Add domain policy rules to request validation

G-Research · Aug 27, 2024 · 7d7a911 · 7d7a911
1 parent 8c103db
commit 7d7a911
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/app/controllers/certificates_controller.rb b/app/controllers/certificates_controller.rb
@@ -8,6 +8,7 @@ def create
     end
     result = IssueCert.call(request: req)
     if result.success?
+      # TODO use jbuilder to make the json
       render json: result.cert
     else
       raise StandardError.new result.message

diff --git a/app/models/cert_issue_request.rb b/app/models/cert_issue_request.rb
@@ -22,9 +22,22 @@ class CertIssueRequest
   validates :common_name, presence: true
   validates :format, presence: true, inclusion: { in: %w[pem der pem_bundle] }
   validates :private_key_format, presence: true, inclusion: { in: %w[pem der pkcs8] }
-
+  validates :ttl, numericality: {
+              less_than_or_equal_to: Rails.configuration.astral[:cert_ttl],
+              greater_than: 0
+            }
+  validate :validate_no_wildcards
 
   def fqdns
     alt_names + [ common_name ]
   end
+
+  def validate_no_wildcards
+    if common_name.present?
+      errors.add(:common_name, "cannot be a wildcard") if common_name.start_with? "*"
+    end
+    alt_names.each do |fqdn|
+      errors.add(:alt_names, "cannot include a wildcard") if fqdn.start_with? "*"
+    end
+  end
 end