luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Approle: Fix CIDR validation for /32 masks on Token Bound CIDRs (#18145) 

* Fix CIDR validation for /32 masks

* run go fmt

* add changelog
This commit is contained in:
davidadeleon 2022-12-16 12:09:05 -05:00 committed by GitHub
parent 74f5a44684
commit 51b1b6d446
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 71 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
builtin/credential/approle/path_role_test.go
View File

@ -619,6 +619,65 @@ func TestAppRole_CIDRSubset(t *testing.T) {
} }
} }
func TestAppRole_TokenBoundCIDRSubset32Mask(t *testing.T) {
var resp *logical.Response
var err error
b, storage := createBackendWithStorage(t)
roleData := map[string]interface{}{
"role_id": "role-id-123",
"policies": "a,b",
"token_bound_cidrs": "127.0.0.1/32",
}
roleReq := &logical.Request{
Operation: logical.CreateOperation,
Path: "role/testrole1",
Storage: storage,
Data: roleData,
}
resp, err = b.HandleRequest(context.Background(), roleReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v resp: %#v", err, resp)
}
secretIDData := map[string]interface{}{
"token_bound_cidrs": "127.0.0.1/32",
}
secretIDReq := &logical.Request{
Operation: logical.UpdateOperation,
Storage: storage,
Path: "role/testrole1/secret-id",
Data: secretIDData,
}
resp, err = b.HandleRequest(context.Background(), secretIDReq)
if err != nil {
t.Fatalf("err: %v resp: %#v", err, resp)
}
secretIDData = map[string]interface{}{
"token_bound_cidrs": "127.0.0.1/24",
}
secretIDReq = &logical.Request{
Operation: logical.UpdateOperation,
Storage: storage,
Path: "role/testrole1/secret-id",
Data: secretIDData,
}
resp, err = b.HandleRequest(context.Background(), secretIDReq)
if resp != nil {
t.Fatalf("resp:%#v", resp)
}
if err == nil {
t.Fatal("expected an error")
}
}
func TestAppRole_RoleConstraints(t *testing.T) { func TestAppRole_RoleConstraints(t *testing.T) {
var resp *logical.Response var resp *logical.Response
var err error var err error

9
builtin/credential/approle/validation.go
View File

@ -6,6 +6,7 @@ import (
"crypto/sha256" "crypto/sha256"
"encoding/hex" "encoding/hex"
"fmt" "fmt"
"strings"
"time" "time"
uuid "github.com/hashicorp/go-uuid" uuid "github.com/hashicorp/go-uuid"
@ -77,6 +78,14 @@ func verifyCIDRRoleSecretIDSubset(secretIDCIDRs []string, roleBoundCIDRList []st
// If there are no CIDR blocks on the role, then the subset // If there are no CIDR blocks on the role, then the subset
// requirement would be satisfied // requirement would be satisfied
if len(roleBoundCIDRList) != 0 { if len(roleBoundCIDRList) != 0 {
// Address blocks with /32 mask do not get stored with the CIDR mask
// Check if there are any /32 addresses and append CIDR mask
for i, block := range roleBoundCIDRList {
if !strings.Contains(block, "/") {
roleBoundCIDRList[i] = fmt.Sprint(block, "/32")
}
}
subset, err := cidrutil.SubsetBlocks(roleBoundCIDRList, secretIDCIDRs) subset, err := cidrutil.SubsetBlocks(roleBoundCIDRList, secretIDCIDRs)
if !subset || err != nil { if !subset || err != nil {
return fmt.Errorf( return fmt.Errorf(

3
changelog/18145.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID
```