Request: Implement access controls allowing a user to request certs for any subdomain of ${DOMAIN}

[jsimpso]

Enhancement Proposal

Hi,

I've run into some (at least to me) unexpected behaviour with this charm that I think we can improve for a better overall experience.

It's been established that if a user is allowed to request certs for example.com, this implicitly grants access to request a wildcard cert for *.example.com as the challenge domain is the same for either (see Canonical internal chat link).

What this doesn't do is allow that user to submit requests for any subdomain-specific certs, e.g. test.example.com.

Could we please look into either:

1. Leaning into this implicit access, authorising the user with access to example.com to request a cert for any valid domain matching ^.*\.example\.com$.
2. As we've established that granting access to *.example.com alongside example.com currently does nothing, change the behaviour so that granting access to *.example.com is a method of explicitly allowing the user to request a specific cert for any subdomain of example.com.
3. Adding some other method of explicitly allowing the user to request a certificate for any subdomain of example.com, such as juju run httprequest-lego-provider/0 allow-domains --string-args username=example-user domains='example.com' subdomains='example.com' or allow-subdomains --string-args username=example-user parent-domains='example.com'.

Keen to hear your thoughts.

Thanks!

[jsimpso]

After thinking on this some more I'm actually inclined to suggest that the implicit behavior of allowed-domains=example.com allowing a user to request the wildcard cert for *.example.com should be considered a bug in violation of the principle of least privilege, and should be replaced with a mechanism to explicitly grant access for requesting wildcard certs only where needed and justified.