Summary

Add wildcard certificate storage to the file backend.

Review Request #13266 — Created Sept. 7, 2023 and submitted Oct. 1, 2023, 5:26 p.m.

Information

Owner

chipx86

Repository

Review Board

Branch

release-6.x

Bugs

Depends On

Reviewers

Groups

reviewboard

People

Description

This updates the file backend to allow wildcard certificates to be
stored and fetched, and to use them as a fallback if a specific
certificate cannot be found.

Normal certs are now stored in the form of {hostname}__{port}.{ext},
and wildcard certs are stored as __.{hostname}__{port}.{ext}. This
avoids issues with naming a file with a wildcard, and _ is not a valid
character in domains so it's safe to use.

Wildcards are only permitted as the first character in the name.

When fetching a certificate, the backend checks first for an an exact
hostname match. If not found, it checks for a wildcard certificate. The
resulting Certificate object will use the specific hostname, but will
refer to the wildcard storage ID.

Wildcards are not supported nor needed for CA bundles and fingerprints.

There's also no special handling of certificates that list multiple
domains without using wildcards. In this case, administrators should
upload the cert for each hostname they need individually. We don't
expect this will come up much in real usage.

Testing Done

All unit tests pass.

Commits

Summary	ID
Add wildcard certificate storage to the file backend. This updates the file backend to allow wildcard certificates to be stored and fetched, and to use them as a fallback if a specific certificate cannot be found. Normal certs are now stored in the form of `{hostname}__{port}.{ext}`, and wildcard certs are stored as `__.{hostname}__{port}.{ext}`. This avoids issues with naming a file with a wildcard, and `_` is not a valid character in domains so it's safe to use. Wildcards are only permitted as the first character in the name. When fetching a certificate, the backend checks first for an an exact hostname match. If not found, it checks for a wildcard certificate. The resulting `Certificate` object will use the specific hostname, but will refer to the wildcard storage ID. Wildcards are not supported nor needed for CA bundles and fingerprints. There's also no special handling of certificates that list multiple domains without using wildcards. In this case, administrators should upload the cert for each hostname they need individually. We don't expect this will come up much in real usage.	2691715230e4fbefabfddf5df213f66a7692698b

Summary

Add wildcard certificate storage to the file backend.

This updates the file backend to allow wildcard certificates to be stored and fetched, and to use them as a fallback if a specific certificate cannot be found. Normal certs are now stored in the form of `{hostname}__{port}.{ext}`, and wildcard certs are stored as `__.{hostname}__{port}.{ext}`. This avoids issues with naming a file with a wildcard, and `_` is not a valid character in domains so it's safe to use. Wildcards are only permitted as the first character in the name. When fetching a certificate, the backend checks first for an an exact hostname match. If not found, it checks for a wildcard certificate. The resulting `Certificate` object will use the specific hostname, but will refer to the wildcard storage ID. Wildcards are not supported nor needed for CA bundles and fingerprints. There's also no special handling of certificates that list multiple domains without using wildcards. In this case, administrators should upload the cert for each hostname they need individually. We don't expect this will come up much in real usage.

2691715230e4fbefabfddf5df213f66a7692698b

Issues

Description	From	Last Updated
line too long (80 > 79 characters) Column: 80 Error code: E501	reviewbot	Sept. 8, 2023, 4:08 p.m.

flake8 failed.

JSHint passed.

flake8

reviewboard/certs/tests/test_file_storage_backend.py (Diff revision 1)
The issue has been resolved. Show all issues
```
line too long (80 > 79 characters)

Column: 80
Error code: E501
```

Change Summary:

Fixed a line length issue.

Commits:

	Summary	ID
	Add wildcard certificate storage to the file backend. This updates the file backend to allow wildcard certificates to be stored and fetched, and to use them as a fallback if a specific certificate cannot be found. Normal certs are now stored in the form of `{hostname}__{port}.{ext}`, and wildcard certs are stored as `__.{hostname}__{port}.{ext}`. This avoids issues with naming a file with a wildcard, and `_` is not a valid character in domains so it's safe to use. Wildcards are only permitted as the first character in the name. When fetching a certificate, the backend checks first for an an exact hostname match. If not found, it checks for a wildcard certificate. The resulting `Certificate` object will use the specific hostname, but will refer to the wildcard storage ID. Wildcards are not supported nor needed for CA bundles and fingerprints. There's also no special handling of certificates that list multiple domains without using wildcards. In this case, administrators should upload the cert for each hostname they need individually. We don't expect this will come up much in real usage.	c34667b1ecc04a9af7805d2cad36ff15556c46b0
	Add wildcard certificate storage to the file backend. This updates the file backend to allow wildcard certificates to be stored and fetched, and to use them as a fallback if a specific certificate cannot be found. Normal certs are now stored in the form of `{hostname}__{port}.{ext}`, and wildcard certs are stored as `__.{hostname}__{port}.{ext}`. This avoids issues with naming a file with a wildcard, and `_` is not a valid character in domains so it's safe to use. Wildcards are only permitted as the first character in the name. When fetching a certificate, the backend checks first for an an exact hostname match. If not found, it checks for a wildcard certificate. The resulting `Certificate` object will use the specific hostname, but will refer to the wildcard storage ID. Wildcards are not supported nor needed for CA bundles and fingerprints. There's also no special handling of certificates that list multiple domains without using wildcards. In this case, administrators should upload the cert for each hostname they need individually. We don't expect this will come up much in real usage.	2691715230e4fbefabfddf5df213f66a7692698b

Diff:

Revision 2 (+1178 -190)

Show changes

	reviewboard/certs/storage/file_storage.py
	reviewboard/certs/tests/test_file_storage_backend.py
	reviewboard/certs/tests/testdata/file_storage/make-cert.sh
	reviewboard/certs/tests/testdata/file_storage/certs/__.eng.example.com__443.key
	reviewboard/certs/tests/testdata/file_storage/certs/__.eng.example.com__443.crt
	reviewboard/certs/tests/testdata/file_storage/certs/ldap.example.com_636.key
	reviewboard/certs/tests/testdata/file_storage/certs/ldap.example.com_636.crt
	reviewboard/certs/tests/testdata/file_storage/certs/reviewboard.eng.example.com__443.key
	15 more

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Status: Closed (submitted)

Change Summary:

Pushed to release-6.x (f5957b2)