Merge pull request #449 from inteon/fix_config

BUGFIX: cloud toPolicy SAN regex processing
Venafi · Apr 30, 2024 · 86272e1 · 86272e1
2 parents 53a2ecb + c16e398
commit 86272e1
Show file tree

Hide file tree

Showing 2 changed files with 116 additions and 4 deletions.
diff --git a/pkg/venafi/cloud/certificatePolicies.go b/pkg/venafi/cloud/certificatePolicies.go
@@ -94,29 +94,43 @@ func (ct certificateTemplate) toPolicy() (p endpoint.Policy) {
 		return s
 	}
 	addStartEndToArray := func(ss []string) []string {
+		// if the array is nil, return nil
+		if ss == nil {
+			return nil
+		}
+
 		a := make([]string, len(ss))
 		for i, s := range ss {
 			a[i] = addStartEnd(s)
 		}
 		return a
 	}
-	if len(ct.SubjectCValues) == 0 {
-		ct.SubjectCValues = []string{".*"}
-	}
+
 	p.SubjectCNRegexes = addStartEndToArray(ct.SubjectCNRegexes)
 	p.SubjectOURegexes = addStartEndToArray(ct.SubjectOURegexes)
-	p.SubjectCRegexes = addStartEndToArray(ct.SubjectCValues)
+	p.SubjectCRegexes = addStartEndToArray(ct.SubjectCValues) // For some reason, the API field is named subjectCValues instead of subjectCRegexes
 	p.SubjectSTRegexes = addStartEndToArray(ct.SubjectSTRegexes)
 	p.SubjectLRegexes = addStartEndToArray(ct.SubjectLRegexes)
 	p.SubjectORegexes = addStartEndToArray(ct.SubjectORegexes)
+
 	p.DnsSanRegExs = addStartEndToArray(ct.SANRegexes)
+	p.IpSanRegExs = addStartEndToArray(ct.SanIpAddressRegexes)
+	p.EmailSanRegExs = addStartEndToArray(ct.SanRfc822NameRegexes)
+	p.UriSanRegExs = addStartEndToArray(ct.SanUniformResourceIdentifierRegexes)
+	p.UpnSanRegExs = nil // UPN regexes are not provided by the API
+
 	p.AllowKeyReuse = ct.KeyReuse
 	allowWildCards := false
 	for _, s := range p.SubjectCNRegexes {
 		if strings.HasPrefix(s, `^.*`) {
 			allowWildCards = true
 		}
 	}
+	for _, s := range p.DnsSanRegExs {
+		if strings.HasPrefix(s, `^.*`) {
+			allowWildCards = true
+		}
+	}
 	p.AllowWildcards = allowWildCards
 
 	for _, kt := range ct.KeyTypes {

diff --git a/pkg/venafi/cloud/cloud_test.go b/pkg/venafi/cloud/cloud_test.go
@@ -22,6 +22,8 @@ import (
 	"testing"
 
 	"github.com/Venafi/vcert/v5/pkg/certificate"
+	"github.com/Venafi/vcert/v5/pkg/endpoint"
+	"github.com/stretchr/testify/require"
 )
 
 var (
@@ -68,6 +70,102 @@ func TestParseZoneResponse(t *testing.T) {
 	}
 }
 
+func Test_toPolicy(t *testing.T) {
+	for _, test := range []struct {
+		certTempl *certificateTemplate
+		expPolicy endpoint.Policy
+	}{
+		{
+			certTempl: &certificateTemplate{},
+			expPolicy: endpoint.Policy{},
+		},
+		{
+			certTempl: &certificateTemplate{
+				SubjectCNRegexes: []string{"cn1", "cn2"},
+				SubjectORegexes:  []string{"o1", "o2"},
+				SubjectOURegexes: []string{"ou1", "ou2"},
+				SubjectSTRegexes: []string{"st1", "st2"},
+				SubjectLRegexes:  []string{"l1", "l2"},
+				SubjectCValues:   []string{"c1", "c2"},
+
+				SANRegexes:                          []string{"dns1", "dns2"},
+				SanRfc822NameRegexes:                []string{"email1", "email2"},
+				SanIpAddressRegexes:                 []string{"ip1", "ip2"},
+				SanUniformResourceIdentifierRegexes: []string{"uri1", "uri2"},
+			},
+			expPolicy: endpoint.Policy{
+				SubjectCNRegexes: []string{"^cn1$", "^cn2$"},
+				SubjectORegexes:  []string{"^o1$", "^o2$"},
+				SubjectOURegexes: []string{"^ou1$", "^ou2$"},
+				SubjectSTRegexes: []string{"^st1$", "^st2$"},
+				SubjectLRegexes:  []string{"^l1$", "^l2$"},
+				SubjectCRegexes:  []string{"^c1$", "^c2$"},
+
+				DnsSanRegExs:   []string{"^dns1$", "^dns2$"},
+				EmailSanRegExs: []string{"^email1$", "^email2$"},
+				IpSanRegExs:    []string{"^ip1$", "^ip2$"},
+				UriSanRegExs:   []string{"^uri1$", "^uri2$"},
+				UpnSanRegExs:   nil,
+			},
+		},
+		{
+			certTempl: &certificateTemplate{
+				KeyReuse:   true,
+				SANRegexes: []string{".*example.com"},
+			},
+			expPolicy: endpoint.Policy{
+				DnsSanRegExs: []string{"^.*example.com$"},
+
+				AllowKeyReuse:  true,
+				AllowWildcards: true,
+			},
+		},
+		{
+			certTempl: &certificateTemplate{
+				KeyTypes: []allowedKeyType{
+					{
+						KeyType:    "RSA",
+						KeyLengths: []int{88888},
+					},
+				},
+			},
+			expPolicy: endpoint.Policy{
+				AllowedKeyConfigurations: []endpoint.AllowedKeyConfiguration{
+					{
+						KeyType:  certificate.KeyTypeRSA,
+						KeySizes: []int{88888},
+					},
+				},
+			},
+		},
+		{
+			certTempl: &certificateTemplate{
+				KeyTypes: []allowedKeyType{
+					{
+						KeyType:   "EC",
+						KeyCurves: []string{"P256", "P-384", "ED25519"},
+					},
+				},
+			},
+			expPolicy: endpoint.Policy{
+				AllowedKeyConfigurations: []endpoint.AllowedKeyConfiguration{
+					{
+						KeyType: certificate.KeyTypeECDSA,
+						KeyCurves: []certificate.EllipticCurve{
+							certificate.EllipticCurveP256,
+							certificate.EllipticCurveP384,
+							certificate.EllipticCurveED25519,
+						},
+					},
+				},
+			},
+		},
+	} {
+		policy := test.certTempl.toPolicy()
+		require.Equal(t, test.expPolicy, policy)
+	}
+}
+
 func TestUpdateRequest(t *testing.T) {
 	req := certificate.Request{}
 	req.Subject.CommonName = "vcert.test.vfidev.com"