From be83d4197517917a3ed62a5b72d45f14d011c519 Mon Sep 17 00:00:00 2001
From: Steve Clark <steven.clark@hashicorp.com>
Date: Mon, 4 Oct 2021 10:59:11 -0400
Subject: [PATCH 1/2] Fix 1.8 regression preventing email addresses being used
 as common name within pki certs (#12336)

---
 builtin/logical/pki/cert_util.go      |  4 +-
 builtin/logical/pki/cert_util_test.go | 71 ++++++++++++++++++++++-----
 2 files changed, 62 insertions(+), 13 deletions(-)

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 52f0a33e0c812..b129fc2834cbe 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -330,7 +330,9 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
 				// is enabled
 				if data.role.AllowBareDomains &&
 					(strings.EqualFold(sanitizedName, currDomain) ||
-						(isEmail && strings.EqualFold(emailDomain, currDomain))) {
+						(isEmail && strings.EqualFold(emailDomain, currDomain)) ||
+							// Handle the use case of AllowedDomain being an email address
+							(isEmail && strings.EqualFold(name, currDomain))) {
 					valid = true
 					break
 				}
diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
index b1f815d1a11c3..d27cb7d6d27aa 100644
--- a/builtin/logical/pki/cert_util_test.go
+++ b/builtin/logical/pki/cert_util_test.go
@@ -164,7 +164,8 @@ func TestPki_PermitFQDNs(t *testing.T) {
 
 	cases := map[string]struct {
 		input    *inputBundle
-		expected []string
+		expectedDnsNames []string
+		expectedEmails []string
 	}{
 		"base valid case": {
 			input: &inputBundle{
@@ -181,7 +182,8 @@ func TestPki_PermitFQDNs(t *testing.T) {
 					EnforceHostnames: true,
 				},
 			},
-			expected: []string{"example.com."},
+			expectedDnsNames: []string{"example.com."},
+			expectedEmails: []string{},
 		},
 		"case insensitivity validation": {
 			input: &inputBundle{
@@ -199,20 +201,65 @@ func TestPki_PermitFQDNs(t *testing.T) {
 					MaxTTL:           3600,
 				},
 			},
-			expected: []string{"Example.Net", "eXaMPLe.COM"},
+			expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"},
+			expectedEmails: []string{},
+		},
+		"case email as AllowedDomain with bare domains": {
+			input: &inputBundle{
+				apiData: &framework.FieldData{
+					Schema: fields,
+					Raw: map[string]interface{}{
+						"common_name": "test@testemail.com",
+						"ttl":         3600,
+					},
+				},
+				role: &roleEntry{
+					AllowedDomains:   []string{"test@testemail.com"},
+					AllowBareDomains: true,
+					MaxTTL:           3600,
+				},
+			},
+			expectedDnsNames: []string{},
+			expectedEmails: []string{"test@testemail.com"},
+		},
+		"case email common name with bare domains": {
+			input: &inputBundle{
+				apiData: &framework.FieldData{
+					Schema: fields,
+					Raw: map[string]interface{}{
+						"common_name": "test@testemail.com",
+						"ttl":         3600,
+					},
+				},
+				role: &roleEntry{
+					AllowedDomains:   []string{"testemail.com"},
+					AllowBareDomains: true,
+					MaxTTL:           3600,
+				},
+			},
+			expectedDnsNames: []string{},
+			expectedEmails: []string{"test@testemail.com"},
 		},
 	}
 
-	for _, testCase := range cases {
-		cb, err := generateCreationBundle(&b, testCase.input, nil, nil)
-		if err != nil {
-			t.Fatalf("Error: %v", err)
-		}
+	for name, testCase := range cases {
+		t.Run(name, func(t *testing.T) {
+			cb, err := generateCreationBundle(&b, testCase.input, nil, nil)
+			if err != nil {
+				t.Fatalf("Error: %v", err)
+			}
 
-		actual := cb.Params.DNSNames
+			actualDnsNames := cb.Params.DNSNames
 
-		if !reflect.DeepEqual(testCase.expected, actual) {
-			t.Fatalf("Expected %v, got %v", testCase.expected, actual)
-		}
+			if !reflect.DeepEqual(testCase.expectedDnsNames, actualDnsNames) {
+				t.Fatalf("Expected dns names %v, got %v", testCase.expectedDnsNames, actualDnsNames)
+			}
+
+			actualEmails := cb.Params.EmailAddresses
+
+			if !reflect.DeepEqual(testCase.expectedEmails, actualEmails) {
+				t.Fatalf("Expected email addresses %v, got %v", testCase.expectedEmails, actualEmails)
+			}
+		})
 	}
 }

From d032b53bb14a470a56e8a32800014dd35a8506b5 Mon Sep 17 00:00:00 2001
From: Steve Clark <steven.clark@hashicorp.com>
Date: Mon, 4 Oct 2021 12:44:51 -0400
Subject: [PATCH 2/2] Add changelog

---
 changelog/12716.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/12716.txt

diff --git a/changelog/12716.txt b/changelog/12716.txt
new file mode 100644
index 0000000000000..9a41d313ce3ff
--- /dev/null
+++ b/changelog/12716.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+pki: Fix regression preventing email addresses being used as a common name within certificates
+```