Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use dnsNamesSubsetValidator for IID provisioners #2044

Merged
merged 5 commits into from
Oct 25, 2024
Merged

Use dnsNamesSubsetValidator for IID provisioners #2044

merged 5 commits into from
Oct 25, 2024

Conversation

dopey
Copy link
Contributor

@dopey dopey commented Oct 25, 2024

... when disableCustomSANs is set to 'true'.

The DNS names in the certificate request must be a subset of the authorized set of DNS names (from the IID token). The previous functionality required that the DNS names in the certificate request exactly matched the authorized DNS names.

@dopey
Use dnsNamesSubsetValidator for IID provisioners
d9a3cc6 
... when disableCustomSANs is set to 'true'.

The DNS names in the certificate request must be a subset of the
authorized set of DNS names (from the IID token). The previous
functionality required that the DNS names in the certificate request
exactly matched the authorized DNS names.
@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Oct 25, 2024
hslatman
hslatman reviewed Oct 25, 2024
View reviewed changes
authority/provisioner/sign_options.go Outdated
Comment on lines 202 to 207
allowed := make(map[string]bool)
for _, s := range v {
allowed[s] = true
}
for _, s := range req.DNSNames {
if _, ok := allowed[s]; !ok {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can probably become map[string]struct, and its capacity can be set to len(v), so something like make(map[string]struct, 0, len(v))

@hslatman hslatman added this to the v0.27.6 milestone Oct 25, 2024
maraino
maraino reviewed Oct 25, 2024
View reviewed changes
Copy link
Contributor

@maraino maraino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Herman's comments make sense, fix them and I'll approve it

@dopey dopey requested a review from maraino October 25, 2024 17:28
@dopey dopey merged commit 88443dd into master Oct 25, 2024
14 checks passed
@dopey dopey deleted the max/dnsNamesSubsetValidator branch October 25, 2024 17:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hslatman hslatman hslatman left review comments

@maraino maraino maraino approved these changes

Assignees
No one assigned
Labels
needs triage Waiting for discussion / prioritization by team
Projects
None yet
Milestone
v0.28.0
Development

Successfully merging this pull request may close these issues.
3 participants
@dopey @maraino @hslatman