Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix creation of vault_pki_secret_backend_root_sign_intermediate resource with zero path length #2253

Merged
merged 2 commits into from
Dec 4, 2024

Conversation

vaerh
Copy link
Contributor

@vaerh vaerh commented May 30, 2024

Description

When filling the data map, values are incorrectly evaluated using the GetOk function, so zero integer values are discarded. For this reason it is not possible to set the max_path_length = 0 restriction for a certificate.

Checklist

  • Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestPkiSecretBackendRootSignIntermediate*'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -run=TestPkiSecretBackendRootSignIntermediate* -timeout 30m ./...
?       github.com/hashicorp/terraform-provider-vault   [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/coverage      [no test files]
?       github.com/hashicorp/terraform-provider-vault/cmd/generate      [no test files]
?       github.com/hashicorp/terraform-provider-vault/helper    [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/consts   [no test files]
ok      github.com/hashicorp/terraform-provider-vault/codegen   (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/internal/identity/entity  (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/mfa     [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/identity/group   [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/pki      [no test files]
?       github.com/hashicorp/terraform-provider-vault/internal/sync     [no test files]
?       github.com/hashicorp/terraform-provider-vault/schema    [no test files]
ok      github.com/hashicorp/terraform-provider-vault/internal/provider (cached) [no tests to run]
?       github.com/hashicorp/terraform-provider-vault/util/mountutil    [no test files]
ok      github.com/hashicorp/terraform-provider-vault/testutil  (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/util      (cached) [no tests to run]
ok      github.com/hashicorp/terraform-provider-vault/vault     48.623s
...

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Copy link

hashicorp-cla-app bot commented May 30, 2024

CLA assistant check
All committers have signed the CLA.

Copy link

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

Have you signed the CLA already but the status is still pending? Recheck it.

@rismalrv
Copy link

rismalrv commented Jun 7, 2024

+1

@rismalrv
Copy link

sorry to bother, any timeline it get merge?

@stevendpclark
Copy link
Contributor

Hi @vaerh, would you mind signing the CLA? I'm not exactly sure what is going on as there are conflicting messages in this PR, perhaps the email used on the commit didn't match the Github user (just a guess)?

@vaerh
Copy link
Contributor Author

vaerh commented Nov 26, 2024

I was surprised by two posts myself. I signed the CLA back in May when I created the PR. I have two email addresses in my profile and will check a little later to see what's going on.

@stevendpclark
Copy link
Contributor

Thanks @vaerh! If possible could you look into adding a test case for the field so we protect against further regressions? If time is an issue, please let me know and I can look into it.

@vaerh
Copy link
Contributor Author

vaerh commented Nov 26, 2024

No problem. It'll take a little time

@vaerh vaerh requested a review from a team as a code owner December 4, 2024 07:46
@vaerh vaerh requested a review from rebwill December 4, 2024 07:46
@vaerh
Copy link
Contributor Author

vaerh commented Dec 4, 2024

@stevendpclark Completed.

Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @vaerh,

Thanks for adding the test! I've spotted a few issues in the test that was added

  • Currently the test fails TestPkiSecretBackendRootSignIntermediate_basic_der as the certificate is not PEM encoded but a base64 encoded der
  • I believe the reflect.DeepEqual needs to be negated but it is also comparing a string and an int which I don't believe will ever work.
  • I just noticed that we have the same issue of max_path_length within vault_pki_secret_backend_root_cert
  • We are missing a changelog entry for this bug.

That was a lot of different feedback, if you wish I've codified it all within this gist as a patch. I didn't feel comfortable pushing this to your main branch on this PR so feel free to apply it.

Thanks again!

@vaerh
Copy link
Contributor Author

vaerh commented Dec 4, 2024

I apologize for my inattention here. I'll fix it!
I suggest not to create a new PR and solve the problem in this one...

When filling the data map, values are incorrectly evaluated using the `GetOk` function, so zero integer values are discarded. For this reason it is not possible to set the `max_path_length = 0` restriction for a certificate.

Co-authored-by: Steven Clark <[email protected]>
@vaerh
Copy link
Contributor Author

vaerh commented Dec 4, 2024

@stevendpclark Thank you very much for your help!

A little offtopic, do you know if there are any plans to add the ability to change keyUsage for root and intermediate certificates?

@stevendpclark
Copy link
Contributor

Hey @vaerh,

Thanks for fixing that up, there seems to be a conflict on the changelog file, would you mind fixing that up and I can merge this in.

A little offtopic, do you know if there are any plans to add the ability to change keyUsage for root and intermediate certificates?

If you are referring to Vault itself, I believe you can now do that on 1.18.x. If it is in regard to syncing up that functionality within TFVP it's on the to do list but I'd be happy to review any submission if you'd be interested in contributing.

Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @vaerh for the contribution!

@vaerh
Copy link
Contributor Author

vaerh commented Dec 4, 2024

You're welcome, it was a pleasure working with you!

Some time ago I needed to create a PKI specifying keyUsage, but the existing TFVP option didn't work as expected and diving into the Vault code I couldn't find any parameters that could be affected.
I'll have to look again to see what has changed recently.

@stevendpclark stevendpclark merged commit fabb0ac into hashicorp:main Dec 4, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants