consul/agent
Freddy cfd72af36c Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:23 +00:00
ae Merge pull request #7948 from hashicorp/dnephin/buffer-test-logs 2020-07-21 19:22:29 +00:00
auto-config Backport: #8523 (#8589) 2020-08-31 16:46:37 -04:00
cache Merge pull request #8548 from edevil/fix_flake 2020-08-28 19:11:24 +00:00
cache-types Merge pull request #8438 from hashicorp/dnephin/1.8.x-backport-ineffassign 2020-08-07 13:04:56 -04:00
checks Merge pull request #7948 from hashicorp/dnephin/buffer-test-logs 2020-07-21 19:22:29 +00:00
config connect: all config entries pick up a meta field (#8596) 2020-09-02 19:22:37 +00:00
connect Merge pull request #9053 from hashicorp/vault-token-lookupself 2020-10-27 21:34:37 +00:00
consul Require operator:write to get Connect CA config (#9240) 2020-11-19 17:15:23 +00:00
debug fix comment typos (#4890) 2018-11-02 12:00:39 -05:00
dns Merge pull request #8528 from hashicorp/dnephin/move-node-name-validation 2020-08-26 17:13:11 -04:00
exec fix go vet issue 2017-10-25 19:30:35 +02:00
local Notify alias checks when aliased service is [de]registered (#8456) 2020-08-12 15:48:23 +00:00
metadata Merge pull request #8034 from hashicorp/dnephin/add-linter-staticcheck-4 2020-08-05 13:37:35 -04:00
mock checks: when a service does not exists in an alias, consider it failing (#7384) 2020-06-04 12:51:23 +00:00
pool Merge pull request #8976 from joel0/wrap-eof 2020-11-11 16:51:48 +00:00
proxycfg Merge pull request #8034 from hashicorp/dnephin/add-linter-staticcheck-4 2020-08-05 13:37:35 -04:00
router Merge pull request #8685 from pierresouchay/do_not_flood_logs_with_Non-server_in_server-only_area 2020-09-15 21:58:29 +00:00
routine-leak-checker Various go routine leak fixes 2020-06-25 09:36:14 -04:00
structs server: config entry replication now correctly uses namespaces in comparisons (#9024) 2020-10-23 18:42:45 +00:00
systemd
token Add ability for notifications when one of the agent tokens is updated (#8301) 2020-07-14 13:54:38 +00:00
xds connect: update supported envoy point releases to 1.14.5, 1.13.6, 1.12.7, 1.11.2 for 1.8.x (#8999) 2020-10-22 13:26:51 -05:00
acl.go added permission denied error message (#8044) 2020-09-22 18:36:36 +00:00
acl_endpoint.go test: move some test helpers over from enterprise (#7754) 2020-05-01 14:52:15 -05:00
acl_endpoint_legacy.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
acl_endpoint_legacy_test.go ci: Add staticcheck and fix most errors 2020-06-01 10:40:04 -05:00
acl_endpoint_test.go ACL Node Identities (#7970) 2020-06-16 16:55:01 +00:00
acl_test.go Merge pull request #8511 from hashicorp/dnephin/agent-setup 2020-08-26 17:15:12 -04:00
agent.go Merge pull request #8924 from ShimmerGlass/fix-sidecar-deregister-after-restart 2020-10-22 17:27:41 +00:00
agent_endpoint.go agent: expose the list of supported envoy versions on /v1/agent/self (#8566) 2020-08-27 11:33:33 -05:00
agent_endpoint_test.go agent: expose the list of supported envoy versions on /v1/agent/self (#8566) 2020-08-27 11:33:33 -05:00
agent_oss.go Merge pull request #8473 from hashicorp/dnephin/unmethod-consul-config 2020-08-26 17:06:32 -04:00
agent_test.go Merge pull request #8924 from ShimmerGlass/fix-sidecar-deregister-after-restart 2020-10-22 17:27:41 +00:00
bindata_assetfs.go update bindata_assetfs.go 2020-10-23 20:32:13 +00:00
catalog_endpoint.go Make the Agent Cache more Context aware (#8092) 2020-06-15 15:43:32 +00:00
catalog_endpoint_test.go Add api mod support for /catalog/gateway-services (#8278) 2020-07-10 19:02:09 +00:00
check.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
config_endpoint.go Merge pull request #8040 from hashicorp/ingress/expose-cli 2020-06-09 19:11:51 +00:00
config_endpoint_test.go Expect default enterprise metadata in gateway tests (#7664) 2020-04-20 09:02:35 -05:00
connect_auth.go Make the Agent Cache more Context aware (#8092) 2020-06-15 15:43:32 +00:00
connect_ca_endpoint.go Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) 2020-10-09 14:43:59 +00:00
connect_ca_endpoint_test.go Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) 2020-10-09 14:43:59 +00:00
coordinate_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
coordinate_endpoint_test.go Merge pull request #7894 from hashicorp/dnephin/add-linter-staticcheck-1 2020-05-21 17:01:15 +00:00
denylist.go Replace whitelist/blacklist terminology with allowlist/denylist (#7971) 2020-06-01 10:40:14 -05:00
denylist_test.go Replace whitelist/blacklist terminology with allowlist/denylist (#7971) 2020-06-01 10:40:14 -05:00
discovery_chain_endpoint.go Make the Agent Cache more Context aware (#8092) 2020-06-15 15:43:32 +00:00
discovery_chain_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
dns.go Merge pull request #8528 from hashicorp/dnephin/move-node-name-validation 2020-08-26 17:13:11 -04:00
dns_oss.go Merge pull request #7932 from hashicorp/ingress/internal-ui-endpoint-multiple-ports 2020-06-24 22:11:45 +00:00
dns_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 18:21:49 +00:00
enterprise_delegate_oss.go Update to use a consulent build tag instead of just ent (#5759) 2019-05-01 11:11:27 -04:00
event_endpoint.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
event_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
federation_state_endpoint.go wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
health_endpoint.go Make the Agent Cache more Context aware (#8092) 2020-06-15 15:43:32 +00:00
health_endpoint_test.go Move ingress param to a new endpoint (#8081) 2020-06-10 18:07:41 +00:00
http.go agent-http: cleanup: return nil instead of err (#8043) 2020-06-24 12:29:48 +00:00
http_decode_test.go Remove deadcode 2020-04-22 16:48:28 -04:00
http_oss.go Merge pull request #8169 from hashicorp/config-entry-ns 2020-06-23 11:44:57 -06:00
http_oss_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
http_register.go Merge pull request #8099 from hashicorp/gateway-services-endpoint 2020-06-12 21:15:25 +00:00
http_test.go Merge pull request #8514 from hashicorp/dnephin/testing-improvements-1 2020-08-26 17:11:43 -04:00
intentions_endpoint.go Fix a couple bugs regarding intentions with namespaces (#7169) 2020-01-29 17:30:38 -05:00
intentions_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
keyring.go Merge pull request #8473 from hashicorp/dnephin/unmethod-consul-config 2020-08-26 17:06:32 -04:00
keyring_test.go Merge pull request #8509 from hashicorp/dnephin/use-t.cleanup-in-testagent 2020-08-14 20:34:09 +00:00
kvs_endpoint.go docs: add docs for kv_max_value_size (#7405) 2020-03-09 11:13:40 +01:00
kvs_endpoint_test.go Merge pull request #7894 from hashicorp/dnephin/add-linter-staticcheck-1 2020-05-21 17:01:15 +00:00
nodeid.go Merge pull request #8463 from hashicorp/dnephin/unmethod-make-node-id 2020-08-26 17:05:57 -04:00
nodeid_test.go Merge pull request #8463 from hashicorp/dnephin/unmethod-make-node-id 2020-08-26 17:05:57 -04:00
notify.go Fixes memory leak when blocking on /event/list (#4482) 2018-08-02 14:54:48 +01:00
notify_test.go Fixes memory leak when blocking on /event/list (#4482) 2018-08-02 14:54:48 +01:00
operator_endpoint.go Merge pull request #8471 from hashicorp/local_only 2020-08-12 06:56:10 +00:00
operator_endpoint_test.go Merge pull request #8471 from hashicorp/local_only 2020-08-12 06:56:10 +00:00
prepared_query_endpoint.go Merge pull request #8218 from yurkeen/fix-dns-rcode 2020-07-01 13:13:55 +00:00
prepared_query_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
remote_exec.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
remote_exec_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
retry_join.go wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
retry_join_test.go wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
service_checks_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
service_manager.go agent: when enable_central_service_config is enabled ensure agent reload doesn't revert check state to critical (#8747) 2020-09-24 21:24:51 +00:00
service_manager_test.go Merge pull request #8509 from hashicorp/dnephin/use-t.cleanup-in-testagent 2020-08-14 20:34:09 +00:00
session_endpoint.go Fix session backwards incompatibility with 1.6.x and earlier. 2020-03-05 15:34:55 -05:00
session_endpoint_test.go Merge pull request #8514 from hashicorp/dnephin/testing-improvements-1 2020-08-26 17:11:43 -04:00
setup.go Backport: #8523 (#8589) 2020-08-31 16:46:37 -04:00
sidecar_service.go wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
sidecar_service_test.go Rename NewTestAgentWithFields to StartTestAgent 2020-03-31 17:14:55 -04:00
signal_unix.go cli: forward SIGTERM to child process of 'lock' and 'watch' subcommands (#4737) 2018-10-02 15:57:21 -05:00
signal_windows.go cli: forward SIGTERM to child process of 'lock' and 'watch' subcommands (#4737) 2018-10-02 15:57:21 -05:00
snapshot_endpoint.go Remove SnapshotRPC passthrough 2020-04-13 12:32:57 -04:00
snapshot_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
status_endpoint.go Allow forwarding of some status RPCs (#6198) 2019-07-25 14:26:22 -04:00
status_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
testagent.go Merge pull request #8511 from hashicorp/dnephin/agent-setup 2020-08-26 17:15:12 -04:00
testagent_test.go Merge pull request #8469 from hashicorp/dnephin/config-source 2020-08-26 17:00:51 -04:00
translate_addr.go Add the v1/catalog/node-services/:node endpoint (#7115) 2020-01-24 09:27:25 -05:00
txn_endpoint.go docs: add docs for kv_max_value_size (#7405) 2020-03-09 11:13:40 +01:00
txn_endpoint_test.go Remove name from NewTestAgent 2020-03-31 16:13:44 -04:00
ui_endpoint.go use service datacenter for dns name (#8704) 2020-09-25 10:41:02 -05:00
ui_endpoint_test.go fix ent error (#8750) 2020-09-25 10:41:18 -05:00
user_event.go agent: ensure that we always use the same settings for msgpack (#7245) 2020-02-07 15:50:24 -06:00
user_event_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 18:21:49 +00:00
util.go agent: ensure that we always use the same settings for msgpack (#7245) 2020-02-07 15:50:24 -06:00
util_test.go Merge pull request #8034 from hashicorp/dnephin/add-linter-staticcheck-4 2020-08-05 13:37:35 -04:00
watch_handler.go Merge pull request #8290 from hashicorp/dnephin/watch-decode 2020-07-20 18:41:48 +00:00
watch_handler_test.go Merge pull request #8290 from hashicorp/dnephin/watch-decode 2020-07-20 18:41:48 +00:00