From 52cb8234a66f048536f95da1f7864f0e497e1eb4 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Fri, 25 May 2018 10:39:23 -0400 Subject: [PATCH] Changelogify and fix some minor website bits --- CHANGELOG.md | 2 + website/source/api/auth/cert/index.html.md | 43 +++++++++++----------- 2 files changed, 23 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b406d7f7..fac6031aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,8 @@ IMPROVEMENTS: * api: Close renewer's doneCh when the renewer is stopped, so that programs expecting a final value through doneCh behave correctly [GH-4472] + * auth/cert: Break out `allowed_names` into component parts and add + `allowed_uri_sans` [GH-4231] * cli: `vault login` now supports a `-no-print` flag to suppress printing token information but still allow storing into the token helper [GH-4454] * core/pkcs11 (enterprise): Add support for CKM_AES_CBS_PAD, CKM_RSA_PKCS, and diff --git a/website/source/api/auth/cert/index.html.md b/website/source/api/auth/cert/index.html.md index a189997b8..655a89521 100644 --- a/website/source/api/auth/cert/index.html.md +++ b/website/source/api/auth/cert/index.html.md 
@@ -29,39 +29,38 @@ Sets a CA cert and associated parameters in a role name. - `name` `(string: )` - The name of the certificate role. - `certificate` `(string: )` - The PEM-format CA certificate. -- `allowed_names` `(string: "")` - Constrain the Common and Alternative Names in - the client certificate with a [globbed pattern] +- `allowed_names` `(string: "")` - DEPRECATED: Please use the individual + `allowed_X_sans` parameters instead. Constrain the Common and Alternative + Names in the client certificate with a [globbed pattern] (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is a comma-separated list of patterns. Authentication requires at least one Name matching at least one pattern. If not set, defaults to allowing all names. - Note: This parameter is deprecated please use individual parameters - allowed_common_names, allowed_dns_sans, allowed_email_sans, allowed_uri_sans, - required_extensions -- `allowed_common_names` `(string: "")` - Constrain the Common Names in - the client certificate with a [globbed pattern] +- `allowed_common_names` `(string: "" or array: [])` - Constrain the Common + Names in the client certificate with a [globbed pattern] (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is a comma-separated list of patterns. Authentication requires at least one Name matching at least one pattern. If not set, defaults to allowing all names. -- `allowed_dns_sans` `(string: "")` - Constrain the Alternative Names in - the client certificate with a [globbed pattern] +- `allowed_dns_sans` `(string: "" or array: [])` - Constrain the Alternative + Names in the client certificate with a [globbed pattern] (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is a comma-separated list of patterns. Authentication requires at least one DNS matching at least one pattern. If not set, defaults to allowing all dns. 
-- `allowed_email_sans` `(string: "")` - Constrain the Alternative Names in - the client certificate with a [globbed pattern] +- `allowed_email_sans` `(string: "" or array: [])` - Constrain the Alternative + Names in the client certificate with a [globbed pattern] (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is - a comma-separated list of patterns. Authentication requires at least one Email - matching at least one pattern. If not set, defaults to allowing all emails. -- `allowed_uri_sans` `(string: "")` - Constrain the Alternative Names in - the client certificate with a [globbed pattern] + a comma-separated list of patterns. Authentication requires at least one + Email matching at least one pattern. If not set, defaults to allowing all + emails. +- `allowed_uri_sans` `(string: "" or array: [])` - Constrain the Alternative + Names in the client certificate with a [globbed pattern] (https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is - a comma-separated list of URI patterns. Authentication requires at least one URI - matching at least one pattern. If not set, defaults to allowing all URIs. -- `required_extensions` `(string: "" or array:[])` - Require specific Custom - Extension OIDs to exist and match the pattern. Value is a comma separated - string or array of `oid:value`. Expects the extension value to be some type - of ASN1 encoded string. All conditions _must_ be met. Supports globbing on - `value`. + a comma-separated list of URI patterns. Authentication requires at least one + URI matching at least one pattern. If not set, defaults to allowing all URIs. +- `required_extensions` `(string: "" or array: [])` - Require specific Custom + Extension OIDs to exist and match the pattern. Value is a comma separated + string or array of `oid:value`. Expects the extension value to be some type + of ASN1 encoded string. All conditions _must_ be met. Supports globbing on + `value`. 
- `policies` `(string: "")` - A comma-separated list of policies to set on tokens issued when authenticating against this CA certificate. - `display_name` `(string: "")` - The `display_name` to set on tokens issued
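Review bot: the CHANGELOG entry for the auth/cert hunk records the breakout and the new `allowed_uri_sans` but not that `allowed_names` is now deprecated, which is the part operators need to act on; since the docs hunk in the same patch prefixes the parameter with "DEPRECATED", mirror that in the entry, e.g. "Break out `allowed_names` (now deprecated) into component parts and add `allowed_uri_sans` [GH-4231]".

Review bot: in the cert docs hunk the new deprecation text points readers at "the individual `allowed_X_sans` parameters", but `allowed_common_names` does not match that pattern and the removed note named it explicitly, so the replacement loses information; suggest "Please use `allowed_common_names` and the individual `allowed_*_sans` parameters instead". In the same hunk the three SAN entries all open with the identical "Constrain the Alternative Names in the client certificate", so only the second sentence tells the reader which SAN type each one checks; naming the type up front ("Constrain the DNS / email / URI Subject Alternative Names ...") would read better and also fix the lowercase "all dns". Finally, the hunk does not say how `allowed_names` combines with the new parameters when a role sets both (whether every set constraint must be satisfied or any one suffices); a one-line statement of that precedence belongs beside the deprecation notice, since roles migrated in place will have both for a while.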