in cmd/gcp-controller-manager/istiod_csr_approver.go [27:66]
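// handle decides whether to approve, deny, or ignore a single CSR addressed
// to the istiod signer. It returns nil both when the CSR is not ours and
// after a decision has been recorded; a non-nil error only comes from
// a.approve / a.deny.
//
// Ignored (nil, no decision):
//   - CSRs for any other signer name
//   - CSRs that already carry an Approved or Denied condition
//
// Denied, in this order:
//   - requester is not the istiod service account (or an "istiod-*" one) in istio-system
//   - key usages are not exactly {keyEncipherment, digitalSignature, serverAuth}
//   - the PEM/ASN.1 request does not parse
//   - any URI, email or IP SAN is present
//   - a non-empty CN that differs from the requesting username
//   - a DNS SAN set rejected by a.validDomainNames
//
// The requester identity is checked before the request body is parsed, so a
// principal outside the allow-list never reaches the parser or the content
// checks, and its deny reason reveals nothing about content validation.
func (a *istiodApprover) handle(csr *capi.CertificateSigningRequest) error {
	if csr.Spec.SignerName != istiodSignerName {
		return nil
	}
	if approved, denied := certificates.GetCertApprovalCondition(&csr.Status); approved || denied {
		return nil
	}

	// Authorization first. csr.Spec.Username is set by the API server from the
	// authenticated identity that created the object, so it can be trusted,
	// unlike the attacker-controlled bytes in csr.Spec.Request. The prefix form
	// admits any service account in istio-system whose name starts with
	// "istiod-" (revisioned control planes); narrowing it is an operator policy.
	const istiodSA = "system:serviceaccount:istio-system:istiod"
	if u := csr.Spec.Username; u != istiodSA && !strings.HasPrefix(u, istiodSA+"-") {
		return a.deny(csr, "permission denied")
	}

	// The usage set must match exactly: a superset (e.g. adding clientAuth) is
	// rejected, not only a subset, so the issued cert stays a pure serving cert.
	if !hasExactUsages(csr, []capi.KeyUsage{
		capi.UsageKeyEncipherment,
		capi.UsageDigitalSignature,
		capi.UsageServerAuth,
	}) {
		return a.deny(csr, "disallowed usages requested")
	}

	x509cr, err := certutil.ParseCSR(csr.Spec.Request)
	if err != nil {
		return a.deny(csr, "unable to parse csr")
	}

	// Only DNS SANs are allowed through (and they are vetted below); URI, email
	// and IP SANs are rejected outright. Presumably this keeps an istiod serving
	// cert from claiming a URI-based workload identity — verify against the signer.
	if len(x509cr.URIs) != 0 || len(x509cr.EmailAddresses) != 0 || len(x509cr.IPAddresses) != 0 {
		return a.deny(csr, "disallowed sans requested")
	}

	// An empty CN is tolerated; a non-empty one must name the requester itself.
	// NOTE(review): other Subject fields (O, OU, ...) are not inspected here;
	// whether they are copied into the issued cert depends on the signer.
	if cn := x509cr.Subject.CommonName; cn != "" && cn != csr.Spec.Username {
		return a.deny(csr, "bad common name")
	}

	// NOTE(review): the CSR public key's algorithm and size are not checked by
	// this approver — confirm the signer enforces a minimum, or add a check.
	if !a.validDomainNames(x509cr.DNSNames) {
		return a.deny(csr, "bad dns name")
	}
	return a.approve(csr)
}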