Fix vault plugin

lemur/constants.py

@@ -46,6 +46,95 @@
                    r"@([-!#-'*+/-9=?A-Z^-~]+(\.[-!#-'*+/-9=?A-Z^-~]+)*|\[[\t -Z^-~]*])")
 EMAIL_RE_HELP = "Comma delimited list of email addresses"
 
+# https://github.com/python-validators/validators/blob/0.20.6/validators/url.py
+URL_RE_ip_middle_octet = r"(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5]))"
+URL_RE_ip_last_octet = r"(?:\.(?:0|[1-9]\d?|1\d\d|2[0-4]\d|25[0-5]))"
+
+URL_RE = re.compile(  # noqa: W605
+    r"^"
+    # protocol identifier
+    r"(?:(?:https?|ftp)://)"
+    # user:pass authentication
+    r"(?:[-a-z\u00a1-\uffff0-9._~%!$&'()*+,;=:]+"
+    r"(?::[-a-z0-9._~%!$&'()*+,;=:]*)?@)?"
+    r"(?:"
+    r"(?P<private_ip>"
+    # IP address exclusion
+    # private & local networks
+    r"(?:(?:10|127)" + URL_RE_ip_middle_octet + r"{2}" + URL_RE_ip_last_octet + r")|"
+    r"(?:(?:169\.254|192\.168)" + URL_RE_ip_middle_octet + URL_RE_ip_last_octet + r")|"
+    r"(?:172\.(?:1[6-9]|2\d|3[0-1])" + URL_RE_ip_middle_octet + URL_RE_ip_last_octet + r"))"
+    r"|"
+    # private & local hosts
+    r"(?P<private_host>"
+    r"(?:localhost))"
+    r"|"
+    # IP address dotted notation octets
+    # excludes loopback network 0.0.0.0
+    # excludes reserved space >= 224.0.0.0
+    # excludes network & broadcast addresses
+    # (first & last IP address of each class)
+    r"(?P<public_ip>"
+    r"(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])"
+    r"" + URL_RE_ip_middle_octet + r"{2}"
+    r"" + URL_RE_ip_last_octet + r")"
+    r"|"
+    # IPv6 RegEx from https://stackoverflow.com/a/17871737
+    r"\[("
+    # 1:2:3:4:5:6:7:8
+    r"([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|"
+    # 1::                              1:2:3:4:5:6:7::
+    r"([0-9a-fA-F]{1,4}:){1,7}:|"
+    # 1::8             1:2:3:4:5:6::8  1:2:3:4:5:6::8
+    r"([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|"
+    # 1::7:8           1:2:3:4:5::7:8  1:2:3:4:5::8
+    r"([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|"
+    # 1::6:7:8         1:2:3:4::6:7:8  1:2:3:4::8
+    r"([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|"
+    # 1::5:6:7:8       1:2:3::5:6:7:8  1:2:3::8
+    r"([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|"
+    # 1::4:5:6:7:8     1:2::4:5:6:7:8  1:2::8
+    r"([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|"
+    # 1::3:4:5:6:7:8   1::3:4:5:6:7:8  1::8
+    r"[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|"
+    # ::2:3:4:5:6:7:8  ::2:3:4:5:6:7:8 ::8       ::
+    r":((:[0-9a-fA-F]{1,4}){1,7}|:)|"
+    # fe80::7:8%eth0   fe80::7:8%1
+    # (link-local IPv6 addresses with zone index)
+    r"fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|"
+    r"::(ffff(:0{1,4}){0,1}:){0,1}"
+    r"((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}"
+    # ::255.255.255.255   ::ffff:255.255.255.255  ::ffff:0:255.255.255.255
+    # (IPv4-mapped IPv6 addresses and IPv4-translated addresses)
+    r"(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|"
+    r"([0-9a-fA-F]{1,4}:){1,4}:"
+    r"((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}"
+    # 2001:db8:3:4::192.0.2.33  64:ff9b::192.0.2.33
+    # (IPv4-Embedded IPv6 Address)
+    r"(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])"
+    r")\]|"
+    # host name
+    r"(?:(?:(?:xn--[-]{0,2})|[a-z\u00a1-\uffff\U00010000-\U0010ffff0-9]-?)*"
+    r"[a-z\u00a1-\uffff\U00010000-\U0010ffff0-9]+)"
+    # domain name
+    r"(?:\.(?:(?:xn--[-]{0,2})|[a-z\u00a1-\uffff\U00010000-\U0010ffff0-9]-?)*"
+    r"[a-z\u00a1-\uffff\U00010000-\U0010ffff0-9]+)*"
+    # TLD identifier
+    r"(?:\.(?:(?:xn--[-]{0,2}[a-z\u00a1-\uffff\U00010000-\U0010ffff0-9]{2,})|"
+    r"[a-z\u00a1-\uffff\U00010000-\U0010ffff]{2,}))"
+    r")"
+    # port number
+    r"(?::\d{2,5})?"
+    # resource path
+    r"(?:/[-a-z\u00a1-\uffff\U00010000-\U0010ffff0-9._~%!$&'()*+,;=:@/]*)?"
+    # query string
+    r"(?:\?\S*)?"
+    # fragment
+    r"(?:#\S*)?"
+    r"$",
+    re.UNICODE | re.IGNORECASE
+)
+
 
 # As per RFC 5280 section 5.3.1 (https://tools.ietf.org/html/rfc5280#section-5.3.1)
 class CRLReason(IntEnum):

lemur/plugins/lemur_vault_dest/plugin.py

@@ -16,7 +16,7 @@
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from flask import current_app
-from validators.url import url
+from lemur.constants import URL_RE
 
 from lemur.common.defaults import common_name, country, state, location, organizational_unit, organization
 from lemur.common.utils import parse_certificate, check_validation
@@ -39,7 +39,7 @@ class VaultSourcePlugin(SourcePlugin):
             "name": "vaultUrl",
             "type": "str",
             "required": True,
-            "validation": url,
+            "validation": URL_RE,
             "helpMessage": "Valid URL to Hashi Vault instance",
         },
         {
@@ -166,7 +166,7 @@ class VaultDestinationPlugin(DestinationPlugin):
             "name": "vaultUrl",
             "type": "str",
             "required": True,
-            "validation": url,
+            "validation": URL_RE,
             "helpMessage": "Valid URL to Hashi Vault instance",
         },
         {

lemur/plugins/lemur_vault_dest/tests/conftest.py

@@ -1 +1,10 @@
 from lemur.tests.conftest import *  # noqa
+
+
+@pytest.fixture
+def vault_source_plugin():
+    from lemur.plugins.base import register
+    from lemur.plugins.lemur_vault_dest.tests.plugin import TestSourcePlugin
+
+    register(TestSourcePlugin)
+    return TestSourcePlugin

lemur/plugins/lemur_vault_dest/tests/plugin.py

@@ -0,0 +1,96 @@
+from validators.url import url
+from lemur.plugins.bases import SourcePlugin
+import pytest
+
+
+class TestSourcePlugin(SourcePlugin):
+    title = "Test"
+    slug = "test-source"
+    description = "Enables testing"
+
+    author = "Test"
+    author_url = "https://github.com/netflix/lemur.git"
+
+    options = [
+        {
+            "name": "vaultUrl",
+            "type": "str",
+            "required": True,
+            "validation": url,
+            "helpMessage": "Valid URL to Hashi Vault instance",
+        },
+    ]
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    def get_certificates(self):
+        return
+
+    def update_endpoint(self, endpoint, certificate):
+        return
+
+
+def test_plugin_input_schema_invalid_url_validator(vault_source_plugin):
+    from lemur.schemas import PluginInputSchema
+
+    input_data = {
+        "description": "Enables testing",
+        "slug": "test-source",
+        "title": "Test",
+        "plugin_options": [
+            {
+                "name": "vaultUrl",
+                "value": "https://vault.example.com",
+            },
+        ],
+    }
+
+    with pytest.raises(TypeError):
+        data, errors = PluginInputSchema().load(input_data)
+
+
+def test_vault_plugin_input_schema(session):
+    from lemur.schemas import PluginInputSchema
+
+    input_data = {
+        "description": "Discovers all certificates in a given path",
+        "slug": "vault-source",
+        "title": "Test",
+        "plugin_options": [
+            {
+                "name": "vaultUrl",
+                "value": "https://vault.example.com",
+            },
+            {
+                "name": "vaultKvApiVersion",
+                "value": "2",
+            },
+            {
+                "name": "authenticationMethod",
+                "value": "token",
+            },
+            {
+                "name": "tokenFileOrVaultRole",
+                "value": "/path/file",
+            },
+            {
+                "name": "vaultMount",
+                "value": "mount",
+            },
+            {
+                "name": "vaultPath",
+                "value": "path/",
+            },
+            {
+                "name": "objectName",
+                "value": "name",
+            },
+        ],
+    }
+
+    data, errors = PluginInputSchema().load(input_data)
+
+    assert not errors
+    assert data
+    assert "plugin_object" in data