Hi!
Currently, when trusted_hosts is configured, clients connecting to the smart-proxy are authorised based only on the CN presented in the client TLS certificate subject.
See smart-proxy/lib/sinatra/authorization.rb at 200f394695b48d549ddc24840b3f1ee431a2be8a · theforeman/smart-proxy · GitHub
Would it be acceptable to also have the smart proxy check the client certificate SANs?
In my setting, my foreman instances, (the clients in this connection), have client certificates, (their puppet agent certs), with Subject CNs that are not their FQDNs, but their AWS EC2 instance IDs. They all also have SANs including eg. foreman.example.com, and I would like to simply be able to include foreman.example.com in the trusted_hosts configuration.
Perhaps this functionality would need to behind another configuration setting? (eg. a trust_client_sans boolean or similar. Naming things is hard. Or maybe just a separate trusted_sans array setting???)
Let me know what you think, and I could work on a PR.
My alternative at the moment, is a fairly messy Puppet DB lookup to gather all the entries for trusted_hosts.
Thanks,
Alex