Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request: Implement access controls allowing a user to request certs for any subdomain of ${DOMAIN} #77

Open
jsimpso opened this issue Oct 22, 2024 · 6 comments
Open

Request: Implement access controls allowing a user to request certs for any subdomain of ${DOMAIN} #77

jsimpso opened this issue Oct 22, 2024 · 6 comments
Assignees
@arturo-seijas

Comments

@jsimpso
Copy link

jsimpso commented Oct 22, 2024

Enhancement Proposal

Hi,

I've run into some (at least to me) unexpected behaviour with this charm that I think we can improve for a better overall experience.

It's been established that if a user is allowed to request certs for example.com, this implicitly grants access to request a wildcard cert for *.example.com as the challenge domain is the same for either (see Canonical internal chat link).

What this doesn't do is allow that user to submit requests for any subdomain-specific certs, e.g. test.example.com.

Could we please look into either:

  1. Leaning into this implicit access, authorising the user with access to example.com to request a cert for any valid domain matching ^.*\.example\.com$.
  2. As we've established that granting access to *.example.com alongside example.com currently does nothing, change the behaviour so that granting access to *.example.com is a method of explicitly allowing the user to request a specific cert for any subdomain of example.com.
  3. Adding some other method of explicitly allowing the user to request a certificate for any subdomain of example.com, such as juju run httprequest-lego-provider/0 allow-domains --string-args username=example-user domains='example.com' subdomains='example.com' or allow-subdomains --string-args username=example-user parent-domains='example.com'.

Keen to hear your thoughts.

Thanks!
@jsimpso
Copy link
Author

jsimpso commented Oct 23, 2024

After thinking on this some more I'm actually inclined to suggest that the implicit behavior of allowed-domains=example.com allowing a user to request the wildcard cert for *.example.com should be considered a bug in violation of the principle of least privilege, and should be replaced with a mechanism to explicitly grant access for requesting wildcard certs only where needed and justified.

@cbartz
Copy link
Contributor

cbartz commented Nov 5, 2024

@arturo-seijas Can you have a look, please?

@arturo-seijas
Copy link
Collaborator

After thinking on this some more I'm actually inclined to suggest that the implicit behavior of allowed-domains=example.com allowing a user to request the wildcard cert for *.example.com should be considered a bug in violation of the principle of least privilege, and should be replaced with a mechanism to explicitly grant access for requesting wildcard certs only where needed and justified.

Hi @jsimpso, what is that you have in mind and how would it look like from a user's perspective?

@amandahla
Copy link

@jsimpso friendly ping

@jsimpso
Copy link
Author

jsimpso commented Dec 12, 2024

Apologies for the delayed response.

After thinking on this some more I'm actually inclined to suggest that the implicit behavior of allowed-domains=example.com allowing a user to request the wildcard cert for *.example.com should be considered a bug in violation of the principle of least privilege, and should be replaced with a mechanism to explicitly grant access for requesting wildcard certs only where needed and justified.

Hi @jsimpso, what is that you have in mind and how would it look like from a user's perspective?

On the topic of wildcard certificates, I think that if we grant access to example-user to request certificates for example.com:

juju run httprequest-lego-provider/0 allow-domains --string-args username=example-user domains='example.com'

The permission granted should be limited what is explicitly stated: example-user should be allowed to request a certificate for "example.com".

If we want to allow that user to request requests for wildcard certificates, that should be an explicit action. From the perspective of the administrator making that access request, I could see this working one of two ways:

  1. Requiring the string "*.example.com" to be allowed in order to generate a wildcard certificate for *.example.com
juju run httprequest-lego-provider/0 allow-domains --string-args username=example-user domains='*.example.com'
  1. Requiring a separate argument altogether to control access to generate wildcard certificates:
juju run httprequest-lego-provider/0 allow-domains --string-args username=example-user wildcard_domains='example.com'

On the topic of subdomains, I think it would be useful to have an access control option allowing users to request any specific subdomain of a given domain rather than using a wildcard certificate. For example:

  1. Allowing example-user to request certificates for any specific subdomain of example.com, but not a wildcard certificate, and not a certificate for *.example.com itself.
juju run httprequest-lego-provider/0 allow-domains --string-args username=example-user subdomains='example.com'
  1. Allowing example-user to request certificates for example.com, any specific subdomain of example.com, but not a wildcard certificate for *.example.com:
juju run httprequest-lego-provider/0 allow-domains --string-args username=example-user domains='example.com' subdomains='example.com'

Hopefully that makes sense, please let me know if not! Thanks :)

@arturo-seijas
Copy link
Collaborator

@gregory-schiano , what do you think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arturo-seijas arturo-seijas

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cbartz @jsimpso @amandahla @arturo-seijas