Type: New Feature
Affects Version/s: None
Fix Version/s: PE 2016.2.0
tk-auth should allow auth rules that match on CSR attributes (aka SSL Extensions) instead of just certname. tk-auth's service should accept a mapping of OID to short names that can be used to define the auth rules.
- Ability to provide the tk-auth service with a map of OID -> shortname
- Ability to set an :allow or :deny stanza to use a map of shortnames (or raw OIDs) to values instead of just a hostname
- Extracting a certificate's extensions as part of tk-auth middleware and translating them from OID -> shortname using the provided mapping
- Affordance for an empty mapping
- Failing fast if a given extension key in the auth rules can't be found as a shortname in the OID -> shortname mapping AND isn't a valid OID
- Supporting any shortnames outside of what tk-auth's service gets in the passed mapping. This includes Puppet's own shortnames. Such shortnames must be passed in by consumers of tk-auth (like Puppet Server)
- Wildcard/pattern matching on extension values
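As an added illustration (not tk-auth's code, and not the examples the ticket itself gives), the following Python model shows the rule semantics the list above describes: a consumer-supplied OID -> shortname mapping (which may be empty), allow/deny stanzas written as either a certname or a map of extension keys to values, translation of a certificate's extensions through the mapping so rules can use either form, fail-fast rejection at load time of any extension key that is neither a mapped shortname nor a valid OID, and exact-value matching with no wildcards. The OIDs, shortnames, rule shapes and function names are constructed assumptions for this example; real tk-auth middleware would extract the extensions from the client's X.509 certificate, which this model takes as an already-extracted dict.

```python
import re

# Constructed sample OID -> shortname mapping. The arcs under 99999 are
# placeholders for this example, not Puppet's registered OIDs; a real
# consumer (such as Puppet Server) would pass its own mapping to tk-auth.
OID_TO_SHORTNAME = {
    "1.3.6.1.4.1.99999.1.1": "pp_environment",
    "1.3.6.1.4.1.99999.1.2": "pp_role",
}

# Dotted-decimal OID: a leading arc of 0, 1 or 2 followed by one or more
# numeric arcs. A rule key that fails this and is not a mapped shortname is
# rejected when the rules are loaded, not at request time.
_OID_RE = re.compile(r"^[0-2](\.\d+)+$")


def is_valid_oid(key: str) -> bool:
    """True if key is syntactically a raw OID."""
    return bool(_OID_RE.match(key))


def load_rules(rules, oid_map):
    """Validate allow/deny stanzas up front (fail fast) and return them.

    A stanza is either a certname string or a non-empty map of extension
    key -> value, where each key must be a shortname present in oid_map or a
    raw OID. An empty oid_map is allowed; rules must then use raw OIDs only.
    """
    shortnames = set(oid_map.values())
    for rule in rules:
        for kind in ("allow", "deny"):
            stanza = rule.get(kind)
            if not isinstance(stanza, dict):
                continue  # certname stanza, or this kind is absent
            if not stanza:
                # An empty map would match every request; reject it.
                raise ValueError(f"{kind} stanza has an empty extension map")
            for key in stanza:
                if key not in shortnames and not is_valid_oid(key):
                    raise ValueError(
                        f"{kind} stanza uses extension key {key!r}, which is "
                        "neither a mapped shortname nor a valid OID"
                    )
    return list(rules)


def translate_extensions(cert_extensions, oid_map):
    """Map extensions extracted from a certificate ({OID: value}) to a dict
    keyed by the raw OID and, where the mapping knows it, by shortname too,
    so a rule may refer to either form."""
    translated = {}
    for oid, value in cert_extensions.items():
        translated[oid] = value
        shortname = oid_map.get(oid)
        if shortname is not None:
            translated[shortname] = value
    return translated


def _stanza_matches(stanza, certname, extensions):
    if isinstance(stanza, str):
        return stanza == certname
    # Every listed extension must be present with exactly this value;
    # there is no wildcard or pattern matching on values.
    return all(extensions.get(key) == value for key, value in stanza.items())


def authorize(rules, certname, cert_extensions, oid_map):
    """First matching stanza decides. Within a rule the deny stanza is
    checked before the allow stanza; a request matching nothing is denied."""
    extensions = translate_extensions(cert_extensions, oid_map)
    for rule in rules:
        if "deny" in rule and _stanza_matches(rule["deny"], certname, extensions):
            return False
        if "allow" in rule and _stanza_matches(rule["allow"], certname, extensions):
            return True
    return False


# Constructed sample rules in the shape described above: one deny on a
# shortname, one allow mixing a shortname and a raw OID, one allow on certname.
SAMPLE_RULES = load_rules(
    [
        {"deny": {"pp_role": "decommissioned"}},
        {"allow": {"pp_environment": "production",
                   "1.3.6.1.4.1.99999.1.2": "catalog-reader"}},
        {"allow": "admin.example.com"},
    ],
    OID_TO_SHORTNAME,
)

if __name__ == "__main__":
    # Constructed extensions as they would come out of a client certificate.
    exts = {"1.3.6.1.4.1.99999.1.1": "production",
            "1.3.6.1.4.1.99999.1.2": "catalog-reader"}
    print(authorize(SAMPLE_RULES, "node1.example.com", exts, OID_TO_SHORTNAME))
```

Validation happens once in `load_rules` rather than on every request, which is where a misspelled shortname or a typo in an OID should surface; the deny-before-allow ordering inside a rule and the default deny are the model's assumptions about safe behaviour, not a statement of how tk-auth orders its own rules.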
There is still dead code detritus leftover from when tk-auth was originally adopted from the community. This should be cleaned up as needed to implement this new functionality.
The following are all valid values for allow or deny in the auth conf.
Please note that the Puppet shortnames used are not supported by tk-auth natively but must be passed in.