Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix creation of vault_pki_secret_backend_root_sign_intermediate resource with zero path length #2253

Merged
merged 2 commits into from
Dec 4, 2024
Merged

Fix creation of vault_pki_secret_backend_root_sign_intermediate resource with zero path length #2253

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
30f72e6
fix: Fix zero integer value handling
vaerh May 30, 2024
e22db82
Merge branch 'main' into main
vaerh Dec 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,10 @@ FEATURES:

IMPROVEMENTS:
* return a useful error when delete fails for the `vault_jwt_auth_backend_role` resource: ([#2232](https://github.com/hashicorp/terraform-provider-vault/pull/2232))
BUGS:
* Remove dependency on `github.com/hashicorp/vault` package: ([#2251](https://github.com/hashicorp/terraform-provider-vault/pull/2251))
* Add missing `custom_tags` and `secret_name_template` fields to `vault_secrets_sync_azure_destination` resource ([#2247](https://github.com/hashicorp/terraform-provider-vault/pull/2247))
* Fix handling of 0 value within field `max_path_length` in `vault_pki_secret_backend_root_cert` and `vault_pki_secret_backend_root_sign_intermediate` resources ([#2253](https://github.com/hashicorp/terraform-provider-vault/pull/2253))

## 4.2.0 (Mar 27, 2024)

Expand Down
3 changes: 2 additions & 1 deletion vault/resource_pki_secret_backend_root_cert.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -394,8 +394,9 @@ func pkiSecretBackendRootCertCreate(_ context.Context, d *schema.ResourceData, m
}

data := map[string]interface{}{}
rawConfig := d.GetRawConfig()
for _, k := range rootCertAPIFields {
if v, ok := d.GetOk(k); ok {
if v := d.Get(k); !rawConfig.GetAttr(k).IsNull() {
data[k] = v
}
}
Expand Down
2 changes: 2 additions & 0 deletions vault/resource_pki_secret_backend_root_cert_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ func TestPkiSecretBackendRootCertificate_basic(t *testing.T) {
resource.TestCheckResourceAttr(resourceName, consts.FieldLocality, "test"),
resource.TestCheckResourceAttr(resourceName, consts.FieldProvince, "test"),
resource.TestCheckResourceAttrSet(resourceName, consts.FieldSerialNumber),
assertCertificateAttributes(resourceName),
}

resource.Test(t, resource.TestCase{
Expand Down Expand Up @@ -263,6 +264,7 @@ resource "vault_pki_secret_backend_root_cert" "test" {
country = "test"
locality = "test"
province = "test"
max_path_length = 0
}
`, path)

Expand Down
3 changes: 2 additions & 1 deletion vault/resource_pki_secret_backend_root_sign_intermediate.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -263,8 +263,9 @@ func pkiSecretBackendRootSignIntermediateCreate(ctx context.Context, d *schema.R
}

data := map[string]interface{}{}
rawConfig := d.GetRawConfig()
for _, k := range intermediateSignAPIFields {
if v, ok := d.GetOk(k); ok {
if v := d.Get(k); !rawConfig.GetAttr(k).IsNull() {
data[k] = v
}
}
Expand Down
47 changes: 47 additions & 0 deletions vault/resource_pki_secret_backend_root_sign_intermediate_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
package vault

import (
"crypto/x509"
"encoding/base64"
"encoding/pem"
"fmt"
Expand Down Expand Up @@ -249,6 +250,7 @@ func testCheckPKISecretRootSignIntermediate(res, path, commonName, format string
resource.TestCheckResourceAttrSet(res, "serial_number"),
assertPKICertificateBundle(res, format),
assertPKICAChain(res),
assertCertificateAttributes(res),
)
}

Expand Down Expand Up @@ -315,6 +317,50 @@ func assertPKICAChain(res string) resource.TestCheckFunc {
}
}

func assertCertificateAttributes(res string) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, ok := s.RootModule().Resources[res]
if !ok {
return fmt.Errorf("resource %q not found in the state", res)
}
format := rs.Primary.Attributes["format"]
var rawCert []byte
switch format {
case "pem", "pem_bundle":
pemCert := []byte(rs.Primary.Attributes["certificate"])
b, _ := pem.Decode(pemCert)
if b == nil {
return fmt.Errorf("error decoding PEM certificate")
}

rawCert = b.Bytes
case "der":
certAttr := rs.Primary.Attributes["certificate"]
var err error
rawCert, err = base64.StdEncoding.DecodeString(certAttr)
if err != nil {
return fmt.Errorf("error decoding der certificate: %w", err)
}
}

crt, err := x509.ParseCertificate(rawCert)
if err != nil {
return fmt.Errorf("error parsing certificate: %w", err)
}

expectedMaxPathLen, err := strconv.Atoi(rs.Primary.Attributes["max_path_length"])
if err != nil {
return fmt.Errorf("error parsing max_path_length value as int: %w", err)
}

if expectedMaxPathLen != crt.MaxPathLen {
return fmt.Errorf("expected MaxPathLen %d, actual %d", expectedMaxPathLen, crt.MaxPathLen)
}

return nil
}
}

func testPkiSecretBackendRootSignIntermediateConfig_basic(rootPath, path, format string, revoke bool, issuerRef string) string {
config := fmt.Sprintf(`
resource "vault_mount" "test-root" {
Expand Down Expand Up @@ -368,6 +414,7 @@ resource "vault_pki_secret_backend_root_sign_intermediate" "test" {
locality = "San Francisco"
province = "CA"
revoke = %t
max_path_length = 0
`, rootPath, path, revoke)

if format != "" {
Expand Down
Loading