From 3166d1ff783145b7b630fb39c44118aef0b608ae Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Mon, 23 May 2022 13:09:18 -0400
Subject: [PATCH] Allow issuer/:issuer_ref/sign-verbatim/:role, add error on missing role (#15543)

* Allow role-based sign-verbatim with chosen issuer

Signed-off-by: Alexander Scheel

* Add warning with missing requested verbatim role

Signed-off-by: Alexander Scheel

* Add changelog

Signed-off-by: Alexander Scheel

* Update builtin/logical/pki/backend.go

Co-authored-by: Steven Clark
Co-authored-by: Steven Clark
---
 builtin/logical/pki/backend.go | 2 +-
 builtin/logical/pki/path_issue_sign.go | 2 +-
 changelog/15543.txt | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 changelog/15543.txt

diff --git a/builtin/logical/pki/backend.go b/builtin/logical/pki/backend.go
index 3878b8995..dfd1b138b 100644
--- a/builtin/logical/pki/backend.go
+++ b/builtin/logical/pki/backend.go
@@ -267,7 +267,7 @@ func (b *backend) metricsWrap(callType string, roleMode int, ofunc roleOperation
 if err != nil {
 return nil, err
 }
-if role == nil && roleMode == roleRequired {
+if role == nil && (roleMode == roleRequired || len(roleName) > 0) {
 return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
 }
 labels = []metrics.Label{{"role", roleName}}
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index 8b669c69a..17cdc93d8 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -79,7 +79,7 @@ func buildPathSign(b *backend, pattern string) *framework.Path {
 }
 
 func pathIssuerSignVerbatim(b *backend) *framework.Path {
-pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim"
+pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim" + framework.OptionalParamRegex("role")
 return buildPathIssuerSignVerbatim(b, pattern)
 }
 
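Review bot: The widened condition on the `+` line is the security-relevant part of this change, but nothing in the code says why a role that was named on a path where roles are optional is now a hard error, and the condition reads as if it contradicts `roleMode` being optional. I would add above the `if`: `// An explicitly named role that does not exist is always an error, even where a role is optional: quietly proceeding without it would sign without whatever the caller expected that role to enforce.` Since `roleName` is caller-supplied, `fmt.Sprintf("unknown role: %q", roleName)` would also make a whitespace-only or oddly encoded name visible in the returned error, and `len(roleName) > 0` is conventionally written `roleName != ""` in Go. metricsWrap's body begins and ends outside the hunk, so where `roleName` and `role` are obtained is not visible here.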
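Review bot: `pathIssuerSignVerbatim` still carries no doc comment, and now that the pattern ends in `framework.OptionalParamRegex("role")` the route matches both `issuer/:issuer_ref/sign-verbatim` and `issuer/:issuer_ref/sign-verbatim/:role`, which is worth stating for the next reader. I would add: `// pathIssuerSignVerbatim registers issuer/:issuer_ref/sign-verbatim with an optional trailing /:role, so a caller can choose both the signing issuer and a role.` Whether the `role` path segment is actually consumed depends on `buildPathIssuerSignVerbatim` declaring a `role` field in the path schema, which is outside this hunk; if it presumably reuses the shared sign-verbatim field set, a short mention of that in the comment would save the lookup.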
diff --git a/changelog/15543.txt b/changelog/15543.txt
new file mode 100644
index 000000000..43c2c7419
--- /dev/null
+++ b/changelog/15543.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/pki: Err on unknown role during sign-verbatim.
+```