From cd4a2706e5a07e6ca7ede031b3e4a97d5a4fd6f9 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Fri, 17 Jun 2022 12:47:06 -0400
Subject: [PATCH] ssh: Fix template regex test for defaultExtensions to allow additional text (#16018) (#16036)

* ssh: Fix template regex test for defaultExtensions

- The regex to identify if our defaultExtensions contains a template was a little too greedy, requiring the entire field to be just the regex. Allow additional text within the value field to be added

* Add cl

Co-authored-by: Steven Clark
---
 builtin/logical/ssh/backend_test.go | 5 ++++-
 builtin/logical/ssh/path_sign.go | 6 ++++--
 changelog/16018.txt | 3 +++
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 changelog/16018.txt

diff --git a/builtin/logical/ssh/backend_test.go b/builtin/logical/ssh/backend_test.go
index 8e33c6b3aaa4..bb4ca0c9c903 100644
--- a/builtin/logical/ssh/backend_test.go
+++ b/builtin/logical/ssh/backend_test.go
@@ -1361,6 +1361,8 @@ func TestBackend_DefExtTemplatingEnabled(t *testing.T) {
 "default_extensions_template": true,
 "default_extensions": map[string]interface{}{
 "login@foobar.com": "{{identity.entity.aliases." + userpassAccessor + ".name}}",
+"login@foobar2.com": "{{identity.entity.aliases." + userpassAccessor + ".name}}, " +
+"{{identity.entity.aliases." + userpassAccessor + ".name}}_foobar",
 },
 })
 if err != nil {
@@ -1386,7 +1388,8 @@ func TestBackend_DefExtTemplatingEnabled(t *testing.T) {
 }
 defaultExtensionPermissions := map[string]string{
-"login@foobar.com": testUserName,
+"login@foobar.com": testUserName,
+"login@foobar2.com": fmt.Sprintf("%s, %s_foobar", testUserName, testUserName),
 }
 err = validateSSHCertificate(parsedKey.(*ssh.Certificate), sshKeyID, ssh.UserCert, []string{"tuber"}, map[string]string{}, defaultExtensionPermissions, 16*time.Hour)
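Review bot: The new `login@foobar2.com` case still begins with a template marker, so the input the old anchored regex `^{{.+?}}$` rejected most directly — literal text before the first `{{` — is not exercised by either hunk; adding a third entry such as `"login@foobar3.com": "user_{{identity.entity.aliases." + userpassAccessor + ".name}}"` with the matching expectation `"login@foobar3.com": "user_" + testUserName` in `defaultExtensionPermissions` would pin both ends of the widened match. The expected string for `login@foobar2.com` is the only evidence in this patch that literal text around the markers survives rendering, so it is worth keeping that assertion exact rather than loosening it later. A sibling check that the same mixed value is passed through verbatim when `default_extensions_template` is false would also be useful, unless an existing disabled-mode test already covers it. Both hunks sit inside `TestBackend_DefExtTemplatingEnabled`, whose body begins and ends outside what is shown here.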
diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
index 7dfe9f37e39c..e3b487218d69 100644
--- a/builtin/logical/ssh/path_sign.go
+++ b/builtin/logical/ssh/path_sign.go
@@ -36,6 +36,8 @@ type creationBundle struct {
 Extensions map[string]string
 }
 
+var containsTemplateRegex = regexp.MustCompile(`{{.+?}}`)
+
 func pathSign(b *backend) *framework.Path {
 return &framework.Path{
 Pattern: "sign/" + framework.GenericNameWithAtRegex("role"),
@@ -220,7 +222,7 @@ func (b *backend) calculateValidPrincipals(data *framework.FieldData, req *logic
 for _, principal := range strutil.RemoveDuplicates(strutil.ParseStringSlice(principalsAllowedByRole, ","), false) {
 if role.AllowedUsersTemplate {
 // Look for templating markers {{ .* }}
-matched, _ := regexp.MatchString(`{{.+?}}`, principal)
+matched := containsTemplateRegex.MatchString(principal)
 if matched {
 if req.EntityID != "" {
 // Retrieve principal based on template + entityID from request.
@@ -384,7 +386,7 @@ func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Re
 if role.DefaultExtensionsTemplate {
 for extensionKey, extensionValue := range role.DefaultExtensions {
 // Look for templating markers {{ .* }}
-matched, _ := regexp.MatchString(`^{{.+?}}$`, extensionValue)
+matched := containsTemplateRegex.MatchString(extensionValue)
 if matched {
 if req.EntityID != "" {
 // Retrieve extension value based on template + entityID from request.
diff --git a/changelog/16018.txt b/changelog/16018.txt
new file mode 100644
index 000000000000..31b4929d4acf
--- /dev/null
+++ b/changelog/16018.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields.
+```
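Review bot: `containsTemplateRegex` is a new package-level declaration without a doc comment, and since it now decides two different things (whether an allowed principal and whether a default-extension value go through the identity-templating path) its contract should be stated where it is declared: `// containsTemplateRegex matches a string that holds at least one {{...}} templating marker; literal text before, between or after the markers is permitted and is not part of the match.` The unanchored form also means the principal and extension checks are now the same, which is worth a sentence there so nobody re-anchors one side later. Hoisting the compile out of the per-principal loop and dropping the previously discarded `MatchString` error are both improvements; `regexp.MustCompile` on a constant pattern at package init is the right place for it.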
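Review bot: Removing the `^`/`$` anchors in `calculateExtensions` means a default-extension value is treated as a template whenever `{{...}}` appears anywhere in it, so a value such as `{{identity.entity.name}}@corp` stored by an existing role with `default_extensions_template` enabled presumably used to fall through to the non-template branch below the hunk and be emitted verbatim, and will now be rendered; the changelog labels this an improvement, but it is a behaviour change for stored roles and the comment above the check should say so, e.g. `// Look for templating markers {{ .* }} anywhere in the value; literal text around the markers is kept and only the markers are rendered` (the new test's expected `"%s, %s_foobar"` is what supports the second half of that sentence). What happens to such a value when `req.EntityID` is empty is decided by code outside the hunk, so I cannot tell from here whether the extension is then omitted or written with the raw `{{...}}` text; the latter would place unrendered template text into an issued certificate, and a test signing with a token that has no entity would settle it. `calculateExtensions` begins and continues outside this hunk.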