Allow * to be set for allowed_users

2016-05-30 03:12:43 -04:00 · 2016-05-30 03:12:43 -04:00 · 30fa7f304b
parent 971b2cb7b7
commit 30fa7f304b
3 changed files with 30 additions and 1 deletions
--- a/builtin/logical/ssh/backend_test.go
+++ b/builtin/logical/ssh/backend_test.go
@ -200,6 +200,23 @@ func TestBackend_allowed_users(t *testing.T) {
 	if err != nil || resp == nil || (resp != nil && !resp.IsError()) {
 		t.Fatalf("expected failure: resp:%#v err:%s", resp, err)
 	}
+
+	roleData["allowed_users"] = "*"
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) || resp != nil {
+		t.Fatalf("failed to create role: resp:%#v err:%s", resp, err)
+	}
+
+	resp, err = b.HandleRequest(credsReq)
+	if err != nil || (resp != nil && resp.IsError()) || resp == nil {
+		t.Fatalf("failed to create role: resp:%#v err:%s", resp, err)
+	}
+	if resp.Data["key"] == "" ||
+		resp.Data["key_type"] != "otp" ||
+		resp.Data["ip"] != "52.207.235.245" ||
+		resp.Data["username"] != "test" {
+		t.Fatalf("failed to create credential: resp:%#v", resp)
+	}
 }

 func testingFactory(conf *logical.BackendConfig) (logical.Backend, error) {
--- a/builtin/logical/ssh/path_creds_create.go
+++ b/builtin/logical/ssh/path_creds_create.go
@ -287,12 +287,22 @@ func validateIP(ip, roleName, cidrList, excludeCidrList string, zeroAddressRoles
 // Checks if the username supplied by the user is present in the list of
 // allowed users registered which creation of role.
 func validateUsername(username, allowedUsers string) error {
+	if allowedUsers == "" {
+		return fmt.Errorf("username not in allowed users list")
+	}
+
+	// Role was explicitly configured to allow any username.
+	if allowedUsers == "*" {
+		return nil
+	}
+
 	userList := strings.Split(allowedUsers, ",")
 	for _, user := range userList {
-		if user == username {
+		if strings.TrimSpace(user) == username {
 			return nil
 		}
 	}
+
 	return fmt.Errorf("username not in allowed users list")
 }

--- a/website/source/docs/secrets/ssh/index.html.md
+++ b/website/source/docs/secrets/ssh/index.html.md
@ -440,6 +440,8 @@ username@ip:~$
 	      If this option is not specified, credentials can be created only for
              `default_user` at the remote host. If this field is set, credentials
              can be created only for the users in this list and for the `default_user`.
+              If this option is explicitly set to `*`, then credentials can be created
+              for any username.
      </li>
      <li>
        <span class="param">key_option_specs</span>