Add support for deleting all keys, issuers

The old DELETE /root code must now delete all keys and issuers for backwards compatibility. We strongly suggest calling individual delete methods (DELETE /key/:key_ref or DELETE /issuer/:issuer_ref) instead, for finer control. In the process, we detect whether the deleted key/issuers was set as the default. This will allow us to warn (from the single key/deletion issuer code) whether or not the default was deleted (while allowing the operation to succeed). Signed-off-by: Alexander Scheel <[email protected]>
hashicorp · Apr 12, 2022 · b2b84e5 · b2b84e5
1 parent f7422e1
commit b2b84e5
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 6 deletions.
diff --git a/builtin/logical/pki/path_fetch_issuers.go b/builtin/logical/pki/path_fetch_issuers.go
@@ -3,6 +3,7 @@ package pki
 import (
 	"context"
 	"encoding/pem"
+	"fmt"
 	"regexp"
 	"strings"
 
@@ -222,7 +223,18 @@ func (b *backend) pathDeleteIssuer(ctx context.Context, req *logical.Request, da
 		return logical.ErrorResponse("unable to resolve issuer id for reference: " + issuerName), nil
 	}
 
-	return nil, deleteIssuer(ctx, req.Storage, ref)
+	wasDefault, err := deleteIssuer(ctx, req.Storage, ref)
+	if err != nil {
+		return nil, err
+	}
+
+	var response *logical.Response
+	if wasDefault {
+		response = &logical.Response{}
+		response.AddWarning(fmt.Sprintf("Deleted issuer %v (via issuer_ref %v); this was configured as the default issuer. Operations without an explicit issuer will not work until a new default is configured.", ref, issuerName))
+	}
+
+	return response, nil
 }
 
 const (

diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
@@ -49,7 +49,39 @@ func pathDeleteRoot(b *backend) *framework.Path {
 }
 
 func (b *backend) pathCADeleteRoot(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	return nil, req.Storage.Delete(ctx, "config/ca_bundle")
+	issuers, err := listIssuers(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+
+	keys, err := listKeys(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+
+	// Delete all issuers and keys. Ignore deleting the default since we're
+	// explicitly deleting everything.
+	for _, issuer := range issuers {
+		if _, err = deleteIssuer(ctx, req.Storage, issuer); err != nil {
+			return nil, err
+		}
+	}
+	for _, key := range keys {
+		if _, err = deleteKey(ctx, req.Storage, key); err != nil {
+			return nil, err
+		}
+	}
+
+	// Delete legacy CA bundle; but don't error if it doesn't exist.
+	if err := req.Storage.Delete(ctx, legacyCertBundlePath); err != nil {
+		return nil, err
+	}
+
+	// Return a warning about preferring to delete issuers and keys
+	// explicitly versus deleting everything.
+	resp := &logical.Response{}
+	resp.AddWarning("DELETE /root deletes all keys and issuers; prefer the new DELETE /key/:key_ref and DELETE /issuer/:issuer_ref for finer granularity, unless removal of all keys and issuers is desired.")
+	return resp, nil
 }
 
 func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {

diff --git a/builtin/logical/pki/storage.go b/builtin/logical/pki/storage.go
@@ -117,8 +117,23 @@ func writeKey(ctx context.Context, s logical.Storage, key key) error {
 	return s.Put(ctx, json)
 }
 
-func deleteKey(ctx context.Context, s logical.Storage, id keyId) error {
-	return s.Delete(ctx, keyPrefix+id.String())
+func deleteKey(ctx context.Context, s logical.Storage, id keyId) (bool, error) {
+	wasDefault := false
+
+	config, err := getKeysConfig(ctx, s)
+	if err != nil {
+		return wasDefault, err
+	}
+
+	if config.DefaultKeyId == id {
+		wasDefault = true
+		config.DefaultKeyId = keyId("")
+		if err := setKeysConfig(ctx, s, config); err != nil {
+			return wasDefault, err
+		}
+	}
+
+	return wasDefault, s.Delete(ctx, keyPrefix+id.String())
 }
 
 func importKey(ctx context.Context, s logical.Storage, keyValue string, keyName string) (*key, bool, error) {
@@ -331,8 +346,23 @@ func writeIssuer(ctx context.Context, s logical.Storage, issuer *issuer) error {
 	return s.Put(ctx, json)
 }
 
-func deleteIssuer(ctx context.Context, s logical.Storage, id issuerId) error {
-	return s.Delete(ctx, issuerPrefix+id.String())
+func deleteIssuer(ctx context.Context, s logical.Storage, id issuerId) (bool, error) {
+	wasDefault := false
+
+	config, err := getIssuersConfig(ctx, s)
+	if err != nil {
+		return wasDefault, err
+	}
+
+	if config.DefaultIssuerId == id {
+		wasDefault = true
+		config.DefaultIssuerId = issuerId("")
+		if err := setIssuersConfig(ctx, s, config); err != nil {
+			return wasDefault, err
+		}
+	}
+
+	return wasDefault, s.Delete(ctx, issuerPrefix+id.String())
 }
 
 func importIssuer(ctx context.Context, s logical.Storage, certValue string, issuerName string) (*issuer, bool, error) {