pki: Allow to use not only one variable during templating in allowed_domains #8509 (#9498)

This commit is contained in:
Artem Alexandrov 2020-08-17 21:37:00 +03:00 committed by GitHub
parent e3fcb4c5b9
commit 301ea4c0f0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 3 deletions

View file

@ -2797,7 +2797,8 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
// Write role PKI.
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
"allowed_domains": []string{"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}"},
"allowed_domains": []string{"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}",
"foo.{{identity.entity.aliases." + userpassAccessor + ".name}}.example.com"},
"allowed_domains_template": true,
"allow_bare_domains": true,
})
@ -2824,6 +2825,12 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
t.Fatal("expected error")
}
// Issue certificate for foo.userpassname.domain.
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foo.userpassname.example.com"})
if err != nil {
t.Fatal("expected error")
}
// Set allowed_domains_template to false.
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
"allowed_domains_template": false,

View file

@ -315,8 +315,8 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
}
if data.role.AllowedDomainsTemplate {
matched, _ := regexp.MatchString(`^{{.+?}}$`, currDomain)
if matched && data.req.EntityID != "" {
isTemplate, _ := framework.ValidateIdentityTemplate(currDomain)
if isTemplate && data.req.EntityID != "" {
tmpCurrDomain, err := framework.PopulateIdentityTemplate(currDomain, data.req.EntityID, b.System())
if err != nil {
continue