Merge b763dd5 into 322b43a

README.md

@@ -93,3 +93,4 @@ For License information, see [LICENSE](LICENSE).
 ## Related Projects
 See all [Keyfactor EJBCA GitHub projects](https://github.com/orgs/Keyfactor/repositories?q=ejbca). 
 
+

backend.go

@@ -18,6 +18,7 @@ import (
 	"sync"
 
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -138,6 +139,13 @@ func (sc *storageContext) getClient() (*ejbcaClient, error) {
 	return sc.Backend.client, nil
 }
 
+func (b *ejbcaBackend) isRunningOnPerformanceStandby() bool {
+    if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
+        return true
+	}
+    return false
+}
+
 // backendHelp should contain help information for the backend
 const backendHelp = `
 The EJBCA backend dynamically generates X.509 certificates and private keys.

certs_util.go

@@ -245,14 +245,15 @@ func (b *issueSignResponseBuilder) Config(sc *storageContext, path string, data
 // and signs it using the configured CA.
 func (b *issueSignResponseBuilder) IssueCertificate() (*logical.Response, error) {
 	logger := b.storageContext.Backend.Logger().Named("issueSignResponseBuilder.IssueCertificate")
-	logger.Debug("Issuing certificate")
 
 	logger.Trace("Setting role for certificate issuance")
 	err := b.helper.SetRole()
 	if err != nil {
 		return nil, err
 	}
 
+	logger.Debug("Issuing certificate")
+
 	// Issue methods create the private key and CSR according to the role configuration
 	logger.Trace("Creating CSR")
 	csr, err := b.helper.CreateCsr()

path_issue_sign.go

@@ -419,19 +419,45 @@ RSA key-type issuer. Defaults to false.`,
 }
 
 func (b *ejbcaBackend) pathIssue(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	b.Logger().Named("ejbcaBackend.pathIssue").Debug("Issue path called")
+    logger := b.Logger().Named("ejbcaBackend.pathIssue")
+    logger.Debug("Issue path called")
+
+    if b.isRunningOnPerformanceStandby() {
+        // If we're running on performance standby, read requests are the only valid request.
+        // Forward the request to the primary node.
+        return nil, logical.ErrReadOnly 
+    }
+
 	builder := &issueSignResponseBuilder{}
 	return builder.Config(b.makeStorageContext(ctx, req.Storage), req.Path, data).IssueCertificate()
 }
 
 func (b *ejbcaBackend) pathSign(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	b.Logger().Named("ejbcaBackend.pathSign").Debug("Sign path called")
+    logger := b.Logger().Named("ejbcaBackend.pathSign")
+    logger.Debug("Sign path called")
+
+    if b.isRunningOnPerformanceStandby() {
+        logger.Debug("Running on performance standby - forwarding request to active node")
+        // If we're running on performance standby, read requests are the only valid request.
+        // Forward the request to the primary node.
+        return nil, logical.ErrReadOnly 
+    }
+
 	builder := &issueSignResponseBuilder{}
 	return builder.Config(b.makeStorageContext(ctx, req.Storage), req.Path, data).SignCertificate()
 }
 
 func (b *ejbcaBackend) pathSignVerbatim(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	b.Logger().Named("ejbcaBackend.pathSignVerbatim").Debug("Sign Verbatim path called")
+    logger := b.Logger().Named("ejbcaBackend.pathSignVerbatim")
+    logger.Debug("Sign Verbatim path called")
+
+    if b.isRunningOnPerformanceStandby() {
+        logger.Debug("Running on performance standby - forwarding request to active node")
+        // If we're running on performance standby, read requests are the only valid request.
+        // Forward the request to the primary node.
+        return nil, logical.ErrReadOnly 
+    }
+
 	builder := &issueSignResponseBuilder{}
 	return builder.Config(b.makeStorageContext(ctx, req.Storage), req.Path, data).SignCertificate()
 }

path_revoke.go

@@ -141,7 +141,16 @@ func pathRevokeWithKey(b *ejbcaBackend) []*framework.Path {
 }
 
 func (b *ejbcaBackend) revokeCertificate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	b.Logger().Named("ejbcaBackend.revokeCertificate").Debug("Path Revoke called")
+    logger := b.Logger().Named("ejbcaBackend.revokeCertificate")
+    logger.Debug("Path Revoke called")
+
+    if b.isRunningOnPerformanceStandby() {
+        logger.Debug("Running on performance standby - forwarding request to active node")
+        // If we're running on performance standby, read requests are the only valid request.
+        // Forward the request to the primary node.
+        return nil, logical.ErrReadOnly 
+    }
+
 	builder := &revokeBuilder{}
 	return builder.Config(b.makeStorageContext(ctx, req.Storage), req.Path, data).RevokeCertificate()
 }