Merge pull request #555 from hashicorp/toggleable-hostname-enforcement

Allow enforcement of hostnames to be toggleable for certificates.
2015-08-21 19:23:09 -07:00 · 2015-08-21 19:23:09 -07:00 · f7845234b4
parent 5695d57ba0 41b85a1c83
commit f7845234b4
3 changed files with 21 additions and 2 deletions
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@ -277,6 +277,7 @@ func generateRoleSteps(t *testing.T) []logicaltest.TestStep {
 		Wildcard          bool `structs:"*.example.com"`
 		Subdomain         bool `structs:"foo.bar.example.com"`
 		SubdomainWildcard bool `structs:"*.bar.example.com"`
+		NonHostname       bool `structs:"daɪˈɛrɨsɨs"`
 		AnyHost           bool `structs:"porkslap.beer"`
 	}

@ -356,8 +357,13 @@ func generateRoleSteps(t *testing.T) []logicaltest.TestStep {
 		addCnTests()

 		roleVals.AllowAnyName = true
+		roleVals.EnforceHostnames = true
 		commonNames.AnyHost = true
 		addCnTests()
+
+		roleVals.EnforceHostnames = false
+		commonNames.NonHostname = true
+		addCnTests()
 	}

 	// IP SAN tests
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@ -117,9 +117,13 @@ func validateCommonNames(req *logical.Request, commonNames []string, role *roleE
 			sanitizedName = name[2:]
 			isWildcard = true
 		}
-		if !hostnameRegex.MatchString(sanitizedName) {
-			return name, nil
+
+		if role.EnforceHostnames {
+			if !hostnameRegex.MatchString(sanitizedName) {
+				return name, nil
+			}
 		}
+
 		if role.AllowAnyName {
 			continue
 		}
--- a/builtin/logical/pki/path_roles.go
+++ b/builtin/logical/pki/path_roles.go
@ -74,6 +74,13 @@ any CN they like. See the documentation for more
 information.`,
 			},

+			"enforce_hostnames": &framework.FieldSchema{
+				Type:    framework.TypeBool,
+				Default: false,
+				Description: `If set, only valid host names are allowed for
+CN and SANs.`,
+			},
+
 			"allow_ip_sans": &framework.FieldSchema{
 				Type:    framework.TypeBool,
 				Default: true,
@ -185,6 +192,7 @@ func (b *backend) pathRoleCreate(
 		AllowTokenDisplayName: data.Get("allow_token_displayname").(bool),
 		AllowSubdomains:       data.Get("allow_subdomains").(bool),
 		AllowAnyName:          data.Get("allow_any_name").(bool),
+		EnforceHostnames:      data.Get("enforce_hostnames").(bool),
 		AllowIPSANs:           data.Get("allow_ip_sans").(bool),
 		ServerFlag:            data.Get("server_flag").(bool),
 		ClientFlag:            data.Get("client_flag").(bool),
@ -259,6 +267,7 @@ type roleEntry struct {
 	AllowTokenDisplayName bool   `json:"allow_token_displayname" structs:"allow_token_displayname" mapstructure:"allow_token_displayname"`
 	AllowSubdomains       bool   `json:"allow_subdomains" structs:"allow_subdomains" mapstructure:"allow_subdomains"`
 	AllowAnyName          bool   `json:"allow_any_name" structs:"allow_any_name" mapstructure:"allow_any_name"`
+	EnforceHostnames      bool   `json:"enforce_hostnames" structs:"enforce_hostnames" mapstructure:"enforce_hostnames"`
 	AllowIPSANs           bool   `json:"allow_ip_sans" structs:"allow_ip_sans" mapstructure:"allow_ip_sans"`
 	ServerFlag            bool   `json:"server_flag" structs:"server_flag" mapstructure:"server_flag"`
 	ClientFlag            bool   `json:"client_flag" structs:"client_flag" mapstructure:"client_flag"`