Commit graph

9 commits

Author SHA1 Message Date
Alexander Scheel 411705d723
More wrapped errors - PKI, SSH, Transit (#19631)
* Add missing wrapped errors in PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing wrapped errors in SSH

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing wrapped errors in Transit

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-03-20 16:00:49 +00:00
Hamid Ghaf 27bb03bbc0
adding copyright header (#19555)
* adding copyright header

* fix fmt and a test
2023-03-15 09:00:52 -07:00
Ben Roberts d710f8e8dc
Evaluate ssh validprincipals user template before splitting (#16622)
The SSH secrets engine previously split the `validPrincipals` field
on comma, then if user templating is enabled, evaluated the
templates on each substring. This meant the identity template was only
ever allowed to return a single principal. There are use cases
where it would be helpful for identity metadata to contain a list
of valid principals and for the identity template to be able to inject
all of those as valid principals.

This change inverts the order of processing. First the template
is evaluated, and then the resulting string is split on commas.
This allows the identity template to return a single comma-separated
string with multiple permitted principals.

There is a potential security implication here, that if a user is
allowed to update their own identity metadata, they may be able to
elevate privileges where previously this was not possible.

Fixes #11038
2022-10-13 17:34:36 -05:00
Alexander Scheel 11e4f2600e
Add warning on missing entity information (#17428)
When requesting a SSH certificate with default_extension templating
enabled, if the request lacks entity information and a particular
extension requires templating, just these extensions will be elided.
Other extensions (if present) will still be on the final certificate.

Add a warning in the event of missing entity information and at least
one extension that was skipped as a result.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 14:00:56 -04:00
Jakob Beckmann 21a10e09b6
fix bug with allowed_users_template and add allowed_domains_template for SSH role (#16056)
* impr(ssh): fix bug with allowed_users_template and add allowed_domains_template field in SSH role configuration, closes #10943

* chore: add changelog entry
2022-08-16 14:59:29 -05:00
Steven Clark 639fa64ce5
secret/ssh: Return errors for bad templates in roles as we did previously (#16505) 2022-07-29 15:18:22 +01:00
Ian Ferguson dc603b4f7f
Allow identity templates in ssh backend default_user field (#16351)
* Allow identity templates in ssh backend `default_user` field

* use correct test expected value

* include api docs for `default_user_template` field
2022-07-29 09:45:52 -04:00
Steven Clark 8f118fcefb
ssh: Fix template regex test for defaultExtensions to allow additional text (#16018)
* ssh: Fix template regex test for defaultExtensions

 - The regex to identify if our defaultExtensions contains a template was
   a little too greedy, requiring the entire field to be just the regex. Allow
   additional text within the value field to be added

* Add cl
2022-06-17 11:06:17 -04:00
Gabriel Santos 57eeb33faa
SSH secrets engine - Enabled creation of key pairs (CA Mode) (#15561)
* Handle func

* Update - check if key_type and key_bits are allowed

* Update - fields

* Generating keys based on provided key_type and key_bits

* Returning signed key

* Refactor

* Refactor update to common logic function

* Descriptions

* Tests added

* Suggested changes and tests added and refactored

* Suggested changes and fmt run

* File refactoring

* Changelog file

* Update changelog/15561.txt

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>

* Suggested changes - consistent returns and additional info to test messages

* ssh issue key pair documentation

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2022-06-10 09:48:19 -04:00