From fc46bb647fb9fe223108e2f90ef99b44d67d8c6c Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Mon, 20 Jun 2022 10:48:24 -0400
Subject: [PATCH] ssh: Fix template regex test for defaultExtensions to allow additional text (#16018) (#16038)

* ssh: Fix template regex test for defaultExtensions

- The regex to identify if our defaultExtensions contains a template was a little too greedy, requiring the entire field to be just the regex. Allow additional text within the value field to be added

* Add cl

Co-authored-by: Steven Clark
Co-authored-by: Alexander Scheel
---
 builtin/logical/ssh/backend_test.go | 5 ++++-
 builtin/logical/ssh/path_sign.go | 6 ++++--
 changelog/16018.txt | 3 +++
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 changelog/16018.txt

diff --git a/builtin/logical/ssh/backend_test.go b/builtin/logical/ssh/backend_test.go
index d830103e82f8..2664f6225c21 100644
--- a/builtin/logical/ssh/backend_test.go
+++ b/builtin/logical/ssh/backend_test.go
@@ -1480,6 +1480,8 @@ func TestBackend_DefExtTemplatingEnabled(t *testing.T) {
 "default_extensions_template": true,
 "default_extensions": map[string]interface{}{
 "login@foobar.com": "{{identity.entity.aliases." + userpassAccessor + ".name}}",
+ "login@foobar2.com": "{{identity.entity.aliases." + userpassAccessor + ".name}}, " +
+ "{{identity.entity.aliases." + userpassAccessor + ".name}}_foobar",
 },
 })
 if err != nil {
@@ -1505,7 +1507,8 @@ func TestBackend_DefExtTemplatingEnabled(t *testing.T) {
 }
 defaultExtensionPermissions := map[string]string{
- "login@foobar.com": testUserName,
+ "login@foobar.com": testUserName,
+ "login@foobar2.com": fmt.Sprintf("%s, %s_foobar", testUserName, testUserName),
 }
 err = validateSSHCertificate(parsedKey.(*ssh.Certificate), sshKeyID, ssh.UserCert, []string{"tuber"}, map[string]string{}, defaultExtensionPermissions, 16*time.Hour)
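Review bot: The new `login@foobar2.com` value exercises only the trailing-text side of the relaxed regex: it begins with `{{`, so it would never have tripped the old `^` anchor, and nothing in this hunk pins the case of literal text placed before the first template marker. A third entry such as `"login@foobar3.com": "prefix_" + "{{identity.entity.aliases." + userpassAccessor + ".name}}"` with the expectation `fmt.Sprintf("prefix_%s", testUserName)` would lock in both ends of the change. A value containing braces but no complete `{{...}}` marker would also be worth a case, to confirm it is still emitted verbatim rather than routed through templating. TestBackend_DefExtTemplatingEnabled starts and ends outside this hunk.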
diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
index 39d384055c12..8e21ad1e7e7f 100644
--- a/builtin/logical/ssh/path_sign.go
+++ b/builtin/logical/ssh/path_sign.go
@@ -36,6 +36,8 @@ type creationBundle struct {
 Extensions map[string]string
 }
 
+var containsTemplateRegex = regexp.MustCompile(`{{.+?}}`)
+
 func pathSign(b *backend) *framework.Path {
 return &framework.Path{
 Pattern: "sign/" + framework.GenericNameWithAtRegex("role"),
@@ -220,7 +222,7 @@ func (b *backend) calculateValidPrincipals(data *framework.FieldData, req *logic
 for _, principal := range strutil.RemoveDuplicates(strutil.ParseStringSlice(principalsAllowedByRole, ","), false) {
 if role.AllowedUsersTemplate {
 // Look for templating markers {{ .* }}
- matched, _ := regexp.MatchString(`{{.+?}}`, principal)
+ matched := containsTemplateRegex.MatchString(principal)
 if matched {
 if req.EntityID != "" {
 // Retrieve principal based on template + entityID from request.
@@ -384,7 +386,7 @@ func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Re
 if role.DefaultExtensionsTemplate {
 for extensionKey, extensionValue := range role.DefaultExtensions {
 // Look for templating markers {{ .* }}
- matched, _ := regexp.MatchString(`^{{.+?}}$`, extensionValue)
+ matched := containsTemplateRegex.MatchString(extensionValue)
 if matched {
 if req.EntityID != "" {
 // Retrieve extension value based on template + entityID from request.
diff --git a/changelog/16018.txt b/changelog/16018.txt
new file mode 100644
index 000000000000..31b4929d4acf
--- /dev/null
+++ b/changelog/16018.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields.
+```
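Review bot: `containsTemplateRegex` is a new package-level name with no doc comment, and it now serves two call sites with different histories (principals were always matched anywhere in the string, extensions used to require the whole value to be the template). A comment would stop the next reader from re-adding anchors: `// containsTemplateRegex matches an identity-templating marker anywhere in a value; values may mix literal text with the template, so it is deliberately unanchored.` Note also that `.` in `{{.+?}}` does not match a newline, so a marker split across lines is not detected; that is fine if intended, but `(?s)` would be needed otherwise.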
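Review bot: Dropping the `^`/`$` anchors at `matched := containsTemplateRegex.MatchString(extensionValue)` widens which values take the templating branch: any default extension value that merely contains a `{{...}}` substring is now rendered through identity templating rather than copied literally, which is broader than the changelog's "allow additional text" wording. Because the rendered alias name is now concatenated with operator-supplied literal text, it is worth confirming that nothing downstream re-parses the resulting extension value on a separator (the test expects a comma-separated `"%s, %s_foobar"` shape); an alias name containing that separator would change the structure of the emitted extension. The in-hunk comment `// Look for templating markers {{ .* }}` could say `// Look for a templating marker anywhere in the value; surrounding literal text is kept as-is` to record the intent. calculateExtensions starts and ends outside this hunk.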