cleanup

joevanwanzeeleKF · joevanwanzeeleKF · commit 0fb49c3a4932 · 2024-03-21T17:04:07.000-04:00
diff --git a/path_certs.go b/path_certs.go
@@ -329,12 +329,13 @@ func (b *keyfactorBackend) pathIssueSignCert(ctx context.Context, req *logical.R
 	var valid bool
 	var hasSuffix bool
 
+	// check the allowed domains for a match.
 	for _, v := range role.AllowedDomains {
 		b.Logger().Warn(v)
-		if strings.HasSuffix(cn.(string), v) {
+		if strings.HasSuffix(cn.(string), v) { // if it has the suffix..
 			hasSuffix = true
-			if cn.(string) == v || role.AllowSubdomains {
-				valid = true
+			if cn.(string) == v || role.AllowSubdomains { // and there is an exact match, or subdomains are allowed..
+				valid = true // then it is valid
 			}
 		}
 	}
@@ -350,9 +351,6 @@ func (b *keyfactorBackend) pathIssueSignCert(ctx context.Context, req *logical.R
 		return nil, err_resp
 	}
 
-	b.Logger().Warn("role.AllowedBaseDomain = " + role.AllowedBaseDomain)
-	b.Logger().Warn("domain for cert = " + cn.(string))
-
 	for u := range dns_sans {
 		if !strings.Contains(dns_sans[u], role.AllowedBaseDomain) || strings.Contains(dns_sans[u], role.AllowedBaseDomain) && !role.AllowSubdomains {
 			return nil, fmt.Errorf("Subject Alternative Name " + dns_sans[u] + " not allowed for provided role")

Original file line number	Diff line number	Diff line change
`@@ -329,12 +329,13 @@ func (b keyfactorBackend) pathIssueSignCert(ctx context.Context, req logical.R`
`329`	`329`	`var valid bool`
`330`	`330`	`var hasSuffix bool`
`331`	`331`
	`332`	`+ // check the allowed domains for a match.`
`332`	`333`	`for _, v := range role.AllowedDomains {`
`333`	`334`	`b.Logger().Warn(v)`
`334`		`- if strings.HasSuffix(cn.(string), v) {`
	`335`	`+ if strings.HasSuffix(cn.(string), v) { // if it has the suffix..`
`335`	`336`	`hasSuffix = true`
`336`		`- if cn.(string) == v \|\| role.AllowSubdomains {`
`337`		`- valid = true`
	`337`	`+ if cn.(string) == v \|\| role.AllowSubdomains { // and there is an exact match, or subdomains are allowed..`
	`338`	`+ valid = true // then it is valid`
`338`	`339`	`}`
`339`	`340`	`}`
`340`	`341`	`}`
`@@ -350,9 +351,6 @@ func (b keyfactorBackend) pathIssueSignCert(ctx context.Context, req logical.R`
`350`	`351`	`return nil, err_resp`
`351`	`352`	`}`
`352`	`353`
`353`		`- b.Logger().Warn("role.AllowedBaseDomain = " + role.AllowedBaseDomain)`
`354`		`- b.Logger().Warn("domain for cert = " + cn.(string))`
`355`		`-`
`356`	`354`	`for u := range dns_sans {`
`357`	`355`	`if !strings.Contains(dns_sans[u], role.AllowedBaseDomain) \|\| strings.Contains(dns_sans[u], role.AllowedBaseDomain) && !role.AllowSubdomains {`
`358`	`356`	`return nil, fmt.Errorf("Subject Alternative Name " + dns_sans[u] + " not allowed for provided role")`