Overwrite agent leaf cert trust domain on the servers

This commit is contained in:
Matt Keeler 2020-06-30 09:48:42 -04:00
parent 19040f1166
commit 2ddcba00c6
No known key found for this signature in database
GPG Key ID: 04DBAE1857E0081B
1 changed files with 25 additions and 0 deletions

View File

@ -4,6 +4,7 @@ import (
"context"
"errors"
"fmt"
"net/url"
"reflect"
"strings"
"time"
@ -427,6 +428,30 @@ func (s *ConnectCA) Sign(
return fmt.Errorf("SPIFFE ID in CSR from a different trust domain: %s, "+
"we are %s", serviceID.Host, signingID.Host())
}
} else {
// isAgent - if we support more ID types then this would need to be an else if
// here we are just automatically fixing the trust domain. For auto-encrypt and
// auto-config they make certificate requests before learning about the roots
// so they will have a dummy trust domain in the CSR.
trustDomain := signingID.Host()
if agentID.Host != trustDomain {
originalURI := agentID.URI()
agentID.Host = trustDomain
csr.Subject.CommonName = connect.AgentCN(agentID.Agent, trustDomain)
// recreate the URIs list
uris := make([]*url.URL, len(csr.URIs))
for i, uri := range csr.URIs {
if originalURI.String() == uri.String() {
uris[i] = agentID.URI()
} else {
uris[i] = uri
}
}
csr.URIs = uris
}
}
// Verify that the ACL token provided has permission to act as this service