Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

1.15.x: revert bound audiences behavior change #308

Merged
merged 7 commits into from
Jun 13, 2024

Conversation

fairclothjm
Copy link
Contributor

@fairclothjm fairclothjm commented Jun 13, 2024

Description

This PR proposes to revert the change made in #295 to address CVE-2024-5798.

We add a new test TestLoginBoundAudiences to test the behavior expectations.

Background

#295 fixed a bug where the login JWT's aud claim is ignored if it is a single string. The net effect is that the role's bound_audiences parameter must match at least one of the JWT's aud claims if the token has an aud claim.

Since the behavior change is a breaking change, we are reverting the change in the Vault versions after 1.15.10 and 1.16.4. However, the behavior change will go into effect in Vault 1.17 and later.

Relates

@fairclothjm fairclothjm requested a review from thyton June 13, 2024 15:06
@@ -269,69 +445,6 @@ func testLogin_JWT(t *testing.T, jwks bool) {
}
}

// Test bound audiences unset, claims "aud" set
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test case is captured in the new test

Comment on lines +100 to +102
fmt.Println()
fmt.Println(authURL)
fmt.Println()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
fmt.Println()
fmt.Println(authURL)
fmt.Println()
fmt.Println()
fmt.Println(authURL)
fmt.Println()

Copy link
Contributor

@thyton thyton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice tests!

Comment on lines +100 to +102
fmt.Println()
fmt.Println(authURL)
fmt.Println()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
fmt.Println()
fmt.Println(authURL)
fmt.Println()

@fairclothjm fairclothjm merged commit 09c5396 into release/v0.17.x Jun 13, 2024
4 checks passed
@fairclothjm fairclothjm deleted the revert/release/1.15.x/bound-aud branch June 13, 2024 20:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants