Skip to content

fix: Use rsa2048 as the default AWS signature type#347

Open
minhtule wants to merge 4 commits into
masterfrom
feat/mt/vault-ec2-auth
Open

fix: Use rsa2048 as the default AWS signature type#347
minhtule wants to merge 4 commits into
masterfrom
feat/mt/vault-ec2-auth

Conversation

@minhtule

Copy link
Copy Markdown
Contributor

Related Tickets & Documents

Changes

  • Default the AWS signature type to rsa2048 (SHA-256) when signatureType is unset.
  • Emit a deprecation warning when pkcs7 is explicitly configured.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Vault AWS EC2 auth integration to default the signature type to rsa2048 (SHA-256) when signatureType is unset, and emits a deprecation warning when pkcs7 is explicitly configured, aligning behavior with issue #346 and avoiding SHA-1 defaults.

Changes:

  • Default AWS EC2 signatureType to rsa2048 via SSHCAVaultAWSConfig.GetSignatureType().
  • Emit a WARN log when signatureType=pkcs7 is configured for EC2 auth.
  • Add/adjust unit tests to cover the new defaulting behavior and deprecation warning.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
internal/sshhandler/vault.go Plumbs logger into Vault auth creation, defaults EC2 signature behavior to rsa2048, and logs pkcs7 deprecation.
internal/sshhandler/vault_test.go Updates auth method tests for new logger parameter and adds a test asserting the pkcs7 deprecation warning is emitted.
internal/config/config.go Introduces defaultAWSSignatureType and adds GetSignatureType() to default to rsa2048 when unset.
internal/config/config_test.go Adds unit tests validating GetSignatureType() defaulting/preservation behavior.
Comments suppressed due to low confidence (1)

internal/sshhandler/vault.go:76

  • newAWSAuthMethod now depends on a non-nil logger (it calls logger.Warn for the pkcs7 deprecation path). If a nil logger is passed, this will panic during Vault auth initialization when signatureType=pkcs7. Consider defensively defaulting to zap.NewNop() when logger is nil.
func newAWSAuthMethod(awsConfig *gatewayconfig.SSHCAVaultAWSConfig, logger *zap.Logger) (*aws.AWSAuth, error) {
	opts := []aws.LoginOption{
		aws.WithRole(awsConfig.Role),
		aws.WithMountPath(awsConfig.GetMount()),
	}

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@codecov

codecov Bot commented Jun 28, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 90.90909% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 86.29%. Comparing base (175c913) to head (2fd8db1).
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
internal/sshhandler/vault.go 85.71% 1 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #347      +/-   ##
==========================================
+ Coverage   86.06%   86.29%   +0.23%     
==========================================
  Files          40       40              
  Lines        2828     2832       +4     
==========================================
+ Hits         2434     2444      +10     
+ Misses        269      263       -6     
  Partials      125      125              
Flag Coverage Δ
integration 55.00% <18.18%> (+0.10%) ⬆️
unit 78.60% <81.81%> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
internal/config/config.go 88.97% <100.00%> (+0.17%) ⬆️
internal/sshhandler/vault.go 80.00% <85.71%> (+2.72%) ⬆️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@minhtule minhtule marked this pull request as ready for review June 28, 2026 22:12

@clement0010 clement0010 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏻

@minhtule minhtule requested a review from sghiocel June 30, 2026 15:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants