Feat name constraints #7400

Merged (4 commits), Mar 10, 2023
73 changes: 73 additions & 0 deletions mmv1/products/privateca/CaPool.yaml
@@ -343,6 +343,79 @@ properties:
item_type: Api::Type::Integer
description: |
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- !ruby/object:Api::Type::NestedObject
name: 'nameConstraints'
description: |
Describes the X.509 name constraints extension.
properties:
- !ruby/object:Api::Type::Boolean
name: 'critical'
description: Indicates whether or not the name constraints are marked critical.
required: true
- !ruby/object:Api::Type::Array
name: 'permittedDnsNames'
description: |
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedDnsNames'
description: |
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedIpRanges'
description: |
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedIpRanges'
description: |
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedEmailAddresses'
description: |
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedEmailAddresses'
description: |
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedUris'
description: |
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedUris'
description: |
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
item_type: Api::Type::String
Comment on lines +355 to +418
Member

  • Can we test multiple entries for these values? Just want to make sure the API returns the elements in the same order they've been configured, so we know whether they're a list or a set.

  • Do we know if the API will return values for these fields if they're not explicitly specified? My assumption is no, but I just want to make sure.

Contributor Author


  • Can we test multiple entries for these values? Just want to make sure the API returns the elements in the same order they've been configured, so we know whether they're a list or a set.

Done.

  • Do we know if the API will return values for these fields if they're not explicitly specified? My assumption is no, but I just want to make sure.

No.

- !ruby/object:Api::Type::NestedObject
name: 'publishingOptions'
description: |
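Review bot: The `excludedDnsNames` description (second array in this hunk) reuses the `permittedDnsNames` wording verbatim, so it says a matching name "satisfies the name constraint" when for an exclusion list a matching name is rejected; the same copy is repeated in Certificate.yaml and CertificateAuthority.yaml, so fix it once and propagate. Suggested wording: `Contains excluded DNS names. Any DNS name that can be constructed by adding zero or more labels to the left-hand side of the name is excluded.` The `permittedUris` and `excludedUris` descriptions also end without a period, unlike the other fields.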
165 changes: 165 additions & 0 deletions mmv1/products/privateca/Certificate.yaml
@@ -413,6 +413,88 @@ properties:
description: |
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
output: true
- !ruby/object:Api::Type::NestedObject
name: 'nameConstraints'
description: |
Describes the X.509 name constraints extension.
output: true
properties:
- !ruby/object:Api::Type::Boolean
name: 'critical'
description: Indicates whether or not the name constraints are marked critical.
output: true
- !ruby/object:Api::Type::Array
name: 'permittedDnsNames'
description: |
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedDnsNames'
description: |
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedIpRanges'
description: |
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedIpRanges'
description: |
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedEmailAddresses'
description: |
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedEmailAddresses'
description: |
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedUris'
description: |
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedUris'
description: |
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'configValues'
deprecation_message: Deprecated in favor of `x509_description`.
@@ -864,6 +946,89 @@ properties:
description: |
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
immutable: true
- !ruby/object:Api::Type::NestedObject
name: 'nameConstraints'
description: |
Describes the X.509 name constraints extension.
immutable: true
properties:
- !ruby/object:Api::Type::Boolean
name: 'critical'
description: Indicates whether or not the name constraints are marked critical.
immutable: true
required: true
- !ruby/object:Api::Type::Array
name: 'permittedDnsNames'
description: |
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedDnsNames'
description: |
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedIpRanges'
description: |
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedIpRanges'
description: |
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedEmailAddresses'
description: |
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedEmailAddresses'
description: |
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedUris'
description: |
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedUris'
description: |
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'subjectConfig'
description: |
83 changes: 83 additions & 0 deletions mmv1/products/privateca/CertificateAuthority.yaml
@@ -313,6 +313,89 @@ properties:
item_type: Api::Type::Integer
description: |
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- !ruby/object:Api::Type::NestedObject
name: 'nameConstraints'
description: |
Describes the X.509 name constraints extension.
immutable: true
properties:
- !ruby/object:Api::Type::Boolean
name: 'critical'
description: Indicates whether or not the name constraints are marked critical.
immutable: true
required: true
- !ruby/object:Api::Type::Array
name: 'permittedDnsNames'
description: |
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedDnsNames'
description: |
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedIpRanges'
description: |
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedIpRanges'
description: |
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedEmailAddresses'
description: |
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedEmailAddresses'
description: |
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedUris'
description: |
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedUris'
description: |
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'subjectConfig'
immutable: true
@@ -44,5 +44,10 @@ func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d T
}
transformed["additionalExtensions"] = addExts

nameConstraints, err := expandPrivatecaCertificateConfigX509ConfigNameConstraints(original["name_constraints"], d, config)
if err != nil {
return nil, err
}
transformed["nameConstraints"] = nameConstraints
return transformed, nil
}
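Review bot: The assignment `transformed["nameConstraints"] = nameConstraints` is unconditional, so when the Terraform config omits the `name_constraints` block, whatever `expandPrivatecaCertificateConfigX509ConfigNameConstraints` returns for a nil input is still written into the request body. Unless that expander is known to return a value the API accepts for an absent block, guard the assignment, e.g. `if nameConstraints != nil { transformed["nameConstraints"] = nameConstraints }`, so that leaving the block out keeps the extension unset rather than sending an empty `nameConstraints` object.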
@@ -14,5 +14,7 @@ func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d
flattenPrivatecaCertificateConfigX509ConfigCaOptions(original["caOptions"], d, config)
transformed["key_usage"] =
flattenPrivatecaCertificateConfigX509ConfigKeyUsage(original["keyUsage"], d, config)
transformed["name_constraints"] =
flattenPrivatecaCertificateConfigX509ConfigNameConstraints(original["nameConstraints"], d, config)
return []interface{}{transformed}
}
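Review bot: Per the discussion on CaPool.yaml, the API does not return `nameConstraints` when it was never set, so `original["nameConstraints"]` is nil for existing resources and `flattenPrivatecaCertificateConfigX509ConfigNameConstraints` must return nil (not an empty block) in that case; otherwise `name_constraints` lands in state as an empty block and every plan shows a diff against a config that never set it. Worth checking with a resource created before this change, since the Certificate-side fields are all `immutable: true` and a spurious diff there would force replacement.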
@@ -73,6 +73,17 @@ resource "google_privateca_ca_pool" "<%= ctx[:primary_resource_id] %>" {
time_stamping = true
}
}
name_constraints {
critical = true
permitted_dns_names = ["*.example1.com", "*.example2.com"]
excluded_dns_names = ["*.deny.example1.com", "*.deny.example2.com"]
permitted_ip_ranges = ["10.0.0.0/8", "11.0.0.0/8"]
excluded_ip_ranges = ["10.1.1.0/24", "11.1.1.0/24"]
permitted_email_addresses = [".example1.com", ".example2.com"]
excluded_email_addresses = [".deny.example1.com", ".deny.example2.com"]
permitted_uris = [".example1.com", ".example2.com"]
excluded_uris = [".deny.example1.com", ".deny.example2.com"]
}
}
}
}
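Review bot: `permitted_dns_names = ["*.example1.com", "*.example2.com"]` (and the `excluded_dns_names` entries) do not match the form the CaPool.yaml description documents: a DNS name constraint is satisfied by adding labels to the left of the listed name, so `example1.com` already covers every subdomain, and a leading `*.` is just another label, not a wildcard. Either use `example1.com` / `deny.example1.com` so the example shows the documented semantics, or confirm the API treats `*.` specially and say so in the field description; a test that passes with a literal `*.example1.com` would not show that the constraint restricts issuance as intended. The two-element lists do cover the ordering question raised in review.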