Allow issuer/:issuer_ref/sign-verbatim/:role, add error on missing ro…

…le (#15543) * Allow role-based sign-verbatim with chosen issuer Signed-off-by: Alexander Scheel <[email protected]> * Add warning with missing requested verbatim role Signed-off-by: Alexander Scheel <[email protected]> * Add changelog Signed-off-by: Alexander Scheel <[email protected]> * Update builtin/logical/pki/backend.go Co-authored-by: Steven Clark <[email protected]> Co-authored-by: Steven Clark <[email protected]>
hashicorp · May 23, 2022 · 4f21baa · 4f21baa
1 parent f793d6c
commit 4f21baa
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/builtin/logical/pki/backend.go b/builtin/logical/pki/backend.go
@@ -267,7 +267,7 @@ func (b *backend) metricsWrap(callType string, roleMode int, ofunc roleOperation
 			if err != nil {
 				return nil, err
 			}
-			if role == nil && roleMode == roleRequired {
+			if role == nil && (roleMode == roleRequired || len(roleName) > 0) {
 				return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
 			}
 			labels = []metrics.Label{{"role", roleName}}

diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
@@ -79,7 +79,7 @@ func buildPathSign(b *backend, pattern string) *framework.Path {
 }
 
 func pathIssuerSignVerbatim(b *backend) *framework.Path {
-	pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim"
+	pattern := "issuer/" + framework.GenericNameRegex(issuerRefParam) + "/sign-verbatim" + framework.OptionalParamRegex("role")
 	return buildPathIssuerSignVerbatim(b, pattern)
 }
 

diff --git a/changelog/15543.txt b/changelog/15543.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/pki: Err on unknown role during sign-verbatim.
+```