From 64f92b40fc5858e1dee68a1be6eddfda859f5698 Mon Sep 17 00:00:00 2001
From: Kushneryk Pavel
Date: Wed, 2 Aug 2023 18:09:10 +0300
Subject: [PATCH] =?UTF-8?q?bug(20562):=20allowed=5Fdomains=20are=20compare?= =?UTF-8?q?d=20case-sensitive=20if=20they=20use=20g=E2=80=A6=20(#22126)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* bug(20562): allowed_domains are compared case-sensitive if they use glob patterns
* bug(20562): review fixes
---
 builtin/logical/pki/cert_util.go | 2 +-
 builtin/logical/pki/cert_util_test.go | 18 ++++++++++++++++++
 changelog/22126.txt | 3 +++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 changelog/22126.txt

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 185488a7a1..e991006578 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -659,7 +659,7 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
 if data.role.AllowGlobDomains &&
 strings.Contains(currDomain, "*") &&
- glob.Glob(currDomain, name) {
+ glob.Glob(strings.ToLower(currDomain), strings.ToLower(name)) {
 valid = true
 break
 }
diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
index 7fb811cb8f..82a4f2a50b 100644
--- a/builtin/logical/pki/cert_util_test.go
+++ b/builtin/logical/pki/cert_util_test.go
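Review bot: In validateNames (builtin/logical/pki/cert_util.go), the new `glob.Glob(strings.ToLower(currDomain), strings.ToLower(name))` folds case with Go's Unicode mapping, which is broader than the ASCII-only case-insensitivity that DNS defines. This allowed_domains check is therefore only as tight as intended if `name` has already been restricted to ASCII/punycode hostname characters. That restriction is not visible here, since the function starts and ends outside the hunk, so it is worth confirming before relying on it. A comment above the condition would record the assumption, for example `// DNS names compare case-insensitively (RFC 4343); name is expected to be ASCII/punycode here`.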
@@ -174,6 +174,24 @@ func TestPki_PermitFQDNs(t *testing.T) {
 expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"},
 expectedEmails: []string{},
 },
+ "case insensitivity subdomain validation": {
+ input: &inputBundle{
+ apiData: &framework.FieldData{
+ Schema: fields,
+ Raw: map[string]interface{}{
+ "common_name": "SUB.EXAMPLE.COM",
+ "ttl": 3600,
+ },
+ },
+ role: &roleEntry{
+ AllowedDomains: []string{"example.com", "*.Example.com"},
+ AllowGlobDomains: true,
+ MaxTTL: 3600,
+ },
+ },
+ expectedDnsNames: []string{"SUB.EXAMPLE.COM"},
+ expectedEmails: []string{},
+ },
 "case email as AllowedDomain with bare domains": {
 input: &inputBundle{
 apiData: &framework.FieldData{
diff --git a/changelog/22126.txt b/changelog/22126.txt
new file mode 100644
index 0000000000..e6633ec3a0
--- /dev/null
+++ b/changelog/22126.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: allowed_domains are now compared in a case-insensitive manner if they use glob patterns
+```
\ No newline at end of file
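Review bot: The added "case insensitivity subdomain validation" case in TestPki_PermitFQDNs (cert_util_test.go) pins only the permit path for the new lower-casing. Because allowed_domains decides which names a role may issue certificates for, a companion case that must still be refused would show the case folding did not widen the glob match, for example a mixed-case common_name under a parent domain that `*.Example.com` does not cover. The table and the test function continue outside this hunk, so whether an expected rejection can be expressed here is not visible. If it cannot, the case belongs in whichever test exercises validateNames failures.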