PKI Responses Part 4 (#18612)

hashicorp · Mar 14, 2023 · 4ecb18b · 4ecb18b
1 parent 5581c26
commit 4ecb18b
Show file tree

Hide file tree

Showing 14 changed files with 1,002 additions and 26 deletions.
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
@@ -2694,6 +2694,7 @@ func TestBackend_SignSelfIssued(t *testing.T) {
 		},
 		MountPoint: "pki/",
 	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("root/sign-self-issued"), logical.UpdateOperation), resp, true)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -5246,7 +5247,8 @@ func TestBackend_IfModifiedSinceHeaders(t *testing.T) {
 		},
 	}
 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
-		HandlerFunc: vaulthttp.Handler,
+		HandlerFunc:             vaulthttp.Handler,
+		RequestResponseCallback: schema.ResponseValidatingCallback(t),
 	})
 	cluster.Start()
 	defer cluster.Cleanup()
@@ -5966,6 +5968,7 @@ func TestPKI_ListRevokedCerts(t *testing.T) {
 
 	// Test empty cluster
 	resp, err := CBList(b, s, "certs/revoked")
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("certs/revoked"), logical.ListOperation), resp, true)
 	requireSuccessNonNilResponse(t, resp, err, "failed listing empty cluster")
 	require.Empty(t, resp.Data, "response map contained data that we did not expect")
 

diff --git a/builtin/logical/pki/crl_test.go b/builtin/logical/pki/crl_test.go
@@ -600,10 +600,11 @@ func TestPoP(t *testing.T) {
 	require.NotNil(t, resp)
 	require.NotEmpty(t, resp.Data["certificate"])
 
-	_, err = CBWrite(b, s, "revoke-with-key", map[string]interface{}{
+	resp, err = CBWrite(b, s, "revoke-with-key", map[string]interface{}{
 		"certificate": resp.Data["certificate"],
 		"private_key": resp.Data["private_key"],
 	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("revoke-with-key"), logical.UpdateOperation), resp, true)
 	require.NoError(t, err)
 
 	// Issue a second leaf, but hold onto it for now.
@@ -780,7 +781,9 @@ func TestIssuerRevocation(t *testing.T) {
 	require.NotZero(t, resp.Data["revocation_time"])
 
 	// Regenerate the CRLs
-	_, err = CBRead(b, s, "crl/rotate")
+	resp, err = CBRead(b, s, "crl/rotate")
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("crl/rotate"), logical.ReadOperation), resp, true)
+
 	require.NoError(t, err)
 
 	// Ensure the old cert isn't on its own CRL.

diff --git a/builtin/logical/pki/path_fetch.go b/builtin/logical/pki/path_fetch.go
@@ -25,12 +25,12 @@ var pathFetchReadSchema = map[int][]framework.Response{
 				Required:    false,
 			},
 			"revocation_time": {
-				Type:        framework.TypeInt,
+				Type:        framework.TypeString,
 				Description: `Revocation time`,
 				Required:    false,
 			},
 			"revocation_time_rfc3339": {
-				Type:        framework.TypeInt,
+				Type:        framework.TypeString,
 				Description: `Revocation time RFC 3339 formatted`,
 				Required:    false,
 			},

diff --git a/builtin/logical/pki/path_fetch_issuers.go b/builtin/logical/pki/path_fetch_issuers.go
@@ -171,67 +171,75 @@ to be set on all PR secondary clusters.`,
 				"issuer_id": {
 					Type:        framework.TypeString,
 					Description: `Issuer Id`,
-					Required:    true,
+					Required:    false,
 				},
 				"issuer_name": {
 					Type:        framework.TypeString,
 					Description: `Issuer Name`,
-					Required:    true,
+					Required:    false,
 				},
 				"key_id": {
 					Type:        framework.TypeString,
 					Description: `Key Id`,
-					Required:    true,
+					Required:    false,
 				},
 				"certificate": {
 					Type:        framework.TypeString,
 					Description: `Certificate`,
-					Required:    true,
+					Required:    false,
 				},
 				"manual_chain": {
 					Type:        framework.TypeStringSlice,
 					Description: `Manual Chain`,
-					Required:    true,
+					Required:    false,
 				},
 				"ca_chain": {
 					Type:        framework.TypeStringSlice,
 					Description: `CA Chain`,
-					Required:    true,
+					Required:    false,
 				},
 				"leaf_not_after_behavior": {
 					Type:        framework.TypeString,
 					Description: `Leaf Not After Behavior`,
-					Required:    true,
+					Required:    false,
 				},
 				"usage": {
 					Type:        framework.TypeStringSlice,
 					Description: `Usage`,
-					Required:    true,
+					Required:    false,
 				},
 				"revocation_signature_algorithm": {
 					Type:        framework.TypeString,
 					Description: `Revocation Signature Alogrithm`,
-					Required:    true,
+					Required:    false,
 				},
 				"revoked": {
 					Type:        framework.TypeBool,
 					Description: `Revoked`,
-					Required:    true,
+					Required:    false,
+				},
+				"revocation_time": {
+					Type:     framework.TypeInt,
+					Required: false,
+				},
+				"revocation_time_rfc3339": {
+					Type:     framework.TypeString,
+					Required: false,
 				},
 				"issuing_certificates": {
 					Type:        framework.TypeStringSlice,
 					Description: `Issuing Certificates`,
-					Required:    true,
+					Required:    false,
 				},
 				"crl_distribution_points": {
 					Type:        framework.TypeStringSlice,
 					Description: `CRL Distribution Points`,
-					Required:    true,
+					Required:    false,
 				},
 				"ocsp_servers": {
 					Type:        framework.TypeStringSlice,
 					Description: `OSCP Servers`,
-					Required:    true,
+					Required:    false,
 				},
 			},
 		}},
@@ -1067,9 +1075,8 @@ func buildPathGetIssuerCRL(b *backend, pattern string) *framework.Path {
 						Description: "OK",
 						Fields: map[string]*framework.FieldSchema{
 							"crl": {
-								Type:        framework.TypeString,
-								Description: ``,
-								Required:    false,
+								Type:     framework.TypeString,
+								Required: false,
 							},
 						},
 					}},

diff --git a/builtin/logical/pki/path_ocsp_test.go b/builtin/logical/pki/path_ocsp_test.go
@@ -14,6 +14,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
+
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/vault"
 
@@ -197,6 +199,7 @@ func TestOcsp_UnknownIssuerIdWithDefaultHavingOcspUsageRemoved(t *testing.T) {
 	resp, err := CBWrite(b, s, "revoke", map[string]interface{}{
 		"serial_number": serial,
 	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("revoke"), logical.UpdateOperation), resp, true)
 	requireSuccessNonNilResponse(t, resp, err, "revoke")
 
 	// Twiddle the entry so that the issuer id is no longer valid.

diff --git a/builtin/logical/pki/path_resign_crls.go b/builtin/logical/pki/path_resign_crls.go
@@ -12,6 +12,7 @@ import (
 	"errors"
 	"fmt"
 	"math/big"
+	"net/http"
 	"strconv"
 	"strings"
 	"time"
@@ -77,6 +78,18 @@ base64 encoded. Defaults to "pem".`,
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathUpdateResignCrlsHandler,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"crl": {
+								Type:        framework.TypeString,
+								Description: `CRL`,
+								Required:    true,
+							},
+						},
+					}},
+				},
 			},
 		},
 
@@ -133,6 +146,18 @@ value (string)`,
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathUpdateSignRevocationListHandler,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"crl": {
+								Type:        framework.TypeString,
+								Description: `CRL`,
+								Required:    true,
+							},
+						},
+					}},
+				},
 			},
 		},
 

diff --git a/builtin/logical/pki/path_resign_crls_test.go b/builtin/logical/pki/path_resign_crls_test.go
@@ -10,6 +10,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
+
 	"github.com/hashicorp/vault/api"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/vault"
@@ -55,6 +57,7 @@ func TestResignCrls_NormalCrl(t *testing.T) {
 		"format":      "pem",
 		"crls":        []string{crl1, crl2},
 	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b1.Route("issuer/default/resign-crls"), logical.UpdateOperation), resp, true)
 	requireSuccessNonNilResponse(t, resp, err)
 	requireFieldsSetInResp(t, resp, "crl")
 	pemCrl := resp.Data["crl"].(string)
@@ -351,6 +354,7 @@ func TestSignRevocationList_NoRevokedCerts(t *testing.T) {
 		"next_update": "12h",
 		"format":      "pem",
 	})
+	schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuer/default/sign-revocation-list"), logical.UpdateOperation), resp, true)
 	requireSuccessNonNilResponse(t, resp, err)
 	requireFieldsSetInResp(t, resp, "crl")
 	pemCrl := resp.Data["crl"].(string)