TLS Certificate Auth Method support for filtering on UID field #5510

Closed
HT154 opened this issue Oct 14, 2018 · 4 comments

Comments

@HT154

HT154 commented Oct 14, 2018

My org has a central PKI system that issues client certs with three relevant fields set:

  • CN: the user-supplied CN set in the CSR
  • OU: the group that manages the certificate
  • UID: the group "identity" of the certificate

I'd like to use these certs to authenticate with Vault, which requires checking that both OU and UID are set to an allowed value. As far as I can tell, it's possible for Vault to filter on CN and OU, but not UID.

Please add support for setting an allowed_uids key in a CA Certificate Role.

I'm not sure if there's a use case here, but it could make sense to more generally handle all X.509 fields since PKIs can vary a lot.
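The check the issue asks for, as an added, self-contained example (not code from the issue or from Vault's cert auth method): a certificate carrying CN, OU and UID in its subject is parsed with Go's standard library, and a role with allow-lists for each field is applied. The UID attribute is the X.500 `userId` OID 0.9.2342.19200300.100.1.1, which `pkix.Name` has no named field for, so it has to be pulled out of `Subject.Names`. The `CertRole` struct, the `allowed_uids` semantics (any one of the subject's UID values must be on the list; an empty list means no restriction) and the self-signed test certificate are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidUID is the X.500 userId attribute (RFC 4519). Go's pkix.Name has no
// dedicated field for it, so it only shows up in Subject.Names after parsing.
var oidUID = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}

// CertRole is a hypothetical stand-in for a cert auth role: allowed_names (CN),
// allowed_organizational_units (OU) and the requested allowed_uids (UID).
// An empty list means that field is not restricted.
type CertRole struct {
	AllowedNames []string
	AllowedOUs   []string
	AllowedUIDs  []string
}

// SubjectUIDs returns every UID attribute value found in the subject DN.
func SubjectUIDs(cert *x509.Certificate) []string {
	var uids []string
	for _, atv := range cert.Subject.Names {
		if !atv.Type.Equal(oidUID) {
			continue
		}
		if s, ok := atv.Value.(string); ok {
			uids = append(uids, s)
		}
	}
	return uids
}

// anyAllowed reports whether at least one value is on the allow-list,
// or the list is empty (field unrestricted).
func anyAllowed(values, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	for _, v := range values {
		for _, a := range allowed {
			if v == a {
				return true
			}
		}
	}
	return false
}

// Authorize applies the CN, OU and UID checks; every configured list must match.
func Authorize(role CertRole, cert *x509.Certificate) error {
	if !anyAllowed([]string{cert.Subject.CommonName}, role.AllowedNames) {
		return fmt.Errorf("CN %q not in allowed_names", cert.Subject.CommonName)
	}
	if !anyAllowed(cert.Subject.OrganizationalUnit, role.AllowedOUs) {
		return fmt.Errorf("OU %v not in allowed_organizational_units", cert.Subject.OrganizationalUnit)
	}
	if uids := SubjectUIDs(cert); !anyAllowed(uids, role.AllowedUIDs) {
		return fmt.Errorf("UID %v not in allowed_uids", uids)
	}
	return nil
}

// NewTestCert builds a constructed, self-signed client cert with CN, OU and UID
// set, standing in for what the org's PKI would issue.
func NewTestCert(cn, ou, uid string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         cn,
			OrganizationalUnit: []string{ou},
			// UID has to go in ExtraNames; it is marshalled after the named fields.
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidUID, Value: uid}},
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	role := CertRole{AllowedOUs: []string{"platform-team"}, AllowedUIDs: []string{"svc-deploy"}}
	for _, c := range [][3]string{{"alice", "platform-team", "svc-deploy"}, {"bob", "platform-team", "svc-other"}} {
		cert, err := NewTestCert(c[0], c[1], c[2])
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", c[0], Authorize(role, cert))
	}
}
```

Because the CN is user-supplied in this PKI, the example leaves `AllowedNames` empty and relies on OU plus UID; matching is exact string comparison, so a production version would also have to decide how to treat multi-valued OU/UID and whether any pattern matching is wanted.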

@palsaurabh2005
Contributor

palsaurabh2005 commented Feb 26, 2019

I had submitted a PR on this very same requirement a while back.
#5453
Unfortunately I do not have inputs from maintainers yet.
If you wish, please comment, verify and involve other developers. I have added enough test cases and have had this setup tested over an extended period.

@bluecmd @michaelansel @vishalnayak @joemiller @armon @traviscosgrave

@jefferai
Member

Duplicate of #5453.

@palsaurabh2005 You don't need to keep tagging random people in comments. Only one of the people you tagged is actually a Vault developer anyways.

@palsaurabh2005
Contributor

palsaurabh2005 commented Feb 26, 2019

Thanks @jefferai for your attention on this.
The tagged folks are not random GitHub IDs, and the intention is not to bother you.
The PR had requests for comment for over 5 months so I tagged folks who are either Vault maintainers or developers who have submitted PRs or filed feature requests for Cert auth based on subject field validation.

@jefferai
Member

Please move discussion over to the PR.
