[Bug]: organization field in vault_pki_secret_backend_root_cert is mismatched with subject field in certificate generated by Vault HTTP API if the value has a comma #2381

Open
mitsutaka opened this issue Dec 12, 2024 · 0 comments
mitsutaka commented Dec 12, 2024

Terraform Core Version

1.10.2

Terraform Vault Provider Version

4.1.0

Vault Server Version

1.18.2

Affected Resource(s)

https://developer.hashicorp.com/vault/api-docs/secret/pki#organization

specifies the O (Organization) values in the subject field of the resulting certificate. This is a comma-separated string or JSON array.

The organization parameter in the Vault HTTP API accepts either a comma-separated string or a JSON array. For example, if we set "Company, Inc.", the Subject in the generated root certificate will have O=Inc. and O=Company.

func testCapturePKICert(resourceName string, store *testPKICertStore) resource.TestCheckFunc {

Also, we should test that the generated subject fields match the requested Terraform resource fields.

Expected Behavior

Organization in the generated certificate should have O="Company, Inc." instead of split organizations.

Actual Behavior

Organization in the generated certificate has multiple organization (O) fields if an organization field has a comma, such as O="Inc.", O="Company".

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "vault_pki_secret_backend_root_cert" "test" {
...
  organization         = "Company, Inc."
...
}

Steps to Reproduce

terraform init
terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

As the Vault HTTP endpoints accept a JSON array in the organization parameter, we can create a correct comma-included organization by using a single JSON array, but TFVP can't handle the JSON format because it parses it as a string.

curl -s -H "X-Vault-Token: $(vault print token)" http://127.0.0.1:8200/v1/pki/issuers/generate/root/existing -d'{"organization": ["Company, Inc."]}' | jq -r .data.certificate | openssl x509 -noout -subject
subject=O = "Company, Inc."

References

No response

Would you like to implement a fix?

None
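The check the issue asks for (the generated subject's O values must match the requested organization), as an added Go example that is not part of the original issue or the provider's code. `issueRoot` and `checkSubjectOrg` are hypothetical helpers, and the certificates are self-signed locally with Go's crypto/x509 instead of being issued by Vault.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"reflect"
	"sort"
	"time"
)

// issueRoot self-signs a throwaway local root with the given O values; Vault is not involved.
func issueRoot(orgs []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: orgs},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkSubjectOrg returns an error when the subject's O values differ from the requested ones.
func checkSubjectOrg(cert *x509.Certificate, want []string) error {
	got, exp := append([]string(nil), cert.Subject.Organization...), append([]string(nil), want...)
	sort.Strings(got) // DER orders the values of a multi-valued RDN, so compare order-insensitively
	sort.Strings(exp)
	if !reflect.DeepEqual(got, exp) {
		return fmt.Errorf("subject O = %q, requested %q", got, exp)
	}
	return nil
}

func main() {
	want := []string{"Company, Inc."} // requested value from the issue; the loop first tries the split form it reports
	for _, orgs := range [][]string{{"Company", "Inc."}, want} {
		cert, err := issueRoot(orgs)
		if err != nil {
			panic(err)
		}
		fmt.Println(cert.Subject.String(), "->", checkSubjectOrg(cert, want))
	}
}
```

In an acceptance test the same comparison would run against the certificate PEM returned for the resource, with `want` taken from the Terraform configuration.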

mitsutaka added the bug label Dec 12, 2024
mitsutaka changed the title Dec 12, 2024
from: [Bug]: organization field in vault_pki_secret_backend_root_cert is mismatched with Vault HTTP API that splits it to multiple "O"s if the value has a comma
to: [Bug]: organization field in vault_pki_secret_backend_root_cert is mismatched with subject field in certificate generated by Vault HTTP API if the value has a comma