Allow specifying multiple allowed SSH key lengths (#13991)
* Allow specifying multiple allowed SSH key lengths In the ssh secrets engine, only a single allowed key length could be specified for each algorithm type. However, many algorithms have multiple safe values (such as RSA and ECDSA); allowing a single role to have multiple values for a single algorithm is thus helpful. On creation or update, roles can now specify multiple lengths using a list or comma-separated string of allowed values: allowed_user_key_lengths: map[string][]int{"rsa": []int{2048, 4096}} Signed-off-by: Alexander Scheel <[email protected]> * Add changelog entry Signed-off-by: Alexander Scheel <[email protected]> * Break out ssh upgrade logic into separate function Signed-off-by: Alexander Scheel <[email protected]> * Update parseutil for optional lists of integers go get -u github.com/hashicorp/go-secure-stdlib/parseutil go mod tidy Signed-off-by: Alexander Scheel <[email protected]> * Simplify parse logic using new parseutil The newly introduced parseutil.ParseIntSlice handles the more complicated optional int-like slice logic for us. Signed-off-by: Alexander Scheel <[email protected]>
Showing
8 changed files
with
188 additions
and
65 deletions.
@@ -4,12 +4,10 @@ import ( | |
"bytes" | ||
"context" | ||
"encoding/base64" | ||
"encoding/json" | ||
"errors" | ||
"fmt" | ||
"net" | ||
"reflect" | ||
"strconv" | ||
"strings" | ||
"testing" | ||
"time" | ||
|
@@ -76,6 +74,8 @@ oOyBJU/HMVvBfv4g+OVFLVgSwwm6owwsouZ0+D/LasbuHqYyqYqdyPJQYzWA2Y+F | |
publicKey2 = `AAAAB3NzaC1yc2EAAAADAQABAAABAQDArgK0ilRRfk8E7HIsjz5l3BuxmwpDd8DHRCVfOhbZ4gOSVxjEOOqBwWGjygdboBIZwFXmwDlU6sWX0hBJAgpQz0Cjvbjxtq/NjkvATrYPgnrXUhTaEn2eQO0PsqRNSFH46SK/oJfTp0q8/WgojxWJ2L7FUV8PO8uIk49DzqAqPV7WXU63vFsjx+3WQOX/ILeQvHCvaqs3dWjjzEoDudRWCOdUqcHEOshV9azIzPrXlQVzRV3QAKl6u7pC+/Secorpwt6IHpMKoVPGiR0tMMuNOVH8zrAKzIxPGfy2WmNDpJopbXMTvSOGAqNcp49O4SKOQl9Fzfq2HEevJamKLrMB | ||
` | ||
|
||
publicKey3072 = `ssh-rsa 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 [email protected]` | ||
|
||
publicKey4096 = `ssh-rsa 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 [email protected]` | ||
|
||
testCAPrivateKey = `-----BEGIN RSA PRIVATE KEY----- | ||
|
@@ -1198,7 +1198,7 @@ func TestBackend_AllowedUserKeyLengths(t *testing.T) { | |
"key_type": "ca", | ||
"allow_user_certificates": true, | ||
"allowed_user_key_lengths": map[string]interface{}{ | ||
"rsa": json.Number(strconv.FormatInt(4096, 10)), | ||
"rsa": 4096, | ||
}, | ||
}), | ||
{ | ||
|
@@ -1219,7 +1219,7 @@ func TestBackend_AllowedUserKeyLengths(t *testing.T) { | |
"key_type": "ca", | ||
"allow_user_certificates": true, | ||
"allowed_user_key_lengths": map[string]interface{}{ | ||
"rsa": json.Number(strconv.FormatInt(2048, 10)), | ||
"rsa": 2048, | ||
}, | ||
}), | ||
// Pass with 2048 key | ||
|
@@ -1245,6 +1245,44 @@ func TestBackend_AllowedUserKeyLengths(t *testing.T) { | |
return nil | ||
}, | ||
}, | ||
createRoleStep("multikey", map[string]interface{}{ | ||
"key_type": "ca", | ||
"allow_user_certificates": true, | ||
"allowed_user_key_lengths": map[string]interface{}{ | ||
"rsa": []int{2048, 4096}, | ||
}, | ||
}), | ||
// Pass with 2048-bit key | ||
{ | ||
Operation: logical.UpdateOperation, | ||
Path: "sign/multikey", | ||
Data: map[string]interface{}{ | ||
"public_key": testCAPublicKey, | ||
}, | ||
}, | ||
// Pass with 4096-bit key | ||
{ | ||
Operation: logical.UpdateOperation, | ||
Path: "sign/multikey", | ||
Data: map[string]interface{}{ | ||
"public_key": publicKey4096, | ||
}, | ||
}, | ||
// Fail with 3072-bit key | ||
{ | ||
Operation: logical.UpdateOperation, | ||
Path: "sign/multikey", | ||
Data: map[string]interface{}{ | ||
"public_key": publicKey3072, | ||
}, | ||
ErrorOk: true, | ||
Check: func(resp *logical.Response) error { | ||
if resp.Data["error"] != "public_key failed to meet the key requirements: key is of an invalid size: 3072" { | ||
return errors.New("a larger key (3072) was allowed, when the size was set for 2048") | ||
} | ||
return nil | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
|
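Review bot: The failure message in the 3072-bit step of the new "multikey" case is copied from the single-length test and no longer describes the role under test: `return errors.New("a larger key (3072) was allowed, when the size was set for 2048")` should say something like `return errors.New("a 3072-bit key was allowed, when the role only permits 2048 and 4096")`, since 3072 is neither larger than every allowed size nor compared against a single 2048 limit. Separately, the two earlier hunks replace `json.Number(strconv.FormatInt(4096, 10))` with the bare int `4096`, which drops the only coverage of the json.Number form that the HTTP API actually delivers for this field; as allowed_user_key_lengths is an enforcement boundary for signing, it would be worth keeping one step in that form and adding one with the comma-separated string the description mentions (`"rsa": "2048,4096"`), which this test file does not exercise. TestBackend_AllowedUserKeyLengths starts outside the hunk.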
@@ -0,0 +1,3 @@ | ||
```release-note:improvement | ||
secrets/ssh: Allow specifying multiple approved key lengths for a single algorithm | ||
``` |