Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Venafi PKI role allowed_domains parameter not being enforced #133

Open
jeffwhite06 opened this issue Oct 16, 2023 · 1 comment
Open

Venafi PKI role allowed_domains parameter not being enforced #133

jeffwhite06 opened this issue Oct 16, 2023 · 1 comment

Comments

@jeffwhite06
Copy link

jeffwhite06 commented Oct 16, 2023
edited
Loading

PROBLEM SUMMARY
When specifying allowed_domains parameter on the role, the role should only issue certificates within the provided allowed domains.

This may be one of many constraints not being enforced. I also tested allow_wildcard_certificates = false and was also able to create a wildcard certificate.

According to the documentation: https://developer.hashicorp.com/vault/docs/secrets/venafi
These constraints should be enforced.

STEPS TO REPRODUCE
Run terraform code provisioning the Venafi mount and role. Include the allowed_domains in the role creation. Attempt to issue a certificate using the role, with a domain name that is outside of the allowed domains.

resource "vault_mount" "venafi" {
  path        = "venafi"
  type        = "venafi-pki-backend"
  description = "Venafi PKI Secrets Engine"
}

resource "vault_generic_endpoint" "venafi" {
  path = "${vault_mount.venafi.path}/venafi/tpp"

  data_json = jsonencode({
    url          = <venafi_url>
    access_token = <access_token>
    zone         = <venafi_zone>
  })
}

resource "vault_generic_endpoint" "role" {
  path = "venafi/roles/tpp"

  data_json = jsonencode({
    venafi_secret    = "tpp"
    chain_option     = "last"
    generate_lease   = true
    store_by         = "cn"
    store_pkey       = true
    allowed_domains  = ["example.com"]
    allow_subdomains = true
  })

  depends_on = [vault_generic_endpoint.venafi]
}

resource "vault_pki_secret_backend_cert" "issue" {
  backend = vault_mount.venafi.path
  name    = "tpp"

  common_name = "test.otherdomain.com"

  depends_on = [vault_generic_endpoint.role]
}

EXPECTED RESULTS
We expect that the creation of this certificate would be denied because the common_name domain requested is not within the allowed_domains on the role.

ACTUAL RESULTS
The certificate gets created:

  # vault_generic_endpoint.role will be created
  + resource "vault_generic_endpoint" "role" {
      + data_json            = (sensitive value)
      + disable_delete       = false
      + disable_read         = false
      + id                   = (known after apply)
      + ignore_absent_fields = false
      + path                 = "venafi/roles/tpp"
      + write_data           = (known after apply)
      + write_data_json      = (known after apply)
    }

  # vault_generic_endpoint.venafi will be created
  + resource "vault_generic_endpoint" "venafi" {
      + data_json            = (sensitive value)
      + disable_delete       = false
      + disable_read         = false
      + id                   = (known after apply)
      + ignore_absent_fields = false
      + path                 = "venafi/venafi/tpp"
      + write_data           = (known after apply)
      + write_data_json      = (known after apply)
    }

  # vault_mount.venafi will be created
  + resource "vault_mount" "venafi" {
      + accessor                     = (known after apply)
      + audit_non_hmac_request_keys  = (known after apply)
      + audit_non_hmac_response_keys = (known after apply)
      + default_lease_ttl_seconds    = (known after apply)
      + description                  = "Venafi PKI Secrets Engine"
      + external_entropy_access      = false
      + id                           = (known after apply)
      + max_lease_ttl_seconds        = (known after apply)
      + path                         = "venafi"
      + seal_wrap                    = (known after apply)
      + type                         = "venafi-pki-backend"
    }

  # vault_pki_secret_backend_cert.issue will be created
  + resource "vault_pki_secret_backend_cert" "issue" {
      + auto_renew            = false
      + backend               = "venafi"
      + ca_chain              = (known after apply)
      + certificate           = (known after apply)
      + common_name           = "test.otherdomain.com"
      + expiration            = (known after apply)
      + format                = "pem"
      + id                    = (known after apply)
      + issuing_ca            = (known after apply)
      + min_seconds_remaining = 604800
      + name                  = "tpp"
      + private_key           = (sensitive value)
      + private_key_format    = "der"
      + private_key_type      = (known after apply)
      + renew_pending         = (known after apply)
      + revoke                = false
      + serial_number         = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_mount.venafi: Creating...
vault_mount.venafi: Creation complete after 1s [id=venafi]
vault_generic_endpoint.venafi: Creating...
vault_generic_endpoint.venafi: Creation complete after 0s [id=venafi/venafi/tpp]
vault_generic_endpoint.role: Creating...
vault_generic_endpoint.role: Creation complete after 0s [id=venafi/roles/tpp]
vault_pki_secret_backend_cert.issue: Creating...
vault_pki_secret_backend_cert.issue: Still creating... [10s elapsed]
vault_pki_secret_backend_cert.issue: Creation complete after 16s [id=venafi/tpp/test.otherdomain.com]

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

ENVIRONMENT DETAILS
HCP Vault v1.14.3
Terraform 1.6.1
Terraform Vault provider v3.21.0

COMMENTS/WORKAROUNDS
@jeffwhite06 jeffwhite06 added the bug Something isn't working label Oct 16, 2023
@luispresuelVenafi
Copy link
Contributor

luispresuelVenafi commented Oct 16, 2023
edited
Loading

Hi @jeffwhite06 , thank you for reaching out!

This is not bug, this is intended, let me quote a colleague:

the allowed_domains and allow_subdomains parameters are silently ignored the same as any invalid parameter would be. The documentation was written with a focus on showing how easy it is to transition away from the native Vault PKI to our secrets engine (i.e. just add the venafi_secret and you can keep the rest of the parameters the way they are—we’ll just ignore them if they don’t apply any longer). Now that we know most people are adopting our secrets engine from the beginning as opposed to transitioning from the native Vault PKI, I think we can remove those parameters from the README so there isn’t any confusion.

And this make sense, because we want you to manage policies or do policy enforcement within the Venafi Control Plane (either you are using TLSPC, previously know as VaaS or TLSPDC, previously know as TPP).

This is more of a issue in our README but not a bug in the code, so I'll remove it. We do need to update our documentation.

Thank you for raising the concern!

@luispresuelVenafi luispresuelVenafi removed the bug Something isn't working label Oct 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jeffwhite06 @luispresuelVenafi