme.Core.Providers.Models;
+using System.Text.RegularExpressions;
+using AzAcme.Core.Exceptions;
+using AzAcme.Core.Providers.Models;
 using Azure;
 using Azure.Security.KeyVault.Certificates;
 using Microsoft.Extensions.Logging;
@@ -30,6 +32,17 @@ public Task<CertificateMetadata> GetMetadata(CertificateRequest request)
  return Task.FromResult(info);
  }
 
+ public Task ValidateCertificateName(string name)
+ {
+ const string regex = "^[A-Za-z0-9-]+$";
+
+ if (!Regex.IsMatch(name, regex))
+ {
+ throw new ConfigurationException($"Key Vault Certificate '{name}' invalid. Should be alphanumeric and dashes only.");
+ }
+
+ return Task.CompletedTask;
+ }
  public async Task<CertificateCsr> Prepare(CertificateRequest request)
  {
  const string IssuerName = "Unknown"; // always same for externally managed lifecycles in azure.

diff --git a/src/AzAcme.Core/Providers/KeyVault/AzureKeyVaultSecretStore.cs b/src/AzAcme.Core/Providers/KeyVault/AzureKeyVaultSecretStore.cs
@@ -1,4 +1,6 @@
-using Azure.Security.KeyVault.Secrets;
+using System.Text.RegularExpressions;
+using AzAcme.Core.Exceptions;
+using Azure.Security.KeyVault.Secrets;
 using Microsoft.Extensions.Logging;
 
 namespace AzAcme.Core.Providers.KeyVault
@@ -14,11 +16,26 @@ public AzureKeyVaultSecretStore(ILogger logger, SecretClient client)
  this.client = client ?? throw new ArgumentNullException(nameof(client));
  }
 
- public Task<IScopedSecret> CreateScopedSecret(string name)
+ public Task ValidateSecretName(string name)
  {
+ const string regex = "^[A-Za-z0-9-]+$";
+
+ if (!Regex.IsMatch(name, regex))
+ {
+ throw new ConfigurationException($"Key Vault Certificate '{name}' invalid. Should be alphanumeric and dashes only.");
+ }
+
+ return Task.CompletedTask;
+ }
+
+ public async Task<IScopedSecret> CreateScopedSecret(string name)
+ {
+ // ensure validation has occured.
+ await ValidateSecretName(name);
+
  IScopedSecret ss = new AzureKeyVaultScopedSecret(this.client, name);
 
- return Task.FromResult(ss);
+ return ss;
  }
 
  internal class AzureKeyVaultScopedSecret : IScopedSecret