From cd90384651c42c4469c174ac0c2cd831ce5c1433 Mon Sep 17 00:00:00 2001
From: Frantisek Tobias
Date: Wed, 28 Aug 2024 09:14:14 +0200
Subject: [PATCH] datamodel/types: fix check for base64 encoded sha256 pin sha256 were used and tested for in incorrect format, refer to: https://www.rfc-editor.org/rfc/rfc7469#section-2.1.5
---
 etc/config/config.dev.yaml | 5 +++--
 .../knot_resolver_manager/datamodel/types/types.py | 2 +-
 .../manager/datamodel/templates/test_common_macros.py | 2 +-
 tests/manager/datamodel/types/test_custom_types.py | 11 ++++++-----
 4 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/etc/config/config.dev.yaml b/etc/config/config.dev.yaml
index ef25a37ae..1ceddfb38 100644
--- a/etc/config/config.dev.yaml
+++ b/etc/config/config.dev.yaml
@@ -64,9 +64,10 @@ forward:
 transport: tls
 hostname: odvr.nic.cz
 - address: [ 192.0.2.1, 192.0.2.2 ]
+ transport: tls
 pin-sha256:
- - YmE3ODE2YmY4ZjAx+2ZlYTQxNDE0MGRlNWRhZTIyMjNiMDAzNjFhMzk/MTc3YTljYjQxMGZmNjFmMjAwMTVhZA==
- - OTJmODU3ZDMyOWMwOWNlNTU4Y2M0YWNjMjI5NWE2NWJlMzY4MzRmMzY3NGU3NDAwNTI1YjMxZTMxYTgzMzQwMQ==
+ - d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=
+ - E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=
 - subtree: 1.168.192.in-addr.arpa
 options:
 dnssec: false
diff --git a/manager/knot_resolver_manager/datamodel/types/types.py b/manager/knot_resolver_manager/datamodel/types/types.py
index fa0d2793d..d9a0b9105 100644
--- a/manager/knot_resolver_manager/datamodel/types/types.py
+++ b/manager/knot_resolver_manager/datamodel/types/types.py
@@ -195,7 +195,7 @@ class PinSha256(PatternBase):
 A string that stores base64 encoded sha256.
 """
- _re = re.compile(r"^[A-Za-z\d+/]{86}==$")
+ _re = re.compile(r"^[A-Za-z\d+/]{43}=$")
 class InterfacePort(StrBase):
diff --git a/tests/manager/datamodel/templates/test_common_macros.py b/tests/manager/datamodel/templates/test_common_macros.py
index 0e794fce6..e64b278fd 100644
--- a/tests/manager/datamodel/templates/test_common_macros.py
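Review bot: The new pattern `^[A-Za-z\d+/]{43}=$` in `PinSha256` still accepts strings that are not a base64-encoded SHA-256 pin. In a Python `str` pattern `\d` matches any Unicode decimal digit, and `$` also matches just before a trailing newline, so if `PatternBase` checks with `match`/`search` rather than `fullmatch` (not visible in this hunk) a value ending in a newline would validate; `_re = re.compile(r"^[A-Za-z0-9+/]{43}=\Z")` closes both. The length-only check also admits non-canonical final characters, so a stricter validator would decode the value with `base64.b64decode(value, validate=True)` and require exactly 32 bytes. The `PinSha256` class starts above the hunk.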
+++ b/tests/manager/datamodel/templates/test_common_macros.py
@@ -75,7 +75,7 @@ def test_tls_servers_table():
 ForwardServerSchema(
 {
 "address": "192.0.2.1",
- "pin-sha256": "OTJmODU3ZDMyOWMwOWNlNTU4Y2M0YWNjMjI5NWE2NWJlMzY4MzRmMzY3NGU3NDAwNTI1YjMxZTMxYTgzMzQwMQ==",
+ "pin-sha256": "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=",
 }
 ),
 ]
diff --git a/tests/manager/datamodel/types/test_custom_types.py b/tests/manager/datamodel/types/test_custom_types.py
index 5eebef3a0..c82779c88 100644
--- a/tests/manager/datamodel/types/test_custom_types.py
+++ b/tests/manager/datamodel/types/test_custom_types.py
@@ -97,8 +97,8 @@ def test_checked_path():
 @pytest.mark.parametrize(
 "val",
 [
- "YmE3ODE2YmY4ZjAx+2ZlYTQxNDE0MGRlNWRhZTIyMjNiMDAzNjFhMzk/MTc3YTljYjQxMGZmNjFmMjAwMTVhZA==",
- "OTJmODU3ZDMyOWMwOWNlNTU4Y2M0YWNjMjI5NWE2NWJlMzY4MzRmMzY3NGU3NDAwNTI1YjMxZTMxYTgzMzQwMQ==",
+ "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=",
+ "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=",
 ],
 )
 def test_pin_sha256_valid(val: str):
@@ -109,9 +109,10 @@ def test_pin_sha256_valid(val: str):
 @pytest.mark.parametrize(
 "val",
 [
- "!YmE3ODE2YmY4ZjAxY2ZlYTQxNDE0MGRlNWRhZTIyMjNiMDAzNjFhMzk2MTc3YTljjQxMGZmNjFmMjAwMTVhZA==",
- "OTJmODU3ZDMyOWMwOWNlNTU4Y2M0YWNjMjI5NWE2NWJlMzY4MzRmMzY3NGU3NDAwNTI1YjMxZTMxYTgzMzQwMQ",
- "YmFzZTY0IQ",
+ "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM==",
+ "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g",
+ "!E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=",
+ "d6qzRu9zOE",
 ],
 )
 def test_pin_sha256_invalid(val: str):
--
2.47.3
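Review bot: The parametrized values for `test_pin_sha256_invalid` do not cover the inputs a length-based regex is most likely to let through. They exercise doubled padding, a missing `=`, a leading `!` and a short string, but not a trailing newline or the URL-safe alphabet; consider adding `"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\n",` and `"E9CZ9INDbd-2eRQozYqqbQ2yXLVKB9-xcprMF-44U1g=",` (both constructed from the valid samples in this file). Keeping one of the old 88-character values as an explicit invalid case would also guard against the previous format being reintroduced unnoticed. The body of the test function lies outside the hunk.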