Fix 1.8 regression preventing email addresses being used as common name within pki certificates (#12336) (#12716)

* Fix 1.8 regression preventing email addresses from being used as the common name within PKI certs (#12336)

* Add changelog
This commit is contained in:
Steven Clark 2021-10-04 14:02:47 -04:00 committed by GitHub
parent a3796997d9
commit fa57ba0ccf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 65 additions and 13 deletions


@ -330,7 +330,9 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
// is enabled // is enabled
if data.role.AllowBareDomains && if data.role.AllowBareDomains &&
(strings.EqualFold(sanitizedName, currDomain) || (strings.EqualFold(sanitizedName, currDomain) ||
(isEmail && strings.EqualFold(emailDomain, currDomain))) { (isEmail && strings.EqualFold(emailDomain, currDomain)) ||
// Handle the use case of AllowedDomain being an email address
(isEmail && strings.EqualFold(name, currDomain))) {
valid = true valid = true
break break
} }
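Review bot: The new disjunct on the last two lines of the condition folds case across the whole address with `strings.EqualFold(name, currDomain)`, so an `allowed_domains` entry of `admin@example.com` also authorizes a certificate for `ADMIN@example.com`; the existing EqualFold calls compare DNS labels, which are case-insensitive by definition, whereas RFC 5321 leaves the case of the local part to the receiving mail system, so this match is wider than what the role literally lists. If folding the local part is intended, the comment above the line should say so, e.g. `// An allowed_domains entry containing '@' matches only that exact address, compared case-insensitively including the local part.`; otherwise split both sides on '@' and compare the local parts exactly and the domain parts with EqualFold. The comparison also uses `name` rather than the `sanitizedName` used by the neighbouring disjunct, presumably because the sanitized form has had the local part removed for emails — worth a word in the same comment so the asymmetry is not "fixed" later. validateNames begins and ends outside this hunk.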


@ -164,7 +164,8 @@ func TestPki_PermitFQDNs(t *testing.T) {
cases := map[string]struct { cases := map[string]struct {
input *inputBundle input *inputBundle
expected []string expectedDnsNames []string
expectedEmails []string
}{ }{
"base valid case": { "base valid case": {
input: &inputBundle{ input: &inputBundle{
@ -181,7 +182,8 @@ func TestPki_PermitFQDNs(t *testing.T) {
EnforceHostnames: true, EnforceHostnames: true,
}, },
}, },
expected: []string{"example.com."}, expectedDnsNames: []string{"example.com."},
expectedEmails: []string{},
}, },
"case insensitivity validation": { "case insensitivity validation": {
input: &inputBundle{ input: &inputBundle{
@ -199,20 +201,65 @@ func TestPki_PermitFQDNs(t *testing.T) {
MaxTTL: 3600, MaxTTL: 3600,
}, },
}, },
expected: []string{"Example.Net", "eXaMPLe.COM"}, expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"},
expectedEmails: []string{},
},
"case email as AllowedDomain with bare domains": {
input: &inputBundle{
apiData: &framework.FieldData{
Schema: fields,
Raw: map[string]interface{}{
"common_name": "test@testemail.com",
"ttl": 3600,
},
},
role: &roleEntry{
AllowedDomains: []string{"test@testemail.com"},
AllowBareDomains: true,
MaxTTL: 3600,
},
},
expectedDnsNames: []string{},
expectedEmails: []string{"test@testemail.com"},
},
"case email common name with bare domains": {
input: &inputBundle{
apiData: &framework.FieldData{
Schema: fields,
Raw: map[string]interface{}{
"common_name": "test@testemail.com",
"ttl": 3600,
},
},
role: &roleEntry{
AllowedDomains: []string{"testemail.com"},
AllowBareDomains: true,
MaxTTL: 3600,
},
},
expectedDnsNames: []string{},
expectedEmails: []string{"test@testemail.com"},
}, },
} }
for _, testCase := range cases { for name, testCase := range cases {
cb, err := generateCreationBundle(&b, testCase.input, nil, nil) t.Run(name, func(t *testing.T) {
if err != nil { cb, err := generateCreationBundle(&b, testCase.input, nil, nil)
t.Fatalf("Error: %v", err) if err != nil {
} t.Fatalf("Error: %v", err)
}
actual := cb.Params.DNSNames actualDnsNames := cb.Params.DNSNames
if !reflect.DeepEqual(testCase.expected, actual) { if !reflect.DeepEqual(testCase.expectedDnsNames, actualDnsNames) {
t.Fatalf("Expected %v, got %v", testCase.expected, actual) t.Fatalf("Expected dns names %v, got %v", testCase.expectedDnsNames, actualDnsNames)
} }
actualEmails := cb.Params.EmailAddresses
if !reflect.DeepEqual(testCase.expectedEmails, actualEmails) {
t.Fatalf("Expected email addresses %v, got %v", testCase.expectedEmails, actualEmails)
}
})
} }
} }

3
changelog/12716.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
pki: Fix regression preventing email addresses being used as a common name within certificates
```