Allow issuer/:issuer_ref/sign-verbatim/:role, add error on missing role (#15543)

* Allow role-based sign-verbatim with chosen issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning with missing requested verbatim role

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/backend.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

builtin/logical/pki/backend.go

@@ -267,7 +267,7 @@ func (b *backend) metricsWrap(callType string, roleMode int, ofunc roleOperation
 			if err != nil {
 				return nil, err
 			}
-			if role == nil && roleMode == roleRequired {
+			if role == nil && (roleMode == roleRequired || len(roleName) > 0) {
 				return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
 			}
 			labels = []metrics.Label{{"role", roleName}}

builtin/logical/pki/path_issue_sign.go

@@ -79,7 +79,7 @@ func buildPathSign(b *backend, pattern string) *framework.Path {
 }
 
 func pathIssuerSignVerbatim(b *backend) *framework.Path {
-	pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim"
+	pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim" + framework.OptionalParamRegex("role")
 	return buildPathIssuerSignVerbatim(b, pattern)
 }
 

changelog/15543.txt

@@ -0,0 +1,3 @@
+```release-note:change
+secrets/pki: Err on unknown role during sign-verbatim.
+```