agent/connect: support SpiffeIDSigning
This commit is contained in:
Mitchell Hashimoto
parent
da1bc48372
commit
8934f00d03
|
|
@ -53,18 +53,15 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
|
|||
}
|
||||
|
||||
// The URI (SPIFFE compatible) for the cert
|
||||
uri, err := url.Parse(fmt.Sprintf("spiffe://%s.consul", testClusterID))
|
||||
if err != nil {
|
||||
t.Fatalf("error parsing CA URI: %s", err)
|
||||
}
|
||||
id := &SpiffeIDSigning{ClusterID: testClusterID, Domain: "consul"}
|
||||
|
||||
// Create the CA cert
|
||||
template := x509.Certificate{
|
||||
SerialNumber: sn,
|
||||
Subject: pkix.Name{CommonName: result.Name},
|
||||
URIs: []*url.URL{uri},
|
||||
URIs: []*url.URL{id.URI()},
|
||||
PermittedDNSDomainsCritical: true,
|
||||
PermittedDNSDomains: []string{uri.Hostname()},
|
||||
PermittedDNSDomains: []string{id.URI().Hostname()},
|
||||
BasicConstraintsValid: true,
|
||||
KeyUsage: x509.KeyUsageCertSign |
|
||||
x509.KeyUsageCRLSign |
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ import (
|
|||
"fmt"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// CertURI represents a Connect-valid URI value for a TLS certificate.
|
||||
|
|
@ -38,6 +39,17 @@ func ParseCertURI(input *url.URL) (CertURI, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
// Test for signing ID
|
||||
if input.Path == "" {
|
||||
idx := strings.Index(input.Host, ".")
|
||||
if idx > 0 {
|
||||
return &SpiffeIDSigning{
|
||||
ClusterID: input.Host[:idx],
|
||||
Domain: input.Host[idx+1:],
|
||||
}, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("SPIFFE ID is not in the expected format")
|
||||
}
|
||||
|
||||
|
|
@ -58,3 +70,18 @@ func (id *SpiffeIDService) URI() *url.URL {
|
|||
id.Namespace, id.Datacenter, id.Service)
|
||||
return &result
|
||||
}
|
||||
|
||||
// SpiffeIDSigning is the structure to represent the SPIFFE ID for a
|
||||
// signing certificate (not a leaf service).
|
||||
type SpiffeIDSigning struct {
|
||||
ClusterID string // Unique cluster ID
|
||||
Domain string // The domain, usually "consul"
|
||||
}
|
||||
|
||||
// URI returns the *url.URL for this SPIFFE ID.
|
||||
func (id *SpiffeIDSigning) URI() *url.URL {
|
||||
var result url.URL
|
||||
result.Scheme = "spiffe"
|
||||
result.Host = fmt.Sprintf("%s.%s", id.ClusterID, id.Domain)
|
||||
return &result
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,6 +33,16 @@ var testCertURICases = []struct {
|
|||
},
|
||||
"",
|
||||
},
|
||||
|
||||
{
|
||||
"signing ID",
|
||||
"spiffe://1234.consul",
|
||||
&SpiffeIDSigning{
|
||||
ClusterID: "1234",
|
||||
Domain: "consul",
|
||||
},
|
||||
"",
|
||||
},
|
||||
}
|
||||
|
||||
func TestParseCertURI(t *testing.T) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue