open-consul/agent/consul
Freddy e4e306210a
Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 10:14:48 -07:00
authmethod Fix a bunch of unparam lint issues 2020-06-24 13:00:14 -04:00
discoverychain Revert EnvoyConfig nesting 2020-09-11 09:21:43 -06:00
fsm trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
prepared_query Enable gofmt simplify 2020-06-16 13:21:11 -04:00
state Merge pull request #9114 from hashicorp/dnephin/filtering-in-stream 2020-11-16 14:20:07 -05:00
stream stream: document that Payload must be immutable 2020-11-06 13:00:33 -05:00
testdata Fix support for RSA CA keys in Connect. (#6638) 2019-11-01 13:20:26 +00:00
usagemetrics trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
wanfed wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
acl.go add the service name in the agent rather than in the definitions themselves 2020-11-13 13:18:04 -08:00
acl_authmethod.go ACL Node Identities (#7970) 2020-06-16 12:54:27 -04:00
acl_authmethod_oss.go acl: add auth method for JWTs (#7846) 2020-05-11 20:59:29 -05:00
acl_authmethod_test.go acl: refactor the authmethod.Validator interface (#7760) 2020-05-01 17:35:28 -05:00
acl_client.go Add per-agent reconnect timeouts (#8781) 2020-10-08 15:02:19 -04:00
acl_endpoint.go add the service name in the agent rather than in the definitions themselves 2020-11-13 13:18:04 -08:00
acl_endpoint_legacy.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
acl_endpoint_oss.go acl: add auth method for JWTs (#7846) 2020-05-11 20:59:29 -05:00
acl_endpoint_test.go Fix a bunch of linter warnings 2020-11-09 09:22:12 -05:00
acl_oss.go Allow the PolicyResolve and RoleResolve endpoints to process na… (#7296) 2020-02-13 14:55:27 -05:00
acl_oss_test.go Update the ACL Resolver to allow for Consul Enterprise specific hooks. (#6687) 2019-10-25 11:06:16 -04:00
acl_replication.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
acl_replication_legacy.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
acl_replication_legacy_test.go AuthMethod updates to support alternate namespace logins (#7029) 2020-01-14 10:09:29 -05:00
acl_replication_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
acl_replication_types.go testing: Fix govet errors 2020-08-21 18:01:55 +01:00
acl_server.go Add per-agent reconnect timeouts (#8781) 2020-10-08 15:02:19 -04:00
acl_server_oss.go Allow the bootstrap endpoint to be disabled in enterprise. (#7614) 2020-04-14 11:45:39 -04:00
acl_test.go Fix a bunch of linter warnings 2020-11-09 09:22:12 -05:00
acl_token_exp.go Remove ACLsEnabled from delegate interface 2020-07-03 17:00:20 -04:00
acl_token_exp_test.go acl: adding support for kubernetes auth provider login (#5600) 2019-04-26 14:49:25 -05:00
auto_config_endpoint.go Agent Auto Config: Implement Certificate Generation (#8360) 2020-07-28 15:31:48 -04:00
auto_config_endpoint_test.go Fix a bunch of linter warnings 2020-11-09 09:22:12 -05:00
auto_encrypt_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-08 11:05:44 -04:00
auto_encrypt_endpoint_test.go Allow setting verify_incoming* when using auto_encrypt or auto_config (#8394) 2020-07-30 10:15:12 -04:00
autopilot.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
autopilot_oss.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
autopilot_test.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
catalog_endpoint.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
catalog_endpoint_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 14:05:01 -04:00
client.go add the service name in the agent rather than in the definitions themselves 2020-11-13 13:18:04 -08:00
client_serf.go Add per-agent reconnect timeouts (#8781) 2020-10-08 15:02:19 -04:00
client_test.go Fix a bunch of linter warnings 2020-11-09 09:22:12 -05:00
cluster_test.go A couple testing helper updates (#7694) 2020-04-27 12:17:38 -04:00
config.go Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
config_endpoint.go merge master 2020-11-16 10:46:53 -08:00
config_endpoint_test.go connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) 2020-10-06 13:24:05 -05:00
config_replication.go server: config entry replication now correctly uses namespaces in comparisons (#9024) 2020-10-23 13:41:54 -05:00
config_replication_test.go server: config entry replication now correctly uses namespaces in comparisons (#9024) 2020-10-23 13:41:54 -05:00
connect_ca_endpoint.go Require operator:write to get Connect CA config (#9240) 2020-11-19 10:14:48 -07:00
connect_ca_endpoint_test.go Require operator:write to get Connect CA config (#9240) 2020-11-19 10:14:48 -07:00
consul_ca_delegate.go connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index (#7011) 2020-01-09 16:32:19 +01:00
coordinate_endpoint.go Move RPC router from Client/Server and into BaseDeps (#8559) 2020-08-27 11:23:52 -04:00
coordinate_endpoint_test.go Replace goe/verify.Values with testify/require.Equal (#7993) 2020-06-02 12:41:25 -04:00
discovery_chain_endpoint.go Add method for downstreams from disco chain 2020-10-05 10:24:50 -06:00
discovery_chain_endpoint_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
enterprise_client_oss.go Sync some feature flag support from enterprise (#7167) 2020-01-29 13:21:38 -05:00
enterprise_config_oss.go Add EnterpriseConfig stubs (#6566) 2019-10-01 14:34:55 -04:00
enterprise_server_oss.go connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) 2020-06-26 16:59:15 -05:00
federation_state_endpoint.go add the service name in the agent rather than in the definitions themselves 2020-11-13 13:18:04 -08:00
federation_state_endpoint_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
federation_state_replication.go testing: Fix govet errors 2020-08-21 18:01:55 +01:00
federation_state_replication_test.go fix flaky TestReplication_FederationStates test due to race conditions (#7612) 2020-04-09 15:42:41 -05:00
filter.go Updates to the Txn API for namespaces (#7172) 2020-01-30 13:12:26 -05:00
filter_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
flood.go agent: refactor to use a single addrFn 2020-05-05 21:08:10 +02:00
gateway_locator.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-08 11:05:44 -04:00
gateway_locator_test.go stream: Use a no-op event publisher if streaming is disabled 2020-10-28 13:54:19 -04:00
health_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-08 11:05:44 -04:00
health_endpoint_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 14:05:01 -04:00
helper_test.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
intention_endpoint.go merge master 2020-11-16 10:46:53 -08:00
intention_endpoint_test.go connect: support defining intentions using layer 7 criteria (#8839) 2020-10-06 17:09:13 -05:00
internal_endpoint.go Add protocol to the topology endpoint response (#8868) 2020-10-08 17:31:54 -06:00
internal_endpoint_test.go Add HasExact to topology endpoint (#9010) 2020-10-23 10:45:41 -06:00
issue_test.go stream: Use a no-op event publisher if streaming is disabled 2020-10-28 13:54:19 -04:00
kvs_endpoint.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
kvs_endpoint_test.go ci: Enabled SA2002 staticcheck check 2020-06-05 17:50:11 -04:00
leader.go Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
leader_connect.go Stop intermediate renew routine on leader stop 2020-10-09 12:30:57 -07:00
leader_connect_test.go Fix intermediate refresh test comments 2020-10-09 08:53:33 -07:00
leader_federation_state_ae.go testing: Fix govet errors 2020-08-21 18:01:55 +01:00
leader_federation_state_ae_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
leader_intentions.go server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 13:56:41 -06:00
leader_intentions_oss.go server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 13:56:41 -06:00
leader_intentions_oss_test.go server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 13:56:41 -06:00
leader_intentions_test.go server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 13:56:41 -06:00
leader_routine_manager.go server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 13:56:41 -06:00
leader_routine_manager_test.go server: skip deleted and deleting namespaces when migrating intentions to config entries (#9186) 2020-11-13 13:56:41 -06:00
leader_test.go Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
logging.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
logging_test.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
merge.go agent: don't let left nodes hold onto their node-id (#7747) 2020-05-04 18:39:08 +02:00
merge_test.go
operator_autopilot_endpoint.go Prevent panic if autopilot health is requested prior to leader establishment finishing. (#9204) 2020-11-16 17:08:17 -05:00
operator_autopilot_endpoint_test.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
operator_endpoint.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
operator_raft_endpoint.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
operator_raft_endpoint_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
options.go subscribe: add a stateless subscribe service for the gRPC server 2020-10-06 12:49:35 -04:00
prepared_query_endpoint.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
prepared_query_endpoint_test.go Fix a bunch of linter warnings 2020-11-09 09:22:12 -05:00
raft_rpc.go
replication.go lib/retry: Refactor to reduce the interface surface 2020-10-04 18:12:42 -04:00
replication_test.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
rpc.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
rpc_test.go Fix a bunch of linter warnings 2020-11-09 09:22:12 -05:00
rtt.go
rtt_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
segment_oss.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
serf_test.go
server.go first pass on agent-configured prometheusDefs and adding defs for every consul metric 2020-11-12 18:12:12 -08:00
server_connect.go Move connect root retrieval and cert signing logic out of the RPC endpoints (#8364) 2020-07-24 10:00:51 -04:00
server_lookup.go Fix ACL mode advertisement and detection (#7451) 2020-03-16 12:54:45 -04:00
server_lookup_test.go ci: enable SA4006 staticcheck check 2020-06-16 13:10:11 -04:00
server_oss.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
server_register.go server: remove config entry CAS in legacy intention API bridge code (#9151) 2020-11-13 14:42:21 -06:00
server_serf.go Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
server_test.go Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
session_endpoint.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
session_endpoint_test.go ci: update to Go 1.15.4 and alpine:3.12 (#9036) 2020-11-13 13:02:59 -05:00
session_timers.go
session_timers_test.go
session_ttl.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
session_ttl_test.go OSS Modifications necessary for sessions namespacing 2019-11-25 12:07:04 -05:00
snapshot_endpoint.go pool: remove timeout parameter 2020-05-29 08:21:28 +02:00
snapshot_endpoint_test.go pool: remove useTLS and ForceTLS 2020-05-29 08:21:24 +02:00
stats_fetcher.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
stats_fetcher_test.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
status_endpoint.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
status_endpoint_test.go pool: remove useTLS and ForceTLS 2020-05-29 08:21:24 +02:00
subscribe_backend.go state: use enterprise meta for creating events 2020-10-30 14:34:04 -04:00
system_metadata.go connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) 2020-10-06 13:24:05 -05:00
system_metadata_test.go connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) 2020-10-06 13:24:05 -05:00
txn_endpoint.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
txn_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
util.go Move RPC router from Client/Server and into BaseDeps (#8559) 2020-08-27 11:23:52 -04:00
util_test.go Remove bytesToUint64 from agent/consul 2020-06-18 12:45:43 -04:00