
PKI Response Structures Part 2 (hashicorp#18479)
Response structures from intermediate --> manage_keys
AnPucel committed Feb 15, 2023
1 parent d09e02a commit 8651d6d
Showing 7 changed files with 413 additions and 4 deletions.
11 changes: 10 additions & 1 deletion builtin/logical/pki/backend_test.go
Expand Up @@ -130,9 +130,10 @@ func TestPKI_RequireCN(t *testing.T) {

// Issue a cert with require_cn set to true and with common name supplied.
// It should succeed.
_, err = CBWrite(b, s, "issue/example", map[string]interface{}{
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
"common_name": "foobar.com",
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issue/example"), logical.UpdateOperation), resp, true)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -2194,6 +2195,8 @@ func runTestSignVerbatim(t *testing.T, keyType string) {
Data: signVerbatimData,
MountPoint: "pki/",
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("sign-verbatim"), logical.UpdateOperation), resp, true)

if resp != nil && resp.IsError() {
t.Fatalf("failed to sign-verbatim basic CSR: %#v", *resp)
}
Expand Down Expand Up @@ -2510,6 +2513,8 @@ func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
resp, err := CBWrite(b_int, s_int, "intermediate/generate/internal", map[string]interface{}{
"common_name": "myint.com",
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b_root.Route("intermediate/generate/internal"), logical.UpdateOperation), resp, true)

if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -4789,6 +4794,7 @@ func TestRootWithExistingKey(t *testing.T) {
"key_type": "rsa",
"issuer_name": "my-issuer1",
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/generate/root/internal"), logical.UpdateOperation), resp, true)
require.NoError(t, err)
require.NotNil(t, resp.Data["certificate"])
myIssuerId1 := resp.Data["issuer_id"]
Expand Down Expand Up @@ -4904,6 +4910,7 @@ func TestIntermediateWithExistingKey(t *testing.T) {
"common_name": "root myvault.com",
"key_type": "rsa",
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/generate/intermediate/internal"), logical.UpdateOperation), resp, true)
require.NoError(t, err)
// csr1 := resp.Data["csr"]
myKeyId1 := resp.Data["key_id"]
Expand Down Expand Up @@ -5192,6 +5199,7 @@ TgM7RZnmEjNdeaa4M52o7VY=
resp, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
"pem_bundle": customBundleWithoutCRLBits,
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuers/import/bundle"), logical.UpdateOperation), resp, true)
require.NoError(t, err)
require.NotNil(t, resp)
require.NotEmpty(t, resp.Data)
Expand Down Expand Up @@ -6377,6 +6385,7 @@ func TestUserIDsInLeafCerts(t *testing.T) {
resp, err = CBWrite(b, s, "sign/testing", map[string]interface{}{
"csr": csrPem,
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("sign/testing"), logical.UpdateOperation), resp, true)
requireSuccessNonNilResponse(t, resp, err, "failed issuing leaf cert")
requireSubjectUserIDAttr(t, resp.Data["certificate"].(string), "humanoid")

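Review bot: In the TestBackend_SignIntermediate_AllowedPastCA hunk the schema is looked up on `b_root` while the request on the line above was written to `b_int`; the two mounts may well share a route table, but validating a response against a backend other than the one that produced it is a latent mistake — use `schema.GetResponseSchema(t, b_int.Route("intermediate/generate/internal"), logical.UpdateOperation)`. The `ValidateResponse` calls added after the `issue/example`, `sign-verbatim` and `intermediate/generate/internal` writes run before the `err != nil` / `require.NoError` guard, so on a failed request they are handed a nil or error response; unless `schema.ValidateResponse` explicitly tolerates that (not visible here), a real failure would surface as a schema mismatch rather than the underlying error, so moving each validation after the error check keeps the failure message meaningful. The enclosing test functions all start and end outside the visible hunks.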
8 changes: 7 additions & 1 deletion builtin/logical/pki/crl_test.go
Expand Up @@ -771,6 +771,8 @@ func TestIssuerRevocation(t *testing.T) {

// Revoke it.
resp, err = CBWrite(b, s, "issuer/root2/revoke", map[string]interface{}{})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuer/root2/revoke"), logical.UpdateOperation), resp, true)

require.NoError(t, err)
require.NotNil(t, resp)
require.NotZero(t, resp.Data["revocation_time"])
Expand Down Expand Up @@ -801,7 +803,7 @@ func TestIssuerRevocation(t *testing.T) {
require.NoError(t, err)

// Issue a leaf cert and ensure it fails (because the issuer is revoked).
_, err = CBWrite(b, s, "issuer/root2/issue/local-testing", map[string]interface{}{
resp, err = CBWrite(b, s, "issuer/root2/issue/local-testing", map[string]interface{}{
"common_name": "testing",
})
require.Error(t, err)
Expand All @@ -827,6 +829,8 @@ func TestIssuerRevocation(t *testing.T) {
resp, err = CBWrite(b, s, "intermediate/set-signed", map[string]interface{}{
"certificate": intCert,
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("intermediate/set-signed"), logical.UpdateOperation), resp, true)

require.NoError(t, err)
require.NotNil(t, resp)
require.NotEmpty(t, resp.Data["imported_issuers"])
Expand All @@ -842,6 +846,8 @@ func TestIssuerRevocation(t *testing.T) {
resp, err = CBWrite(b, s, "issuer/int1/issue/local-testing", map[string]interface{}{
"common_name": "testing",
})
schema.ValidateResponse(t, schema.GetResponseSchema(t, b.Route("issuer/int1/issue/local-testing"), logical.UpdateOperation), resp, true)

require.NoError(t, err)
require.NotNil(t, resp)
require.NotEmpty(t, resp.Data["certificate"])
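Review bot: The `issuer/root2/issue/local-testing` write now assigns `resp` where it was `_`, but unlike every other call touched by this commit no `ValidateResponse` follows it, and `resp` appears to be overwritten by the later `intermediate/set-signed` write before it is read (the lines in between are collapsed, so this is inferred); if so the assignment is dead and will be flagged by ineffassign/staticcheck, and the original `_, err = CBWrite(...)` should be restored since the request is expected to fail. The validations added after the `issuer/root2/revoke` and `intermediate/set-signed` writes also run before `require.NoError`, so a failing request is reported as a schema error on an error response instead of the real cause; placing `schema.ValidateResponse(...)` after the `require.NotNil(t, resp)` line avoids that. TestIssuerRevocation starts before and ends after the visible hunks.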
23 changes: 23 additions & 0 deletions builtin/logical/pki/path_intermediate.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"encoding/base64"
"fmt"
"net/http"

"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/errutil"
Expand Down Expand Up @@ -31,6 +32,28 @@ appended to the bundle.`,
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathImportIssuers,
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"mapping": {
Type: framework.TypeMap,
Description: "A mapping of issuer_id to key_id for all issuers included in this request",
Required: true,
},
"imported_keys": {
Type: framework.TypeCommaStringSlice,
Description: "Net-new keys imported as a part of this request",
Required: true,
},
"imported_issuers": {
Type: framework.TypeCommaStringSlice,
Description: "Net-new issuers imported as a part of this request",
Required: true,
},
},
}},
},
// Read more about why these flags are set in backend.go
ForwardPerformanceStandby: true,
ForwardPerformanceSecondary: true,
127 changes: 127 additions & 0 deletions builtin/logical/pki/path_issue_sign.go
Expand Up @@ -7,6 +7,7 @@ import (
"encoding/base64"
"encoding/pem"
"fmt"
"net/http"
"strings"
"time"

Expand Down Expand Up @@ -34,6 +35,48 @@ func buildPathIssue(b *backend, pattern string) *framework.Path {
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.metricsWrap("issue", roleRequired, b.pathIssue),
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"certificate": {
Type: framework.TypeString,
Description: `Certificate`,
Required: true,
},
"issuing_ca": {
Type: framework.TypeString,
Description: `Issuing Certificate Authority`,
Required: true,
},
"ca_chain": {
Type: framework.TypeCommaStringSlice,
Description: `Certificate Chain`,
Required: false,
},
"serial_number": {
Type: framework.TypeString,
Description: `Serial Number`,
Required: false,
},
"expiration": {
Type: framework.TypeString,
Description: `Time of expiration`,
Required: false,
},
"private_key": {
Type: framework.TypeString,
Description: `Private key`,
Required: false,
},
"private_key_type": {
Type: framework.TypeString,
Description: `Private key type`,
Required: false,
},
},
}},
},
},
},

Expand Down Expand Up @@ -62,6 +105,48 @@ func buildPathSign(b *backend, pattern string) *framework.Path {
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.metricsWrap("sign", roleRequired, b.pathSign),
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"certificate": {
Type: framework.TypeString,
Description: `Certificate`,
Required: true,
},
"issuing_ca": {
Type: framework.TypeString,
Description: `Issuing Certificate Authority`,
Required: true,
},
"ca_chain": {
Type: framework.TypeCommaStringSlice,
Description: `Certificate Chain`,
Required: false,
},
"serial_number": {
Type: framework.TypeString,
Description: `Serial Number`,
Required: true,
},
"expiration": {
Type: framework.TypeString,
Description: `Time of expiration`,
Required: true,
},
"private_key": {
Type: framework.TypeString,
Description: `Private key`,
Required: false,
},
"private_key_type": {
Type: framework.TypeString,
Description: `Private key type`,
Required: false,
},
},
}},
},
},
},

Expand Down Expand Up @@ -98,6 +183,48 @@ func buildPathIssuerSignVerbatim(b *backend, pattern string) *framework.Path {
Operations: map[logical.Operation]framework.OperationHandler{
logical.UpdateOperation: &framework.PathOperation{
Callback: b.metricsWrap("sign-verbatim", roleOptional, b.pathSignVerbatim),
Responses: map[int][]framework.Response{
http.StatusOK: {{
Description: "OK",
Fields: map[string]*framework.FieldSchema{
"certificate": {
Type: framework.TypeString,
Description: `Certificate`,
Required: true,
},
"issuing_ca": {
Type: framework.TypeString,
Description: `Issuing Certificate Authority`,
Required: true,
},
"ca_chain": {
Type: framework.TypeCommaStringSlice,
Description: `Certificate Chain`,
Required: false,
},
"serial_number": {
Type: framework.TypeString,
Description: `Serial Number`,
Required: false,
},
"expiration": {
Type: framework.TypeString,
Description: `Time of expiration`,
Required: false,
},
"private_key": {
Type: framework.TypeString,
Description: `Private key`,
Required: false,
},
"private_key_type": {
Type: framework.TypeString,
Description: `Private key type`,
Required: false,
},
},
}},
},
},
},

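Review bot: The same seven-field response schema is pasted verbatim into buildPathIssue, buildPathSign and buildPathIssuerSignVerbatim and has already drifted: `serial_number` and `expiration` are `Required: true` in the sign path but `Required: false` in the other two, even though the same handlers produce the shape the tests validate with `ValidateResponse(..., true)`; which value is right depends on the callbacks, which are outside this hunk, but the three declarations should at least agree. `private_key` and `private_key_type` are also advertised on the sign and sign-verbatim responses, which operate on a caller-supplied CSR and so presumably never emit a key — advertising a private-key field on a CSR-signing endpoint misleads API consumers and generated clients. Finally, `expiration` is declared `framework.TypeString` while its description is "Time of expiration"; if the handler emits a numeric Unix timestamp (not visible here), strict validation would reject it, so confirm the type against the handler. Hoisting the fields into one helper removes the duplication and makes the sign-only differences explicit.

```go
// issueSignResponseFields returns the 200 response schema shared by the
// issue, sign and sign-verbatim operations. withPrivateKey adds the
// private_key/private_key_type fields, which only the issue path can
// populate (the sign paths operate on a caller-supplied CSR).
func issueSignResponseFields(withPrivateKey bool) map[string]*framework.FieldSchema {
	fields := map[string]*framework.FieldSchema{
		"certificate":   {Type: framework.TypeString, Description: `Certificate`, Required: true},
		"issuing_ca":    {Type: framework.TypeString, Description: `Issuing Certificate Authority`, Required: true},
		"ca_chain":      {Type: framework.TypeCommaStringSlice, Description: `Certificate Chain`, Required: false},
		"serial_number": {Type: framework.TypeString, Description: `Serial Number`, Required: false},
		// TODO(review): confirm the emitted type (string vs. Unix timestamp) against the handlers.
		"expiration": {Type: framework.TypeString, Description: `Time of expiration`, Required: false},
	}
	if withPrivateKey {
		fields["private_key"] = &framework.FieldSchema{Type: framework.TypeString, Description: `Private key`, Required: false}
		fields["private_key_type"] = &framework.FieldSchema{Type: framework.TypeString, Description: `Private key type`, Required: false}
	}
	return fields
}

// in buildPathIssue:
Responses: map[int][]framework.Response{
	http.StatusOK: {{Description: "OK", Fields: issueSignResponseFields(true)}},
},
// … unchanged: buildPathSign and buildPathIssuerSignVerbatim use issueSignResponseFields(false) …
```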

