Improve Subject Name handling for Conjur CA certificates #712
This code looks solid, but I think we should hold on merging until we run the host name format by a customer or two. I worry it'll be too restrictive.
csr_cert | ||
end | ||
|
||
protected | ||
|
||
def subject(role) | ||
common_name = [ | ||
'conjur', |
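Review bot: the literal 'conjur' as the first element of common_name in subject(role) hard-codes a vendor prefix into the Subject CN of every issued certificate, so it becomes part of the naming scheme that relying parties must match against; since account, service id and host id already identify the role uniquely, consider dropping the prefix (as the thread below agrees) and documenting the final CN layout next to the method.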
What do you think about pulling this out? I'm not sure I'd love to need to put conjur into my host naming convention, particularly if all hosts were managed by Conjur. Without it, organizations are free to set account, service_id, and host id as they see fit.
I'm ok with that. I think we had settled on this because it roughly mirrored the SPIFFE ID, but there is no other reason I am aware of at this point. I will change it.
Code Climate has analyzed commit 70456e7 and detected 5 issues on this pull request.
Looks good!
Closes #705
Closes #707
What does this pull request do?
This PR updates the Conjur CA certificates in 2 ways:
1. The Common Name on the certificate is now given directly from the authenticated role (must be host), and not from the CSR. The common name has the format <account>:<ca-service-id>:host:<host-id>. A DNS alternative name is added for the leaf (right-most) portion of the slash-separated host identifier. This is to support the existing demo.
2. The certificate now includes a URI subject alternative name containing the SPIFFE Id for the role. This currently takes the form of spiffe://conjur/<account>/<ca-service-id>/host/<host-id>.
Where should the reviewer start?
The core changes are in app/domain/ca/certificate_authority.rb
How should this be manually tested?
The API cucumber tests include verification that these IDs are present and correct.
If you want to, you can use the demo (https://github.com/conjurdemos/misc-util/tree/master/demos/certificate-authority/mutual-tls) to generate a certificate. You can then use OpenSSL to view the contents to verify the subject names, e.g.:
Link to build in Jenkins (if appropriate)
https://jenkins.conjur.net/job/cyberark--conjur/job/ca_csr_subject/
Questions:
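As an added illustration (not code from this PR or from Conjur), the Ruby below derives the three identity fields the description specifies for a host role, builds a self-signed fixture certificate carrying them, and parses them back the way a relying party would check a Conjur-issued certificate. The account, service id and host id values are constructed examples; the self-signing stands in for the CA service, which is not part of this snippet.

```ruby
require 'openssl'

# Expected identity fields for a Conjur host role, as the PR describes:
#   CN      = <account>:<ca-service-id>:host:<host-id>
#   DNS SAN = right-most segment of the slash-separated host id
#   URI SAN = spiffe://conjur/<account>/<ca-service-id>/host/<host-id>
def expected_names(account, service_id, host_id)
  {
    cn:  "#{account}:#{service_id}:host:#{host_id}",
    dns: host_id.split('/').last,
    uri: "spiffe://conjur/#{account}/#{service_id}/host/#{host_id}"
  }
end

# Constructed fixture: a self-signed leaf carrying those names. A real
# Conjur certificate would be signed by the CA service instead.
def build_cert(account, service_id, host_id)
  names = expected_names(account, service_id, host_id)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', names[:cn]]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  san = "DNS:#{names[:dns]},URI:#{names[:uri]}"
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Read CN, DNS SAN and URI SAN back out of a parsed certificate.
def actual_names(cert)
  cn = cert.subject.to_a.find { |oid, _, _| oid == 'CN' }[1]
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  entries = ext ? ext.value.split(', ') : []
  {
    cn:  cn,
    dns: entries.grep(/\ADNS:/).map { |e| e.sub('DNS:', '') }.first,
    uri: entries.grep(/\AURI:/).map { |e| e.sub('URI:', '') }.first
  }
end

# True only if every name on the cert matches the role it claims to be.
def names_match?(cert, account, service_id, host_id)
  actual_names(cert) == expected_names(account, service_id, host_id)
end
```

The same check can be made against a certificate produced by the demo by loading its PEM with OpenSSL::X509::Certificate.new and calling names_match? with the role's components.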