Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Let allowed_users template mix templated and non-templated parts #10886

Merged
merged 5 commits into from
Oct 19, 2021

Conversation

phihos
Copy link
Contributor

@phihos phihos commented Feb 10, 2021

As outlined in #10388 the regex checking for templates tags in allowed_users when signing SSH certs could be more liberal. By removing ^ and $ templates like username-{{ identity.entity.name }} are also allowed.

@hashicorp-cla
Copy link

hashicorp-cla commented Feb 10, 2021

CLA assistant check
All committers have signed the CLA.

@vercel vercel bot temporarily deployed to Preview – vault February 10, 2021 16:15 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook February 10, 2021 16:15 Inactive
@phihos
Copy link
Contributor Author

phihos commented Feb 10, 2021

I also would like to provide a test, but I could not find out how to create a new entity and acquire a token for it with the logicaltest.TestCase. I you could point me in the right direction I will gladly write a test for that.

@candlerb
Copy link
Contributor

candlerb commented Mar 3, 2021

A quick scan suggested these may be helpful:

@vercel vercel bot temporarily deployed to Preview – vault March 5, 2021 22:41 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook March 5, 2021 22:41 Inactive
@phihos
Copy link
Contributor Author

phihos commented Mar 5, 2021

@candlerb Thanks for the pointer. I implemented a test now, but I must admit that I am not fully satisfied with the result. logicaltest.TestCase would have been perfect because it is structured nicely, but since it does not allow to declare both a LogicalFactory and a CredentialFactory I was forced to create a Vault instance with NewTestCluster. The test turned out way more verbose than I intended. Maybe you or somebody else knows how to improve this without writing a new vault testing framework.

expectedValidPrincipal := "ssh-" + testSshUsername

// Setup Vault cluster with a preexisting entity.
coreConfig := &vault.CoreConfig{
Copy link
Contributor

@pmmukh pmmukh Sep 14, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be possible to rewrite the setup code in this test to reuse getSshCaTestCluster ? I think if so, that might address the verbosity issue you've pointed out above.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, that is exactly what I needed. I changed it accordingly.

@pmmukh
Copy link
Contributor

pmmukh commented Sep 14, 2021

Another thing, I think it might be nice to add a test that checks just the currently supported {{..}} format. This is really only cause I noticed the prior PR did not have tests in them, so a test similar to what you currently have but for the existing format might be nice, to show there's no regression with this change. But also, I totally understand if that feels a bit out of scope for this PR and am fine skipping this too!

@pmmukh
Copy link
Contributor

pmmukh commented Oct 12, 2021

Hi @phihos ! If you're still looking to get this PR merged in, could you please take a look at the couple comments I dropped? This is a change we're pretty interested in getting merged in, so would be great if you can!

@phihos
Copy link
Contributor Author

phihos commented Oct 13, 2021

Hi @pmmukh. Sorry for the late reply, I was pretty caught up in work lately. I will try to implement your comments today or this weekend should that fail. I am happy to hear about your interest to merge this PR.

@vercel vercel bot temporarily deployed to Preview – vault October 17, 2021 17:52 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 17, 2021 17:52 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 17, 2021 17:55 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 17, 2021 17:55 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 17, 2021 18:01 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 17, 2021 18:01 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 17, 2021 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 17, 2021 18:03 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 17, 2021 18:19 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 17, 2021 18:19 Inactive
@phihos
Copy link
Contributor Author

phihos commented Oct 17, 2021

@pmmukh I changed the existing test and added a second one that tests the old functionality. I extracted the common test code into an additional function.

Copy link
Contributor

@pmmukh pmmukh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test changes look great, thanks for the followup and especially for adding the test on the current functionality! Have a couple small nits, but more importantly, this change needs a changelog, with a changelog added this should be good to go!

builtin/logical/ssh/backend_test.go Outdated Show resolved Hide resolved
builtin/logical/ssh/backend_test.go Outdated Show resolved Hide resolved
@pmmukh
Copy link
Contributor

pmmukh commented Oct 19, 2021

Just another point that I thought of, could you maybe add a line about this behavior here https://www.vaultproject.io/api-docs/secret/ssh#allowed_users ? Maybe something like, "when allowed_users_template is set, this field can contain an identity template, with any prefix or suffix, like ssh-{identity.entity.id}-user" ? Feel free to word it how you want btw, just a suggestion.

@phihos phihos requested a review from taoism4504 as a code owner October 19, 2021 19:05
@vercel vercel bot temporarily deployed to Preview – vault October 19, 2021 19:06 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 19:06 Inactive
@phihos
Copy link
Contributor Author

phihos commented Oct 19, 2021

I added the doc line you suggested. I am not sure if I did in the correct location though. @pmmukh Can you confirm that I did it correctly?

@vercel vercel bot temporarily deployed to Preview – vault October 19, 2021 19:14 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 19:14 Inactive
@phihos phihos requested a review from pmmukh October 19, 2021 19:14
Copy link
Contributor

@pmmukh pmmukh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just one note, lgtm!

website/content/api-docs/secret/ssh.mdx Show resolved Hide resolved
@pmmukh pmmukh merged commit 4203253 into hashicorp:main Oct 19, 2021
@phihos phihos deleted the fix-10388 branch October 20, 2021 09:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants