[FABG-948] Add support for extra hosts at enrollment #46
Conversation
Provide WithHosts option and add hosts to CSR info at enrollment request This allows us to pass extra hosts for certificate enrollment, so it can be valid to those hosts as well for its CN Signed-off-by: Manoel <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #46 +/- ##
=========================================
Coverage ? 74.54%
=========================================
Files ? 176
Lines ? 12605
Branches ? 0
=========================================
Hits ? 9396
Misses ? 2289
Partials ? 920Continue to review full report at Codecov.
|
Signed-off-by: Manoel <[email protected]>
vieirin
force-pushed
the
master
branch
5 times, most recently
from
5eed268
to
91aeb64
Compare
Signed-off-by: Manoel <[email protected]>
|
@alikic any other changes? |
pkg/client/msp/ca.go
Outdated
| @@ -6,6 +6,8 @@ SPDX-License-Identifier: Apache-2.0 | |||
|
|
|||
| package msp | |||
|
|
|||
| import "github.com/cloudflare/cfssl/csr" | |||
There was a problem hiding this comment.
We don't include third party structures in our high level API. This import shouldn't be here.
pkg/client/msp/ca.go
Outdated
| Names []csr.Name | ||
| Hosts []string | ||
| KeyRequest *BasicKeyRequest | ||
| CA *csr.CAConfig |
There was a problem hiding this comment.
This API shouldn't have dependencies on "github.com/cloudflare/cfssl/csr". CAConfig should be added to our API, and any mapping between this API and third party should be hidden. While we have a freedom to design our API structures independently from the third party, it is useful to keep them close as we keep extending support for Fabric CA features.
There was a problem hiding this comment.
I strongly disagree, to create a new struct and re-map it as done in CSR struct seems a bad thing to me, caapi depends on cloudflare structure, this dependency is already packaged with sdk code, btw.
I don't see how creating same structs and "convert this type to that type" functions, where those types have the exact same fields but are different definitions is beneficial
what do you think
There was a problem hiding this comment.
Neither fabric-ca nor cloudflare/cfssl are used directly in the exposed API, all uses are internal. I see that we do use cloudflare/cfssl in a couple of tests, perhaps we shouldn't, we can easily change that. Usage of cloudflare/cfssl internally is an implementation detail, shouldn't be in public API.
You wanted to add only hosts to the API call, and my thinking was, if we keep adding the missing pieces of Fabric CA support, we will likely end up with structures similar to what the CA is using. This is why I thought we should introduce CSRInfo, to group hosts and future (currently missing) elements together in a way it makes sense. CSRInfo could initially have only hosts, and whatever you currently need. Ideally, all additions should have proper integration tests.
|
Any updates on this issue? |
|
Here is where we stand - the feature is useful, but the implementation has two issues. It introduces a third party dependency in the public API, and it is missing an integration test which would verify that the resulting certificate has desired properties. It makes sense to group all parameters relevant to the creation of a CSR into a structure (perhaps initially having only hosts in the structure), which could be called CSRInfo, but no third party structures are allowed in the public API. |
|
I'm going back to this issue, @alikic this test should be written in integration tests too, right? |
vieirin
force-pushed
the
master
branch
2 times, most recently
from
b15e9ac
to
aeb3136
Compare
Signed-off-by: Manoel <[email protected]>
|
Integration tests are broken again |
|
Done :) |
| t.Fatalf("Registration failed: %s", err) | ||
| } | ||
|
|
||
| extraHosts := []string{"localhost"} |
There was a problem hiding this comment.
Need to test with more values in extraHosts, it should add all of them to the cert....
There was a problem hiding this comment.
Can this comparison be O(n²) in test or should it be optimized with a map-based search?
I mean can I compare all requested hosts with all received hosts or may I convert requested hosts to a map first to compare? Does it makes difference? Just to write it right from start haha
There was a problem hiding this comment.
Haha, you can implement comparison any way you want, I am just looking for having at least two values there, just to have a little more confidence that the mapping works correctly through the layers all the way to the CA itself.
| t.Fatalf("GetSigningIdentity failed: %s", err) | ||
| } | ||
|
|
||
| has, err := hasHost(si, extraHosts[0]) |
There was a problem hiding this comment.
.... and then verify that all the requested hosts are in the cert.
| t.Fatalf("GetSigningIdentity failed: %s", err) | ||
| } | ||
|
|
||
| has, err = hasHost(si, extraHosts[0]) |
There was a problem hiding this comment.
.... and then verify that all the requested hosts are in the cert.
Provide WithHosts option and add hosts to CSR info at enrollment request
This allows us to pass extra hosts for certificate enrollment, so it can be valid to
those hosts as well for its CN
Signed-off-by: Manoel [email protected]