open-consul/agent
Freddy e4e306210a
Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 10:14:48 -07:00
ae testutil: NewLogBuffer - buffer logs until a test fails 2020-07-21 12:50:40 -04:00
auto-config ci: go-test-race switch to exclude list 2020-11-11 14:44:57 -05:00
cache finish adding static server metrics 2020-11-13 16:26:08 -08:00
cache-types cache-type: use namespace in tests 2020-10-30 15:07:04 -04:00
checks Return grpc serving status in health check errors 2020-09-22 21:16:58 +03:00
config Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
connect stream: Use a no-op event publisher if streaming is disabled 2020-10-28 13:54:19 -04:00
consul Require operator:write to get Connect CA config (#9240) 2020-11-19 10:14:48 -07:00
debug chore: upgrade to gopsutil/v3 (#9118) 2020-11-06 20:48:38 -05:00
dns config: move NodeName validation to config validation 2020-08-17 17:25:02 -04:00
exec
grpc trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
local trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
metadata Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
mock checks: when a service does not exist in an alias, consider it failing (#7384) 2020-06-04 14:50:52 +02:00
pool Merge pull request #9149 from joel0/wrap-errors 2020-11-10 18:27:08 -05:00
proxycfg Fix text type assertion 2020-09-14 16:28:40 -06:00
router agent/router: refactor calculation of delay between rebalances. 2020-10-15 15:59:36 -04:00
routine-leak-checker agent: enable enable_central_service_config by default (#8746) 2020-10-01 09:19:14 -05:00
rpc/subscribe stream: document that Payload must be immutable 2020-11-06 13:00:33 -05:00
rpcclient/health streaming: disable streaming when requesting connect events 2020-10-26 11:55:49 -04:00
structs Refactor to call non-voting servers read replicas (#9191) 2020-11-17 10:53:57 -05:00
submatview streaming: improve godoc for cache-type 2020-10-06 13:52:02 -04:00
systemd
token token: OSS support for enterprise tokens 2020-08-31 15:10:15 -04:00
uiserver auto-updated agent/uiserver/bindata_assetfs.go from commit 687ce1f9c 2020-11-19 16:13:04 +00:00
xds Add DC and NS support for Envoy metrics (#9207) 2020-11-16 16:37:19 -07:00
acl.go added permission denied error message (#8044) 2020-09-22 20:36:07 +02:00
acl_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
acl_endpoint_legacy.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
acl_endpoint_legacy_test.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
acl_endpoint_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
acl_test.go agent/token: Move token persistence out of agent 2020-08-31 15:00:34 -04:00
agent.go agent: fix bug with multiple listeners 2020-11-18 13:03:29 -05:00
agent_endpoint.go push prometheus sink definitions into prometheus.PrometheusOpts 2020-11-16 12:44:47 -08:00
agent_endpoint_test.go agent: enable enable_central_service_config by default (#8746) 2020-10-01 09:19:14 -05:00
agent_oss.go agent/token: Move token persistence out of agent 2020-08-31 15:00:34 -04:00
agent_test.go Use freeport 2020-11-18 16:07:34 -05:00
apiserver.go agent: fix bug with multiple listeners 2020-11-18 13:03:29 -05:00
apiserver_test.go agent: add apiServers type for managing HTTP servers 2020-09-03 13:40:12 -04:00
catalog_endpoint.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
catalog_endpoint_test.go Add api mod support for /catalog/gateway-services (#8278) 2020-07-10 13:01:45 -06:00
check.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
config_endpoint.go connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) 2020-10-06 13:24:05 -05:00
config_endpoint_test.go Expect default enterprise metadata in gateway tests (#7664) 2020-04-20 09:02:35 -05:00
connect_auth.go Return intention info in svc topology endpoint (#8853) 2020-10-07 18:35:34 -06:00
connect_ca_endpoint.go Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) 2020-10-09 10:43:33 -04:00
connect_ca_endpoint_test.go Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) 2020-10-09 10:43:33 -04:00
coordinate_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
coordinate_endpoint_test.go Fix a number of problems found by staticcheck 2020-05-19 16:50:14 -04:00
denylist.go Replace whitelist/blacklist terminology with allowlist/denylist (#7971) 2020-05-29 14:19:16 -04:00
denylist_test.go Replace whitelist/blacklist terminology with allowlist/denylist (#7971) 2020-05-29 14:19:16 -04:00
discovery_chain_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
discovery_chain_endpoint_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
dns.go trim help strings to save a few bytes 2020-11-16 11:02:11 -08:00
dns_oss.go Update gateway-services-nodes API endpoint to allow multiple addresses 2020-06-24 16:35:23 -05:00
dns_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 14:05:01 -04:00
enterprise_delegate_oss.go Update to use a consulent build tag instead of just ent (#5759) 2019-05-01 11:11:27 -04:00
event_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
event_endpoint_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
federation_state_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
health_endpoint.go health: change the name of UseStreamingBackend config 2020-10-23 17:47:01 -04:00
health_endpoint_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
http.go merge master 2020-11-16 10:46:53 -08:00
http_decode_test.go Fix GRPCUseTLS flag HTTP API mapping 2020-09-29 18:29:56 +03:00
http_oss.go uiserver: upstream refactors done elsewhere (#8891) 2020-10-09 08:32:39 -05:00
http_oss_test.go agent/http: un-embed the HTTPServer 2020-07-02 17:21:12 -04:00
http_register.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
http_test.go agent: return the default ACL policy to callers as a header (#9101) 2020-11-12 10:38:32 -06:00
intentions_endpoint.go agent: allow the /v1/connect/intentions/match endpoint to use the agent cache (#8875) 2020-10-08 14:51:53 -05:00
intentions_endpoint_oss_test.go connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) 2020-06-26 16:59:15 -05:00
intentions_endpoint_test.go agent: allow the /v1/connect/intentions/match endpoint to use the agent cache (#8875) 2020-10-08 14:51:53 -05:00
keyring.go agent: Move setupKeyring functions to keyring.go 2020-08-13 11:58:21 -04:00
keyring_test.go testing: Remove all the defer os.Removeall 2020-08-14 19:58:53 -04:00
kvs_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
kvs_endpoint_test.go Fix a number of problems found by staticcheck 2020-05-19 16:50:14 -04:00
nodeid.go chore: upgrade to gopsutil/v3 (#9118) 2020-11-06 20:48:38 -05:00
nodeid_test.go testing: Remove all the defer os.Removeall 2020-08-14 19:58:53 -04:00
notify.go
notify_test.go
operator_endpoint.go Switch to using the external autopilot module 2020-11-09 09:22:11 -05:00
operator_endpoint_oss.go Add a CLI command for retrieving the autopilot configuration. (#9142) 2020-11-11 13:19:02 -05:00
operator_endpoint_test.go Add a CLI command for retrieving the autopilot configuration. (#9142) 2020-11-11 13:19:02 -05:00
prepared_query_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
prepared_query_endpoint_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
reload.go Refactor uiserver to separate package, cleaner Reloading 2020-10-01 11:32:25 +01:00
remote_exec.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
remote_exec_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
retry_join.go wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
retry_join_test.go wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
service_checks_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
service_manager.go agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) 2020-09-24 16:24:04 -05:00
service_manager_test.go agent: enable enable_central_service_config by default (#8746) 2020-10-01 09:19:14 -05:00
session_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
session_endpoint_test.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
setup.go use the MetricsPrefix to set the service name and provide as slice literal to avoid bugs from append modifying its first arg 2020-11-16 14:01:12 -08:00
sidecar_service.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
sidecar_service_test.go Enable gofmt simplify 2020-06-16 13:21:11 -04:00
signal_unix.go
signal_windows.go
snapshot_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
snapshot_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
status_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
status_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
testagent.go Refactor uiserver to separate package, cleaner Reloading 2020-10-01 11:32:25 +01:00
testagent_test.go config: Make Source an interface 2020-08-10 12:46:28 -04:00
translate_addr.go Add the v1/catalog/node-services/:node endpoint (#7115) 2020-01-24 09:27:25 -05:00
txn_endpoint.go api: rename HTTPServer to HTTPHandlers 2020-09-18 17:38:23 -04:00
txn_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
ui_endpoint.go agent: protect the ui metrics proxy endpoint behind ACLs (#9099) 2020-11-04 12:50:03 -06:00
ui_endpoint_oss_test.go agent: protect the ui metrics proxy endpoint behind ACLs (#9099) 2020-11-04 12:50:03 -06:00
ui_endpoint_test.go agent: introduce path allow list for requests going through the metrics proxy (#9059) 2020-10-30 16:49:54 -05:00
user_event.go subscribe: Add steps to rpc/subscribe tests 2020-10-08 15:38:01 -04:00
user_event_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 14:05:01 -04:00
util.go agent: ensure that we always use the same settings for msgpack (#7245) 2020-02-07 15:50:24 -06:00
util_test.go testing: use t.Cleanup in testutil.TempFile 2020-08-14 20:06:01 -04:00
watch_handler.go watch: Allow args from different types 2020-07-10 17:18:32 -04:00
watch_handler_test.go watch: Allow args from different types 2020-07-10 17:18:32 -04:00