Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding Response Structures to PKI Config #18376

Merged
merged 38 commits into from
Feb 15, 2023
Merged

Adding Response Structures to PKI Config #18376

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
38 commits
Select commit Hold shift + click to select a range
7af2481
First response
AnPucel Dec 13, 2022
6af5640
Adding more resposne structures
AnPucel Dec 14, 2022
2f337ec
All config ca response structures
AnPucel Dec 14, 2022
761de13
Format
AnPucel Dec 14, 2022
8b1d9c4
Add response structures
AnPucel Dec 14, 2022
ded7033
Adding path_config_crl
AnPucel Dec 14, 2022
551b128
Formatting & Fixing update/create operations
AnPucel Dec 14, 2022
12bb8df
Removing response structures for update/create
AnPucel Dec 14, 2022
9e2e9a0
Adding path config urls
AnPucel Dec 14, 2022
d8ea655
Adding responses to update & create for config_ca
AnPucel Dec 14, 2022
6862724
Adding response for udpate
AnPucel Dec 14, 2022
841ce1a
Adding response structure to update/create
AnPucel Dec 14, 2022
9c73e85
update/create response struct config_urls
AnPucel Dec 14, 2022
be28b33
Changelog
AnPucel Dec 15, 2022
f4b1b83
Adding last descriptions
AnPucel Dec 15, 2022
090a660
Description change
AnPucel Dec 16, 2022
e9e577e
Add required values
AnPucel Jan 3, 2023
5a1d1f0
Add defaults to config_ca
AnPucel Jan 3, 2023
706942a
Add required fields
AnPucel Jan 3, 2023
2f56d93
tests for config/issuers
AnPucel Jan 25, 2023
4548149
Merge branch 'main' into tmp
AnPucel Jan 27, 2023
7993adb
Unstashing tests
AnPucel Jan 31, 2023
f08416e
removing test
AnPucel Feb 2, 2023
ba80daf
Formatting
AnPucel Feb 2, 2023
46c84a9
Reverting test change
AnPucel Feb 2, 2023
822a48b
Wrong file
AnPucel Feb 2, 2023
1a54ac2
Tests caught this
AnPucel Feb 2, 2023
3a41092
remove comment
AnPucel Feb 2, 2023
b431374
Running go fmt
AnPucel Feb 3, 2023
d5f5983
Merge branch 'main' into anpucel/PKIResponseStructures
AnPucel Feb 3, 2023
195d7d1
config/urls
AnPucel Feb 4, 2023
88bb28a
test config/ca
AnPucel Feb 4, 2023
d70e348
config/cluster test
AnPucel Feb 4, 2023
911aed4
Missed some parameters
AnPucel Feb 4, 2023
fec0a39
more tests
AnPucel Feb 4, 2023
3972a2e
Update tests
AnPucel Feb 6, 2023
05f61f9
Add read check
AnPucel Feb 13, 2023
39b1e5d
Read test
AnPucel Feb 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
92 changes: 89 additions & 3 deletions builtin/logical/pki/path_config_ca.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package pki

import (
"context"
"net/http"

"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
Expand All @@ -21,6 +22,25 @@ secret key and certificate.`,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathImportIssuers,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"mapping": {
Type: framework.TypeMap,
AnPucel marked this conversation as resolved.
Show resolved Hide resolved
Description: "A mapping of issuer_id to key_id for all issuers included in this request",
},
"imported_keys": {
Type: framework.TypeCommaStringSlice,
Description: "Net-new keys imported as a part of this request",
},
"imported_issuers": {
Type: framework.TypeCommaStringSlice,
Description: "Net-new issuers imported as a part of this request",
},
},
}},
},
// Read more about why these flags are set in backend.go.
ForwardPerformanceStandby: true,
ForwardPerformanceSecondary: true,
Expand Down Expand Up @@ -58,13 +78,42 @@ func pathConfigIssuers(b *backend) *framework.Path {
Default: false,
},
},

Operations: map[logical.Operation]framework.OperationHandler{
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathCAIssuersRead,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"default": {
Type: framework.TypeString,
Description: `Reference (name or identifier) to the default issuer.`,
},
"default_follows_latest_issuer": {
Type: framework.TypeBool,
Description: `Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.`,
},
},
}},
},
},
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathCAIssuersWrite,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"default": {
Type: framework.TypeString,
Description: `Reference (name or identifier) to the default issuer.`,
},
"default_follows_latest_issuer": {
Type: framework.TypeBool,
Description: `Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.`,
},
},
}},
},
// Read more about why these flags are set in backend.go.
ForwardPerformanceStandby: true,
ForwardPerformanceSecondary: true,
Expand All @@ -90,6 +139,21 @@ func pathReplaceRoot(b *backend) *framework.Path {
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathCAIssuersWrite,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"default": {
Type: framework.TypeString,
Description: `Reference (name or identifier) to the default issuer.`,
},
"default_follows_latest_issuer": {
Type: framework.TypeBool,
Description: `Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.`,
},
},
}},
},
// Read more about why these flags are set in backend.go.
ForwardPerformanceStandby: true,
ForwardPerformanceSecondary: true,
Expand Down Expand Up @@ -208,12 +272,34 @@ func pathConfigKeys(b *backend) *framework.Path {

Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathKeyDefaultWrite,
Callback: b.pathKeyDefaultWrite,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"default": {
Type: framework.TypeString,
Description: `Reference (name or identifier) to the default issuer.`,
},
},
}},
},
ForwardPerformanceStandby: true,
ForwardPerformanceSecondary: true,
},
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathKeyDefaultRead,
Callback: b.pathKeyDefaultRead,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"default": {
Type: framework.TypeString,
Description: `Reference (name or identifier) to the default issuer.`,
},
},
}},
},
ForwardPerformanceStandby: false,
ForwardPerformanceSecondary: false,
},
Expand Down
41 changes: 41 additions & 0 deletions builtin/logical/pki/path_config_cluster.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package pki
import (
"context"
"fmt"
"net/http"

"github.com/asaskevich/govalidator"
"github.com/hashicorp/vault/sdk/framework"
Expand Down Expand Up @@ -31,9 +32,49 @@ For example: https://pr1.vault.example.com:8200/v1/pki`,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathWriteCluster,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"path": {
Type: framework.TypeString,
Description: `Canonical URI to this mount on this performance
replication cluster's external address. This is for resolving AIA URLs and
providing the {{cluster_path}} template parameter but might be used for other
purposes in the future.

This should only point back to this particular PR replica and should not ever
point to another PR cluster. It may point to any node in the PR replica,
including standby nodes, and need not always point to the active node.

For example: https://pr1.vault.example.com:8200/v1/pki`,
},
},
}},
},
},
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathReadCluster,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"path": {
Type: framework.TypeString,
Description: `Canonical URI to this mount on this performance
replication cluster's external address. This is for resolving AIA URLs and
providing the {{cluster_path}} template parameter but might be used for other
purposes in the future.

This should only point back to this particular PR replica and should not ever
point to another PR cluster. It may point to any node in the PR replica,
including standby nodes, and need not always point to the active node.

For example: https://pr1.vault.example.com:8200/v1/pki`,
},
},
}},
},
},
},

Expand Down
91 changes: 91 additions & 0 deletions builtin/logical/pki/path_config_crl.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package pki
import (
"context"
"fmt"
"net/http"
"time"

"github.com/hashicorp/vault/sdk/framework"
Expand Down Expand Up @@ -85,9 +86,99 @@ the NextUpdate field); defaults to 12 hours`,
Operations: map[logical.Operation]framework.OperationHandler{
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathCRLRead,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"expiry": {
Type: framework.TypeString,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[note]
lots of these fields are durations, maybe we can add a format field to framework.FieldSchema eventually to make it more explicit
https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.1.md#data-types
https://pkg.go.dev/github.com/go-openapi/strfmt#section-readme

Copy link
Contributor

@cipherboy cipherboy Dec 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have TypeDurationSecond, but I don't know if the response is formatted correctly for that always?

Sometimes there are also string time.Time value when its a concrete date instead of a duration though.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, since we have the tests now, would it be possible to try it out with TypeTime and TypeDurationSecond?

vault/sdk/framework/openapi.go

Lines 805 to 807 in 40f599b

case TypeTime:
ret.baseType = "string"
ret.format = "date-time"

vault/sdk/framework/openapi.go

Lines 785 to 787 in 40f599b

case TypeDurationSecond, TypeSignedDurationSecond:
ret.baseType = "integer"
ret.format = "seconds"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment applies to:

  • auto_rebuild_grace_period
  • ocsp_expiry
  • delta_rebuild_interval
  • expiry

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure! I did update this on a few other PRs. So, I forgot to go back and do it here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With regard to this, the user sees these as string, e.g. 15m and then it gets parsed into a duration when it's handled. Shouldn't it reflect what the user sees or should it be a duration?
https://developer.hashicorp.com/vault/api-docs/secret/pki#expiry

Description: `The amount of time the generated CRL should be
valid; defaults to 72 hours`,
Default: "72h",
AnPucel marked this conversation as resolved.
Show resolved Hide resolved
},
"disable": {
Type: framework.TypeBool,
Description: `If set to true, disables generating the CRL entirely.`,
},
"ocsp_disable": {
Type: framework.TypeBool,
Description: `If set to true, ocsp unauthorized responses will be returned.`,
},
"ocsp_expiry": {
Type: framework.TypeString,
Description: `The amount of time an OCSP response will be valid (controls
the NextUpdate field); defaults to 12 hours`,
Default: "1h",
},
"auto_rebuild": {
Type: framework.TypeBool,
Description: `If set to true, enables automatic rebuilding of the CRL`,
},
"auto_rebuild_grace_period": {
Type: framework.TypeString,
Description: `The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.`,
Default: "12h",
},
"enable_delta": {
Type: framework.TypeBool,
Description: `Whether to enable delta CRLs between authoritative CRL rebuilds`,
},
"delta_rebuild_interval": {
Type: framework.TypeString,
Description: `The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.`,
Default: "15m",
},
},
}},
},
},
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathCRLWrite,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"expiry": {
Type: framework.TypeString,
Description: `The amount of time the generated CRL should be
valid; defaults to 72 hours`,
Default: "72h",
},
"disable": {
Type: framework.TypeBool,
Description: `If set to true, disables generating the CRL entirely.`,
},
"ocsp_disable": {
Type: framework.TypeBool,
Description: `If set to true, ocsp unauthorized responses will be returned.`,
},
"ocsp_expiry": {
Type: framework.TypeString,
Description: `The amount of time an OCSP response will be valid (controls
the NextUpdate field); defaults to 12 hours`,
Default: "1h",
},
"auto_rebuild": {
Type: framework.TypeBool,
Description: `If set to true, enables automatic rebuilding of the CRL`,
},
"auto_rebuild_grace_period": {
Type: framework.TypeString,
Description: `The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.`,
Default: "12h",
},
"enable_delta": {
Type: framework.TypeBool,
Description: `Whether to enable delta CRLs between authoritative CRL rebuilds`,
},
"delta_rebuild_interval": {
Type: framework.TypeString,
Description: `The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.`,
Default: "15m",
},
},
}},
},
// Read more about why these flags are set in backend.go.
ForwardPerformanceStandby: true,
ForwardPerformanceSecondary: true,
Expand Down
63 changes: 63 additions & 0 deletions builtin/logical/pki/path_config_urls.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package pki
import (
"context"
"fmt"
"net/http"
"strings"

"github.com/asaskevich/govalidator"
Expand Down Expand Up @@ -46,9 +47,71 @@ set on all PR Secondary clusters.`,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathWriteURL,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"issuing_certificates": {
Type: framework.TypeCommaStringSlice,
Description: `Comma-separated list of URLs to be used
for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.`,
},
"crl_distribution_points": {
Type: framework.TypeCommaStringSlice,
Description: `Comma-separated list of URLs to be used
for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.`,
},
"ocsp_servers": {
Type: framework.TypeCommaStringSlice,
Description: `Comma-separated list of URLs to be used
for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.`,
},
"enable_templating": {
Type: framework.TypeBool,
Description: `Whether or not to enabling templating of the
above AIA fields. When templating is enabled the special values '{{issuer_id}}'
and '{{cluster_path}}' are available, but the addresses are not checked for
URI validity until issuance time. This requires /config/cluster's path to be
set on all PR Secondary clusters.`,
Default: false,
},
},
}},
},
},
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathReadURL,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"issuing_certificates": {
Type: framework.TypeCommaStringSlice,
Description: `Comma-separated list of URLs to be used
for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.`,
},
"crl_distribution_points": {
Type: framework.TypeCommaStringSlice,
Description: `Comma-separated list of URLs to be used
for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.`,
},
"ocsp_servers": {
Type: framework.TypeCommaStringSlice,
Description: `Comma-separated list of URLs to be used
for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.`,
},
"enable_templating": {
Type: framework.TypeBool,
Description: `Whether or not to enabling templating of the
AnPucel marked this conversation as resolved.
Show resolved Hide resolved
above AIA fields. When templating is enabled the special values '{{issuer_id}}'
and '{{cluster_path}}' are available, but the addresses are not checked for
URI validity until issuance time. This requires /config/cluster's path to be
set on all PR Secondary clusters.`,
Default: false,
},
},
}},
},
},
},

Expand Down
3 changes: 3 additions & 0 deletions changelog/18376.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
openapi: Add openapi response definitions to pki/config_*.go
```