
Backport of Approle: Fix CIDR validation for /32 masks on Token Bound CIDRs into release/1.12.x

Open hc-github-team-secure-vault-core opened this issue 2 years ago • 0 comments

Backport

This PR is auto-generated from #18145 to be assessed for backporting due to the inclusion of the label backport/1.12.x.

The below text is copied from the body of the original PR.


This PR fixes an issue when attempting to use /32 CIDR blocks for Token Bound CIDR restrictions and Secret ID CIDR restrictions. When setting token_bound_cidrs on a role definition containing a CIDR block with the /32 mask, the block gets stored as a single IP address string. When setting token_bound_cidrs when generating a new Secret ID, Vault validates that the blocks defined in the Secret ID configuration are a subset of the CIDR blocks defined on the role. In the case of a /32 mask, since we store it as a single IP without the mask, this validation fails. This change checks for any blocks that may exist in the token_bound_cidrs configuration on the role definition that do not have a mask, and appends a /32 to the block to allow for proper validation.
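As an added illustration of the check described above (example code written here, not Vault's own implementation), the Go below restores the /32 on role entries stored as a bare IPv4 address before testing whether the Secret ID CIDRs are a subset of the role CIDRs. The function names and sample addresses are constructed for the example.

```go
package main

import "net"

// normalizeCIDR restores the /32 mask on a role token_bound_cidrs entry that
// was stored as a bare IPv4 address, so it parses as a network again.
func normalizeCIDR(entry string) (*net.IPNet, error) {
	if ip := net.ParseIP(entry); ip != nil && ip.To4() != nil {
		entry += "/32"
	}
	_, n, err := net.ParseCIDR(entry)
	return n, err
}

// isSubset is the Secret ID check: every requested CIDR must lie within at
// least one role CIDR (same family, prefix at least as long, network address
// contained). Without normalizeCIDR a role entry "10.0.0.5" fails to parse
// and a Secret ID bound to 10.0.0.5/32 is rejected.
func isSubset(roleCIDRs, secretCIDRs []string) (bool, error) {
	var roleNets []*net.IPNet
	for _, r := range roleCIDRs {
		n, err := normalizeCIDR(r)
		if err != nil {
			return false, err
		}
		roleNets = append(roleNets, n)
	}
	for _, s := range secretCIDRs {
		_, sn, err := net.ParseCIDR(s)
		if err != nil {
			return false, err
		}
		sOnes, sBits := sn.Mask.Size()
		covered := false
		for _, rn := range roleNets {
			rOnes, rBits := rn.Mask.Size()
			if rBits == sBits && sOnes >= rOnes && rn.Contains(sn.IP) {
				covered = true
				break
			}
		}
		if !covered {
			return false, nil
		}
	}
	return true, nil
}
```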


Overview of commits
  • 49d234dd5c595775575b92c3022b2cee26eef347