From 25964b54f625743e176cbd3d2aefe7e4c7146e45 Mon Sep 17 00:00:00 2001
From: forfuncsake
Date: Thu, 6 Aug 2020 11:17:47 +1000
Subject: [PATCH] Use inclusive terminology for cert blocking (#272)
---
cert.go | 12 +++++++++---
cert/ca.go | 22 +++++++++++-----------
cert/cert.go | 6 +++---
cert/cert_test.go | 6 +++---
examples/config.yml | 6 +++---
5 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/cert.go b/cert.go
index ff75922..bc51175 100644
--- a/cert.go
+++ b/cert.go
@@ -149,10 +149,16 @@ func loadCAFromConfig(c *Config) (*cert.NebulaCAPool, error) {
 return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
 }
- // pki.blacklist entered the scene at about the same time we aliased x509 to pki, not supporting backwards compat
+ for _, fp := range c.GetStringSlice("pki.blocklist", []string{}) {
+ l.WithField("fingerprint", fp).Infof("Blocklisting cert")
+ CAs.BlocklistFingerprint(fp)
+ }
+
+ // Support deprecated config for at leaast one minor release to allow for migrations
 for _, fp := range c.GetStringSlice("pki.blacklist", []string{}) {
- l.WithField("fingerprint", fp).Infof("Blacklisting cert")
- CAs.BlacklistFingerprint(fp)
+ l.WithField("fingerprint", fp).Infof("Blocklisting cert")
+ l.Warn("pki.blacklist is deprecated and will not be supported in a future release. Please migrate your config to use pki.blocklist")
+ CAs.BlocklistFingerprint(fp)
 }
 return CAs, nil
diff --git a/cert/ca.go b/cert/ca.go
index 43a47a2..6584529 100644
--- a/cert/ca.go
+++ b/cert/ca.go
@@ -8,14 +8,14 @@ import (
 type NebulaCAPool struct {
 CAs map[string]*NebulaCertificate
- certBlacklist map[string]struct{}
+ certBlocklist map[string]struct{}
 }
 // NewCAPool creates a CAPool
 func NewCAPool() *NebulaCAPool {
 ca := NebulaCAPool{
 CAs: make(map[string]*NebulaCertificate),
- certBlacklist: make(map[string]struct{}),
+ certBlocklist: make(map[string]struct{}),
 }
 return &ca
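Review bot: The `l.Warn(...)` deprecation message sits inside the `pki.blacklist` loop, so it is emitted once per configured fingerprint rather than once per config load; hoist it above the loop, e.g. `if fps := c.GetStringSlice("pki.blacklist", []string{}); len(fps) > 0 { l.Warn("pki.blacklist is deprecated ...") }`, and fix the typo `leaast` in the new comment. Separately, both loops hand the raw config string to `CAs.BlocklistFingerprint`, and `IsBlocklisted` does an exact map lookup keyed by `Sha256Sum()` output, so an entry with stray whitespace, uppercase hex or a one-character typo is accepted silently and the certificate it was meant to block keeps verifying — a fail-open for an operator-intended deny. Normalizing with `fp = strings.ToLower(strings.TrimSpace(fp))` and refusing (or at least warning on) entries that are not 64 hex characters would make that mistake visible, assuming Sha256Sum returns lowercase hex as the example config's entry suggests. loadCAFromConfig starts above this hunk.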
@@ -67,24 +67,24 @@ func (ncp *NebulaCAPool) AddCACertificate(pemBytes []byte) ([]byte, error) {
 return pemBytes, nil
 }
-// BlacklistFingerprint adds a cert fingerprint to the blacklist
-func (ncp *NebulaCAPool) BlacklistFingerprint(f string) {
- ncp.certBlacklist[f] = struct{}{}
+// BlocklistFingerprint adds a cert fingerprint to the blocklist
+func (ncp *NebulaCAPool) BlocklistFingerprint(f string) {
+ ncp.certBlocklist[f] = struct{}{}
 }
-// ResetCertBlacklist removes all previously blacklisted cert fingerprints
-func (ncp *NebulaCAPool) ResetCertBlacklist() {
- ncp.certBlacklist = make(map[string]struct{})
+// ResetCertBlocklist removes all previously blocklisted cert fingerprints
+func (ncp *NebulaCAPool) ResetCertBlocklist() {
+ ncp.certBlocklist = make(map[string]struct{})
 }
-// IsBlacklisted returns true if the fingerprint fails to generate or has been explicitly blacklisted
-func (ncp *NebulaCAPool) IsBlacklisted(c *NebulaCertificate) bool {
+// IsBlocklisted returns true if the fingerprint fails to generate or has been explicitly blocklisted
+func (ncp *NebulaCAPool) IsBlocklisted(c *NebulaCertificate) bool {
 h, err := c.Sha256Sum()
 if err != nil {
 return true
 }
- if _, ok := ncp.certBlacklist[h]; ok {
+ if _, ok := ncp.certBlocklist[h]; ok {
 return true
 }
diff --git a/cert/cert.go b/cert/cert.go
index b2d2e0b..fac72f9 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -244,10 +244,10 @@ func (nc *NebulaCertificate) Expired(t time.Time) bool {
 return nc.Details.NotBefore.After(t) || nc.Details.NotAfter.Before(t)
 }
-// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blacklist, etc)
+// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)
 func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error) {
- if ncp.IsBlacklisted(nc) {
- return false, fmt.Errorf("certificate has been blacklisted")
+ if ncp.IsBlocklisted(nc) {
+ return false, fmt.Errorf("certificate has been blocked")
 }
 signer, err := ncp.GetCAForCert(nc)
diff --git a/cert/cert_test.go b/cert/cert_test.go
index 50f53d1..a647c0b 100644
--- a/cert/cert_test.go
+++ b/cert/cert_test.go
@@ -172,13 +172,13 @@ func TestNebulaCertificate_Verify(t *testing.T) {
 f, err := c.Sha256Sum()
 assert.Nil(t, err)
- caPool.BlacklistFingerprint(f)
+ caPool.BlocklistFingerprint(f)
 v, err := c.Verify(time.Now(), caPool)
 assert.False(t, v)
- assert.EqualError(t, err, "certificate has been blacklisted")
+ assert.EqualError(t, err, "certificate has been blocked")
- caPool.ResetCertBlacklist()
+ caPool.ResetCertBlocklist()
 v, err = c.Verify(time.Now(), caPool)
 assert.True(t, v)
 assert.Nil(t, err)
diff --git a/examples/config.yml b/examples/config.yml
index 63f454b..4236c70 100644
--- a/examples/config.yml
+++ b/examples/config.yml
@@ -7,8 +7,8 @@ pki:
 ca: /etc/nebula/ca.crt
 cert: /etc/nebula/host.crt
 key: /etc/nebula/host.key
- #blacklist is a list of certificate fingerprints that we will refuse to talk to
- #blacklist:
+ #blocklist is a list of certificate fingerprints that we will refuse to talk to
+ #blocklist:
 # - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
 # The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).
@@ -64,7 +64,7 @@ lighthouse:
 # the inverse). CIDR rules are matched after interface name rules.
 # Default is all local IP addresses.
 #local_allow_list:
- # Example to blacklist tun0 and all docker interfaces.
+ # Example to block tun0 and all docker interfaces.
 #interfaces:
 #tun0: false
 #'docker.*': false