

pki: Allow to use not only one variable during templating in allowed_…
…domains hashicorp#8509
Artem Alexandrov committed Jul 16, 2020
1 parent 73b1eed commit 56d9078
Showing 2 changed files with 10 additions and 3 deletions.
9 changes: 8 additions & 1 deletion builtin/logical/pki/backend_test.go
Expand Up @@ -2797,7 +2797,8 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {

// Write role PKI.
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
"allowed_domains": []string{"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}"},
"allowed_domains": []string{"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}",
"foo.{{identity.entity.aliases." + userpassAccessor + ".name}}.example.com"},
"allowed_domains_template": true,
"allow_bare_domains": true,
})
Expand All @@ -2824,6 +2825,12 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
t.Fatal("expected error")
}

// Issue certificate for foo.userpassname.domain.
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foo.userpassname.example.com"})
if err != nil {
t.Fatal("expected error")
}

// Set allowed_domains_template to false.
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
"allowed_domains_template": false,
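Review bot: The failure message on the new success-path check is wrong: the block that issues `foo.userpassname.example.com` runs `if err != nil { t.Fatal("expected error") }`, so a regression in the composite-template match would be reported as "expected error" even though an error is exactly what was not expected; make it `t.Fatalf("unexpected error issuing foo.userpassname.example.com: %v", err)`. The new case is also only positive — nothing asserts that the template embedded in a larger name does not admit names outside the substituted alias, so it would be worth pairing it with an issue of e.g. `foo.otheruser.example.com` (and, given allow_subdomains is not set, `bar.userpassname.example.com`) that must return an error, mirroring the existing negative check just above. TestBackend_AllowedDomainsTemplate starts and ends outside the hunks shown.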
4 changes: 2 additions & 2 deletions builtin/logical/pki/cert_util.go
Expand Up @@ -315,8 +315,8 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
}

if data.role.AllowedDomainsTemplate {
matched, _ := regexp.MatchString(`^{{.+?}}$`, currDomain)
if matched && data.req.EntityID != "" {
isTemplate, _ := framework.ValidateIdentityTemplate(currDomain)
if isTemplate && data.req.EntityID != "" {
tmpCurrDomain, err := framework.PopulateIdentityTemplate(currDomain, data.req.EntityID, b.System())
if err != nil {
continue
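Review bot: The error returned by `framework.ValidateIdentityTemplate` on the first added line is discarded, so a malformed template entry is silently treated as a non-template and falls through to the literal comparison below; unlike the old `regexp.MatchString`, this call can report why the entry is invalid, and handling it the same way as the `PopulateIdentityTemplate` branch right after it — `isTemplate, err := framework.ValidateIdentityTemplate(currDomain)` then `if err != nil { continue }` — fails closed instead of comparing a broken template string. A short comment is also warranted now that a template may sit inside a larger name (`foo.{{...}}.example.com`): the substituted alias value determines the shape of the resulting domain, and if alias names can contain `.` or glob characters (I cannot confirm that from here) one role entry could expand to more labels, or to a glob, than the role author intended, so checking that the populated value is a single DNS label before it is compared would be prudent. validateNames begins above the hunk and continues past it.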
