Merge pull request #1235 from openziti/issue_1219

Issue 1219 ZITI_EDGE_CTRL_IP_OVERRIDE not in SANs
openziti · Aug 11, 2023 · afa3523 · afa3523
2 parents 87b74c1 + 7fe7f77
commit afa3523
Show file tree

Hide file tree

Showing 8 changed files with 78 additions and 32 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -193,6 +193,7 @@ However, newer Edge Routers should be able to join older network in some circums
     * [Issue #65](https://github.com/openziti/ziti/issues/65) - Add ECDSA support to PKI subcmd
     * [Issue #1212](https://github.com/openziti/ziti/issues/1212) - getZiti fails on Mac OS
     * [Issue #1220](https://github.com/openziti/ziti/issues/1220) - Fixed getZiti function not respecting user input for custom path
+    * [Issue #1219](https://github.com/openziti/ziti/issues/1219) - Added check for IPs provided as a DNS SANs entry, IPs will be ignored and not added as a DNS entry in the expressInstall PKI or router config generation.
 
 # Release 0.29.0
 

diff --git a/quickstart/docker/image/ziti-cli-functions.sh b/quickstart/docker/image/ziti-cli-functions.sh
@@ -92,6 +92,17 @@ function _dedupe_list {
   echo "${list}" | tr "'${delimiter}'" '\n' | sort -u | xargs | tr ' ' ','
 }
 
+# Checks if a value is likely an IP address
+function _is_ip {
+  local param pattern
+  param="${1}"
+  pattern="^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$"
+  if [[ "${param}" =~ $pattern ]]; then
+    return 0
+  fi
+  return 1
+}
+
 function _pki_client_server {
   local retVal dns_allow_list ZITI_CA_NAME_local ip_allow_list file_name
   _check_env_variable ZITI_PKI ZITI_BIN_DIR
@@ -709,7 +720,7 @@ function getZiti {
 
 # Create a custom PKI
 function createPki {
-  local retVal pki_allow_list_dns pki_allow_list_ip ZITI_SPURIOUS_INTERMEDIATE
+  local retVal pki_allow_list pki_allow_list_ip ZITI_SPURIOUS_INTERMEDIATE
   _check_env_variable ZITI_PKI_CTRL_ROOTCA_NAME ZITI_PKI_CTRL_EDGE_ROOTCA_NAME ZITI_PKI_SIGNER_ROOTCA_NAME \
                       ZITI_PKI_SIGNER_INTERMEDIATE_NAME ZITI_PKI_CTRL_INTERMEDIATE_NAME \
                       ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME
@@ -730,12 +741,39 @@ function createPki {
   _pki_create_intermediate "${ZITI_SPURIOUS_INTERMEDIATE}" "${ZITI_PKI_SIGNER_INTERMEDIATE_NAME}" 1
 
   echo " "
-  pki_allow_list="${ZITI_CTRL_ADVERTISED_ADDRESS},localhost,${ZITI_NETWORK}"
+  pki_allow_list="localhost,${ZITI_NETWORK}"
+  if [[ "${ZITI_CTRL_ADVERTISED_ADDRESS-}" != "" ]]; then
+    if ! _is_ip "${ZITI_CTRL_ADVERTISED_ADDRESS-}"; then
+      pki_allow_list="${pki_allow_list},${ZITI_CTRL_ADVERTISED_ADDRESS}"
+    else
+      echo -e "$(YELLOW "ZITI_CTRL_ADVERTISED_ADDRESS seems to be an IP address, it will not be added to the SANs DNS list.") "
+    fi
+  fi
+  if [[ "${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS-}" != "" ]]; then
+    if ! _is_ip "${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS-}"; then
+      pki_allow_list="${pki_allow_list},${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}"
+    else
+      echo -e "$(YELLOW "ZITI_CTRL_EDGE_ADVERTISED_ADDRESS seems to be an IP address, it will not be added to the SANs DNS list.") "
+    fi
+  fi
   pki_allow_list_ip="127.0.0.1"
+  if [[ "${ZITI_CTRL_EDGE_IP_OVERRIDE-}" != "" ]]; then
+    pki_allow_list_ip="${pki_allow_list_ip},${ZITI_CTRL_EDGE_IP_OVERRIDE}"
+  fi
   _pki_client_server "${pki_allow_list}" "${ZITI_PKI_CTRL_INTERMEDIATE_NAME}" "${pki_allow_list_ip}" "${ZITI_CTRL_ADVERTISED_ADDRESS}"
 
-  pki_allow_list="${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS},localhost,${ZITI_NETWORK}"
+  pki_allow_list="localhost,${ZITI_NETWORK}"
+  if [[ "${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS-}" != "" ]]; then
+    if ! _is_ip "${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS-}"; then
+      pki_allow_list="${pki_allow_list},${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}"
+    else
+      echo -e "$(YELLOW "ZITI_CTRL_EDGE_ADVERTISED_ADDRESS seems to be an IP address, it will not be added to the SANs DNS list.") "
+    fi
+  fi
   pki_allow_list_ip="127.0.0.1"
+  if [[ "${ZITI_CTRL_EDGE_IP_OVERRIDE-}" != "" ]]; then
+    pki_allow_list_ip="${pki_allow_list_ip},${ZITI_CTRL_EDGE_IP_OVERRIDE}"
+  fi
   _pki_client_server "${pki_allow_list}" "${ZITI_PKI_CTRL_EDGE_INTERMEDIATE_NAME}" "${pki_allow_list_ip}" "${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS}"
 
   echo -e "$(GREEN "PKI generated successfully")"

diff --git a/ziti/cmd/config_templates/controller.yml b/ziti/cmd/config_templates/controller.yml
@@ -14,9 +14,9 @@ identity:
   server_cert: "{{ .Controller.Identity.ServerCert }}"
   key:         "{{ .Controller.Identity.Key }}"
   ca:          "{{ .Controller.Identity.Ca }}"
-  {{ .Controller.Web.Identity.AltCertsEnabled }}alt_server_certs:
-  {{ .Controller.Web.Identity.AltCertsEnabled }}  - server_cert:  "{{ .Controller.Web.Identity.AltServerCert }}"
-  {{ .Controller.Web.Identity.AltCertsEnabled }}    server_key:   "{{ .Controller.Web.Identity.AltServerKey }}"
+  {{ if not .Controller.Web.Identity.AltCertsEnabled }}#{{ end }}alt_server_certs:
+  {{ if not .Controller.Web.Identity.AltCertsEnabled }}#{{ end }}  - server_cert:  "{{ .Controller.Web.Identity.AltServerCert }}"
+  {{ if not .Controller.Web.Identity.AltCertsEnabled }}#{{ end }}    server_key:   "{{ .Controller.Web.Identity.AltServerKey }}"
 
 # Network Configuration
 #
@@ -168,9 +168,9 @@ web:
       key:         "{{ .Controller.Web.Identity.Key }}"
       server_cert: "{{ .Controller.Web.Identity.ServerCert }}"
       cert:        "{{ .Controller.Web.Identity.Cert }}"
-      {{ .Controller.Web.Identity.AltCertsEnabled }}alt_server_certs:
-      {{ .Controller.Web.Identity.AltCertsEnabled }}- server_cert: "{{ .Controller.Web.Identity.AltServerCert }}"
-      {{ .Controller.Web.Identity.AltCertsEnabled }}  server_key:  "{{ .Controller.Web.Identity.AltServerKey }}"
+      {{ if not .Controller.Web.Identity.AltCertsEnabled }}#{{ end }}alt_server_certs:
+      {{ if not .Controller.Web.Identity.AltCertsEnabled }}#{{ end }}- server_cert: "{{ .Controller.Web.Identity.AltServerCert }}"
+      {{ if not .Controller.Web.Identity.AltCertsEnabled }}#{{ end }}  server_key:  "{{ .Controller.Web.Identity.AltServerKey }}"
 
     # options - optional
     # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are

diff --git a/ziti/cmd/config_templates/router.yml b/ziti/cmd/config_templates/router.yml
@@ -1,19 +1,20 @@
-{{/*
+{{- /*
  Config Format Version
 
  Whenever a breaking change is made to the semantics of this configuration file, the configuration version
  expected by the router will be incremented. When the controller tries to load a configuration file with
  an incompatible version, it will abort with a message prompting the operator to seek out the breaking changes
- documentation.*/}}v: 3
+ documentation.*/ -}}
+v: 3
 
 identity:
   cert:             "{{ .Router.IdentityCert }}"
   server_cert:      "{{ .Router.IdentityServerCert }}"
   key:              "{{ .Router.IdentityKey }}"
   ca:               "{{ .Router.IdentityCA }}"
-  {{ .Router.AltCertsEnabled }}alt_server_certs:
-  {{ .Router.AltCertsEnabled }}  - server_cert:  "{{ .Router.AltServerCert }}"
-  {{ .Router.AltCertsEnabled }}    server_key:   "{{ .Router.AltServerKey }}"
+  {{ if not .Router.AltCertsEnabled }}#{{ end }}alt_server_certs:
+  {{ if not .Router.AltCertsEnabled }}#{{ end }}  - server_cert:  "{{ .Router.AltServerCert }}"
+  {{ if not .Router.AltCertsEnabled }}#{{ end }}    server_key:   "{{ .Router.AltServerKey }}"
 
 ctrl:
   endpoint:             tls:{{ .Controller.Ctrl.AdvertisedAddress }}:{{ .Controller.Ctrl.AdvertisedPort }}
@@ -50,8 +51,9 @@ csr:
   organizationalUnit: Ziti
   sans:
     dns:
-      - {{ .Router.Edge.AdvertisedHost }}
       - localhost
+{{ if .Router.Edge.CsrSans }}      - {{ .Router.Edge.CsrSans }}{{ end }}
+{{ if ne .Router.Edge.CsrSans .Hostname }}      - {{ .Hostname }}{{ end }}
     ip:
       - "127.0.0.1"
 {{ if .Router.Edge.IPOverride }}      - "{{ .Router.Edge.IPOverride }}"{{ end }}
@@ -65,8 +67,9 @@ edge:
     organizationalUnit: {{ .Router.Edge.CsrOU }}
     sans:
       dns:
-        - {{ .Router.Edge.CsrSans }}
         - localhost
+{{ if .Router.Edge.CsrSans }}        - {{ .Router.Edge.CsrSans }}{{ end }}
+{{ if ne .Router.Edge.CsrSans .Hostname }}        - {{ .Hostname }}{{ end }}
       ip:
         - "127.0.0.1"
 {{ if .Router.Edge.IPOverride }}        - "{{ .Router.Edge.IPOverride }}"{{ end }}
@@ -84,13 +87,13 @@ edge:
 {{ if not .Router.IsWss }}#{{ end }}    enableCompression: {{ .Router.Wss.EnableCompression }}
 {{ if not .Router.IsWss }}#{{ end }}    server_cert: {{ .Router.IdentityServerCert }}
 {{ if not .Router.IsWss }}#{{ end }}    key: {{ .Router.IdentityKey }}
-{{ .Router.AltCertsEnabled }}alt_server_certs:
-{{ .Router.AltCertsEnabled }}  - server_cert:  "{{ .Router.AltServerCert }}"
-{{ .Router.AltCertsEnabled }}    server_key:   "{{ .Router.AltServerKey }}"
+{{ if not .Router.AltCertsEnabled }}#{{ end }}alt_server_certs:
+{{ if not .Router.AltCertsEnabled }}#{{ end }}  - server_cert:  "{{ .Router.AltServerCert }}"
+{{ if not .Router.AltCertsEnabled }}#{{ end }}    server_key:   "{{ .Router.AltServerKey }}"
 forwarder:
   latencyProbeInterval: {{ .Router.Forwarder.LatencyProbeInterval.Seconds }}
   xgressDialQueueLength: {{ .Router.Forwarder.XgressDialQueueLength }}
   xgressDialWorkerCount: {{ .Router.Forwarder.XgressDialWorkerCount }}
   linkDialQueueLength: {{ .Router.Forwarder.LinkDialQueueLength }}
   linkDialWorkerCount: {{ .Router.Forwarder.LinkDialWorkerCount }}
-  
+
diff --git a/ziti/cmd/create_config.go b/ziti/cmd/create_config.go
@@ -20,7 +20,7 @@ import (
 	"github.com/openziti/ziti/ziti/cmd/common"
 	cmdHelper "github.com/openziti/ziti/ziti/cmd/helpers"
 	"github.com/openziti/ziti/ziti/constants"
-	"os"
+	"regexp"
 	"time"
 
 	"github.com/openziti/channel/v2"
@@ -117,7 +117,7 @@ type IdentityValues struct {
 	Cert            string
 	AltServerCert   string
 	AltServerKey    string
-	AltCertsEnabled string //a string containing either nothing "" or "#"
+	AltCertsEnabled bool
 }
 
 type WebOptionsValues struct {
@@ -149,7 +149,7 @@ type RouterTemplateValues struct {
 	IdentityCA         string
 	AltServerCert      string
 	AltServerKey       string
-	AltCertsEnabled    string //a string containing either nothing "" or "#"
+	AltCertsEnabled    bool
 	Edge               EdgeRouterTemplateValues
 	Wss                WSSRouterTemplateValues
 	Forwarder          RouterForwarderTemplateValues
@@ -230,15 +230,13 @@ func (options *CreateConfigOptions) addCreateFlags(cmd *cobra.Command) {
 func (data *ConfigTemplateValues) populateConfigValues() {
 
 	// Get and add hostname to the params
-	hostname, err := os.Hostname()
-	handleVariableError(err, "hostname")
+	data.Hostname = cmdHelper.HostnameOrNetworkName()
 
 	// Get and add ziti home to the params
 	zitiHome, err := cmdHelper.GetZitiHome()
 	handleVariableError(err, constants.ZitiHomeVarName)
 
 	data.ZitiHome = zitiHome
-	data.Hostname = hostname
 	// ************* Controller Values ************
 	// Identities are handled in create_config_controller
 	// ctrl:
@@ -290,6 +288,12 @@ func (data *ConfigTemplateValues) populateConfigValues() {
 	data.Router.Edge.CsrO = cmdHelper.GetZitiEdgeRouterO()
 	data.Router.Edge.CsrOU = cmdHelper.GetZitiEdgeRouterOU()
 	data.Router.Edge.CsrSans = cmdHelper.GetRouterSans()
+	// If CSR SANs is an IP, ignore it by setting it blank
+	result, _ := regexp.MatchString("^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$", data.Router.Edge.CsrSans)
+	if result {
+		logrus.Warnf("DNS provided (%s) appears to be an IP, ignoring for DNS entry", data.Router.Edge.CsrSans)
+		data.Router.Edge.CsrSans = ""
+	}
 	data.Router.Listener.GetSessionTimeout = constants.DefaultGetSessionTimeout
 
 	data.Router.Wss.WriteTimeout = foundation.DefaultWsWriteTimeout

diff --git a/ziti/cmd/create_config_controller.go b/ziti/cmd/create_config_controller.go
@@ -279,7 +279,7 @@ func SetWebIdentityCA(c *ControllerTemplateValues) {
 }
 
 func SetCtrlAltServerCerts(c *ControllerTemplateValues) {
-	c.Web.Identity.AltCertsEnabled = "#"
+	c.Web.Identity.AltCertsEnabled = false
 	altServerCert := os.Getenv(constants.PkiAltServerCertVarName)
 	if altServerCert == "" {
 		return //exit unless both vars are set
@@ -288,7 +288,7 @@ func SetCtrlAltServerCerts(c *ControllerTemplateValues) {
 	if altServerKey == "" {
 		return //exit unless both vars are set
 	}
-	c.Web.Identity.AltCertsEnabled = ""
+	c.Web.Identity.AltCertsEnabled = true
 	c.Web.Identity.AltServerCert = helpers2.NormalizePath(altServerCert)
 	c.Web.Identity.AltServerKey = helpers2.NormalizePath(altServerKey)
 }
diff --git a/ziti/cmd/create_config_router_common.go b/ziti/cmd/create_config_router_common.go
@@ -94,7 +94,7 @@ func validateRouterName(name string) string {
 }
 
 func SetRouterAltServerCerts(c *RouterTemplateValues) {
-	c.AltCertsEnabled = "#"
+	c.AltCertsEnabled = false
 	altServerCert := os.Getenv(constants.PkiAltServerCertVarName)
 	if altServerCert == "" {
 		return //exit unless both vars are set
@@ -103,7 +103,7 @@ func SetRouterAltServerCerts(c *RouterTemplateValues) {
 	if altServerKey == "" {
 		return //exit unless both vars are set
 	}
-	c.AltCertsEnabled = ""
+	c.AltCertsEnabled = true
 	c.AltServerCert = helpers2.NormalizePath(altServerCert)
 	c.AltServerKey = helpers2.NormalizePath(altServerKey)
 }
diff --git a/ziti/cmd/create_config_router_test.go b/ziti/cmd/create_config_router_test.go
@@ -296,15 +296,15 @@ func TestAltServerCerts(t *testing.T) {
 	SetZitiRouterIdentity(rtv, "routerTest")
 
 	//with only ZITI_ALT_SERVER_CERT set, should be false/blank
-	assert.Equal(t, "#", rtv.AltCertsEnabled)
+	assert.False(t, rtv.AltCertsEnabled)
 	assert.Equal(t, "", rtv.AltServerCert)
 	assert.Equal(t, "", rtv.AltServerKey)
 
 	_ = os.Setenv("ZITI_PKI_ALT_SERVER_KEY", keyPath)
 	rtv = &RouterTemplateValues{}
 	SetZitiRouterIdentity(rtv, "routerTest")
 
-	assert.Equal(t, "", rtv.AltCertsEnabled)
+	assert.True(t, rtv.AltCertsEnabled)
 	assert.Equal(t, certPath, rtv.AltServerCert)
 	assert.Equal(t, keyPath, rtv.AltServerKey)
 }