spiffe: correct trust domain checking

Fixes an incorrect trust domain check to ensure that issuers are a subdomain of the spiffe id trust domain. Signed-off-by: Nathan Smith <nathan@chainguard.dev>
sigstore · May 16, 2022 · bce3a8c · bce3a8c
1 parent fdaedd6
commit bce3a8c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/pkg/challenges/challenges.go b/pkg/challenges/challenges.go
@@ -456,7 +456,7 @@ func isSpiffeIDAllowed(host, spiffeID string) bool {
 	if u.Hostname() == host {
 		return true
 	}
-	return strings.Contains(u.Hostname(), "."+host)
+	return strings.HasSuffix(u.Hostname(), "."+host)
 }
 
 // isURISubjectAllowed compares the subject and issuer URIs,

diff --git a/pkg/challenges/challenges_test.go b/pkg/challenges/challenges_test.go
@@ -302,7 +302,23 @@ func Test_isSpiffeIDAllowed(t *testing.T) {
 		host:     "foobar.com",
 		spiffeID: "spiffe://foofoobar.com/stuff",
 		want:     false,
+	}, {
+		name:     "cross domain substring",
+		host:     "foo.com",
+		spiffeID: "spiffe://baz.foo.com.bar.com/stuff",
+		want:     false,
+	}, {
+		name:     "bad scheme",
+		host:     "foo.com",
+		spiffeID: "https://bar.com/baz",
+		want:     false,
+	}, {
+		name:     "invalid url",
+		host:     "foo.com",
+		spiffeID: "\nfoo",
+		want:     false,
 	}}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := isSpiffeIDAllowed(tt.host, tt.spiffeID); got != tt.want {