hashicorp · AnPucel · Feb 15, 2023 · Dec 13, 2022 · Dec 14, 2022 · Dec 14, 2022
@@ -31,6 +31,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
+
 	"github.com/stretchr/testify/require"
 
 	"github.com/armon/go-metrics"
@@ -551,7 +554,6 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s
 				if err != nil {
 					return err
 				}
-
 				if !reflect.DeepEqual(entries, expected) {
 					return fmt.Errorf("expected urls\n%#v\ndoes not match provided\n%#v\n", expected, entries)
 				}
@@ -1966,6 +1968,7 @@ func TestBackend_PathFetchCertList(t *testing.T) {
 	t.Parallel()
 	// create the backend
 	b, storage := CreateBackendWithStorage(t)
+	paths := []*framework.Path{pathConfigURLs(b)}
 
 	// generate root
 	rootData := map[string]interface{}{
@@ -1980,6 +1983,7 @@ func TestBackend_PathFetchCertList(t *testing.T) {
 		Data:       rootData,
 		MountPoint: "pki/",
 	})
+
 	if resp != nil && resp.IsError() {
 		t.Fatalf("failed to generate root, %#v", resp)
 	}
@@ -2000,6 +2004,8 @@ func TestBackend_PathFetchCertList(t *testing.T) {
 		Data:       urlsData,
 		MountPoint: "pki/",
 	})
+	schema.ValidateResponse(t, schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation), resp, true)
+
 	if resp != nil && resp.IsError() {
 		t.Fatalf("failed to config urls, %#v", resp)
 	}
@@ -2366,6 +2372,8 @@ func TestBackend_Root_Idempotency(t *testing.T) {
 	t.Parallel()
 	b, s := CreateBackendWithStorage(t)
 
+	paths := []*framework.Path{pathConfigCA(b)}
+
 	// This is a change within 1.11, we are no longer idempotent across generate/internal calls.
 	resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
 		"common_name": "myvault.com",
@@ -2407,6 +2415,8 @@ func TestBackend_Root_Idempotency(t *testing.T) {
 	resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
 		"pem_bundle": pemBundleRootCA,
 	})
+	schema.ValidateResponse(t, schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation), resp, true)
+
 	require.NoError(t, err)
 	require.NotNil(t, resp, "expected ca info")
 	firstImportedKeys := resp.Data["imported_keys"].([]string)
@@ -5979,13 +5989,15 @@ func TestPKI_ListRevokedCerts(t *testing.T) {
 func TestPKI_TemplatedAIAs(t *testing.T) {
 	t.Parallel()
 	b, s := CreateBackendWithStorage(t)
+	paths := []*framework.Path{pathConfigCluster(b)}
 
 	// Setting templated AIAs should succeed.
-	_, err := CBWrite(b, s, "config/cluster", map[string]interface{}{
+	resp, err := CBWrite(b, s, "config/cluster", map[string]interface{}{
 		"path":     "http://localhost:8200/v1/pki",
 		"aia_path": "http://localhost:8200/cdn/pki",
 	})
 	require.NoError(t, err)
+	schema.ValidateResponse(t, schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation), resp, true)
 
 	aiaData := map[string]interface{}{
 		"crl_distribution_points": "{{cluster_path}}/issuer/{{issuer_id}}/crl/der",
@@ -6014,7 +6026,7 @@ func TestPKI_TemplatedAIAs(t *testing.T) {
 		"enable_templating":       false,
 	})
 	require.NoError(t, err)
-	resp, err := CBWrite(b, s, "root/generate/internal", rootData)
+	resp, err = CBWrite(b, s, "root/generate/internal", rootData)
 	requireSuccessNonNilResponse(t, resp, err)
 	issuerId := string(resp.Data["issuer_id"].(issuerID))
 

@@ -9,6 +9,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
+
 	"github.com/hashicorp/vault/api"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -80,6 +83,7 @@ func TestBackend_CRLConfig(t *testing.T) {
 		name := fmt.Sprintf("%s-%t-%t", tc.expiry, tc.disable, tc.ocspDisable)
 		t.Run(name, func(t *testing.T) {
 			b, s := CreateBackendWithStorage(t)
+			paths := []*framework.Path{pathConfigCRL(b)}
 
 			resp, err := CBWrite(b, s, "config/crl", map[string]interface{}{
 				"expiry":                    tc.expiry,
@@ -90,8 +94,11 @@ func TestBackend_CRLConfig(t *testing.T) {
 				"auto_rebuild_grace_period": tc.autoRebuildGracePeriod,
 			})
 			requireSuccessNonNilResponse(t, resp, err)
+			schema.ValidateResponse(t, schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation), resp, true)
 
 			resp, err = CBRead(b, s, "config/crl")
+			schema.ValidateResponse(t, schema.FindResponseSchema(t, paths, 0, logical.ReadOperation), resp, true)
+
 			requireSuccessNonNilResponse(t, resp, err)
 			requireFieldsSetInResp(t, resp, "disable", "expiry", "ocsp_disable", "auto_rebuild", "auto_rebuild_grace_period")
 

@@ -11,6 +11,9 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
+
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/stretchr/testify/require"
 )
@@ -360,6 +363,7 @@ func TestIntegration_CSRGeneration(t *testing.T) {
 func TestIntegration_AutoIssuer(t *testing.T) {
 	t.Parallel()
 	b, s := CreateBackendWithStorage(t)
+	paths := []*framework.Path{pathConfigIssuers(b)}
 
 	// Generate two roots. The first should become default under the existing
 	// behavior; when we update the config and generate a second, it should
@@ -371,6 +375,7 @@ func TestIntegration_AutoIssuer(t *testing.T) {
 		"issuer_name": "root-1",
 		"key_type":    "ec",
 	})
+
 	requireSuccessNonNilResponse(t, resp, err)
 	issuerIdOne := resp.Data["issuer_id"]
 	require.NotEmpty(t, issuerIdOne)
@@ -381,12 +386,15 @@ func TestIntegration_AutoIssuer(t *testing.T) {
 	requireSuccessNonNilResponse(t, resp, err)
 	require.Equal(t, issuerIdOne, resp.Data["default"])
 
+	schema.ValidateResponse(t, schema.FindResponseSchema(t, paths, 0, logical.ReadOperation), resp, true)
+
 	// Enable the new config option.
-	_, err = CBWrite(b, s, "config/issuers", map[string]interface{}{
+	resp, err = CBWrite(b, s, "config/issuers", map[string]interface{}{
 		"default":                       issuerIdOne,
 		"default_follows_latest_issuer": true,
 	})
 	require.NoError(t, err)
+	schema.ValidateResponse(t, schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation), resp, true)
 
 	// Now generate the second root; it should become default.
 	resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{

@@ -2,6 +2,7 @@ package pki
 
 import (
 	"context"
+	"net/http"
 
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -21,6 +22,28 @@ secret key and certificate.`,
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathImportIssuers,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"mapping": {
+								Type:        framework.TypeMap,
+								Description: "A mapping of issuer_id to key_id for all issuers included in this request",
+								Required:    true,
+							},
+							"imported_keys": {
+								Type:        framework.TypeCommaStringSlice,
+								Description: "Net-new keys imported as a part of this request",
+								Required:    true,
+							},
+							"imported_issuers": {
+								Type:        framework.TypeCommaStringSlice,
+								Description: "Net-new issuers imported as a part of this request",
+								Required:    true,
+							},
+						},
+					}},
+				},
 				// Read more about why these flags are set in backend.go.
 				ForwardPerformanceStandby:   true,
 				ForwardPerformanceSecondary: true,
@@ -58,13 +81,44 @@ func pathConfigIssuers(b *backend) *framework.Path {
 				Default:     false,
 			},
 		},
-
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ReadOperation: &framework.PathOperation{
 				Callback: b.pathCAIssuersRead,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"default": {
+								Type:        framework.TypeString,
+								Description: `Reference (name or identifier) to the default issuer.`,
+								Required:    true,
+							},
+							"default_follows_latest_issuer": {
+								Type:        framework.TypeBool,
+								Description: `Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.`,
+								Required:    true,
+							},
+						},
+					}},
+				},
 			},
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathCAIssuersWrite,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"default": {
+								Type:        framework.TypeString,
+								Description: `Reference (name or identifier) to the default issuer.`,
+							},
+							"default_follows_latest_issuer": {
+								Type:        framework.TypeBool,
+								Description: `Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.`,
+							},
+						},
+					}},
+				},
 				// Read more about why these flags are set in backend.go.
 				ForwardPerformanceStandby:   true,
 				ForwardPerformanceSecondary: true,
@@ -90,6 +144,23 @@ func pathReplaceRoot(b *backend) *framework.Path {
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathCAIssuersWrite,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"default": {
+								Type:        framework.TypeString,
+								Description: `Reference (name or identifier) to the default issuer.`,
+								Required:    true,
+							},
+							"default_follows_latest_issuer": {
+								Type:        framework.TypeBool,
+								Description: `Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.`,
+								Required:    true,
+							},
+						},
+					}},
+				},
 				// Read more about why these flags are set in backend.go.
 				ForwardPerformanceStandby:   true,
 				ForwardPerformanceSecondary: true,
@@ -208,12 +279,35 @@ func pathConfigKeys(b *backend) *framework.Path {
 
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
-				Callback:                    b.pathKeyDefaultWrite,
+				Callback: b.pathKeyDefaultWrite,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"default": {
+								Type:        framework.TypeString,
+								Description: `Reference (name or identifier) to the default issuer.`,
+								Required:    true,
+							},
+						},
+					}},
+				},
 				ForwardPerformanceStandby:   true,
 				ForwardPerformanceSecondary: true,
 			},
 			logical.ReadOperation: &framework.PathOperation{
-				Callback:                    b.pathKeyDefaultRead,
+				Callback: b.pathKeyDefaultRead,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"default": {
+								Type:        framework.TypeString,
+								Description: `Reference (name or identifier) to the default issuer.`,
+							},
+						},
+					}},
+				},
 				ForwardPerformanceStandby:   false,
 				ForwardPerformanceSecondary: false,
 			},

@@ -3,6 +3,7 @@ package pki
 import (
 	"context"
 	"fmt"
+	"net/http"
 
 	"github.com/asaskevich/govalidator"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -41,9 +42,70 @@ For example: http://cdn.example.com/pr1/pki`,
 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.UpdateOperation: &framework.PathOperation{
 				Callback: b.pathWriteCluster,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"path": {
+								Type: framework.TypeString,
+								Description: `Canonical URI to this mount on this performance
+replication cluster's external address. This is for resolving AIA URLs and
+providing the {{cluster_path}} template parameter but might be used for other
+purposes in the future.
+
+This should only point back to this particular PR replica and should not ever
+point to another PR cluster. It may point to any node in the PR replica,
+including standby nodes, and need not always point to the active node.
+
+For example: https://pr1.vault.example.com:8200/v1/pki`,
+							},
+							"aia_path": {
+								Type: framework.TypeString,
+								Description: `Optional URI to this mount's AIA distribution
+point; may refer to an external non-Vault responder. This is for resolving AIA
+URLs and providing the {{cluster_aia_path}} template parameter and will not
+be used for other purposes. As such, unlike path above, this could safely
+be an insecure transit mechanism (like HTTP without TLS).
+
+For example: http://cdn.example.com/pr1/pki`,
+							},
+						},
+					}},
+				},
 			},
 			logical.ReadOperation: &framework.PathOperation{
 				Callback: b.pathReadCluster,
+				Responses: map[int][]framework.Response{
+					http.StatusOK: {{
+						Description: "OK",
+						Fields: map[string]*framework.FieldSchema{
+							"path": {
+								Type: framework.TypeString,
+								Description: `Canonical URI to this mount on this performance
+replication cluster's external address. This is for resolving AIA URLs and
+providing the {{cluster_path}} template parameter but might be used for other
+purposes in the future.
+
+This should only point back to this particular PR replica and should not ever
+point to another PR cluster. It may point to any node in the PR replica,
+including standby nodes, and need not always point to the active node.
+
+For example: https://pr1.vault.example.com:8200/v1/pki`,
+								Required: true,
+							},
+							"aia_path": {
+								Type: framework.TypeString,
+								Description: `Optional URI to this mount's AIA distribution
+point; may refer to an external non-Vault responder. This is for resolving AIA
+URLs and providing the {{cluster_aia_path}} template parameter and will not
+be used for other purposes. As such, unlike path above, this could safely
+be an insecure transit mechanism (like HTTP without TLS).
+
+For example: http://cdn.example.com/pr1/pki`,
+							},
+						},
+					}},
+				},
 			},
 		},