Skip to content

Relaxing validation of allowed_uses in tls_locally_signed_cert and tls_self_signed_cert #184

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
detro merged 2 commits into from
Apr 7, 2022
Merged

Relaxing validation of allowed_uses in tls_locally_signed_cert and tls_self_signed_cert #184

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8e2d325
Relaxing validation of `allowed_uses` in `tls_locally_signed_cert` an…
Apr 7, 2022
5eaafa5
Make linter happy
Apr 7, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 26 additions & 2 deletions internal/provider/common_cert.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -269,8 +269,8 @@ func setCertificateCommonSchema(s map[string]*schema.Schema) {
Required: true,
ForceNew: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice(supportedKeyUsages(), false),
Type: schema.TypeString,
ValidateDiagFunc: StringInSliceOrWarn(supportedKeyUsages(), false),
},
Description: "List of key usages allowed for the issued certificate. " +
"Values are defined in [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) " +
Expand Down Expand Up @@ -529,3 +529,27 @@ func certificateToMap(cert *x509.Certificate) map[string]interface{} {
"sha1_fingerprint": fmt.Sprintf("%x", sha1.Sum(cert.Raw)),
}
}

// StringInSliceOrWarn returns a SchemaValidateFunc which tests if the provided value
// is of type string and matches the value of an element in the valid slice.
//
// Differently from validation.StringInSlice, if the element is not part of the valid slice,
// a warning is produced.
func StringInSliceOrWarn(valid []string, ignoreCase bool) schema.SchemaValidateDiagFunc {
return validation.ToDiagFunc(func(i interface{}, k string) (warnings []string, errors []error) {
v, ok := i.(string)
if !ok {
errors = append(errors, fmt.Errorf("expected type of %s to be string", k))
return warnings, errors
}

for _, str := range valid {
if v == str || (ignoreCase && strings.EqualFold(v, str)) {
return warnings, errors
}
}

warnings = append(warnings, fmt.Sprintf("expected %s to be one of %v, got %s so will ignored", k, valid, v))
return warnings, errors
})
}
20 changes: 1 addition & 19 deletions internal/provider/resource_self_signed_cert_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -521,25 +521,6 @@ func TestAccSelfSignedCert_InvalidConfigs(t *testing.T) {
r.UnitTest(t, r.TestCase{
Providers: testProviders,
Steps: []r.TestStep{
{
Config: `
resource "tls_self_signed_cert" "test" {
subject {
common_name = "common test cert"
}
validity_period_hours = 1
allowed_uses = [
"not_valid"
]
set_subject_key_id = true
private_key_pem = "does not matter"
}
output "cert_pem" {
value = tls_self_signed_cert.test.cert_pem
}
`,
ExpectError: regexp.MustCompile(`expected allowed_uses.0 to be one of \[.*\], got not_valid`),
},
{
Config: `
resource "tls_self_signed_cert" "test" {
Expand Down Expand Up @@ -624,6 +605,7 @@ func selfSignedCertConfig(validity, earlyRenewal uint32, setKeyAlgorithm bool) s
"digital_signature",
"server_auth",
"client_auth",
"non_repudiation",
]

%s
Expand Down