So I’m trying to use the cert auth method and assign a policy to clients that authenticate with it. All of the valid certs I want to work should have a specific required_extension, and I would like to have access to those extensions to insert into a policy.
I know there are metadata attributes available in identity.entity.aliases.<mount accessor>.metadata.<metadata key>, but there doesn’t appear to be any other data populated into the entities created from my TLS cert auth.
Is there a general approach for this that I am missing?
Using certs that are generated and signed by a puppet server’s CA with the PP_ENVIRONMENT (oid: 1.3.6.1.4.1.34380.1.1.12) extension embedded.
After authenticating with a valid cert I want to only allow it to read from a specific kv backend path. Something like this (Replace {{environment}} with the PP_ENVIRONMENT value embedded in the cert):
```hcl
# Access to certname specific data
path "secret/puppet/{{environment}}/certname/{{identity.entity.aliases.<mount accessor>.name}}/*" {
  capabilities = [ "read", "list" ]
}

# Access to environment specific data
path "secret/puppet/{{environment}}/environment/*" {
  capabilities = [ "read" ]
}

# Access to general data
path "secret/puppet/common/*" {
  capabilities = [ "read" ]
}
```
What’s available there is what the auth method actually writes into metadata; I do not believe the contents of OID extensions are one of those values. It potentially could be – you could propose a PR on the issue tracker and see if that change would be accepted.
@absltkaos did you find a solution to your problem? I would like to do a similar thing…
And looking at the code, this is the place it should go:
As the OID extensions aren’t generic, there is some converting needed, e.g. the OID into a string representation. Also, how to decide which ones to add to the metadata. Or just all of them?
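As an added example of the conversion the last post describes, applied to the pp_environment extension from the question (this is example code, not Vault’s code or anything a poster wrote): it decodes the extension value into a string and stores it under a metadata name chosen by the operator, so a policy could reference `{{identity.entity.aliases.<mount accessor>.metadata.pp_environment}}` where the question has `{{environment}}`. It assumes Puppet encodes the value as a single ASN.1 string, takes `cert.Extensions` of the parsed client certificate as input, and the `asn1StringExtension` helper only builds constructed test data.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"strings"
)

// Extensions to expose, keyed by the metadata name a policy would reference
// (e.g. ...metadata.pp_environment); the OID is the one from the question.
var wantedExtensions = map[string]asn1.ObjectIdentifier{
	"pp_environment": {1, 3, 6, 1, 4, 1, 34380, 1, 1, 12},
}

// extensionMetadata turns the extensions of a parsed client cert (cert.Extensions)
// into metadata entries named by the wanted map. Only OIDs listed there are
// considered, and only values that decode as one ASN.1 string usable as a single
// path segment are kept; anything else is skipped rather than written out as raw
// bytes, since the value may end up templated into a policy path.
func extensionMetadata(exts []pkix.Extension, wanted map[string]asn1.ObjectIdentifier) map[string]string {
	out := map[string]string{}
	for name, oid := range wanted {
		for _, ext := range exts {
			if !ext.Id.Equal(oid) {
				continue
			}
			var s string
			if rest, err := asn1.Unmarshal(ext.Value, &s); err != nil || len(rest) != 0 {
				continue // not a plain ASN.1 string (or has trailing data)
			}
			if s == "" || strings.ContainsAny(s, "/* \t\r\n") {
				continue // would not be a safe single path segment
			}
			out[name] = s
		}
	}
	return out
}

// asn1StringExtension builds a test extension (constructed data, not from a real cert).
func asn1StringExtension(oid asn1.ObjectIdentifier, value string) pkix.Extension {
	der, err := asn1.Marshal(value) // assumed: Puppet stores the value as an ASN.1 string
	if err != nil {
		panic(err)
	}
	return pkix.Extension{Id: oid, Value: der}
}
```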