Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added URI Subject Alternative Names to secrets/pki #4675

Closed
wants to merge 7 commits into from
Closed

Added URI Subject Alternative Names to secrets/pki #4675

wants to merge 7 commits into from

Conversation

nicholasjackson
Copy link
Contributor

@nicholasjackson nicholasjackson commented Jun 1, 2018
edited
Loading

Added new parameter uri_sans when generating x.509 certificates
Added new parameter allow_uri_sans to role
Updated documentation

@jefferai I am not sure which test to modify to validate this change (have tested manually for now), ip_sans testing seems to be in the OID test however I think I should probably create a separate test for this?

In addition to this, should I also modify the UI to add the new parameter?

@jefferai jefferai added this to the 0.10.2 milestone Jun 1, 2018
@jefferai
Copy link
Member

jefferai commented Jun 1, 2018

@nicholasjackson Thanks for this! I think, similarly to allowed_oid_sans, it should be a []string not a bool and should allow a list of glob-supporting URIs. Think SVIDs scoping to specific groups/orgs/whatever. If you want the same semantics as this bool you simply provide *.

@jefferai jefferai modified the milestones: 0.10.2, 0.10.3 Jun 3, 2018
@nicholasjackson
Copy link
Contributor Author

Cool, will update tomorrow morning

@meirish meirish added the ui label Jun 5, 2018
@nicholasjackson
Copy link
Contributor Author

Updated code to change allow_uri_sans bool to allowed_uri_sans []string, I have also added the tests for both the role and the cert-generation.

jefferai
jefferai reviewed Jun 11, 2018
View reviewed changes
builtin/logical/pki/fields.go Outdated
@@ -39,6 +39,12 @@ pkcs8 instead. Defaults to "der".`,
comma-delimited list`,
}

fields["uri_sans"] = &framework.FieldSchema{
Type: framework.TypeString,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be TypeCommaStringSlice

jefferai
jefferai reviewed Jun 11, 2018
View reviewed changes
builtin/logical/pki/cert_util.go Outdated
}
}

for _, v := range strings.Split(uriAlt, ",") {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than do this, please use TypeCommaStringSlice for the parameter which will return you a []string already.

@jefferai jefferai modified the milestones: 0.10.3, 0.10.4 Jun 12, 2018
banks
banks reviewed Jun 13, 2018
View reviewed changes
website/source/api/secret/pki/index.html.md Outdated
@@ -908,6 +920,7 @@ $ curl \
"data": {
"allow_any_name": false,
"allow_ip_sans": true,
"allow_uri_sans": true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this was missed in the bool -> slice change. Should be allowed_uri_sans: "spiffe://*" or something?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also from below:

Only valid if the role allows URI SANs (which is the default).

We should probably mention that default here too as it's non-obvious that it's only mentioned in other fields that relate to this...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, will get on this first thing tomorrow morning.

@jefferai jefferai modified the milestones: 0.10.4, 0.10.3 Jun 13, 2018
@jefferai jefferai mentioned this pull request Jun 14, 2018
Merged
@jefferai jefferai closed this Jun 14, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jefferai jefferai jefferai left review comments

@banks banks banks left review comments

Assignees
No one assigned
Labels
ui
Projects
None yet
Milestone
0.10.3
Development

Successfully merging this pull request may close these issues.
4 participants
@nicholasjackson @jefferai @banks @meirish