
Use inclusive terminology for cert blocking (#272)

forfuncsake 5 years ago
parent
commit
25964b54f6
5 changed files with 29 additions and 23 deletions
  1. 9 3
      cert.go
  2. 11 11
      cert/ca.go
  3. 3 3
      cert/cert.go
  4. 3 3
      cert/cert_test.go
  5. 3 3
      examples/config.yml

+ 9 - 3
cert.go

@@ -149,10 +149,16 @@ func loadCAFromConfig(c *Config) (*cert.NebulaCAPool, error) {
 		return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
 	}
 
-	// pki.blacklist entered the scene at about the same time we aliased x509 to pki, not supporting backwards compat
+	for _, fp := range c.GetStringSlice("pki.blocklist", []string{}) {
+		l.WithField("fingerprint", fp).Infof("Blocklisting cert")
+		CAs.BlocklistFingerprint(fp)
+	}
+
+	// Support deprecated config for at leaast one minor release to allow for migrations
 	for _, fp := range c.GetStringSlice("pki.blacklist", []string{}) {
-		l.WithField("fingerprint", fp).Infof("Blacklisting cert")
-		CAs.BlacklistFingerprint(fp)
+		l.WithField("fingerprint", fp).Infof("Blocklisting cert")
+		l.Warn("pki.blacklist is deprecated and will not be supported in a future release. Please migrate your config to use pki.blocklist")
+		CAs.BlocklistFingerprint(fp)
 	}
 
 	return CAs, nil
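Review bot: The deprecation warning on the `l.Warn("pki.blacklist is deprecated ...")` line sits inside the `pki.blacklist` loop, so it is emitted once per listed fingerprint rather than once per config load; hoisting it ahead of the loop, e.g. `if fps := c.GetStringSlice("pki.blacklist", []string{}); len(fps) > 0 { l.Warn(...) }`, keeps the log readable for operators migrating a long list. The comment above that loop also has a typo: `at leaast` should read `at least`. Both loops pass the configured string straight to `CAs.BlocklistFingerprint`, and since `IsBlocklisted` (cert/ca.go in this commit) looks the value up by exact map key, a fingerprint entered with different hex case or stray whitespace would presumably never match and the cert would not be blocked; normalising with `strings.ToLower(strings.TrimSpace(fp))` at load time, or rejecting entries that are not valid hex, is worth confirming against the `Sha256Sum` output format. loadCAFromConfig's opening and closing braces lie outside the hunk.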

+ 11 - 11
cert/ca.go

@@ -8,14 +8,14 @@ import (
 
 type NebulaCAPool struct {
 	CAs           map[string]*NebulaCertificate
-	certBlacklist map[string]struct{}
+	certBlocklist map[string]struct{}
 }
 
 // NewCAPool creates a CAPool
 func NewCAPool() *NebulaCAPool {
 	ca := NebulaCAPool{
 		CAs:           make(map[string]*NebulaCertificate),
-		certBlacklist: make(map[string]struct{}),
+		certBlocklist: make(map[string]struct{}),
 	}
 
 	return &ca
@@ -67,24 +67,24 @@ func (ncp *NebulaCAPool) AddCACertificate(pemBytes []byte) ([]byte, error) {
 	return pemBytes, nil
 }
 
-// BlacklistFingerprint adds a cert fingerprint to the blacklist
-func (ncp *NebulaCAPool) BlacklistFingerprint(f string) {
-	ncp.certBlacklist[f] = struct{}{}
+// BlocklistFingerprint adds a cert fingerprint to the blocklist
+func (ncp *NebulaCAPool) BlocklistFingerprint(f string) {
+	ncp.certBlocklist[f] = struct{}{}
 }
 
-// ResetCertBlacklist removes all previously blacklisted cert fingerprints
-func (ncp *NebulaCAPool) ResetCertBlacklist() {
-	ncp.certBlacklist = make(map[string]struct{})
+// ResetCertBlocklist removes all previously blocklisted cert fingerprints
+func (ncp *NebulaCAPool) ResetCertBlocklist() {
+	ncp.certBlocklist = make(map[string]struct{})
 }
 
-// IsBlacklisted returns true if the fingerprint fails to generate or has been explicitly blacklisted
-func (ncp *NebulaCAPool) IsBlacklisted(c *NebulaCertificate) bool {
+// IsBlocklisted returns true if the fingerprint fails to generate or has been explicitly blocklisted
+func (ncp *NebulaCAPool) IsBlocklisted(c *NebulaCertificate) bool {
 	h, err := c.Sha256Sum()
 	if err != nil {
 		return true
 	}
 
-	if _, ok := ncp.certBlacklist[h]; ok {
+	if _, ok := ncp.certBlocklist[h]; ok {
 		return true
 	}
 

+ 3 - 3
cert/cert.go

@@ -244,10 +244,10 @@ func (nc *NebulaCertificate) Expired(t time.Time) bool {
 	return nc.Details.NotBefore.After(t) || nc.Details.NotAfter.Before(t)
 }
 
-// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blacklist, etc)
+// Verify will ensure a certificate is good in all respects (expiry, group membership, signature, cert blocklist, etc)
 func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error) {
-	if ncp.IsBlacklisted(nc) {
-		return false, fmt.Errorf("certificate has been blacklisted")
+	if ncp.IsBlocklisted(nc) {
+		return false, fmt.Errorf("certificate has been blocked")
 	}
 
 	signer, err := ncp.GetCAForCert(nc)
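Review bot: The error on the `return false, fmt.Errorf("certificate has been blocked")` line is a constant message built with fmt.Errorf, and the updated test in cert/cert_test.go pins it with assert.EqualError, so any caller that needs to tell a blocked cert apart from other verification failures has to match on message text, and this commit's wording change is a silent break for such callers. Declaring a package-level sentinel, `var ErrCertBlocked = errors.New("certificate has been blocked")`, and returning it here would let callers use `errors.Is(err, ErrCertBlocked)` while keeping the message; that needs `errors` imported in cert/cert.go, which the hunk does not show. Verify's body continues past the hunk.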

+ 3 - 3
cert/cert_test.go

@@ -172,13 +172,13 @@ func TestNebulaCertificate_Verify(t *testing.T) {
 
 	f, err := c.Sha256Sum()
 	assert.Nil(t, err)
-	caPool.BlacklistFingerprint(f)
+	caPool.BlocklistFingerprint(f)
 
 	v, err := c.Verify(time.Now(), caPool)
 	assert.False(t, v)
-	assert.EqualError(t, err, "certificate has been blacklisted")
+	assert.EqualError(t, err, "certificate has been blocked")
 
-	caPool.ResetCertBlacklist()
+	caPool.ResetCertBlocklist()
 	v, err = c.Verify(time.Now(), caPool)
 	assert.True(t, v)
 	assert.Nil(t, err)

+ 3 - 3
examples/config.yml

@@ -7,8 +7,8 @@ pki:
   ca: /etc/nebula/ca.crt
   cert: /etc/nebula/host.crt
   key: /etc/nebula/host.key
-  #blacklist is a list of certificate fingerprints that we will refuse to talk to
-  #blacklist:
+  #blocklist is a list of certificate fingerprints that we will refuse to talk to
+  #blocklist:
   #  - c99d4e650533b92061b09918e838a5a0a6aaee21eed1d12fd937682865936c72
 
 # The static host map defines a set of hosts with fixed IP addresses on the internet (or any network).
@@ -64,7 +64,7 @@ lighthouse:
   # the inverse). CIDR rules are matched after interface name rules.
   # Default is all local IP addresses.
   #local_allow_list:
-    # Example to blacklist tun0 and all docker interfaces.
+    # Example to block tun0 and all docker interfaces.
     #interfaces:
       #tun0: false
       #'docker.*': false