Feat name constraints (GoogleCloudPlatform#7400)
gfxcc authored and ericayyliu committed Jul 26, 2023
1 parent 551c8d4 commit 1696057
Showing 9 changed files with 414 additions and 2 deletions.
73 changes: 73 additions & 0 deletions mmv1/products/privateca/CaPool.yaml
Expand Up @@ -343,6 +343,79 @@ properties:
item_type: Api::Type::Integer
description: |
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- !ruby/object:Api::Type::NestedObject
name: 'nameConstraints'
description: |
Describes the X.509 name constraints extension.
properties:
- !ruby/object:Api::Type::Boolean
name: 'critical'
description: Indicates whether or not the name constraints are marked critical.
required: true
- !ruby/object:Api::Type::Array
name: 'permittedDnsNames'
description: |
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedDnsNames'
description: |
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedIpRanges'
description: |
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedIpRanges'
description: |
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedEmailAddresses'
description: |
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedEmailAddresses'
description: |
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedUris'
description: |
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedUris'
description: |
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'publishingOptions'
description: |
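Review bot: The `critical` field's description, `description: Indicates whether or not the name constraints are marked critical.`, does not tell the user what the flag actually controls: a name constraints extension that is not marked critical may be ignored by relying parties that do not implement it, and RFC 5280 §4.2.1.10 requires conforming CAs to mark the extension critical. Suggest extending the line to `description: Indicates whether or not the name constraints are marked critical. RFC 5280 requires conforming CAs to mark this extension critical; a non-critical name constraints extension may be ignored by relying parties.` The same field and wording recur verbatim in the Certificate.yaml and CertificateAuthority.yaml hunks of this commit, so the change applies there too.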
165 changes: 165 additions & 0 deletions mmv1/products/privateca/Certificate.yaml
Expand Up @@ -413,6 +413,88 @@ properties:
description: |
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
output: true
- !ruby/object:Api::Type::NestedObject
name: 'nameConstraints'
description: |
Describes the X.509 name constraints extension.
output: true
properties:
- !ruby/object:Api::Type::Boolean
name: 'critical'
description: Indicates whether or not the name constraints are marked critical.
output: true
- !ruby/object:Api::Type::Array
name: 'permittedDnsNames'
description: |
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedDnsNames'
description: |
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedIpRanges'
description: |
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedIpRanges'
description: |
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedEmailAddresses'
description: |
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedEmailAddresses'
description: |
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedUris'
description: |
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedUris'
description: |
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
output: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'configValues'
deprecation_message: Deprecated in favor of `x509_description`.
Expand Down Expand Up @@ -864,6 +946,89 @@ properties:
description: |
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
immutable: true
- !ruby/object:Api::Type::NestedObject
name: 'nameConstraints'
description: |
Describes the X.509 name constraints extension.
immutable: true
properties:
- !ruby/object:Api::Type::Boolean
name: 'critical'
description: Indicates whether or not the name constraints are marked critical.
immutable: true
required: true
- !ruby/object:Api::Type::Array
name: 'permittedDnsNames'
description: |
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedDnsNames'
description: |
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedIpRanges'
description: |
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedIpRanges'
description: |
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedEmailAddresses'
description: |
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedEmailAddresses'
description: |
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedUris'
description: |
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedUris'
description: |
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'subjectConfig'
description: |
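Review bot: The `permittedIpRanges` and `excludedIpRanges` descriptions leave the IPv6 format underspecified: `For IPv6 addresses, the ranges are expressed in similar encoding as IPv4` says only that the encoding is "similar", which a user writing a constraint cannot act on. If the API accepts IPv6 prefixes in CIDR form, as the IPv4 sentence implies, say so directly, e.g. `For IPv6 addresses, the ranges are likewise expressed in CIDR prefix notation (for example 2001:db8::/32).` The same wording appears in both hunks of this file and in the CaPool.yaml and CertificateAuthority.yaml hunks.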
83 changes: 83 additions & 0 deletions mmv1/products/privateca/CertificateAuthority.yaml
Expand Up @@ -313,6 +313,89 @@ properties:
item_type: Api::Type::Integer
description: |
An ObjectId specifies an object identifier (OID). These provide context and describe types in ASN.1 messages.
- !ruby/object:Api::Type::NestedObject
name: 'nameConstraints'
description: |
Describes the X.509 name constraints extension.
immutable: true
properties:
- !ruby/object:Api::Type::Boolean
name: 'critical'
description: Indicates whether or not the name constraints are marked critical.
immutable: true
required: true
- !ruby/object:Api::Type::Array
name: 'permittedDnsNames'
description: |
Contains permitted DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedDnsNames'
description: |
Contains excluded DNS names. Any DNS name that can be
constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint.
For example, `example.com`, `www.example.com`, `www.sub.example.com`
would satisfy `example.com` while `example1.com` does not.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedIpRanges'
description: |
Contains the permitted IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedIpRanges'
description: |
Contains the excluded IP ranges. For IPv4 addresses, the ranges
are expressed using CIDR notation as specified in RFC 4632.
For IPv6 addresses, the ranges are expressed in similar encoding as IPv4
addresses.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedEmailAddresses'
description: |
Contains the permitted email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedEmailAddresses'
description: |
Contains the excluded email addresses. The value can be a particular
email address, a hostname to indicate all email addresses on that host or
a domain with a leading period (e.g. `.example.com`) to indicate
all email addresses in that domain.
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'permittedUris'
description: |
Contains the permitted URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::Array
name: 'excludedUris'
description: |
Contains the excluded URIs that apply to the host part of the name.
The value can be a hostname or a domain with a
leading period (like `.example.com`)
immutable: true
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: 'subjectConfig'
immutable: true
Expand Up @@ -44,5 +44,10 @@ func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d T
}
transformed["additionalExtensions"] = addExts

nameConstraints, err := expandPrivatecaCertificateConfigX509ConfigNameConstraints(original["name_constraints"], d, config)
if err != nil {
return nil, err
}
transformed["nameConstraints"] = nameConstraints
return transformed, nil
}
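Review bot: `transformed["nameConstraints"] = nameConstraints` stores the expander result unconditionally, so when the `name_constraints` block is omitted the request body carries whatever the generated expander returns for empty input — presumably `nil`, which marshals as `"nameConstraints": null`. This mirrors how `additionalExtensions` is assigned two lines above, so the API may well tolerate it, but it is worth confirming against the generated expander and a create with no `name_constraints` block; guarding with `if nameConstraints != nil { transformed["nameConstraints"] = nameConstraints }` would keep the key out of the request entirely. The enclosing `expand…` function starts outside the hunk.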
Expand Up @@ -14,5 +14,7 @@ func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d
flattenPrivatecaCertificateConfigX509ConfigCaOptions(original["caOptions"], d, config)
transformed["key_usage"] =
flattenPrivatecaCertificateConfigX509ConfigKeyUsage(original["keyUsage"], d, config)
transformed["name_constraints"] =
flattenPrivatecaCertificateConfigX509ConfigNameConstraints(original["nameConstraints"], d, config)
return []interface{}{transformed}
}
Expand Up @@ -73,6 +73,17 @@ resource "google_privateca_ca_pool" "<%= ctx[:primary_resource_id] %>" {
time_stamping = true
}
}
name_constraints {
critical = true
permitted_dns_names = ["*.example1.com", "*.example2.com"]
excluded_dns_names = ["*.deny.example1.com", "*.deny.example2.com"]
permitted_ip_ranges = ["10.0.0.0/8", "11.0.0.0/8"]
excluded_ip_ranges = ["10.1.1.0/24", "11.1.1.0/24"]
permitted_email_addresses = [".example1.com", ".example2.com"]
excluded_email_addresses = [".deny.example1.com", ".deny.example2.com"]
permitted_uris = [".example1.com", ".example2.com"]
excluded_uris = [".deny.example1.com", ".deny.example2.com"]
}
}
}
}
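Review bot: The example's DNS constraints `permitted_dns_names = ["*.example1.com", "*.example2.com"]` and the matching `excluded_dns_names` do not follow the form the field descriptions in this commit document: a DNS name constraint is a bare name such as `example.com`, satisfied by any name built by adding labels on its left, so a `*` label has no defined meaning in the constraint. If the API stores the value literally, the constraint would only match names ending in the literal `.*.example1.com`; suggest `permitted_dns_names = ["example1.com", "example2.com"]` and `excluded_dns_names = ["deny.example1.com", "deny.example2.com"]` so the example exercises the documented semantics. Since this is a test fixture the current value may have been accepted by the API, so this is worth confirming rather than assuming.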