Require self-signed user IDs when publishing certs in a WKD.

- Fixes #449.
2024-11-27 11:36:32 +01:00 · 2024-11-27 11:36:32 +01:00 · 1c6bf5d6fd
commit 1c6bf5d6fd
parent 7b2be4d93c
1 changed files with 26 additions and 2 deletions
--- a/src/commands/network.rs
+++ b/src/commands/network.rs
@ -1268,8 +1268,32 @@ pub fn dispatch_wkd(mut sq: Sq, c: cli::network::wkd::Command)
                return Err(anyhow::anyhow!("Failed to resolve certificates"));
            }
-            let mut insert = BTreeMap::from_iter(
+            let mut skipping = Vec::new();
-                insert.into_iter().map(|c| (c.fingerprint(), c)));
+            let mut insert: BTreeMap<_, _> = insert.into_iter()
                .filter(|cert| {
                    if ! cert.with_policy(sq.policy, sq.time)
                        .ok()
                        .map(|vc| vc.userids().any(
                            |u| u.userid().email2().ok().flatten().map(
                                |a| a.ends_with(&c.domain))
                                .unwrap_or(false)))
                        .unwrap_or(false)
                    {
                        skipping.push(cert.fingerprint());
                        false // Drop.
                    } else {
                        true // Keep.
                    }
                })
                .map(|c| (c.fingerprint(), c))
                .collect();
            if ! skipping.is_empty() {
                qprintln!("Note: Skipping the following certificates because \
                           they don't have a valid self-signed user ID in \
                           {}:", c.domain);
                skipping.into_iter().for_each(|fipr| qprintln!(" - {}", fipr))
            }
            if c.create && insert.is_empty() {
                sq.hint(format_args!(