-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option allowed_domains_template enabling identity templating for issuing PKI certs #8509
Add option allowed_domains_template enabling identity templating for issuing PKI certs #8509
Conversation
@jefferai Any chance merging the long-awaited closure of security hole of spoofing CNs in issuing x509 certificates? |
Hi! Thanks for submitting this pull request. I notice there are some test failures that appear related:
Happy to take a closer look after the tests are passing. |
@andrejvanderzee , thank you for non stoping decision in implementation this features. As I've counted it's third PR and I hope the last one. =) Could you please provide status info, if you have time to finish it, so we all can finally use this must-have feature? Thanks again for you work. |
@qk4l Thanks, let me fix the comments today. |
Hi @qk4l and @tyrannosaurus-becks I have pushed fixes for the failing test. Now |
Minimized the PR and pushed again... |
Hi @qk4l and @tyrannosaurus-becks any update on this MR? |
Thank you for working on this feature, it is clearly in high demand. We're sorry it took so long to come to a consensus internally on how to proceed, but we finally have. As you may be aware, there are currently 2 open PRs trying to implement identity templating for PKI, of which yours is one: #7216 and #8509. It would be great if you would coordinate amongst yourselves to see who has the time and inclination to move forward with the proposal. The proposal:
Other requirements:
Not a strict requirement but a suggestion: limit the PR to |
@ncabatoff Sorry for the delay it was a busy time for me. Today I was ably to implement the requirements that you have sent in your last post. Please let me know if something is still missing or not according to standards. Thank you. |
Hi @ncabatoff @qk4l @tyrannosaurus-becks |
…issuing PKI certs.
@ncabatoff I have added the two testcases and resolved the conversation. |
Thanks again for the PR and your patience. |
Thank you all, this PR has grown a long beard ;-) |
I've noticed that this regex force to use only one pure variable. Additional domain suffices or other variables is not allowed. Is it a feature or bug? What do you think? |
Yes I think that makes sense. Its easy to add a testcase for your suggestion. I can implement it this week or if you have time you could add it, either way fine with me! |
I'm so happy that this feature is merged!! Thanks so much to everyone that worked on this! |
I did it in #9498 |
…issuing PKI certs. (#8509) (#9748) Co-authored-by: Andrej van der Zee <[email protected]>
…domains #8509 (#9498) (#9749) Co-authored-by: Artem Alexandrov <[email protected]>
* master: Add a section to the MySQL secrets plugin docs about x509 (#9757) Update documentation for MySQL Secrets Engine (#9671) Conditionally overwrite TLS parameters for MySQL secrets engine (#9729) Correctly mark Cassandra as not supporting static roles (#9750) changelog++ pki: Allow to use not only one variable during templating in allowed_domains #8509 (#9498) agent/templates: update consul-template to v0.25.1 (#9626) Restoring the example policies for blocking sha1 (#9677) changelog++ changelog++ Document the new SSH signing algorithm option. (#9197) CHANGELOG-+ CHANGELOG++ Trail of bits 018 (#9674)
Enables identity templating for the allowed_uri_sans field in PKI cert roles. Implemented as suggested in hashicorp#8509
* Add allowed_uri_sans_template Enables identity templating for the allowed_uri_sans field in PKI cert roles. Implemented as suggested in #8509 * changelog++ * Update docs with URI SAN templating
* Add allowed_uri_sans_template Enables identity templating for the allowed_uri_sans field in PKI cert roles. Implemented as suggested in hashicorp#8509 * changelog++ * Update docs with URI SAN templating
Implementation of identity templating when issuing a PKI cert using the exported sdk/framework merged in #8088
Duplicate of #6558
Similar to #7548