PKI Responses Part 4 #18612

merged 42 commits into from
Mar 14, 2023
Changes from 38 commits
dd36bea
First response structures
AnPucel Jan 5, 2023
1695f5e
Root responses
AnPucel Jan 5, 2023
f2f5454
Sign issuers responses
AnPucel Jan 6, 2023
f5c34ad
Tidy responses
AnPucel Jan 9, 2023
59e3d20
path roles pki
AnPucel Jan 9, 2023
d6d705e
Go fmt
AnPucel Jan 9, 2023
c7d817c
formatting
AnPucel Jan 9, 2023
14e5fe0
Changelog
AnPucel Jan 9, 2023
ab5cf29
Fix list
AnPucel Jan 12, 2023
77bdc1b
Fix required for keys
AnPucel Jan 12, 2023
033fd1d
Remove wrong fields from response
AnPucel Jan 12, 2023
66fdde7
Delete --> no content
AnPucel Jan 12, 2023
cc9d9c9
Small delete fixes
AnPucel Jan 12, 2023
d93ca6a
Change to accepted
AnPucel Jan 12, 2023
b967a9f
Change to int
AnPucel Jan 12, 2023
b0d3f72
Change string --> int
AnPucel Jan 12, 2023
b1ed8f4
More string to int
AnPucel Jan 12, 2023
b586dbf
Merge branch 'main' into anpucel/PKIResponse4
AnPucel Feb 6, 2023
02bb5d1
Tests
AnPucel Feb 6, 2023
2934c56
crl/rotate test
AnPucel Feb 6, 2023
3ff152f
Fix revoke
AnPucel Feb 6, 2023
9b13941
missed one
AnPucel Feb 6, 2023
7292f58
Update revocation time
AnPucel Feb 7, 2023
ab83a0f
root/self-signed
AnPucel Feb 7, 2023
5d1f062
tidy-status
AnPucel Feb 7, 2023
6666ccc
config/auto-tidy
AnPucel Feb 7, 2023
fa6e7da
tidy-cancel
AnPucel Feb 7, 2023
95a0370
roles
AnPucel Feb 7, 2023
e941b0c
Remove changelog for single changelog
AnPucel Feb 7, 2023
1532b21
format
AnPucel Feb 7, 2023
68cedd9
Merge branch 'main' into anpucel/PKIResponse4
AnPucel Feb 15, 2023
9f773c8
Missed a few
AnPucel Feb 15, 2023
448e4aa
format
AnPucel Feb 15, 2023
6d55ae9
Fix path
AnPucel Feb 15, 2023
fc7d273
Merge branch 'main' into anpucel/PKIResponse4
AnPucel Feb 22, 2023
048e431
Making fields optional for tidy-cancel
AnPucel Feb 22, 2023
0c987e1
Add tidy test and fixing
AnPucel Feb 22, 2023
101c402
Adding test and fixing some tests
AnPucel Feb 23, 2023
29406c4
Go fmt
AnPucel Feb 23, 2023
61ee66d
Remove http_* fields from responses
AnPucel Mar 14, 2023
145de04
Merge branch 'main' into anpucel/PKIREsponse4
AnPucel Mar 14, 2023
58bc03e
Removing more fields
AnPucel Mar 14, 2023
3 changes: 3 additions & 0 deletions builtin/logical/pki/backend_test.go
Expand Up @@ -2694,6 +2694,7 @@ func TestBackend_SignSelfIssued(t *testing.T) {
},
MountPoint: "pki/",
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("root/sign-self-issued"), logical.UpdateOperation), resp, true)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -5247,6 +5248,7 @@ func TestBackend_IfModifiedSinceHeaders(t *testing.T) {
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler,
RequestResponseCallback: schema.ResponseValidatingCallback(t),
})
cluster.Start()
defer cluster.Cleanup()
Expand Down Expand Up @@ -5966,6 +5968,7 @@ func TestPKI_ListRevokedCerts(t *testing.T) {

// Test empty cluster
resp, err := CBList(b, s, "certs/revoked")
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("certs/revoked"), logical.ListOperation), resp, true)
requireSuccessNonNilResponse(t, resp, err, "failed listing empty cluster")
require.Empty(t, resp.Data, "response map contained data that we did not expect")

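Review bot: In the TestBackend_SignSelfIssued hunk the new `schema.ValidateResponse(...)` call runs before the existing `if err != nil { t.Fatal(err) }`, so when the write itself fails the first failure reported is a schema mismatch on a nil or error response rather than the underlying error. Checking the error first — keep `if err != nil { t.Fatal(err) }` and place `schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("root/sign-self-issued"), logical.UpdateOperation), resp, true)` after it — keeps the failure message meaningful. The same order appears in the TestPKI_ListRevokedCerts hunk below and in the test hunks of crl_test.go, path_ocsp_test.go and path_resign_crls_test.go, where the validation precedes `require.NoError` or `requireSuccessNonNilResponse`. Whether ValidateResponse tolerates a nil response is not visible here, so this is about which failure gets reported rather than a certain crash. The enclosing test functions start and end outside the hunks.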
7 changes: 5 additions & 2 deletions builtin/logical/pki/crl_test.go
Expand Up @@ -600,10 +600,11 @@ func TestPoP(t *testing.T) {
require.NotNil(t, resp)
require.NotEmpty(t, resp.Data["certificate"])

_, err = CBWrite(b, s, "revoke-with-key", map[string]interface{}{
resp, err = CBWrite(b, s, "revoke-with-key", map[string]interface{}{
"certificate": resp.Data["certificate"],
"private_key": resp.Data["private_key"],
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("revoke-with-key"), logical.UpdateOperation), resp, true)
require.NoError(t, err)

// Issue a second leaf, but hold onto it for now.
Expand Down Expand Up @@ -780,7 +781,9 @@ func TestIssuerRevocation(t *testing.T) {
require.NotZero(t, resp.Data["revocation_time"])

// Regenerate the CRLs
_, err = CBRead(b, s, "crl/rotate")
resp, err = CBRead(b, s, "crl/rotate")
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("crl/rotate"), logical.ReadOperation), resp, true)

require.NoError(t, err)

// Ensure the old cert isn't on its own CRL.
4 changes: 2 additions & 2 deletions builtin/logical/pki/path_fetch.go
Expand Up @@ -25,12 +25,12 @@ var pathFetchReadSchema = map[int][]framework.Response{
Required: false,
},
"revocation_time": {
Type: framework.TypeInt,
Type: framework.TypeString,
Description: `Revocation time`,
Required: false,
},
"revocation_time_rfc3339": {
Type: framework.TypeInt,
Type: framework.TypeString,
Description: `Revocation time RFC 3339 formatted`,
Required: false,
},
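Review bot: Taking the usual old-then-new print order, this hunk leaves `revocation_time` declared as `framework.TypeString`, while the path_fetch_issuers.go hunk in this same PR declares `revocation_time` as `framework.TypeInt` and only `revocation_time_rfc3339` as `framework.TypeString`. Now that the test files run `schema.ValidateResponse` against these schemas, describing the same key with two different types in two paths means at least one of them cannot match what the handlers put in `resp.Data`. If the value is the Unix timestamp the field name suggests, `Type: framework.TypeInt,` is the declaration to keep for `revocation_time` here; the direction of the change cannot be confirmed from this rendering, so it is worth checking against the handler. The `pathFetchReadSchema` literal starts and ends outside the hunk.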
59 changes: 45 additions & 14 deletions builtin/logical/pki/path_fetch_issuers.go
Expand Up @@ -171,67 +171,87 @@ to be set on all PR secondary clusters.`,
"issuer_id": {
Type: framework.TypeString,
Description: `Issuer Id`,
Required: true,
Required: false,
},
"issuer_name": {
Type: framework.TypeString,
Description: `Issuer Name`,
Required: true,
Required: false,
},
"key_id": {
Type: framework.TypeString,
Description: `Key Id`,
Required: true,
Required: false,
},
"certificate": {
Type: framework.TypeString,
Description: `Certificate`,
Required: true,
Required: false,
},
"manual_chain": {
Type: framework.TypeStringSlice,
Description: `Manual Chain`,
Required: true,
Required: false,
},
"ca_chain": {
Type: framework.TypeStringSlice,
Description: `CA Chain`,
Required: true,
Required: false,
},
"leaf_not_after_behavior": {
Type: framework.TypeString,
Description: `Leaf Not After Behavior`,
Required: true,
Required: false,
},
"usage": {
Type: framework.TypeStringSlice,
Description: `Usage`,
Required: true,
Required: false,
},
"revocation_signature_algorithm": {
Type: framework.TypeString,
Description: `Revocation Signature Alogrithm`,
Required: true,
Required: false,
},
"revoked": {
Type: framework.TypeBool,
Description: `Revoked`,
Required: true,
Required: false,
},
"revocation_time": {
Type: framework.TypeInt,
Required: false,
},
"revocation_time_rfc3339": {
Type: framework.TypeString,
Required: false,
},
"issuing_certificates": {
Type: framework.TypeStringSlice,
Description: `Issuing Certificates`,
Required: true,
Required: false,
},
"crl_distribution_points": {
Type: framework.TypeStringSlice,
Description: `CRL Distribution Points`,
Required: true,
Required: false,
},
"ocsp_servers": {
Type: framework.TypeStringSlice,
Description: `OSCP Servers`,
Required: true,
Required: false,
},
"http_content_type": {
Type: framework.TypeString,
Required: false,
},
"http_raw_body": {
Type: framework.TypeString,
Required: false,
},
"http_status_code": {
Type: framework.TypeString,
Required: false,
},
},
}},
Expand Down Expand Up @@ -1068,7 +1088,18 @@ func buildPathGetIssuerCRL(b *backend, pattern string) *framework.Path {
Fields: map[string]*framework.FieldSchema{
"crl": {
Type: framework.TypeString,
Description: ``,
Required: false,
},
"http_content_type": {
Type: framework.TypeString,
Required: false,
},
"http_raw_body": {
Type: framework.TypeString,
Required: false,
},
"http_status_code": {
Type: framework.TypeString,
Required: false,
},
},
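Review bot: The new `revocation_time` and `revocation_time_rfc3339` entries in the first hunk are the only fields in this response schema without a `Description`, while every neighbouring field carries one; adding `Description: `Revocation time`,` and `Description: `Revocation time RFC 3339 formatted`,`, the wording path_fetch.go uses for the same keys, keeps the generated API documentation consistent. Separately, `http_status_code` is declared `framework.TypeString` in both hunks, and if the value stored under that key is the integer HTTP status the name suggests, a string type will not describe it. The commit list shows a later "Remove http_* fields from responses" commit, so that part may already be moot outside this 38-commit view. The enclosing Response literals start and end outside the hunks.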
3 changes: 3 additions & 0 deletions builtin/logical/pki/path_ocsp_test.go
Expand Up @@ -14,6 +14,8 @@ import (
"testing"
"time"

"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"

vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/vault"

Expand Down Expand Up @@ -197,6 +199,7 @@ func TestOcsp_UnknownIssuerIdWithDefaultHavingOcspUsageRemoved(t *testing.T) {
resp, err := CBWrite(b, s, "revoke", map[string]interface{}{
"serial_number": serial,
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("revoke"), logical.UpdateOperation), resp, true)
requireSuccessNonNilResponse(t, resp, err, "revoke")

// Twiddle the entry so that the issuer id is no longer valid.
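Review bot: The new `"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"` import sits in a group of its own, separated by blank lines from the other `github.com/hashicorp/vault/...` imports directly below it; goimports preserves blank-line groups, so the file ends up with an extra group for one path. Moving the line into the existing hashicorp group, where goimports sorts it by path between `vaulthttp "github.com/hashicorp/vault/http"` and `"github.com/hashicorp/vault/vault"`, matches the rest of the file. The import hunk in path_resign_crls_test.go adds the same line in the same isolated way.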
25 changes: 25 additions & 0 deletions builtin/logical/pki/path_resign_crls.go
Expand Up @@ -12,6 +12,7 @@ import (
"errors"
"fmt"
"math/big"
"net/http"
"strconv"
"strings"
"time"
Expand Down Expand Up @@ -77,6 +78,18 @@ base64 encoded. Defaults to "pem".`,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathUpdateResignCrlsHandler,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"crl": {
Type: framework.TypeString,
Description: `CRL`,
Required: true,
},
},
}},
},
},
},

Expand Down Expand Up @@ -133,6 +146,18 @@ value (string)`,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathUpdateSignRevocationListHandler,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"crl": {
Type: framework.TypeString,
Description: `CRL`,
Required: true,
},
},
}},
},
},
},

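Review bot: The two hunks add byte-identical `Responses` literals (one OK response with a single required `crl` string field) to the resign-crls and sign-revocation-list operations, so any later change to one has to be mirrored by hand in the other. path_fetch.go already uses a package-level `pathFetchReadSchema` variable for a shared response schema; the same pattern here, a single package-level var (name below is a suggestion) referenced from both `Responses:` fields, removes the duplication. Both `framework.Path` literals start and end outside the hunks.
```go
// resignCrlsResponseSchema describes the single "crl" field returned by both
// CRL signing endpoints; shared so the two declarations cannot drift apart.
var resignCrlsResponseSchema = map[int][]framework.Response{
	http.StatusOK: {{
		Description: "OK",
		Fields: map[string]*framework.FieldSchema{
			"crl": {
				Type:        framework.TypeString,
				Description: `CRL`,
				Required:    true,
			},
		},
	}},
}

// … unchanged: path definitions up to the operation maps …
			logical.UpdateOperation: &framework.PathOperation{
				Callback:  b.pathUpdateResignCrlsHandler,
				Responses: resignCrlsResponseSchema,
// … unchanged: rest of the resign-crls path; same one-line substitution for pathUpdateSignRevocationListHandler …
```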
4 changes: 4 additions & 0 deletions builtin/logical/pki/path_resign_crls_test.go
Expand Up @@ -10,6 +10,8 @@ import (
"testing"
"time"

"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"

"github.com/hashicorp/vault/api"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/vault"
Expand Down Expand Up @@ -55,6 +57,7 @@ func TestResignCrls_NormalCrl(t *testing.T) {
"format": "pem",
"crls": []string{crl1, crl2},
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b1.Route("issuer/default/resign-crls"), logical.UpdateOperation), resp, true)
requireSuccessNonNilResponse(t, resp, err)
requireFieldsSetInResp(t, resp, "crl")
pemCrl := resp.Data["crl"].(string)
Expand Down Expand Up @@ -351,6 +354,7 @@ func TestSignRevocationList_NoRevokedCerts(t *testing.T) {
"next_update": "12h",
"format": "pem",
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuer/default/sign-revocation-list"), logical.UpdateOperation), resp, true)
requireSuccessNonNilResponse(t, resp, err)
requireFieldsSetInResp(t, resp, "crl")
pemCrl := resp.Data["crl"].(string)