Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move all pki-verification calls from sdk-Verify() to pki-specific #29342

Merged
merged 9 commits into from
Jan 29, 2025
Merged

Move all pki-verification calls from sdk-Verify() to pki-specific #29342

merged 9 commits into from
Jan 29, 2025

Conversation

kitography
Copy link
Contributor

VerifyCertifcate(...); update sdk-Verify to allow multiple chains, but validate that at least one of those chains is valid.

Description

This updates the "Verify" call in the SDK to allow multiple chains, but do more enforcement to check that at least one of those chains is valid.

  • Note that this is used by the sdk call ParsePEMBundle which has usages in:
    -- builtin/logical/database/credentials.go ; line 269
    -- physical/cassandra/cassandra.go ; line 201
    -- plugins/database/influxdb/connection_producer.go ; line 97
    This also updates calls inside the PKI secrets engine to use the configurable VerifyCertificate call rather than the sdk-version which lacks the context that Verify includes.

TODO only if you're a HashiCorp employee

  • Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
    -- This doesn't change the signature of any function.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.

@kitography kitography added backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent backport/1.18.x backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent labels Jan 10, 2025
@kitography kitography added this to the 1.19.0-rc milestone Jan 10, 2025
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jan 10, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 10, 2025
edited
Loading

CI Results:
All Go tests succeeded! ✅

@kitography kitography force-pushed the kitography/VAULT-32531-Remove-Duplicate-Chain-Verify-Code branch from 5fb330b to a9b832d Compare January 22, 2025 15:11
@kitography kitography marked this pull request as ready for review January 22, 2025 15:11
@kitography kitography requested review from a team as code owners January 22, 2025 15:11
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 22, 2025
edited
Loading

Build Results:
All builds succeeded! ✅

@kitography kitography force-pushed the kitography/VAULT-32531-Remove-Duplicate-Chain-Verify-Code branch from b09467e to 242fd3f Compare January 22, 2025 20:40
victorr
victorr requested changes Jan 23, 2025
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes look good to me, just need to clean up the moved function.

builtin/logical/pki/issuing/cert_verify.go Outdated Show resolved Hide resolved
sdk/helper/certutil/helpers.go Outdated Show resolved Hide resolved
@kitography kitography force-pushed the kitography/VAULT-32531-Remove-Duplicate-Chain-Verify-Code branch from b43fa3b to 99b3e3f Compare January 27, 2025 16:30
@kitography kitography requested a review from victorr January 27, 2025 16:32
victorr
victorr previously approved these changes Jan 28, 2025
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All good!

victorr
victorr previously approved these changes Jan 28, 2025
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤞 There are no more base branch conflicts.

@kitography kitography enabled auto-merge (squash) January 28, 2025 20:37
victorr
victorr approved these changes Jan 29, 2025
View reviewed changes
Copy link
Contributor

@victorr victorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kitography kitography merged commit 371ffc4 into main Jan 29, 2025
91 of 92 checks passed
@kitography kitography deleted the kitography/VAULT-32531-Remove-Duplicate-Chain-Verify-Code branch January 29, 2025 16:05
Draft
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorr victorr victorr approved these changes

@angelocordon angelocordon Awaiting requested review from angelocordon angelocordon is a code owner automatically assigned from hashicorp/vault

Assignees
No one assigned
Labels
backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent backport/1.18.x hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.19.0-rc
Development

Successfully merging this pull request may close these issues.
2 participants
@kitography @victorr