diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 52f0a33e0..b129fc283 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -330,7 +330,9 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
 // is enabled
 if data.role.AllowBareDomains &&
 (strings.EqualFold(sanitizedName, currDomain) ||
- (isEmail && strings.EqualFold(emailDomain, currDomain))) {
+ (isEmail && strings.EqualFold(emailDomain, currDomain)) ||
+ // Handle the use case of AllowedDomain being an email address
+ (isEmail && strings.EqualFold(name, currDomain))) {
 valid = true
 break
 }
diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
index b1f815d1a..d27cb7d6d 100644
--- a/builtin/logical/pki/cert_util_test.go
+++ b/builtin/logical/pki/cert_util_test.go
@@ -164,7 +164,8 @@ func TestPki_PermitFQDNs(t *testing.T) {
 cases := map[string]struct {
 input *inputBundle
- expected []string
+ expectedDnsNames []string
+ expectedEmails []string
 }{
 "base valid case": {
 input: &inputBundle{
@@ -181,7 +182,8 @@ func TestPki_PermitFQDNs(t *testing.T) {
 EnforceHostnames: true,
 },
 },
- expected: []string{"example.com."},
+ expectedDnsNames: []string{"example.com."},
+ expectedEmails: []string{},
 },
 "case insensitivity validation": {
 input: &inputBundle{
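Review bot: The added branch compares `name` against `currDomain`, while the two branches beside it compare `sanitizedName` and `emailDomain`, so a reader now sees three different name variables in one condition with no explanation of why the whole, presumably pre-sanitization, name is the right operand here; the one-line comment should carry that reasoning, e.g. `// AllowedDomains may itself be a full email address: accept only an exact (case-insensitive) match of the whole name, still gated on AllowBareDomains like the branches above.` Because this widens the accept set of a name-authorization check, the role documentation should state that listing an exact address in allowed_domains requires allow_bare_domains and that a differing local part is still refused. validateNames and the declarations of name, sanitizedName, emailDomain and isEmail lie outside the hunk.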
@@ -199,20 +201,65 @@ func TestPki_PermitFQDNs(t *testing.T) {
 MaxTTL: 3600,
 },
 },
- expected: []string{"Example.Net", "eXaMPLe.COM"},
+ expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"},
+ expectedEmails: []string{},
+ },
+ "case email as AllowedDomain with bare domains": {
+ input: &inputBundle{
+ apiData: &framework.FieldData{
+ Schema: fields,
+ Raw: map[string]interface{}{
+ "common_name": "test@testemail.com",
+ "ttl": 3600,
+ },
+ },
+ role: &roleEntry{
+ AllowedDomains: []string{"test@testemail.com"},
+ AllowBareDomains: true,
+ MaxTTL: 3600,
+ },
+ },
+ expectedDnsNames: []string{},
+ expectedEmails: []string{"test@testemail.com"},
+ },
+ "case email common name with bare domains": {
+ input: &inputBundle{
+ apiData: &framework.FieldData{
+ Schema: fields,
+ Raw: map[string]interface{}{
+ "common_name": "test@testemail.com",
+ "ttl": 3600,
+ },
+ },
+ role: &roleEntry{
+ AllowedDomains: []string{"testemail.com"},
+ AllowBareDomains: true,
+ MaxTTL: 3600,
+ },
+ },
+ expectedDnsNames: []string{},
+ expectedEmails: []string{"test@testemail.com"},
 },
 }
 
- for _, testCase := range cases {
- cb, err := generateCreationBundle(&b, testCase.input, nil, nil)
- if err != nil {
- t.Fatalf("Error: %v", err)
- }
+ for name, testCase := range cases {
+ t.Run(name, func(t *testing.T) {
+ cb, err := generateCreationBundle(&b, testCase.input, nil, nil)
+ if err != nil {
+ t.Fatalf("Error: %v", err)
+ }
 
- actual := cb.Params.DNSNames
+ actualDnsNames := cb.Params.DNSNames
 
- if !reflect.DeepEqual(testCase.expected, actual) {
- t.Fatalf("Expected %v, got %v", testCase.expected, actual)
- }
+ if !reflect.DeepEqual(testCase.expectedDnsNames, actualDnsNames) {
+ t.Fatalf("Expected dns names %v, got %v", testCase.expectedDnsNames, actualDnsNames)
+ }
+
+ actualEmails := cb.Params.EmailAddresses
+
+ if !reflect.DeepEqual(testCase.expectedEmails, actualEmails) {
+ t.Fatalf("Expected email addresses %v, got %v", testCase.expectedEmails, actualEmails)
+ }
+ })
 }
 }
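Review bot: Both new cases exercise only the accepting path of a check whose accept set the companion cert_util.go change widens; the table should also pin the refusing side — an email common name whose domain and exact address are both absent from AllowedDomains, and the email-as-AllowedDomain case with AllowBareDomains left false — and, assuming generateCreationBundle surfaces the validateNames rejection as an error as the existing `if err != nil` check suggests, assert that the error is non-nil, which needs an `expectErr bool` field on the table struct declared in this file's first hunk and an early return in the loop. The empty expectations `[]string{}` pass under reflect.DeepEqual only while cb.Params.DNSNames and EmailAddresses are non-nil empty slices; if the production code ever leaves them nil these cases fail for a reason unrelated to names, so `len(actual) == 0` is the clearer assertion when the expectation is empty. Minor: Go's initialism convention would make these `expectedDNSNames`/`actualDNSNames`. TestPki_PermitFQDNs begins before this hunk.
```go
	cases := map[string]struct {
		input            *inputBundle
		expectedDnsNames []string
		expectedEmails   []string
		expectErr        bool
	}{
		// … unchanged: existing cases …
		"case email common name outside AllowedDomains is refused": {
			input: &inputBundle{
				apiData: &framework.FieldData{
					Schema: fields,
					Raw: map[string]interface{}{
						"common_name": "test@testemail.com",
						"ttl":         3600,
					},
				},
				role: &roleEntry{
					AllowedDomains:   []string{"other.example"}, // constructed fixture: neither the domain nor the address is listed
					AllowBareDomains: true,
					MaxTTL:           3600,
				},
			},
			expectErr: true,
		},
	}

	for name, testCase := range cases {
		t.Run(name, func(t *testing.T) {
			cb, err := generateCreationBundle(&b, testCase.input, nil, nil)
			if testCase.expectErr {
				if err == nil {
					t.Fatalf("expected name validation to refuse common name %q", testCase.input.apiData.Raw["common_name"])
				}
				return
			}
			if err != nil {
				t.Fatalf("Error: %v", err)
			}
			// … unchanged: DNS name and email address comparisons …
		})
	}
```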
diff --git a/changelog/12716.txt b/changelog/12716.txt
new file mode 100644
index 000000000..9a41d313c
--- /dev/null
+++ b/changelog/12716.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+pki: Fix regression preventing email addresses being used as a common name within certificates
+```