Skip to content

Commit

Permalink
Fix role writing not allowing key_type of any
Browse files Browse the repository at this point in the history
Fixes #4595
  • Loading branch information
jefferai committed May 19, 2018
1 parent ec24d3d commit a9e2551
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 20 deletions.
45 changes: 27 additions & 18 deletions builtin/logical/pki/backend_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2580,24 +2580,6 @@ func TestBackend_Permitted_DNS_Domains(t *testing.T) {
if err != nil {
t.Fatal(err)
}
_, err = client.Logical().Write("root/roles/example", map[string]interface{}{
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
"allow_bare_domains": true,
"allow_subdomains": true,
"max_ttl": "2h",
})
if err != nil {
t.Fatal(err)
}
_, err = client.Logical().Write("int/roles/example", map[string]interface{}{
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
"allow_subdomains": true,
"allow_bare_domains": true,
"max_ttl": "2h",
})
if err != nil {
t.Fatal(err)
}

// Direct issuing from root
_, err = client.Logical().Write("root/root/generate/internal", map[string]interface{}{
Expand Down Expand Up @@ -2625,6 +2607,33 @@ func TestBackend_Permitted_DNS_Domains(t *testing.T) {
argMap[currString] = arg
}
}
// We do this to ensure writing a key type of any is invalid when
// issuing and valid when signing
_, err = client.Logical().Write(path+"roles/example", map[string]interface{}{
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
"allow_subdomains": true,
"allow_bare_domains": true,
"max_ttl": "2h",
"key_type": "any",
})
if err != nil {
t.Fatal(err)
}
_, err = client.Logical().Write(path+"issue/example", argMap)
if err == nil {
t.Fatal("expected err from key_type any")
}
// Now put it back
_, err = client.Logical().Write(path+"roles/example", map[string]interface{}{
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
"allow_subdomains": true,
"allow_bare_domains": true,
"max_ttl": "2h",
"key_type": "rsa",
})
if err != nil {
t.Fatal(err)
}
_, err = client.Logical().Write(path+"issue/example", argMap)
switch {
case valid && err != nil:
Expand Down
1 change: 1 addition & 0 deletions builtin/logical/pki/cert_util.go
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,7 @@ func validateKeyTypeLength(keyType string, keyBits int) *logical.Response {
return logical.ErrorResponse(fmt.Sprintf(
"unsupported bit length for EC key: %d", keyBits))
}
case "any":
default:
return logical.ErrorResponse(fmt.Sprintf(
"unknown key type %s", keyType))
Expand Down
8 changes: 6 additions & 2 deletions builtin/logical/pki/path_issue_sign.go
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,11 @@ func (b *backend) pathIssue(ctx context.Context, req *logical.Request, data *fra
return nil, err
}
if role == nil {
return logical.ErrorResponse(fmt.Sprintf("Unknown role: %s", roleName)), nil
return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
}

if role.KeyType == "any" {
return logical.ErrorResponse("role key type \"any\" not allowed for issuing certificates, only signing"), nil
}

return b.pathIssueSignCert(ctx, req, data, role, false, false)
Expand All @@ -105,7 +109,7 @@ func (b *backend) pathSign(ctx context.Context, req *logical.Request, data *fram
return nil, err
}
if role == nil {
return logical.ErrorResponse(fmt.Sprintf("Unknown role: %s", roleName)), nil
return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
}

return b.pathIssueSignCert(ctx, req, data, role, true, false)
Expand Down

0 comments on commit a9e2551

Please sign in to comment.