Add configuration parameter

Signed-off-by: Peter Verraedt <peter@verraedt.be>

builtin/credential/cert/path_config.go

@@ -17,6 +17,11 @@ func pathConfig(b *backend) *framework.Path {
 				Default:     false,
 				Description: `If set, during renewal, skips the matching of presented client identity with the client identity used during login. Defaults to false.`,
 			},
+			"enable_identity_alias_metadata": {
+				Type:        framework.TypeBool,
+				Default:     false,
+				Description: `If set, metadata of the certificate including the metadata corresponding to allowed_metadata_extensions will be stored in the alias. Defaults to false.`,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -27,9 +32,11 @@ func pathConfig(b *backend) *framework.Path {
 
 func (b *backend) pathConfigWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	disableBinding := data.Get("disable_binding").(bool)
+	enableIdentityAliasMetadata := data.Get("enable_identity_alias_metadata").(bool)
 
 	entry, err := logical.StorageEntryJSON("config", config{
-		DisableBinding: disableBinding,
+		DisableBinding:              disableBinding,
+		EnableIdentityAliasMetadata: enableIdentityAliasMetadata,
 	})
 	if err != nil {
 		return nil, err
@@ -59,5 +66,6 @@ func (b *backend) Config(ctx context.Context, s logical.Storage) (*config, error
 }
 
 type config struct {
-	DisableBinding bool `json:"disable_binding"`
+	DisableBinding              bool `json:"disable_binding"`
+	EnableIdentityAliasMetadata bool `json:"enable_identity_alias_metadata"`
 }

builtin/credential/cert/path_login.go

@@ -59,6 +59,11 @@ func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Requ
 }
 
 func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	config, err := b.Config(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+
 	var matched *ParsedCert
 	if verifyResp, resp, err := b.verifyCredentials(ctx, req, data); err != nil {
 		return nil, err
@@ -111,10 +116,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 		DisplayName: matched.Entry.DisplayName,
 		Metadata:    metadata,
 		Alias: &logical.Alias{
-			Name:     clientCerts[0].Subject.CommonName,
-			Metadata: metadata,
+			Name: clientCerts[0].Subject.CommonName,
 		},
 	}
+
+	if config.EnableIdentityAliasMetadata {
+		auth.Alias.Metadata = metadata
+	}
+
 	matched.Entry.PopulateTokenAuth(auth)
 
 	return &logical.Response{