Add option allowed_domains_template enabling identity templating for issuing PKI certs #8509
Conversation
andrejvanderzee
changed the title
|
@jefferai Any chance merging the long-awaited closure of security hole of spoofing CNs in issuing x509 certificates? |
|
Hi! Thanks for submitting this pull request. I notice there are some test failures that appear related: Happy to take a closer look after the tests are passing. |
|
@andrejvanderzee , thank you for non stoping decision in implementation this features. As I've counted it's third PR and I hope the last one. =) Could you please provide status info, if you have time to finish it, so we all can finally use this must-have feature? Thanks again for you work. |
|
@qk4l Thanks, let me fix the comments today. |
|
Hi @qk4l and @tyrannosaurus-becks I have pushed fixes for the failing test. Now |
andrejvanderzee
changed the title
|
Minimized the PR and pushed again... |
|
Hi @qk4l and @tyrannosaurus-becks any update on this MR? |
|
Thank you for working on this feature, it is clearly in high demand. We're sorry it took so long to come to a consensus internally on how to proceed, but we finally have. As you may be aware, there are currently 2 open PRs trying to implement identity templating for PKI, of which yours is one: #7216 and #8509. It would be great if you would coordinate amongst yourselves to see who has the time and inclination to move forward with the proposal. The proposal:
Other requirements:
Not a strict requirement but a suggestion: limit the PR to |
|
@ncabatoff Sorry for the delay it was a busy time for me. Today I was ably to implement the requirements that you have sent in your last post. Please let me know if something is still missing or not according to standards. Thank you. |
|
Hi @ncabatoff @qk4l @tyrannosaurus-becks |
…issuing PKI certs.
|
@ncabatoff I have added the two testcases and resolved the conversation. |
|
Thanks again for the PR and your patience. |
|
Thank you all, this PR has grown a long beard ;-) |
|
I've noticed that this regex force to use only one pure variable. Additional domain suffices or other variables is not allowed. Is it a feature or bug? What do you think? |
Yes I think that makes sense. Its easy to add a testcase for your suggestion. I can implement it this week or if you have time you could add it, either way fine with me! |
|
I'm so happy that this feature is merged!! Thanks so much to everyone that worked on this! |
I did it in #9498 |
…issuing PKI certs. (#8509) (#9748) Co-authored-by: Andrej van der Zee <[email protected]>
…domains #8509 (#9498) (#9749) Co-authored-by: Artem Alexandrov <[email protected]>
* master: Add a section to the MySQL secrets plugin docs about x509 (#9757) Update documentation for MySQL Secrets Engine (#9671) Conditionally overwrite TLS parameters for MySQL secrets engine (#9729) Correctly mark Cassandra as not supporting static roles (#9750) changelog++ pki: Allow to use not only one variable during templating in allowed_domains #8509 (#9498) agent/templates: update consul-template to v0.25.1 (#9626) Restoring the example policies for blocking sha1 (#9677) changelog++ changelog++ Document the new SSH signing algorithm option. (#9197) CHANGELOG-+ CHANGELOG++ Trail of bits 018 (#9674)
Enables identity templating for the allowed_uri_sans field in PKI cert roles. Implemented as suggested in hashicorp#8509
* Add allowed_uri_sans_template Enables identity templating for the allowed_uri_sans field in PKI cert roles. Implemented as suggested in #8509 * changelog++ * Update docs with URI SAN templating
* Add allowed_uri_sans_template Enables identity templating for the allowed_uri_sans field in PKI cert roles. Implemented as suggested in hashicorp#8509 * changelog++ * Update docs with URI SAN templating
Implementation of identity templating when issuing a PKI cert using the exported sdk/framework merged in #8088
Duplicate of #6558
Similar to #7548