From 86c2979281d4d87bc55b5203b064af12ec3795c2 Mon Sep 17 00:00:00 2001
From: J08nY
Date: Fri, 18 Aug 2017 16:04:17 +0200
Subject: Check that the sent key is a private key in REST list key PUT.
---
 src/mailman_pgp/rest/lists.py | 8 +++++++-
 src/mailman_pgp/rest/tests/test_lists.py | 17 +++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/mailman_pgp/rest/lists.py b/src/mailman_pgp/rest/lists.py
index 251ed7a..708635f 100644
--- a/src/mailman_pgp/rest/lists.py
+++ b/src/mailman_pgp/rest/lists.py
@@ -186,8 +186,14 @@ class AListKey:
 except (ValueError, PGPError) as error:
 bad_request(response, str(error))
 return
+
+ key = values.pop('key')
+ if key.is_public:
+ bad_request(response, 'Cannot set a public key.')
+ return
+
 with transaction():
- self._mlist.key = values.pop('key')
+ self._mlist.key = key
 accepted(response)
diff --git a/src/mailman_pgp/rest/tests/test_lists.py b/src/mailman_pgp/rest/tests/test_lists.py
index 5d7c6aa..cae3138 100644
--- a/src/mailman_pgp/rest/tests/test_lists.py
+++ b/src/mailman_pgp/rest/tests/test_lists.py
@@ -272,6 +272,23 @@ class TestListKey(TestCase):
 method='PUT')
 self.assertEqual(cm.exception.code, 400)
+ def test_set_list_key_public(self):
+ new_key = load_key('rsa_1024.priv.asc')
+ with self.assertRaises(HTTPError) as cm:
+ call_api('http://localhost:9001/3.1/plugins/pgp/lists/'
+ 'test.example.com/key',
+ data=dict(key=str(new_key.pubkey)),
+ method='PUT')
+
+ self.assertEqual(cm.exception.code, 400)
+
+ json, response = call_api(
+ 'http://localhost:9001/3.1/plugins/pgp/lists/'
+ 'test.example.com/key')
+
+ key, _ = PGPKey.from_blob(json['key'])
+ self.assertEqual(key.fingerprint, self.list_key.fingerprint)
+
 def test_get_list_pubkey(self):
 json, response = call_api(
 'http://localhost:9001/3.1/plugins/pgp/lists/'
-- cgit v1.2.3-70-g09d2
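Review bot: The new guard in the lists.py hunk rejects a public key but still accepts any private key, including a passphrase-protected one, which the list presumably could not use to decrypt or sign unattended. If the validation above the hunk does not already rule that out, add a second check after the `is_public` test: `if key.is_protected:` followed by `bad_request(response, 'Cannot set a protected key.')` and `return`. The enclosing method starts outside the hunk, so how `values['key']` becomes a key object is not visible here. A one-line comment above the check, such as `# The list needs the secret key material to decrypt and sign; refuse a public-only key.`, would record why the request is refused.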
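Review bot: `test_set_list_key_public` asserts only the 400 status, which the same PUT handler also returns from its `except (ValueError, PGPError)` branch, so the test would still pass if the request were rejected by the earlier parsing step rather than by the new `is_public` check. Pinning the message as well ties the test to this branch, for example `self.assertEqual(cm.exception.reason, 'Cannot set a public key.')`, assuming `call_api` surfaces the response body as `reason` (adjust if it is bytes). The follow-up GET that compares fingerprints already covers the important property that the stored list key was not replaced.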