hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Unable to use email address with "allowed_domains_template" for PKI Roles #12694

Closed ropnop closed 3 years ago

ropnop commented 3 years ago

Describe the bug

It is currently not possible to use allowed_domains_template to create dynamic email address CNs from a PKI Role. I would like to be able to use the allowed_domains_template to let users request certificates with a CN of an email address based on their current entity, but due to the way email addresses are split up before being verified against the domain template, it always fails.

To Reproduce

Steps to reproduce the behavior:

  1. Enable a PKI endpoint with a policy like this:

    {
    "allowed_domains": ["{{identity.entity.aliases.auth_userpass_80888708.name}}@example.com"],
    "max_ttl": "24h",
    "key_usage": "DigitalSignature",
    "ext_key_usage": "ClientAuth",
    "organization": "Example",
    "ou": "Example",
    "allow_bare_domains": true,
    "client_flag": true,
    "allowed_domains_template": true,
    "enforce_hostnames": false
    }
  2. Request a certificate from the endpoint with @example.com: vault write pki_int/issue/example common_name="ropnop@example.com"

  3. Issuing fails:

* common name ropnop@example.com not allowed by this role

Expected behavior

I would expect the validation check at https://github.com/hashicorp/vault/blob/main/builtin/logical/pki/cert_util.go#L331-L335 to pass by having sanitizedName be the fully provided email address. Currently, it compares the currDomain, which is correctly expanded via the template to ropnop@example.com, to the emailDomain ("example.com") because isEmail is true.

Additional context

The current logic assumes we need to validate the domain suffix of the email only, but when using the template we want to validate the complete email address (i.e. only allow someone to issue a cert matching their username). I could probably get away with putting the email address in a SAN after https://github.com/hashicorp/vault/pull/10249 gets merged in, but wanted to start a discussion around how to validate email addresses in CNs here.

Happy to open a PR if we agree on an approach?
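The split-then-compare behaviour the report describes, next to the whole-address comparison it asks for, as an added Go example that is not Vault's code: expandAllowedDomains and checkCommonName are hypothetical simplifications of the templating and role check (subdomain and glob handling are left out), and the entity alias name "ropnop" is a constructed input.

```go
package main

import "strings"

// expandAllowedDomains substitutes the single template key used in the issue's
// role definition. Stand-in for Vault's identity templating, so it runs offline.
func expandAllowedDomains(entries []string, aliasName string) []string {
	const key = "{{identity.entity.aliases.auth_userpass_80888708.name}}"
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		out = append(out, strings.ReplaceAll(e, key, aliasName))
	}
	return out
}

// checkCommonName reports whether name is permitted by the expanded
// allowed_domains list. With fullEmailMatch=false it reproduces the behaviour
// the issue describes: an email CN is reduced to its domain part before the
// comparison, so a templated entry "ropnop@example.com" can never match.
// With fullEmailMatch=true an entry that is itself an email address must
// equal the whole CN, which ties issuance to the requesting user's address.
func checkCommonName(name string, allowed []string, allowBareDomains, fullEmailMatch bool) bool {
	sanitized := strings.ToLower(strings.TrimSpace(name))
	isEmail := false
	emailDomain := sanitized // for a non-email CN the "domain" is the name itself
	if at := strings.LastIndex(sanitized, "@"); at > 0 && at < len(sanitized)-1 {
		isEmail = true
		emailDomain = sanitized[at+1:]
	}
	for _, currDomain := range allowed {
		currDomain = strings.ToLower(strings.TrimSpace(currDomain))
		if currDomain == "" {
			continue
		}
		if strings.Contains(currDomain, "@") {
			// Proposed rule: the CN must equal the templated address exactly.
			if fullEmailMatch && isEmail && sanitized == currDomain {
				return true
			}
			continue // current logic: emailDomain never equals an entry with "@"
		}
		// Existing allow_bare_domains rule: only the domain part is compared,
		// so any local part under that domain (and the bare domain) is accepted.
		if allowBareDomains && emailDomain == currDomain {
			return true
		}
	}
	return false
}
```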

ropnop commented 3 years ago

Doing more research, this seems very related to this stale issue reported here: https://github.com/hashicorp/vault/issues/5991

It appears it's currently impossible to limit PKI certificate issuing/signing to specific email addresses in either CNs or SANs. You have to allow the entire bare domain, which lets users request certificates for any email address and the bare domain itself.

hghaf099 commented 3 years ago

This issue is a duplicate of #12336, and has been addressed in https://github.com/hashicorp/vault/pull/12716. Going to close this issue.