From b2e1ff5b7a43f08bc1ae93b7409ff07393934cf7 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Thu, 13 Apr 2023 14:59:09 -0400 Subject: [PATCH] Add missing cert auth ocsp read data (#20154) * Add missing OCSP cert auth fields Signed-off-by: Alexander Scheel * Add test to ensure OCSP values are persisted Signed-off-by: Alexander Scheel * Add changelog entry Signed-off-by: Alexander Scheel --------- Signed-off-by: Alexander Scheel --- builtin/credential/cert/backend_test.go | 21 +++++++++++++++++++++ builtin/credential/cert/path_certs.go | 5 +++++ builtin/credential/cert/path_login_test.go | 1 + changelog/20154.txt | 2 ++ 4 files changed, 29 insertions(+) create mode 100644 changelog/20154.txt
diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go
index 6f2b79a9aaa0..47d7ae05d544 100644
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@@ -1968,6 +1968,27 @@ func testAccStepCertWithExtraParams(t *testing.T, name string, cert []byte, poli
 }
 }
 
+func testAccStepReadCertPolicy(t *testing.T, name string, expectError bool, expected map[string]interface{}) logicaltest.TestStep {
+ return logicaltest.TestStep{
+ Operation: logical.ReadOperation,
+ Path: "certs/" + name,
+ ErrorOk: expectError,
+ Data: nil,
+ Check: func(resp *logical.Response) error {
+ if (resp == nil || len(resp.Data) == 0) && expectError {
+ return fmt.Errorf("expected error but received nil")
+ }
+ for key, expectedValue := range expected {
+ actualValue := resp.Data[key]
+ if expectedValue != actualValue {
+ return fmt.Errorf("Expected to get [%v]=[%v] but read [%v]=[%v] from server for certs/%v: %v", key, expectedValue, key, actualValue, name, resp)
+ }
+ }
+ return nil
+ },
+ }
+}
+
 func testAccStepCertLease(
 t *testing.T, name string, cert []byte, policies string,
 ) logicaltest.TestStep {
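Review bot: `Check` dereferences a nil `resp` whenever `expectError` is false: the guard on the first line of the closure only fires when an error was expected, so a read that comes back `nil, nil` (presumably what the handler returns for a role that does not exist) panics at `resp.Data[key]` instead of failing the step with a usable message. Dropping the qualifier, `if resp == nil || len(resp.Data) == 0 {`, makes an empty response an explicit failure in both modes, and the message could then say what was checked, `return fmt.Errorf("no data read back for certs/%v", name)`, since "expected error but received nil" is misleading for the common case. Separately, `expectedValue != actualValue` compares `interface{}` values and panics at runtime if a caller ever passes a slice-valued field such as `ocsp_ca_certificates` or `ocsp_servers_override` (likely string slices; worth confirming against the role struct), so `reflect.DeepEqual(expectedValue, actualValue)` would make the helper usable for every ocsp_* key the read now returns.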
diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go
index 36e274a52a66..0e7b7cfa0314 100644
--- a/builtin/credential/cert/path_certs.go
+++ b/builtin/credential/cert/path_certs.go
@@ -288,6 +288,11 @@ func (b *backend) pathCertRead(ctx context.Context, req *logical.Request, d *fra
 "allowed_organizational_units": cert.AllowedOrganizationalUnits,
 "required_extensions": cert.RequiredExtensions,
 "allowed_metadata_extensions": cert.AllowedMetadataExtensions,
+ "ocsp_ca_certificates": cert.OcspCaCertificates,
+ "ocsp_enabled": cert.OcspEnabled,
+ "ocsp_servers_override": cert.OcspServersOverride,
+ "ocsp_fail_open": cert.OcspFailOpen,
+ "ocsp_query_all_servers": cert.OcspQueryAllServers,
 }
 
 cert.PopulateTokenData(data)
diff --git a/builtin/credential/cert/path_login_test.go b/builtin/credential/cert/path_login_test.go
index e2fde0157fa6..d86bd31bd92e 100644
--- a/builtin/credential/cert/path_login_test.go
+++ b/builtin/credential/cert/path_login_test.go
@@ -348,6 +348,7 @@ func TestCert_RoleResolveOCSP(t *testing.T) {
 Steps: []logicaltest.TestStep{
 testAccStepCertWithExtraParams(t, "web", ca, "foo", allowed{dns: "example.com"}, false, map[string]interface{}{"ocsp_enabled": true, "ocsp_fail_open": c.failOpen}),
+ testAccStepReadCertPolicy(t, "web", false, map[string]interface{}{"ocsp_enabled": true, "ocsp_fail_open": c.failOpen}),
 loginStep,
 resolveStep,
 },
diff --git a/changelog/20154.txt b/changelog/20154.txt
new file mode 100644
index 000000000000..7bda3624fba1
--- /dev/null
+++ b/changelog/20154.txt
@@ -0,0 +1,2 @@
+```release-note:bug
+auth/cert: Include OCSP parameters in read CA certificate role response.
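Review bot: The response map on these lines hand-lists each ocsp_* field and nothing ties it to the set accepted on write, which is exactly how the five keys went missing before this change; a short comment above the map, `// Keep in sync with the ocsp_* fields accepted by the write handler: this read response is what operators use to audit a role's revocation settings.`, would at least make the coupling visible to the next person adding a field. `ocsp_fail_open` is the one that most needs surfacing: if it behaves as its name suggests, a true value means a failed or unreachable OCSP responder does not block login, so a reviewer of a role must be able to see it rather than infer it. pathCertRead starts before the hunk, so I cannot tell whether the path declares a response schema; if it does, it needs the same five additions or the API docs will disagree with the live response.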
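Review bot: The added read-back step checks only `ocsp_enabled` and `ocsp_fail_open`, so `ocsp_ca_certificates`, `ocsp_servers_override` and `ocsp_query_all_servers`, which the same commit adds to the read response, are still unverified and could drop out again unnoticed. The preceding step writes the role with just those two OCSP parameters, so one cheap extension here is `testAccStepReadCertPolicy(t, "web", false, map[string]interface{}{"ocsp_enabled": true, "ocsp_fail_open": c.failOpen, "ocsp_query_all_servers": false}),` (false being the zero value I would expect for an unset bool; confirm against the write path's default), and a separate case that sets `ocsp_servers_override` and reads it back would cover the slice-valued keys, keeping in mind that the helper's `!=` comparison cannot compare slices as written. TestCert_RoleResolveOCSP continues outside the hunk on both sides.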