fix: dedupe SAN entries before checking algorithm uniqueness#9472
fix: dedupe SAN entries before checking algorithm uniqueness#9472dmavrodiev wants to merge 3 commits into
Conversation
Dedupe the certificate's domains with sets.New before checking them against the shared pkaSecretSet map, so a repeated SAN no longer conflicts with itself, while a genuine conflict across two different certificates for the same domain and algorithm is still caught. Add test cases to TestValidateTLSSecretsData: - valid-rsa-duplicate-san-domain: reproduces the bug against a new rsa-cert-dup-san.pem / rsa-pkcs8-dup-san.key fixture. - conflicting-rsa-algorithm-same-domain-different-secrets: guard rail confirming genuine cross-secret conflicts are still rejected. Fixes envoyproxy#9471 Signed-off-by: Dimitar Mavrodiev <dmavrodiev@gmail.com>
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2a797798f6
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Signed-off-by: Dimitar Mavrodiev <dmavrodiev@gmail.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #9472 +/- ##
==========================================
+ Coverage 75.28% 75.45% +0.17%
==========================================
Files 252 252
Lines 41536 41664 +128
==========================================
+ Hits 31269 31439 +170
+ Misses 8143 8100 -43
- Partials 2124 2125 +1 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
| } | ||
|
|
||
| // Check uniqueness for each domain in the certificate with this algorithm | ||
| seenDomains := sets.New[string]() |
There was a problem hiding this comment.
can we add a comment linking the RFC section here
Link the SANs RFC section in the comments. Signed-off-by: Dimitar Mavrodiev <dmavrodiev@gmail.com>
Dedupe the certificate's domains with sets.New before checking them against the shared pkaSecretSet map, so a repeated SAN no longer conflicts with itself, while a genuine conflict across two different certificates for the same domain and algorithm is still caught.
Add test cases to TestValidateTLSSecretsData:
Fixes #9471
PR Checklist
git commit -s). See DCO: Sign your work./api), the API was discussed and agreed before the implementation. The API change can be in a separate PR, or in the same PR, but the API must be agreed before implementation. N/A if this PR does not contain API changes.make generate gen-check,make lint, and the unit-test/coverage build pass. (Flaky e2e failures are not considered breakages, butgen-check,lint, and coverage MUST pass.)release-notes/current/<section>/<pr-number>-<slug>.md(seerelease-notes/current/README.mdfor sections and naming). N/A if this PR does not contain non-trivial changes.make gen-checkand committed the result if API/helm charts/modules changed.release-notes/current/breaking_changes/.