Trap errors related to vault pki list-intermediate issuer reading #19165

Merged
merged 4 commits into from
Feb 14, 2023

stevendpclark

Description

Discovered during testing: if an invalid parent issuer URL was provided to the list-intermediate pki sub-command, we would get a nil exception.

What was modified

  • Factor out reading issuers into a common method that will parse and validate the response (certificate, key_id, ca chain)
  • Leverage some of the existing methods from the pki healthcheck to parse the issuer response
  • Change the list-intermediate command to load the parent issuer only once, instead of every child issuer.

Encountered error being addressed

❯ vault pki list-intermediates pki
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x53035a4]

goroutine 1 [running]:
github.com/hashicorp/vault/command.verifySignBetween(0xc00151a280, {0x7ff7bfeff99d, 0x3}, {0xc0006e8660, 0x2f})
        /Users/sclark/git-repos/vault-oss/command/pki_verify_sign_command.go:115 +0x144
github.com/hashicorp/vault/command.(*PKIListIntermediateCommand).Run(0xc0012ee180, {0xc0000720b0, 0x1, 0x1})
        /Users/sclark/git-repos/vault-oss/command/pki_list_intermediate_command.go:192 +0x7e5
github.com/mitchellh/cli.(*CLI).Run(0xc000304000)
        /Users/sclark/go/pkg/mod/github.com/mitchellh/cli@v1.1.2/cli.go:262 +0x5f8
github.com/hashicorp/vault/command.RunCustom({0xc000072090?, 0x3?, 0x3?}, 0xc0000061a0?)
        /Users/sclark/git-repos/vault-oss/command/main.go:238 +0xa65
github.com/hashicorp/vault/command.Run(...)
        /Users/sclark/git-repos/vault-oss/command/main.go:142
main.main()
        /Users/sclark/git-repos/vault-oss/main.go:16 +0x50
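
An added example, not code from this pull request or from Vault: a sketch of the kind of validation the description attributes to the common issuer-reading method, checking each layer of a read response before it is used. The `secret` type, the `parseIssuer` name and the `ca_chain` key are assumptions for illustration, and the sample path is constructed.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// secret is a hypothetical stand-in for a client read result; it and Data may be nil.
type secret struct{ Data map[string]interface{} }

// issuerBundle holds the validated fields of an issuer response.
type issuerBundle struct {
	Cert    *x509.Certificate
	KeyID   string
	CAChain []string
}

// parseIssuer checks each layer before use and names the path in every error.
func parseIssuer(path string, s *secret) (*issuerBundle, error) {
	if s == nil || s.Data == nil {
		return nil, fmt.Errorf("no issuer data returned from %q", path)
	}
	certPEM, ok := s.Data["certificate"].(string)
	if !ok || certPEM == "" {
		return nil, fmt.Errorf("response from %q has no certificate field", path)
	}
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("certificate from %q is not a PEM certificate", path)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing certificate from %q: %w", path, err)
	}
	bundle := &issuerBundle{Cert: cert}
	bundle.KeyID, _ = s.Data["key_id"].(string) // optional; stays empty if absent
	rawChain, _ := s.Data["ca_chain"].([]interface{})
	for i, entry := range rawChain {
		pemEntry, ok := entry.(string)
		if !ok {
			return nil, fmt.Errorf("ca_chain[%d] from %q is not a string", i, path)
		}
		bundle.CAChain = append(bundle.CAChain, pemEntry)
	}
	return bundle, nil
}

func main() {
	_, err := parseIssuer("pki/issuer/does-not-exist", nil) // constructed bad path
	fmt.Println("error:", err)
}
```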

 - Add a little more checks/validation when loading a PKI issuer
 - Factor out the issuer loading into a dedicated function
 - Leverage existing health check code to parse issuer certificates
 - Read in our parent issuer once instead of running it for every child
   we want to compare against
 - Provides clearer error message that we have failed reading from which
   path to the end user
intermediateMount := sanitizePath(args[2])

templateCertificateResp, err := client.Logical().Read(sanitizePath(args[1]))
issuerBundle, err := readIssuer(client, templateIssuer)
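
Review bot: no check of `err` is visible after `issuerBundle, err := readIssuer(client, templateIssuer)` in this excerpt. Since the reported panic came from using an issuer response that had not been validated, handle `err` immediately after this call and return a non-zero exit code before `issuerBundle` is touched. The `client.Logical().Read(sanitizePath(args[1]))` line above it runs the argument through `sanitizePath`; confirm `templateIssuer` gets the same treatment before it reaches `readIssuer`, or sanitize inside `readIssuer` so every caller is covered.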

Could we rename this templateIssuerBundle? I'm worried that this is quite a bit confusing with the parent issuer also being one of the arguments.

@kitography kitography left a comment

This looks good to me, and solves the issue :)
It might be worth standardizing the check in issue too - the thing that parses the parentIssuer in reissue (but that is already confirmed to be an issuer there, just not in this way)

 - Rename a variable for clarity
 - Use readIssuer in the validation of the parent issuer within
   pkiIssuer
 - Add some missing return 1 statements in error handlers that had been
   missed

@cipherboy cipherboy left a comment

Looks like a nice, balanced approach :-)

@stevendpclark stevendpclark merged commit 7d9dd37 into main Feb 14, 2023
stevendpclark added a commit that referenced this pull request Feb 14, 2023
…9165)

* Rename files to match test suite and existing pattern

* Factor out issuer loading into a dedicated function

 - Add a little more checks/validation when loading a PKI issuer
 - Factor out the issuer loading into a dedicated function
 - Leverage existing health check code to parse issuer certificates

* Read parent issuer once instead of reloading it for every child

 - Read in our parent issuer once instead of running it for every child
   we want to compare against
 - Provides clearer error message that we have failed reading from which
   path to the end user

* PR Feedback

 - Rename a variable for clarity
 - Use readIssuer in the validation of the parent issuer within
   pkiIssuer
 - Add some missing return 1 statements in error handlers that had been
   missed
stevendpclark added a commit that referenced this pull request Feb 14, 2023
…9165) (#19177)

* Rename files to match test suite and existing pattern

* Factor out issuer loading into a dedicated function

 - Add a little more checks/validation when loading a PKI issuer
 - Factor out the issuer loading into a dedicated function
 - Leverage existing health check code to parse issuer certificates

* Read parent issuer once instead of reloading it for every child

 - Read in our parent issuer once instead of running it for every child
   we want to compare against
 - Provides clearer error message that we have failed reading from which
   path to the end user

* PR Feedback

 - Rename a variable for clarity
 - Use readIssuer in the validation of the parent issuer within
   pkiIssuer
 - Add some missing return 1 statements in error handlers that had been
   missed

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
@stevendpclark stevendpclark deleted the stevendpclark/vault-13588-cli-command-input branch February 14, 2023 15:33