vault
vault copied to clipboard
hashicorp
Backport of Approle: Fix CIDR validation for /32 masks on Token Bound CIDRs into release/1.11.x
Backport
This PR is auto-generated from #18145 to be assessed for backporting due to the inclusion of the label backport/1.11.x.
The below text is copied from the body of the original PR.
This PR fixes an issue when attempting to use /32 CIDR blocks for Token Bound CIDR restrictions and Secret ID CIDR restrictions. When setting token_bound_cidrs on a role definition containing a CIDR block with the /32 mask, the block gets stored as a single IP address string. When setting token_bound_cidrs when generating a new Secret ID, Vault validates that the blocks defined in the Secret ID configuration are a subset of the CIDR blocks defined on the role. In the case of a /32 mask, since we store it as a single IP without the mask, this validation fails. This change checks for any blocks that may exist in the token_bound_cidrs configuration on the role definition that do not have a mask, and append a /32 to the block to allow for proper validation.
Overview of commits
- 49d234dd5c595775575b92c3022b2cee26eef347
The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Updated |
|---|---|---|---|
| vault | 🔄 Building (Inspect) | Dec 21, 2022 at 4:19PM (UTC) |
![vercel[bot] avatar](https://avatars.githubusercontent.com/in/8329?v=4 "Published by a pub.dev verified publisher"){kind=small}