Fix OpenBao route pattern used to sign/verify with a given OpenBao entity

touilleMan · Max-7 · commit beea01b29085 · 2026-01-29T14:49:39.000Z
diff --git a/libparsec/crates/openbao/src/lib.rs b/libparsec/crates/openbao/src/lib.rs
@@ -88,7 +88,7 @@ impl OpenBaoCmds {
     }
 
     /// This signing system relies on the fact OpenBao is configured to only
-    /// allow POST `/transit/sign/user-{entity_id}` (i.e. the signing API) to
+    /// allow POST `/transit/sign/entity-{entity_id}` (i.e. the signing API) to
     /// the user referenced in OpenBao by this entity ID.
     ///
     /// This way the verify operation knows the entity ID of the author, and can
diff --git a/libparsec/crates/openbao/src/sign.rs b/libparsec/crates/openbao/src/sign.rs
@@ -13,7 +13,7 @@ enum SignOutcome {
 }
 
 fn generate_sign_key_name(openbao_entity_id: &str) -> String {
-    format!("user-{}", openbao_entity_id)
+    format!("entity-{}", openbao_entity_id)
 }
 
 pub async fn sign(cmds: &OpenBaoCmds, payload: &[u8]) -> Result<String, OpenBaoSignError> {
diff --git a/server/parsec/cli/testbed.py b/server/parsec/cli/testbed.py
@@ -530,7 +530,7 @@ async def test_openbao_create_key(request: Request, key_name: str):
     if not entity_id:
         return Response(status_code=403)
 
-    if key_name != f"user-{entity_id}":
+    if key_name != f"entity-{entity_id}":
         return Response(status_code=403)
 
     # See https://openbao.org/api-docs/secret/transit/#create-key
@@ -592,7 +592,7 @@ async def test_openbao_sign(request: Request, key_name: str):
     if not entity_id:
         return Response(status_code=403)
 
-    if key_name != f"user-{entity_id}":
+    if key_name != f"entity-{entity_id}":
         return Response(status_code=403)
 
     # See https://openbao.org/api-docs/secret/transit/#sign-data
@@ -640,7 +640,7 @@ async def test_openbao_verify(request: Request, key_name: str):
     if not entity_id:
         return Response(status_code=403)
 
-    author_entity_id = key_name.removeprefix("user-")
+    author_entity_id = key_name.removeprefix("entity-")
 
     # See https://openbao.org/api-docs/secret/transit/#verify-signed-data
 

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ impl OpenBaoCmds {`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`/// This signing system relies on the fact OpenBao is configured to only`
`91`		- /// allow POST `/transit/sign/user-{entity_id}` (i.e. the signing API) to
	`91`	+ /// allow POST `/transit/sign/entity-{entity_id}` (i.e. the signing API) to
`92`	`92`	`/// the user referenced in OpenBao by this entity ID.`
`93`	`93`	`///`
`94`	`94`	`/// This way the verify operation knows the entity ID of the author, and can`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ enum SignOutcome {`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`fn generate_sign_key_name(openbao_entity_id: &str) -> String {`
`16`		`- format!("user-{}", openbao_entity_id)`
	`16`	`+ format!("entity-{}", openbao_entity_id)`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`pub async fn sign(cmds: &OpenBaoCmds, payload: &[u8]) -> Result<String, OpenBaoSignError> {`