diff --git a/pkg/acceptance/cluster/certs.go b/pkg/acceptance/cluster/certs.go index 3cfe9279ab11..79ca3b9a2323 100644 --- a/pkg/acceptance/cluster/certs.go +++ b/pkg/acceptance/cluster/certs.go @@ -53,12 +53,12 @@ func GenerateCerts(ctx context.Context) func() { // Root user. maybePanic(security.CreateClientPair( certsDir, filepath.Join(certsDir, security.EmbeddedCAKey), - 2048, 48*time.Hour, false, security.RootUserName(), true /* generate pk8 key */)) + 2048, 48*time.Hour, false, security.RootUserName(), "" /* tenantID */, true /* generate pk8 key */)) // Test user. maybePanic(security.CreateClientPair( certsDir, filepath.Join(certsDir, security.EmbeddedCAKey), - 1024, 48*time.Hour, false, security.TestUserName(), true /* generate pk8 key */)) + 1024, 48*time.Hour, false, security.TestUserName(), "" /* tenantID */, true /* generate pk8 key */)) // Certs for starting a cockroach server. Key size is from cli/cert.go:defaultKeySize. maybePanic(security.CreateNodePair( diff --git a/pkg/cli/cert.go b/pkg/cli/cert.go index 51580c3782ae..0182bf3131d6 100644 --- a/pkg/cli/cert.go +++ b/pkg/cli/cert.go @@ -177,6 +177,7 @@ func runCreateClientCert(cmd *cobra.Command, args []string) error { certCtx.certificateLifetime, certCtx.overwriteFiles, username, + certCtx.tenantScope, certCtx.generatePKCS8Key), "failed to generate client certificate and key") } diff --git a/pkg/cli/client_url.go b/pkg/cli/client_url.go index c5116388c1ae..1fa945e5b281 100644 --- a/pkg/cli/client_url.go +++ b/pkg/cli/client_url.go @@ -16,7 +16,6 @@ import ( "path/filepath" "github.com/cockroachdb/cockroach/pkg/cli/cliflags" - "github.com/cockroachdb/cockroach/pkg/roachpb" "github.com/cockroachdb/cockroach/pkg/rpc" "github.com/cockroachdb/cockroach/pkg/security" "github.com/cockroachdb/cockroach/pkg/server/pgurl" 
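Review bot: In the cert.go hunk, `certCtx.tenantScope` is forwarded to `security.CreateClientPair` as a raw string, so a value that is not a tenant ID is only caught, if at all, inside the certificate generator rather than at the command boundary. Since this change introduces `roachpb.ParseTenantID`, validating first in runCreateClientCert, `if certCtx.tenantScope != "" { if _, err := roachpb.ParseTenantID(certCtx.tenantScope); err != nil { return err } }`, gives the operator a clear error and guarantees the scope written into the cert is something the server-side parser will accept. runCreateClientCert starts outside the hunk and CreateClientPair's handling of the string is not visible here.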
@@ -360,7 +359,7 @@ func (cliCtx *cliContext) makeClientConnURL() (*pgurl.URL, error) { userName = security.RootUserName() } - sCtx := rpc.MakeSecurityContext(cliCtx.Config, security.CommandTLSSettings{}, roachpb.SystemTenantID) + sCtx := rpc.MakeSecurityContext(cliCtx.Config, security.CommandTLSSettings{}, cliCtx.tenantID) if err := sCtx.LoadSecurityOptions(purl, userName); err != nil { return nil, err } diff --git a/pkg/cli/cliflags/flags.go b/pkg/cli/cliflags/flags.go index c35d6b1c8d07..b38a4135873f 100644 --- a/pkg/cli/cliflags/flags.go +++ b/pkg/cli/cliflags/flags.go @@ -734,6 +734,14 @@ Note: that --external-io-disable-http or --external-io-disable-implicit-credenti Description: `Certificate and key files are overwritten if they exist.`, } + TenantScope = FlagInfo{ + Name: "tenant-scope", + Description: `Assign a tenant scope to the certificate. +This will allow for the certificate to only be used specifically for a particular +tenant. This flag is optional, when omitted, the certificate is not tied +for usage on a specific tenant.`, + } + GeneratePKCS8Key = FlagInfo{ Name: "also-generate-pkcs8-key", Description: `Also write the key in pkcs8 format to <certs-dir>/client.<username>.key.pk8.`, @@ -1465,6 +1473,14 @@ Can be set to 1 to ensure only one node is polled for data at a time. `, } + ZipTenant = FlagInfo{ + Name: "tenant-id", + Description: ` +Specify the tenant ID of the server. This is required to be set while +running debug zip against a SQL only server for a tenant. +`, + } + StmtDiagDeleteAll = FlagInfo{ Name: "all", Description: `Delete all bundles.`, diff --git a/pkg/cli/context.go b/pkg/cli/context.go index 25c3da5d0621..bbfd8e32ebc5 100644 --- a/pkg/cli/context.go +++ b/pkg/cli/context.go 
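Review bot: The new `TenantScope` flag description never says what value the flag takes (a numeric tenant ID), even though the sibling `ZipTenant` flag is typed `<uint>` elsewhere in this change, and its last sentence reads awkwardly (`the certificate is not tied for usage on a specific tenant`). Suggested text: `Scope the certificate to the tenant with this ID. A tenant-scoped certificate can only be used to authenticate to that tenant. Optional; when omitted, the certificate is not restricted to a tenant.` The `ZipTenant` description could likewise name the expected form, e.g. `--tenant-id=<id>`.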
@@ -26,6 +26,7 @@ import ( "github.com/cockroachdb/cockroach/pkg/cli/clisqlshell" "github.com/cockroachdb/cockroach/pkg/cli/democluster" "github.com/cockroachdb/cockroach/pkg/config/zonepb" + "github.com/cockroachdb/cockroach/pkg/roachpb" "github.com/cockroachdb/cockroach/pkg/security" "github.com/cockroachdb/cockroach/pkg/server" "github.com/cockroachdb/cockroach/pkg/server/pgurl" @@ -200,6 +201,10 @@ type cliContext struct { // For `cockroach version --build-tag`. showVersionUsingOnlyBuildTag bool + + // tenantID indicates the tenant to run the CLI utility against. + // Default value is the system tenant. + tenantID roachpb.TenantID } // cliCtx captures the command-line parameters common to most CLI utilities. @@ -233,6 +238,7 @@ func setCliContextDefaults() { // TODO(knz): Deprecated in v21.1. Remove this. cliCtx.deprecatedLogOverrides.reset() cliCtx.showVersionUsingOnlyBuildTag = false + cliCtx.tenantID = roachpb.SystemTenantID } // sqlConnContext captures the connection configuration for all SQL @@ -266,6 +272,10 @@ var certCtx struct { // This configuration flag is only used for 'cert' commands // that generate certificates. certPrincipalMap []string + // tenantScope indicates the ID of the tenant that a certificate is being + // scoped to. By creating a tenant-scoped certicate, the usage of that certificate + // is restricted to a specific tenant. + tenantScope string } func setCertContextDefaults() { @@ -278,6 +288,7 @@ func setCertContextDefaults() { certCtx.overwriteFiles = false certCtx.generatePKCS8Key = false certCtx.certPrincipalMap = nil + certCtx.tenantScope = "" } var sqlExecCtx = clisqlexec.Context{ @@ -345,6 +356,10 @@ type zipContext struct { // The log/heap/etc files to include. files fileSelection + + // tenantID of the server being connected to. This flag should + // be set while running debug zip against a tenant SQL server. + tenantID roachpb.TenantID } // setZipContextDefaults set the default values in zipCtx. This 
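Review bot: Typo in the new `tenantScope` field comment in certCtx: `certicate` should be `certificate`. The comment also describes the field as `the ID of the tenant` while the field is a `string`, unlike `cliContext.tenantID` and `zipContext.tenantID` in the same file, which are `roachpb.TenantID`; a sentence explaining why it stays a string (presumably because it is passed through to the cert generator as-is) would stop the next reader from "fixing" it, e.g. `// tenantScope is the ID, as given on the command line, of the tenant that a certificate is being scoped to.`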
@@ -364,6 +379,7 @@ func setZipContextDefaults() {
 	now := timeutil.Now()
 	zipCtx.files.startTimestamp = timestampValue(now.Add(-48 * time.Hour))
 	zipCtx.files.endTimestamp = timestampValue(now.Add(24 * time.Hour))
+	zipCtx.tenantID = roachpb.SystemTenantID
 }
 
 // dumpCtx captures the command-line parameters of the `dump` command.
diff --git a/pkg/cli/democluster/demo_cluster.go b/pkg/cli/democluster/demo_cluster.go
index 394b26c5539e..e9298066d6e3 100644
--- a/pkg/cli/democluster/demo_cluster.go
+++ b/pkg/cli/democluster/demo_cluster.go
@@ -1073,6 +1073,7 @@ func (demoCtx *Context) generateCerts(certsDir string) (err error) {
 		demoCtx.DefaultCertLifetime,
 		false, /* overwrite */
 		security.RootUserName(),
+		"", /* tenantID */
 		false, /* generatePKCS8Key */
 	); err != nil {
 		return err
diff --git a/pkg/cli/flags.go b/pkg/cli/flags.go
index 27d72e1653d9..ccf3ea3c25c1 100644
--- a/pkg/cli/flags.go
+++ b/pkg/cli/flags.go
@@ -271,6 +271,33 @@ func (f *keyTypeFilter) Set(v string) error {
 	return nil
 }
 
+// tenantIDSetter wraps the tenantID variable within zipContext
+// and verifies its value during execution.
+type tenantIDSetter struct {
+	tenantID *roachpb.TenantID
+}
+
+// String implements the pflag.Value interface.
+func (t tenantIDSetter) String() string { return t.tenantID.String() }
+
+// Type implements the pflag.Value interface.
+func (t tenantIDSetter) Type() string { return "<uint>" }
+
+// Set implements the pflag.Value interface.
+func (t tenantIDSetter) Set(v string) error {
+	if v == "" {
+		*t.tenantID = roachpb.SystemTenantID
+		return nil
+	}
+
+	tID, err := roachpb.ParseTenantID(v)
+	if err != nil {
+		return err
+	}
+	*t.tenantID = tID
+	return nil
+}
+
 const backgroundEnvVar = "COCKROACH_BACKGROUND_RESTART"
 
 // flagSetForCmd is a replacement for cmd.Flag() that properly merges
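Review bot: `tenantIDSetter.Set` silently maps an empty value to the system tenant, which the `// Set implements the pflag.Value interface.` comment does not mention; suggest `// Set implements the pflag.Value interface. An empty value selects the system tenant.` `Type()` returning `<uint>` with angle brackets is unusual for pflag Value implementations, which normally return a bare type name, but I cannot see how this repository's other Value types name themselves, so treat that as a consistency check rather than a defect.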
@@ -580,6 +607,7 @@ func init() { stringFlag(f, &certCtx.caKey, cliflags.CAKey) intFlag(f, &certCtx.keySize, cliflags.KeySize) boolFlag(f, &certCtx.overwriteFiles, cliflags.OverwriteFiles) + stringFlag(f, &certCtx.tenantScope, cliflags.TenantScope) if strings.HasSuffix(cmd.Name(), "-ca") { // CA-only commands. @@ -684,6 +712,7 @@ func init() { boolFlag(f, &zipCtx.redactLogs, cliflags.ZipRedactLogs) durationFlag(f, &zipCtx.cpuProfDuration, cliflags.ZipCPUProfileDuration) intFlag(f, &zipCtx.concurrency, cliflags.ZipConcurrency) + varFlag(f, tenantIDSetter{&zipCtx.tenantID}, cliflags.ZipTenant) } // List-files + Zip commands. for _, cmd := range []*cobra.Command{debugZipCmd, debugListFilesCmd} { diff --git a/pkg/cli/start.go b/pkg/cli/start.go index e44047f80a3f..2e7a75ec4c98 100644 --- a/pkg/cli/start.go +++ b/pkg/cli/start.go @@ -1263,7 +1263,7 @@ func getClientGRPCConn( stopper := stop.NewStopper(stop.WithTracer(tracer)) rpcContext := rpc.NewContext(ctx, rpc.ContextOptions{ - TenantID: roachpb.SystemTenantID, + TenantID: cfg.TenantID, Config: cfg.Config, Clock: clock, Stopper: stopper, diff --git a/pkg/cli/testdata/zip/testzip_tenant b/pkg/cli/testdata/zip/testzip_tenant index 10a2c3a09043..316c9024c282 100644 --- a/pkg/cli/testdata/zip/testzip_tenant +++ b/pkg/cli/testdata/zip/testzip_tenant @@ -1,6 +1,6 @@ zip ---- -debug zip --concurrency=1 --cpu-profile-duration=1s /dev/null +debug zip --concurrency=1 --cpu-profile-duration=1s --tenant-id=10 /dev/null [cluster] establishing RPC connection to ... [cluster] retrieving the node status to get the SQL address... done [cluster] using SQL address: ... diff --git a/pkg/cli/testutils.go b/pkg/cli/testutils.go index 7d411763c07e..8b27159e6bca 100644 --- a/pkg/cli/testutils.go +++ b/pkg/cli/testutils.go 
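Review bot: The two new tenant flags are wired inconsistently in the flags.go init hunks: `--tenant-id` for debug zip goes through `tenantIDSetter`, which validates via `roachpb.ParseTenantID` at parse time, while `--tenant-scope` for cert creation is a plain `stringFlag` with no validation at all. If `certCtx.tenantScope` must stay a string, a small validating `pflag.Value` registered with `varFlag`, mirroring `tenantIDSetter`, would reject malformed IDs the same way zip does. Both `init` functions start and end outside the hunks.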
@@ -328,18 +328,30 @@ func isSQLCommand(args []string) (bool, error) {
 	return false, nil
 }
 
-func (c TestCLI) getRPCAddr() string {
-	if c.tenant != nil {
-		return c.tenant.RPCAddr()
+func (c TestCLI) getRPCAddr(tenantID roachpb.TenantID) (string, error) {
+	if tenantID == roachpb.SystemTenantID {
+		return c.ServingRPCAddr(), nil
 	}
-	return c.ServingRPCAddr()
+	if c.tenant == nil {
+		return "", errors.Errorf("cannot run CLI for tenant %d on system tenant", tenantID)
+	}
+	if c.tenant.RPCContext().TenantID != tenantID {
+		return "", errors.Errorf("cannot run CLI for tenant %d on tenant %d", tenantID, c.tenant.RPCContext().TenantID)
+	}
+	return c.tenant.RPCAddr(), nil
 }
 
-func (c TestCLI) getSQLAddr() string {
-	if c.tenant != nil {
-		return c.tenant.SQLAddr()
+func (c TestCLI) getSQLAddr(tenantID roachpb.TenantID) (string, error) {
+	if tenantID == roachpb.SystemTenantID {
+		return c.ServingSQLAddr(), nil
+	}
+	if c.tenant == nil {
+		return "", errors.Errorf("cannot run CLI for tenant %d on system tenant", tenantID)
 	}
-	return c.ServingSQLAddr()
+	if c.tenant.RPCContext().TenantID != tenantID {
+		return "", errors.Errorf("cannot run CLI for tenant %d on tenant %d", tenantID, c.tenant.RPCContext().TenantID)
+	}
+	return c.tenant.SQLAddr(), nil
 }
 
 // RunWithArgs add args according to TestCLI cfg.
@@ -349,11 +361,21 @@ func (c TestCLI) RunWithArgs(origArgs []string) {
 	if err := func() error {
 		args := append([]string(nil), origArgs[:1]...)
 		if c.TestServer != nil {
-			addr := c.getRPCAddr()
+			tenantID, err := getTenantID(origArgs)
+			if err != nil {
+				return err
+			}
+			addr, err := c.getRPCAddr(tenantID)
+			if err != nil {
+				return err
+			}
 			if isSQL, err := isSQLCommand(origArgs); err != nil {
 				return err
 			} else if isSQL {
-				addr, err = c.getSQLAddr(tenantID)
+				addr, err = c.getSQLAddr(tenantID)
+				if err != nil {
+					return err
+				}
 			}
 			h, p, err := net.SplitHostPort(addr)
 			if err != nil {
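Review bot: The error messages in the new `getRPCAddr`/`getSQLAddr` format `roachpb.TenantID` with `%d`; `TenantID` has a `String()` method (it is called by `tenantIDSetter` in this change), which `%d` does not invoke, so if `TenantID` is a struct the message will read something like `{10}` instead of the ID. Use `%s` or `%v` as auth.go does in this change: `errors.Errorf("cannot run CLI for tenant %s on system tenant", tenantID)`. The two methods also repeat the nil-tenant and mismatch checks verbatim; a small helper that performs both checks and returns `c.tenant` would leave each method as a one-line address lookup.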
@@ -526,3 +548,20 @@ func MatchCSV(csvStr string, matchColRow [][]string) (err error) { } return err } + +func getTenantID(args []string) (roachpb.TenantID, error) { + for _, arg := range args { + if strings.HasPrefix(arg, "--tenant-id") { + parts := strings.Split(arg, "=") + if len(parts) != 2 { + return roachpb.TenantID{}, errors.Errorf("invalid tenant-id argument %s", arg) + } + tenantID, err := roachpb.ParseTenantID(parts[1]) + if err != nil { + return roachpb.TenantID{}, nil + } + return tenantID, nil + } + } + return roachpb.SystemTenantID, nil +} diff --git a/pkg/cli/zip.go b/pkg/cli/zip.go index aed5db2dbf2e..459544d9d803 100644 --- a/pkg/cli/zip.go +++ b/pkg/cli/zip.go @@ -166,6 +166,7 @@ func runDebugZip(_ *cobra.Command, args []string) (retErr error) { zr := zipCtx.newZipReporter("cluster") s := zr.start("establishing RPC connection to %s", serverCfg.AdvertiseAddr) + serverCfg.TenantID = zipCtx.tenantID conn, _, finish, err := getClientGRPCConn(ctx, serverCfg) if err != nil { return s.fail(err) @@ -192,6 +193,7 @@ func runDebugZip(_ *cobra.Command, args []string) (retErr error) { s = zr.start("using SQL address: %s", sqlAddr.AddressField) cliCtx.clientConnHost, cliCtx.clientConnPort, err = net.SplitHostPort(sqlAddr.AddressField) + cliCtx.tenantID = zipCtx.tenantID if err != nil { return s.fail(err) } diff --git a/pkg/cli/zip_tenant_test.go b/pkg/cli/zip_tenant_test.go index 099fff97a0a6..a6225c6b5668 100644 --- a/pkg/cli/zip_tenant_test.go +++ b/pkg/cli/zip_tenant_test.go @@ -11,6 +11,7 @@ package cli import ( + "fmt" "os" "testing" @@ -34,8 +35,9 @@ func TestTenantZip(t *testing.T) { skip.UnderRace(t, "test too slow under race") tenantDir, tenantDirCleanupFn := testutils.TempDir(t) defer tenantDirCleanupFn() + tenantID := serverutils.TestTenantID() tenantArgs := base.TestTenantArgs{ - TenantID: serverutils.TestTenantID(), + TenantID: tenantID, HeapProfileDirName: tenantDir, GoroutineDumpDirName: tenantDir, } 
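Review bot: `getTenantID` drops the parse error: when `roachpb.ParseTenantID(parts[1])` fails it returns `roachpb.TenantID{}, nil`, so a malformed `--tenant-id=` value silently runs the CLI under test against the zero tenant ID instead of failing the test. That line should be `return roachpb.TenantID{}, err`. Two smaller points: `strings.HasPrefix(arg, "--tenant-id")` also matches any longer flag name starting with that text, and the space-separated form `--tenant-id 10` is not recognised at all; `strings.HasPrefix(arg, "--tenant-id=")` followed by `strings.Cut(arg, "=")` makes the first explicit and is worth a comment for the second.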
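Review bot: In the second runDebugZip hunk, `cliCtx.tenantID = zipCtx.tenantID` is inserted between the `net.SplitHostPort` call and its `if err != nil` check, separating a call from its error check; move the assignment above the `SplitHostPort` line. In the first hunk, `serverCfg.TenantID = zipCtx.tenantID` appears to mutate a package-level config right before `getClientGRPCConn`; a one-line comment saying the RPC dial must carry the target tenant ID, and that the field is intentionally left set for the rest of the command, would make the side effect deliberate. runDebugZip begins and ends outside both hunks.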
@@ -53,7 +55,8 @@ func TestTenantZip(t *testing.T) { }) defer c.Cleanup() - out, err := c.RunWithCapture("debug zip --concurrency=1 --cpu-profile-duration=1s " + os.DevNull) + zipCmd := fmt.Sprintf("debug zip --concurrency=1 --cpu-profile-duration=1s --tenant-id=%d %s", tenantID.ToUint64(), os.DevNull) + out, err := c.RunWithCapture(zipCmd) if err != nil { t.Fatal(err) } diff --git a/pkg/roachpb/tenant.go b/pkg/roachpb/tenant.go index 191a1fc69985..1ce4bc94877f 100644 --- a/pkg/roachpb/tenant.go +++ b/pkg/roachpb/tenant.go @@ -14,6 +14,8 @@ import ( "context" "math" "strconv" + + "github.com/cockroachdb/errors" ) // SystemTenantID is the ID associated with the system's internal tenant in a @@ -97,5 +99,14 @@ func TenantFromContext(ctx context.Context) (tenID TenantID, ok bool) { return } +// ParseTenantID parses a tenant ID contained a string. +func ParseTenantID(tenantID string) (TenantID, error) { + tID, err := strconv.ParseUint(tenantID, 10, 64) + if err != nil { + return TenantID{}, errors.Wrapf(err, "invalid tenant ID %s, tenant ID should be an unsigned int greater than 0", tenantID) + } + return MakeTenantID(tID), nil +} + // Silence unused warning. var _ = TenantFromContext diff --git a/pkg/rpc/pg.go b/pkg/rpc/pg.go index 56933e81ee25..f39aaa1ead99 100644 --- a/pkg/rpc/pg.go +++ b/pkg/rpc/pg.go 
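Review bot: `ParseTenantID` accepts `"0"`: `strconv.ParseUint` succeeds and the value goes straight to `MakeTenantID`, even though the error text promises an unsigned int greater than 0. If `MakeTenantID` panics on zero (its body is not visible here), that panic is reachable from CLI flag values and from the client-certificate URI parsed in `maybeGetTenantScopeFromClientCert`, so rejecting zero explicitly in the parser is cheap defence in depth: `if err != nil || tID == 0 {` with the error built via `errors.Newf` when `err` is nil. Using `%q` rather than `%s` for the offending input would also make empty or whitespace-only values visible in the message.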
@@ -77,34 +77,28 @@ func (ctx *SecurityContext) LoadSecurityOptions(u *pgurl.URL, username security. // (Re)populate the transport information. u.WithTransport(pgurl.TransportTLS(tlsMode, caCertPath)) - var missing bool // certs found on file system? - loader := security.GetAssetLoader() - // Fetch client certs, but don't fail if they're absent, we may be // using a password. certPath := ctx.ClientCertPath(username) keyPath := ctx.ClientKeyPath(username) - _, err1 := loader.Stat(certPath) - _, err2 := loader.Stat(keyPath) - if err1 != nil || err2 != nil { - missing = true + certsAvailable := checkCertAndKeyAvailable(certPath, keyPath) + if !certsAvailable { + // Fetch tenant scoped client certs, if any. + certPath = ctx.ClientForTenantCertPath(username, ctx.tenID.String()) + keyPath = ctx.ClientForTenantKeyPath(username, ctx.tenID.String()) + certsAvailable = checkCertAndKeyAvailable(certPath, keyPath) } // If the command specifies user node, and we did not find // client.node.crt, try with just node.crt. - if missing && username.IsNodeUser() { - missing = false + if !certsAvailable && username.IsNodeUser() { certPath = ctx.NodeCertPath() keyPath = ctx.NodeKeyPath() - _, err1 = loader.Stat(certPath) - _, err2 = loader.Stat(keyPath) - if err1 != nil || err2 != nil { - missing = true - } + certsAvailable = checkCertAndKeyAvailable(certPath, keyPath) } // If we found some certs, add them to the URL authentication // method. - if !missing { + if certsAvailable { pwEnabled, hasPw, pwd := u.GetAuthnPassword() if !pwEnabled { u.WithAuthn(pgurl.AuthnClientCert(certPath, keyPath)) @@ -130,3 +124,10 @@ func (ctx *SecurityContext) PGURL(user *url.Userinfo) (*pgurl.URL, error) { } return u, nil } + +func checkCertAndKeyAvailable(certPath string, keyPath string) bool { + loader := security.GetAssetLoader() + _, err1 := loader.Stat(certPath) + _, err2 := loader.Stat(keyPath) + return err1 == nil && err2 == nil +} 
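Review bot: `checkCertAndKeyAvailable` is a new package-level function without a doc comment; suggest `// checkCertAndKeyAvailable reports whether both certPath and keyPath exist according to the asset loader; any Stat error counts as absent.` The lookup order in LoadSecurityOptions (which starts outside the hunk) is also worth a comment: the unscoped `client.<user>` pair always wins, so a tenant-scoped certificate is consulted only when no unscoped one exists, which matters to operators who keep both on disk. For the system tenant the fallback probes `client.<user>@tenant-<ctx.tenID.String()>`, which is harmless but could be skipped with a `SystemTenantID` check if the rpc package already imports roachpb.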
diff --git a/pkg/security/BUILD.bazel b/pkg/security/BUILD.bazel index 756adbb8c1d0..911d2bcaec2b 100644 --- a/pkg/security/BUILD.bazel +++ b/pkg/security/BUILD.bazel @@ -23,6 +23,7 @@ go_library( visibility = ["//visibility:public"], deps = [ "//pkg/clusterversion", + "//pkg/roachpb", "//pkg/server/telemetry", "//pkg/settings", "//pkg/settings/cluster", diff --git a/pkg/security/auth.go b/pkg/security/auth.go index 0e38efdb3e7a..e7cc43d5142a 100644 --- a/pkg/security/auth.go +++ b/pkg/security/auth.go @@ -17,6 +17,7 @@ import ( "fmt" "strings" + "github.com/cockroachdb/cockroach/pkg/roachpb" "github.com/cockroachdb/cockroach/pkg/util/syncutil" "github.com/cockroachdb/errors" ) @@ -108,15 +109,22 @@ func Contains(sl []string, s string) bool { // UserAuthCertHook builds an authentication hook based on the security // mode and client certificate. -func UserAuthCertHook(insecureMode bool, tlsState *tls.ConnectionState) (UserAuthHook, error) { +func UserAuthCertHook( + insecureMode bool, tlsState *tls.ConnectionState, tenantID roachpb.TenantID, +) (UserAuthHook, error) { var certUsers []string - + var certTenantID roachpb.TenantID + var isTenantScopedCert bool if !insecureMode { var err error certUsers, err = GetCertificateUsers(tlsState) if err != nil { return nil, err } + certTenantID, isTenantScopedCert, err = maybeGetTenantScopeFromClientCert(tlsState) + if err != nil { + return nil, err + } } return func(ctx context.Context, systemIdentity SQLUsername, clientConnection bool) error { 
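Review bot: The `UserAuthCertHook` doc comment was not updated for the new `tenantID` parameter; suggest appending `tenantID is the tenant this server serves; a tenant-scoped client certificate is accepted only when its scope matches it.` In insecure mode `certTenantID` and `isTenantScopedCert` keep their zero values, so the returned hook later treats the certificate as unscoped; that is consistent, but a one-line comment on the `if !insecureMode` block stating it would make the intent explicit. The hook closure continues outside the hunk.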
@@ -141,8 +149,19 @@ func UserAuthCertHook(insecureMode bool, tlsState *tls.ConnectionState) (UserAut return errors.Errorf("using tenant client certificate as user certificate is not allowed") } - // The client certificate user must match the requested user. - if !Contains(certUsers, systemIdentity.Normalized()) { + // If the certificate is a tenant scoped client certificate, we should enforce that the tenant ID + // and client name matches with the certificate. Otherwise, it is sufficient to just check that the + // client name matches the certificate. + // TODO(rima): Should we enforce always using tenant scoped client cert for non-system tenants? + if isTenantScopedCert { + // Enforce that the tenant ID *and* user matches the certificate + if tenantID != certTenantID { + return errors.Errorf("certificate is for tenant ID %s, but current tenant ID is %s", certTenantID, tenantID) + } + if !Contains(certUsers, systemIdentity.Normalized()) { + return errors.Errorf("requested user is %s, but certificate is for %s", systemIdentity, certUsers) + } + } else if !Contains(certUsers, systemIdentity.Normalized()) { return errors.Errorf("requested user is %s, but certificate is for %s", systemIdentity, certUsers) } 
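Review bot: The tenant-scoped branch repeats the `Contains(certUsers, systemIdentity.Normalized())` check and its error message verbatim from the `else if`; the same rule reads more simply as a tenant check followed by the pre-existing user check: `if isTenantScopedCert && tenantID != certTenantID { return errors.Errorf("certificate is for tenant ID %s, but current tenant ID is %s", certTenantID, tenantID) }` and then the unchanged `if !Contains(...)` block. That keeps the user-mismatch message in one place. The `TODO(rima)` about requiring tenant-scoped certificates for non-system tenants is the real policy gap, since one of the new auth_test cases (unscoped `foo` cert against `MakeTenantID(123)`) pins the permissive behaviour as expected; it deserves a tracking issue reference rather than a bare TODO.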
@@ -220,3 +239,37 @@ func (i *PasswordUserAuthError) Format(s fmt.State, verb rune) { errors.FormatEr
 func (i *PasswordUserAuthError) FormatError(p errors.Printer) error {
 	return i.err
 }
+
+// maybeGetTenantScopeFromClientCert returns a tenantID if the client certificate is scoped
+// to a tenant. It returns a bool value which is set to true if the certificate is a tenant
+// scoped client certificate.
+func maybeGetTenantScopeFromClientCert(
+	tlsState *tls.ConnectionState,
+) (tenantScope roachpb.TenantID, isTenantScopedCert bool, _ error) {
+	if tlsState == nil {
+		return roachpb.TenantID{}, false, errors.Errorf("request is not using TLS")
+	}
+	if len(tlsState.PeerCertificates) == 0 {
+		return roachpb.TenantID{}, false, errors.Errorf("no client certificates in request")
+	}
+	// The go server handshake code verifies the first certificate, using
+	// any following certificates as intermediates. See:
+	// https://github.com/golang/go/blob/go1.8.1/src/crypto/tls/handshake_server.go#L723:L742
+	peerCert := tlsState.PeerCertificates[0]
+	uris := peerCert.URIs
+	var tenantID roachpb.TenantID
+	var err error
+	for _, uri := range uris {
+		if uri.Host == "tenant" {
+			tenantInfo := strings.TrimPrefix(uri.Path, "/")
+			tenantID, err = roachpb.ParseTenantID(tenantInfo)
+			if err != nil {
+				return roachpb.TenantID{}, true, errors.Wrapf(err, "tenant ID: %s contained in cert is invalid", tenantInfo)
+			}
+			return tenantID, true, nil
+		}
+	}
+
+	// No tenant info contained within cert, return default system tenant
+	return roachpb.SystemTenantID, false, nil
+}
diff --git a/pkg/security/auth_test.go b/pkg/security/auth_test.go
index def5a48a6aa7..fa981e4a6353 100644
--- a/pkg/security/auth_test.go
+++ b/pkg/security/auth_test.go
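Review bot: The URI SAN is matched on `uri.Host == "tenant"` alone; the scheme is never checked, so any URI SAN whose authority is `tenant` is treated as a tenant scope, while the tests in this change use `crdb://tenant/<id>` and the scheme written by the cert generator is not visible here. Checking the scheme as well, `if uri.Scheme == "crdb" && uri.Host == "tenant"` (or whatever constant the generator uses, ideally shared), narrows the match to what the generator produces. The loop also returns on the first `tenant` URI, so a certificate carrying two different tenant URIs silently uses the first; returning an error when more than one is present is cheap and stricter. The doc comment should also state that a non-scoped certificate yields `SystemTenantID, false, nil`, since callers branch on that.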
@@ -15,9 +15,11 @@ import ( "crypto/tls" "crypto/x509" "crypto/x509/pkix" + "net/url" "strings" "testing" + "github.com/cockroachdb/cockroach/pkg/roachpb" "github.com/cockroachdb/cockroach/pkg/security" "github.com/cockroachdb/cockroach/pkg/testutils" "github.com/cockroachdb/cockroach/pkg/util/leaktest" 
@@ -25,18 +27,24 @@ import ( ) // Construct a fake tls.ConnectionState object. The spec is a semicolon -// separated list if peer certificate specifications. Each peer certificate +// separated list of peer certificate specifications. Each peer certificate // specification can have an optional OU in parenthesis followed by // a comma separated list of names where the first name is the -// CommonName and the remaining names are SubjectAlternateNames. For example, +// CommonName and the remaining names are SubjectAlternateNames. +// The SubjectAlternateNames can go under DNSNames or URIs. To distinguish +// the two, prefix the SAN with the type dns: or uri:. For example, // "foo" creates a single peer certificate with the CommonName "foo". The spec -// "foo,bar" creates a single peer certificate with the CommonName "foo" and a -// single SubjectAlternateName "bar". "(Tenants)foo,bar" creates a single -// tenant client certificate with OU=Tenants, CN=foo and subjectAlternativeName=bar +// "foo,dns:bar,dns:blah" creates a single peer certificate with the CommonName "foo" and a +// DNSNames "bar" and "blah". "(Tenants)foo,dns:bar" creates a single +// tenant client certificate with OU=Tenants, CN=foo and DNSName=bar. +// A spec with "foo,dns:bar,uri:crdb://tenant/123" creates a single peer certificate +// with CommonName foo, DNSName bar and URI set to crdb://tenant/123. // Contrast that with "foo;bar" which creates two peer certificates with the // CommonNames "foo" and "bar" respectively. -func makeFakeTLSState(spec string) *tls.ConnectionState { +func makeFakeTLSState(t *testing.T, spec string) *tls.ConnectionState { tls := &tls.ConnectionState{} + uriPrefix := "uri:" + dnsPrefix := "dns:" if spec != "" { for _, peerSpec := range strings.Split(spec, ";") { var ou []string 
@@ -54,7 +62,20 @@ func makeFakeTLSState(spec string) *tls.ConnectionState { CommonName: names[0], OrganizationalUnit: ou, } - peerCert.DNSNames = names[1:] + for i := 1; i < len(names); i++ { + if strings.HasPrefix(names[i], dnsPrefix) { + peerCert.DNSNames = append(peerCert.DNSNames, strings.TrimPrefix(names[i], dnsPrefix)) + } else if strings.HasPrefix(names[i], uriPrefix) { + rawURI := strings.TrimPrefix(names[i], uriPrefix) + url, err := url.Parse(rawURI) + if err != nil { + t.Fatalf("unable to create tls spec due to invalid URI %s", rawURI) + } + peerCert.URIs = append(peerCert.URIs, url) + } else { + t.Fatalf("subject altername names are expected to have uri: or dns: prefix") + } + } tls.PeerCertificates = append(tls.PeerCertificates, peerCert) } } 
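Review bot: In the new URI branch of makeFakeTLSState, `url, err := url.Parse(rawURI)` shadows the `net/url` package with a local variable; it compiles because the package is not referenced again in that scope, but it is a maintenance trap. Rename to `u, err := url.Parse(rawURI)` and `peerCert.URIs = append(peerCert.URIs, u)`. Typo in the fatal message: `altername` should be `alternate`. The function begins and ends outside the hunk.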
@@ -69,33 +90,33 @@ func TestGetCertificateUsers(t *testing.T) { } // No certificates. - if _, err := security.GetCertificateUsers(makeFakeTLSState("")); err == nil { + if _, err := security.GetCertificateUsers(makeFakeTLSState(t, "")); err == nil { t.Error("unexpected success") } // Good request: single certificate. - if names, err := security.GetCertificateUsers(makeFakeTLSState("foo")); err != nil { + if names, err := security.GetCertificateUsers(makeFakeTLSState(t, "foo")); err != nil { t.Error(err) } else { require.EqualValues(t, names, []string{"foo"}) } // Request with multiple certs, but only one chain (eg: origin certs are client and CA). - if names, err := security.GetCertificateUsers(makeFakeTLSState("foo;CA")); err != nil { + if names, err := security.GetCertificateUsers(makeFakeTLSState(t, "foo;CA")); err != nil { t.Error(err) } else { require.EqualValues(t, names, []string{"foo"}) } // Always use the first certificate. - if names, err := security.GetCertificateUsers(makeFakeTLSState("foo;bar")); err != nil { + if names, err := security.GetCertificateUsers(makeFakeTLSState(t, "foo;bar")); err != nil { t.Error(err) } else { require.EqualValues(t, names, []string{"foo"}) } // Extract all of the principals from the first certificate. - if names, err := security.GetCertificateUsers(makeFakeTLSState("foo,bar,blah;CA")); err != nil { + if names, err := security.GetCertificateUsers(makeFakeTLSState(t, "foo,dns:bar,dns:blah;CA")); err != nil { t.Error(err) } else { require.EqualValues(t, names, []string{"foo", "bar", "blah"}) 
@@ -145,11 +166,11 @@ func TestGetCertificateUsersMapped(t *testing.T) { // The last mapping for a principal takes precedence. {"foo", "foo:bar,foo:blah", "blah"}, // First principal mapped, second principal unmapped. - {"foo,bar", "foo:blah", "blah,bar"}, + {"foo,dns:bar", "foo:blah", "blah,bar"}, // First principal unmapped, second principal mapped. - {"bar,foo", "foo:blah", "bar,blah"}, + {"bar,dns:foo", "foo:blah", "bar,blah"}, // Both principals mapped. - {"foo,bar", "foo:bar,bar:foo", "bar,foo"}, + {"foo,dns:bar", "foo:bar,bar:foo", "bar,foo"}, // Verify desired string splits. {"foo:has:colon", "foo:has:colon:bar", "bar"}, } @@ -159,7 +180,7 @@ func TestGetCertificateUsersMapped(t *testing.T) { if err := security.SetCertPrincipalMap(vals); err != nil { t.Fatal(err) } - names, err := security.GetCertificateUsers(makeFakeTLSState(c.spec)) + names, err := security.GetCertificateUsers(makeFakeTLSState(t, c.spec)) if err != nil { t.Fatal(err) } 
@@ -184,29 +205,34 @@ func TestAuthenticationHook(t *testing.T) { buildHookSuccess bool publicHookSuccess bool privateHookSuccess bool + tenantID roachpb.TenantID }{ // Insecure mode, empty username. - {true, "", security.SQLUsername{}, "", true, false, false}, + {true, "", security.SQLUsername{}, "", true, false, false, roachpb.SystemTenantID}, // Insecure mode, non-empty username. - {true, "", fooUser, "", true, true, false}, + {true, "", fooUser, "", true, true, false, roachpb.SystemTenantID}, // Secure mode, no TLS state. - {false, "", security.SQLUsername{}, "", false, false, false}, + {false, "", security.SQLUsername{}, "", false, false, false, roachpb.SystemTenantID}, // Secure mode, bad user. - {false, "foo", security.NodeUserName(), "", true, false, false}, + {false, "foo", security.NodeUserName(), "", true, false, false, roachpb.SystemTenantID}, // Secure mode, node user. - {false, security.NodeUser, security.NodeUserName(), "", true, true, true}, + {false, security.NodeUser, security.NodeUserName(), "", true, true, true, roachpb.SystemTenantID}, // Secure mode, node cert and unrelated user. - {false, security.NodeUser, fooUser, "", true, false, false}, + {false, security.NodeUser, fooUser, "", true, false, false, roachpb.SystemTenantID}, // Secure mode, root user. - {false, security.RootUser, security.NodeUserName(), "", true, false, false}, + {false, security.RootUser, security.NodeUserName(), "", true, false, false, roachpb.SystemTenantID}, // Secure mode, tenant cert, foo user. - {false, "(Tenants)foo", fooUser, "", true, false, false}, + {false, "(Tenants)foo", fooUser, "", true, false, false, roachpb.SystemTenantID}, // Secure mode, multiple cert principals. 
- {false, "foo,bar", fooUser, "", true, true, false}, - {false, "foo,bar", barUser, "", true, true, false}, + {false, "foo,dns:bar", fooUser, "", true, true, false, roachpb.SystemTenantID}, + {false, "foo,dns:bar", barUser, "", true, true, false, roachpb.SystemTenantID}, // Secure mode, principal map. - {false, "foo,bar", blahUser, "foo:blah", true, true, false}, - {false, "foo,bar", blahUser, "bar:blah", true, true, false}, + {false, "foo,dns:bar", blahUser, "foo:blah", true, true, false, roachpb.SystemTenantID}, + {false, "foo,dns:bar", blahUser, "bar:blah", true, true, false, roachpb.SystemTenantID}, + {false, "foo,uri:crdb://tenant/123", fooUser, "", true, true, false, roachpb.MakeTenantID(123)}, + {false, "foo,uri:crdb://tenant/123", fooUser, "", true, false, false, roachpb.SystemTenantID}, + {false, "foo", fooUser, "", true, true, false, roachpb.MakeTenantID(123)}, + {false, "foo,uri:crdb://tenant/123", blahUser, "", true, false, false, roachpb.MakeTenantID(123)}, } ctx := context.Background() @@ -217,7 +243,7 @@ func TestAuthenticationHook(t *testing.T) { if err != nil { t.Fatal(err) } - hook, err := security.UserAuthCertHook(tc.insecure, makeFakeTLSState(tc.tlsSpec)) + hook, err := security.UserAuthCertHook(tc.insecure, makeFakeTLSState(t, tc.tlsSpec), tc.tenantID) if (err == nil) != tc.buildHookSuccess { t.Fatalf("expected success=%t, got err=%v", tc.buildHookSuccess, err) } diff --git a/pkg/security/certificate_loader.go b/pkg/security/certificate_loader.go index 653c1b5e0b49..891097e1be89 100644 --- a/pkg/security/certificate_loader.go +++ b/pkg/security/certificate_loader.go @@ -20,6 +20,7 @@ import ( "strings" "time" + "github.com/cockroachdb/cockroach/pkg/roachpb" "github.com/cockroachdb/cockroach/pkg/util/envutil" "github.com/cockroachdb/cockroach/pkg/util/log" "github.com/cockroachdb/cockroach/pkg/util/sysutil" 
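Review bot: The four new tenant rows at the end of the TestAuthenticationHook table have no explanatory comment, unlike every other row; suggest `// Secure mode, tenant-scoped cert matching the server tenant.`, `// Secure mode, tenant-scoped cert used against the system tenant.`, `// Secure mode, unscoped cert accepted by a non-system tenant (see TODO in auth.go).` and `// Secure mode, tenant-scoped cert with the wrong user.` The third row pins behaviour that the auth.go TODO flags as unresolved, so naming it keeps it from being read as an accidental expectation.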
@@ -93,6 +94,9 @@ const ( UIPem // ClientPem describes a client certificate. ClientPem + // TenantScopedClientPem describes a tenant scoped client certificate. + // This certificate can only be used to authenticate a client for a specific tenant. + TenantScopedClientPem // TenantPem describes a SQL tenant client certificate. TenantPem // TenantSigningPem describes a SQL tenant signing certificate. @@ -226,7 +230,16 @@ func CertInfoFromFilename(filename string) (*CertInfo, error) { fileUsage = ClientPem // Strip prefix and suffix and re-join middle parts. name = strings.Join(parts[1:numParts-1], `.`) - if len(name) == 0 { + if strings.Contains(name, "@tenant") { + // This is a tenant scoped client certificate, drop tenant ID from the name and update file usage. + fileUsage = TenantScopedClientPem + nameParts := strings.Split(name, "@") + if len(nameParts) != 2 || len(nameParts[0]) == 0 { + return nil, errors.Errorf("tenant scoped client certificate filename should match <user>@tenant-<tenant-id>") + } + name = nameParts[0] + } else if len(name) == 0 { + // This is not a tenant scoped client certificate, enforce that username is not empty. return nil, errors.Errorf("client certificate filename should match client.<user>%s", certExtension) } case `client-tenant`: 
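Review bot: The `@tenant` branch of CertInfoFromFilename only checks that splitting on `@` yields two parts with a non-empty user; `client.foo@tenantfoo.crt` or `client.foo@tenant.crt` pass and are classified `TenantScopedClientPem` even though the error text promises `<user>@tenant-<tenant-id>`. Tighten the guard to the documented format, `if len(nameParts) != 2 || len(nameParts[0]) == 0 || !strings.HasPrefix(nameParts[1], "tenant-") {`, and consider parsing the ID with `roachpb.ParseTenantID` here so this function and `extractTenantAndUserFromCertName` agree on what is valid. The trigger `strings.Contains(name, "@tenant")` also fires on a username that merely contains that text; `"@tenant-"` at least excludes the bare word. CertInfoFromFilename starts and ends outside the hunk.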
@@ -506,3 +519,26 @@ func validateCockroachCertificate(ci *CertInfo, cert *x509.Certificate) error {
 	}
 	return nil
 }
+
+func extractTenantAndUserFromCertName(filename string) (SQLUsername, roachpb.TenantID, error) {
+	tenantScopeFilenameError := errors.Errorf("expected tenant scoped cert name format is client.<user>@tenant-<tenant-id>.crt")
+	// Expected certificate filename format to be client.<user>@tenant-<tenant_id>.crt
+	parts := strings.Split(filename, ".")
+	if len(parts) != 3 {
+		return SQLUsername{}, roachpb.TenantID{}, tenantScopeFilenameError
+	}
+	userTenantPair := strings.Split(parts[1], "@")
+	if len(userTenantPair) != 2 {
+		return SQLUsername{}, roachpb.TenantID{}, tenantScopeFilenameError
+	}
+	username := MakeSQLUsernameFromPreNormalizedString(userTenantPair[0])
+	tenantInfo := strings.Split(userTenantPair[1], "-")
+	if len(tenantInfo) != 2 {
+		return SQLUsername{}, roachpb.TenantID{}, tenantScopeFilenameError
+	}
+	tenantID, err := roachpb.ParseTenantID(tenantInfo[1])
+	if err != nil {
+		return SQLUsername{}, roachpb.TenantID{}, errors.Errorf("invalid tenant id %s", tenantInfo[1])
+	}
+	return username, tenantID, nil
+}
diff --git a/pkg/security/certificate_loader_test.go b/pkg/security/certificate_loader_test.go
index 386314b62eec..ea3b95d096fa 100644
--- a/pkg/security/certificate_loader_test.go
+++ b/pkg/security/certificate_loader_test.go
@@ -53,6 +53,7 @@ func TestCertNomenclature(t *testing.T) {
 		{"client.root.crt", "", security.ClientPem, "root"},
 		{"client.foo-bar.crt", "", security.ClientPem, "foo-bar"},
 		{"client....foo.bar.baz.how.many.dots.do.you.need...really....crt", "", security.ClientPem, "...foo.bar.baz.how.many.dots.do.you.need...really..."},
+		{"client.foo-bar@tenant-123.crt", "", security.TenantScopedClientPem, "foo-bar"},
 
 		// Bad names. This function is only called on filenames ending with '.crt'.
 		{"crt", "not enough parts found", 0, ""},
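Review bot: `extractTenantAndUserFromCertName` never verifies that `tenantInfo[0]` is `tenant`, so `client.foo@anything-5.crt` parses as tenant 5; change the guard to `if len(tenantInfo) != 2 || tenantInfo[0] != "tenant" {`. It also splits the whole filename on `.` and requires exactly three parts, rejecting dotted usernames that `CertInfoFromFilename` and the `client....foo.bar...` nomenclature test accept, and it replaces the `ParseTenantID` error with a fresh `errors.Errorf` instead of wrapping it. The function has no doc comment and nothing in this diff calls it; if it is used elsewhere, a comment stating the accepted format and that the user part is taken as already normalized (`MakeSQLUsernameFromPreNormalizedString`) would help. Constructing `tenantScopeFilenameError` eagerly on every call is also wasteful; build it in the failing branches or make it a package-level sentinel.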
@@ -68,6 +69,7 @@ func TestCertNomenclature(t *testing.T) { {"client2.crt", "unknown prefix \"client2\"", 0, ""}, {"client.crt", "client certificate filename should match client.<user>.crt", 0, ""}, {"root.crt", "unknown prefix \"root\"", 0, ""}, + {"client.foo-bar@tenant-123@456.crt", "tenant scoped client certificate filename should match <user>@tenant-<tenant-id>", 0, ""}, } for i, tc := range testCases { diff --git a/pkg/security/certificate_manager.go b/pkg/security/certificate_manager.go index 1d8c244a25e5..86b63b21f4f8 100644 --- a/pkg/security/certificate_manager.go +++ b/pkg/security/certificate_manager.go @@ -117,13 +117,14 @@ type CertificateManager struct { initialized bool // Set of certs. These are swapped in during Load(), and never mutated afterwards. - caCert *CertInfo // default CA certificate - clientCACert *CertInfo // optional: certificate to verify client certificates - uiCACert *CertInfo // optional: certificate to verify UI certificates - nodeCert *CertInfo // certificate for nodes (always server cert, sometimes client cert) - nodeClientCert *CertInfo // optional: client certificate for 'node' user. Also included in 'clientCerts' - uiCert *CertInfo // optional: server certificate for the admin UI. - clientCerts map[SQLUsername]*CertInfo + caCert *CertInfo // default CA certificate + clientCACert *CertInfo // optional: certificate to verify client certificates + uiCACert *CertInfo // optional: certificate to verify UI certificates + nodeCert *CertInfo // certificate for nodes (always server cert, sometimes client cert) + nodeClientCert *CertInfo // optional: client certificate for 'node' user. Also included in 'clientCerts' + uiCert *CertInfo // optional: server certificate for the admin UI. + clientCerts map[SQLUsername]*CertInfo + tenantScopedClientCerts map[SQLUsername]*CertInfo // Certs only used with multi-tenancy. tenantCACert, tenantCert, tenantSigningCert *CertInfo 
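Review bot: The new negative case only covers a second `@`; the other rejection the loader adds in the `@@ -226` hunk, an empty user before the `@`, is not exercised. Adding `{"client.@tenant-1.crt", "tenant scoped client certificate filename should match <user>@tenant-<tenant-id>", 0, ""},` pins that branch, and a spelling without the `tenant-` segment (currently accepted here but rejected later by `extractTenantAndUserFromCertName`) is worth a case once the two parsers agree.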
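Review bot: `tenantScopedClientCerts` is the only field in this block without a trailing comment, and what it holds is not obvious from the type alone (the `@@ -665` hunk fills it only with certificates whose tenant matches `cm.tenantIdentifier`). Suggest `tenantScopedClientCerts map[SQLUsername]*CertInfo // optional: client certificates scoped to this manager's tenant, keyed by user`. The CertificateManager struct starts before this hunk.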
@@ -431,6 +432,16 @@ func ClientCertFilename(user SQLUsername) string { return "client." + user.Normalized() + certExtension } +// ClientForTenantCertPath returns the expected file path for the user's tenant scoped certificate. +func (cl CertsLocator) ClientForTenantCertPath(user SQLUsername, tenantID string) string { + return filepath.Join(cl.certsDir, ClientForTenantCertFilename(user, tenantID)) +} + +// ClientForTenantCertFilename returns the expected file name for the user's tenant scoped certificate. +func ClientForTenantCertFilename(user SQLUsername, tenantID string) string { + return "client." + user.Normalized() + "@tenant-" + tenantID + certExtension +} + // ClientKeyPath returns the expected file path for the user's key. func (cl CertsLocator) ClientKeyPath(user SQLUsername) string { return filepath.Join(cl.certsDir, ClientKeyFilename(user)) @@ -441,6 +452,16 @@ func ClientKeyFilename(user SQLUsername) string { return "client." + user.Normalized() + keyExtension } +// ClientForTenantKeyPath returns the expected file path for the user's tenant scoped key +func (cl CertsLocator) ClientForTenantKeyPath(user SQLUsername, tenantID string) string { + return filepath.Join(cl.certsDir, ClientForTenantKeyFilename(user, tenantID)) +} + +// ClientForTenantKeyFilename returns the expected file name for the user's key. +func ClientForTenantKeyFilename(user SQLUsername, tenantID string) string { + return "client." + user.Normalized() + "@tenant-" + tenantID + keyExtension +} + // SQLServiceCertPath returns the expected file path for the // SQL service certificate func (cl CertsLocator) SQLServiceCertPath() string { 
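Review bot: The doc comment on `ClientForTenantKeyFilename` was copied from the plain key helper and describes the wrong thing, and `ClientForTenantKeyPath`'s comment lacks its period; suggest `// ClientForTenantKeyFilename returns the expected file name for the user's tenant scoped key.` Both exported helpers splice `tenantID` verbatim into a file name under certsDir, and only `CreateClientPair` (certs.go hunk) validates the string with `roachpb.ParseTenantID` first, so the comments should state that callers must pass an already validated tenant ID, e.g. `// tenantID must be a validated tenant ID string; see CreateClientPair.`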
@@ -589,6 +610,14 @@ func (cm *CertificateManager) ClientCerts() map[SQLUsername]*CertInfo { return cm.clientCerts } +// TenantScopedClientCerts returns the tenant scoped client certs. +// Callers should check for internal Error fields. +func (cm *CertificateManager) TenantScopedClientCerts() map[SQLUsername]*CertInfo { + cm.mu.RLock() + defer cm.mu.RUnlock() + return cm.tenantScopedClientCerts +} + // Error is the error type for this package. // TODO(knz): make this an error wrapper. type Error struct { @@ -623,6 +652,7 @@ func (cm *CertificateManager) LoadCertificates() error { var caCert, clientCACert, uiCACert, nodeCert, uiCert, nodeClientCert *CertInfo var tenantCACert, tenantCert, tenantSigningCert *CertInfo clientCerts := make(map[SQLUsername]*CertInfo) + tenantScopedClientCerts := make(map[SQLUsername]*CertInfo) for _, ci := range cl.Certificates() { switch ci.FileUsage { case CAPem: @@ -665,6 +695,14 @@ func (cm *CertificateManager) LoadCertificates() error { if username.IsNodeUser() { nodeClientCert = ci } + case TenantScopedClientPem: + username, tenantID, err := extractTenantAndUserFromCertName(ci.Filename) + if err != nil { + return err + } + if cm.tenantIdentifier == tenantID.ToUint64() { + tenantScopedClientCerts[username] = ci + } default: return errors.Errorf("unsupported certificate %v", ci.Filename) } @@ -722,6 +760,7 @@ func (cm *CertificateManager) LoadCertificates() error { cm.nodeClientCert = nodeClientCert cm.uiCert = uiCert cm.clientCerts = clientCerts + cm.tenantScopedClientCerts = tenantScopedClientCerts cm.initialized = true 
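Review bot: In the `TenantScopedClientPem` case the bare `return err` drops the filename that the `default` branch includes and that the helper's own message lacks, and certificates scoped to other tenants fall through silently; `return errors.Wrapf(err, "loading %s", ci.Filename)` and a comment such as `// Certificates scoped to a different tenant are ignored by this manager.` would make both visible. `cm.tenantIdentifier` is set outside this diff; it is worth confirming that a manager constructed without `ForTenant` (the `@@ -43` test asserts it loads zero tenant scoped certs) cannot match a scoped certificate through a default value. LoadCertificates starts and ends outside this hunk.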
@@ -982,6 +1021,14 @@ func (cm *CertificateManager) getClientCertLocked(user SQLUsername) (*CertInfo, return ci, nil } +func (cm *CertificateManager) getTenantScopedClientCertLocked(user SQLUsername) (*CertInfo, error) { + ci := cm.tenantScopedClientCerts[user] + if err := checkCertIsValid(ci); err != nil { + return nil, makeErrorf(err, "problem with client cert for user %s", user) + } + return ci, nil +} + // getNodeClientCertLocked returns the client cert/key for the node user. // Use the client certificate for 'node' if it exists, otherwise use // the node certificate which should be a combined client/server certificate. @@ -1086,6 +1133,7 @@ func (cm *CertificateManager) GetTenantSigningCert() (*CertInfo, error) { // GetClientTLSConfig returns the most up-to-date client tls.Config. // Returns the dual-purpose node certs if user == NodeUser and there is no // separate client cert for 'node'. +// Returns the tenant-scoped client certificate if there is no separate client certificate. func (cm *CertificateManager) GetClientTLSConfig(user SQLUsername) (*tls.Config, error) { cm.mu.Lock() defer cm.mu.Unlock() @@ -1112,7 +1160,6 @@ func (cm *CertificateManager) GetClientTLSConfig(user SQLUsername) (*tls.Config, if err != nil { return nil, err } - cfg, err := newClientTLSConfig( cm.tlsSettings, clientCert.FileContents, diff --git a/pkg/security/certificate_manager_test.go b/pkg/security/certificate_manager_test.go index 922d13f3baf1..e7c493e723c2 100644 --- a/pkg/security/certificate_manager_test.go +++ b/pkg/security/certificate_manager_test.go @@ -26,7 +26,7 @@ import ( func TestManagerWithEmbedded(t *testing.T) { defer leaktest.AfterTest(t)() - cm, err := security.NewCertificateManager("test_certs", security.CommandTLSSettings{}) + cm, err := security.NewCertificateManager(security.EmbeddedCertsDir, security.CommandTLSSettings{}) if err != nil { t.Error(err) } 
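Review bot: `getTenantScopedClientCertLocked` has no doc comment, unlike its neighbour `getNodeClientCertLocked`, and its error text `problem with client cert for user %s` is indistinguishable from the plain client-cert path, which matters when diagnosing which certificate was rejected. Suggest `// getTenantScopedClientCertLocked returns the tenant scoped client cert/key for user; the Locked suffix and the cm.mu.Lock() in GetClientTLSConfig indicate the caller holds cm.mu.` and `makeErrorf(err, "problem with tenant scoped client cert for user %s", user)`. Whether `checkCertIsValid` handles a nil map entry for an unknown user is not visible here; the plain `getClientCertLocked` path above presumably relies on the same behaviour.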
@@ -43,6 +43,10 @@ func TestManagerWithEmbedded(t *testing.T) { t.Errorf("expected %d client certs, found %d", e, a) } + // Verify that there are no embedded tenant scoped certificates for system tenant. + tenantScopedClientCerts := cm.TenantScopedClientCerts() + require.Equal(t, 0, len(tenantScopedClientCerts)) + if _, ok := clientCerts[security.RootUserName()]; !ok { t.Error("no client cert for root user found") } @@ -68,6 +72,17 @@ func TestManagerWithEmbedded(t *testing.T) { security.MakeSQLUsernameFromPreNormalizedString("my-random-user")); err == nil { t.Error("unexpected success") } + + // Verify tenant scoped certificates embedded certificates are loaded. + tenant := security.EmbeddedTenantIDs()[0] + cm, err = security.NewCertificateManager(security.EmbeddedCertsDir, security.CommandTLSSettings{}, security.ForTenant(tenant)) + require.NoError(t, err) + tenantScopedClientCerts = cm.TenantScopedClientCerts() + require.Equal(t, 1, len(tenantScopedClientCerts)) + + if _, ok := tenantScopedClientCerts[security.TestUserName()]; !ok { + t.Errorf("no tenant scoped client cert for %s user found for tenant %d", security.TestUser, tenant) + } } func TestManagerWithPrincipalMap(t *testing.T) { @@ -91,7 +106,7 @@ func TestManagerWithPrincipalMap(t *testing.T) { certsDir, caKey, testKeySize, time.Hour*96, true, true, )) require.NoError(t, security.CreateClientPair( - certsDir, caKey, testKeySize, time.Hour*48, true, security.TestUserName(), false, + certsDir, caKey, testKeySize, time.Hour*48, true, security.TestUserName(), "", false, )) require.NoError(t, security.CreateNodePair( certsDir, caKey, testKeySize, time.Hour*48, true, []string{"127.0.0.1", "foo"}, diff --git a/pkg/security/certs.go b/pkg/security/certs.go index 926bfa6a54d3..8bfaa9112143 100644 --- a/pkg/security/certs.go +++ b/pkg/security/certs.go 
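Review bot: The tenant scoped assertion only checks that the manager built for `EmbeddedTenantIDs()[0]` sees one certificate; nothing checks that a manager built for a different tenant does not see the TestUser certificate, which is the filtering the `@@ -665` hunk in certificate_manager.go introduces. If the embedded fixtures contain a second tenant ID, a second `security.NewCertificateManager(security.EmbeddedCertsDir, security.CommandTLSSettings{}, security.ForTenant(other))` followed by `require.Equal(t, 0, len(cm.TenantScopedClientCerts()))` (or the count expected for that tenant) would pin it. TestManagerWithEmbedded starts before this hunk.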
@@ -26,6 +26,7 @@ import ( "path/filepath" "time" + "github.com/cockroachdb/cockroach/pkg/roachpb" "github.com/cockroachdb/cockroach/pkg/util/envutil" "github.com/cockroachdb/cockroach/pkg/util/log" "github.com/cockroachdb/errors" @@ -377,12 +378,16 @@ func CreateUIPair( // exist in the CA cert, the first one is used. // If a client CA exists, this is used instead. // If wantPKCS8Key is true, the private key in PKCS#8 encoding is written as well. +// If the client certificate being created needs to be scoped to a specific tenant, +// the tenantScope should be set to the tenant ID. Otherwise, the tenantScope +// should be set to an empty string. func CreateClientPair( certsDir, caKeyPath string, keySize int, lifetime time.Duration, overwrite bool, user SQLUsername, + tenantScope string, wantPKCS8Key bool, ) error { if len(caKeyPath) == 0 { @@ -391,6 +396,12 @@ func CreateClientPair( if len(certsDir) == 0 { return errors.New("the path to the certs directory is required") } + if len(tenantScope) != 0 { + // Confirm tenantID is valid. + if _, err := roachpb.ParseTenantID(tenantScope); err != nil { + return errors.Wrapf(err, "tenant scope %s is invalid", tenantScope) + } + } // The certificate manager expands the env for the certs directory. // For consistency, we need to do this for the key as well. 
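Review bot: `tenantScope` is validated with `roachpb.ParseTenantID`, but the original string rather than the parsed value is what the `@@ -423` hunk below splices into the file name and passes to `GenerateClientCert`; if the parser accepts non-canonical spellings such as leading zeros, the same tenant could end up with differently named files and SANs. Keeping the parsed ID closes that gap: `tid, err := roachpb.ParseTenantID(tenantScope)`, then on success `tenantScope = strconv.FormatUint(tid.ToUint64(), 10)` (`strconv` would need importing if certs.go does not already). CreateClientPair continues outside this hunk.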
@@ -423,18 +434,26 @@ func CreateClientPair( return errors.Wrap(err, "could not generate new client key") } - clientCert, err := GenerateClientCert(caCert, caPrivateKey, clientKey.Public(), lifetime, user) + clientCert, err := GenerateClientCert(caCert, caPrivateKey, clientKey.Public(), lifetime, user, tenantScope) if err != nil { return errors.Wrap(err, "error creating client certificate and key") } - certPath := cm.ClientCertPath(user) + var certPath string + var keyPath string + + if tenantScope != "" { + certPath = cm.ClientForTenantCertPath(user, tenantScope) + keyPath = cm.ClientForTenantKeyPath(user, tenantScope) + } else { + certPath = cm.ClientCertPath(user) + keyPath = cm.ClientKeyPath(user) + } if err := writeCertificateToFile(certPath, clientCert, overwrite); err != nil { return errors.Wrapf(err, "error writing client certificate to %s", certPath) } log.Infof(context.Background(), "generated client certificate: %s", certPath) - keyPath := cm.ClientKeyPath(user) if err := writeKeyToFile(keyPath, clientKey, overwrite); err != nil { return errors.Wrapf(err, "error writing client key to %s", keyPath) } diff --git a/pkg/security/certs_test.go b/pkg/security/certs_test.go index 6b3cdec44dfa..0e7ac5d51074 100644 --- a/pkg/security/certs_test.go +++ b/pkg/security/certs_test.go 
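Review bot: The empty check here (`tenantScope != ""`) differs from the `len(tenantScope) != 0` used a few lines earlier in the same function (`@@ -391` hunk); pick one form. The two declarations can also be folded into `var certPath, keyPath string`. `GenerateClientCert`'s new `tenantScope` parameter is not part of this diff, so where the scope is encoded into the certificate (the `crdb://tenant/<id>` URI the certs_test hunk expects) cannot be checked here. CreateClientPair starts and ends outside this hunk.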
@@ -170,6 +170,78 @@ func TestGenerateTenantCerts(t *testing.T) { }, infos) } +// TestGenerateClientCerts tests client certificates are generated as expected: +// - Regular client certificates have the username set correctly. +// - Tenant scoped client certificates have the username set correctly and also +// have the tenant ID embedded as a SAN. +func TestGenerateClientCerts(t *testing.T) { + defer leaktest.AfterTest(t)() + // Do not mock cert access for this test. + security.ResetAssetLoader() + defer ResetTest() + + certsDir := t.TempDir() + + caKeyFile := certsDir + "/ca.key" + // Generate CA key and crt. + require.NoError(t, security.CreateCAPair(certsDir, caKeyFile, testKeySize, + time.Hour*72, false /* allowReuse */, false /* overwrite */)) + username := "test-user" + tenantScope := "123" + // Create tenant-scoped client cert. + require.NoError(t, security.CreateClientPair( + certsDir, + caKeyFile, + testKeySize, + 48*time.Hour, + false, /*overwrite */ + security.MakeSQLUsernameFromPreNormalizedString(username), + tenantScope, + false /* wantPKCS8Key */)) + + // Create a regular client cert that is not scoped to a specific tenant. + require.NoError(t, security.CreateClientPair( + certsDir, + caKeyFile, + testKeySize, + 48*time.Hour, + false, /*overwrite */ + security.MakeSQLUsernameFromPreNormalizedString(username), + "", /* tenantScope */ + false /* wantPKCS8Key */)) + + // Load and verify the certificates. + cl := security.NewCertificateLoader(certsDir) + require.NoError(t, cl.Load()) + infos := cl.Certificates() + for _, info := range infos { + require.NoError(t, info.Error) + } + + // We expect three certificates: the CA certificate, the tenant scoped client certificate + // and the regular client certificate. 
+ require.Equal(t, len(infos), 3) + expectedClientCrtName := fmt.Sprintf("client.%s.crt", username) + expectedTenantScopedClientCrtName := fmt.Sprintf("client.%s@tenant-%s.crt", username, tenantScope) + for _, info := range infos { + if info.Filename == "ca.crt" { + continue + } + if info.Filename == expectedClientCrtName { + require.Equal(t, info.FileUsage, security.ClientPem) + require.Equal(t, username, info.Name) + } else if info.Filename == expectedTenantScopedClientCrtName { + require.Equal(t, info.FileUsage, security.TenantScopedClientPem) + require.Equal(t, username, info.Name) + require.Equal(t, 1, len(info.ParsedCertificates)) + require.Equal(t, 1, len(info.ParsedCertificates[0].URIs)) + require.Equal(t, "crdb://tenant/123", info.ParsedCertificates[0].URIs[0].String()) + } else { + t.Fatalf("Unexpected cert %s", info.Filename) + } + } +} + func TestGenerateNodeCerts(t *testing.T) { defer leaktest.AfterTest(t)() // Do not mock cert access for this test. @@ -227,7 +299,7 @@ func generateBaseCerts(certsDir string) error { if err := security.CreateClientPair( certsDir, caKey, - testKeySize, time.Hour*48, true, security.RootUserName(), false, + testKeySize, time.Hour*48, true, security.RootUserName(), "", false, ); err != nil { return err } @@ -281,14 +353,14 @@ func generateSplitCACerts(certsDir string) error { if err := security.CreateClientPair( certsDir, filepath.Join(certsDir, security.EmbeddedClientCAKey), - testKeySize, time.Hour*48, true, security.NodeUserName(), false, + testKeySize, time.Hour*48, true, security.NodeUserName(), "", false, ); err != nil { return errors.Wrap(err, "could not generate Client pair") } if err := security.CreateClientPair( certsDir, filepath.Join(certsDir, security.EmbeddedClientCAKey), - testKeySize, time.Hour*48, true, security.RootUserName(), false, + testKeySize, time.Hour*48, true, security.RootUserName(), "", false, ); err != nil { return errors.Wrap(err, "could not generate Client pair") } 
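Review bot: `caKeyFile := certsDir + "/ca.key"` builds the path by concatenation while the same file uses `filepath.Join` (`@@ -281` hunk); `caKeyFile := filepath.Join(certsDir, "ca.key")` keeps it portable. `require.Equal(t, len(infos), 3)` also has expected and actual swapped relative to every other `require.Equal` call in the test (`require.Equal(t, 1, len(...))`), which makes a failure message misleading; write `require.Equal(t, 3, len(infos))`. TestGenerateClientCerts begins on the previous line of this hunk.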
diff --git a/pkg/security/securitytest/test_certs/ca-client-tenant.crt b/pkg/security/securitytest/test_certs/ca-client-tenant.crt index 80516c312dc1..76486aaa949d 100644 --- a/pkg/security/securitytest/test_certs/ca-client-tenant.crt +++ b/pkg/security/securitytest/test_certs/ca-client-tenant.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDJjCCAg6gAwIBAgIRAP3ot2EqZmVMs9ZW7K+ge8cwDQYJKoZIhvcNAQELBQAw +MIIDJjCCAg6gAwIBAgIRAIB1w/vjXWICyZP8tNsASaEwDQYJKoZIhvcNAQELBQAw KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN -MjIwMTEwMTkwMTIwWhcNMzIwMTE5MTkwMTIwWjArMRIwEAYDVQQKEwlDb2Nrcm9h +MjIwNDEwMjAwNDM3WhcNMzIwNDE4MjAwNDM3WjArMRIwEAYDVQQKEwlDb2Nrcm9h Y2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBAMeGaYPQCNgFEeW30pFfUzuge7AX96mHjgcAwkwonBfYWFL4LduV -/bry0uGuXfr079sULQFSaB5BQUvWWjGSW9lPQ3oQAw0PXqFCj0euBaypMAQgTQcw -MQOis1OWOs+8gIAb17dXPxMC0DsRj/aEjt7WIEfQFpkHjdl9CjFfXn6FgQMDpp6/ -W1WEXG0AU8l4XRyrT3450VaPRudi/88muPdvSWPuRNxolepEgzpCQHJptaPBn0Tr -gZQHxfoY93vvoEJJjh6QC9JqgTpwS8Dmv4bKkkAsSpVVXR5tKW3wtqGGh2fTWmcl -cIcNEFudTJ2Nry5/mY9zB4Xiqx/IAgrJatMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD -AgLkMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFAw9X1Nmta6HSkIVuZTb -D9czNUg6MA0GCSqGSIb3DQEBCwUAA4IBAQDEeaGEFc49osHz81rb6+j6K9GWqWuP -v9ktK+A3sBG8xbF763OFPF7yXWtSPxe9g3sqpAursQ2wPCm6R3j4gd2ekoT8aE86 -WZNcVJ0oLy/HWOjPtiKlbbh4rQIZNhV2f1UXkkfLANbjdZhtlD1ljuSC7IOtdRuy -g0y9Rxp9BChA1s5M1GQevW0qzUSiZbhDiQ2zjB5Uq0GIjhUrKgh4H7w9Ra2uozRO -v2u8GNXRBRsTIWYaHT80Kb9wZIqEsXQ3YlrjTO1WY/Blv0WtTCkeU3wwV6NzHmCr -isRyL6YpvKCbdvWXWd5Q7LV4zKHxi7yy9gkxvmuXbvL6asqdHeWcvvSX +ADCCAQoCggEBALItc0WreTLL2dRVi5T6qq0KyXVQQTNKLJwJQYOFOmL0GXZnHCAF +IBDBYEXekFxDk6bbUvofqBtmyuoY+8F3KKF4ycVhFnJX8BjcBc6dYqKsw+L3tjOc +4DpjR7p1QNdI3tSA5oDAZ/3ZXMzGhwRNehv3yzlrk+qkhXEmOJriz5/hGP4p+EyL +sN2A8bJlFkc1CHH3GSrKCffax3hRkwOxs34nCgjLVOPDZKEEvQoCpYTRQb/gjpRs +jRHGlMOwP/IjLmQ53Fzfkt+maY6H8vBjjBABdCMRdpEh/mWO4HdT0DtNtXONosqZ +lkqlnjJagwVvXMTpeio+2/Ca1751N0JhcscCAwEAAaNFMEMwDgYDVR0PAQH/BAQD +AgLkMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFMsdl2EGWPecLB+3N0ry +HPl5HQarMA0GCSqGSIb3DQEBCwUAA4IBAQCbEV0KWbOCOTC4NwXPg0K1lz8Sjk4U +jepBsoq+hVmd6QDo5VRG4Lac6Eo0MsNaZV7apqpj7EkYeqYnqHv7AUSa0ffv1i2S ++Lr9/Rvt7Zg3xO3zBS97NDnGZ22lyLRh6wcq/Slgaotsz2gPRqUlv6FM3SDTV7U5 
+wInIBmeH6IlgT/MOLmWRKFUJFjXnFci+m+7BWdjb+Sg488XT9Qisoz5z3pF35iQQ +w3eeMebxzsuCN+f/0PuH/HNN3BmsDwX2sxlvmKHC5tBxAekNq5RvkEQYQuzZ9leT +44/u7rnHpUEFQ8U1fN+TtnH1AdsbrWzFNGS5yQqNI3MMgzyf79uV7S0X -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/ca-client-tenant.key b/pkg/security/securitytest/test_certs/ca-client-tenant.key index 6c017817d5d6..00b0e064ed46 100644 --- a/pkg/security/securitytest/test_certs/ca-client-tenant.key +++ b/pkg/security/securitytest/test_certs/ca-client-tenant.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAx4Zpg9AI2AUR5bfSkV9TO6B7sBf3qYeOBwDCTCicF9hYUvgt -25X9uvLS4a5d+vTv2xQtAVJoHkFBS9ZaMZJb2U9DehADDQ9eoUKPR64FrKkwBCBN -BzAxA6KzU5Y6z7yAgBvXt1c/EwLQOxGP9oSO3tYgR9AWmQeN2X0KMV9efoWBAwOm -nr9bVYRcbQBTyXhdHKtPfjnRVo9G52L/zya4929JY+5E3GiV6kSDOkJAcmm1o8Gf -ROuBlAfF+hj3e++gQkmOHpAL0mqBOnBLwOa/hsqSQCxKlVVdHm0pbfC2oYaHZ9Na -ZyVwhw0QW51MnY2vLn+Zj3MHheKrH8gCCslq0wIDAQABAoIBAAaVBpIUoNYPhMGh -SM8G6AYFi08J21+6WxMcEUzV4iBfQLqr+UdPMWmjbRWI3QzUW71McxeiElE9MdxA -nAUaoPEQTleOg6tAoIyNV5CzyvghNLZOInxkOJm4GlZdlF8aBtszD/C6bhhAdYId -WDR3twbe5X24/aXau/E60MVEMifWTLn9Pto1XGapbyaf+2hGL9raji3DBP4JiM2d -Xdf7TOqrVIF7qmiADvFVnsSSWMr04VH45FojBdEZKHXbVoCLwC9qn8nptTlPFojd -ihnBUy9QXLr8R+YUgTGpQZmbiWapEqHYa3eS8vwsbB8i4YHrm504lvybdzBgi0x8 -E3OMeAECgYEA6TgW61JLCtOiuDmupDyThP8QEHHs/9k57b7PplVEimbVuIlUNs+u -c2isHRiM3rts+/CZUrP7I4Om5qMA1HatquBxL2Hawh1M2ztSNFJTEB2OTOQQ4Iz9 -oThi988xSBAIDQ94gpj0B1ZlgtQSVGj4imOVU4BAHawcDSBFjaIWsNMCgYEA2wPD -qZoa9kbu7OWCOsTUua4ERWeR4Tsy6QH0RakckcuJy/ZKBfpv1wiDyKAJhvpIPMvC -5xYaw2hb85YcmAWzi2Lu9jymO9oFv5QRMGGetE8Alm2/qThec2moPR80iYrOmydy -Ie4dNxasulcdAofPdL0n0lm+L7sFaYofPFPeHgECgYB2+zmeJqbISD581FjHy2vL -b0En0qeBw7YtF6rihh/oqBwjAFTpfbzXfjBIy8yamW45fn8KVW4rqS/N/J0gx8dE -JSs5bCfp3n7mXfZLYTClSR7fFX+Sv/tpc9Xx7U+MHzmsSBdIMXZWA/rX6w/K5p7e -I338UrLjMHpDLBKv9mCzJwKBgQDCW8nUhfStX2+CfX4fhzM8gCg8K1gzJ6TbUKek -9hlrbNQhU7SHL6L2khDZBuTNiuh2Q2D4UA56IO+Q8EL5yf12kdp8XIAtFyMIy26h -n9AGNSHRXR28H1D6XOY3L60g7jTBTbUkVTpJ++5XAx20dC9varmfG5MCqpZ3/WIQ -2GCCAQKBgHgUmqRxe2Hg4r5lrlVE1K71kT50GlQzuS/aegu087J3vFyhV3ySRJMH -hyi4zW3g2YKH0/piwp+x8jq5Sm2GZKYPyciYQe7fRrLSK56HnlD+OUakbKO4I19m -UJfNlyGITsqzAPe6Ax7ETLt6MIaAV1KG6PwG3xFJJ7wYQtNFgogO +MIIEowIBAAKCAQEAsi1zRat5MsvZ1FWLlPqqrQrJdVBBM0osnAlBg4U6YvQZdmcc +IAUgEMFgRd6QXEOTpttS+h+oG2bK6hj7wXcooXjJxWEWclfwGNwFzp1ioqzD4ve2 +M5zgOmNHunVA10je1IDmgMBn/dlczMaHBE16G/fLOWuT6qSFcSY4muLPn+EY/in4 +TIuw3YDxsmUWRzUIcfcZKsoJ99rHeFGTA7GzficKCMtU48NkoQS9CgKlhNFBv+CO 
+lGyNEcaUw7A/8iMuZDncXN+S36Zpjofy8GOMEAF0IxF2kSH+ZY7gd1PQO021c42i +ypmWSqWeMlqDBW9cxOl6Kj7b8JrXvnU3QmFyxwIDAQABAoIBAHAsxSHbrtYYGO/h +W5tTpRiEbgj5mdLco/EosqJGwleCLnWovMA7+dASrrXORTyRHugxtK/cNk3qDV4M +lJNcnavrC7zEPwmF65b7DnziATNBaaH/KiqcXV7lGkd9gnEHY6KN9JCikdXzfsU9 +R8uhq3roKn3gCKP1KD3wPjrlCKoyUv5f5gUyALUP+On4ukgLDTdq/lrmuEGGUPaz +nQqib2MEO4V6wpzLcvCF9nePEDbyBzw8wPSOq8BlYG2KZC4z7O5OmKI1O32GF1Gs +teWyh0mAZ/q5ATqx75gFg940DcxJZPEF1sUHvrXptSE2aymUEf2uTp+UbEnzoE0L +gIgyC8ECgYEAwZ4ABq9GYaj0laPE62cDHq0KidzyO1aE+HCvtrj1yJLB5WNL3fbT +HAK4SB5zvuH37odAgMSI3+5gQ6tZWq5ANJMx45L2DRHhURdl3o9jmVgPNr6N0GM5 +kUynuR8c4JAGf16SHtU5Woxp07uomrUKhQ7BQIpvDj20CJKrRn9RBt8CgYEA65Xz +qfUT1bnRZEKJArC1nZyRfZ8qaE2be5wEUOYZcevxhivmNiC/C8Ok/VYkmxoPz/fm +O4TkGKgYgavKtigQkoJcPHzjwRos56yXZeRPdajIwmYfD6idSYVG+kBqFij2cfQO +Z0aQx4isWPOoU0fWHZ0WwE0S3PjdXUarDou0GRkCgYBb8Dry8afqF+CMbgfEAFZq +6qBmdpRPuPXLQzcs/Qc5Bvcrhcswy1PTqTb4h/1OVt70VSU8ABc+vmLXvzXe6X9z +d7Ho7pAIBMWJTCMDW/NfjYEr7bBJk9RyOoQqU6vStpFfSfj4yydA6AwYjrOxQuaL +6EW78ABsMsCakYrjHvHK4QKBgH00+gaXIU6S7o2ZqxXJ8wxsXQrl3/UFYiBlAAo6 +8MUSQBAuHrEf4EmRVovqD5R7WnIOb8esTkoodLXeJuN/Eae8Luda/PTxQ3Jx0Rkv +KWgAJ4riGZoJ5GZhtiJkv709UhWoP0t2PpY9tlOkVA7G/C5LAf98Nw1IGuZrG5ik +eThpAoGBAKY1jD2/uaTFg1VyJijNHqXwd/jmz6x0YquJsPKqbRvnjpg3tw7eeNx0 +prvwb5/YzAFTaMKXLjp8ssInhfPQy/Qmg7qLoykGnkF5QJMGRMQpyZe0RWWUosHB +Hxd9xATUvuIs7Z8cjGkizKDgn1f8IfCAM2c+aMHI5lqsEOIG3VzR -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/ca.crt b/pkg/security/securitytest/test_certs/ca.crt index 33eeefe9e2a9..e1d68800f19d 100644 --- a/pkg/security/securitytest/test_certs/ca.crt +++ b/pkg/security/securitytest/test_certs/ca.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDJTCCAg2gAwIBAgIQVTqh0bKWaGc9mXyKQM1r3DANBgkqhkiG9w0BAQsFADAr -MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y -MjAxMTAxOTAxMThaFw0zMjAxMTkxOTAxMThaMCsxEjAQBgNVBAoTCUNvY2tyb2Fj -aDEVMBMGA1UEAxMMQ29ja3JvYWNoIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAySkLp2+7YudQOZYTc/fmF0RHeLXgcDSY2Y+2wb2lZ616lSsgmXGP -aWVHLza9E2vsS2C9BaY2qrK/lUlxMOFXnT3GVnRPdbJVt6uPz0K9hzcKZHT+6WjC -0R1tfUBK6GNmlvsby9+U1WMkThR2f7KH5ARrv7Lihm062INZQzJljkYcFVEEEmoL -+eYT0y1+SrJfuYrQeIdVYSC+4IhAHzryVxDA14lzInBXgVxVuC1b6uGOry/f++s/ -pBFo0FRUOs4noT30gFkJ434oX/YCMIld/frnLcpwR/qkbZZA6mLwOrFeniJsz7kh -sP3u76Cz6lUHPwyHJzW7oa8PR4udYdvibQIDAQABo0UwQzAOBgNVHQ8BAf8EBAMC -AuQwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUizkuY+BH48avRNXEnr/N -Ei9cteowDQYJKoZIhvcNAQELBQADggEBAIu67a1RKpmdD/DTB3Qxg+uSgyeTpcIe -fUNwyym4h8C6Mtp0jjYqrHNH6h6aGhuDj9vTPBLdAtp/s5gH5EMydFvr+2LiuyOo -N5LAszEN+A+6TrCN3EpcsRR+YpF/fGbvgdTibFdnnqCfpaPxZd1+8Nse2bFm6xjj -0mRDSzNU+Ti6kAKvYtFSmFXSOMWtGImHJXR46CV54CF+rOhvRllKsjSgZcKBikrQ -fyJBU8TtjpDA6xVTCTMJg0dp+c9rvYET40lEvuGMOxRmgkOOKdbsrSv2KD5FPrIk -y2gzRhcB2HnC44lhPBX1AxBbKdH7dsKeAQFaBzdIpLBMLPW19XsJmaI= +MIIDJjCCAg6gAwIBAgIRAOn+8zquSiVxaR1YePQs+2gwDQYJKoZIhvcNAQELBQAw +KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN +MjIwNDEwMjAwNDM2WhcNMzIwNDE4MjAwNDM2WjArMRIwEAYDVQQKEwlDb2Nrcm9h +Y2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAJy54SHa5tts/hmXO928UOd9NhxFWN9sIha8b4mJJYWaYtnyZM0h +wU4bh/aTBgo5f2MFk7FNiytJI2VUyc3OYI40TxMspQb9a2BBZsPgr5qhIKJPcmCm +2t+lAGoa3uWKbOttiQv69T4O7DftnVroP+03MSLxaVZ8WDpmdUWC/EpL+/JD2u/g +p4O6vJW7ZXPhz5+/I2TTP1GFi63glNTVe/a0VdtDbll1mdA97k0UPgG6VUiusxik +909ZVwbHRB8mfWizFP9jWtFggW8nLs0uutDc9f8lwhfpd9eSw97HhjvR+V+MaF+P +LnK48VDrUHCDkCzzPG0bCcK2bnyhBugCICECAwEAAaNFMEMwDgYDVR0PAQH/BAQD +AgLkMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFEK0fDrlBvtbh8HRFAqF +kkBzdY/MMA0GCSqGSIb3DQEBCwUAA4IBAQCXFrsfgf6/cfVUePR/1M8iJiho58hK 
+RtuDSamES1bjTFE0cno9N3TX91PZs+vn3A6o9D8gmfPXV2KLQUeA54KN+W/cilzo +ECI++9NH4WKRi/S704obj8lgS0/ZiuQrvJ2YMhoZGR/FKhZqQJq8kqb3/H9+dV+T +wc8yH8hHikjSgqFoqcPC0GhLJUWyhuxtd1wzUtwC9zwLcHY97C3LBDqMOBLOIoQI +A7Qcj04cEfb/VxCFcyBMdE7iYBSnuhiMofBwS1jKzviNJYc98mKSBuVK1JMZVjxH +29YemYXBbRLv7kjmO2OlOSw5A+JyOmqPnW3xb381hf1myqfzrPF3pcUj -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/ca.key b/pkg/security/securitytest/test_certs/ca.key index fc771f664b18..52ae40f998e3 100644 --- a/pkg/security/securitytest/test_certs/ca.key +++ b/pkg/security/securitytest/test_certs/ca.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAySkLp2+7YudQOZYTc/fmF0RHeLXgcDSY2Y+2wb2lZ616lSsg -mXGPaWVHLza9E2vsS2C9BaY2qrK/lUlxMOFXnT3GVnRPdbJVt6uPz0K9hzcKZHT+ -6WjC0R1tfUBK6GNmlvsby9+U1WMkThR2f7KH5ARrv7Lihm062INZQzJljkYcFVEE -EmoL+eYT0y1+SrJfuYrQeIdVYSC+4IhAHzryVxDA14lzInBXgVxVuC1b6uGOry/f -++s/pBFo0FRUOs4noT30gFkJ434oX/YCMIld/frnLcpwR/qkbZZA6mLwOrFeniJs -z7khsP3u76Cz6lUHPwyHJzW7oa8PR4udYdvibQIDAQABAoIBAQCVYeHBqXuiatxs -p0Iy8Hjx9kaNIaNWL/kCN3MkVM0sPOu3Mpu211oEjq1aJnAqqA6Fu4UjWNdn0+3p -0uw3vF/v6RwMv7ryUEjPaJwW8h0E+J7DEw7qDl3+JLhWNxRplsdsf3WY5KQGAuXH -BfMpyU6YyZ+qcBFAeoUknAYBnL9F8wFupYvlO4Gd9pKoli5gho26pw74A1NB21mh -dDyc9tmNpq8Nvz5qMdUrV1opK6a965qqxMG/wGVlUjg8iN4y1lQXyQv5/RyPOwZC -IaK3CbMgiQQjmQzpteeW2HlOyWZktg5AXs+JOusVKbURpXFSblONic1rMcLiD2Zn -/EMi2tYBAoGBAN3SrbmDg5aZe0nIgOGv8p9r+ONDxs6UP2wpr3DC8u0Sm8Hbnt83 -KoP7+BRCZ+iauTD8sRl1T+OOpi6na3dZCqXPXgUymMdNSPyYObbHC6Uqjx0j7ytA -wbimYqhi/FCgv6TjsG5ocOP3CkDoqyEmBSAfHGZWJfgCGdmba/bHpS/hAoGBAOgn -X+1a6YlWGzXxIGyYyZCz+Ffi6dU7r9antX4+Mjr7MVN1n6bTr15spS3IzwY7FXKO -lQM5m7t+TtB1cwAgVd7e9LlcY7XjEibZxI8d7rK7v+08boItsM2Uvv0LGawL1Y7F -l1dXbP9MeVFDT7H93Bs+KoVn9+9zo2N1suWflvQNAoGBAIwDyoJZn/q0YFy/QZKz -M6srRQt2oYuNicblPQcpFptL7qLb1JlCwgRTTFDFZb8two1IQyU1pjqVtRGnva60 -toLYtJkFSegrQVGnaG6VjyUvCuyy3OlpU54Q8B8nc+oUvUMAMUJPjEpoicFU24ft -7rhKyutRn1+/O7/eWbSIah0hAoGAQCFgZnkOulmG+se5ZUZvqAGPQPf2EGmEkY+S -m2UjCxgI8D019SfU8gihOJyYU+hObG7myxVG5+xkaUGImyhTkFWW1P2orb4kbYcK -vV5PaiBjTG29OUjV5nSIre47EUPTorUCsaX8/ilp+gDWKx0tiHkL1f56hzMyl28U -FEqZsKECgYA2FAfuoOXotKOSNYKfyPWu+LjK4ii6soDlFIgu6DOgspy9sjz9nXYV -6GCMl6mKLqPmC/chTmKaQBnONw905Hu4GOTVSQ8JlQBwmE1xis0r0Mzc0fl0viH3 -1p2fxauenvPwMTQtTbHxdCpXe7g7p2KanscOPxOsuvRvBCHSdFu9UA== +MIIEpAIBAAKCAQEAnLnhIdrm22z+GZc73bxQ5302HEVY32wiFrxviYklhZpi2fJk +zSHBThuH9pMGCjl/YwWTsU2LK0kjZVTJzc5gjjRPEyylBv1rYEFmw+CvmqEgok9y +YKba36UAahre5Yps622JC/r1Pg7sN+2dWug/7TcxIvFpVnxYOmZ1RYL8Skv78kPa +7+Cng7q8lbtlc+HPn78jZNM/UYWLreCU1NV79rRV20NuWXWZ0D3uTRQ+AbpVSK6z 
+GKT3T1lXBsdEHyZ9aLMU/2Na0WCBbycuzS660Nz1/yXCF+l315LD3seGO9H5X4xo +X48ucrjxUOtQcIOQLPM8bRsJwrZufKEG6AIgIQIDAQABAoIBAEHSPx781F/rUnxk +65ugb0oJaCRPa5fJzjdGRIG6u6t0v3dROcx9FLY9EckYzjyVEU8BFJouOvie6uKv +zWFF/385sMwYv+ZDoEj4rrQtNRL4AMCqJRs6eEnc/mORjXNRw5TMl/YUG9NIaSTE +AoYfbFmwCE7onJjZ+CPuy+m5rUN2JcFm4JaHQpygnMZOO/QwCr70l2EEOPgFBhg3 +EjHNjp9SiI/AlvdFW4Zg9LeHsW5DKb+bhLperJHqvX7hKCdbgIzKXu6TwIBo2QmF +g4tC6FtPvt7AkW5NMt0ODu0EXl2acgCtXosZmXTYmZEPqfVbDo1+LwzgGg+YPZfZ +8QFaMsECgYEAy1lDWBxYmob99947v9LXgMBGhsBSY5EACnTIrwCgEif007b/yWy5 +xC9ypbstKMZoqKq4vYjlT4y7O+sZFIrM+DFquo+y/KRNXmeW0Qimo36jpZWLQQtK +ctBAGGv/JcXnexVW9gEgeS5I66dAQd2MSrZotCzf21QR/YjtGB5IsM0CgYEAxU5K +aqr7CZDHZUyCapBfekyYqPEvLWmOtjCZmvdxa1MlX6tqT54U6WxLfxs36wY5OzGc +exGYhtRLve87+pirJYZZ13hCESAT+qQrKWoj+p3Itv9kQlWEL074FBMGxgJHW5+/ +EjrKL/FqpG78d9oEEgFEgmssH6pCP8R+1bgY3KUCgYEAyll+ESzL4qFYEhJcBItL +lTxAMhEpKxj8IGuL09FceBS4pQDiUc7WoGnSvSagToX5WXXhNgIGpf1Vx88veuiQ +BJ4wJYufQZZBwyJzynjAUctQDxLbqpMQt2WRknvNPwpLSYi3qz790HiFabJZ1/Ed +jK8tS7Wn4PosmM1rmWdxUDUCgYEAgO9fjAM914tn8hekZhUAf8BMRqKNzORdIUvz +JSSsVpFYLAOtjmfkjIF7eI2F5i0D+125P2dJQFq9QFp03JclyHjafwcUTXKj+7eK +iR7WcjDn+EY+82ZE4lF9pkiktYLJtONYjoYimF/v65Kno36yCD4R0hRNGkg90MQM +iocqoA0CgYA/TLgR1Pcds/ewj0PBKuoexnKfp3Fw3jLza3BUB4guZ7UOnxNyEDSQ +XaCJKlu5I74KRvQeHgHUxmbMAdkhJISC8yi6ha8Xdevp/ZXbMkaBg6Juhc5wthJh +aJU/uubU08+F/d5xrXG8E6mgNLp2qPMHwTkxVxqAz1kgDAr9kaoj0w== -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client-tenant.10.crt b/pkg/security/securitytest/test_certs/client-tenant.10.crt index 22bfa6b2d7ec..99fa7c73211f 100644 --- a/pkg/security/securitytest/test_certs/client-tenant.10.crt +++ b/pkg/security/securitytest/test_certs/client-tenant.10.crt 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDdDCCAlygAwIBAgIRANJrz/fSnAE8mJrPPyNpr7IwDQYJKoZIhvcNAQELBQAw -KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN -MjIwMTEwMTkwMTIxWhcNMjcwMTE1MTkwMTIxWjAzMRIwEAYDVQQKEwlDb2Nrcm9h -Y2gxEDAOBgNVBAsTB1RlbmFudHMxCzAJBgNVBAMTAjEwMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAz1f7YcFm2Kkg4ZGGdX2HDKRoLgvwSjiqZ+LzBD86 -ZPu6lMrd8nr0LGdP/omKIbgqTdIUUbRdjay4oyVAjj8gi/VnqC12nL6lHkoP/Shd -Nhzz26o5s5mKry3P8G2Dw7KfrOJoGXFOGferEP598Dpl8kPR6AgU2ByxmnLQ89yV -SdSlxtWScXuzS+a6Rk7jgcjMLhsirkewonPlo7pllc5QW7n9AenpVl6TigC1uepa -UO+f/BsmecBwXV5RDp809GtdvxmTcETj3geLVJyaNFGUEhyiRpq5CoRbJcJyXnGA -a+JB+mibaNhGYNwFsStbRt2tWAKhzcs3N946iRfCif1Q1QIDAQABo4GKMIGHMA4G -A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHwYD -VR0jBBgwFoAUDD1fU2a1rodKQhW5lNsP1zM1SDowNQYDVR0RBC4wLIIJbG9jYWxo -b3N0ggcqLmxvY2FshwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEB -CwUAA4IBAQABsIoGVpxCdZPFEq8lgBUaFombn/5x7SJ0RCn1RM4hw3x4xvOStiIS -KKHU7je+4eXR8m2WhT16NvF6nCDEJOCyDDGAPmzAYXRAyMR019C5TmCL+8SIKW8S -eR/gPSTYlQ6KZdIrSsQkPX0ytXdcifZHGQh5PIa9WQY999DheH7sSf0OQcstRG1W -ZX/kQzkBRf9wO6qY8Vhr05WWcFjug28/u2Ah7IbXxRxtAU6INu7bO65NOv2fRgxG -MvDDCtcjMEH+6wzlBz5aGj/DWqtrbxag43/HB4A+tNqQZRm9VRoEbH4ll/xskiuv -b1gpWAxDkoSK3eGmtVJkkLhWEhl2RDcR +MIIDczCCAlugAwIBAgIQTktcO7d/objpPjW3mjQQnDANBgkqhkiG9w0BAQsFADAr +MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y +MjA0MTAyMDA0MzhaFw0yNzA0MTUyMDA0MzhaMDMxEjAQBgNVBAoTCUNvY2tyb2Fj +aDEQMA4GA1UECxMHVGVuYW50czELMAkGA1UEAxMCMTAwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDlcjABzGbkx7I66tGSRPxOQWLtEHZDSvQdXvf3Zjx6 +t4TsXxXdh6zi6Gr4T/LF7mSxUAEvqQntddgGrCBdaE4A3sEJwO913iuJNl2yjOjo ++oJ++wsRKvZFo8i09V7zLor3LEs6VcJGvNE4I+5G89eeHCx6Y1Y7keNzY1lnPgxG +B4mOPasWa/CaZ3JJiwQcBAgxq3IxnoeLKniTrU5rsAaGzHKvDt5b3HyNjvW2pDzR +cj4lifknZgZMvJjMHqTr2wiGliRzK+3OEVESqJTaDG105JMQlWnt1HWABzBAlY83 +70hkLwu3OvZesSc7X9IJW7Z07seiF8lBVRulY+QCveHxAgMBAAGjgYowgYcwDgYD +VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNV 
+HSMEGDAWgBTLHZdhBlj3nCwftzdK8hz5eR0GqzA1BgNVHREELjAsgglsb2NhbGhv +c3SCByoubG9jYWyHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL +BQADggEBACQuF64kqyuS7zSKuLQOl4sxTN/b2Jmc7fEAD/MB1Ai9G7EGam0p0QFn +AXdq3dYMe4i2pyE0qhI4sVbX53KYiUVc94n+LfBTRZ4uVdi8FOXeL983Ham0Q+XX +k4bn2PstMcSobGT58UtjY/2wTWYok4VDf0EgUGJEc8gXkX+u88jvDCujPApMRYQO +/xSKusztT8OPBvc3f1n2kCxG06CySeAE2KznvXqF5WmS1w4n3tTaS0DYi1+kUbPS +yDZtTuWDlvcLZZL89HvhriCWgv65TlTlfI2wB0XXbGsHNAfB3PH9Y7TxBBBP76/H +fOKslm9rPdod6qig2RNl2xUsNK1Rh7A= -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client-tenant.10.key b/pkg/security/securitytest/test_certs/client-tenant.10.key index 617a69d7f628..75e7c3b29670 100644 --- a/pkg/security/securitytest/test_certs/client-tenant.10.key +++ b/pkg/security/securitytest/test_certs/client-tenant.10.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAz1f7YcFm2Kkg4ZGGdX2HDKRoLgvwSjiqZ+LzBD86ZPu6lMrd -8nr0LGdP/omKIbgqTdIUUbRdjay4oyVAjj8gi/VnqC12nL6lHkoP/ShdNhzz26o5 -s5mKry3P8G2Dw7KfrOJoGXFOGferEP598Dpl8kPR6AgU2ByxmnLQ89yVSdSlxtWS -cXuzS+a6Rk7jgcjMLhsirkewonPlo7pllc5QW7n9AenpVl6TigC1uepaUO+f/Bsm -ecBwXV5RDp809GtdvxmTcETj3geLVJyaNFGUEhyiRpq5CoRbJcJyXnGAa+JB+mib -aNhGYNwFsStbRt2tWAKhzcs3N946iRfCif1Q1QIDAQABAoIBAQCnEaadux+qvoSf -HQpxyyaxehvz1mzU8VnlgYn9RxE/Y1KRJ/G0u3vZ95kOaTbjOqjjsb3ro+CqEp1n -39FnjNglziSq748ed8NGZ7kAbLDGtIeN3VjHLZYA13IwsZ21Z02gGYJ11cVvyQ+P -DvDdS8Dvd9RAGZrqFBzLbW6OwJOOO5T1DNsCspjivbrAi6EiZ1rE4pxmFl34z6+o -n/BTxrKhtgTuWBvMkCxflY3fAfSSsW5i16qAweDT5XHGoWRi4plQKdJF5jrvSS/x -NH4Y7rSBCHnhNBhUVdwyQ5Sxhqnxa5YoqpmVf2ev//QRocyBc54ZKr/XSFwYUb04 -OADjXIbVAoGBAPcBALZzxI6scMXm5QASZhk68clak9Z58QEDodRCiqq7M74FICQ8 -mtpLPYDfkL5Lw1zGiShOJFTcy5Svdz+kIZ/lU4XuVsgOzIM/0w2f6t4byOHpFuY4 -RnXUtIt/+//PysZ/wi44rD6JKSYEr5W6qz0UR6AiGsLKna6jjqvD5SpHAoGBANbl -MqttdIklZ1YAh6Goz4q8X8xryarMfv49Z9IH4VNvS9dKVEbkvS3o36f/A94hxnAl -vehkTHHh1sbhp4J++QxeE1DIS0ow7vQJz0cfYoyaCLZMQbm3kCz1GfzaeiisoAnU -dSHn0qZrGpzEDyZ26Nh6zEFO4Zc3aG/O9UDlGp4DAoGADx70mDbGFaXg0XytEDAQ -KAM/wf/VhQ+5/UHnqkLYklMbe8p8iTtcj3iDr1wAVGX287sDsn/2IWvS2qtTNYYq -uMslLdHFZkHhqzdBCFh93FL/HTVTvYw8ZAI9ezy+hI6H71bq4EF/6eQjrLwks5nV -2ctgByGPWdVlicdheIppgQkCgYEAh0+WUh7/jAPDR4HZ5U7YL/FhGOSd/S/6nren -kbZoiRLBXHRvEJyjCi9h9PQ8SThXLPJ228eb4vFjPaOEyESPKNxrqSgVUEfzjjJH -E++NLB8pcTAfCoOtAsHqdS5UURwxQT9H6euA1k0GWsORDpU9FGJuDolOvtqiphRY -lV4tHmUCgYB+Zn1kMM7MlpoWzgbOP/f1jixSWrwHfb2X5uRhjpqvqAWOcQF8WtFk -87tUe2XJHwWjoF+eKaTSOpqHL0spS12oPyLznAgpmqg3TG1j97Luo54zbgPamlR0 -zDnAJIDiDcudkFCwdF+3+zwySE0kNIHKv0gSa9kIljXtNqGXHfjU/A== +MIIEowIBAAKCAQEA5XIwAcxm5MeyOurRkkT8TkFi7RB2Q0r0HV7392Y8ereE7F8V +3Yes4uhq+E/yxe5ksVABL6kJ7XXYBqwgXWhOAN7BCcDvdd4riTZdsozo6PqCfvsL +ESr2RaPItPVe8y6K9yxLOlXCRrzROCPuRvPXnhwsemNWO5Hjc2NZZz4MRgeJjj2r +FmvwmmdySYsEHAQIMatyMZ6Hiyp4k61Oa7AGhsxyrw7eW9x8jY71tqQ80XI+JYn5 
+J2YGTLyYzB6k69sIhpYkcyvtzhFREqiU2gxtdOSTEJVp7dR1gAcwQJWPN+9IZC8L +tzr2XrEnO1/SCVu2dO7HohfJQVUbpWPkAr3h8QIDAQABAoIBAB1ycTzZ2d7EzlgH +aQwntGXquGKKeVMbnIbkeFiVE3AAe5vGfEzpK8QXZhsmT5cdiGjFRtGyFScXt7jr +gF/ckh5EeGvjChiLgfTjOFVBBmdYN0VKvNngNKktYwXuc9gsAgPE+IatGPjxJLza +x6rtgp+1J/QxKZENoS5e8stwSCz4bmyQBcxDeX5PYTNUvaOWpgI3ewgOZtynBLi0 +h6HZN7sloqyrfbfF35vqDIC7hEEk8GNAYu5kOf0ucqcdPgp5bDO++HbqxtOOQye2 +QLsk3SV5kTgSTG8G504dQL2nOJqGLXeMLcl1BjxtSlrfqwEY4deEdRYnN3yeC34j +qjIJJL0CgYEA+wEtsmuZc6hr5ihLSVvi2B9uzK7DOjoyv+vQf8HUGowHCADGZ6vT +IerqKXozxXN4dirpD/dKMEd/pAD/0+ZKqVrv+hcOGzD8XNTeUsAf3OO5FOjxtiLL +3sREBUrrrMv8jGeZmKzH1k8Kdmb/9YNUIYNm5xsRFDPEYO79BDeGB9sCgYEA6gMs +FWP1SMDkhaAUNNneuiJxz634xFIY8ke03VKC6Id3mLD019zhtt0nHQ0cOAoWWD3O +9Ju6EBxq1C3UHvpRnzQTHwKv7Mda752m8Ea9GwrFkiHPdFLMvak1rHgVnwsbPs91 +HaXFpcEUNRIJq2BC9wcSEe/97A52VnMaMePFHSMCgYA4Di9SZU1D0x0lrWIC5A5p +DbwE4hKfclfbHKLXpUXlF9iKJQIqLOld7cSVtsDRG9SPL04VTri2x4Dt83suq4OJ +BtIJHBT+ZZY2dSOhf16eSg0PamZwspytB0/Zjr3LPVMNWCWpPwzyA3zmrGIFRmsH +gPz+J8FMrbLxou3Gf0/jeQKBgQCHT7RC3hyrp9W7qndkpAIUsOwMQTVSF4KTPYFI +ZHiLiiFOaiv5UaA2Q6RlOPpzMOoAtiSf7hflTvk6nRFFpEpj+xF/Yedly1Q6r3cj +AlRAebcKK4Cwa1w14szFYF5oK1ziscSvkvY5RO6xTS/IJ44xFqaNNq8luqsUi9O+ +u0xz7wKBgFJP5dFqv88sjWqzmacgmd4Va1q5NW9/RL0BY4nNEbPsJa3JQXdFeVkZ +hyb6SyhljxgqZwX5cGzqhXdOQ/H4ZkYx5W2PH5O5O4cI3ALxmHHf1n7wfZMHrOsU +LdhDd3QwcQ3wCL7FVNotnjU+Xd2oAxvwwQVU28CPRj7WId825x2e -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client-tenant.11.crt b/pkg/security/securitytest/test_certs/client-tenant.11.crt index c5e90fbc9441..02931f11ed1c 100644 --- a/pkg/security/securitytest/test_certs/client-tenant.11.crt +++ b/pkg/security/securitytest/test_certs/client-tenant.11.crt 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDczCCAlugAwIBAgIQMrEKZlCQe8qOSmFZrdjGXzANBgkqhkiG9w0BAQsFADAr -MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y -MjAxMTAxOTAxMjFaFw0yNzAxMTUxOTAxMjFaMDMxEjAQBgNVBAoTCUNvY2tyb2Fj -aDEQMA4GA1UECxMHVGVuYW50czELMAkGA1UEAxMCMTEwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQC1hIfulxvujaZPaFH+m7CZxfO0EpfdFDy07uyw0p3V -JXnK9Lrk/ynhX/hhg2wR50sjaZH5bSjaFXQY6UIOaBjncG8a344S0788gvsDoTm1 -n9+GglVF5hvCsvnWTiZgWBH/sZ+rLzRXIVuc8ItJL9nhI5Y0n4pwvhuK7UN1B1gm -Yx+SwJvsLpnXNHxj8SYva/X0bstDkaP5gZfIHt6kHZJXVjasAWTYNdeCnPWoyErF -0yCl4W6NSocDa9MPtmDNlI0WS7KMyCymqPs+DKoMzV+6XfrrSrhJnuQkLhmXDKij -1b/0PvsHSxy+nPcRTQd2d1PI/2zdIxZDWSGuL7iV38HxAgMBAAGjgYowgYcwDgYD -VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNV -HSMEGDAWgBQMPV9TZrWuh0pCFbmU2w/XMzVIOjA1BgNVHREELjAsgglsb2NhbGhv -c3SCByoubG9jYWyHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL -BQADggEBADbOdSWk3gD9Xhdi9ESXzaDzJHNx1gljzBZFZW/qWuJEYJJ9H2GPGZpf -Y4Pkq79xsQ40tsSdqp+vpNqIkM+QvdbT+G+B0PA/Y9sgNzr5UBAaRQN5ISfvhxFv -/uiOrOuDxiiGg7xmPEY7PnW78iezzIOZHQSNuPev+t7UocrEMzj10znOA76Mh2wQ -pBnZP7LUEAOZ+Bjly6fzdNGv9sCnGF0ZlAfASUz/V1rEGY9GXRTgg6O4C69qBw+d -4KkI/9vkfcPosqobAcAUKA5mvkQkAfHP2W0n+bD5iBgJ8uEQt4qktjLQNhdAhpVE -Eb23bdtWe6a/7WmRfbMky7R1xFt2uqQ= +MIIDdDCCAlygAwIBAgIRAMlXMnnNPC2qd3f2KhqqY7EwDQYJKoZIhvcNAQELBQAw +KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN +MjIwNDEwMjAwNDM4WhcNMjcwNDE1MjAwNDM4WjAzMRIwEAYDVQQKEwlDb2Nrcm9h +Y2gxEDAOBgNVBAsTB1RlbmFudHMxCzAJBgNVBAMTAjExMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA0tIn59qoyBo3D43SRld43H/S5c7qEZa+NPwN/3uH +o/ouFWIkzD4E0+Y39gJJX0mQ67EwLeW1ZtWvgqHyiXkKBzUal56oQCEzEi5okYNW +YaiCR2FkDwOwjjEU4MipcjU79sFaO2niAT8CyhnKWNWEOXULIZyJvo85R1xwhqSe +acwv3uUtQ+BAe3dY9i3YeUfXWbQfocoEdBEs8A/ssdCZ9WkvbYFSJEG7ZuwCfZzm +wxN5X7a5j0RTWp3gDQN6hSmBPXCFceX0JpjuqmRnzV8ShXKdlZOGM58Vo5GDJTqN +NSSVpbL/3n7Mw2sWUbrqJv8CtYy5taes9Rh/jz89P7l9HwIDAQABo4GKMIGHMA4G +A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHwYD 
+VR0jBBgwFoAUyx2XYQZY95wsH7c3SvIc+XkdBqswNQYDVR0RBC4wLIIJbG9jYWxo +b3N0ggcqLmxvY2FshwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEB +CwUAA4IBAQCt94Rrh6cvrX1miFx0YCAq2mpRuPP0P+DjRu99JWnj588VYeuvAX7E +rtUMWzr3937aY3bWWh58RSqXYfFY3hPehpdMdeTBQHLgJBSizzH6GuZMd7Ar+EWI +R78OfiEAxylTFU/1+OOoBFSycQ4mOFmgK+yWW+AUFMOk8v12/8kOKqYK+QwFHVhz +YuucOz9aBD4klH3nUzeH6gow9DRpD3ukz/j7Q2J8Fgrlz04/C9abklG2j3uCv7Bf +TCDQ2Ko+EeDNJydRZCaECRsfme95PnC+Vr4Nd4/mYqsG/TtEshv1e9TklbhESqy3 +1jeeZ18fFJTyPx1tzMRTZmpLTA8ymr3s -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client-tenant.11.key b/pkg/security/securitytest/test_certs/client-tenant.11.key index c57f734ed3de..a3296737fe52 100644 --- a/pkg/security/securitytest/test_certs/client-tenant.11.key +++ b/pkg/security/securitytest/test_certs/client-tenant.11.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAtYSH7pcb7o2mT2hR/puwmcXztBKX3RQ8tO7ssNKd1SV5yvS6 -5P8p4V/4YYNsEedLI2mR+W0o2hV0GOlCDmgY53BvGt+OEtO/PIL7A6E5tZ/fhoJV -ReYbwrL51k4mYFgR/7Gfqy80VyFbnPCLSS/Z4SOWNJ+KcL4biu1DdQdYJmMfksCb -7C6Z1zR8Y/EmL2v19G7LQ5Gj+YGXyB7epB2SV1Y2rAFk2DXXgpz1qMhKxdMgpeFu -jUqHA2vTD7ZgzZSNFkuyjMgspqj7PgyqDM1ful3660q4SZ7kJC4Zlwyoo9W/9D77 -B0scvpz3EU0HdndTyP9s3SMWQ1khri+4ld/B8QIDAQABAoIBAGQiBT6oG1+AwqMB -gGH9DvH1Ulge/amWtVp2hxmQRkND1ikQ0lzrKfZLE+DvN9m0hy202jMHdcbAmPf5 -DViXMk3SJ2hitKRMLS27b69z7Dr2Q7+W/GV/6AaC5vHC0MbLLrqoCNXNR4ldPIWZ -6Kxp+j6JfB3xeNRy+wyrkE/pykX570JXazZIBiBTBZkbwcVv2BvWOh+1fmBST/To -WQuhni3zoU1pIve4nYwu0S/Tm7xASiRSkYep/vsdRHTxBJMlko8OHFpYkh5rGNDp -v2I1dIOqBPoAvhQgLFaIbpB7jGXAfCyOvr/bQDhvgJuThe8vbbOSC2dQN/+ZGmJS -KC+IKNUCgYEA8Cyhb2u5B5+ghtLd2BDpbpcLR1fKJR+hCh+C6XANAwX7WTL8c294 -AR9XAET5Ahg0KD0RmXFNMlNzCRrD7q21Z4c0YQckcQLBirecALaqSAkoxKHDDnv7 -BunT9e27PBmDafJNYGM+As1zROj1lgXznkpuaC14KSQc8Ufh0cLcUmsCgYEAwXp0 -IpG6asCLhrvT/NBGQiSeKuuP/nAqt8vT+eCC1anltwlkG/PxcSbkD5XIKdsEZzOm -TaeorgVNrA1dugRTUej1Z5GvV7EYLwEizbgTZVlQgw1oMdZu1MZ5D7jL3qm2bTnX -hcMAlrDG82pp4rPS9eOg6IXAMDdIEjXS5pth7BMCgYEAo+LQhedL6xfRwi5Bkx53 -Ky+GUrhlB8/9Y5r9Ca2cM2Pxj3xrJ5n4mUt5YoWuJO+/J3YEfGAD/UNUS/InoMaH -8o0gANWO2E65Ip8HpLUAnQci+oonP8r6EE2ehUIjcW83bSQaCJuvxNnMvkj4y9Zj -1q+ThyL/y5MI7NvQDAKbtOECgYB6NxXhOFifUl1QkJlKG24mHedjiUV+HfB+BV0z -fKRov1eCFYaNOb0MEtsBFUZJWjYf0rp8VynwMx1rT04jUNQo65UJBTfTluSF3JvV -gy+NV6vJ/NASmzeLZIvYaI0va9j2ihEgR5u5lJU38cJNF/ZsqIteFg7e5iy6hBFi -5kgmzQKBgQCvqra2081hOAgLiIth4wF0MaPFoP78508XHNt6Rw0NB7nJU4vcVdTK -XXxl9ZI+em8joFCJ1g5xrA80ACHxodcESePNrPB30jwJc3Iw6Jc3Ivn4iL55pkN9 -beOVq4tCdXJHp5FwRwIiiv/h16eZwlli4oJwj5zrO/7qCk4cXEtvUg== +MIIEpAIBAAKCAQEA0tIn59qoyBo3D43SRld43H/S5c7qEZa+NPwN/3uHo/ouFWIk +zD4E0+Y39gJJX0mQ67EwLeW1ZtWvgqHyiXkKBzUal56oQCEzEi5okYNWYaiCR2Fk +DwOwjjEU4MipcjU79sFaO2niAT8CyhnKWNWEOXULIZyJvo85R1xwhqSeacwv3uUt +Q+BAe3dY9i3YeUfXWbQfocoEdBEs8A/ssdCZ9WkvbYFSJEG7ZuwCfZzmwxN5X7a5 
+j0RTWp3gDQN6hSmBPXCFceX0JpjuqmRnzV8ShXKdlZOGM58Vo5GDJTqNNSSVpbL/ +3n7Mw2sWUbrqJv8CtYy5taes9Rh/jz89P7l9HwIDAQABAoIBAGIxim6+dNDHDRBM +kT08LsodK2DokDNjD/Lj161AnzvsIhzJmrQayurblwMZq40bWcm9vOAT1vsv2lCx +F6OaYeZbgKhQOLOuAvib7w6fqtNPxmZy4UTxBgIksEHGlM3iJ6zWAC4eMis8axMx +EgNwZ+bPMkEUhT/hu98WGj9MW5CQtpvYV4ks7Hb2J1K8JeUJkgkn1uNwGd3+hacx +7dASC8tjVGJvrF7EnKBk5HyTHhlpEqgh3s66cqkOP/Ciecu5FJQn+B64HR/g+mRs +lZM45KAfqmdKtF81yytwCUGnZe5uwAyfGCxc4ZcbLmMDKOeuZTiGqLWQeEvKAnyk +2auJ/GECgYEA9UoJEgeHpm8sT8L8GUYabSB0wixC97J+Xt6FmeQVgOfv0YwGVd1T +/akpzEXLe/x2LvY5wD56A+0tA7jDl/7dkeahJHhakBv3Wa/N3uJlV3zZKybntV6I +DEh+K7y73SxLfw0yLKeu6Z+1ryp6WZ8PO5yOfYUgRIZQWOzlcTKdQa8CgYEA3AbR +IAuXU/IWmckMylXxt/6cFAYjITOpO8z99ReViz+3i/EYgOx4pyogIkvICQak+OJv +UjEAxxulvO5GFloXkRBO2AzF3yO/gucFuVXMuJ49Dl9dYQX7d3pUoANn9IMm6V0k +UqtZ8oVDWZDCUFmU4GRl0vP59hRn1lXwG148h5ECgYEAnavUfslmUf7effr5cAmX +DRSy2On4th3/i14AhTaO+AifKJSYsfMOfVyS6KLotS9IjNFrt/6xEfsQV3caC4ch +yBp29OmEVWQUsIsIi7/9oqo3MrzUbspwK20h5V1xaS+C7A2AdiHnlnc6I3nrodZT +xV7SXS8I2eN4nGDS79u4KDMCgYAaFgzROc6VO0yGqxmDG7Fu2Rb0IM4lb5SO7Hzn +hAZM3h8KzmjTUDX1y77HkiiDOXBxuZbtLbYj5Rk/TxisKb5FiqNuZgVHsVtRT8aT +9KIy+T/P5mqRyD3KKozB8+VtTeddH5fg3UPqxvX3NnxzPkuyVvTjj92A2WZ+OO4g +sImIoQKBgQCtHJi0BWbWa0uu3OoK0eDpljr5Efs3BIhEuv5UZALhSRYuwoWPMUzE +19BC9t++SPf5cVaepk1VpHsFr8Gj5ez9ZCzXwbAiMi3ulq1DKxWoJmLm+bIRMijJ +Th/7BqzlDl4AWvSePSDU4oT455kE9PaIKWseqHrG6D7n5REnbbxgUg== -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client-tenant.20.crt b/pkg/security/securitytest/test_certs/client-tenant.20.crt index 66f1b80bcfcf..5bc17c9a314c 100644 --- a/pkg/security/securitytest/test_certs/client-tenant.20.crt +++ b/pkg/security/securitytest/test_certs/client-tenant.20.crt 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDczCCAlugAwIBAgIQQwcxVR4R88JtcUteJru52TANBgkqhkiG9w0BAQsFADAr +MIIDczCCAlugAwIBAgIQee3huhR2tVgRzSYD9j0R7zANBgkqhkiG9w0BAQsFADAr MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y -MjAxMTAxOTAxMjFaFw0yNzAxMTUxOTAxMjFaMDMxEjAQBgNVBAoTCUNvY2tyb2Fj +MjA0MTAyMDA0MzlaFw0yNzA0MTUyMDA0MzlaMDMxEjAQBgNVBAoTCUNvY2tyb2Fj aDEQMA4GA1UECxMHVGVuYW50czELMAkGA1UEAxMCMjAwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDGVVmuxLLyjdTpKfrWfdm038n329OYn1GFxfeLGeRc -18rN6XczYkI+yAJyH0mweSMjq7x5X85J7CC6IOQOLcrAwBs/oNYHU+xK0uSCgOoU -G9PXu5Gz/Q6VdBKqXXH5Uy3XlDAz8eE1x9RePMdPHJ7Qoq4UJjbRx0QX0LaZ8ZCV -epDEJoRfhDTZYyEKkS4xjErKUzMlydRw4IYOycvbz5PAZ611WG9L+BZCa5az1xBL -FEUyMfMeAuMvAkmzD9IPfx7/p797l8uW1p2zCbQ6nnqDIiDQk2yUye6jmB6qwVBj -UYUxHeopGCtHTWPqSDga8ylg+s8g0dtuDsCm7+GYUJ61AgMBAAGjgYowgYcwDgYD +AQUAA4IBDwAwggEKAoIBAQDM7Shix/hkZl5JF4ngLwftfVB06WbHNLwM4D/nIdTi +JtSMRaXO0UKPnserDbEJMZVQEGXwZyeNCsAYTGpcIhvp7Fv17gQsrxk2IvDYSrjF +ap0CYsBz4YGPPnLkJt7pPCflnvNT2gdpJMA9C61y8p+xKwZJn6BstpWRQlvpponY +n8kSE6ykTwVN2SBZstjDPlHCkZPsF/zeCt0u/ALdKfPwZnJ1LdZYsQ75TjdQrf0b +QqaTKKIhzxRHkd01hUQh5DxCozKFt/CKuRRS95+FEnnjMMQSK63R+zpqXDFsluld +924RiC6qIvB0DCpGA1nTox6+A0LUBb9hVNiuFSKpZ1wrAgMBAAGjgYowgYcwDgYD VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNV -HSMEGDAWgBQMPV9TZrWuh0pCFbmU2w/XMzVIOjA1BgNVHREELjAsgglsb2NhbGhv +HSMEGDAWgBTLHZdhBlj3nCwftzdK8hz5eR0GqzA1BgNVHREELjAsgglsb2NhbGhv c3SCByoubG9jYWyHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL -BQADggEBAHQPeU7HlsBiWZiIKQstSCcoevqeHtyEtA9hrRIef9EcZHLOKOeyYVpf -C9lLigYMrhAlYt6Q387sldzBvKBuC961jGhG7FvAFdYLHSon3aHnZmq1NIYesJmw -YdUt7OPJtpzW6tpBhmqeDZBXKrN9BYxcrUFBJzOpDPB5zBnhdtMn5krAjJzrQJ5V -29AACpttr+fWzFZchPgDU2jxbATHUZTUCbaf8KBSBQOgbwhrEoAXKAsEpTdBD0f/ -QN+Miof/WEOT869KOmFtp+gFlfTJUidi3pg5y77FiXwasUYwgzvmoHGfAzHHztzI -rzPaKSUAFwZBduzsUghQChXoT1vLvKE= +BQADggEBACd4zYK92utMHRv6o8Pm7G8wRmOA60nERPXB0VrrWR1vFaAo0/YoAusk +pCXT5JWw1cqtmrL8OmqDPVDHRoHsRQvxEEuQxfPpzjYbLFqsAdcO3eqCRDF0wzjf 
+LF6Uk962j3Vmaa+GQnn5JOKNgfiR9IWtApmEt5FYdd1eQ921ZUlnktR3NMuZM76+ +iQ5B/FenIjhh0PbhmFhy9kpVBX8Z0+Ljwruoklvl5NceNw0DxdXNQm82axxdPvDO +f5hUBB12tO+Sma49pIZRkSzMHuHCR+Z3ASYNdgPGPxTJcRI29qRoDKQonCvQgwso +Tf1rv4+aK0IZ9qOh6IiDUxPUAmAvGZI= -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client-tenant.20.key b/pkg/security/securitytest/test_certs/client-tenant.20.key index 23bfda906ae3..49096084f699 100644 --- a/pkg/security/securitytest/test_certs/client-tenant.20.key +++ b/pkg/security/securitytest/test_certs/client-tenant.20.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAxlVZrsSy8o3U6Sn61n3ZtN/J99vTmJ9RhcX3ixnkXNfKzel3 -M2JCPsgCch9JsHkjI6u8eV/OSewguiDkDi3KwMAbP6DWB1PsStLkgoDqFBvT17uR -s/0OlXQSql1x+VMt15QwM/HhNcfUXjzHTxye0KKuFCY20cdEF9C2mfGQlXqQxCaE -X4Q02WMhCpEuMYxKylMzJcnUcOCGDsnL28+TwGetdVhvS/gWQmuWs9cQSxRFMjHz -HgLjLwJJsw/SD38e/6e/e5fLltadswm0Op56gyIg0JNslMnuo5geqsFQY1GFMR3q -KRgrR01j6kg4GvMpYPrPINHbbg7Apu/hmFCetQIDAQABAoIBAHooq9p3kPjQ3yjW -EIf4cBV2GYIuxf+lcaMBslzdD8kXqPR3LlJZ3Q+qRcdg+hRWKIyaBLaFihwB8o5y -H8WT8uQR7zabq/hLeqkDiHfRS1wjX7Hq9+1ymn73RV/luoOk9gFoZuA3xU1IzcdV -jDVwHWnIKYyDlRRUtd4tUas0HKfUBmRNJrH8YCKOZMCXE+jKi483UtQQ/ASakRVn -K+nZe/aisZVOPO/pzWgZMUoakq5mMUbCu4cJ7JM3NUCnriDcJUSsDnhdZ3cN8R4y -f+3RwwbIoj5onKrEZZCHBAFLiPcm8OJ8ZSbZZYby8TrIqFvevBPCESQsGK7AnqwA -Zch0ysECgYEA1zyxj9XLMkko0Jo0xaaPlh3xxoeuqq2kYSgwxmgljsVC9ESbOZxr -8rrQsVjfvY+RtvRr299Mwlwy8SDAEOX7bco842AANkdUqTNOMJf3BaStUWKwOfXR -C3+JzQnYzG9Ig3klTqNIHr25wbdqr1eLJoriHPzJN7MyP79pm90uUH0CgYEA6+Ue -NBPLFXgf/JrAdMVk0DYy3Hss+8k0kuVnYXRkFNXPeSYv6/c4PSOjnRlxFYN6vo+i -yiDH42APSGM/ihxFSVJuDIUMFhm0xA7fiSnd7b5UfC2MkoC6GYLToHuOlasaZWsF -r9wfmatgXSympMDgEJ7h4gIo5u/O/HEp8oTX1JkCgYBp0FnOx6FUwGjDXPxSqxbu -CxygqHWzTRiB9zs7X1oPfWT0J4JUaVUciMEuXu3oCFvvoOwhtP7Mkn0s1Bf4dsgL -6p/SfJC+HoU9hY6MDzmO2a2nVCgk5nd1+qZpWczufEse74DqzxUWn9lhpeVZ/GTZ -du/ApnnZ20v50QV/bdZmFQKBgQC5gM60o1ATzQhSbBumeEgkGEr86XxhcEOAtRgM -IixF2jGykp4i0KGQKsOSWhx8j41p56hbjVXDb5n1Ed84q6ys0T6rZ8Eua/6kIxIU -WjEksYTctjESUFqIj0H+tMtW1VwHnxa0ycSr4oIAI4nUi7xoNZlqUsp5eOHr0M3s -4hycGQKBgAo75A02xiRf0fvUxisVXvk6avQ4ToN6MDRppgcLoMFd9XRgLHhTZ7Bc -K2KVFoKxOd9Y9+7lG6AzPUz1QF3YvaOIEMPKR4Im1VT+EFrFaSn4vdKzMQU8K1RX -m8w+SbNa/2moEvnFZDoTHec6NbezmSRWtIVbogONwHjgJh39J5zG +MIIEpAIBAAKCAQEAzO0oYsf4ZGZeSReJ4C8H7X1QdOlmxzS8DOA/5yHU4ibUjEWl +ztFCj57Hqw2xCTGVUBBl8GcnjQrAGExqXCIb6exb9e4ELK8ZNiLw2Eq4xWqdAmLA +c+GBjz5y5Cbe6Twn5Z7zU9oHaSTAPQutcvKfsSsGSZ+gbLaVkUJb6aaJ2J/JEhOs +pE8FTdkgWbLYwz5RwpGT7Bf83grdLvwC3Snz8GZydS3WWLEO+U43UK39G0Kmkyii 
+Ic8UR5HdNYVEIeQ8QqMyhbfwirkUUvefhRJ54zDEEiut0fs6alwxbJbpXfduEYgu +qiLwdAwqRgNZ06MevgNC1AW/YVTYrhUiqWdcKwIDAQABAoIBAQDJlKR8fv7dLEGl +Hq12xGzE9dc2Gf4LCNnOxKy3nPT/PXkpPr26sugJxQPeRIqYY5jf+DF+iMpEGIYb +oNejJ75Tnjhbs7WRivB+62IFMYOOVrB6D1AG7ZX3pVN5EK+HuK/6VSBApKFTkV40 +7o7BGt9xdMQrmgVBy11XVXJ6ZWMFnW0vwmNgTqG9FoSPeYNMuk9YvmuJXWivNvJ7 +kxaXcDCaZKEA/QUi7KaPJYNMCGCns7vV5NeCa3YZPwsQdmcc/OY5pFXA/Wgp/Lcf +N3tT0yCfLbnlseVVrq+Mw9kOJx8Vp8hb2fpsWCy8Mz1/3bdVNL0x8jLDbJAnEWcw +gwM8uOlxAoGBANtRgMTtnB3qim3u4UtvbMILYrAjcaBaKSneylBMIqFiit3KOJym +Xx6cgtATb8AxMxGjLgibmyJx3v7amhI8w/JkfKAVX3WAZzqHbO2sEcEEQ5q+SkTt +njsl/srLZ/ZgtUTGgVM0sl02IAi5Q8peviaX9P3dF4qyrgw/zKbxI5mzAoGBAO8z +b/m4MSFv/WZJ7iTytnV3hUhCbfDdvUuYklwKL3ckDYfZ0eMBX0F8wcyxWGFkTaaW +DGRrLyZLC74p/WljdtYPBA/wE7KqM5pgy1Y8JD/G9bwNJT4eK1zFXa79V5uIR9Ho +fg/1WBPdpyfS1whFd9sdIJfFFbwrys2E6ceCAQepAoGBAKxtbqTk/rmSfVUi2yQY +rVP96Y/7vcjJOdW+YCczRILHW9A1vb6DGwORH1OCBHkA9VqnhXilBhnVlvGdYkZ2 +WcPHdyfQxeU2l3IvqNdPUgIDXTda5j885gswuxorQ0g0Di/NNT36j0SzWgohxgdj +53GmRKoWWfzkr+vXeQnDSi77AoGAKsevSiEoIEvQLSAhyFfkTAPxQWgoE4EE3uVN +n8pujMdU6CwLvqa7K5Itcvdw0BJJVPbXBoqo5xda5UrLOLMCSOxslJEiZLzN99lB +5I1jCkkCH/zV4VMx/CiMRcSni3iHJ8KF8UK22u60e4nYzXDnK7f84UftSDco0TLp +QLY+iukCgYAkbBq4jAB40s+SVIRRIjRFdOsT9hgzpsbPkTK9tbIvvt1SaDybYhKc +hTXBsnXovYnI3hgrS2paSnOxVvxDec1kNfzN33DwFeYs2A1p5uD1KOmGLXiOp3QM +uu4zedmZ/V5ziiRbo/h4YPxFRYr7szwuBKnPhUnAWzFZIfaGqhwb7g== -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client.root.crt b/pkg/security/securitytest/test_certs/client.root.crt index f704030710e0..957fcc7cb80a 100644 --- a/pkg/security/securitytest/test_certs/client.root.crt +++ b/pkg/security/securitytest/test_certs/client.root.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDIDCCAgigAwIBAgIQcgkmM8M7za0dPIlRWKOCMDANBgkqhkiG9w0BAQsFADAr -MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y -MjAxMTAxOTAxMTlaFw0yNzAxMTUxOTAxMTlaMCMxEjAQBgNVBAoTCUNvY2tyb2Fj -aDENMAsGA1UEAxMEcm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AKNJzS0UydhoR9W74/Ikkw/oO4eS2FIJT99YHhHriUQJ8L/SZCtp48sVZmPlNzU6 -qt9cJTgx8tCJ6vu97fRjpyLT4/78objzt4jb0o3+xk+zZ9yaLQlQdI5Ff/QVuNcU -Jc7CFCbcHgepyHovY9kkU2Fl1V2+r9IzafpiicoHHlM0OHmTjmiF3KfY3OdUsANS -USr7f+c5yKy7/6kd1RzeqqRGS+bNpgAb1LP6EQGCzqrjG7nojvWSMq+TZbxGtPvw -iYPKQS52Sil4upJwEsNywcrxGa63Aqo6JLWdYqxw1zCAB2SQmMUOW7th1zvOjyNj -P95LfrgQHpzqDYmvDDFXoekCAwEAAaNIMEYwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud -JQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFIs5LmPgR+PGr0TVxJ6/zRIvXLXq -MA0GCSqGSIb3DQEBCwUAA4IBAQAVtCgQR5MqTcCchlanTM+FDGDl3TYKCsQQvKDa -c7qlUu1Hg3FTI0Ahw2D8X4aHd7kcujTslh8P0pDe1vi/mP3rS27bpx/d/0LEI3Vk -miavTUhixkl3Tw9Ovd1waCNMiysCuHV1V/bvKhn406qNO9hYFjK1saUhfPa+rZzv -HuuVyK3+OSgU23Pc2ifQXg3XDAabHldreCHt+x4YEAlwVqeurGClyrMiqqvRRsdi -6kvis/xYoZesT0nMmUi9fmjw/Ot6gZy/YMKJzQ1qqxUd0L1yW1h5uhDJE1JYXREb -dV34oUpjHI1y9K40bMHeQ6lwzWwfydIGDliSVmlXYuiuXPwr +MIIDITCCAgmgAwIBAgIRAOIAvv/cEkioeGjZo+qfSwQwDQYJKoZIhvcNAQELBQAw +KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN +MjIwNDEwMjAwNDM3WhcNMjcwNDE1MjAwNDM3WjAjMRIwEAYDVQQKEwlDb2Nrcm9h +Y2gxDTALBgNVBAMTBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQClf5C+KX39aACduNsdbDiVEUCxeQEab4YaCCLzWo/kCAwrr+Hm8S0Ia89+9aCI +hqnG6DfOgCYd/tv7Sll4pIh5jRA6/hAG94MMVGexAIVJhP/jW21Om7MGG5yKSCf8 +I0/Y/7ubTunR075vX36ekfHYkHlbax6UZhYaxSQtodEAAo2T7sEJ+eunroxyfmiD +joPqNjGqCBEB8ADv2qtILrGBM6z6a+BiaXmFtVgdz6PNEzmc0vKcWhD3uocRT4/l +JNbNOUFXZULJXW6O1+DshcpWL1fwq8Ni9+EWvRicvr7Y+qh4t+mtyA5AWIaWIbHu ++yRoWqLjspkDBvxxkZyJVu41AgMBAAGjSDBGMA4GA1UdDwEB/wQEAwIFoDATBgNV +HSUEDDAKBggrBgEFBQcDAjAfBgNVHSMEGDAWgBRCtHw65Qb7W4fB0RQKhZJAc3WP +zDANBgkqhkiG9w0BAQsFAAOCAQEAft5/12m/PJiH6ONWqIJpu77x6HL5IJQdWTEj 
+OZMCT7Z0STfQhd9fIAbcnqSCH0niJcoq6Zt9oTZO/F+57tW0dFNWYqoT7ZX4yc23 +mRoODnfUKUQg2R/2C3RcpXMpVVhgNh/PH8x2cz2KTWOIBiwsH9urgxPXYEbXlMRK +rVt/iXtjMk8L/fFufXQsLZXhe25cWZ1mnU3MaIY4a6HQ1OSzCIZx+K5sPWRBrd2w +D2O85znWy1ZQHf/zXT8nA6OQk4wNa+4u1c5FlBVPrRoWfcBkyvh6X+T8JZGZt01b +Cn80SwYNM6Gxt4davGQqLXdNK8BLzGnS25dPCSQiq16rEmpvjQ== -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client.root.key b/pkg/security/securitytest/test_certs/client.root.key index 77d6f803b5cb..25e89dc00bfb 100644 --- a/pkg/security/securitytest/test_certs/client.root.key +++ b/pkg/security/securitytest/test_certs/client.root.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAo0nNLRTJ2GhH1bvj8iSTD+g7h5LYUglP31geEeuJRAnwv9Jk -K2njyxVmY+U3NTqq31wlODHy0Inq+73t9GOnItPj/vyhuPO3iNvSjf7GT7Nn3Jot -CVB0jkV/9BW41xQlzsIUJtweB6nIei9j2SRTYWXVXb6v0jNp+mKJygceUzQ4eZOO -aIXcp9jc51SwA1JRKvt/5znIrLv/qR3VHN6qpEZL5s2mABvUs/oRAYLOquMbueiO -9ZIyr5NlvEa0+/CJg8pBLnZKKXi6knASw3LByvEZrrcCqjoktZ1irHDXMIAHZJCY -xQ5bu2HXO86PI2M/3kt+uBAenOoNia8MMVeh6QIDAQABAoIBADmk9CnWDOu45KMv -kWkKQGB9O4bA8F0FrIzMLtFktTCv0a3mODabSy+Gfn8FjFfePjRb80fDWlUEW1BD -3J1KENbatsJtrSn93+0QrWQzbQ715tSaGQwQuxT+tA0XHgnPswkqurJ9Qpyx83Qv -BrDBgi4AJTLS/n7WZ7Nc1gfcO3hjhp2JBK6EECAB0JrNNXsbJIzJ5w/gqoplCRlA -floHgZS2PNtR3V72Vb23QLR6D65S46fpnIbzxektIOvj9UqoAzSpc4iOiyjbUqOS -XgBSOpIYBcAx6cKZ1HKV8FJSmkFLcfav/na34deTiqSK/vAoBxV3Rrg2fHYxxCGM -3ytuN4ECgYEA0zrOD+wkVsFMHgaI7hO6+z+qP29cBOUR2CDdYwaPH8jbbNwtGD0J -sgwWh9gEp4+n1cQ2AZTD7MOzlG+qwCu+DqO+XPZAzph6SynOCiRgNQJfeEqQtwTV -aXJKD1jhlHfbmyisRgcv8r2VmNheY+AiAYlgdxwO5J3Iz3ypmhh/wVcCgYEAxeW5 -bkq2hHBxTDGM57sA2vcyOiniE1Nan/A+xKYAoY9heISfN+NtnPIaFOTb8CGTmCn0 -XK+V1QDojs8199aZt9BTrdiVkwfkox3d2xeiXO9P3JvVGdkMqiE4B3Y6JGd+rVxy -E0l7tD1LsCLBkaVCDG8jXuVUj4swLTIC9YvFbr8CgYAD0OwoHXwKlTNq13Nh2bln -EJ9ixgBDll/cJ7vYLiYnzNkp/lBSP8gND2rYyW5MGKxPkFvpa2aewGpeJCZRkni8 -ivjFdS12jgqnkPnH9SBH1OMkqTQ0GkJAxW/RFyn8JK4y/2kdWsPi/snVGRObelEi -9fhoLnmWZ8NY/EeUIR0twQKBgAqjXcN7CrK15LFG3J88Y0BiF3Ye+EM3sOB2Jrml -ftUwgvnaj0CO3j6YmSRUZSpUc72zS6qL2c8YfGfo5arMA3lpHoZy5R+BRh4qpdl4 -PMcoKi/exKbeDxs6K+vixB9e3OVu2ccFpTu8K8xtIeC1dIZ8lvcr9s68mbtkO9p9 -SAC7AoGAZU+UvgKzN7Ln8RhvKl9IwBiPOYUJtAY+YCpLW0kbW9peDZOEhJcyFa54 -HwetoUZOig0162y8rb6//VCyDBSmsBb9yv5hilZG00wba5BW0SjlR1xk+j9V9ZYH -kVJOMLxqGQGtHgJjuzYJx7/SG2L1wkFcrcZIezzsrfxwmAOh7DE= +MIIEpAIBAAKCAQEApX+Qvil9/WgAnbjbHWw4lRFAsXkBGm+GGggi81qP5AgMK6/h +5vEtCGvPfvWgiIapxug3zoAmHf7b+0pZeKSIeY0QOv4QBveDDFRnsQCFSYT/41tt +TpuzBhucikgn/CNP2P+7m07p0dO+b19+npHx2JB5W2selGYWGsUkLaHRAAKNk+7B +Cfnrp66Mcn5og46D6jYxqggRAfAA79qrSC6xgTOs+mvgYml5hbVYHc+jzRM5nNLy 
+nFoQ97qHEU+P5STWzTlBV2VCyV1ujtfg7IXKVi9X8KvDYvfhFr0YnL6+2PqoeLfp +rcgOQFiGliGx7vskaFqi47KZAwb8cZGciVbuNQIDAQABAoIBAQCJ8pnQmD9HUUBq +N2KU1NcZEedtxuHvihQqcKvJUqxrs3WJmLJg0Jjr0wmC1vS3uB+eB4Q04UZkbEIq +5N9NG0ASqU1lDs6HMBqQ1W4U8M0o6e5tMZEcG9YOekdyUBDcLwboZsmW/CET4D51 +ERE21YnULSCq3dAAfFNifv7X9nCCY0bX6Tn5arqJLvlfBcWo8uBGfNtZ+mIrDAYG +K9j2vO14Jum6I10Pxri6tUF4Yz9sgRGhJ+GQV/cPeoVaau4dKLAcOZcJYGxVyhoz +/cTtNyd4WkyeGmFskuP9+6OgokNgZBs2UJ7BeA1C6mgksRAmBu/1nlsMLmWB8B4X +u7nB8oMFAoGBANgoouzI3viOvp2NwgDvs1MCsiky+d4lGyHqTicRXeA3WDNmm3uj +uTLiNjZ8beYA14j6pBR+ZflwdI+0XEF3KlwHr9symUiTDZH6/bFwGTFYppXrz40a +jrGYsvpSVHs/78vYjOMpNeh6cEYu8ZWNMeNzdky9M43PacjJVnsAkVDvAoGBAMQA +iWJy0uvEtlEecokXPoffG5zyipseCUOUeR1LgZ9QKc/nbCDtqlOc8ysuzDhnE5Q+ +Id1JVkcnSjexTZACeGeU3uBam5QPAEFJScuicHceshw0mY5SBpeHhsDGFBK0/UrF +aAqGNRLb9TyzTpY4rC88KP4nFt9y0M2DwOLGyOsbAoGAItza+imjnJ8ZKzwT0CbY +20iSB4cLOcLuT1gE5tQsOd9zQEcKSLStSAGoEL2c0/3KxXL3R77jH4n9orfKMVzQ +3ir3N/k/M69T/vlmNVoJFiZgJ8nynaVs4kPoiesBaSd0u4HfpzucUDR/KzKjECXH +qBGVQOc7C2Iqg5HFeu0qgs0CgYA/PE0WziTunBCWK1SYlj8+ZuTpxfaiBRbIDubk +ZK/1Tk+vG+Lu3L7PKxvpGrgYmmjesw0J79c+LZbsUO/NPn7KLGWbzJ/VLOHQLmz4 +nffa9rRQFUhVenFWAguftkhToMD3lqjyfEozQ3PjmZYJMU+cDbTMCqB+hvSG2bMp +dyjrcQKBgQDX5k6x0cwA4nFZxN9W5NFoHjNcuIj9Yxw0U50wiFkj05vcOFO35Qi+ +fx2OJhMDiAcD+e35aH2OMfLA6JbFEcg2vYLmtshnJeRlwABjEBO+5thA6jvbL0Og +6LhYa2EpmbUX73fZJ/RcAfRaK5Ndk/M2STAl1BfgZPn9rTwY2L6ddA== -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client.testuser.crt b/pkg/security/securitytest/test_certs/client.testuser.crt index 1445eea84a8a..d36fee272558 100644 --- a/pkg/security/securitytest/test_certs/client.testuser.crt +++ b/pkg/security/securitytest/test_certs/client.testuser.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDJTCCAg2gAwIBAgIRAKDLzHuf1H4wP0HR3GmF9ZwwDQYJKoZIhvcNAQELBQAw -KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN -MjIwMTEwMTkwMTIwWhcNMjcwMTE1MTkwMTIwWjAnMRIwEAYDVQQKEwlDb2Nrcm9h -Y2gxETAPBgNVBAMTCHRlc3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA3/uh9wMNN8SeFzDg7ZHowA6Oo9Hf2CFRZjscNxV2bK+Qm2HSiuEzj3HB -20b0nkbPXQBUF2vVTfMrsrI4Tfn00Ja4FddFp8z+y3Ol5mpXcM9mtn10hnJcXWIx -d+ApLbfsugEmZst00GsbvyKVDV24owJLllFMnHMZtymdbd068KNt2w4jgbTNpl2w -7e/8mE+fcdTm9Q3sXPDTTbbW/Lbvgc5oPpazPBNfVg/JkC+kzxjTbBiLfooi+Srj -TdJ/Bqk6I0+sntxq0O8xd/mzLdwqGuHoUm001pzw8E6SsmaErQdZVwYv2tm7lvRU -0iTzTRW/UzbP/g1g3AM7AmaPJfKvSwIDAQABo0gwRjAOBgNVHQ8BAf8EBAMCBaAw -EwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUizkuY+BH48avRNXEnr/N -Ei9cteowDQYJKoZIhvcNAQELBQADggEBAHRZZfTFulWx4oeGoamhGZ/jiOEaM5ii -MV8K1DwTOk9sWGANEFRV78utEJyHTvONcoSDYO97Iar0Hc3SmRG8iKtNqCAsGTqV -+BbUxKqEkkIBXJ3jZ0obEdNIJ73u34Fm0iJeGcqUwqmSWsqLV/NJrs3F/QlTPK4p -JGcW9wkT7kLFugsUKaTxPrVHjfbYMdQ9mYFFOd74Eem/gCS3O8XmEunIH+pAo3wR -7lcv1bHz3b31+eHh82vbFMj4tUUqRq7Z0vLsGHpy3JzI0/aWcBqJi96jYmRRCf9a -i0jsTsUzMBxTp1rOrzjAf9OPxG/8ZvqjIrgv8NXsBtSZDyAH71Jo0Xc= +MIIDJDCCAgygAwIBAgIQWHu+HW36tPMHhJReQZWUljANBgkqhkiG9w0BAQsFADAr +MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y +MjA0MTAyMDA0MzdaFw0yNzA0MTUyMDA0MzdaMCcxEjAQBgNVBAoTCUNvY2tyb2Fj +aDERMA8GA1UEAxMIdGVzdHVzZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDVgJDt+y85S9FAT9PNRtizbct49YeTKbhZoGpwKiWNh5LTtxBl6SoCdhVB +w/HBAkN29EsbZqWOb9C5xSD5qpz7Pcd7mzlix+4MR6vJd8BX6hnWrnW0fnIKQSWl +TnaBvuEOPugbZ4eY3vYKtzQN5qfqSILf1NHjbMeFdgK+VP6LJTegyuAMSNOC7iwm +J4r5AH8Rd+wlFd0YNry0tuT9/4G2cdrSnBZOyFqKyv350PbLzmRes3YmBcuOxjOp +XXjq8Zlu6mOIy6lcYkcJEW0l7IBKAqqhJ00D/14xx7NwskGyMBptVtHNUYXaY0pF +F5AtoizK5RjzVXhBJj9orkIKAAklAgMBAAGjSDBGMA4GA1UdDwEB/wQEAwIFoDAT +BgNVHSUEDDAKBggrBgEFBQcDAjAfBgNVHSMEGDAWgBRCtHw65Qb7W4fB0RQKhZJA +c3WPzDANBgkqhkiG9w0BAQsFAAOCAQEAOCDIkd/1CnSszihUop7zv9CqLYCFYbHi 
+2QSFpWNSJm3ngTKsGUiSSiNAmlR34pYwcY0BqaEF2g1yPioJ4SAyOfREHNw1dI04 +aCNalKGrLukPlMJUkW5a8WqxoazpsA4ZHwJZIAz1R2FmJlpJ0XXVu1cESM1jZvm5 +CWc8iDbUMycoJE1BMIQ+eVhSgNbuFML4iBP1Ub9oMBh4UrV5NxvgQ6bArtDvImE5 +lgoNv/+Q5Y9Y1AW2EE747SQBnKm0LR/1VwixdErXCkhPEM6hfbcIRrmA9vTCYF3a +REq8zljHOncQkdW3nuZ9wAHZ4Ha3wR/0XbXZkrwHw03mD81zY2CvQA== -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client.testuser.key b/pkg/security/securitytest/test_certs/client.testuser.key index 62e3c9a413de..ab7b7d0c91f3 100644 --- a/pkg/security/securitytest/test_certs/client.testuser.key +++ b/pkg/security/securitytest/test_certs/client.testuser.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA3/uh9wMNN8SeFzDg7ZHowA6Oo9Hf2CFRZjscNxV2bK+Qm2HS -iuEzj3HB20b0nkbPXQBUF2vVTfMrsrI4Tfn00Ja4FddFp8z+y3Ol5mpXcM9mtn10 -hnJcXWIxd+ApLbfsugEmZst00GsbvyKVDV24owJLllFMnHMZtymdbd068KNt2w4j -gbTNpl2w7e/8mE+fcdTm9Q3sXPDTTbbW/Lbvgc5oPpazPBNfVg/JkC+kzxjTbBiL -fooi+SrjTdJ/Bqk6I0+sntxq0O8xd/mzLdwqGuHoUm001pzw8E6SsmaErQdZVwYv -2tm7lvRU0iTzTRW/UzbP/g1g3AM7AmaPJfKvSwIDAQABAoIBAASGZONEoIO76SW2 -yxSBmh4nLSKKHueS5L4X+53xRQ81DMrW0xYTLqN7PNtdN5vq+k16sDg46XpFq2BU -0WZh4lxEbzuhubqGHa+mind5NoME7aJKLox4yvzn+u/dC3fs+09WrpvtCFMdltXp -sPEwL4a7iSNkSRPwD1jv8kpB6erqmJ9+SY35hLqtf0EsAxgY8AGds9MxvAk2/B7/ -Kor7wuKHriPOUaDoRigpLSOWrw4pOPitSBhbUcjODJpD29HuDW8mmsjv803MJTGJ -wyd74Qlbcz34GBIWviUXUWfljuGL4M6gG3sXBYsKqBcGNvilpyhdwrmZGFHg6ic3 -iVuyX8ECgYEA/3bfbATAUF3z4KHnBDAWWYzl29AVcvmXuwK8mw2g6nR3GhLg6e+6 -hDZADrl+/F4vb5eQ1JyK+scI/WB8KhjdLLNv5ygPXVKIlc4QkgMwX6jEbHXbI4h4 -PB2zQ8298Pf6XkVPdKkZe4E4Psmxqqxxb736d/iJEs9RFAC8MtK33KkCgYEA4HPc -iEJa1KQE5W/A/czC66884TTpJ5v/Ht7WXABt0+JOqxRrQt+zhrzxgjtEpGkfslnl -JfAIBiQ+PgkXSDVczcjPJ8a1B73tYI8LBqEwt6UQ/ktMEOIYSVmr1yp3UJfmoN59 -3WE4AdAWvk/upOJC5gIcCUHgvmSgW5K9lbS7UNMCgYEAn0jgT/q6aqHaMSLh5zOQ -i++VVrRs206S89DmBou93NIXfRNuV47ZLhyhXkz8x6B2VU8cx+R/p5O4oDurz5fH -OFr9mBTbV6Xhcf6VSGVioRKavsHRjFtIFLu0Db/YAcqsumDfBO926xIMHuIlvDRf -WnwLEwjNdwP7GszGi63lZFkCgYBLoV7HHyzCB/6KXQy3uH5ZsjOeYxjJOvxNJ6Mt -Xwui4NfHN9sorn4swY/TZSstBysiCr52+RmLED1U4/VPZIO/55E+AuvPDwVkiu6Z -LklfKCTAuxiHe9fZJ3kKyIlpw7V3sWDR7sdTfQ2c1QxBzOfj3wQZbnRPU1LhaGGv -hzWy9wKBgQCD1VELtjlzZZ4A+9lOOPLM90OHggmfVtsk2dGKGTg/5e+VWeqX8z7g -NXdSWKTG8S0wp/Yoc+o/cqwjes5BXXPry35wB9pFsGm415cGIOtM5oCwUJfsZ0H6 -0shHW67yAvWwqSxA5DjNnfBPGRSiDueSkGrF2ZxLbKhVAws/XccSUA== +MIIEowIBAAKCAQEA1YCQ7fsvOUvRQE/TzUbYs23LePWHkym4WaBqcColjYeS07cQ +ZekqAnYVQcPxwQJDdvRLG2aljm/QucUg+aqc+z3He5s5YsfuDEeryXfAV+oZ1q51 +tH5yCkElpU52gb7hDj7oG2eHmN72Crc0Dean6kiC39TR42zHhXYCvlT+iyU3oMrg +DEjTgu4sJieK+QB/EXfsJRXdGDa8tLbk/f+BtnHa0pwWTshaisr9+dD2y85kXrN2 
+JgXLjsYzqV146vGZbupjiMupXGJHCRFtJeyASgKqoSdNA/9eMcezcLJBsjAabVbR +zVGF2mNKRReQLaIsyuUY81V4QSY/aK5CCgAJJQIDAQABAoIBAQCSqqBlK8H0LVZR +RMVuZjXlhQ5bSOhauzVONLoJ1Zo4kKLX2BFmwPc/+5h8tju0aHaqGAYki649nCia +BYaynHb8zSLlkeupJUktnGqxmxdCDaq0ZOKtHJQA4WIYHj+gv9zhKWvPr55h8QC6 +ucIDrqk5c5icZRnOjuK9lyUpVUALm0KwjCEs6YCpVTlebFhlgDMcu6IXOhQj4sNL +Rh5GrTdtFj5hIEKMHeO/XZ8XXHQ1HUlZYxDsrnim0uKuYQrSte2H2tuRRJAqv3IV ++fe6oLJBuBG0XuJ3x7ylofMkWHSCIUJSFiGOb+GKilBcCcmQ+iNy1BSrPSQWv+qj +ZmtYJWtBAoGBAPkp9eiXFgSOxvaTFLoS98/SPUOI8oxtY/yU1kSwSbqiye1pWUtY +osSQMafCIDdVasgVHWSf8CgVdFlmxAAHEjkTlbXt4qc4oJOs3HomxeA47RyH/mu2 +UVGlYVwGlt6Ti0XCgf1IzT7E/zWu0z27U1wNfS0YjEthc/JVM+6QrWcVAoGBANtc +IV/IbgKeqr1BekcwsNiGFMFUKpMIEoa6OluHmsGNwLAz0t9ckJcXijEWJmA1h3K9 +b2liGv+xDCdNK/oYG5S0mjrScmh3p0/PEYgEpaUhfLTngoNc8Mky1R3FfLDdQOSA +YwFPgdO4BKHAX2QKg1S++l+HJHReErKXNHAhG53RAoGACSqVBGCCi9pg0XNpwMqv +2TJn1JM2MRpZIlKra018+OPCP/yvL0lse4S+fuhyXPbEfeXg9fG4WREo/Zz9Ou8H +qZfh2xaMTxCTP7uNROUmRHBzsKgEIRxM8478/PC1Hi0ZY5CbTaEfA98lcGklFlFM +6McKQt1zU9aa+GBQD8e8yV0CgYA1nhBeTCxvoX7UYbPUwNcJJcTe+Iarh7aXjd+D +zeKK2u41Y4VwqTyCYfOaSfK5Y3wnFJyt4pf81bbFyHwuVkQvlfF43UWvuUeBH3kG +iTQ/566GvWvOViJY237yFvqCdKJO9/67LEbsjDc9njryxgsR5NhoDy1e8DubwY/E +tKL+cQKBgDKDXDUhXFxMc26danCgrKI3GUsA2wSQno0jLrtn/Xqh+08C0tLoh2Er +lrFcGtSvB+OFrbyneoRdbP6dnFzPJb1++czIMDCijkG6+7L6puNQDmLwz0F4246T +7vf5RzXBgUB6qfl92rf4P9irgzyB6oO8NxaMj5BbhhHjlWnsTRsW -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client.testuser2.crt b/pkg/security/securitytest/test_certs/client.testuser2.crt index c35f0a72143c..d925e0ecfd3b 100644 --- a/pkg/security/securitytest/test_certs/client.testuser2.crt +++ b/pkg/security/securitytest/test_certs/client.testuser2.crt 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDJjCCAg6gAwIBAgIRAKFvTOA9+71Z6FxeIzdsUMgwDQYJKoZIhvcNAQELBQAw +MIIDJjCCAg6gAwIBAgIRAP4mmXEPPNVv7a+f3Ihxj0MwDQYJKoZIhvcNAQELBQAw KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN -MjIwMTEwMTkwMTIwWhcNMjcwMTE1MTkwMTIwWjAoMRIwEAYDVQQKEwlDb2Nrcm9h +MjIwNDEwMjAwNDM3WhcNMjcwNDE1MjAwNDM3WjAoMRIwEAYDVQQKEwlDb2Nrcm9h Y2gxEjAQBgNVBAMTCXRlc3R1c2VyMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBALiduQvG/etVIE4hrs6m9IR/+fdpVhcEmBetr0h4C9Du84bQn4q+zAhB -j/hrUaN6HR01hFaNLU0RpJBdTi8A/AwFX8KT0BV6EYSRkAbrt5qvw9kmd+AdHogV -YVSGH0amHUH9Z9VBy5/mmO9ONaor/rCvuXdq3YLXTrEyF4q8ChaE0LQZ4+knMX6Z -0CnQXFAXRQE+jFpBhklqgwIpeaY1wQjI02WZtxTL15j1z1BFrDNlF16yPoNVUjOt -1p8LM1418PvOE+KWWUAP1WmxOzGyCFv3VQiCxFfUeFANt4DqQnMufZURDnxTLydm -VFvqJPTTPj0JHoxoWBPzCdZX8jkS0xkCAwEAAaNIMEYwDgYDVR0PAQH/BAQDAgWg -MBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFIs5LmPgR+PGr0TVxJ6/ -zRIvXLXqMA0GCSqGSIb3DQEBCwUAA4IBAQC/2EZcZwiB0zxVaUh+ZssB9FZbipSZ -kENeSLTNAG3POM/4FdvkWh+YsLJfu6rASmzde9lt5gDb/3Jo/i453X33n/SUNaLf -ISBYM8H1BraGLD0IyySy69JWL760YyM3CxQurf+Gl/27FfWx2mj0q2LcTzV60NED -gL+BMKvwCd83UeYhzcnDmZ52QIB5rwifqfDhEWpdoIkJAtki5bZiCSD4gc61TuPi -Ov3x/o+PgdD1bceemv90MZv9Y3oE/X6Ft9bU34vWB08ZJqliY8zjBmwWfCK5Ke18 -NO9gDuBh6MgyOMylERufsrt5QEcwGODH9DQkNqxq1njL4bKiqFuHUDeR +AQoCggEBAN4xdwMibmNy5HlNsxeQj5oW58eVTp8XrCiLqyeG0b5Kea//tu3QIFe+ +3cRyzuNgFmPPubI0l4BTn4/233X1JwGsMHZ64j8dkh5MndZWSNTrryYWlhrEYven +NvEodutqldPJ2WFPLXexLd6KtRg8JgRyl5YklYtolWh2m/zM0ZN/G/4sqGa6UdoM +l8LwLvO/H8R0mMLFm+/PyuZTnPa4jIVj/TZCWLyJMXkzIMtwfo8NMv2DjifPGuwc +LkC02R6McOd8yVH+3AtC0SaFWz8I3rFG2QLMWEf4eTSRo4183kzo3s9RBxQAK153 +jSP4lnTsueD8Ryd5WWS7Mc9nQiaMguECAwEAAaNIMEYwDgYDVR0PAQH/BAQDAgWg +MBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFEK0fDrlBvtbh8HRFAqF +kkBzdY/MMA0GCSqGSIb3DQEBCwUAA4IBAQBejgrM66cuusRjCW9bZ/0mZ3fGI6SN +VN/C9gvQlD+yyyICQ1zFlH09xeUkFgwHUnRIdI153WRYE/neoLzKMzASmTOX9na5 +/VxFbYJ0+xFlvFgSaQC20shEY4Nai3JDpzilwRzbnuCowng0Zf9NCFhAMqNQVFuw 
+MluUuyWDXDcygBm/VrH1XrtbNTfrsn9gtFHAkVhuUWfkqgkVN90o49YBOtVaq4Uk +xkdX+j8ixvOiTM5bbQ/UNcDUTgie/U3zDBF0ejvylW4h0HEkytEuoJHp2REloJiu +wZsR2AM5nVX1ZR6nLWk9dr3jbGy6TRqwYiSZZV0lD6ZnnDD6Whbl7TZB -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client.testuser2.key b/pkg/security/securitytest/test_certs/client.testuser2.key index 8483635b843f..2a0c2a5083c8 100644 --- a/pkg/security/securitytest/test_certs/client.testuser2.key +++ b/pkg/security/securitytest/test_certs/client.testuser2.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAuJ25C8b961UgTiGuzqb0hH/592lWFwSYF62vSHgL0O7zhtCf -ir7MCEGP+GtRo3odHTWEVo0tTRGkkF1OLwD8DAVfwpPQFXoRhJGQBuu3mq/D2SZ3 -4B0eiBVhVIYfRqYdQf1n1UHLn+aY7041qiv+sK+5d2rdgtdOsTIXirwKFoTQtBnj -6ScxfpnQKdBcUBdFAT6MWkGGSWqDAil5pjXBCMjTZZm3FMvXmPXPUEWsM2UXXrI+ -g1VSM63WnwszXjXw+84T4pZZQA/VabE7MbIIW/dVCILEV9R4UA23gOpCcy59lREO -fFMvJ2ZUW+ok9NM+PQkejGhYE/MJ1lfyORLTGQIDAQABAoIBAQCpl9phw0+HXA/t -NmwLUrvU7GuIqK95PbMqLVeUTxMrwBbehc/J+TQdcXz8TDoW3xrXtk335ID1B3wR -UmV8MH9Z26X4bSj+UcC986pHcUqdQ1G6ref5bUaa5Gkg6ITatcay1EMKWQLhxUhA -rawGw5uYXBUYaodKpteXV9jgjZUG0TJsecpyP1igRLEiU9M5P+IP5QhrPGsM+QPz -X+tQlin4utROuaW3avPxBuS/UaJ9hGQjgurpR9WBwAf428/rTxArSzmPHWkh+S5x -WK3MfZn0YSq3RTIWeIb6spni0CDzOx4hsGUwk1zxEHptvmcr/o3DpqHsPb/tAown -SCw7rvkxAoGBAMX6qC/qsLRHTQzERhTg46fNf01NI/m9Ua8+X/z2vLNJiM0YmCdS -Tuuu1U9uRFNaWD/wmzczHW0PFxdslRMxootc6rCIgkFwuCl8MJaY3tkDDujoelBO -SSCeXNcx3VxotpueoiQlh4oy2PPXcj88uJTCPbg4tT8sfxvc8yryF6ujAoGBAO64 -gfwyQ57YGIXuTdtoHNvy3LilcWjswgb1sQiu2rDIDqkaT7t3yEX+Ukbgdt7Ufx3q -QitwdJZ4ZuBtuJwjZTQDS0HnDVbl+KzrpvwI0EzQsBfLIBKhDENsQQ7BAEMU+r4s -L/zKHPCtQx5cUu7pJnnHCyAIwpMZ0o/Sj6SLu/ITAoGAbBGdSTq05lOdbYCeOLth -ybFU8h9Pqf1730sPHoiZDMzxDfOE6sH1LpWq/sbUKSPB1HVEZOdUArogArtUzLtl -XOmFeoOphos/G/Ycl7guvQr8UorEaZ2yMUoAp78idFT8iQoYu954lCmZX9GVHYvJ -vfohsrPRzABACjebzS+FWD0CgYEArt37YclUHVyAgkMxRyJ52WiK5LtUWx7rdnut -ZgXn7o1tp9O9Sj8RNqx4irDMgqg4QaqjM/zZeovSGF5nWADZloM/MpRVAi3NvqWU -mZS/OTW5eIR0BxFv0UfQVEVusrUAhCQMNum6z1asDuZkXdvuMlBqxtmD5ouI4Y/F -ZyxwzX8CgYEAjuuYnHXJWhRA8JPns8PZ4y6vfI3RUkj4sjBZAzxN3Zwn1FTnbKQf -ODG2HuOCXbvLe/3vqyItnHTx0yeIc1CE9Fz6MjLUcmTVuwdcIY2VprTok0SMIsea -oX240ucbS2rp3p1j/MZXXHQJtRzf1BzsylpdxShQzeb7M5g/XBlQqbU= +MIIEpgIBAAKCAQEA3jF3AyJuY3LkeU2zF5CPmhbnx5VOnxesKIurJ4bRvkp5r/+2 +7dAgV77dxHLO42AWY8+5sjSXgFOfj/bfdfUnAawwdnriPx2SHkyd1lZI1OuvJhaW +GsRi96c28Sh262qV08nZYU8td7Et3oq1GDwmBHKXliSVi2iVaHab/MzRk38b/iyo +ZrpR2gyXwvAu878fxHSYwsWb78/K5lOc9riMhWP9NkJYvIkxeTMgy3B+jw0y/YOO 
+J88a7BwuQLTZHoxw53zJUf7cC0LRJoVbPwjesUbZAsxYR/h5NJGjjXzeTOjez1EH +FAArXneNI/iWdOy54PxHJ3lZZLsxz2dCJoyC4QIDAQABAoIBAQC2/Zn8dODg+oB7 +/qfeYmpCB1dAIhEsKTzZ75034mrfA0sQzdMELIJWgZT28268CCioby2KPJIBV91z +nWgQJ6TGVd9b1Hx8aogqeAMNwOYepTQMdFGPHeo79/Thy+eUnqViVTy4TZMunjce +rrHSkcblptJ9DwgyViGmdPimzLBVfbLckFHVqP+jYJBFUaas2X8uNQlJYq1E958z +sPitlJnS3Nz0D/8YJ28gxtevjQuRhUbzNTBaV3/ig0t8fpsXEWqCikiPqXoya+Wg +8bey8tRtt2RRS2HnzlAGghnyKKx0cT5eiFIWcJ1FRCd7uNdB4/AVzosUxlCq/e2x +B6xBRTlZAoGBAOv/FwcE/BJOPZrXec0eHMufCw1R8/X/hMU0sult1fogyDpqe9GT +cgPfATm3FZ7P4/tUXoqHw5xDKxUQQeC91styFcQDN2YZvPRPb5v+8dZx+Y3oYj6k +Uw5ClDtTW/H4RY/0ozjZSJdnZL4/hrbwWB9xUUmZD72M0EwxdrdT+gL3AoGBAPEG +24Hqq5objyYF/Fz3PgrDcuZ8XRcK4NM7ONimp9sk4L6NJOPDOhI77DdIPX2LYdPz +WANj52/tk8ZPhmPgDq8zc59aGId29AYelZtB0srjkC3pTn10jm8RXBD2suar8IBr +fVt9821FqJu5ptasZbHjDaG0xHpv1XSJ6HkZH1rnAoGBAOdN7Fn67r1aZlMfosgC +HaMNzR1PF9giixVmo3zbJIC2JMnsmFM/Ot7EckUJR22SwRcTCF6q1nSP+Of6OTd3 +mdFpjh/CL0gpLeQe/3tcE9hleX03KSPQl39AjlzfRR0Sg8umsVwEy3tp4Xn+daFU +TGr0/AEwvhbAr2Aekwb4jfDdAoGBANnfMgMRBwdqDA758DJ1B+8g17dDCb7vhWVL +rkog87CjeEinO4ZrDg43foJGWdcnbEn0OUXvQ+CoaCEl97xGZ9+1abnM7kldnJ3/ +fYr3iD0AUW8+60V6W9pIXemzpune2Kqs/4b5plbLVetWeVqqQc74CHV4+vYWK2SJ +2MvGitJXAoGBANxUA/gbx4WWhiP6Majn69SVLbvimKfQqawt9p1tvEkuJWfgwnvO +lrOxGj68QfEPTsiIOgrb1XIOJENYjhWiGecPxVTs+Pe1+n2VLxPMnhcPteaj94FO +nMDrOnX2HPu4nCA9aR4Kvi84qfL1W9I2H30jAC4wzWbIhNkTwA5xE1MB -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-10.crt b/pkg/security/securitytest/test_certs/client.testuser@tenant-10.crt new file mode 100644 index 000000000000..1b2cd503fe21 --- /dev/null +++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-10.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgIQR12t05hguq4c9puVarEMjTANBgkqhkiG9w0BAQsFADAr +MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y +MjA0MTAyMDA0MzhaFw0yNzA0MTUyMDA0MzhaMCcxEjAQBgNVBAoTCUNvY2tyb2Fj +aDERMA8GA1UEAxMIdGVzdHVzZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDV5p7i/eqfWvfpaYItjcUNSpXyVRWjEKI0PIeOFFSkf5Zj1ReSEhoW1qbl +snn2UMsgeMCWt9nIF2/QiHPgOpvuEbBJpeWdSizMRVllLuxyeCMWG8DlIR1sLvIv +0VuN7ZDDfYg4nWjYL+vL0pfmlQr2Gaa5HRSW/W3tt1dbUsB7tJz4BFf0fSvw41oR +8gXwv/dPnw2XAVx12pdyU5FrZZc2nBYnjDrxNiw8/r2o6PJLQ6C7fCQ+N7W259QO +nV/j7K1F1arxHHiNaUNYLfVXOIAqsMXy8HsnLyfDC9cDFpQ6nhlL9x/PHMy2dnXH +nayAwS1xQdQ2MsK6whTqV5pYrVhPAgMBAAGjZTBjMA4GA1UdDwEB/wQEAwIFoDAT +BgNVHSUEDDAKBggrBgEFBQcDAjAfBgNVHSMEGDAWgBRCtHw65Qb7W4fB0RQKhZJA +c3WPzDAbBgNVHREEFDAShhBjcmRiOi8vdGVuYW50LzEwMA0GCSqGSIb3DQEBCwUA +A4IBAQAtBz44UEL1EMIkiU1rXhgXd46+gvAUC1tRPjCC+63jqYJ8hicyJOcSVVDM +pLB+VomX/MlmpfbKJo/1WSzpX67E4wyTaTjQrlpOsDU6H4280gSkPCnmXUYX61Cd +p9QH3hzKE+qcXqKCtZMXicSWDJFXS1fwHKmltY7uQ7nqBdjkZmEIjPT1Hi2f5Y6t +AdliKIX9FRo9oi868QWHdCCnUcxDwdOTjM4rTjI/jT+jLR35z0nSTGGXA7ha3TZO +v7NxhfWRFcmxwq8Pk6qj15XHmEBWe/Ggbjn3e58H3zA6mB6PHCa+9OuGVGTzHvHE +5Y3CzdgXRfM0TV839kN1AimN3XRx +-----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-10.key b/pkg/security/securitytest/test_certs/client.testuser@tenant-10.key new file mode 100644 index 000000000000..8daa4b0b2dfd --- /dev/null +++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-10.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1eae4v3qn1r36WmCLY3FDUqV8lUVoxCiNDyHjhRUpH+WY9UX +khIaFtam5bJ59lDLIHjAlrfZyBdv0Ihz4Dqb7hGwSaXlnUoszEVZZS7scngjFhvA +5SEdbC7yL9Fbje2Qw32IOJ1o2C/ry9KX5pUK9hmmuR0Ulv1t7bdXW1LAe7Sc+ARX +9H0r8ONaEfIF8L/3T58NlwFcddqXclORa2WXNpwWJ4w68TYsPP69qOjyS0Ogu3wk +Pje1tufUDp1f4+ytRdWq8Rx4jWlDWC31VziAKrDF8vB7Jy8nwwvXAxaUOp4ZS/cf +zxzMtnZ1x52sgMEtcUHUNjLCusIU6leaWK1YTwIDAQABAoIBAFG/tSO9tWi35J3B +ZC4yy4e75LjcCcvrdIKQS6JiZMMFvB1leH+sCWqHGPwajQA1epxrafdwRnxxcJt7 +OwYMgEGpYv2SuMG3co2TR4ojN9y7y3UMoFkxocQR4R+jXOFOVRBRrrksd8B/+BdK +4iEO/0R1I0IGOjNGojfC5VESvFvKRSm0xzEtzTemxoGAI044QpxHMzBrnxcbB+82 +a46rY+kPUOkwihaf7H9+gE5IV6lvfPFeXOGzkcRei8qNlQMijjFA7DOkUFzkp6eN +INDix/wcIrxpXDD+75MSyA6T7dlvD9JVGOC9goJcYz1IjeaqXHwFOrm1fcQtZrpV +t9Y8iJkCgYEA2/cP+7k9I2tKRnJ1qtYzZFtD/RcZThP1TEh0oHKlAD+PjGwizXx4 +NKpmph4uNNNade3ss02BN0pHdKYvTep2+ZV8sVFowrs90wjSs+j8vMGPaAUzUbCc +hRVwRRFrbjBYj5qUAqdzTm1ctrN/hOvw9SB0mT7fBE7KeCfYcKbu+DUCgYEA+PE8 +TjBDSie1u++hbbuH6kPitb4xoWFp//d9Lo0OchqyXtxmYQFj4Txm+RDUalB6PLYU +fie00BbKArG1jHFan6sVKm66m/XUbwz8IyA2S+kNbX/iix5/vdrprQ5bwmd50yVK +rIDLKHPlY7AMVoCvmprihdge8DskDaQLYUu8hvMCgYEAorBhCfU/2uqHzQLrNKeo +6xj1eEOVW8I3M2yDlgg1MbHRIjL4qrLc1VcTBNpdooSP65lF8HfqklJF92jSo/Y+ +eOqvhxaHPT/vwh5MePRhudoPjwgJpOnTWjs5BlyT8LOhTNUvk6b2CZOpdxfbwRwg +46xVkOKHYFBGQAh4dRmCteECgYEAmdH9sFZ0DasRyUmdVr+MkP1XZXNbGVum8snK +6Oux5GGIm8LV49THEZKQEhALIJIPpdngOb9xIy8hrZ5/DoOwOn6s+mYnGl1A4UmF +tnKd+jPL30ApDEtRJU/SGeOIYUws44HkbUi7v4g1Um6igQTM/Nv9YjSTkV8JvQAD +JCB3Im8CgYAeIy9INBvcFqVxRc2AFkc4c0YorQBxdVPMFb/CYOODvEsFgQezsk2J +wUvAgsxcdkfY0KKQ175wriJUCYBnSFkFPS+omKCLIIByhWQCC7za8sVYDZQbcqyz +hyAR2w4UiEBur6cPbiwz3EKk4+k+8tfakGB8Hf5MvDaJZk04BGsvNw== +-----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-11.crt b/pkg/security/securitytest/test_certs/client.testuser@tenant-11.crt new file mode 100644 index 000000000000..52af62372364 --- /dev/null 
+++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-11.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQjCCAiqgAwIBAgIRAJk9fleT4N9lYz+SMu1xYLswDQYJKoZIhvcNAQELBQAw +KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN +MjIwNDEwMjAwNDM4WhcNMjcwNDE1MjAwNDM4WjAnMRIwEAYDVQQKEwlDb2Nrcm9h +Y2gxETAPBgNVBAMTCHRlc3R1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuTbZpiOjj0qy75n/HICQwcI6+MJWbdXi7/T/hE+z9abjArLuNx+wFFHp +av5Q9Coh1iIjgRYILFbb+mhCwtbtFzYggIqgAmsx/A3OjJLHY3Wh5klkRhv386/h +rcvtuh7v0jd3va423hbhWdQHhuE/LQ8PhNxZNqObrwStOxGOwLW1bLlhkmpcA+l6 +sJr5KeZbuh43tYoJDy2gRtaP8CNqCD1UcjuvVCXSiqYoKvs0smAqxJLx3Dv33dvL +LOWbDNuX8tMlzKPpwbNcTOs8Y+uPnH79Y+BCr4RcE5dWFN/eOo84RndQNaYthPOe +p1TE49fUSRUH3kx09X4RPrqma36KowIDAQABo2UwYzAOBgNVHQ8BAf8EBAMCBaAw +EwYDVR0lBAwwCgYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUQrR8OuUG+1uHwdEUCoWS +QHN1j8wwGwYDVR0RBBQwEoYQY3JkYjovL3RlbmFudC8xMTANBgkqhkiG9w0BAQsF +AAOCAQEAQvL4RMipUEV7w/5d3PsPkte4r5+w6uvaCP8NjnRpaYME4LgU4zTpF8P+ +Yd3MDMWjo3RDhGwPncfu/VxiFxHh0MR8LcXt2IvIiLhsYj6ZqbTNUj3OTeQJ61Da +igl/1AiCGsEOoB484AGjmya6a5praGIt6z4vWRMUgggGbr8DFqfb0T2ZoHXJ/wmv +Erj9TvWbfuZaVbO9CI648SyN2F4IBErtW0CmDjOpTUb+0zKqVbkBY5xlXqCJNov1 +MlEQc5s+jtyA4E/0R6SuBYQ+rGJWLpExhk4T1c077ghg626cUIBTIPP30SVy16sW +LRU6W7UocMO1p9KThV3M+nRdpbuGkA== +-----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-11.key b/pkg/security/securitytest/test_certs/client.testuser@tenant-11.key new file mode 100644 index 000000000000..351ef28c86e9 --- /dev/null +++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-11.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuTbZpiOjj0qy75n/HICQwcI6+MJWbdXi7/T/hE+z9abjArLu +Nx+wFFHpav5Q9Coh1iIjgRYILFbb+mhCwtbtFzYggIqgAmsx/A3OjJLHY3Wh5klk +Rhv386/hrcvtuh7v0jd3va423hbhWdQHhuE/LQ8PhNxZNqObrwStOxGOwLW1bLlh +kmpcA+l6sJr5KeZbuh43tYoJDy2gRtaP8CNqCD1UcjuvVCXSiqYoKvs0smAqxJLx +3Dv33dvLLOWbDNuX8tMlzKPpwbNcTOs8Y+uPnH79Y+BCr4RcE5dWFN/eOo84RndQ +NaYthPOep1TE49fUSRUH3kx09X4RPrqma36KowIDAQABAoIBAAkwCl3ueKecCgJO +vlP4oLWr3+cFJOpv6MEEg0RZ+9BcxfgVTjHX1ZE8evq+wN9L07/ek6pMoH0qleD3 +GRC3Pq2fFr+poMRd8u3Q9YUNpuxtImndDCdaLdOdzvEjI5jO/hCMhdkX8krUEbu2 +A+WR+ONQUvHBSH+oYAmvjrRWa6FtjIFN5dMQukYptdOr/SxIuRA/hF73x/gxQpfe +Ke5wZrAmX2Xmf8fLzHi+n8FUbwO32cV3NicUQBQBA6xUcDrNe5G03vTwMYRbpcMC +vp36CN7hOAOPLLejjjEb/KNUOshA7yCVDi/8yMjSA6MPi1DZR00nvS595Hs+QXF0 +/H2a7oECgYEA48XbyDSmh49sbWOIo3WToMKAsHwOkvow3JwFp6lfbIaOcgI4ZCKi +mLKo6+qAvk+Qakj4oEQAplwzMk+HgJdfqU8uD6H1d3u2P1Najnj/IyL8EF97POqX +08dxEM56F7xy5v0UM7ybSprACi0RuclcMbfA2vtj1ly9TFu7d3dIu2MCgYEA0CrP +flwRXfPSBMQ6MSUsRoFzvp9x8COJf58aJ+8EeO9y6psEBw5EmkN39Z8JR1z+uV7w +47j1ORNUXYrprJc1qZCh9prhmEOI4EoU18DSh1VcRTqilE/3VXRfxjwDfiqpytQK +71k7VSBQrfwtR7TGvvXiDBw6rIYcc/WgJG8tN8ECgYBWj3jo6ulmlyDzqWHiDOrf +q0tQxrSbMq2jCUA06W80RSaZOTLJC0iTk0IS9fmbWY1edwDVl0JP9rYWJpcuTViz +dT3h/wDUOZWXF0xQ3LbJWaBFcKPbEKRGfYMAihdoMdvQ4NjumHzDq2/T7jDQVC/P +TS/jiKn2ayQdgrcJvbFMVQKBgQCoge8jD24zipp4p0uf2sKDdGj4ZuN5i5rTRzyK +FO6e4t44UTGqcH9SDMl/d7SwIvRDpDoFbQR8pkwFyNwtjN2wnFavZGK3ufuD7BQB +LqJ9ULj3hWZz/mNttl2M/6moKOr3ODx90dK4rwcAQAF7aTf0/t90BCnu3EUODUgM +Fj8ZQQKBgDIaqGj/nT3aUDXbel0gnCEbqj6CjWPY9s4V4REP2XAFCuU+z5HaVCeJ +NW/0/S9otEWhS2TLXk8vYdVrk3608zjEpjeN23TrKaWp8BupXElR4IZwjbE7YGjb +nEIc3VzHI8M7nUbfG120Z6gfddR54A3xktXcw6GLxsWdoOPptaX/ +-----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-20.crt b/pkg/security/securitytest/test_certs/client.testuser@tenant-20.crt new file mode 100644 index 000000000000..f1854373a9b7 --- /dev/null 
+++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-20.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgIQNDA7sb05Go8JF2cEbT5kKDANBgkqhkiG9w0BAQsFADAr +MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y +MjA0MTAyMDA0MzlaFw0yNzA0MTUyMDA0MzlaMCcxEjAQBgNVBAoTCUNvY2tyb2Fj +aDERMA8GA1UEAxMIdGVzdHVzZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC96hlu4JfE8+ABA4/rLcbA3HL6fPSPcdpeZQlXS6g+EQ9Bf2ObMSomJUBF +WmkBQKCppvi0IAK+V68FBAHhn820bfZY5vbR4Gfh0MGa0dyCF/mwEjti6l3D/qds +hGDUdWSRhGBizufxKFlaVRsyoJkD4QKpBSzm65a1vfGLSmtUp1CEPs8O40pILo7c +sU3l+qgWZ1vwBuNu9U6xs2L2hD6+S/sLNIJVwIcxE0IQAxVqC3771RxFrhZugjIS +S2pxyZCosYP4nOzsTSEoqCV2zMb+vCHEbrjdnf+SbSTE9L9vb/hYkBxSTPQstISy +mkgMDS/mS/P4yiJX3Mr63+zG0pc7AgMBAAGjZTBjMA4GA1UdDwEB/wQEAwIFoDAT +BgNVHSUEDDAKBggrBgEFBQcDAjAfBgNVHSMEGDAWgBRCtHw65Qb7W4fB0RQKhZJA +c3WPzDAbBgNVHREEFDAShhBjcmRiOi8vdGVuYW50LzIwMA0GCSqGSIb3DQEBCwUA +A4IBAQCBAK2CubNhP5wTNdod12w6vvFxz4hx+vnsKmryhVQtuDj15SmhYl5e21R0 +8RRNgC98o4VFWOZ+pSAMMqJ/LzJXb4dSlaPn08xk8y/lRYoLx7LKurQ8y5iu4tSj +voxqtIvYDPiRWIWm0MAUgCxH0jxfXazp2QzSusFgg5/1g3RjD8RACaOQDh+i9qrx +GJm8EV93E745AWnuB7Q52awax0ckFaFgAoMr51V9H4UtNTzkg1ISgLLJCvyBRJus +rAQWbGFEdoeU3YZ1Av/W2OxYvakjCdSqLrfZTOcTHZhOdCsLcIPVVo1Z+OR5VX83 +2dqEuJc/NNAPu6+nZolzvGMETwqy +-----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/client.testuser@tenant-20.key b/pkg/security/securitytest/test_certs/client.testuser@tenant-20.key new file mode 100644 index 000000000000..3d3d1f46d0ec --- /dev/null +++ b/pkg/security/securitytest/test_certs/client.testuser@tenant-20.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAveoZbuCXxPPgAQOP6y3GwNxy+nz0j3HaXmUJV0uoPhEPQX9j +mzEqJiVARVppAUCgqab4tCACvlevBQQB4Z/NtG32WOb20eBn4dDBmtHcghf5sBI7 +Yupdw/6nbIRg1HVkkYRgYs7n8ShZWlUbMqCZA+ECqQUs5uuWtb3xi0prVKdQhD7P +DuNKSC6O3LFN5fqoFmdb8AbjbvVOsbNi9oQ+vkv7CzSCVcCHMRNCEAMVagt++9Uc +Ra4WboIyEktqccmQqLGD+Jzs7E0hKKgldszG/rwhxG643Z3/km0kxPS/b2/4WJAc +Ukz0LLSEsppIDA0v5kvz+MoiV9zK+t/sxtKXOwIDAQABAoIBACQTMOuX7Bx0euuW +YqM42dVOyuR8EfShmuptZN3ZOEc59Fzrtt8G8su2LcQ+zU14mkw/tGR65CqF+3AH +d9gFBA0vCimPDfmGGBWUEwK2tJ1dsodYn0FF5bPSTrlVWBNjjUv7Clgal4J+uKJp +IjZ2vTo4Zsn2erYOsF0rjJN5+nNk1Q4kIGJWyB0/Ng2pim1L9JOQ5DTUAlL0tb9L +fAF4MOR+ESqMGwHOlyAtVFHrlbAZg8+KRbpXjZ7tB8hJm9Qmt0U7xMBou7A3yeUW +KrrEliGE6B35n8ErPsPUWkhwSprJjCXWyMD/rqWla9Pa0b2Uw+m7VJHpQS6qBTsn +NzE2yKECgYEA58BdwB4dNp8Vz2j8vLkaomYfr/x/yLBJMImfizYm667YYr7h0gYU +RZZKKDM73ALl6/ca7KRFlrRrZKEWZWkw+hEUl/oE4DT7Ll/RPkQ5KJh/61wZUsTb +GJJOwIem0FHkltBAhf+zqrt95/IeB6MXHG7v9LrxV+TD/9cCZF2kfIsCgYEA0ckZ +P6raYnX31uW9kn6mXRhS3PX4bdLdifkVkGAExNOMuyQtOv73xK8IGT2IiG+9AjoW +wlyjAQXaiSSZOaQWzQFfUA4HB/I/FsYfrrr9tcH9lRYQEBpNuwiG5R4jaDGsYyts +1mI35033JHKI7WKjQUr/fpF73FJAi7JntxUDNhECgYAFyBvOpjGuYiumIAVmI+wR +LyENP+xkMlmxF03eqDwyVwtY81Ao8DPjRIuXEygkJgJcb67BRpvh1aB0QzyOzSAG +rRRpcjha65d0oblTp1oRtDREx+ht0zFwHH5QeVHlEpX0WT+y2B1AXisW9UhggmYa +NH5SCbPpsHBfWprZrChlXwKBgAiShRua6a2YUHZRkPuJfVbUhZ5N1sb2FONscDsk +EU3RrzB+e/KrNIiu9k/BufCJUFnk8cUjb+28xX9RJYm7cMsTwUdOK29hsL5Hfkfv +kCp7MNeEvUdLK932rTxzjNLXJMownhPsk4g6IV016O56V111qRcM7tjD66tJsP9E +NothAoGAIez7YxtTAFaig/J7ftn9cII+yZFlzUQDn4E7c8DNw2kHH05O7GRHcLR+ +dffR5cE/VmXFMygXZ4YQ/9mDAe9TgBsvJpoK4XkiJn1T46Y49H01xbB8QS/1QNYk +S2SzKNtR0ORTq7286PjAtg9NoKfuelju4qO9TsDY9mm7MSEB5No= +-----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/node.crt b/pkg/security/securitytest/test_certs/node.crt index 2c513d3a0930..b1714197b1f3 100644 --- a/pkg/security/securitytest/test_certs/node.crt +++ b/pkg/security/securitytest/test_certs/node.crt 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDZDCCAkygAwIBAgIRAN83bo8ZydHRqc6pm2T0rIgwDQYJKoZIhvcNAQELBQAw -KzESMBAGA1UEChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcN -MjIwMTEwMTkwMTE5WhcNMjcwMTE1MTkwMTE5WjAjMRIwEAYDVQQKEwlDb2Nrcm9h -Y2gxDTALBgNVBAMTBG5vZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQC2ymvgVD1xJh7Gy8qNJrlVgM3TNezpnW5hbPa6NHEV0Asj4+hq2hEaDBsG1aUA -MA6B355uzeonlcSLffUogKi4vMCjHS6s/Nv5Nwo/JowtS9Af4udrnQN30R6dDJpU -NprHFv2BRCRnWmQWnq8ALsitB6svi4QJf9Q3qwCgoOTaZody57glus6ABZsmIsPg -BaTqKyzkif8GVVfZrGBJKp1vnl5R493RV7vP8t6tIZd/PW2uw90LTaVdqhjBYggm -jVy1pjklXOVX0XdQIdd588868Qd8TLzV8vvR26uPyKZ7rCQltCvf01N3fgo4aiz8 -4xZ9VAv82Oo0IEbFc+S1IENFAgMBAAGjgYowgYcwDgYDVR0PAQH/BAQDAgWgMB0G -A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBSLOS5j4Efj -xq9E1cSev80SL1y16jA1BgNVHREELjAsgglsb2NhbGhvc3SCByoubG9jYWyHBH8A -AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADggEBALuPAJKeSDhU -Vt3w3EeSlKnxL34WHxX8mOZzGkZAaZyBFUvFAdglVStLS4U3tKmtOH6b9vk41pbo -n8vW56aChzAoyJITEpeZriBXIPb48WIb2L039nHFW/dnXJrgV1EPk+7XdGvDBeqO -VgHqrfnLZO6wP/yMWa48tAa6PRH+x62VvjEd/fm6ZxKiy62jnhNV874kPhT4H/jE -vD790LHzzilpKp2Rjv18BbnwVu3wv93V5Ka9FXYwP7OMtMArRFQPKQBnAYyCxNAA -G5V042U1CbTLKM+xbJ7AL7ZhF1Aqn4c0x2EX08D4pF4of+9ubpSvrbjSEseZjrBx -txBzRZsA8rQ= +MIIDYzCCAkugAwIBAgIQNQoOmY9e9DvbaBekNM1gXTANBgkqhkiG9w0BAQsFADAr +MRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0y +MjA0MTAyMDA0MzZaFw0yNzA0MTUyMDA0MzZaMCMxEjAQBgNVBAoTCUNvY2tyb2Fj +aDENMAsGA1UEAxMEbm9kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMVKoR+nCmilfK7EzC23uoLsbSCcAaAW11fW+FcNZQSLCRmADj/AnhhzLPaAmOPT +RrVR8QFRXxHp4yBbdUQRBhsHZ1nUXc+B7F1btoD4p7R4MbflQmHrQzU9IawNQ1pS +CuY4SBOB1WO0WrKxdSpqRp3k7r85wspWtPFz+IqwE8m4sGlU/ZF4gUf8ahZvwp10 +mzSL41icFqz2h0yHwnzDEyhBd9I0z5b60Xe6p1mSk2SzlwXw09Om5AhD6BudPZUR +Z9GNdzLpVoKFRQJ/TE887M8AqS7NeDyqgF4cDhKwuSRwEF8LeHdP2t207PGjzRUW +LZUrY/yn69pYdhfy7Kzj1JECAwEAAaOBijCBhzAOBgNVHQ8BAf8EBAMCBaAwHQYD +VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFEK0fDrlBvtb 
+h8HRFAqFkkBzdY/MMDUGA1UdEQQuMCyCCWxvY2FsaG9zdIIHKi5sb2NhbIcEfwAA +AYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAKztJWZzj3aev +3eCT4a6FKlcke0lo71Tj5u62+QBHme8ClNEd9yG7xr3IWmwPesD3fYz/gfeb0CUT +73W6u9jp6uj+IL1BcMrXHkPd0lTSo8yDTOPQpiCNrIV4luIYc211fj7asANS4U2u +rMpUpKPfVvZ5x3TeYc3Xg+2hJmtKHWwVzdIcgW3UzhJqDdCfLPNJVpvsCGQNuWAc +HXdvk6vFdgMfM03CpjwG31dCNJnQV9e6PagzUEFt3UFOpkLo83rnYA5W7V3ZjH0e +nKhjQAbeIGb+BCr94HjogUgJflsrBSQk1R/ViwyZnCa1j5e6RyAvvuYwq0FI111H +tm/C1Lbbkw== -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/node.key b/pkg/security/securitytest/test_certs/node.key index c1a9595c7c52..79102e2b2478 100644 --- a/pkg/security/securitytest/test_certs/node.key +++ b/pkg/security/securitytest/test_certs/node.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAtspr4FQ9cSYexsvKjSa5VYDN0zXs6Z1uYWz2ujRxFdALI+Po -atoRGgwbBtWlADAOgd+ebs3qJ5XEi331KICouLzAox0urPzb+TcKPyaMLUvQH+Ln -a50Dd9EenQyaVDaaxxb9gUQkZ1pkFp6vAC7IrQerL4uECX/UN6sAoKDk2maHcue4 -JbrOgAWbJiLD4AWk6iss5In/BlVX2axgSSqdb55eUePd0Ve7z/LerSGXfz1trsPd -C02lXaoYwWIIJo1ctaY5JVzlV9F3UCHXefPPOvEHfEy81fL70durj8ime6wkJbQr -39NTd34KOGos/OMWfVQL/NjqNCBGxXPktSBDRQIDAQABAoIBADd9VahBCnHp55fj -z7Zv1f1d353JlgUJVLPgtzmpp9a+VFNt4WVmk6B7oky92Jwo+o50iw0KF5Yywfqy -nxTPkeia7EPYHQ5IqKKMEeE/23f4ttKnOCeT/7SE2C1G4SbFeNENaqGuRPrXFuFD -BM8iZKsaU95YFRopIwxPLh6VGUQvLha1/kP53aV8cKOiVCDN1L6KaVNn9vUW6Caf -mg5+fMW4u+CGEYWeI738EEkqjMaYsSCR08HLC3k0LW+kMidpvsPKOm5ZMEAMztX1 -yc8GAaFBq6nz5+BtNOG0Hocg4rXFy6+Tnil/NEaDnkpVPAMRpO5trGVTrNPL057k -WKSoZtUCgYEA6lwuyDui2Vrvk54UoK2nI0DwLeMNYl3ETNxfJYT/kW2n1uzT9sJ1 -5KjzTsSIuKdZYq+aqSi2qESUPcv/1GE/BrdQqh0AlKegAdY6lp9ej2LgGytkmFxI -3GPoS/ABpp8OHlH3q+fMmAgl0z4qWTwHWUvGpV8eQDdBzWUdUIgrM2sCgYEAx6s9 -GaGlxpkwWtXGkjqrVOPaYBgG6GIhnqNIkBBmwwUsYoALzBd+tERM2qPwIEkrtLdm -MNCNUlru4lV/AKCSB6LVR3tMaoKnd/0EA+pftkK/REH8aTw1QXPUxYGY/LawqXWA -2WjlUWw7ZNna3SfXgW+KWn6xE2E9jBBKIQYYwA8CgYAf6YWFRnmaV0OgOjpc1siX -iFQsK2q7JkGApdFe7olOaDwejAkg5MHg7RCUfTaQzljhkz/gIOceapg1Af5IESXf -6D5Xq7NUiq7DEUTRFcpug+w4RuRfytExEXmkPX48DhSCFG9BPUMiwJlF9oUVuZLW -mfbmtdkMrXmMWmRvfttDGQKBgGVfGfk+aYTn13X2nQc2xC+oMwGgkTlAQSNicP+7 -ZADVSpCDw/mNYCWzm3VR0CMEIy1wA3D7IRTT1/6PO5ic7Sb1U+Ujw0s8JDw19+jp -AEjvoF3ORpFDISKm5TqVLo/3TL/sSUuYBv0MvybXuFeZ177+WzbQpaRaNT48MvaL -OtufAoGAe7nk37VP/HZ/xqMYUYqdQ6Udn28WK6uVZQ1wG6pF4rUXjJ7qzQTzvYps -cLK50EQH/g1W59BU72dwHgOkC9pLzTr3n2bmL15zcW0LjZ6hob2b/f7yPYz1Euf2 -HMp85FpxKx5Jhs+mwxb0XGAkQj9iUc4GCInB7AkColQBaY921V0= +MIIEpQIBAAKCAQEAxUqhH6cKaKV8rsTMLbe6guxtIJwBoBbXV9b4Vw1lBIsJGYAO +P8CeGHMs9oCY49NGtVHxAVFfEenjIFt1RBEGGwdnWdRdz4HsXVu2gPintHgxt+VC +YetDNT0hrA1DWlIK5jhIE4HVY7RasrF1KmpGneTuvznCyla08XP4irATybiwaVT9 +kXiBR/xqFm/CnXSbNIvjWJwWrPaHTIfCfMMTKEF30jTPlvrRd7qnWZKTZLOXBfDT 
+06bkCEPoG509lRFn0Y13MulWgoVFAn9MTzzszwCpLs14PKqAXhwOErC5JHAQXwt4 +d0/a3bTs8aPNFRYtlStj/Kfr2lh2F/LsrOPUkQIDAQABAoIBAD/KP4qCcgUf7M59 +Zx8pFq8aTraKeqQOfpYyNZ3AAPeVFN4f33uRhgyVwOX68nRHbcdWtTwd2UVrgDqI +F8RoVLcMj8gluCdN9OTCsKHGxEK/0iOJhwsuDE78cxS0PSDJAikp7XQROLPCLsk0 +Q5PxRN/sk51UybyuiFbBjo0ZHWzNLzhOpN/v9hNaA4KZAEdCVRGU+hM/k9p543zJ +zSlhFVjybxXQ7ofZlciJJI21mvIq3pvMlgpuLKouYJlcGR3OZxYX4HAsXalNC9xR +EXTVpOTK8fx6d9WwL0OCbgEQES9/s+wwinzXHpgf4Cjiyfsq70H0AXBnYea/uqRv +eICjwAECgYEA4YDjYhUYumMIS6PYwlhCDv33GpirbxEXoW3RMK0DD446aN9rbOQe +FPQwytlOYMxeUYqrRljZRbLrdXNUxmW8d2uAk6/SQY2M7jNx5FzlyTLgnOaMtOMy +2Ruf6mv3wyRaSSEe5NW/AJ9R8kZqJLQ2Aj1MCifXM5lPS/Kv3e6gYpECgYEA3/kF +UlbjY5huLTpC4aEahsDo+Exske9CD4SGE4yNN08Hwjrc2y/UFzfBFVIQ6s+9VEjz +hgBSWmijfJdcavvrjmoS5hKa0SMiwQ7tJu1NI6D1qGbvBKJdbPvcsqZug4Y/cO9w +clGX3c4AfXNNVu19SrgrFUDujnnML60/CQohUgECgYEAubeCjQa+5NImxNTd8cDq +NpqmZbsShVhYU9SzkhkLCkaiiDhoqrd8ptktTgKF8GafzxwbTsZhumtOS95+FR84 +hkl9DSSiTuabCJpJ1D9F59wE7HNbsqXi/LcpjtD4rjhEOzIR1XjL42FTBetEA5J/ +YHzHIR4KuC4tBmmKuYaLhGECgYEAiTPQSb+GbpWLMNOW8wcw68mzLaALhl6OFll1 +lPYt7+rO8vICJ5emEk8KThhG2sFF1yMVY0pBKLcfJ4zFhZgrlcNvLlfJVUJz4NZW ++ti1v5SzyGS+GRWpq8CiUyJXYuTTakiTlsRbBvpSHIeMoiq77RDi+5MaUFdWeQJl +MhFtlgECgYEA0D/yAYS6gKz2dT7+3n/mC+1ZSkCKFM7M7Kx+HnBz3+RZ8o/O5cHm +AxigiWGxKisWWxhq06z/CsnDa19tQVWhyOi2fMh09Y/Kgfp2JLNOizTSo4liaVpd +JtVj+v8wf9Unu74EKRqKs42hRY7B0zxdgaRl77oJ2t1PBHvUK+X4+b8= -----END RSA PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/regenerate.sh b/pkg/security/securitytest/test_certs/regenerate.sh index 06936c49b49e..4377b44a618d 100755 --- a/pkg/security/securitytest/test_certs/regenerate.sh +++ b/pkg/security/securitytest/test_certs/regenerate.sh 
@@ -14,6 +14,7 @@ rm -f "${dir_n}"/*.{crt,key} for id in 10 11 20; do ./cockroach mt cert --certs-dir="${dir_n}" --ca-key="${dir_n}/ca-client-tenant.key" create-tenant-client "${id}" 127.0.0.1 ::1 localhost *.local ./cockroach mt cert --certs-dir="${dir_n}" create-tenant-signing "${id}" +./cockroach cert --certs-dir="${dir_n}" --ca-key="${dir_n}/ca.key" --tenant-scope "${id}" create-client testuser done make generate PKG=./pkg/security/securitytest diff --git a/pkg/security/securitytest/test_certs/tenant-signing.10.crt b/pkg/security/securitytest/test_certs/tenant-signing.10.crt index 58fa08c455a0..a2c4e821f312 100644 --- a/pkg/security/securitytest/test_certs/tenant-signing.10.crt +++ b/pkg/security/securitytest/test_certs/tenant-signing.10.crt @@ -1,9 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIBJjCB2aADAgECAhEAwYXboWr0rlxwzYhqt/W0FDAFBgMrZXAwKzESMBAGA1UE -ChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcNMjIwMTEwMTkw -MTIxWhcNMjcwMTE1MTkwMTIxWjArMRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNV -BAMTDENvY2tyb2FjaCBDQTAqMAUGAytlcAMhAF0oSVEnZtHsrEsPTaVLsqP+N1s7 -QJFlo+i8Yk0ewtTSoxIwEDAOBgNVHQ8BAf8EBAMCBaAwBQYDK2VwA0EAoUoP7SQF -OXPyWEsDcxXxIG7MRDhVV90R7AYUTjOv7OB7foyTtxCXfTZCi9PLL5JQ92qKCgz/ -MB/5DKB+KudkDA== +MIIBKjCB3aADAgECAgEBMAUGAytlcDAuMSwwKgYDVQQDEyNUZW5hbnQgMTAgVG9r +ZW4gU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMjA0MTAyMDA0MzhaFw0yNzA0MTUy +MDA0MzhaMC4xLDAqBgNVBAMTI1RlbmFudCAxMCBUb2tlbiBTaWduaW5nIENlcnRp +ZmljYXRlMCowBQYDK2VwAyEA8YctiQALuxqPOg4PwRE5j2IrCmmGWjNpu68xpzhm +4/yjIDAeMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMAUGAytlcANBALyh +VZSA3sPxDoUeYvhA9q6LVUXvwY/s6tKorT1nJ51RoK77NvyJwJSkeXeqxq0qKQPl +t72c5TK9HjklhLLWcAw= -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/tenant-signing.10.key b/pkg/security/securitytest/test_certs/tenant-signing.10.key index 6b3d066ac488..f32ea2026044 100644 --- a/pkg/security/securitytest/test_certs/tenant-signing.10.key +++ b/pkg/security/securitytest/test_certs/tenant-signing.10.key 
@@ -1,3 +1,3 @@ -----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIFAgC7O1AQOgd49BJJGHO3PezuEGV5OeG7DnoLiaPE5L +MC4CAQAwBQYDK2VwBCIEIFkIdOrjPpLcIOtoQkAtdPdSw8mFS8QSQAJ/QQQoBgxY -----END PRIVATE KEY----- diff --git a/pkg/security/securitytest/test_certs/tenant-signing.11.crt b/pkg/security/securitytest/test_certs/tenant-signing.11.crt index cd3be4714e4a..68d6c0f59bb3 100644 --- a/pkg/security/securitytest/test_certs/tenant-signing.11.crt +++ b/pkg/security/securitytest/test_certs/tenant-signing.11.crt @@ -1,9 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIBJTCB2KADAgECAhBqyjNPz4jSnANHz/6OIzgaMAUGAytlcDArMRIwEAYDVQQK -EwlDb2Nrcm9hY2gxFTATBgNVBAMTDENvY2tyb2FjaCBDQTAeFw0yMjAxMTAxOTAx -MjFaFw0yNzAxMTUxOTAxMjFaMCsxEjAQBgNVBAoTCUNvY2tyb2FjaDEVMBMGA1UE -AxMMQ29ja3JvYWNoIENBMCowBQYDK2VwAyEA6LLJUILUOGqH/GBtYwC/5SeDYwbw -xjrJUeaZA2l9Ia+jEjAQMA4GA1UdDwEB/wQEAwIFoDAFBgMrZXADQQDNiES6JpRA -R5S6h/6Pz/MOT4uS7eZ91JY/YJoaaw2t4+QvBXqm+y57t3DBf2EGUK3SHmdFgHPi -etrC0zm+bSgM +MIIBKjCB3aADAgECAgEBMAUGAytlcDAuMSwwKgYDVQQDEyNUZW5hbnQgMTEgVG9r +ZW4gU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMjA0MTAyMDA0MzhaFw0yNzA0MTUy +MDA0MzhaMC4xLDAqBgNVBAMTI1RlbmFudCAxMSBUb2tlbiBTaWduaW5nIENlcnRp +ZmljYXRlMCowBQYDK2VwAyEAfW4dxH9rfcK4SERSpPb7NrHkowYa7ETmqYFTCQcr +VVOjIDAeMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMAUGAytlcANBABU8 +q3orNXzlE9LvHxr9Zr+KV9/yWIw9PeuyKw7uXbyPV4eeCTylOxsEPAfWRLGLgQ/e +CCRQmueLDnsGxrVEGA0= -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/tenant-signing.11.key b/pkg/security/securitytest/test_certs/tenant-signing.11.key index a11bf6881898..d27dc47d0921 100644 --- a/pkg/security/securitytest/test_certs/tenant-signing.11.key +++ b/pkg/security/securitytest/test_certs/tenant-signing.11.key @@ -1,3 +1,3 @@ -----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEILAan5LFiNxCE40Ac7oGWUS1nQuBcYHY28bJu0booQI0 +MC4CAQAwBQYDK2VwBCIEIAni2hU0+rqRi0zFCblwsJH7Pwjv4Ldhukbo6NP1HhBz -----END PRIVATE KEY----- 
diff --git a/pkg/security/securitytest/test_certs/tenant-signing.20.crt b/pkg/security/securitytest/test_certs/tenant-signing.20.crt index c4c88f3e056b..9a5d4953fdc9 100644 --- a/pkg/security/securitytest/test_certs/tenant-signing.20.crt +++ b/pkg/security/securitytest/test_certs/tenant-signing.20.crt @@ -1,9 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIBJjCB2aADAgECAhEAuH7vVx4nwdKhJsaZRGuirDAFBgMrZXAwKzESMBAGA1UE -ChMJQ29ja3JvYWNoMRUwEwYDVQQDEwxDb2Nrcm9hY2ggQ0EwHhcNMjIwMTEwMTkw -MTIxWhcNMjcwMTE1MTkwMTIxWjArMRIwEAYDVQQKEwlDb2Nrcm9hY2gxFTATBgNV -BAMTDENvY2tyb2FjaCBDQTAqMAUGAytlcAMhABI/EmtjPSxifwP8zHg09u59Ai2v -pMbQ1R0Tf4mwZMw1oxIwEDAOBgNVHQ8BAf8EBAMCBaAwBQYDK2VwA0EAhGkpAAeX -R92VWUazcfN+Dq9IX8PJ8fxgb3KU+JuK652uog1rwM4/NK7RfMtlIH3dQ8/GMBpR -SUCl7JGgrI+LDQ== +MIIBKjCB3aADAgECAgEBMAUGAytlcDAuMSwwKgYDVQQDEyNUZW5hbnQgMjAgVG9r +ZW4gU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMjA0MTAyMDA0MzlaFw0yNzA0MTUy +MDA0MzlaMC4xLDAqBgNVBAMTI1RlbmFudCAyMCBUb2tlbiBTaWduaW5nIENlcnRp +ZmljYXRlMCowBQYDK2VwAyEAsVrI/TDf0D/Fe+h1k4NRqPde3Qwec2/VBYsIMHlO ++9yjIDAeMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMAUGAytlcANBAHRW +77cSMghfk3qBppHDECqjCF/GIqL/9mHLvzaZWcahjXm1G9ep2oJsdBHwfEoqi/1C +AgfvdKXUZCSECBzyZw8= -----END CERTIFICATE----- diff --git a/pkg/security/securitytest/test_certs/tenant-signing.20.key b/pkg/security/securitytest/test_certs/tenant-signing.20.key index 767343a82f92..98b3fd7c1f7a 100644 --- a/pkg/security/securitytest/test_certs/tenant-signing.20.key +++ b/pkg/security/securitytest/test_certs/tenant-signing.20.key @@ -1,3 +1,3 @@ -----BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIHPb1nVztKWqTGLk22FoU23W8e9q469cYQd/CPZuKaWS +MC4CAQAwBQYDK2VwBCIEICaAPXx2U72309PpKIQySgdF71B9g/Aocm8S5GC7BD+b -----END PRIVATE KEY----- diff --git a/pkg/security/x509.go b/pkg/security/x509.go index b530298d6f65..7d0fa67119e6 100644 --- a/pkg/security/x509.go +++ b/pkg/security/x509.go @@ -18,6 +18,7 @@ import ( "fmt" "math/big" "net" + "net/url" "time" "github.com/cockroachdb/cockroach/pkg/util/timeutil" 
@@ -247,6 +248,7 @@ func GenerateClientCert(
 clientPublicKey crypto.PublicKey,
 lifetime time.Duration,
 user SQLUsername,
+ tenantID string,
 ) ([]byte, error) {
 // TODO(marc): should we add extra checks?
@@ -268,7 +270,14 @@ func GenerateClientCert(
 // Set client-specific fields.
 // Client authentication only.
 template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
-
+ if tenantID != "" {
+ var url *url.URL
+ url, err := makeTenantURISAN(tenantID)
+ if err != nil {
+ return nil, err
+ }
+ template.URIs = append(template.URIs, url)
+ }
 certBytes, err := x509.CreateCertificate(rand.Reader, template, caCert, clientPublicKey, caPrivateKey)
 if err != nil {
 return nil, err
@@ -308,3 +317,7 @@ func GenerateTenantSigningCert(
 return certBytes, nil
 }
+
+func makeTenantURISAN(tenantID string) (*url.URL, error) {
+ return url.Parse(fmt.Sprintf("crdb://tenant/%s", tenantID))
+}
diff --git a/pkg/security/x509_test.go b/pkg/security/x509_test.go
index a03a2abefc02..580c3d9fa16b 100644
--- a/pkg/security/x509_test.go
+++ b/pkg/security/x509_test.go
@@ -86,14 +86,14 @@ func TestGenerateCertLifetime(t *testing.T) {
 // Create a Client certificate expiring in 4 days. Should get reduced to the CA lifetime.
 clientDuration := time.Hour * 96
- _, err = security.GenerateClientCert(caCert, testKey, testKey.Public(), clientDuration, security.TestUserName())
+ _, err = security.GenerateClientCert(caCert, testKey, testKey.Public(), clientDuration, security.TestUserName(), "" /* tenantID */)
 if !testutils.IsError(err, "CA lifetime is .*, shorter than the requested .*") {
 t.Fatal(err)
 }
 // Try again, but expiring before the CA cert.
 clientDuration = time.Hour * 24
- clientBytes, err := security.GenerateClientCert(caCert, testKey, testKey.Public(), clientDuration, security.TestUserName())
+ clientBytes, err := security.GenerateClientCert(caCert, testKey, testKey.Public(), clientDuration, security.TestUserName(), "" /* tenantID */)
 if err != nil {
 t.Fatal(err)
 }
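Review bot: In the `if tenantID != ""` block, `var url *url.URL` is redundant and shadows the `net/url` package for the rest of the block; the following `url, err := makeTenantURISAN(tenantID)` compiles only because `err` is new in that scope, and shadow linters will flag it. Drop the `var` line and use a name that does not collide with the import: `tenantURI, err := makeTenantURISAN(tenantID)` and `template.URIs = append(template.URIs, tenantURI)`. The parameter added in the hunk at -247 should also be covered by GenerateClientCert's doc comment, e.g. `// tenantID, when non-empty, restricts the certificate to that tenant via a crdb://tenant/<id> URI SAN; "" issues an unscoped certificate.` GenerateClientCert starts and ends outside the hunk.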
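Review bot: makeTenantURISAN accepts any string, so a scope such as `10/extra` or `10?x=1` still parses and is embedded as a URI SAN that does not name a single tenant; since this SAN is presumably what the server-side hook compares against, rejecting malformed ids at issuance is cheaper than debugging a certificate that never matches. A check before the parse suffices, `if _, err := strconv.ParseUint(tenantID, 10, 64); err != nil { return nil, fmt.Errorf("invalid tenant ID %q: %w", tenantID, err) }` (strconv would need importing; fmt is already there). The function also lacks a doc comment; `// makeTenantURISAN builds the crdb://tenant/<id> URI SAN that scopes a client certificate to one tenant.`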
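Review bot: Both call sites only pass `"" /* tenantID */`, so nothing in this test exercises the new URI-SAN branch of GenerateClientCert; a case that passes a tenant id, parses the returned DER and asserts `cert.URIs` holds exactly `crdb://tenant/<id>` (and that the empty-id certificate has no URIs) would pin the behaviour the new `client.testuser@tenant-*` fixtures depend on. TestGenerateCertLifetime's body continues outside the hunk.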
diff --git a/pkg/sql/pgwire/auth_methods.go b/pkg/sql/pgwire/auth_methods.go
index 7d5efdd0ddad..b5ddc2d4998c 100644
--- a/pkg/sql/pgwire/auth_methods.go
+++ b/pkg/sql/pgwire/auth_methods.go
@@ -408,7 +408,7 @@ func authCert(
 _ context.Context,
 _ AuthConn,
 tlsState tls.ConnectionState,
- _ *sql.ExecutorConfig,
+ execCfg *sql.ExecutorConfig,
 hbaEntry *hba.Entry,
 identMap *identmap.Conf,
 ) (*AuthBehaviors, error) {
@@ -427,7 +427,7 @@ func authCert(
 tlsState.PeerCertificates[0].Subject.CommonName = tree.Name(
 tlsState.PeerCertificates[0].Subject.CommonName,
 ).Normalize()
- hook, err := security.UserAuthCertHook(false /*insecure*/, &tlsState)
+ hook, err := security.UserAuthCertHook(false /*insecure*/, &tlsState, execCfg.RPCContext.TenantID)
 if err != nil {
 return err
 }
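Review bot: `execCfg.RPCContext.TenantID` dereferences a parameter that was ignored until this change, so any caller (tests especially) that passed nil for the `*sql.ExecutorConfig` now panics inside the auth hook instead of failing authentication with an error; if such callers exist, guard it, e.g. `if execCfg == nil { return errors.New("executor config required for certificate auth") }` using the file's error package, or document the non-nil precondition on authCert. A one-line comment at the call site would also help readers, if this is indeed the hook's contract: `// Pass this server's tenant so the hook can reject certificates scoped to a different tenant.` authCert starts and ends outside the hunk.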