token-server: Make machine token minter config apply to subdomains.

tokenserver/appengine/impl/machinetoken/machinetoken.go

 // Copyright 2016 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 // Package machinetoken implements generation of LUCI machine tokens.
 package machinetoken
 
 import (
         "crypto/x509"
         "encoding/base64"
@@ skipping 53 matching lines @@
 // Validate checks that token minting parameters are allowed.
 func (p *MintParams) Validate() error {
         // Check FDQN.
         if p.FQDN != strings.ToLower(p.FQDN) {
                 return fmt.Errorf("expecting FQDN in lowercase, got %q", p.FQDN)
         }
         chunks := strings.SplitN(p.FQDN, ".", 2)
         if len(chunks) != 2 {
                 return fmt.Errorf("not a valid FQDN %q", p.FQDN)
         }
-        host, domain := chunks[0], chunks[1]
-        if strings.ContainsRune(host, '@') {
-                return fmt.Errorf("forbidden character '@' in hostname %q", host)
-        }
+        domain := chunks[1] // e.g. "us-central1-a.c.project-id.internal"
 
         // Check DomainConfig for given domain.
         domainCfg := domainConfig(p.Config, domain)
         if domainCfg == nil {
                 return fmt.Errorf("the domain %q is not whitelisted in the config", domain)
         }
         if domainCfg.MachineTokenLifetime <= 0 {
                 return fmt.Errorf("machine tokens for machines in domain %q are not allowed", domain)
         }
 
         // Make sure cert serial number fits into uint64. We don't support negative or
         // giant SNs.
         sn := p.Cert.SerialNumber
         if sn.Sign() <= 0 || sn.Cmp(maxUint64) >= 0 {
                 return fmt.Errorf("invalid certificate serial number: %s", sn)
         }
         return nil
 }
 
-// domainConfig returns DomainConfig for a domain.
+// domainConfig returns DomainConfig (part of *.cfg file) for a given domain.
 //
-// Returns nil if there's no such config.
+// It enumerates all domains specified in the config finding first domain that
+// is equal to 'domain' or has it as a subdomain.
+//
+// Returns nil if requested domain is not represented in the config.
 func domainConfig(cfg *admin.CertificateAuthorityConfig, domain string) *admin.DomainConfig {
         for _, domainCfg := range cfg.KnownDomains {
                 for _, domainInCfg := range domainCfg.Domain {
-                        if domainInCfg == domain {
+                        if domainInCfg == domain || strings.HasSuffix(domain, "."+domainInCfg) {
                                 return domainCfg
                         }
                 }
         }
         return nil
 }
 
 // Mint generates a new machine token proto, signs and serializes it.
 //
 // Returns its body as a proto, and as a signed base64-encoded final token.
@@ skipping 73 matching lines @@
                 Lifespan: func(b proto.Message) tokensigning.Lifespan {
                         body := b.(*tokenserver.MachineTokenBody)
                         return tokensigning.Lifespan{
                                 NotBefore: time.Unix(int64(body.IssuedAt), 0),
                                 NotAfter:  time.Unix(int64(body.IssuedAt)+int64(body.Lifetime), 0),
                         }
                 },
         }
         return i.InspectToken(c, tok)
 }