consul/agent/consul
Freddy cfd72af36c Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This effectively allows the user to escalate privileges by enabling them to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:23 +00:00
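The commit above describes the gate that changed: the read of the Connect CA configuration returns the provider config, which (for a CA set through the configuration endpoint) carries the CA private key, so the read must be held to the same permission as a write. The Go program below is an added example, not Consul's own code from `connect_ca_endpoint.go`; it models the pre-fix check (`operator:read`) beside the fixed check (`operator:write`) with hypothetical stand-in types (`Authorizer`, `CAConfig`, `Server`) and constructed tokens, and the key material is a placeholder string.

```go
package main

import (
	"errors"
	"fmt"
)

// Operator models the ACL "operator" permission level resolved from a token
// (hypothetical type for this example, not a Consul identifier).
type Operator int

const (
	OperatorNone Operator = iota
	OperatorRead
	OperatorWrite
)

// Authorizer stands in for the resolved ACL policy of a token.
type Authorizer struct{ Operator Operator }

func (a Authorizer) OperatorRead() bool  { return a.Operator >= OperatorRead }
func (a Authorizer) OperatorWrite() bool { return a.Operator >= OperatorWrite }

var ErrPermissionDenied = errors.New("Permission denied")

// CAConfig models the Connect CA configuration. When the CA was configured via
// the configuration endpoint, Config carries the CA private key, which is what
// makes a plain read of this object sensitive.
type CAConfig struct {
	Provider string
	Config   map[string]interface{}
}

// Server is a stand-in for a Consul server holding a token table and CA config.
type Server struct {
	tokens   map[string]Authorizer
	caConfig *CAConfig
}

func (s *Server) resolveToken(token string) (Authorizer, error) {
	authz, ok := s.tokens[token]
	if !ok {
		return Authorizer{}, errors.New("ACL not found")
	}
	return authz, nil
}

// ConfigurationGetBefore reproduces the pre-fix gate: operator:read suffices,
// so a read-only operator receives the private key.
func (s *Server) ConfigurationGetBefore(token string) (*CAConfig, error) {
	authz, err := s.resolveToken(token)
	if err != nil {
		return nil, err
	}
	if !authz.OperatorRead() {
		return nil, ErrPermissionDenied
	}
	return s.caConfig, nil
}

// ConfigurationGetAfter applies the fix the commit describes: the same read
// now requires operator:write.
func (s *Server) ConfigurationGetAfter(token string) (*CAConfig, error) {
	authz, err := s.resolveToken(token)
	if err != nil {
		return nil, err
	}
	if !authz.OperatorWrite() {
		return nil, ErrPermissionDenied
	}
	return s.caConfig, nil
}

// HasPrivateKey reports whether a returned config exposes key material.
func HasPrivateKey(cfg *CAConfig) bool {
	if cfg == nil {
		return false
	}
	_, ok := cfg.Config["PrivateKey"]
	return ok
}

// NewDemoServer builds a server from constructed tokens and a constructed CA
// config; the PrivateKey value is a placeholder, not a real key.
func NewDemoServer() *Server {
	return &Server{
		tokens: map[string]Authorizer{
			"reader-token": {Operator: OperatorRead},
			"writer-token": {Operator: OperatorWrite},
			"anon-token":   {Operator: OperatorNone},
		},
		caConfig: &CAConfig{
			Provider: "consul",
			Config:   map[string]interface{}{"PrivateKey": "-----BEGIN EC PRIVATE KEY-----(placeholder)"},
		},
	}
}

func main() {
	s := NewDemoServer()
	for _, tok := range []string{"reader-token", "writer-token", "anon-token"} {
		before, errB := s.ConfigurationGetBefore(tok)
		after, errA := s.ConfigurationGetAfter(tok)
		fmt.Printf("%-12s before: key=%v err=%v | after: key=%v err=%v\n",
			tok, HasPrivateKey(before), errB, HasPrivateKey(after), errA)
	}
}
```

The operational check on a real cluster is the same shape: call `GET /v1/connect/ca/configuration` with a token that carries only `operator = "read"` and expect `403 Permission denied` on a patched server, while a token with `operator = "write"` still receives the config. Note that the fix narrows the read; it does not rotate a key that a read-only operator may already have retrieved, so a CA rotation is the remediation for any exposure that happened before the upgrade.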
authmethod Replace whitelist/blacklist terminology with allowlist/denylist (#7971) 2020-06-01 10:40:14 -05:00
autopilot Merge pull request #7894 from hashicorp/dnephin/add-linter-staticcheck-1 2020-05-21 17:01:15 +00:00
discoverychain Construct a default destination if one does not exist for service-router (#7783) 2020-05-05 10:49:50 -05:00
fsm fsm: Fix snapshot bug with restoring node/service/check indexes 2020-08-11 14:22:42 -07:00
prepared_query Merge pull request #7894 from hashicorp/dnephin/add-linter-staticcheck-1 2020-05-21 17:01:15 +00:00
state Backport #9156 to 1.8.x (#9164) 2020-11-11 15:12:10 -05:00
testdata Fix support for RSA CA keys in Connect. (#6638) 2019-11-01 13:20:26 +00:00
wanfed wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
acl.go Merge pull request #8546 from edevil/fix_vet 2020-08-24 18:39:56 +00:00
acl_authmethod.go ACL Node Identities (#7970) 2020-06-16 16:55:01 +00:00
acl_authmethod_oss.go acl: add auth method for JWTs (#7846) 2020-05-11 20:59:29 -05:00
acl_authmethod_test.go acl: refactor the authmethod.Validator interface (#7760) 2020-05-01 17:35:28 -05:00
acl_client.go Fix identity resolution on clients and in secondary dcs (#7862) 2020-05-13 13:00:08 -04:00
acl_endpoint.go Merge pull request #8546 from edevil/fix_vet 2020-08-24 18:39:56 +00:00
acl_endpoint_legacy.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
acl_endpoint_oss.go acl: add auth method for JWTs (#7846) 2020-05-11 20:59:29 -05:00
acl_endpoint_test.go Merge pull request #8034 from hashicorp/dnephin/add-linter-staticcheck-4 2020-08-05 13:37:35 -04:00
acl_oss.go Allow the PolicyResolve and RoleResolve endpoints to process na… (#7296) 2020-02-13 14:55:27 -05:00
acl_oss_test.go Update the ACL Resolver to allow for Consul Enterprise specific hooks. (#6687) 2019-10-25 11:06:16 -04:00
acl_replication.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
acl_replication_legacy.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
acl_replication_legacy_test.go AuthMethod updates to support alternate namespace logins (#7029) 2020-01-14 10:09:29 -05:00
acl_replication_test.go AuthMethod updates to support alternate namespace logins (#7029) 2020-01-14 10:09:29 -05:00
acl_replication_types.go Merge pull request #8546 from edevil/fix_vet 2020-08-24 18:39:56 +00:00
acl_server.go auto_config implies connect (#8433) 2020-08-07 10:02:30 +00:00
acl_server_oss.go Allow the bootstrap endpoint to be disabled in enterprise. (#7614) 2020-04-14 11:45:39 -04:00
acl_test.go Merge pull request #8548 from edevil/fix_flake 2020-08-28 19:11:24 +00:00
acl_token_exp.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
acl_token_exp_test.go acl: adding support for kubernetes auth provider login (#5600) 2019-04-26 14:49:25 -05:00
auto_config_endpoint.go Agent Auto Config: Implement Certificate Generation (#8360) 2020-07-28 19:32:22 +00:00
auto_config_endpoint_test.go Agent Auto Config: Implement Certificate Generation (#8360) 2020-07-28 19:32:22 +00:00
auto_encrypt_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
auto_encrypt_endpoint_test.go Allow setting verify_incoming* when using auto_encrypt or auto_config (#8394) 2020-07-30 14:16:15 +00:00
autopilot.go Remove failed nodes from serfWAN (#6028) 2019-06-28 12:40:07 -05:00
autopilot_oss.go Update to use a consulent build tag instead of just ent (#5759) 2019-05-01 11:11:27 -04:00
autopilot_test.go Merge pull request #8461 from hashicorp/dnephin/remove-notify-shutdown 2020-08-26 17:04:03 -04:00
catalog_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
catalog_endpoint_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 18:21:49 +00:00
client.go Move RPC router from Client/Server and into BaseDeps (#8559) 2020-08-27 15:24:25 +00:00
client_serf.go Move RPC router from Client/Server and into BaseDeps (#8559) 2020-08-27 15:24:25 +00:00
client_test.go Move RPC router from Client/Server and into BaseDeps (#8559) 2020-08-27 15:24:25 +00:00
cluster_test.go A couple testing helper updates (#7694) 2020-04-27 12:17:38 -04:00
config.go Merge pull request #8461 from hashicorp/dnephin/remove-notify-shutdown 2020-08-26 17:04:03 -04:00
config_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
config_endpoint_test.go acl: remove the deprecated `acl_enforce_version_8` option (#7991) 2020-06-01 10:40:22 -05:00
config_replication.go server: config entry replication now correctly uses namespaces in comparisons (#9024) 2020-10-23 18:42:45 +00:00
config_replication_test.go server: config entry replication now correctly uses namespaces in comparisons (#9024) 2020-10-23 18:42:45 +00:00
connect_ca_endpoint.go Require operator:write to get Connect CA config (#9240) 2020-11-19 17:15:23 +00:00
connect_ca_endpoint_test.go Require operator:write to get Connect CA config (#9240) 2020-11-19 17:15:23 +00:00
consul_ca_delegate.go connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index (#7011) 2020-01-09 16:32:19 +01:00
coordinate_endpoint.go Move RPC router from Client/Server and into BaseDeps (#8559) 2020-08-27 15:24:25 +00:00
coordinate_endpoint_test.go acl: remove the deprecated `acl_enforce_version_8` option (#7991) 2020-06-01 10:40:22 -05:00
discovery_chain_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
discovery_chain_endpoint_test.go acl: remove the deprecated `acl_enforce_version_8` option (#7991) 2020-06-01 10:40:22 -05:00
enterprise_client_oss.go Sync some feature flag support from enterprise (#7167) 2020-01-29 13:21:38 -05:00
enterprise_config_oss.go Add EnterpriseConfig stubs (#6566) 2019-10-01 14:34:55 -04:00
enterprise_server_oss.go Fix ACL mode advertisement and detection (#7451) 2020-03-16 12:54:45 -04:00
federation_state_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
federation_state_endpoint_test.go acl: remove the deprecated `acl_enforce_version_8` option (#7991) 2020-06-01 10:40:22 -05:00
federation_state_replication.go Merge pull request #8546 from edevil/fix_vet 2020-08-24 18:39:56 +00:00
federation_state_replication_test.go fix flaky TestReplication_FederationStates test due to race conditions (#7612) 2020-04-09 15:42:41 -05:00
filter.go Updates to the Txn API for namespaces (#7172) 2020-01-30 13:12:26 -05:00
filter_test.go OSS KV Modifications to Support Namespaces 2019-11-25 12:57:35 -05:00
flood.go agent: refactor to use a single addrFn 2020-05-05 21:08:10 +02:00
gateway_locator.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
gateway_locator_test.go agent: handle re-bootstrapping in a secondary datacenter when WAN federation via mesh gateways is configured (#7931) 2020-05-27 16:32:22 +00:00
health_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
health_endpoint_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 18:21:49 +00:00
helper_test.go A couple testing helper updates (#7694) 2020-04-27 12:17:38 -04:00
intention_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
intention_endpoint_test.go ACL Node Identities (#7970) 2020-06-16 16:55:01 +00:00
internal_endpoint.go add primary keys to list keyring (#8522) 2020-08-18 07:51:22 +00:00
internal_endpoint_test.go test: update tags for database service registrations and queries (#8693) 2020-09-16 18:21:49 +00:00
issue_test.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
kvs_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
kvs_endpoint_test.go acl: remove the deprecated `acl_enforce_version_8` option (#7991) 2020-06-01 10:40:22 -05:00
leader.go gossip: Ensure that metadata of Consul Service is updated (#7903) 2020-06-17 10:17:33 +00:00
leader_connect.go Merge pull request #8784 from hashicorp/renew-intermediate-primary 2020-10-09 12:26:49 -07:00
leader_connect_test.go Merge pull request #8784 from hashicorp/renew-intermediate-primary 2020-10-09 12:26:49 -07:00
leader_federation_state_ae.go Merge pull request #8546 from edevil/fix_vet 2020-08-24 18:39:56 +00:00
leader_federation_state_ae_test.go wan federation via mesh gateways (#6884) 2020-03-09 15:59:02 -05:00
leader_routine_manager.go Merge pull request #7894 from hashicorp/dnephin/add-linter-staticcheck-1 2020-05-21 17:01:15 +00:00
leader_routine_manager_test.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
leader_test.go Merge pull request #8461 from hashicorp/dnephin/remove-notify-shutdown 2020-08-26 17:04:03 -04:00
logging.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
logging_test.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
merge.go agent: don't let left nodes hold onto their node-id (#7747) 2020-05-04 18:39:08 +02:00
merge_test.go Skips unique node ID check for old versions of Consul. 2017-09-05 22:57:29 -07:00
operator_autopilot_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
operator_autopilot_endpoint_test.go Set MinQuorum variable in Autopilot (#6654) 2019-10-29 09:04:41 -05:00
operator_endpoint.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
operator_raft_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
operator_raft_endpoint_test.go acl: remove the deprecated `acl_enforce_version_8` option (#7991) 2020-06-01 10:40:22 -05:00
options.go Move RPC router from Client/Server and into BaseDeps (#8559) 2020-08-27 15:24:25 +00:00
prepared_query_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
prepared_query_endpoint_test.go Merge pull request #8218 from yurkeen/fix-dns-rcode 2020-07-01 13:13:55 +00:00
raft_rpc.go agent: move conn pool for muxed connections into separate pkg 2017-06-21 05:42:39 +02:00
replication.go server: don't activate federation state replication or anti-entropy until all servers are running 1.8.0+ (#8014) 2020-06-04 21:05:49 +00:00
replication_test.go Allow users to configure either unstructured or JSON logging (#7130) 2020-01-28 17:50:41 -06:00
rpc.go Merge pull request #8471 from hashicorp/local_only 2020-08-12 06:56:10 +00:00
rpc_test.go acl: remove the deprecated `acl_enforce_version_8` option (#7991) 2020-06-01 10:40:22 -05:00
rtt.go Added Coordinate.Node rpc endpoint and client api method 2017-10-26 19:16:40 -07:00
rtt_test.go Fix more unstable tests in agent and command 2018-09-12 14:49:27 +01:00
segment_oss.go Fix spelling of deregister (#7804) 2020-05-08 10:03:45 -04:00
serf_test.go pkg refactor 2017-06-10 18:52:45 +02:00
server.go Merge pull request #8784 from hashicorp/renew-intermediate-primary 2020-10-09 12:26:49 -07:00
server_connect.go Move connect root retrieval and cert signing logic out of the RPC endpoints (#8364) 2020-07-24 14:01:58 +00:00
server_lookup.go Fix ACL mode advertisement and detection (#7451) 2020-03-16 12:54:45 -04:00
server_lookup_test.go Merge pull request #8034 from hashicorp/dnephin/add-linter-staticcheck-4 2020-08-05 13:37:35 -04:00
server_oss.go Merge pull request #8099 from hashicorp/gateway-services-endpoint 2020-06-12 21:15:25 +00:00
server_serf.go Merge pull request #7966 from hashicorp/pool_improvements 2020-06-05 19:03:24 +00:00
server_test.go Merge pull request #8461 from hashicorp/dnephin/remove-notify-shutdown 2020-08-26 17:04:03 -04:00
session_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
session_endpoint_test.go acl: remove the deprecated `acl_enforce_version_8` option (#7991) 2020-06-01 10:40:22 -05:00
session_timers.go address review comments 2017-07-07 09:22:34 +02:00
session_timers_test.go rpc: refactor sessionTimers and fix racy tests 2017-07-07 09:22:34 +02:00
session_ttl.go agent: add server raft.{last,applied}_index gauges (#6694) 2020-02-11 10:50:18 +01:00
session_ttl_test.go OSS Modifications necessary for sessions namespacing 2019-11-25 12:07:04 -05:00
snapshot_endpoint.go Merge pull request #7966 from hashicorp/pool_improvements 2020-06-05 19:03:24 +00:00
snapshot_endpoint_test.go Merge pull request #7966 from hashicorp/pool_improvements 2020-06-05 19:03:24 +00:00
stats_fetcher.go Merge pull request #7966 from hashicorp/pool_improvements 2020-06-05 19:03:24 +00:00
stats_fetcher_test.go ci: Add staticcheck and fix most errors 2020-06-01 10:40:04 -05:00
status_endpoint.go Allow forwarding of some status RPCs (#6198) 2019-07-25 14:26:22 -04:00
status_endpoint_test.go Merge pull request #7966 from hashicorp/pool_improvements 2020-06-05 19:03:24 +00:00
txn_endpoint.go Rename (*Server).forward to (*Server).ForwardRPC 2020-07-09 10:38:16 -04:00
txn_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
util.go Move RPC router from Client/Server and into BaseDeps (#8559) 2020-08-27 15:24:25 +00:00
util_test.go Agent Auto Configuration: Configuration Syntax Updates (#8003) 2020-06-16 19:03:59 +00:00