Use inclusive terminology for cert blocking (#272)
22
cert/ca.go
22
cert/ca.go
@ -8,14 +8,14 @@ import (
|
||||
|
||||
type NebulaCAPool struct {
|
||||
CAs map[string]*NebulaCertificate
|
||||
certBlacklist map[string]struct{}
|
||||
certBlocklist map[string]struct{}
|
||||
}
|
||||
|
||||
// NewCAPool creates a CAPool
|
||||
func NewCAPool() *NebulaCAPool {
|
||||
ca := NebulaCAPool{
|
||||
CAs: make(map[string]*NebulaCertificate),
|
||||
certBlacklist: make(map[string]struct{}),
|
||||
certBlocklist: make(map[string]struct{}),
|
||||
}
|
||||
|
||||
return &ca
|
||||
@ -67,24 +67,24 @@ func (ncp *NebulaCAPool) AddCACertificate(pemBytes []byte) ([]byte, error) {
|
||||
return pemBytes, nil
|
||||
}
|
||||
|
||||
// BlacklistFingerprint adds a cert fingerprint to the blacklist
|
||||
func (ncp *NebulaCAPool) BlacklistFingerprint(f string) {
|
||||
ncp.certBlacklist[f] = struct{}{}
|
||||
// BlocklistFingerprint adds a cert fingerprint to the blocklist
|
||||
func (ncp *NebulaCAPool) BlocklistFingerprint(f string) {
|
||||
ncp.certBlocklist[f] = struct{}{}
|
||||
}
|
||||
|
||||
// ResetCertBlacklist removes all previously blacklisted cert fingerprints
|
||||
func (ncp *NebulaCAPool) ResetCertBlacklist() {
|
||||
ncp.certBlacklist = make(map[string]struct{})
|
||||
// ResetCertBlocklist removes all previously blocklisted cert fingerprints
|
||||
func (ncp *NebulaCAPool) ResetCertBlocklist() {
|
||||
ncp.certBlocklist = make(map[string]struct{})
|
||||
}
|
||||
|
||||
// IsBlacklisted returns true if the fingerprint fails to generate or has been explicitly blacklisted
|
||||
func (ncp *NebulaCAPool) IsBlacklisted(c *NebulaCertificate) bool {
|
||||
// IsBlocklisted returns true if the fingerprint fails to generate or has been explicitly blocklisted
|
||||
func (ncp *NebulaCAPool) IsBlocklisted(c *NebulaCertificate) bool {
|
||||
h, err := c.Sha256Sum()
|
||||
if err != nil {
|
||||
return true
|
||||
}
|
||||
|
||||
if _, ok := ncp.certBlacklist[h]; ok {
|
||||
if _, ok := ncp.certBlocklist[h]; ok {
|
||||
return true
|
||||
}
|
||||
|
||||
|
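Review bot: The renamed exported methods `BlocklistFingerprint`, `ResetCertBlocklist` and `IsBlocklisted` replace the old names outright, so any importer of the cert package outside this repository that still calls `BlacklistFingerprint`, `ResetCertBlacklist` or `IsBlacklisted` stops compiling; if external use matters, keep thin forwarding wrappers for one release, each marked `// Deprecated: use BlocklistFingerprint instead.` (and likewise for the other two). The same compatibility concern applies to the Verify hunk further down, where the returned message changes from "certificate has been blacklisted" to "certificate has been blocked": callers that match on the error text break silently, and a package-level sentinel such as `var ErrCertBlocked = errors.New("certificate has been blocked")` returned from Verify would let them use `errors.Is` instead (add the `errors` import if the file does not already have it). Worth keeping as written is that IsBlocklisted still returns true when Sha256Sum fails, so a certificate whose fingerprint cannot be computed is rejected rather than admitted; note that the body of IsBlocklisted continues past the end of this hunk, as does Verify's in the later one.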
@ -244,10 +244,10 @@ func (nc *NebulaCertificate) Expired(t time.Time) bool {
|
||||
return nc.Details.NotBefore.After(t) || nc.Details.NotAfter.Before(t)
|
||||
}
|
||||
|
||||
// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blacklist, etc)
|
||||
// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)
|
||||
func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error) {
|
||||
if ncp.IsBlacklisted(nc) {
|
||||
return false, fmt.Errorf("certificate has been blacklisted")
|
||||
if ncp.IsBlocklisted(nc) {
|
||||
return false, fmt.Errorf("certificate has been blocked")
|
||||
}
|
||||
|
||||
signer, err := ncp.GetCAForCert(nc)
|
||||
|
@ -172,13 +172,13 @@ func TestNebulaCertificate_Verify(t *testing.T) {
|
||||
|
||||
f, err := c.Sha256Sum()
|
||||
assert.Nil(t, err)
|
||||
caPool.BlacklistFingerprint(f)
|
||||
caPool.BlocklistFingerprint(f)
|
||||
|
||||
v, err := c.Verify(time.Now(), caPool)
|
||||
assert.False(t, v)
|
||||
assert.EqualError(t, err, "certificate has been blacklisted")
|
||||
assert.EqualError(t, err, "certificate has been blocked")
|
||||
|
||||
caPool.ResetCertBlacklist()
|
||||
caPool.ResetCertBlocklist()
|
||||
v, err = c.Verify(time.Now(), caPool)
|
||||
assert.True(t, v)
|
||||
assert.Nil(t, err)
|
||||
|