From d3e186d79eb453357b1d320f8fef345d731641c3 Mon Sep 17 00:00:00 2001
From: Pavlo Kushneryk
Date: Fri, 28 Jul 2023 22:36:18 +0300
Subject: [PATCH 1/2] bug(20562): allowed_domains are compared case-sensitive if they use glob patterns

---
 builtin/logical/pki/cert_util.go | 2 +-
 builtin/logical/pki/cert_util_test.go | 18 ++++++++++++++++++
 changelog/20562.txt | 3 +++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 changelog/20562.txt

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 185488a7a109..9e81383bcadb 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -659,7 +659,7 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
 
 if data.role.AllowGlobDomains &&
 strings.Contains(currDomain, "*") &&
- glob.Glob(currDomain, name) {
+ glob.Glob(currDomain, strings.ToLower(name)) {
 valid = true
 break
 }
diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
index 7fb811cb8fcf..584e4ad8ff09 100644
--- a/builtin/logical/pki/cert_util_test.go
+++ b/builtin/logical/pki/cert_util_test.go
@@ -174,6 +174,24 @@ func TestPki_PermitFQDNs(t *testing.T) {
 expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"},
 expectedEmails: []string{},
 },
+ "case insensitivity subdomain validation": {
+ input: &inputBundle{
+ apiData: &framework.FieldData{
+ Schema: fields,
+ Raw: map[string]interface{}{
+ "common_name": "SUB.EXAMPLE.COM",
+ "ttl": 3600,
+ },
+ },
+ role: &roleEntry{
+ AllowedDomains: []string{"example.com", "*.example.com"},
+ AllowGlobDomains: true,
+ MaxTTL: 3600,
+ },
+ },
+ expectedDnsNames: []string{"SUB.EXAMPLE.COM"},
+ expectedEmails: []string{},
+ },
 "case email as AllowedDomain with bare domains": {
 input: &inputBundle{
 apiData: &framework.FieldData{
diff --git a/changelog/20562.txt b/changelog/20562.txt
new file mode 100644
index 000000000000..e5de88213923
--- /dev/null
+++ b/changelog/20562.txt 
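Review bot: `strings.ToLower` on the added line applies full Unicode case mapping, not the ASCII-only folding that DNS names are compared with, so a few non-ASCII code points that lower-case to ASCII letters (U+212A KELVIN SIGN to `k`, U+017F LATIN SMALL LETTER LONG S to `s`) can let a name satisfy an ASCII glob while the certificate is issued with the original bytes, which the test's `expectedDnsNames` shows are preserved. Whether such a name reaches this branch depends on the hostname checks earlier in validateNames, which are outside the hunk. If the intent is DNS-style matching, an ASCII-only lowering (a `strings.Map` that folds only A–Z) or rejecting non-ASCII before the glob keeps both sides of the comparison in the same alphabet. The same applies to the PATCH 2/2 hunk of this file, which lower-cases both `currDomain` and `name` with the same function; in both hunks the enclosing for loop and validateNames start outside the hunk.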
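Review bot: The new table entry only exercises the accepting direction; a companion negative entry with the same role and a common_name that differs from `*.example.com` by more than case (for example `SUB.EXAMPLE.ORG`, a constructed value) would show that the lower-casing does not widen what the glob accepts. Whether the table can express an expected rejection is not visible in the hunk; if it cannot, a direct test of validateNames would do. TestPki_PermitFQDNs's body continues outside the hunk.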
@@ -0,0 +1,3 @@
+```release-note:bug
+pki: allowed_domains are compared case-sensitive if they use glob patterns
+```
\ No newline at end of file
From 325eb0637c01b47edfa48989d49581d8d9f2f857 Mon Sep 17 00:00:00 2001
From: Pavlo Kushneryk
Date: Wed, 2 Aug 2023 12:08:12 +0300
Subject: [PATCH 2/2] bug(20562): review fixes

---
 builtin/logical/pki/cert_util.go | 2 +-
 builtin/logical/pki/cert_util_test.go | 2 +-
 changelog/20562.txt | 3 ---
 changelog/22126.txt | 3 +++
 4 files changed, 5 insertions(+), 5 deletions(-)
 delete mode 100644 changelog/20562.txt
 create mode 100644 changelog/22126.txt

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 9e81383bcadb..e99100657858 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -659,7 +659,7 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
 
 if data.role.AllowGlobDomains &&
 strings.Contains(currDomain, "*") &&
- glob.Glob(currDomain, strings.ToLower(name)) {
+ glob.Glob(strings.ToLower(currDomain), strings.ToLower(name)) {
 valid = true
 break
 }
diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
index 584e4ad8ff09..82a4f2a50bde 100644
--- a/builtin/logical/pki/cert_util_test.go
+++ b/builtin/logical/pki/cert_util_test.go
@@ -184,7 +184,7 @@ func TestPki_PermitFQDNs(t *testing.T) {
 },
 },
 role: &roleEntry{
- AllowedDomains: []string{"example.com", "*.example.com"},
+ AllowedDomains: []string{"example.com", "*.Example.com"},
 AllowGlobDomains: true,
 MaxTTL: 3600,
 },
diff --git a/changelog/20562.txt b/changelog/20562.txt
deleted file mode 100644
index e5de88213923..000000000000
--- a/changelog/20562.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-```release-note:bug
-pki: allowed_domains are compared case-sensitive if they use glob patterns
-```
\ No newline at end of file
diff --git a/changelog/22126.txt b/changelog/22126.txt
new file mode 100644
index 000000000000..e6633ec3a050
--- /dev/null
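Review bot: `strings.ToLower(name)` on the added line is recomputed, together with `strings.ToLower(currDomain)`, on every iteration of the loop over `data.role.AllowedDomains`, although `name` does not appear to change while that inner loop runs. Hoist it once before the loop, `lowerName := strings.ToLower(name)`, and use `glob.Glob(strings.ToLower(currDomain), lowerName)`; the loop header is outside the hunk. Lower-casing `currDomain` once when the role is written would remove the other per-request allocation, but that touches role storage and is a separate change. A short why-comment on the line would also help the next reader, e.g. `// glob matching is case-sensitive but DNS names are not, so compare both sides lower-cased`.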
+++ b/changelog/22126.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: allowed_domains are now compared in a case-insensitive manner if they use glob patterns
+```
\ No newline at end of file