scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-31 18:48:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use hash_algorithm parameter on Transit's verify HMAC requests. (#27211)

Browse Source 
Use hash_algorithm parameter on Transit's verify HMAC requests.

Parameter 'algorithm' has been deprecated in favour of 'hash_algorithm', so
update the pathHMACVerify() handler to use it when it is present.
This commit is contained in:
Victor Rodriguez
2024-05-24 11:12:23 -04:00
committed by GitHub
parent f528036e45
commit 417376341a
3 changed files with 48 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
builtin/logical/transit/path_hmac.go
View File

@@ -257,7 +257,19 @@ func (b *backend) pathHMACVerify(ctx context.Context, req *logical.Request, d *f
name := d.Get("name").(string) name := d.Get("name").(string)
algorithm := d.Get("urlalgorithm").(string) algorithm := d.Get("urlalgorithm").(string)
if algorithm == "" { if algorithm == "" {
algorithm = d.Get("algorithm").(string) hashAlgorithmRaw, hasHashAlgorithm := d.GetOk("hash_algorithm")
algorithmRaw, hasAlgorithm := d.GetOk("algorithm")
// As `algorithm` is deprecated, make sure we only read it if
// `hash_algorithm` is not present.
switch {
case hasHashAlgorithm:
algorithm = hashAlgorithmRaw.(string)
case hasAlgorithm:
algorithm = algorithmRaw.(string)
default:
algorithm = d.Get("hash_algorithm").(string)
}
} }
// Get the policy // Get the policy

29
builtin/logical/transit/path_hmac_test.go
View File

@@ -94,8 +94,9 @@ func TestTransit_HMAC(t *testing.T) {
} }
// Now verify // Now verify
req.Path = strings.ReplaceAll(req.Path, "hmac", "verify") verify := func() {
req.Data["hmac"] = value.(string) t.Helper()
resp, err = b.HandleRequest(context.Background(), req) resp, err = b.HandleRequest(context.Background(), req)
if err != nil { if err != nil {
t.Fatalf("%v: %v", err, resp) t.Fatalf("%v: %v", err, resp)
@@ -103,8 +104,30 @@ func TestTransit_HMAC(t *testing.T) {
if resp == nil { if resp == nil {
t.Fatal("expected non-nil response") t.Fatal("expected non-nil response")
} }
if errStr, ok := resp.Data["error"]; ok {
t.Fatalf("error validating hmac: %s", errStr)
}
if resp.Data["valid"].(bool) == false { if resp.Data["valid"].(bool) == false {
panic(fmt.Sprintf("error validating hmac;\nreq:\n%#v\nresp:\n%#v", *req, *resp)) t.Fatalf(fmt.Sprintf("error validating hmac;\nreq:\n%#v\nresp:\n%#v", *req, *resp))
}
}
req.Path = strings.ReplaceAll(req.Path, "hmac", "verify")
req.Data["hmac"] = value.(string)
verify()
// If `algorithm` parameter is used, try with `hash_algorithm` as well
if algorithm, ok := req.Data["algorithm"]; ok {
// Note that `hash_algorithm` takes precedence over `algorithm`, since the
// latter is deprecated.
req.Data["hash_algorithm"] = algorithm
req.Data["algorithm"] = "xxx"
defer func() {
// Restore the req fields, since it is re-used by the tests below
delete(req.Data, "hash_algorithm")
req.Data["algorithm"] = algorithm
}()
verify()
} }
} }

3
changelog/27211.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
secrets/transit: Use 'hash_algorithm' parameter if present in HMAC verify requests. Otherwise fall back to deprecated 'algorithm' parameter.
```