Skip to content

Improve URI policy configuration and matching #1105

New issue
New issue
Open
Open
Improve URI policy configuration and matching#1105
Labels
enhancementneeds triageWaiting for discussion / prioritization by team
Milestone
Backlog
@hslatman

Description

@hslatman
hslatman
opened on Oct 12, 2022

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Policy rules for URIs can currently only be configured with an allowed domain. Other parts of the URI in a CSR can be anything, because no policy is enforced on the other parts. It is thus not possible to only allow a certificate to be signed with https:// as the URI scheme.

It would be good to be able to configure URI rules that also include the other parts of the URI, including the scheme, path, query and fragment, so that users can configure the URI rule with more details, resulting in more control over the certificates to be signed.

A couple considerations:

  • For scheme, a match on normalized format (lowercase) will be performed. It could take an explicit wildcard (*). Not providing a scheme is like providing a wildcard.
  • For path, a string match keeping the case intact can be performed. It could take an explicit wildcard (*). Not providing a path is like providing a wildcard.
  • For query, a match on the same contents can be performed. It can be made independent of order. It could take an explicit wildcard (*). Not providing a query is like providing a wildcard.
  • For fragment, a match on the contents can be performed. It could take an explicit wildcard (*). Not providing a fragment is like providing a wildcard.
  • Not all parts are case-insensitive, so that needs to be accounted for.
  • Check if wildcard character (*) makes sense.
  • Supporting a regex match might be a nice fit for URIs. They're harder to reason about, though.

Why is this needed?

To be able to enforce a specificscheme, path, query or fragment in a URI, so that certificates not adhering to the requirements won't be signed.

A related issue is #1093, in which https://token.actions.githubusercontent.com#repo:tashian/oidctest:ref:refs/heads/main is requested as a URI SAN. In this case, it would've been nice to only allow the #repo:tashian/oidctest:ref:refs/heads/main fragment, for example.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementneeds triageWaiting for discussion / prioritization by team

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions