status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-01-11 14:24:39 +00:00
Code Issues Projects Releases Wiki Activity

Overwrite agent leaf cert trust domain on the servers

Browse Source
This commit is contained in:
Matt Keeler 2020-06-30 09:48:42 -04:00
parent 19040f1166
commit 2ddcba00c6
No known key found for this signature in database
GPG Key ID: 04DBAE1857E0081B
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
agent/consul/connect_ca_endpoint.go
View File

@ -4,6 +4,7 @@ import (
"context" "context"
"errors" "errors"
"fmt" "fmt"
"net/url"
"reflect" "reflect"
"strings" "strings"
"time" "time"
@ -427,6 +428,30 @@ func (s *ConnectCA) Sign(
return fmt.Errorf("SPIFFE ID in CSR from a different trust domain: %s, "+ return fmt.Errorf("SPIFFE ID in CSR from a different trust domain: %s, "+
"we are %s", serviceID.Host, signingID.Host()) "we are %s", serviceID.Host, signingID.Host())
} }
} else {
// isAgent - if we support more ID types then this would need to be an else if
// here we are just automatically fixing the trust domain. For auto-encrypt and
// auto-config they make certificate requests before learning about the roots
// so they will have a dummy trust domain in the CSR.
trustDomain := signingID.Host()
if agentID.Host != trustDomain {
originalURI := agentID.URI()
agentID.Host = trustDomain
csr.Subject.CommonName = connect.AgentCN(agentID.Agent, trustDomain)
// recreate the URIs list
uris := make([]*url.URL, len(csr.URIs))
for i, uri := range csr.URIs {
if originalURI.String() == uri.String() {
uris[i] = agentID.URI()
} else {
uris[i] = uri
}
}
csr.URIs = uris
}
} }
// Verify that the ACL token provided has permission to act as this service // Verify that the ACL token provided has permission to act as this service