Add globbing support to the PKI backend's allowed_domains list

builtin/logical/pki/backend_test.go

@@ -1549,6 +1549,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
 		Wildcard             bool `structs:"*.example.com"`
 		SubSubdomain         bool `structs:"foo.bar.example.com"`
 		SubSubdomainWildcard bool `structs:"*.bar.example.com"`
+		GlobDomain           bool `structs:"fooexample.com"`
 		NonHostname          bool `structs:"daɪˈɛrɨsɨs"`
 		AnyHost              bool `structs:"porkslap.beer"`
 	}
@@ -1755,6 +1756,11 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
 		commonNames.BareDomain = true
 		addCnTests()
 
+		roleVals.AllowedDomains = "foobar.com,*example.com"
+		roleVals.AllowGlobDomains = true
+		commonNames.GlobDomain = true
+		addCnTests()
+
 		roleVals.AllowAnyName = true
 		roleVals.EnforceHostnames = true
 		commonNames.AnyHost = true

builtin/logical/pki/cert_util.go

@@ -21,6 +21,7 @@ import (
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
+	"github.com/ryanuber/go-glob"
 )
 
 type certExtKeyUsage int
@@ -361,6 +362,13 @@ func validateNames(req *logical.Request, names []string, role *roleEntry) string
 						break
 					}
 				}
+
+				if role.AllowGlobDomains &&
+					strings.Contains(currDomain, "*") &&
+					glob.Glob(currDomain, name) {
+					valid = true
+					break
+				}
 			}
 			if valid {
 				continue

builtin/logical/pki/path_roles.go

@@ -84,6 +84,14 @@ including wildcard subdomains. See the documentation for
 more information.`,
 			},
 
+			"allow_glob_domains": &framework.FieldSchema{
+				Type:    framework.TypeBool,
+				Default: false,
+				Description: `If set, domains specified in "allowed_domains"
+can include glob patterns, e.g. "ftp*.example.com". See
+the documentation for more information.`,
+			},
+
 			"allow_any_name": &framework.FieldSchema{
 				Type:    framework.TypeBool,
 				Default: false,
@@ -369,6 +377,7 @@ func (b *backend) pathRoleCreate(
 		AllowedDomains:      data.Get("allowed_domains").(string),
 		AllowBareDomains:    data.Get("allow_bare_domains").(bool),
 		AllowSubdomains:     data.Get("allow_subdomains").(bool),
+		AllowGlobDomains:    data.Get("allow_glob_domains").(bool),
 		AllowAnyName:        data.Get("allow_any_name").(bool),
 		EnforceHostnames:    data.Get("enforce_hostnames").(bool),
 		AllowIPSANs:         data.Get("allow_ip_sans").(bool),
@@ -488,6 +497,7 @@ type roleEntry struct {
 	AllowBareDomains      bool   `json:"allow_bare_domains" structs:"allow_bare_domains" mapstructure:"allow_bare_domains"`
 	AllowTokenDisplayName bool   `json:"allow_token_displayname" structs:"allow_token_displayname" mapstructure:"allow_token_displayname"`
 	AllowSubdomains       bool   `json:"allow_subdomains" structs:"allow_subdomains" mapstructure:"allow_subdomains"`
+	AllowGlobDomains      bool   `json:"allow_glob_domains" structs:"allow_glob_domains" mapstructure:"allow_glob_domains"`
 	AllowAnyName          bool   `json:"allow_any_name" structs:"allow_any_name" mapstructure:"allow_any_name"`
 	EnforceHostnames      bool   `json:"enforce_hostnames" structs:"enforce_hostnames" mapstructure:"enforce_hostnames"`
 	AllowIPSANs           bool   `json:"allow_ip_sans" structs:"allow_ip_sans" mapstructure:"allow_ip_sans"`

vendor/vendor.json

@@ -1116,6 +1116,12 @@
 			"revision": "ddeb643de91b4ee0d9d87172c931a4ea3d81d49a",
 			"revisionTime": "2017-02-08T17:17:27Z"
 		},
+		{
+			"checksumSHA1": "6JP37UqrI0H80Gpk0Y2P+KXgn5M=",
+			"path": "github.com/ryanuber/go-glob",
+			"revision": "256dc444b735e061061cf46c809487313d5b0065",
+			"revisionTime": "2017-01-28T01:21:29Z"
+		},
 		{
 			"checksumSHA1": "5SYLEhADhdBVZAGPVHWggQl7H8k=",
 			"path": "github.com/samuel/go-zookeeper/zk",

website/source/api/secret/pki/index.html.md

@@ -613,12 +613,13 @@ $ curl \
 
 ## Create/Update Role
 
-This endpoint ceates or updates the role definition. Note that the
-`allowed_domains`, `allow_subdomains`, and `allow_any_name` attributes are
-additive; between them nearly and across multiple roles nearly any issuing
-policy can be accommodated. `server_flag`, `client_flag`, and
-`code_signing_flag` are additive as well. If a client requests a certificate
-that is not allowed by the CN policy in the role, the request is denied.
+This endpoint creates or updates the role definition. Note that the
+`allowed_domains`, `allow_subdomains`, `allow_glob_domains`, and
+`allow_any_name` attributes are additive; between them nearly and across
+multiple roles nearly any issuing policy can be accommodated. `server_flag`,
+`client_flag`, and `code_signing_flag` are additive as well. If a client
+requests a certificate that is not allowed by the CN policy in the role, the
+request is denied.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
@@ -659,6 +660,11 @@ that is not allowed by the CN policy in the role, the request is denied.
   allow `foo.example.com` and `bar.example.com` as well as `*.example.com`. This
   is redundant when using the `allow_any_name` option.
 
+- `allow_glob_domains` `(bool: false)` - Allows names specified in
+  `allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`). Clients
+  will be allowed to request certificates with names matching the glob
+  patterns.
+
 - `allow_any_name` `(bool: false)` – Specifies if clients can request any CN.
   Useful in some circumstances, but make sure you understand whether it is
   appropriate for your installation before enabling it.