From 6cd89fa72a89054c8769d6031804c00257b5e3eb Mon Sep 17 00:00:00 2001 From: Michael Hobbs Date: Thu, 15 Jan 2015 10:34:14 -0800 Subject: [PATCH] support extracting SANs from SSL certificates and adding them to nginx config --- plugins/nginx-vhosts/commands | 10 +++++++--- tests/unit/nginx-vhosts.bats | 31 ++++++++++++++++++++++++++++++- tests/unit/server_ssl_sans.tar | Bin 0 -> 10240 bytes tests/unit/test_helper.bash | 7 +++++++ 4 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 tests/unit/server_ssl_sans.tar diff --git a/plugins/nginx-vhosts/commands b/plugins/nginx-vhosts/commands index 099b38cf4..3ec06faa5 100755 --- a/plugins/nginx-vhosts/commands +++ b/plugins/nginx-vhosts/commands @@ -51,10 +51,14 @@ EOF SSL_HOSTNAME=$(openssl x509 -in $SSL_INUSE/server.crt -noout -subject | tr '/' '\n' | grep CN= | cut -c4-) SSL_HOSTNAME=$(echo "$SSL_HOSTNAME" | sed 's|\.|\\.|g' | sed 's/\*/\.\*/g') - [[ -z "$(egrep ^"$SSL_HOSTNAME"$ $VHOST_PATH)" ]] && echo "$SSL_HOSTNAME" | sed 's/\\./\./g' >> $VHOST_PATH - SSL_VHOSTS=$(egrep ^"$SSL_HOSTNAME"$ $VHOST_PATH || exit 0) - NONSSL_VHOSTS=$(egrep -v ^"$SSL_HOSTNAME"$ $VHOST_PATH || exit 0) + + SSL_HOSTNAME_ALT=$(openssl x509 -in $SSL_INUSE/server.crt -noout -text | grep --after-context=1 '509v3 Subject Alternative Name:' | tail -n 1 | sed -e "s/[[:space:]]*DNS://g" | tr ',' '\n' || true) + SSL_HOSTNAME_ALT=$(echo "$SSL_HOSTNAME_ALT" | sed 's|\.|\\.|g' | sed 's/\*/\.\*/g') + [[ -z "$(egrep ^"$SSL_HOSTNAME_ALT"$ $VHOST_PATH)" ]] && echo "$SSL_HOSTNAME_ALT" | sed 's/\\./\./g' >> $VHOST_PATH + + SSL_VHOSTS=$(egrep "^${SSL_HOSTNAME}$|^${SSL_HOSTNAME_ALT}$" $VHOST_PATH || exit 0) + NONSSL_VHOSTS=$(egrep -v "^${SSL_HOSTNAME}$|^${SSL_HOSTNAME_ALT}$" $VHOST_PATH || exit 0) while read line; do echo "-----> Configuring SSL for $line..." diff --git a/tests/unit/nginx-vhosts.bats b/tests/unit/nginx-vhosts.bats index bd1b1f285..0c6f09db1 100644 --- a/tests/unit/nginx-vhosts.bats +++ b/tests/unit/nginx-vhosts.bats 
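Review bot: The `^`/`$` anchors around `$SSL_HOSTNAME_ALT` in the new -z check and in the combined `"^${SSL_HOSTNAME}$|^${SSL_HOSTNAME_ALT}$"` patterns enclose the whole variable, but after `tr ',' '\n'` it holds one SAN per line and egrep reads each line of its pattern as a separate alternative, so only the first SAN keeps its `^` and only the last its `$`: a vhost that merely ends in the last SAN (www.test.dokku.me ends in test.dokku.me) is classified as SSL, and because the -z check appends nothing once any one SAN already matches, SANs missing from VHOST_PATH are never added when another is already present. A certificate without a SAN extension leaves the variable empty via the `|| true` path, which turns the check into `egrep ^$` and appends a blank line to VHOST_PATH. Adding each SAN on its own and accumulating one anchored alternation avoids both problems, as sketched below; the enclosing if-block starts and ends outside this hunk.
```shell
    # … unchanged: SSL_HOSTNAME_ALT extraction and escaping …

    # one anchored alternative per name; an empty SAN line is skipped so it never becomes "^$"
    SSL_PATTERN="^${SSL_HOSTNAME}$"
    while read -r alt; do
      [[ -z "$alt" ]] && continue
      SSL_PATTERN="${SSL_PATTERN}|^${alt}$"
      egrep -q "^${alt}$" $VHOST_PATH || echo "$alt" | sed 's/\\./\./g' >> $VHOST_PATH
    done <<< "$SSL_HOSTNAME_ALT"

    SSL_VHOSTS=$(egrep "$SSL_PATTERN" $VHOST_PATH || exit 0)
    NONSSL_VHOSTS=$(egrep -v "$SSL_PATTERN" $VHOST_PATH || exit 0)
```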
@@ -25,10 +25,39 @@ teardown() {
 @test "nginx:build-config (with SSL CN mismatch)" {
   setup_test_tls
   deploy_app
-  run /bin/bash -c "dokku domains $TEST_APP | grep node-js-app.dokku.me"
+  run /bin/bash -c "dokku domains $TEST_APP | egrep ^node-js-app\.dokku\.me$"
   echo "output: "$output
   echo "status: "$status
   assert_output "node-js-app.dokku.me"
+  run bash -c "response=\"$(curl -LkSs node-js-app.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
+  echo "output: "$output
+  echo "status: "$status
+  assert_success
+}
+
+@test "nginx:build-config (with SSL and Multiple SANs)" {
+  setup_test_tls_with_sans
+  deploy_app
+  run /bin/bash -c "dokku domains $TEST_APP | egrep ^test\.dokku\.me$"
+  echo "output: "$output
+  echo "status: "$status
+  assert_output "test.dokku.me"
+  run /bin/bash -c "dokku domains $TEST_APP | grep ^www\.test\.dokku\.me$"
+  echo "output: "$output
+  echo "status: "$status
+  assert_output "www.test.dokku.me"
+  run bash -c "response=\"$(curl -LkSs test.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
+  echo "output: "$output
+  echo "status: "$status
+  assert_success
+  run bash -c "response=\"$(curl -LkSs www.test.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
+  echo "output: "$output
+  echo "status: "$status
+  assert_success
+  run bash -c "response=\"$(curl -LkSs www.test.app.dokku.me)\"; echo \$response; test \"\$response\" == \"nodejs/express\""
+  echo "output: "$output
+  echo "status: "$status
+  assert_success
 }
 
 @test "nginx:build-config (no global VHOST and domains:add)" {
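Review bot: The `\.` in the new `egrep ^test\.dokku\.me$` and `grep ^www\.test\.dokku\.me$` patterns never reaches egrep: it survives the outer double quotes, but the inner `bash -c` shell strips the backslash from an unquoted word, so the dots still match any character (the rewritten node-js-app line has the same issue). Single-quoting the pattern inside the string, `egrep '^test\.dokku\.me$'`, keeps the escape, and using egrep for both domain checks instead of egrep on one and grep on the other would read more consistently. The third curl check against www.test.app.dokku.me has no matching `dokku domains` assertion and the SAN list that makes it pass lives inside the binary server_ssl_sans.tar, so a comment at the top of the new test naming the CN and SANs the fixture certificate carries would make the expectations readable.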
diff --git a/tests/unit/server_ssl_sans.tar b/tests/unit/server_ssl_sans.tar new file mode 100644 index 0000000000000000000000000000000000000000..ae50b7a9a4695e2767274b31c6f55db085ad6fa1 GIT binary patch literal 10240 zcmeH}#}cDR5{CQCQ}mtK!Gk#Lq3{SJyg)aM1j0K3;^~*}Uehz{W;bFF8=*RgQ2j|o z>dRF9`3o}L$K^i$l8*D2|ItE^MU&*05{Jskrsw(s) z&x4N6!K!i~SI@wVbG+ACe?&tApfc|cva2S9V2d1Q`@oR9jo-nU%gq4dK;(fs@C?UT zMLQA#+g1h83(oSnz}HYXqCWsO%VX*MOQL++H;XKW)G#fx%?EM9|2;5&tv9t z=FMGmPuzr`bm7p^TWF$s<18^gW02lpwZW00;E9+ah@0t&gz2T5QFq_=i0^yCU-#Cy z6mgY6!uhJvljTq*sL3 zdxW1h=x+g&A^1PiQbnxRdCu@e&=}@VrJGvb*;PeV)}x=p3=WQI-6>+B`t5m`w{4y^e~Xbf#?haWcT1Q`E`) z9(i=5*y}!kNqW|`RNC28u2BCVS7P%qY|=p<$*!ak1YMlbK!eShi^iQY^`##Jt?O=M zWZaB^V)d5kLyNukVLn1f={W%8(%U)n&kd4^M>YlkE59D?>!8+A0s-V`ncuHNSOcUIau&q_0d4_Kc^BQ~|%Ly<^oSCVz^|58u_i7&! za13#}Yd*Y33p@nzHb>4}BX(u5g*ua^^uB5WNN2Tk5h#5Ly7tWsIHG6_weCm$^t`&9 z+|~WTk>bSVX zFEc0p5&C}niKg)PH{$=#z5aVM{pBzIU)|ro_nrSV?wiT~3;!o@jQN}Y)65V5r#}Aw zpK|_h;=lL$5C3;u@YQnE;PC&ini&0c1`vC2xC_wu;|2m#cykT17%-Kn_blG474CX! 
z*2OBV`GQubmylJ%N;{SBkjQe_*V-2Mt$AtAU9riQhxeVi)>)HSY7huMLbsmW!%I?7 z!p;U_-!d|B9WU{)Y1~wU7!tQsTlHb@U{rY2#Vk|h7HH%Jx#e4d3K!vmC~Ew_}JG593h`nr-X^VD9eJv`&b|0-Kr zczJXXZMk=P#F!3`Y424KxX`>^%V>;{oVX>YY~F?YYLD~76fKrqy%4F#TOpPJdCwP4 zg2rpNlwP?kB1YZrayAT{U~Z~n<;qSO0&OhM^z4;LxjchWW}CUuCDf@h@rgZ1n=YU@ zZq=uy)u$V1h`C2C`1*LSj`)6s+p7YspT~~BvQNvyZ>tk@)w4G)Jhvk|AfC&JLyZ%X zk6AxiRAH5mCTwg?N=5zTlg%xkIGn+3Br3orpTbh6qthRBdjXK~j(Cg4 z55h7BF0RDsj}gw&hvBW4K=rL+V52h%2Tx=@?E!m17<#vaIFJ?<>*e+eN!?t)_uPP& zK}qMAn<_h!Ra`ASD_jEl+t`JAE&OM3!pHXu2oF?m`_4TkrejViL=8%;$Z5*7qlMdu zNM0juId0K(*H!c6yMx35*Q8&DJK*L8IWy__4pN52eq?MUCiGxVVo^$?X$FD?__JGD zKG~l;qFOKqzL&&Abmx1C$bi6-sE`(xOPlKhX}j(jn{EaTbG6H}(LdtWC(lc7b&q+B zvfG2eTMKs^oO+<<&h&fd)C)XP$my6g2&6?vqxWPuhl(&dJ63F$u605pY70w;+O;l| zmn#~KRyY-LkF?ZyKn9k+O2@?3R0eoFPkdtMoec%2a8eAObP|}+Z!aZw@S60jc*X@d zB8PNGhmIccD4C>yC;FH29_|-ss$RncueH2Fi@)xdg%J~XVw0mkSB0wH!F53l%M5MO zb;$*m2WDu_E8dlgPFy9n$1U7z>OQjZ3^G%G(C15?T(Q?WsCGVHp1msadBkzIp(fZA zwYCc?HjHv^a6uyE$<%S}tu<*71g|@Ex)q1w>gn3eUFTXmo~RCc@3gGtapi?-XUnaS z7jr@V^Kqg$dJd1Xi9qwdD;>z463;qEpNJYaPBo_!v%4k#2`CoN_l#e#mOkAbuTG{rwQ~E72z($aG({L zO_lOL{xn?uL%aEJEbQ~nhroxxhroxxhroxxhroxxhroxxhroxxhroxxhroxxhroxx PhroxxhroxxZwUMeqYnAT literal 0 HcmV?d00001 diff --git a/tests/unit/test_helper.bash b/tests/unit/test_helper.bash index 763574a8c..37db58b5c 100644 --- a/tests/unit/test_helper.bash +++ b/tests/unit/test_helper.bash @@ -109,3 +109,10 @@ setup_test_tls() { tar xf $BATS_TEST_DIRNAME/server_ssl.tar -C $TLS sudo chown -R dokku:dokku $TLS } + +setup_test_tls_with_sans() { + TLS="/home/dokku/$TEST_APP/tls" + mkdir -p $TLS + tar xf $BATS_TEST_DIRNAME/server_ssl_sans.tar -C $TLS + sudo chown -R dokku:dokku $TLS +}
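Review bot: `setup_test_tls_with_sans` repeats `setup_test_tls` line for line with only the archive name changed. Giving the existing helper an optional archive argument, `tar xf $BATS_TEST_DIRNAME/${1:-server_ssl.tar} -C $TLS`, lets the new one collapse to `setup_test_tls_with_sans() { setup_test_tls server_ssl_sans.tar; }`, so a future change to the TLS directory layout is made in one place. The unquoted `$TLS` and `$BATS_TEST_DIRNAME` expansions are copied from the existing helper; quoting them is a separate, pre-existing style issue.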