Use Policy field instead of PolicyIdentifiers in cert templates (spiffe#6074)

Co-authored-by: Marcos Yacob <[email protected]>
Signed-off-by: Sorin Dumitru <[email protected]>

Author: sorindumitru

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [1.12.2] - 2025-05-19
+
+### Fixed
+
+- Regression where PolicyCredentials set by CredentialComposer plugins were not correctly applied to CA certificates. (#6074)
+
 ## [1.12.1] - 2025-05-06
 
 ### Added

pkg/server/ca/manager/manager_test.go

@@ -17,13 +17,15 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/spiffe/spire/pkg/common/catalog"
 	"github.com/spiffe/spire/pkg/common/coretypes/x509certificate"
 	telemetry_server "github.com/spiffe/spire/pkg/common/telemetry/server"
 	"github.com/spiffe/spire/pkg/common/x509util"
 	"github.com/spiffe/spire/pkg/server/ca"
 	"github.com/spiffe/spire/pkg/server/credtemplate"
 	"github.com/spiffe/spire/pkg/server/credvalidator"
 	"github.com/spiffe/spire/pkg/server/datastore"
+	"github.com/spiffe/spire/pkg/server/plugin/credentialcomposer"
 	"github.com/spiffe/spire/pkg/server/plugin/keymanager"
 	"github.com/spiffe/spire/pkg/server/plugin/notifier"
 	"github.com/spiffe/spire/pkg/server/plugin/upstreamauthority"
@@ -153,6 +155,25 @@ func TestGetCurrentX509CASlot(t *testing.T) {
 	})
 }
 
+func TestCAPolicyIdentifiers(t *testing.T) {
+	ctx := context.Background()
+
+	test := setupTest(t)
+	test.initSelfSignedManager()
+	policy, err := x509.ParseOID("1.2.3.4")
+	require.NoError(t, err)
+	test.cc.policies = append(test.cc.policies, policy)
+
+	t.Run("contains policy identifiers", func(t *testing.T) {
+		require.NoError(t, test.m.PrepareX509CA(ctx))
+
+		currentSlot := test.m.GetCurrentX509CASlot()
+		slot := currentSlot.(*x509CASlot)
+		require.NotNil(t, slot.x509CA)
+		require.Equal(t, slot.x509CA.Certificate.Policies, test.cc.policies)
+	})
+}
+
 func TestGetNextX509CASlot(t *testing.T) {
 	ctx := context.Background()
 
@@ -1206,6 +1227,7 @@ type managerTest struct {
 	km      keymanager.KeyManager
 	ds      *fakedatastore.DataStore
 	cat     *fakeservercatalog.Catalog
+	cc      fakeCC
 
 	m *Manager
 }
@@ -1295,10 +1317,11 @@ func (m *managerTest) selfSignedConfig() Config {
 
 func (m *managerTest) selfSignedConfigWithKeyTypes(x509CAKeyType, jwtKeyType keymanager.KeyType) Config {
 	credBuilder, err := credtemplate.NewBuilder(credtemplate.Config{
-		TrustDomain:   testTrustDomain,
-		X509CASubject: pkix.Name{CommonName: "SPIRE"},
-		Clock:         m.clock,
-		X509CATTL:     testCATTL,
+		TrustDomain:         testTrustDomain,
+		X509CASubject:       pkix.Name{CommonName: "SPIRE"},
+		Clock:               m.clock,
+		X509CATTL:           testCATTL,
+		CredentialComposers: []credentialcomposer.CredentialComposer{&m.cc},
 	})
 	require.NoError(m.t, err)
 
@@ -1547,3 +1570,30 @@ func (s *fakeCA) SetJWTKey(jwtKey *ca.JWTKey) {
 func (s *fakeCA) NotifyTaintedX509Authorities(taintedAuthorities []*x509.Certificate) {
 	s.taintedAuthoritiesCh <- taintedAuthorities
 }
+
+type fakeCC struct {
+	catalog.PluginInfo
+
+	policies []x509.OID
+}
+
+func (cc fakeCC) ComposeServerX509CA(_ context.Context, attributes credentialcomposer.X509CAAttributes) (credentialcomposer.X509CAAttributes, error) {
+	attributes.Policies = append(attributes.Policies, cc.policies...)
+	return attributes, nil
+}
+
+func (cc fakeCC) ComposeServerX509SVID(_ context.Context, attributes credentialcomposer.X509SVIDAttributes) (credentialcomposer.X509SVIDAttributes, error) {
+	return attributes, nil
+}
+
+func (cc fakeCC) ComposeAgentX509SVID(_ context.Context, _ spiffeid.ID, _ crypto.PublicKey, attributes credentialcomposer.X509SVIDAttributes) (credentialcomposer.X509SVIDAttributes, error) {
+	return attributes, nil
+}
+
+func (cc fakeCC) ComposeWorkloadX509SVID(_ context.Context, _ spiffeid.ID, _ crypto.PublicKey, attributes credentialcomposer.X509SVIDAttributes) (credentialcomposer.X509SVIDAttributes, error) {
+	return attributes, nil
+}
+
+func (cc fakeCC) ComposeWorkloadJWTSVID(_ context.Context, _ spiffeid.ID, attributes credentialcomposer.JWTSVIDAttributes) (credentialcomposer.JWTSVIDAttributes, error) {
+	return attributes, nil
+}

pkg/server/credtemplate/builder.go

@@ -202,7 +202,7 @@ func (b *Builder) BuildUpstreamSignedX509CACSR(ctx context.Context, params Upstr
 	}
 
 	// Create the CertificateRequest from the Certificate template. The
-	// PolicyIdentifiers field is ignored since that can be applied by the
+	// Policies field is ignored since that can be applied by the
 	// upstream signer and isn't a part of the native CertificateRequest type.
 	// TODO: maybe revisit this if needed and embed the policy identifiers in
 	// the extra extensions.
@@ -458,9 +458,9 @@ func (b *Builder) computeX509SVIDLifetime(parentChain []*x509.Certificate, ttl t
 
 func x509CAAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X509CAAttributes {
 	return credentialcomposer.X509CAAttributes{
-		Subject:           tmpl.Subject,
-		PolicyIdentifiers: tmpl.PolicyIdentifiers,
-		ExtraExtensions:   tmpl.ExtraExtensions,
+		Subject:         tmpl.Subject,
+		Policies:        tmpl.Policies,
+		ExtraExtensions: tmpl.ExtraExtensions,
 	}
 }
 func x509SVIDAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X509SVIDAttributes {
@@ -473,7 +473,7 @@ func x509SVIDAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X
 
 func applyX509CAAttributes(tmpl *x509.Certificate, attribs credentialcomposer.X509CAAttributes) {
 	tmpl.Subject = attribs.Subject
-	tmpl.PolicyIdentifiers = attribs.PolicyIdentifiers
+	tmpl.Policies = attribs.Policies
 	tmpl.ExtraExtensions = attribs.ExtraExtensions
 }