Allow issuer/:issuer_ref/sign-verbatim/:role, add error on missing role (#15543)

* Allow role-based sign-verbatim with chosen issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning with missing requested verbatim role

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/backend.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
This commit is contained in:
Alexander Scheel 2022-05-23 13:09:18 -04:00 committed by GitHub
parent 36c981bfe4
commit 3166d1ff78
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 5 additions and 2 deletions

View File

@ -267,7 +267,7 @@ func (b *backend) metricsWrap(callType string, roleMode int, ofunc roleOperation
if err != nil { if err != nil {
return nil, err return nil, err
} }
if role == nil && roleMode == roleRequired { if role == nil && (roleMode == roleRequired || len(roleName) > 0) {
return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
} }
labels = []metrics.Label{{"role", roleName}} labels = []metrics.Label{{"role", roleName}}

View File

@ -79,7 +79,7 @@ func buildPathSign(b *backend, pattern string) *framework.Path {
} }
func pathIssuerSignVerbatim(b *backend) *framework.Path { func pathIssuerSignVerbatim(b *backend) *framework.Path {
pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim" pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim" + framework.OptionalParamRegex("role")
return buildPathIssuerSignVerbatim(b, pattern) return buildPathIssuerSignVerbatim(b, pattern)
} }

3
changelog/15543.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:change
secrets/pki: Err on unknown role during sign-verbatim.
```