Fix role writing not allowing key_type of any (#4596)

Fixes #4595
hashicorp · May 19, 2018 · 157a14e · 157a14e
1 parent ec24d3d
commit 157a14e
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 20 deletions.
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
@@ -2580,24 +2580,6 @@ func TestBackend_Permitted_DNS_Domains(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, err = client.Logical().Write("root/roles/example", map[string]interface{}{
-		"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
-		"allow_bare_domains": true,
-		"allow_subdomains":   true,
-		"max_ttl":            "2h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = client.Logical().Write("int/roles/example", map[string]interface{}{
-		"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
-		"allow_subdomains":   true,
-		"allow_bare_domains": true,
-		"max_ttl":            "2h",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
 
 	// Direct issuing from root
 	_, err = client.Logical().Write("root/root/generate/internal", map[string]interface{}{
@@ -2625,6 +2607,33 @@ func TestBackend_Permitted_DNS_Domains(t *testing.T) {
 				argMap[currString] = arg
 			}
 		}
+		// We do this to ensure writing a key type of any is invalid when
+		// issuing and valid when signing
+		_, err = client.Logical().Write(path+"roles/example", map[string]interface{}{
+			"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
+			"allow_subdomains":   true,
+			"allow_bare_domains": true,
+			"max_ttl":            "2h",
+			"key_type":           "any",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		_, err = client.Logical().Write(path+"issue/example", argMap)
+		if err == nil {
+			t.Fatal("expected err from key_type any")
+		}
+		// Now put it back
+		_, err = client.Logical().Write(path+"roles/example", map[string]interface{}{
+			"allowed_domains":    "foobar.com,zipzap.com,abc.com,xyz.com",
+			"allow_subdomains":   true,
+			"allow_bare_domains": true,
+			"max_ttl":            "2h",
+			"key_type":           "rsa",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
 		_, err = client.Logical().Write(path+"issue/example", argMap)
 		switch {
 		case valid && err != nil:

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
@@ -153,6 +153,7 @@ func validateKeyTypeLength(keyType string, keyBits int) *logical.Response {
 			return logical.ErrorResponse(fmt.Sprintf(
 				"unsupported bit length for EC key: %d", keyBits))
 		}
+	case "any":
 	default:
 		return logical.ErrorResponse(fmt.Sprintf(
 			"unknown key type %s", keyType))

diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
@@ -88,7 +88,11 @@ func (b *backend) pathIssue(ctx context.Context, req *logical.Request, data *fra
 		return nil, err
 	}
 	if role == nil {
-		return logical.ErrorResponse(fmt.Sprintf("Unknown role: %s", roleName)), nil
+		return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
+	}
+
+	if role.KeyType == "any" {
+		return logical.ErrorResponse("role key type \"any\" not allowed for issuing certificates, only signing"), nil
 	}
 
 	return b.pathIssueSignCert(ctx, req, data, role, false, false)
@@ -105,7 +109,7 @@ func (b *backend) pathSign(ctx context.Context, req *logical.Request, data *fram
 		return nil, err
 	}
 	if role == nil {
-		return logical.ErrorResponse(fmt.Sprintf("Unknown role: %s", roleName)), nil
+		return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
 	}
 
 	return b.pathIssueSignCert(ctx, req, data, role, true, false)