Fixed up an unintentional extension handling defect, added test to co…

…ver the case.
hashicorp · May 12, 2021 · 61dff11 · 61dff11
1 parent f3065a0
commit 61dff11
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 5 deletions.
diff --git a/builtin/logical/ssh/backend_test.go b/builtin/logical/ssh/backend_test.go
@@ -1475,6 +1475,45 @@ func TestBackend_DefaultExtensionsTemplating(t *testing.T) {
 		t.Fatal("expected an error while attempting to sign a key with invalid permissions")
 	}
 
+	// Write SSH role to test with any extension.
+	_, err = client.Logical().Write("ssh/roles/test_allow_all_extensions", map[string]interface{}{
+		"key_type":                    "ca",
+		"allow_user_certificates":     true,
+		"allowed_users":               "tuber",
+		"default_user":                "tuber",
+		"default_extensions_template": true,
+		"default_extensions": map[string]interface{}{
+			"login@foobar.com": "{{identity.entity.aliases." + userpassAccessor + ".name}}",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Issue SSH certificate with userpassToken, and user-provided extensions
+	userProvidedAnyExtensionPermissions := map[string]string{
+		"login@foobar.com": "not_userpassname",
+		"login@zipzap.com": "some_other_user_name",
+	}
+	resp, err = client.Logical().Write("ssh/sign/test_allow_all_extensions", map[string]interface{}{
+		"public_key": publicKey4096,
+		"extensions": userProvidedAnyExtensionPermissions,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	signedKey = resp.Data["signed_key"].(string)
+	key, _ = base64.StdEncoding.DecodeString(strings.Split(signedKey, " ")[1])
+
+	parsedKey, err = ssh.ParsePublicKey(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = validateSSHCertificate(parsedKey.(*ssh.Certificate), sshKeyID, ssh.UserCert, []string{"tuber"}, map[string]string{}, userProvidedAnyExtensionPermissions, 16*time.Hour)
+	if err != nil {
+		t.Fatal(err)
+	}
 }
 
 func configCaStep(caPublicKey, caPrivateKey string) logicaltest.TestStep {

diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
@@ -361,24 +361,25 @@ func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Re
 	extensions := make(map[string]string)
 
 	if len(unparsedExtensions) > 0 {
-		parsedExtensions := convertMapToStringValue(unparsedExtensions)
+		extensions := convertMapToStringValue(unparsedExtensions)
 		if role.AllowedExtensions != "" {
 			notAllowed := []string{}
 			allowedExtensions := strings.Split(role.AllowedExtensions, ",")
 
-			for extensionKey, extensionValue := range parsedExtensions {
+			for extensionKey, _ := range extensions {
 				if !strutil.StrListContains(allowedExtensions, extensionKey) {
 					notAllowed = append(notAllowed, extensionKey)
-				} else {
-					extensions[extensionKey] = extensionValue
 				}
 			}
 
 			if len(notAllowed) != 0 {
 				return nil, fmt.Errorf("extensions %v are not on allowed list", notAllowed)
 			}
 		}
-	} else if role.DefaultExtensionsTemplate {
+		return extensions, nil
+	}
+
+	if role.DefaultExtensionsTemplate {
 		for extensionKey, extensionValue := range role.DefaultExtensions {
 			// Look for templating markers {{ .* }}
 			matched, _ := regexp.MatchString(`^{{.+?}}$`, extensionValue)