Index: tools/origin_trials/generate_token.py |
diff --git a/tools/origin_trials/generate_token.py b/tools/origin_trials/generate_token.py |
index a79f169234b01b78da36485504799b2302ae6c1a..f1c07a9d60bde1ee304d72f264297d375b8d0e26 100755 |
--- a/tools/origin_trials/generate_token.py |
+++ b/tools/origin_trials/generate_token.py |
@@ -86,6 +86,24 @@ def ExpiryFromArgs(args): |
return int(args.expire_timestamp) |
return (int(time.time()) + (int(args.expire_days) * 86400)) |
+def ValidateSubdomainTokenOrigin(origin): |
+ """ Calls validate_subdomain_origin utility to check the origin |
+ |
+ If the utility is not found, prints a warning for manual validation, and |
+ returns True |
+ """ |
+ utility_path = "bin/validate_subdomain_origin" |
iclelland
2016/11/02 15:25:47
How does this utility end up in a bin/ directory?
chasej
2016/11/03 19:23:39
I forgot to add instructions, but I just used a sy
|
+ if not os.path.exists(utility_path): |
+ print "WARNING!" |
+ print "Origin not validated for use in subdomain token" |
+ print " (missing '%s' utility)" % utility_path |
+ print "Must manually check origin against the Public Suffix List" |
+ return True |
+ |
+ rc = os.system("%s %s >/dev/null 2>&1" % (utility_path, origin)) |
+ return rc == 0 |
iclelland
2016/11/02 15:25:47
It is also possible for other non-zero status to b
chasej
2016/11/03 19:23:39
Done.
|
+ |
def GenerateTokenData(origin, is_subdomain, feature_name, expiry): |
data = {"origin": origin, |
"feature": feature_name, |
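Review bot: The `os.system` call in ValidateSubdomainTokenOrigin interpolates `origin` into a shell command string, so spaces or shell metacharacters in the origin argument are interpreted by the shell instead of reaching the utility as a single argument. Passing an argument vector avoids the shell entirely: `rc = subprocess.call([utility_path, origin], stdout=devnull, stderr=devnull)` with `devnull = open(os.devnull, "w")` opened beforehand. This needs `import subprocess`, and the file's import block is outside the hunk, so check whether it is already imported. A one-line comment above the call, such as `# origin is operator-supplied; never pass it through a shell`, would keep the reason visible to later editors.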
@@ -159,6 +177,12 @@ def main(): |
print("Unable to use the specified private key file.") |
sys.exit(1) |
+ # For subdomain tokens, validate that the origin is allowed |
+ if args.is_subdomain: |
+ if not ValidateSubdomainTokenOrigin(args.origin): |
+ print "The specified origin is not valid for use in a subdomain token." |
+ sys.exit(1) |
+ |
token_data = GenerateTokenData(args.origin, args.is_subdomain, |
args.trial_name, expiry) |
data_to_sign = GenerateDataToSign(VERSION, token_data) |
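Review bot: The check added in main() fails open, because ValidateSubdomainTokenOrigin returns True when the utility is missing, so a subdomain token is signed for an origin that was never checked against the Public Suffix List. The only trace is a warning on stdout, and it appears before the token is generated. Returning a distinct "not checked" result (for example `None`) would let main() tell "validated" from "skipped", and then either stop or require the operator to confirm explicitly before signing. As a smaller style point, the new `print "..."` statement differs from the `print("...")` form on the context line just above it. main() starts before this hunk and continues past it, so any existing confirmation step is not visible here.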