Switch to using regular expressions as per @simo5 review comments.

ramr · ramr · commit 06615ab69e44 · 2018-07-10T16:28:01.000-07:00
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
@@ -235,16 +235,16 @@ frontend fe_sni
     {{- with (env "ROUTER_MUTUAL_TLS_AUTH_FILTER") }}
   # If a mutual TLS auth subject filter environment variable is set, we deny
   # requests if the DN field in the client certificate doesn't match that value.
-  # Please note that this match is a subset (substring) match.
+  # Please note that this match is a regular expression match.
   # Example: For DN set to: /CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3,
   #          A. ROUTER_MUTUAL_TLS_AUTH_FILTER="header.test"   OR
   #             ROUTER_MUTUAL_TLS_AUTH_FILTER="head"          OR
-  #             ROUTER_MUTUAL_TLS_AUTH_FILTER="/CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3" /* exact match example */
+  #             ROUTER_MUTUAL_TLS_AUTH_FILTER="^/CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3$" /* exact match example */
   #             the filter would match the DN field (substring or exact match)
   #             and the request will be passed on to the backend.
   #          B. ROUTER_MUTUAL_TLS_AUTH_FILTER="legacy-web-client", the request
   #             will be rejected.
-  acl cert_cn_matches ssl_c_s_dn -m sub {{.}}
+  acl cert_cn_matches ssl_c_s_dn -m reg {{.}}
   http-request deny unless cert_cn_matches
     {{- end }}
 
@@ -304,9 +304,9 @@ frontend fe_no_sni
     {{- with (env "ROUTER_MUTUAL_TLS_AUTH_FILTER") }}
   # If a mutual TLS auth subject filter environment variable is set, we deny
   # requests if the DN field in the client certificate doesn't match that value.
-  # Please note that this match is a subset (substring) match.
+  # Please note that this match is a regular expression match.
   # See the config section 'frontend fe_sni' for examples.
-  acl cert_cn_matches ssl_c_s_dn -m sub {{.}}
+  acl cert_cn_matches ssl_c_s_dn -m reg {{.}}
   http-request deny unless cert_cn_matches
     {{- end }}
 
diff --git a/pkg/oc/admin/router/router.go b/pkg/oc/admin/router/router.go
@@ -337,7 +337,7 @@ func NewCmdRouter(f kcmdutil.Factory, parentName, name string, out, errout io.Wr
 	cmd.Flags().StringVar(&cfg.MutualTLSAuth, "mutual-tls-auth", cfg.MutualTLSAuth, "Controls access to the router using mutually agreed upon TLS configuration (example client certificates). You can choose one of 'required', 'optional', or 'none'. The default is none.")
 	cmd.Flags().StringVar(&cfg.MutualTLSAuthCA, "mutual-tls-auth-ca", cfg.MutualTLSAuthCA, "Optional path to a file containing one or more CA certificates used for mutual TLS authentication. The CA certificate[s] are used by the router to verify a client's certificate.")
 	cmd.Flags().StringVar(&cfg.MutualTLSAuthCRL, "mutual-tls-auth-crl", cfg.MutualTLSAuthCRL, "Optional path to a file containing the certificate revocation list used for mutual TLS authentication. The certificate revocation list is used by the router to verify a client's certificate.")
-	cmd.Flags().StringVar(&cfg.MutualTLSAuthFilter, "mutual-tls-auth-filter", cfg.MutualTLSAuthFilter, "Optional value to filter the client certificates. If the client certificate subject field does _not_ contain (substring match) this value, requests will be rejected by the router.")
+	cmd.Flags().StringVar(&cfg.MutualTLSAuthFilter, "mutual-tls-auth-filter", cfg.MutualTLSAuthFilter, "Optional regular expression to filter the client certificates. If the client certificate subject field does _not_ match this regular expression, requests will be rejected by the router.")
 
 	cfg.Action.BindForOutput(cmd.Flags())
 	cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
