From 8f01bdec65fb82355c4375b5f1ceec26cfe1991c Mon Sep 17 00:00:00 2001 From: Andrew Harding Date: Mon, 10 Jun 2024 06:52:08 -0600 Subject: [PATCH] Remove deprecated exclude_sn_from_ca_subject configurable This flag has been deprecated since 1.9.0 and is ready for removal. Signed-off-by: Andrew Harding --- cmd/spire-server/cli/run/run.go | 8 ------ conf/server/server_full.conf | 3 --- doc/spire_server.md | 1 - pkg/server/config.go | 3 --- pkg/server/credtemplate/builder.go | 25 +++++++++--------- pkg/server/credtemplate/builder_test.go | 35 ++++++------------------- pkg/server/server.go | 17 ++++++------ 7 files changed, 28 insertions(+), 64 deletions(-) diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go index 1042838e6b..4f4e9ed628 100644 --- a/cmd/spire-server/cli/run/run.go +++ b/cmd/spire-server/cli/run/run.go @@ -84,8 +84,6 @@ type serverConfig struct { RateLimit rateLimitConfig `hcl:"ratelimit"` SocketPath string `hcl:"socket_path"` TrustDomain string `hcl:"trust_domain"` - // Temporary flag to allow disabling the inclusion of serial number in X509 CAs Subject field - ExcludeSNFromCASubject bool `hcl:"exclude_sn_from_ca_subject"` ConfigPath string ExpandEnv bool @@ -639,12 +637,6 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool sc.CASubject = credtemplate.DefaultX509CASubject() } - sc.ExcludeSNFromCASubject = c.Server.ExcludeSNFromCASubject - // TODO: remove exclude_sn_from_ca_subject in SPIRE v1.10.0 - if sc.ExcludeSNFromCASubject { - sc.Log.Warn("The deprecated exclude_sn_from_ca_subject configurable will be removed in a future release") - } - sc.PluginConfigs, err = catalog.PluginConfigsFromHCLNode(c.Plugins) if err != nil { return nil, err diff --git a/conf/server/server_full.conf b/conf/server/server_full.conf index 14c647ffa6..0e73c1a5a0 100644 --- a/conf/server/server_full.conf +++ b/conf/server/server_full.conf 
@@ -33,9 +33,6 @@ server { common_name = "" } - # Temporary flag to allow disabling the inclusion of serial number in X509 CAs Subject field - # exclude_sn_from_ca_subject = false - # ca_ttl: The default CA/signing key TTL. Default: 24h. # ca_ttl = "24h" diff --git a/doc/spire_server.md b/doc/spire_server.md index db40dfb2c2..7c2d16094e 100644 --- a/doc/spire_server.md +++ b/doc/spire_server.md @@ -81,7 +81,6 @@ This may be useful for templating configuration files, for example across differ | `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | | | `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock | | `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | | -| `exclude_sn_from_ca_subject` | Do not include certificate serial number in the subject field | false | | ca_subject | Description | Default | |:----------------------------|--------------------------------|----------------| diff --git a/pkg/server/config.go b/pkg/server/config.go index bd92697c3f..e806f47cfa 100644 --- a/pkg/server/config.go +++ b/pkg/server/config.go @@ -113,9 +113,6 @@ type Config struct { // AdminIDs are a list of fixed IDs that when presented by a caller in an // X509-SVID, are granted admin rights. AdminIDs []spiffeid.ID - - // Temporary flag to allow disabling the inclusion of serial number in X509 CAs Subject field - ExcludeSNFromCASubject bool } type ExperimentalConfig struct { diff --git a/pkg/server/credtemplate/builder.go b/pkg/server/credtemplate/builder.go index df55a5c1ba..6f13693cad 100644 --- a/pkg/server/credtemplate/builder.go +++ b/pkg/server/credtemplate/builder.go 
@@ -99,18 +99,17 @@ type WorkloadJWTSVIDParams struct { } type Config struct { - TrustDomain spiffeid.TrustDomain - Clock clock.Clock - X509CASubject pkix.Name - X509CATTL time.Duration - X509SVIDSubject pkix.Name - X509SVIDTTL time.Duration - JWTSVIDTTL time.Duration - JWTIssuer string - AgentSVIDTTL time.Duration - CredentialComposers []credentialcomposer.CredentialComposer - NewSerialNumber func() (*big.Int, error) - ExcludeSNFromCASubject bool + TrustDomain spiffeid.TrustDomain + Clock clock.Clock + X509CASubject pkix.Name + X509CATTL time.Duration + X509SVIDSubject pkix.Name + X509SVIDTTL time.Duration + JWTSVIDTTL time.Duration + JWTIssuer string + AgentSVIDTTL time.Duration + CredentialComposers []credentialcomposer.CredentialComposer + NewSerialNumber func() (*big.Int, error) } type Builder struct { @@ -367,7 +366,7 @@ func (b *Builder) buildX509CATemplate(publicKey crypto.PublicKey, parentChain [] } tmpl.Subject = b.config.X509CASubject - if tmpl.Subject.SerialNumber == "" && !b.config.ExcludeSNFromCASubject { + if tmpl.Subject.SerialNumber == "" { tmpl.Subject.SerialNumber = tmpl.SerialNumber.String() } tmpl.NotBefore, tmpl.NotAfter = b.computeX509CALifetime(parentChain, ttl) diff --git a/pkg/server/credtemplate/builder_test.go b/pkg/server/credtemplate/builder_test.go index 442326ea59..b913190b7e 100644 --- a/pkg/server/credtemplate/builder_test.go +++ b/pkg/server/credtemplate/builder_test.go 
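Review bot: In the second hunk of builder.go, with the `!b.config.ExcludeSNFromCASubject` guard gone, the `if tmpl.Subject.SerialNumber == ""` branch now unconditionally copies the certificate serial into the CA Subject, and nothing at that line records why, so a later reader could mistake it for an accident and remove it. A short why-comment above the `if` would close that gap, e.g. `// Stamp the certificate serial into Subject.SerialNumber unless the operator supplied one, so each issued CA certificate carries a distinct Subject even when X509CASubject is identical across rotations.` The "unless the operator supplied one" part is traceable to the visible condition; the distinct-Subject-per-rotation rationale is my inference from the former flag's purpose and should be confirmed against the original motivation before being written down as fact. buildX509CATemplate begins and ends outside this hunk.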
@@ -76,15 +76,14 @@ func TestNewBuilderSetsDefaults(t *testing.T) { config.NewSerialNumber = nil assert.Equal(t, credtemplate.Config{ - TrustDomain: td, - X509CASubject: credtemplate.DefaultX509CASubject(), - X509CATTL: credtemplate.DefaultX509CATTL, - X509SVIDSubject: credtemplate.DefaultX509SVIDSubject(), - X509SVIDTTL: credtemplate.DefaultX509SVIDTTL, - JWTSVIDTTL: credtemplate.DefaultJWTSVIDTTL, - JWTIssuer: "", - AgentSVIDTTL: credtemplate.DefaultX509SVIDTTL, - ExcludeSNFromCASubject: false, + TrustDomain: td, + X509CASubject: credtemplate.DefaultX509CASubject(), + X509CATTL: credtemplate.DefaultX509CATTL, + X509SVIDSubject: credtemplate.DefaultX509SVIDSubject(), + X509SVIDTTL: credtemplate.DefaultX509SVIDTTL, + JWTSVIDTTL: credtemplate.DefaultJWTSVIDTTL, + JWTIssuer: "", + AgentSVIDTTL: credtemplate.DefaultX509SVIDTTL, }, config) } @@ -150,15 +149,6 @@ func TestBuildSelfSignedX509CATemplate(t *testing.T) { expected.NotAfter = now.Add(time.Minute * 23) }, }, - { - desc: "exclude serial number from subject", - overrideConfig: func(config *credtemplate.Config) { - config.ExcludeSNFromCASubject = true - }, - overrideExpected: func(expected *x509.Certificate) { - expected.Subject = pkix.Name{Country: []string{"US"}, Organization: []string{"SPIFFE"}} - }, - }, { desc: "override X509CASubject", overrideConfig: func(config *credtemplate.Config) { @@ -274,15 +264,6 @@ func TestBuildUpstreamSignedX509CACSR(t *testing.T) { }, expectErr: "x509: unsupported public key type: ", }, - { - desc: "exclude serial number from subject", - overrideConfig: func(config *credtemplate.Config) { - config.ExcludeSNFromCASubject = true - }, - overrideExpected: func(expected *x509.CertificateRequest) { - expected.Subject = pkix.Name{Country: []string{"US"}, Organization: []string{"SPIFFE"}} - }, - }, { desc: "override X509CASubject", overrideConfig: func(config *credtemplate.Config) { diff --git a/pkg/server/server.go b/pkg/server/server.go index d860b286bb..8b5276ba35 100644 
--- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -295,15 +295,14 @@ func (s *Server) loadCatalog(ctx context.Context, metrics telemetry.Metrics, ide func (s *Server) newCredBuilder(cat catalog.Catalog) (*credtemplate.Builder, error) { return credtemplate.NewBuilder(credtemplate.Config{ - TrustDomain: s.config.TrustDomain, - X509CASubject: s.config.CASubject, - X509CATTL: s.config.CATTL, - AgentSVIDTTL: s.config.AgentTTL, - X509SVIDTTL: s.config.X509SVIDTTL, - JWTSVIDTTL: s.config.JWTSVIDTTL, - JWTIssuer: s.config.JWTIssuer, - ExcludeSNFromCASubject: s.config.ExcludeSNFromCASubject, - CredentialComposers: cat.GetCredentialComposers(), + TrustDomain: s.config.TrustDomain, + X509CASubject: s.config.CASubject, + X509CATTL: s.config.CATTL, + AgentSVIDTTL: s.config.AgentTTL, + X509SVIDTTL: s.config.X509SVIDTTL, + JWTSVIDTTL: s.config.JWTSVIDTTL, + JWTIssuer: s.config.JWTIssuer, + CredentialComposers: cat.GetCredentialComposers(), }) }