Retrigger CSR when subject org and ou doesn't match.

Signed-off-by: GitHub <noreply@github.com>
open-cluster-management-io · Mar 14, 2024 · 3016c19 · 3016c19
1 parent b4bf3d0
commit 3016c19
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 4 deletions.
diff --git a/pkg/registration/clientcert/certificate.go b/pkg/registration/clientcert/certificate.go
@@ -2,9 +2,11 @@ package clientcert
 
 import (
 	"context"
+	"crypto/x509"
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
+	"reflect"
 	"time"
 
 	"github.com/openshift/library-go/pkg/operator/events"
@@ -92,17 +94,37 @@ func IsCertificateValid(logger klog.Logger, certData []byte, subject *pkix.Name)
 	}
 
 	// check subject of certificates
+	// if the subject is specified, make sure at least one cert in the certificate chain matches the subject
 	for _, cert := range certs {
-		if cert.Subject.CommonName != subject.CommonName {
-			continue
+		if certMatchSubject(cert, subject) {
+			return true, nil
 		}
-		return true, nil
 	}
 
-	logger.V(4).Info("Certificate is not issued for subject", "commonName", subject.CommonName)
+	logger.V(4).Info("Certificate is not issued for subject", "commonName", subject.CommonName, "organization",
+		subject.Organization, "organizationalUnit", subject.OrganizationalUnit)
 	return false, nil
 }
 
+func certMatchSubject(cert *x509.Certificate, subject *pkix.Name) bool {
+	// check commonName
+	if cert.Subject.CommonName != subject.CommonName {
+		return false
+	}
+
+	// check groups(origanization)
+	if !reflect.DeepEqual(cert.Subject.Organization, subject.Organization) {
+		return false
+	}
+
+	// check originzation unit
+	if !reflect.DeepEqual(cert.Subject.OrganizationalUnit, subject.OrganizationalUnit) {
+		return false
+	}
+
+	return true
+}
+
 // getCertValidityPeriod returns the validity period of the client certificate in the secret
 func getCertValidityPeriod(secret *corev1.Secret) (*time.Time, *time.Time, error) {
 	if secret.Data == nil {

diff --git a/pkg/registration/clientcert/certificate_test.go b/pkg/registration/clientcert/certificate_test.go
@@ -161,6 +161,32 @@ func TestIsCertificateValid(t *testing.T) {
 				CommonName: "wrong-common-name",
 			},
 		},
+		{
+			name: "invalid organization",
+			testCert: testinghelpers.NewTestCertWithSubject(pkix.Name{
+				CommonName:   "test",
+				Organization: []string{"org_foo"},
+			}, 60*time.Second),
+			subject: &pkix.Name{
+				CommonName:   "test",
+				Organization: []string{"org_bar"},
+			},
+			isValid: false,
+		},
+		{
+			name: "invalid organization unit",
+			testCert: testinghelpers.NewTestCertWithSubject(pkix.Name{
+				CommonName:         "test",
+				Organization:       []string{"org"},
+				OrganizationalUnit: []string{"ou_foo"},
+			}, 60*time.Second),
+			subject: &pkix.Name{
+				CommonName:         "test",
+				Organization:       []string{"org"},
+				OrganizationalUnit: []string{"ou_bar"},
+			},
+			isValid: false,
+		},
 		{
 			name: "valid cert",
 			testCert: testinghelpers.NewTestCertWithSubject(pkix.Name{