Skip to content

Make sure to set uri_sans parameter #3971

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 22, 2023
Merged

Make sure to set uri_sans parameter #3971

merged 4 commits into from
Mar 22, 2023

Conversation

hiyosi
Copy link
Contributor

@hiyosi hiyosi commented Mar 13, 2023
edited
Loading

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality

Description of change

Fixed a issue in which intermediate certificates issued by the HashiCorp Vault PKI engine do not contain a URI SAN.

Which issue this PR fixes

#3968

@hiyosi hiyosi force-pushed the specify-uri-sans branch 3 times, most recently from 8a7207f to 8daa8ed Compare March 13, 2023 09:50
@amartinezfayo amartinezfayo added this to the 1.6.2 milestone Mar 13, 2023
@hiyosi hiyosi mentioned this pull request Mar 14, 2023
Closed
hiyosi
hiyosi commented Mar 14, 2023
View reviewed changes
pkg/server/plugin/upstreamauthority/vault/vault_test.go
@@ -259,7 +259,7 @@ func TestMintX509CA(t *testing.T) {
},
},
authMethod: TOKEN,
expectX509CA: []string{"spiffe://intermediate-vault", "spiffe://intermediate"},
expectX509CA: []string{"spiffe://intermediate-spire", "spiffe://intermediate-vault"},
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before this PR, values of URI SAN are little confusing.

@hiyosi hiyosi force-pushed the specify-uri-sans branch from 372de14 to 03becc4 Compare March 15, 2023 01:09
@amartinezfayo amartinezfayo self-assigned this Mar 15, 2023
amartinezfayo
amartinezfayo reviewed Mar 15, 2023
View reviewed changes
Copy link
Member

@amartinezfayo amartinezfayo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @hiyosi for this contribution!
This is in draft mode, are you expecting to add more commits?

@hiyosi
Copy link
Contributor Author

hiyosi commented Mar 15, 2023
edited
Loading

@amartinezfayo
I have only one concern.
I'm not sure a value of URI SAN(SPIFFE ID) must be set or not in X509SVID CA certificates.

@hiyosi hiyosi marked this pull request as ready for review March 15, 2023 22:50
@amartinezfayo
Copy link
Member

I'm not sure a value of URI SAN(SPIFFE ID) must be set or not in X509SVID CA certificates.

While it would be desirable that a signing certificate itself should an SVID, it's not mandatory.
A more strict validation was introduced in SPIRE 1.6 that made this a hard requirement. After discussing this during our last maintainer's sync, we decided that it's better to relax that requirement so the process doesn't fail. There are chances that an upstream authority plugin can't control this, so we will change this to not have an unnecessary limitation there.

We still welcome this change though :)

amartinezfayo
amartinezfayo reviewed Mar 17, 2023
View reviewed changes
pkg/server/plugin/upstreamauthority/vault/vault_client.go Outdated
uris = append(uris, uri.String())
}
if len(uris) == 0 {
return nil, status.Errorf(codes.Internal, "CSR must have least one URIs")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the error is due to an invalid input argument and not an internal failure I think that we should use codes.InvalidArgument.

Suggested change
return nil, status.Errorf(codes.Internal, "CSR must have least one URIs")
return nil, status.Errorf(codes.InvalidArgument, "CSR must have at least one URI")

Copy link
Contributor Author

@hiyosi hiyosi Mar 17, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed via a0ee7fd

@hiyosi hiyosi force-pushed the specify-uri-sans branch from f9b6103 to a0ee7fd Compare March 17, 2023 22:48
amartinezfayo
amartinezfayo reviewed Mar 21, 2023
View reviewed changes
Copy link
Member

@amartinezfayo amartinezfayo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last final thing and we are ready to go. Sorry that I didn't suggest this in the first review.

pkg/server/plugin/upstreamauthority/vault/vault_client.go Outdated
uris = append(uris, uri.String())
}
if len(uris) == 0 {
return nil, status.Errorf(codes.InvalidArgument, "CSR must have least one URIs")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return nil, status.Errorf(codes.InvalidArgument, "CSR must have least one URIs")
return nil, status.Errorf(codes.InvalidArgument, "CSR must have at least one URI")

Copy link
Contributor Author

@hiyosi hiyosi Mar 21, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed via 6bfee67

@hiyosi hiyosi force-pushed the specify-uri-sans branch from 5a59969 to f34b40b Compare March 21, 2023 22:58
@hiyosi hiyosi force-pushed the specify-uri-sans branch from f34b40b to 6bfee67 Compare March 21, 2023 22:59
amartinezfayo
amartinezfayo approved these changes Mar 22, 2023
View reviewed changes
Copy link
Member

@amartinezfayo amartinezfayo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @hiyosi!

@amartinezfayo amartinezfayo merged commit f9c4b87 into spiffe:main Mar 22, 2023
@hiyosi hiyosi deleted the specify-uri-sans branch March 22, 2023 22:56
@amartinezfayo amartinezfayo modified the milestones: 1.6.2, 1.6.3 Apr 5, 2023
Basavaraju-G pushed a commit to Basavaraju-G/spire that referenced this pull request May 3, 2023
@hiyosi @Basavaraju-G
Make sure to set uri_sans parameter (spiffe#3971)
11f0413 
* Make sure to set uri_sans parameter

Signed-off-by: Tomoya Usami <[email protected]>
Signed-off-by: Basavaraju-G <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amartinezfayo amartinezfayo amartinezfayo approved these changes

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@azdagron azdagron Awaiting requested review from azdagron

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

@amartinezfayo amartinezfayo

Labels
None yet
Projects
None yet
Milestone
1.6.3
Development

Successfully merging this pull request may close these issues.
2 participants
@hiyosi @amartinezfayo