agent/connect: support SpiffeIDSigning

2025-01-22 03:29:43 +00:00 · 2018-03-24 08:46:12 -10:00 · 2018-03-24 08:46:12 -10:00 · 75bf0e1638
commit 75bf0e1638
parent 17ca8ad083
3 changed files with 40 additions and 6 deletions
--- a/agent/connect/testing_ca.go
+++ b/agent/connect/testing_ca.go
@ -53,18 +53,15 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
 	}

 	// The URI (SPIFFE compatible) for the cert
-	uri, err := url.Parse(fmt.Sprintf("spiffe://%s.consul", testClusterID))
-	if err != nil {
-		t.Fatalf("error parsing CA URI: %s", err)
-	}
+	id := &SpiffeIDSigning{ClusterID: testClusterID, Domain: "consul"}

 	// Create the CA cert
 	template := x509.Certificate{
 		SerialNumber: sn,
 		Subject:      pkix.Name{CommonName: result.Name},
-		URIs:         []*url.URL{uri},
+		URIs:         []*url.URL{id.URI()},
 		PermittedDNSDomainsCritical: true,
-		PermittedDNSDomains:         []string{uri.Hostname()},
+		PermittedDNSDomains:         []string{id.URI().Hostname()},
 		BasicConstraintsValid:       true,
 		KeyUsage: x509.KeyUsageCertSign |
 			x509.KeyUsageCRLSign |
--- a/agent/connect/uri.go
+++ b/agent/connect/uri.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/url"
 	"regexp"
+	"strings"
 )

 // CertURI represents a Connect-valid URI value for a TLS certificate.
@ -38,6 +39,17 @@ func ParseCertURI(input *url.URL) (CertURI, error) {
 		}, nil
 	}

+	// Test for signing ID
+	if input.Path == "" {
+		idx := strings.Index(input.Host, ".")
+		if idx > 0 {
+			return &SpiffeIDSigning{
+				ClusterID: input.Host[:idx],
+				Domain:    input.Host[idx+1:],
+			}, nil
+		}
+	}
+
 	return nil, fmt.Errorf("SPIFFE ID is not in the expected format")
 }

@ -58,3 +70,18 @@ func (id *SpiffeIDService) URI() *url.URL {
 		id.Namespace, id.Datacenter, id.Service)
 	return &result
 }
+
+// SpiffeIDSigning is the structure to represent the SPIFFE ID for a
+// signing certificate (not a leaf service).
+type SpiffeIDSigning struct {
+	ClusterID string // Unique cluster ID
+	Domain    string // The domain, usually "consul"
+}
+
+// URI returns the *url.URL for this SPIFFE ID.
+func (id *SpiffeIDSigning) URI() *url.URL {
+	var result url.URL
+	result.Scheme = "spiffe"
+	result.Host = fmt.Sprintf("%s.%s", id.ClusterID, id.Domain)
+	return &result
+}
--- a/agent/connect/uri_test.go
+++ b/agent/connect/uri_test.go
@ -33,6 +33,16 @@ var testCertURICases = []struct {
 		},
 		"",
 	},
+
+	{
+		"signing ID",
+		"spiffe://1234.consul",
+		&SpiffeIDSigning{
+			ClusterID: "1234",
+			Domain:    "consul",
+		},
+		"",
+	},
 }

 func TestParseCertURI(t *testing.T) {