forked from TrueCloudLab/certificates
Merge pull request #260 from anxolerd/feat-force-cn-if-empty
[Feature] Force CommonName for certificates from ACME provisioner
This commit is contained in:
commit
ba91f4ed13
5 changed files with 116 additions and 4 deletions
|
@ -1143,7 +1143,7 @@ func TestOrderFinalize(t *testing.T) {
|
||||||
csr: csr,
|
csr: csr,
|
||||||
sa: &mockSignAuth{
|
sa: &mockSignAuth{
|
||||||
sign: func(csr *x509.CertificateRequest, pops provisioner.Options, signOps ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
sign: func(csr *x509.CertificateRequest, pops provisioner.Options, signOps ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
||||||
assert.Equals(t, len(signOps), 4)
|
assert.Equals(t, len(signOps), 5)
|
||||||
return []*x509.Certificate{crt, inter}, nil
|
return []*x509.Certificate{crt, inter}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1192,7 +1192,7 @@ func TestOrderFinalize(t *testing.T) {
|
||||||
csr: csr,
|
csr: csr,
|
||||||
sa: &mockSignAuth{
|
sa: &mockSignAuth{
|
||||||
sign: func(csr *x509.CertificateRequest, pops provisioner.Options, signOps ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
sign: func(csr *x509.CertificateRequest, pops provisioner.Options, signOps ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
||||||
assert.Equals(t, len(signOps), 4)
|
assert.Equals(t, len(signOps), 5)
|
||||||
return []*x509.Certificate{crt, inter}, nil
|
return []*x509.Certificate{crt, inter}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1239,7 +1239,7 @@ func TestOrderFinalize(t *testing.T) {
|
||||||
csr: csr,
|
csr: csr,
|
||||||
sa: &mockSignAuth{
|
sa: &mockSignAuth{
|
||||||
sign: func(csr *x509.CertificateRequest, pops provisioner.Options, signOps ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
sign: func(csr *x509.CertificateRequest, pops provisioner.Options, signOps ...provisioner.SignOption) ([]*x509.Certificate, error) {
|
||||||
assert.Equals(t, len(signOps), 4)
|
assert.Equals(t, len(signOps), 5)
|
||||||
return []*x509.Certificate{crt, inter}, nil
|
return []*x509.Certificate{crt, inter}, nil
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -15,6 +15,7 @@ type ACME struct {
|
||||||
Type string `json:"type"`
|
Type string `json:"type"`
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
Claims *Claims `json:"claims,omitempty"`
|
Claims *Claims `json:"claims,omitempty"`
|
||||||
|
ForceCN bool `json:"forceCN,omitempty"`
|
||||||
claimer *Claimer
|
claimer *Claimer
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -67,6 +68,7 @@ func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
|
||||||
return []SignOption{
|
return []SignOption{
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeACME, p.Name, ""),
|
newProvisionerExtensionOption(TypeACME, p.Name, ""),
|
||||||
|
newForceCNOption(p.ForceCN),
|
||||||
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
defaultPublicKeyValidator{},
|
defaultPublicKeyValidator{},
|
||||||
|
|
|
@ -168,7 +168,7 @@ func TestACME_AuthorizeSign(t *testing.T) {
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if assert.Nil(t, tc.err) && assert.NotNil(t, opts) {
|
if assert.Nil(t, tc.err) && assert.NotNil(t, opts) {
|
||||||
assert.Len(t, 4, opts)
|
assert.Len(t, 5, opts)
|
||||||
for _, o := range opts {
|
for _, o := range opts {
|
||||||
switch v := o.(type) {
|
switch v := o.(type) {
|
||||||
case *provisionerExtensionOption:
|
case *provisionerExtensionOption:
|
||||||
|
@ -176,6 +176,8 @@ func TestACME_AuthorizeSign(t *testing.T) {
|
||||||
assert.Equals(t, v.Name, tc.p.GetName())
|
assert.Equals(t, v.Name, tc.p.GetName())
|
||||||
assert.Equals(t, v.CredentialID, "")
|
assert.Equals(t, v.CredentialID, "")
|
||||||
assert.Len(t, 0, v.KeyValuePairs)
|
assert.Len(t, 0, v.KeyValuePairs)
|
||||||
|
case *forceCNOption:
|
||||||
|
assert.Equals(t, v.ForceCN, tc.p.ForceCN)
|
||||||
case profileDefaultDuration:
|
case profileDefaultDuration:
|
||||||
assert.Equals(t, time.Duration(v), tc.p.claimer.DefaultTLSCertDuration())
|
assert.Equals(t, time.Duration(v), tc.p.claimer.DefaultTLSCertDuration())
|
||||||
case defaultPublicKeyValidator:
|
case defaultPublicKeyValidator:
|
||||||
|
|
|
@ -316,6 +316,32 @@ type stepProvisionerASN1 struct {
|
||||||
KeyValuePairs []string `asn1:"optional,omitempty"`
|
KeyValuePairs []string `asn1:"optional,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type forceCNOption struct {
|
||||||
|
ForceCN bool
|
||||||
|
}
|
||||||
|
|
||||||
|
func newForceCNOption(forceCN bool) *forceCNOption {
|
||||||
|
return &forceCNOption{forceCN}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (o *forceCNOption) Option(Options) x509util.WithOption {
|
||||||
|
return func(p x509util.Profile) error {
|
||||||
|
if !o.ForceCN {
|
||||||
|
// Forcing CN is disabled, do nothing to certificate
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
crt := p.Subject()
|
||||||
|
if crt.Subject.CommonName == "" {
|
||||||
|
if len(crt.DNSNames) > 0 {
|
||||||
|
crt.Subject.CommonName = crt.DNSNames[0]
|
||||||
|
} else {
|
||||||
|
return errors.New("Cannot force CN, DNSNames is empty")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
type provisionerExtensionOption struct {
|
type provisionerExtensionOption struct {
|
||||||
Type int
|
Type int
|
||||||
Name string
|
Name string
|
||||||
|
|
|
@ -344,6 +344,88 @@ func Test_validityValidator_Valid(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func Test_forceCN_Option(t *testing.T) {
|
||||||
|
type test struct {
|
||||||
|
so Options
|
||||||
|
fcn forceCNOption
|
||||||
|
cert *x509.Certificate
|
||||||
|
valid func(*x509.Certificate)
|
||||||
|
err error
|
||||||
|
}
|
||||||
|
|
||||||
|
tests := map[string]func() test{
|
||||||
|
"ok/CN-not-forced": func() test {
|
||||||
|
return test{
|
||||||
|
fcn: forceCNOption{false},
|
||||||
|
so: Options{},
|
||||||
|
cert: &x509.Certificate{
|
||||||
|
Subject: pkix.Name{},
|
||||||
|
DNSNames: []string{"acme.example.com", "step.example.com"},
|
||||||
|
},
|
||||||
|
valid: func(cert *x509.Certificate) {
|
||||||
|
assert.Equals(t, cert.Subject.CommonName, "")
|
||||||
|
},
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"ok/CN-forced-and-set": func() test {
|
||||||
|
return test{
|
||||||
|
fcn: forceCNOption{true},
|
||||||
|
so: Options{},
|
||||||
|
cert: &x509.Certificate{
|
||||||
|
Subject: pkix.Name{
|
||||||
|
CommonName: "Some Common Name",
|
||||||
|
},
|
||||||
|
DNSNames: []string{"acme.example.com", "step.example.com"},
|
||||||
|
},
|
||||||
|
valid: func(cert *x509.Certificate) {
|
||||||
|
assert.Equals(t, cert.Subject.CommonName, "Some Common Name")
|
||||||
|
},
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"ok/CN-forced-and-not-set": func() test {
|
||||||
|
return test{
|
||||||
|
fcn: forceCNOption{true},
|
||||||
|
so: Options{},
|
||||||
|
cert: &x509.Certificate{
|
||||||
|
Subject: pkix.Name{},
|
||||||
|
DNSNames: []string{"acme.example.com", "step.example.com"},
|
||||||
|
},
|
||||||
|
valid: func(cert *x509.Certificate) {
|
||||||
|
assert.Equals(t, cert.Subject.CommonName, "acme.example.com")
|
||||||
|
},
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"fail/CN-forced-and-empty-DNSNames": func() test {
|
||||||
|
return test{
|
||||||
|
fcn: forceCNOption{true},
|
||||||
|
so: Options{},
|
||||||
|
cert: &x509.Certificate{
|
||||||
|
Subject: pkix.Name{},
|
||||||
|
DNSNames: []string{},
|
||||||
|
},
|
||||||
|
err: errors.New("Cannot force CN, DNSNames is empty"),
|
||||||
|
}
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for name, run := range tests {
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
tt := run()
|
||||||
|
prof := &x509util.Leaf{}
|
||||||
|
prof.SetSubject(tt.cert)
|
||||||
|
if err := tt.fcn.Option(tt.so)(prof); err != nil {
|
||||||
|
if assert.NotNil(t, tt.err) {
|
||||||
|
assert.HasPrefix(t, err.Error(), tt.err.Error())
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if assert.Nil(t, tt.err) {
|
||||||
|
tt.valid(prof.Subject())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func Test_profileDefaultDuration_Option(t *testing.T) {
|
func Test_profileDefaultDuration_Option(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
so Options
|
so Options
|
||||||
|
|
Loading…
Reference in a new issue