Let allowed_users template mix templated and non-templated parts #10886
Conversation
I also would like to provide a test, but I could not find out how to create a new entity and acquire a token for it with the
A quick scan suggested these may be helpful:
@candlerb Thanks for the pointer. I implemented a test now, but I must admit that I am not fully satisfied with the result.
builtin/logical/ssh/backend_test.go (review comment on an outdated revision)
expectedValidPrincipal := "ssh-" + testSshUsername
// Setup Vault cluster with a preexisting entity.
coreConfig := &vault.CoreConfig{
Would it be possible to rewrite the setup code in this test to reuse getSshCaTestCluster? I think if so, that might address the verbosity issue you've pointed out above.
Thanks, that is exactly what I needed. I changed it accordingly.
Another thing, I think it might be nice to add a test that checks just the currently supported
Hi @phihos! If you're still looking to get this PR merged in, could you please take a look at the couple comments I dropped? This is a change we're pretty interested in getting merged in, so would be great if you can!
Hi @pmmukh. Sorry for the late reply, I was pretty caught up in work lately. I will try to implement your comments today, or this weekend should that fail. I am happy to hear about your interest to merge this PR.
@pmmukh I changed the existing test and added a second one that tests the old functionality. I extracted the common test code into an additional function. |
The test changes look great, thanks for the followup and especially for adding the test on the current functionality! Have a couple small nits, but more importantly, this change needs a changelog, with a changelog added this should be good to go!
Just another point that I thought of, could you maybe add a line about this behavior here https://www.vaultproject.io/api-docs/secret/ssh#allowed_users ? Maybe something like, "when allowed_users_template is set, this field can contain an identity template, with any prefix or suffix, like ssh-{identity.entity.id}-user"? Feel free to word it how you want btw, just a suggestion.
I added the doc line you suggested. I am not sure if I did in the correct location though. @pmmukh Can you confirm that I did it correctly? |
just one note, lgtm!
As outlined in #10388, the regex checking for template tags in allowed_users when signing SSH certs could be more liberal. By removing `^` and `$`, templates like `username-{{ identity.entity.name }}` are also allowed.
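To make the anchored-versus-unanchored difference concrete, here is an added Go example that is not Vault's code and not part of this PR's diff. It models an allowed_users entry being checked for a template tag, rendered against a caller's entity, and compared with the requested principal. The entity struct, the restriction to only identity.entity.id and identity.entity.name, the optional whitespace inside the braces, and all function names are assumptions made for illustration; Vault's real identity templating supports more fields and is implemented differently.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// entity is a constructed stand-in for the identity data Vault would resolve
// from the caller's token. Only the two fields used in the PR discussion are
// modelled (assumption for this example).
type entity struct {
	ID   string
	Name string
}

// anchoredTag models the pre-PR check: the whole allowed_users entry must be
// exactly one template tag, so any prefix or suffix disqualifies it.
var anchoredTag = regexp.MustCompile(`^\{\{\s*identity\.entity\.(id|name)\s*\}\}$`)

// tag models the post-PR check: a template tag may appear anywhere in the entry,
// with arbitrary literal text before or after it.
var tag = regexp.MustCompile(`\{\{\s*identity\.entity\.(id|name)\s*\}\}`)

// render substitutes every identity.entity.* tag in entry using ent.
// Text outside the tags is kept verbatim, so "ssh-{{identity.entity.id}}-user"
// becomes "ssh-<id>-user".
func render(entry string, ent entity) string {
	return tag.ReplaceAllStringFunc(entry, func(m string) string {
		if tag.FindStringSubmatch(m)[1] == "id" {
			return ent.ID
		}
		return ent.Name
	})
}

// allowedPrincipals expands a comma-separated allowed_users value into the
// concrete principals a caller with entity ent may request. With templating
// off, entries are literal. With templating on, an entry is rendered only if
// it passes the selected (anchored or unanchored) template check; otherwise it
// stays literal, which is why mixed entries never match under the anchored check.
func allowedPrincipals(allowedUsers string, templateOn, anchored bool, ent entity) []string {
	var out []string
	for _, raw := range strings.Split(allowedUsers, ",") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			continue
		}
		if !templateOn {
			out = append(out, entry)
			continue
		}
		matcher := tag
		if anchored {
			matcher = anchoredTag
		}
		if matcher.MatchString(entry) {
			out = append(out, render(entry, ent))
		} else {
			out = append(out, entry)
		}
	}
	return out
}

// principalAllowed reports whether the requested principal is exactly one of the
// expanded allowed principals. The comparison is on the whole string, so literal
// prefixes and suffixes constrain the principal rather than acting as wildcards.
func principalAllowed(allowedUsers, principal string, templateOn, anchored bool, ent entity) bool {
	for _, p := range allowedPrincipals(allowedUsers, templateOn, anchored, ent) {
		if p == principal {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample entity and allowed_users value.
	ent := entity{ID: "2f8e7a1c", Name: "alice"}
	const users = "{{identity.entity.name}}, ssh-{{identity.entity.id}}-user, admin"
	for _, anchored := range []bool{true, false} {
		fmt.Printf("anchored=%v -> %v\n", anchored, allowedPrincipals(users, true, anchored, ent))
	}
}
```

With the anchored check, the mixed entry is left as the literal string "ssh-{{identity.entity.id}}-user" and can never equal a real principal; with the unanchored check it renders to "ssh-2f8e7a1c-user". In both modes the principal must equal the entire rendered entry, so loosening the regex widens which entries are treated as templates without turning the literal parts into wildcards.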