Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of Trap errors related to vault pki list-intermediate issuer reading into release/1.13.x #19177

Conversation

hc-github-team-secure-vault-core
Copy link
Collaborator

Backport

This PR is auto-generated from #19165 to be assessed for backporting due to the inclusion of the label backport/1.13.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

merge conflict error: POST https://api.github.com/repos/hashicorp/vault/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Description

Discovered during testing if an invalid parent issuer url was provided to the list-intermediate pki sub-command we would get a nil exception.

What was modified

  • Factor out reading issuers into a common method that will parse and validate the response (certificate, key_id, ca chain)
  • Leverage some of the existing methods from the pki healthcheck to parse the issuer response
  • Change the list-intermediate command to load the parent issuer only once, instead of every child issuer.

Encountered error being addressed

❯ vault pki list-intermediates pki
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x53035a4]

goroutine 1 [running]:
github.com/hashicorp/vault/command.verifySignBetween(0xc00151a280, {0x7ff7bfeff99d, 0x3}, {0xc0006e8660, 0x2f})
        /Users/sclark/git-repos/vault-oss/command/pki_verify_sign_command.go:115 +0x144
github.com/hashicorp/vault/command.(*PKIListIntermediateCommand).Run(0xc0012ee180, {0xc0000720b0, 0x1, 0x1})
        /Users/sclark/git-repos/vault-oss/command/pki_list_intermediate_command.go:192 +0x7e5
github.com/mitchellh/cli.(*CLI).Run(0xc000304000)
        /Users/sclark/go/pkg/mod/github.com/mitchellh/cli@v1.1.2/cli.go:262 +0x5f8
github.com/hashicorp/vault/command.RunCustom({0xc000072090?, 0x3?, 0x3?}, 0xc0000061a0?)
        /Users/sclark/git-repos/vault-oss/command/main.go:238 +0xa65
github.com/hashicorp/vault/command.Run(...)
        /Users/sclark/git-repos/vault-oss/command/main.go:142
main.main()
        /Users/sclark/git-repos/vault-oss/main.go:16 +0x50

Overview of commits

@hc-github-team-secure-vault-core hc-github-team-secure-vault-core force-pushed the backport/stevendpclark/vault-13588-cli-command-input/uniformly-busy-griffon branch from a73fead to dbdbe95 Compare February 14, 2023 13:52
@hc-github-team-secure-vault-core hc-github-team-secure-vault-core force-pushed the backport/stevendpclark/vault-13588-cli-command-input/uniformly-busy-griffon branch from dbdbe95 to a73fead Compare February 14, 2023 13:52
@hashicorp-cla
Copy link

hashicorp-cla commented Feb 14, 2023

CLA assistant check
All committers have signed the CLA.

…9165)

* Rename files to match test suite and existing pattern

* Factor out issuer loading into a dedicated function

 - Add a little more checks/validation when loading the a PKI issuer
 - Factor out the issuer loading into a dedicated function
 - Leverage existing health check code to parse issuer certificates

* Read parent issuer once instead of reloading it for every child

 - Read in our parent issuer once instead of running it for every child
   we want to compare against
 - Provides clearer error message that we have failed reading from which
   path to the end user

* PR Feedback

 - Rename a variable for clarity
 - Use readIssuer in the validation of the parent issuer within
   pkiIssuer
 - Add some missing return 1 statements in error handlers that had been
   missed
@stevendpclark stevendpclark force-pushed the backport/stevendpclark/vault-13588-cli-command-input/uniformly-busy-griffon branch from e1b622f to 0eb59e5 Compare February 14, 2023 14:25
@stevendpclark stevendpclark marked this pull request as ready for review February 14, 2023 14:41
@stevendpclark stevendpclark enabled auto-merge (squash) February 14, 2023 14:49
@stevendpclark stevendpclark merged commit 02bc254 into release/1.13.x Feb 14, 2023
@stevendpclark stevendpclark deleted the backport/stevendpclark/vault-13588-cli-command-input/uniformly-busy-griffon branch February 14, 2023 15:31
@stevendpclark stevendpclark self-assigned this Feb 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants