Retrigger CSR when subject org and ou doesn't match. (#377)

Signed-off-by: GitHub <noreply@github.com>
2026-05-22 17:14:10 +00:00 · 2024-03-14 16:44:16 +08:00
parent 1c0c0156e7
commit edef33de92
3 changed files with 70 additions and 14 deletions
--- a/pkg/registration/clientcert/certificate.go
+++ b/pkg/registration/clientcert/certificate.go
@@ -2,9 +2,11 @@ package clientcert

 import (
 	"context"
+	"crypto/x509"
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
+	"reflect"
 	"time"

 	"github.com/openshift/library-go/pkg/operator/events"
@@ -92,17 +94,37 @@ func IsCertificateValid(logger klog.Logger, certData []byte, subject *pkix.Name)
 	}

 	// check subject of certificates
+	// if the subject is specified, make sure at least one cert in the certificate chain matches the subject
 	for _, cert := range certs {
-		if cert.Subject.CommonName != subject.CommonName {
-			continue
+		if certMatchSubject(cert, subject) {
+			return true, nil
 		}
-		return true, nil
 	}

-	logger.V(4).Info("Certificate is not issued for subject", "commonName", subject.CommonName)
+	logger.V(4).Info("Certificate is not issued for subject", "commonName", subject.CommonName, "organization",
+		subject.Organization, "organizationalUnit", subject.OrganizationalUnit)
 	return false, nil
 }

+func certMatchSubject(cert *x509.Certificate, subject *pkix.Name) bool {
+	// check commonName
+	if cert.Subject.CommonName != subject.CommonName {
+		return false
+	}
+
+	// check groups(origanization)
+	if !reflect.DeepEqual(cert.Subject.Organization, subject.Organization) {
+		return false
+	}
+
+	// check originzation unit
+	if !reflect.DeepEqual(cert.Subject.OrganizationalUnit, subject.OrganizationalUnit) {
+		return false
+	}
+
+	return true
+}
+
 // getCertValidityPeriod returns the validity period of the client certificate in the secret
 func getCertValidityPeriod(secret *corev1.Secret) (*time.Time, *time.Time, error) {
 	if secret.Data == nil {
--- a/pkg/registration/clientcert/certificate_test.go
+++ b/pkg/registration/clientcert/certificate_test.go
@@ -162,12 +162,42 @@ func TestIsCertificateValid(t *testing.T) {
 			},
 		},
 		{
-			name: "valid cert",
+			name: "invalid organization",
 			testCert: testinghelpers.NewTestCertWithSubject(pkix.Name{
-				CommonName: "test",
+				CommonName:   "test",
+				Organization: []string{"org_foo"},
 			}, 60*time.Second),
 			subject: &pkix.Name{
-				CommonName: "test",
+				CommonName:   "test",
+				Organization: []string{"org_bar"},
+			},
+			isValid: false,
+		},
+		{
+			name: "invalid organization unit",
+			testCert: testinghelpers.NewTestCertWithSubject(pkix.Name{
+				CommonName:         "test",
+				Organization:       []string{"org"},
+				OrganizationalUnit: []string{"ou_foo"},
+			}, 60*time.Second),
+			subject: &pkix.Name{
+				CommonName:         "test",
+				Organization:       []string{"org"},
+				OrganizationalUnit: []string{"ou_bar"},
+			},
+			isValid: false,
+		},
+		{
+			name: "valid cert",
+			testCert: testinghelpers.NewTestCertWithSubject(pkix.Name{
+				CommonName:         "test",
+				Organization:       []string{"org"},
+				OrganizationalUnit: []string{"ou"},
+			}, 60*time.Second),
+			subject: &pkix.Name{
+				CommonName:         "test",
+				Organization:       []string{"org"},
+				OrganizationalUnit: []string{"ou"},
 			},
 			isValid: true,
 		},