ssh: Fix template regex test for defaultExtensions to allow additional text (#16018)

stevendpclark · stevendpclark · commit a7a891f3d039 · 2022-06-17T11:25:11.000-04:00
* ssh: Fix template regex test for defaultExtensions

 - The regex to identify if our defaultExtensions contains a template was
   a little too greedy, requiring the entire field to be just the regex. Allow
   additional text within the value field to be added

* Add cl
diff --git a/builtin/logical/ssh/backend_test.go b/builtin/logical/ssh/backend_test.go
@@ -1480,6 +1480,8 @@ func TestBackend_DefExtTemplatingEnabled(t *testing.T) {
 		"default_extensions_template": true,
 		"default_extensions": map[string]interface{}{
 			"login@foobar.com": "{{identity.entity.aliases." + userpassAccessor + ".name}}",
+			"login@foobar2.com": "{{identity.entity.aliases." + userpassAccessor + ".name}}, " +
+				"{{identity.entity.aliases." + userpassAccessor + ".name}}_foobar",
 		},
 	})
 	if err != nil {
@@ -1505,7 +1507,8 @@ func TestBackend_DefExtTemplatingEnabled(t *testing.T) {
 	}
 
 	defaultExtensionPermissions := map[string]string{
-		"login@foobar.com": testUserName,
+		"login@foobar.com":  testUserName,
+		"login@foobar2.com": fmt.Sprintf("%s, %s_foobar", testUserName, testUserName),
 	}
 
 	err = validateSSHCertificate(parsedKey.(*ssh.Certificate), sshKeyID, ssh.UserCert, []string{"tuber"}, map[string]string{}, defaultExtensionPermissions, 16*time.Hour)
diff --git a/builtin/logical/ssh/path_sign.go b/builtin/logical/ssh/path_sign.go
@@ -36,6 +36,8 @@ type creationBundle struct {
 	Extensions      map[string]string
 }
 
+var containsTemplateRegex = regexp.MustCompile(`{{.+?}}`)
+
 func pathSign(b *backend) *framework.Path {
 	return &framework.Path{
 		Pattern: "sign/" + framework.GenericNameWithAtRegex("role"),
@@ -220,7 +222,7 @@ func (b *backend) calculateValidPrincipals(data *framework.FieldData, req *logic
 	for _, principal := range strutil.RemoveDuplicates(strutil.ParseStringSlice(principalsAllowedByRole, ","), false) {
 		if role.AllowedUsersTemplate {
 			// Look for templating markers {{ .* }}
-			matched, _ := regexp.MatchString(`{{.+?}}`, principal)
+			matched := containsTemplateRegex.MatchString(principal)
 			if matched {
 				if req.EntityID != "" {
 					// Retrieve principal based on template + entityID from request.
@@ -384,7 +386,7 @@ func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Re
 	if role.DefaultExtensionsTemplate {
 		for extensionKey, extensionValue := range role.DefaultExtensions {
 			// Look for templating markers {{ .* }}
-			matched, _ := regexp.MatchString(`^{{.+?}}$`, extensionValue)
+			matched := containsTemplateRegex.MatchString(extensionValue)
 			if matched {
 				if req.EntityID != "" {
 					// Retrieve extension value based on template + entityID from request.
diff --git a/changelog/16018.txt b/changelog/16018.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields.
+```

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:improvement
	`2`	`+secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields.`
	`3`	+```