agent/connect: support SpiffeIDSigning
This commit is contained in:
parent
da1bc48372
commit
8934f00d03
|
@ -53,18 +53,15 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
|
||||||
}
|
}
|
||||||
|
|
||||||
// The URI (SPIFFE compatible) for the cert
|
// The URI (SPIFFE compatible) for the cert
|
||||||
uri, err := url.Parse(fmt.Sprintf("spiffe://%s.consul", testClusterID))
|
id := &SpiffeIDSigning{ClusterID: testClusterID, Domain: "consul"}
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("error parsing CA URI: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Create the CA cert
|
// Create the CA cert
|
||||||
template := x509.Certificate{
|
template := x509.Certificate{
|
||||||
SerialNumber: sn,
|
SerialNumber: sn,
|
||||||
Subject: pkix.Name{CommonName: result.Name},
|
Subject: pkix.Name{CommonName: result.Name},
|
||||||
URIs: []*url.URL{uri},
|
URIs: []*url.URL{id.URI()},
|
||||||
PermittedDNSDomainsCritical: true,
|
PermittedDNSDomainsCritical: true,
|
||||||
PermittedDNSDomains: []string{uri.Hostname()},
|
PermittedDNSDomains: []string{id.URI().Hostname()},
|
||||||
BasicConstraintsValid: true,
|
BasicConstraintsValid: true,
|
||||||
KeyUsage: x509.KeyUsageCertSign |
|
KeyUsage: x509.KeyUsageCertSign |
|
||||||
x509.KeyUsageCRLSign |
|
x509.KeyUsageCRLSign |
|
||||||
|
|
|
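Review bot: `id.URI()` is called twice in the certificate template, once on the URIs line and again on the PermittedDNSDomains line, building two separate url.URL values for the same ID; hoisting it into a local keeps one value and reads closer to the `uri` variable the hunk removes: `uri := id.URI()`, `URIs: []*url.URL{uri},`, `PermittedDNSDomains: []string{uri.Hostname()},`. Note also that a critical PermittedDNSDomains constraint only restricts dNSName SANs; URI SANs such as the SPIFFE IDs this CA signs are governed by PermittedURIDomains in crypto/x509, so this constraint presumably does not limit which SPIFFE URIs leaf certificates under the test CA can carry, which is worth confirming as intended. TestCA's body starts and ends outside the hunk.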
@ -4,6 +4,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/url"
|
"net/url"
|
||||||
"regexp"
|
"regexp"
|
||||||
|
"strings"
|
||||||
)
|
)
|
||||||
|
|
||||||
// CertURI represents a Connect-valid URI value for a TLS certificate.
|
// CertURI represents a Connect-valid URI value for a TLS certificate.
|
||||||
|
@ -38,6 +39,17 @@ func ParseCertURI(input *url.URL) (CertURI, error) {
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Test for signing ID
|
||||||
|
if input.Path == "" {
|
||||||
|
idx := strings.Index(input.Host, ".")
|
||||||
|
if idx > 0 {
|
||||||
|
return &SpiffeIDSigning{
|
||||||
|
ClusterID: input.Host[:idx],
|
||||||
|
Domain: input.Host[idx+1:],
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return nil, fmt.Errorf("SPIFFE ID is not in the expected format")
|
return nil, fmt.Errorf("SPIFFE ID is not in the expected format")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -58,3 +70,18 @@ func (id *SpiffeIDService) URI() *url.URL {
|
||||||
id.Namespace, id.Datacenter, id.Service)
|
id.Namespace, id.Datacenter, id.Service)
|
||||||
return &result
|
return &result
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SpiffeIDSigning is the structure to represent the SPIFFE ID for a
|
||||||
|
// signing certificate (not a leaf service).
|
||||||
|
type SpiffeIDSigning struct {
|
||||||
|
ClusterID string // Unique cluster ID
|
||||||
|
Domain string // The domain, usually "consul"
|
||||||
|
}
|
||||||
|
|
||||||
|
// URI returns the *url.URL for this SPIFFE ID.
|
||||||
|
func (id *SpiffeIDSigning) URI() *url.URL {
|
||||||
|
var result url.URL
|
||||||
|
result.Scheme = "spiffe"
|
||||||
|
result.Host = fmt.Sprintf("%s.%s", id.ClusterID, id.Domain)
|
||||||
|
return &result
|
||||||
|
}
|
||||||
|
|
|
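Review bot: The signing-ID branch added to ParseCertURI accepts a host whose only dot is its last character, because `idx > 0` only rules out a leading dot; `spiffe://1234.` yields ClusterID "1234" and an empty Domain instead of the format error returned just below. It also slices `input.Host`, which still carries any `:port` suffix, so a port would end up inside Domain. Both can be handled at the index check: `host := input.Host`, `idx := strings.Index(host, ".")`, `if idx > 0 && idx < len(host)-1 && !strings.Contains(host, ":") {` (or `input.Hostname()` in place of `input.Host` if a port should be tolerated rather than rejected). Whether the scheme is verified before this point is outside the hunk, as is the start of ParseCertURI. The SpiffeIDSigning.URI method in the next hunk formats ClusterID and Domain without validation, so an empty Domain round-trips to a host with a trailing dot.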
@ -33,6 +33,16 @@ var testCertURICases = []struct {
|
||||||
},
|
},
|
||||||
"",
|
"",
|
||||||
},
|
},
|
||||||
|
|
||||||
|
{
|
||||||
|
"signing ID",
|
||||||
|
"spiffe://1234.consul",
|
||||||
|
&SpiffeIDSigning{
|
||||||
|
ClusterID: "1234",
|
||||||
|
Domain: "consul",
|
||||||
|
},
|
||||||
|
"",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestParseCertURI(t *testing.T) {
|
func TestParseCertURI(t *testing.T) {
|
||||||
|
|
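Review bot: The new table entry covers only the accepted form `spiffe://1234.consul`; nothing pins what ParseCertURI does with near-miss signing IDs such as a host without a dot, a host with a trailing dot (`spiffe://1234.`), or one with a path, which should presumably all fall through to the `SPIFFE ID is not in the expected format` error. One negative entry in the same shape, e.g. `{"signing ID with empty domain", "spiffe://1234.", nil, "not in the expected format"}`, would document that boundary, assuming the last field is the expected error substring as the empty strings in the existing entries suggest. As the parser is committed, the trailing-dot case is accepted with an empty Domain, so such an entry would fail until the parser's index check is tightened. testCertURICases begins outside the hunk.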