Merge pull request #22 from ibuildthecloud/master

Always allow configured SANs regardless of the FilterCN
This commit is contained in:
Darren Shepherd 2020-04-17 19:33:42 -07:00 committed by GitHub
commit 52ede5ec92
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -49,7 +49,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
CAKey: caKey,
CN: config.CN,
Organization: config.Organization,
FilterCN: config.FilterCN,
FilterCN: allowDefaultSANs(config.SANs, config.FilterCN),
},
Listener: l,
storage: &nonNil{storage: storage},
@ -81,6 +81,35 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
return tlsListener, dynamicListener.cacheHandler(), nil
}
func allowDefaultSANs(sans []string, next func(...string) []string) func(...string) []string {
if next == nil {
return nil
} else if len(sans) == 0 {
return next
}
sanMap := map[string]bool{}
for _, san := range sans {
sanMap[san] = true
}
return func(s ...string) []string {
var (
good []string
unknown []string
)
for _, s := range s {
if sanMap[s] {
good = append(good, s)
} else {
unknown = append(unknown, s)
}
}
return append(good, next(unknown...)...)
}
}
type cancelClose struct {
cancel func()
net.Listener
@ -338,6 +367,7 @@ func (l *listener) loadCert() (*tls.Certificate, error) {
}
l.cert = &cert
l.version = secret.ResourceVersion
return l.cert, nil
}