Fix 1.8 regression preventing email addresses being used as common name within pki certificates (#12336) (#12716)
* Fix 1.8 regression preventing email addresses from being used as a common name within pki certs (#12336) * Add changelog
This commit is contained in:
parent
a3796997d9
commit
fa57ba0ccf
@ -330,7 +330,9 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
|
||||||
// is enabled
|
// is enabled
|
||||||
if data.role.AllowBareDomains &&
|
if data.role.AllowBareDomains &&
|
||||||
(strings.EqualFold(sanitizedName, currDomain) ||
|
(strings.EqualFold(sanitizedName, currDomain) ||
|
||||||
(isEmail && strings.EqualFold(emailDomain, currDomain))) {
|
(isEmail && strings.EqualFold(emailDomain, currDomain)) ||
|
||||||
|
// Handle the use case of AllowedDomain being an email address
|
||||||
|
(isEmail && strings.EqualFold(name, currDomain))) {
|
||||||
valid = true
|
valid = true
|
||||||
break
|
break
|
||||||
}
|
}
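Review bot: The new third operand of the `if` compares the raw `name` against `currDomain`, whereas the two operands beside it compare `sanitizedName` and `emailDomain`; this hunk does not show whether `name` and `sanitizedName` can differ for an email-shaped input, and if they can, the exact-address match accepts a value the sanitized comparisons were written to normalise first. Because this clause widens what `AllowBareDomains` admits, a comment stating the intended contract would help the next reader, e.g. `// An AllowedDomain may itself be a full email address; accept it only on an exact (case-insensitive) match of the whole address.` The widening should also be pinned by a rejecting test (AllowBareDomains false, or a different local part at the same domain), since the cases added in this commit only assert acceptance. validateNames starts and ends outside the hunk.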
|
||||||
@ -164,7 +164,8 @@ func TestPki_PermitFQDNs(t *testing.T) {
|
||||||
|
|
||||||
cases := map[string]struct {
|
cases := map[string]struct {
|
||||||
input *inputBundle
|
input *inputBundle
|
||||||
expected []string
|
expectedDnsNames []string
|
||||||
|
expectedEmails []string
|
||||||
}{
|
}{
|
||||||
"base valid case": {
|
"base valid case": {
|
||||||
input: &inputBundle{
|
input: &inputBundle{
|
||||||
|
@ -181,7 +182,8 @@ func TestPki_PermitFQDNs(t *testing.T) {
|
||||||
EnforceHostnames: true,
|
EnforceHostnames: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expected: []string{"example.com."},
|
expectedDnsNames: []string{"example.com."},
|
||||||
|
expectedEmails: []string{},
|
||||||
},
|
},
|
||||||
"case insensitivity validation": {
|
"case insensitivity validation": {
|
||||||
input: &inputBundle{
|
input: &inputBundle{
|
||||||
|
@ -199,20 +201,65 @@ func TestPki_PermitFQDNs(t *testing.T) {
|
||||||
MaxTTL: 3600,
|
MaxTTL: 3600,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expected: []string{"Example.Net", "eXaMPLe.COM"},
|
expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"},
|
||||||
|
expectedEmails: []string{},
|
||||||
|
},
|
||||||
|
"case email as AllowedDomain with bare domains": {
|
||||||
|
input: &inputBundle{
|
||||||
|
apiData: &framework.FieldData{
|
||||||
|
Schema: fields,
|
||||||
|
Raw: map[string]interface{}{
|
||||||
|
"common_name": "test@testemail.com",
|
||||||
|
"ttl": 3600,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
role: &roleEntry{
|
||||||
|
AllowedDomains: []string{"test@testemail.com"},
|
||||||
|
AllowBareDomains: true,
|
||||||
|
MaxTTL: 3600,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectedDnsNames: []string{},
|
||||||
|
expectedEmails: []string{"test@testemail.com"},
|
||||||
|
},
|
||||||
|
"case email common name with bare domains": {
|
||||||
|
input: &inputBundle{
|
||||||
|
apiData: &framework.FieldData{
|
||||||
|
Schema: fields,
|
||||||
|
Raw: map[string]interface{}{
|
||||||
|
"common_name": "test@testemail.com",
|
||||||
|
"ttl": 3600,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
role: &roleEntry{
|
||||||
|
AllowedDomains: []string{"testemail.com"},
|
||||||
|
AllowBareDomains: true,
|
||||||
|
MaxTTL: 3600,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectedDnsNames: []string{},
|
||||||
|
expectedEmails: []string{"test@testemail.com"},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, testCase := range cases {
|
for name, testCase := range cases {
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
cb, err := generateCreationBundle(&b, testCase.input, nil, nil)
|
cb, err := generateCreationBundle(&b, testCase.input, nil, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Error: %v", err)
|
t.Fatalf("Error: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
actual := cb.Params.DNSNames
|
actualDnsNames := cb.Params.DNSNames
|
||||||
|
|
||||||
if !reflect.DeepEqual(testCase.expected, actual) {
|
if !reflect.DeepEqual(testCase.expectedDnsNames, actualDnsNames) {
|
||||||
t.Fatalf("Expected %v, got %v", testCase.expected, actual)
|
t.Fatalf("Expected dns names %v, got %v", testCase.expectedDnsNames, actualDnsNames)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
actualEmails := cb.Params.EmailAddresses
|
||||||
|
|
||||||
|
if !reflect.DeepEqual(testCase.expectedEmails, actualEmails) {
|
||||||
|
t.Fatalf("Expected email addresses %v, got %v", testCase.expectedEmails, actualEmails)
|
||||||
|
}
|
||||||
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
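--- /dev/null
+++ b/changelog/12716.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+pki: Fix regression preventing email addresses being used as a common name within certificates
+```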