topdown/crypto: Add RawURIs field to JSON certs

This is being added to make it easier to write policy on the contents of certificate URI SANs. This is where information like SPIFFE IDs etc are contained and it's helpful to Rego authors to have access to these values without rebuilding the URI from the parsed data under URIs. Fixes #6416 Signed-off-by: Charlie Egan <[email protected]>
open-policy-agent · Nov 21, 2023 · f71330c · f71330c
1 parent d46bc9d
commit f71330c
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/...cases/testdata/cryptox509parsecertificates/test-cryptox509parsecertificates-raw-uris.yaml b/...cases/testdata/cryptox509parsecertificates/test-cryptox509parsecertificates-raw-uris.yaml
@@ -0,0 +1,14 @@
+cases:
+- data:
+  modules:
+  - |
+    package generated
+
+    certs = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIxekNDQVh5Z0F3SUJBZ0lJZGxpT1dVY1NXM3N3Q2dZSUtvWkl6ajBFQXdJd1BURUxNQWtHQTFVRUJoTUMKUjBJeEVEQU9CZ05WQkFvVEIwVjRZVzF3YkdVeEhEQWFCZ05WQkFVVEV6RTFPREV4TnpnNU56UTJPRFkxTmpneQpOalF3SUJjTk1qTXhNVEl3TVRZMU5USTRXaGdQTWpFeU1qRXdNamN4TmpVMU1qaGFNRDB4Q3pBSkJnTlZCQVlUCkFrZENNUkF3RGdZRFZRUUtFd2RGZUdGdGNHeGxNUnd3R2dZRFZRUUZFeE00TlRJM056SXlOREE0TlRJeE5qVXoKTVRFMU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRXp0UDNrQnNpQXY4UUF5eWxUalJZSFlWegpjWTB5YmpBdC9VbWpZb3Fxb0o4SEtIdXF1ckRaUmVwa05qUXdwV3pmZndZZ0xaNk42SisyVUlPdlZ0TDZEcU5rCk1HSXdEZ1lEVlIwUEFRSC9CQVFEQWdlQU1CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUNCZ2dyQmdFRkJRY0QKQVRBTUJnTlZIUk1CQWY4RUFqQUFNQ01HQTFVZEVRUWNNQnFHR0hOd2FXWm1aVG92TDJWNFlXMXdiR1V1WTI5dApMMjl3WVRBS0JnZ3Foa2pPUFFRREFnTkpBREJHQWlFQXlRNDhPd25lTHkzMjZqYitEUjd5RjJhcS94Wnl1cW9qCitUU3ZLVVB5NEU0Q0lRQ0VMUlp3K0dWTjhJR0drVGV4MGxxTDNxY21mWldJbm15VitrbnQ0d3p3L3c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
+
+    uri_strings = crypto.x509.parse_certificates(certs)[0].URIStrings
+  note: cryptox509parsecertificates/invalid DER or PEM data, string
+  query: data.generated.uri_strings = x
+  want_result:
+    - x:
+        - spiffe://example.com/opa
diff --git a/topdown/crypto.go b/topdown/crypto.go
@@ -56,14 +56,36 @@ func builtinCryptoX509ParseCertificates(_ BuiltinContext, operands []*ast.Term,
 		return err
 	}
 
-	v, err := ast.InterfaceToValue(certs)
+	v, err := ast.InterfaceToValue(extentCertificates(certs))
 	if err != nil {
 		return err
 	}
 
 	return iter(ast.NewTerm(v))
 }
 
+// extendedCert is a wrapper around x509.Certificate that adds additional fields for JSON serialization.
+type extendedCert struct {
+	x509.Certificate
+	URIStrings []string `json:"uri_strings,omitempty"`
+}
+
+func extentCertificates(certs []*x509.Certificate) []extendedCert {
+	// add a field to certs containing the URIs as strings
+	processedCerts := make([]extendedCert, len(certs))
+
+	for i, cert := range certs {
+		processedCerts[i].Certificate = *cert
+		if cert.URIs != nil {
+			processedCerts[i].URIStrings = make([]string, len(cert.URIs))
+			for j, uri := range cert.URIs {
+				processedCerts[i].URIStrings[j] = uri.String()
+			}
+		}
+	}
+	return processedCerts
+}
+
 func builtinCryptoX509ParseAndVerifyCertificates(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error {
 
 	a := operands[0].Value
@@ -87,7 +109,7 @@ func builtinCryptoX509ParseAndVerifyCertificates(_ BuiltinContext, operands []*a
 		return iter(invalid)
 	}
 
-	value, err := ast.InterfaceToValue(verified)
+	value, err := ast.InterfaceToValue(extentCertificates(verified))
 	if err != nil {
 		return err
 	}