Workload Identity: Add ability to template Subject distinguished name…

… for X509 SVIDs (#51130) * Add protos for DN template * Hook up to templating engine * Add tests and wire up cert template * Simplify by removing optionality * Update terraform resource
gravitational · Jan 21, 2025 · 5edf794 · 5edf794
1 parent 7721d8c
commit 5edf794
Show file tree

Hide file tree

Showing 8 changed files with 589 additions and 66 deletions.
diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go
diff --git a/api/proto/teleport/workloadidentity/v1/resource.proto b/api/proto/teleport/workloadidentity/v1/resource.proto
@@ -94,13 +94,36 @@ message WorkloadIdentityRules {
   repeated WorkloadIdentityRule allow = 1;
 }
 
+// Template for an X509 Distinguished Name (DN).
+// Each field is optional, and, if provided, supports templating using attributes.
+message X509DistinguishedNameTemplate {
+  // Common Name (CN) - 2.5.4.3
+  // If empty, the RDN will be omitted from the DN.
+  string common_name = 1;
+  // Organization (O) - 2.5.4.10
+  // If empty, the RDN will be omitted from the DN.
+  string organization = 2;
+  // Organizational Unit (OU) - 2.5.4.11
+  // If empty, the RDN will be omitted from the DN.
+  string organizational_unit = 3;
+}
+
 // Configuration specific to the issuance of X509-SVIDs.
 message WorkloadIdentitySPIFFEX509 {
   // The DNS Subject Alternative Names (SANs) that should be included in an
   // X509-SVID issued using this WorkloadIdentity.
   //
   // Each entry in this list supports templating using attributes.
   repeated string dns_sans = 1;
+
+  // Used to configure the Subject Distinguished Name (DN) of the X509-SVID.
+  //
+  // In most circumstances, it is recommended to prefer relying on the SPIFFE ID
+  // encoded in the URI SAN. However, the Subject DN may be needed to support
+  // legacy systems designed for X509 and not SPIFFE/WIMSE.
+  //
+  // If not provided, the X509-SVID will be issued with an empty Subject DN.
+  X509DistinguishedNameTemplate subject_template = 2;
 }
 
 // Configuration pertaining to the issuance of SPIFFE-compatible workload

diff --git a/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx b/docs/pages/reference/terraform-provider/data-sources/workload_identity.mdx
@@ -104,4 +104,13 @@ Optional:
 Optional:
 
 - `dns_sans` (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity.  Each entry in this list supports templating using attributes.
+- `subject_template` (Attributes) Used to configure the Subject Distinguished Name (DN) of the X509-SVID.  In most circumstances, it is recommended to prefer relying on the SPIFFE ID encoded in the URI SAN. However, the Subject DN may be needed to support legacy systems designed for X509 and not SPIFFE/WIMSE.  If not provided, the X509-SVID will be issued with an empty Subject DN. (see [below for nested schema](#nested-schema-for-specspiffex509subject_template))
+
+### Nested Schema for `spec.spiffe.x509.subject_template`
+
+Optional:
+
+- `common_name` (String) Common Name (CN) - 2.5.4.3 If empty, the RDN will be omitted from the DN.
+- `organization` (String) Organization (O) - 2.5.4.10 If empty, the RDN will be omitted from the DN.
+- `organizational_unit` (String) Organizational Unit (OU) - 2.5.4.11 If empty, the RDN will be omitted from the DN.
 
diff --git a/docs/pages/reference/terraform-provider/resources/workload_identity.mdx b/docs/pages/reference/terraform-provider/resources/workload_identity.mdx
@@ -131,4 +131,13 @@ Optional:
 Optional:
 
 - `dns_sans` (List of String) The DNS Subject Alternative Names (SANs) that should be included in an X509-SVID issued using this WorkloadIdentity.  Each entry in this list supports templating using attributes.
+- `subject_template` (Attributes) Used to configure the Subject Distinguished Name (DN) of the X509-SVID.  In most circumstances, it is recommended to prefer relying on the SPIFFE ID encoded in the URI SAN. However, the Subject DN may be needed to support legacy systems designed for X509 and not SPIFFE/WIMSE.  If not provided, the X509-SVID will be issued with an empty Subject DN. (see [below for nested schema](#nested-schema-for-specspiffex509subject_template))
+
+### Nested Schema for `spec.spiffe.x509.subject_template`
+
+Optional:
+
+- `common_name` (String) Common Name (CN) - 2.5.4.3 If empty, the RDN will be omitted from the DN.
+- `organization` (String) Organization (O) - 2.5.4.10 If empty, the RDN will be omitted from the DN.
+- `organizational_unit` (String) Organizational Unit (OU) - 2.5.4.11 If empty, the RDN will be omitted from the DN.
 
diff --git a/integrations/terraform/tfschema/workloadidentity/v1/resource_terraform.go b/integrations/terraform/tfschema/workloadidentity/v1/resource_terraform.go
diff --git a/lib/auth/machineid/workloadidentityv1/decision.go b/lib/auth/machineid/workloadidentityv1/decision.go
@@ -83,6 +83,41 @@ func decide(
 		d.templatedWorkloadIdentity.Spec.Spiffe.X509.DnsSans[i] = templated
 	}
 
+	st := wi.GetSpec().GetSpiffe().GetX509().GetSubjectTemplate()
+	if st != nil {
+		dst := d.templatedWorkloadIdentity.Spec.Spiffe.X509.SubjectTemplate
+
+		templated, err = templateString(st.CommonName, attrs)
+		if err != nil {
+			d.reason = trace.Wrap(
+				err,
+				"templating spec.spiffe.x509.subject_template.common_name",
+			)
+			return d
+		}
+		dst.CommonName = templated
+
+		templated, err = templateString(st.Organization, attrs)
+		if err != nil {
+			d.reason = trace.Wrap(
+				err,
+				"templating spec.spiffe.x509.subject_template.organization",
+			)
+			return d
+		}
+		dst.Organization = templated
+
+		templated, err = templateString(st.OrganizationalUnit, attrs)
+		if err != nil {
+			d.reason = trace.Wrap(
+				err,
+				"templating spec.spiffe.x509.subject_template.organizational_unit",
+			)
+			return d
+		}
+		dst.OrganizationalUnit = templated
+	}
+
 	// Yay - made it to the end!
 	d.shouldIssue = true
 	return d
@@ -141,6 +176,10 @@ func getFieldStringValue(attrs *workloadidentityv1pb.Attrs, attr string) (string
 // TODO(noah): In a coming PR, this will be replaced by evaluating the values
 // within the handlebars as expressions.
 func templateString(in string, attrs *workloadidentityv1pb.Attrs) (string, error) {
+	if len(in) == 0 {
+		return in, nil
+	}
+
 	re := regexp.MustCompile(`\{\{([^{}]+?)\}\}`)
 	matches := re.FindAllStringSubmatch(in, -1)
 

diff --git a/lib/auth/machineid/workloadidentityv1/issuer_service.go b/lib/auth/machineid/workloadidentityv1/issuer_service.go
@@ -349,8 +349,9 @@ func x509Template(
 	notAfter time.Time,
 	spiffeID spiffeid.ID,
 	dnsSANs []string,
+	subjectTemplate *workloadidentityv1pb.X509DistinguishedNameTemplate,
 ) *x509.Certificate {
-	return &x509.Certificate{
+	c := &x509.Certificate{
 		SerialNumber: serialNumber,
 		NotBefore:    notBefore,
 		NotAfter:     notAfter,
@@ -379,6 +380,19 @@ func x509Template(
 		URIs:     []*url.URL{spiffeID.URL()},
 		DNSNames: dnsSANs,
 	}
+	if subjectTemplate != nil {
+		c.Subject.CommonName = subjectTemplate.CommonName
+		if subjectTemplate.Organization != "" {
+			c.Subject.Organization = []string{
+				subjectTemplate.Organization,
+			}
+		}
+		if subjectTemplate.OrganizationalUnit != "" {
+			c.Subject.OrganizationalUnit = []string{subjectTemplate.OrganizationalUnit}
+		}
+	}
+
+	return c
 }
 
 func (s *IssuanceService) getX509CA(
@@ -484,6 +498,7 @@ func (s *IssuanceService) issueX509SVID(
 			notAfter,
 			spiffeID,
 			wid.GetSpec().GetSpiffe().GetX509().GetDnsSans(),
+			wid.GetSpec().GetSpiffe().GetX509().GetSubjectTemplate(),
 		),
 		ca.Cert,
 		pubKey,