From 699e966c198a1bc1a7be2c4b1f804b6942863037 Mon Sep 17 00:00:00 2001
From: Artem Alexandrov
Date: Mon, 17 Aug 2020 21:37:00 +0300
Subject: [PATCH] pki: Allow to use not only one variable during templating in allowed_domains #8509 (#9498)
---
 builtin/logical/pki/backend_test.go | 9 ++++++++-
 builtin/logical/pki/cert_util.go | 4 ++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 8a96b81c2c4d..09642906733f 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -2797,7 +2797,8 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
 // Write role PKI.
 _, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
- "allowed_domains": []string{"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}"},
+ "allowed_domains": []string{"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}",
+ "foo.{{identity.entity.aliases." + userpassAccessor + ".name}}.example.com"},
 "allowed_domains_template": true,
 "allow_bare_domains": true,
 })
@@ -2824,6 +2825,12 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
 t.Fatal("expected error")
 }
+ // Issue certificate for foo.userpassname.domain.
+ _, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foo.userpassname.example.com"})
+ if err != nil {
+ t.Fatal("expected error")
+ }
+
 // Set allowed_domains_template to false.
 _, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
 "allowed_domains_template": false,
diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 608dbf014c22..2a2c9b9b5639 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
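Review bot: In the issuance check added by the second hunk of backend_test.go, the failure branch reports `t.Fatal("expected error")` although an error is the unexpected outcome at that point; `t.Fatal(err)` would surface the real cause. The comment above it names `foo.userpassname.domain` while the request uses `foo.userpassname.example.com`. Because the new role entry widens what the role will sign, the test should also pin the boundary: a request whose common name follows the same `foo.<name>.example.com` shape but with a name other than the caller's alias should be asserted to fail. TestBackend_AllowedDomainsTemplate starts before and ends after both hunks.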
@@ -315,8 +315,8 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
 }
 if data.role.AllowedDomainsTemplate {
- matched, _ := regexp.MatchString(`^{{.+?}}$`, currDomain)
- if matched && data.req.EntityID != "" {
+ isTemplate, _ := framework.ValidateIdentityTemplate(currDomain)
+ if isTemplate && data.req.EntityID != "" {
 tmpCurrDomain, err := framework.PopulateIdentityTemplate(currDomain, data.req.EntityID, b.System())
 if err != nil {
 continue
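Review bot: The second return value of `framework.ValidateIdentityTemplate(currDomain)` is discarded, so an `allowed_domains` entry that fails template validation is treated like a plain literal and the operator gets no signal that the role is misconfigured. Keeping the error and failing closed looks safer: `isTemplate, err := framework.ValidateIdentityTemplate(currDomain)` followed by `if err != nil { continue }`. Separately, now that a template may sit inside a longer name, the value substituted by `PopulateIdentityTemplate` becomes part of a domain pattern. The hunk shows no check that this value is a single valid DNS label, which would matter if the matching further down (outside this hunk) applies subdomain or wildcard rules, so that is worth confirming. validateNames starts before and continues after the hunk.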