2018-03-26 00:39:18 +00:00
|
|
|
package connect
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/url"
|
2018-05-09 13:25:48 +00:00
|
|
|
"strings"
|
2018-03-26 00:39:18 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// SpiffeIDSigning is the structure to represent the SPIFFE ID for a
|
|
|
|
|
// signing certificate (not a leaf service).
|
|
|
|
|
type SpiffeIDSigning struct {
|
|
|
|
|
ClusterID string // Unique cluster ID
|
|
|
|
|
Domain string // The domain, usually "consul"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// URI returns the *url.URL for this SPIFFE ID.
|
2021-06-25 21:47:47 +00:00
|
|
|
func (id SpiffeIDSigning) URI() *url.URL {
|
2018-03-26 00:39:18 +00:00
|
|
|
var result url.URL
|
|
|
|
|
result.Scheme = "spiffe"
|
2018-05-09 13:25:48 +00:00
|
|
|
result.Host = id.Host()
|
2018-03-26 00:39:18 +00:00
|
|
|
return &result
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-09 13:25:48 +00:00
|
|
|
// Host is the canonical representation as a DNS-compatible hostname.
|
2021-06-25 21:47:47 +00:00
|
|
|
func (id SpiffeIDSigning) Host() string {
|
2018-05-09 13:25:48 +00:00
|
|
|
return strings.ToLower(fmt.Sprintf("%s.%s", id.ClusterID, id.Domain))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CanSign takes any CertURI and returns whether or not this signing entity is
|
|
|
|
|
// allowed to sign CSRs for that entity (i.e. represents the trust domain for
|
|
|
|
|
// that entity).
|
|
|
|
|
//
|
2019-03-06 17:13:28 +00:00
|
|
|
// I choose to make this a fixed centralized method here for now rather than a
|
2018-05-09 13:25:48 +00:00
|
|
|
// method on CertURI interface since we don't intend this to be extensible
|
|
|
|
|
// outside and it's easier to reason about the security properties when they are
|
2020-05-29 18:19:16 +00:00
|
|
|
// all in one place with "allowlist" semantics.
|
2021-06-25 21:47:47 +00:00
|
|
|
func (id SpiffeIDSigning) CanSign(cu CertURI) bool {
|
2018-05-09 13:25:48 +00:00
|
|
|
switch other := cu.(type) {
|
|
|
|
|
case *SpiffeIDSigning:
|
|
|
|
|
// We can only sign other CA certificates for the same trust domain. Note
|
|
|
|
|
// that we could open this up later for example to support external
|
|
|
|
|
// federation of roots and cross-signing external roots that have different
|
|
|
|
|
// URI structure but it's simpler to start off restrictive.
|
2018-09-13 02:52:24 +00:00
|
|
|
return id.URI().String() == other.URI().String()
|
2018-05-09 13:25:48 +00:00
|
|
|
case *SpiffeIDService:
|
|
|
|
|
// The host component of the service must be an exact match for now under
|
|
|
|
|
// ascii case folding (since hostnames are case-insensitive). Later we might
|
|
|
|
|
// worry about Unicode domains if we start allowing customisation beyond the
|
|
|
|
|
// built-in cluster ids.
|
|
|
|
|
return strings.ToLower(other.Host) == id.Host()
|
|
|
|
|
default:
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-08 13:23:44 +00:00
|
|
|
// SpiffeIDSigningForCluster returns the SPIFFE signing identifier (trust
|
2018-05-09 16:15:29 +00:00
|
|
|
// domain) representation of the given CA config. If config is nil this function
|
|
|
|
|
// will panic.
|
2018-05-08 13:23:44 +00:00
|
|
|
//
|
|
|
|
|
// NOTE(banks): we intentionally fix the tld `.consul` for now rather than tie
|
|
|
|
|
// this to the `domain` config used for DNS because changing DNS domain can't
|
|
|
|
|
// break all certificate validation. That does mean that DNS prefix might not
|
|
|
|
|
// match the identity URIs and so the trust domain might not actually resolve
|
|
|
|
|
// which we would like but don't actually need.
|
2021-11-05 22:20:24 +00:00
|
|
|
func SpiffeIDSigningForCluster(clusterID string) *SpiffeIDSigning {
|
|
|
|
|
return &SpiffeIDSigning{ClusterID: clusterID, Domain: "consul"}
|
2018-05-08 13:23:44 +00:00
|
|
|
}
|
