open-consul/agent/connect_ca_endpoint.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package agent

import (
	"fmt"
	"net/http"
	"strconv"

	"github.com/hashicorp/consul/agent/consul"
	"github.com/hashicorp/consul/agent/structs"
)

// GET /v1/connect/ca/roots
func (s *HTTPHandlers) ConnectCARoots(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
	var args structs.DCSpecificRequest
	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
		return nil, nil
	}

	pemResponse := false
	if pemParam := req.URL.Query().Get("pem"); pemParam != "" {
		val, err := strconv.ParseBool(pemParam)
		if err != nil {
			return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "The 'pem' query parameter must be a boolean value"}
		}
		pemResponse = val
	}

	var reply structs.IndexedCARoots
	defer setMeta(resp, &reply.QueryMeta)
	if err := s.agent.RPC(req.Context(), "ConnectCA.Roots", &args, &reply); err != nil {
		return nil, err
	}

	if !pemResponse {
		return reply, nil
	}

	// defined in RFC 8555 and registered with the IANA
	resp.Header().Set("Content-Type", "application/pem-certificate-chain")

	for _, root := range reply.Roots {
		if _, err := resp.Write([]byte(root.RootCert)); err != nil {
			return nil, err
		}
		for _, intermediate := range root.IntermediateCerts {
			if _, err := resp.Write([]byte(intermediate)); err != nil {
				return nil, err
			}
		}
	}
	return nil, nil
}

// /v1/connect/ca/configuration
func (s *HTTPHandlers) ConnectCAConfiguration(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
	switch req.Method {
	case "GET":
		return s.ConnectCAConfigurationGet(resp, req)

	case "PUT":
		return s.ConnectCAConfigurationSet(req)

	default:
		return nil, MethodNotAllowedError{req.Method, []string{"GET", "POST"}}
	}
}

// GET /v1/connect/ca/configuration
func (s *HTTPHandlers) ConnectCAConfigurationGet(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
	// Method is tested in ConnectCAConfiguration
	var args structs.DCSpecificRequest
	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
		return nil, nil
	}

	var reply structs.CAConfiguration
	err := s.agent.RPC(req.Context(), "ConnectCA.ConfigurationGet", &args, &reply)
	if err != nil {
		return nil, err
	}

	return reply, nil
}

// PUT /v1/connect/ca/configuration
func (s *HTTPHandlers) ConnectCAConfigurationSet(req *http.Request) (interface{}, error) {
	// Method is tested in ConnectCAConfiguration

	var args structs.CARequest
	s.parseDC(req, &args.Datacenter)
	s.parseToken(req, &args.Token)
	if err := decodeBody(req.Body, &args.Config); err != nil {
		return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: fmt.Sprintf("Request decode failed: %v", err)}
	}

	var reply interface{}
	err := s.agent.RPC(req.Context(), "ConnectCA.ConfigurationSet", &args, &reply)
	if err != nil && err.Error() == consul.ErrStateReadOnly.Error() {
		return nil, HTTPError{
			StatusCode: http.StatusBadRequest,
			Reason: "Provider State is read-only. It must be omitted" +
				" or identical to the current value",
		}
	}
	return nil, err
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

agent: /v1/connect/ca/roots 2018-03-17 04:39:26 +00:00			`package agent`

			`import (`
agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00			`"fmt"`
agent: /v1/connect/ca/roots 2018-03-17 04:39:26 +00:00			`"net/http"`
Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) Co-authored-by: R.B. Boyer <rb@hashicorp.com> 2020-10-09 14:43:33 +00:00			`"strconv"`
agent: /v1/connect/ca/roots 2018-03-17 04:39:26 +00:00
connect: Add AWS PCA provider (#6795) * Update AWS SDK to use PCA features. * Add AWS PCA provider * Add plumbing for config, config validation tests, add test for inheriting existing CA resources created by user * Unparallel the tests so we don't exhaust PCA limits * Merge updates * More aggressive polling; rate limit pass through on sign; Timeout on Sign and CA create * Add AWS PCA docs * Fix Vault doc typo too * Doc typo * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Doc fixes; tests for erroring if State is modified via API * More review cleanup * Uncomment tests! * Minor suggested clean ups 2019-11-21 17:40:29 +00:00			`"github.com/hashicorp/consul/agent/consul"`
agent: /v1/connect/ca/roots 2018-03-17 04:39:26 +00:00			`"github.com/hashicorp/consul/agent/structs"`
			`)`

			`// GET /v1/connect/ca/roots`
api: rename HTTPServer to HTTPHandlers Resolves a TODO about naming. This type is a set of handlers for an http.Server, it is not itself a Server. It provides http.Handler functions. 2020-09-04 18:42:15 +00:00			`func (s HTTPHandlers) ConnectCARoots(resp http.ResponseWriter, req http.Request) (interface{}, error) {`
agent: /v1/connect/ca/roots 2018-03-17 04:39:26 +00:00			`var args structs.DCSpecificRequest`
			`if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {`
			`return nil, nil`
			`}`

Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) Co-authored-by: R.B. Boyer <rb@hashicorp.com> 2020-10-09 14:43:33 +00:00			`pemResponse := false`
			`if pemParam := req.URL.Query().Get("pem"); pemParam != "" {`
			`val, err := strconv.ParseBool(pemParam)`
			`if err != nil {`
Unify various status errors into one HTTP error type. (#12594) Replaces specific error types for HTTP Status codes with a generic HTTPError type. Co-authored-by: Chris S. Kim <ckim@hashicorp.com> 2022-04-29 17:42:49 +00:00			`return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "The 'pem' query parameter must be a boolean value"}`
Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) Co-authored-by: R.B. Boyer <rb@hashicorp.com> 2020-10-09 14:43:33 +00:00			`}`
			`pemResponse = val`
			`}`

agent: /v1/connect/ca/roots 2018-03-17 04:39:26 +00:00			`var reply structs.IndexedCARoots`
			`defer setMeta(resp, &reply.QueryMeta)`
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700) 2022-12-14 15:24:22 +00:00			`if err := s.agent.RPC(req.Context(), "ConnectCA.Roots", &args, &reply); err != nil {`
agent: /v1/connect/ca/roots 2018-03-17 04:39:26 +00:00			`return nil, err`
			`}`

Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) Co-authored-by: R.B. Boyer <rb@hashicorp.com> 2020-10-09 14:43:33 +00:00			`if !pemResponse {`
			`return reply, nil`
			`}`

			`// defined in RFC 8555 and registered with the IANA`
			`resp.Header().Set("Content-Type", "application/pem-certificate-chain")`
Format certificates properly (rfc7468) with a trailing new line (#10411) * trim carriage return from certificates when inserting rootCA in the inMemDB * format rootCA properly when returning the CA on the connect CA endpoint * Fix linter warnings * Fix providers to trim certs before returning it * trim newlines on write when possible * add changelog * make sure all provider return a trailing newline after the root and intermediate certs * Fix endpoint to return trailing new line * Fix failing test with vault provider * make test more robust * make sure all provider return a trailing newline after the leaf certs * Check for suffix before removing newline and use function * Add comment to consul provider * Update change log Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix typo * simplify code callflow Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * extract requireNewLine as shared func * remove dependency to testify in testing file * remove extra newline in vault provider * Add cert newline fix to envoy xds * remove new line from mock provider * Remove adding a new line from provider and fix it when the cert is read * Add a comment to explain the fix * Add missing for leaf certs * fix missing new line * fix missing new line in leaf certs * remove extra new line in test * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * fix in vault provider and when reading cache (RPC call) * fix AWS provider * fix failing test in the provider * remove comments and empty lines * add check for empty cert in test * fix linter warnings * add new line for leaf and private key * use string concat instead of Sprintf * fix new lines for leaf signing * preallocate slice and remove append * Add new line to `SignIntermediate` and `CrossSignCA` Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-01 00:48:29 +00:00
Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774) Co-authored-by: R.B. Boyer <rb@hashicorp.com> 2020-10-09 14:43:33 +00:00			`for _, root := range reply.Roots {`
			`if _, err := resp.Write([]byte(root.RootCert)); err != nil {`
			`return nil, err`
			`}`
			`for _, intermediate := range root.IntermediateCerts {`
			`if _, err := resp.Write([]byte(intermediate)); err != nil {`
			`return nil, err`
			`}`
			`}`
			`}`
			`return nil, nil`
agent: /v1/connect/ca/roots 2018-03-17 04:39:26 +00:00			`}`
agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00
			`// /v1/connect/ca/configuration`
api: rename HTTPServer to HTTPHandlers Resolves a TODO about naming. This type is a set of handlers for an http.Server, it is not itself a Server. It provides http.Handler functions. 2020-09-04 18:42:15 +00:00			`func (s HTTPHandlers) ConnectCAConfiguration(resp http.ResponseWriter, req http.Request) (interface{}, error) {`
agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00			`switch req.Method {`
Update the CA config endpoint to enable GETs 2018-04-09 04:59:08 +00:00			`case "GET":`
			`return s.ConnectCAConfigurationGet(resp, req)`

agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00			`case "PUT":`
Format certificates properly (rfc7468) with a trailing new line (#10411) * trim carriage return from certificates when inserting rootCA in the inMemDB * format rootCA properly when returning the CA on the connect CA endpoint * Fix linter warnings * Fix providers to trim certs before returning it * trim newlines on write when possible * add changelog * make sure all provider return a trailing newline after the root and intermediate certs * Fix endpoint to return trailing new line * Fix failing test with vault provider * make test more robust * make sure all provider return a trailing newline after the leaf certs * Check for suffix before removing newline and use function * Add comment to consul provider * Update change log Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix typo * simplify code callflow Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * extract requireNewLine as shared func * remove dependency to testify in testing file * remove extra newline in vault provider * Add cert newline fix to envoy xds * remove new line from mock provider * Remove adding a new line from provider and fix it when the cert is read * Add a comment to explain the fix * Add missing for leaf certs * fix missing new line * fix missing new line in leaf certs * remove extra new line in test * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * fix in vault provider and when reading cache (RPC call) * fix AWS provider * fix failing test in the provider * remove comments and empty lines * add check for empty cert in test * fix linter warnings * add new line for leaf and private key * use string concat instead of Sprintf * fix new lines for leaf signing * preallocate slice and remove append * Add new line to `SignIntermediate` and `CrossSignCA` Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-01 00:48:29 +00:00			`return s.ConnectCAConfigurationSet(req)`
agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00
			`default:`
			`return nil, MethodNotAllowedError{req.Method, []string{"GET", "POST"}}`
			`}`
			`}`

add root_cert_ttl option for consul connect, vault ca providers (#11428) * add root_cert_ttl option for consul connect, vault ca providers Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * add changelog, pr feedback Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update .changelog/11428.txt, more docs Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * Update website/content/docs/agent/options.mdx Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> 2021-11-02 18:02:10 +00:00			`// GET /v1/connect/ca/configuration`
api: rename HTTPServer to HTTPHandlers Resolves a TODO about naming. This type is a set of handlers for an http.Server, it is not itself a Server. It provides http.Handler functions. 2020-09-04 18:42:15 +00:00			`func (s HTTPHandlers) ConnectCAConfigurationGet(resp http.ResponseWriter, req http.Request) (interface{}, error) {`
Update the CA config endpoint to enable GETs 2018-04-09 04:59:08 +00:00			`// Method is tested in ConnectCAConfiguration`
			`var args structs.DCSpecificRequest`
			`if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {`
			`return nil, nil`
			`}`

			`var reply structs.CAConfiguration`
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700) 2022-12-14 15:24:22 +00:00			`err := s.agent.RPC(req.Context(), "ConnectCA.ConfigurationGet", &args, &reply)`
Re-use uint8ToString 2018-05-25 17:28:18 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`return reply, nil`
Update the CA config endpoint to enable GETs 2018-04-09 04:59:08 +00:00			`}`

agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00			`// PUT /v1/connect/ca/configuration`
Format certificates properly (rfc7468) with a trailing new line (#10411) * trim carriage return from certificates when inserting rootCA in the inMemDB * format rootCA properly when returning the CA on the connect CA endpoint * Fix linter warnings * Fix providers to trim certs before returning it * trim newlines on write when possible * add changelog * make sure all provider return a trailing newline after the root and intermediate certs * Fix endpoint to return trailing new line * Fix failing test with vault provider * make test more robust * make sure all provider return a trailing newline after the leaf certs * Check for suffix before removing newline and use function * Add comment to consul provider * Update change log Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix typo * simplify code callflow Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * extract requireNewLine as shared func * remove dependency to testify in testing file * remove extra newline in vault provider * Add cert newline fix to envoy xds * remove new line from mock provider * Remove adding a new line from provider and fix it when the cert is read * Add a comment to explain the fix * Add missing for leaf certs * fix missing new line * fix missing new line in leaf certs * remove extra new line in test * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * fix in vault provider and when reading cache (RPC call) * fix AWS provider * fix failing test in the provider * remove comments and empty lines * add check for empty cert in test * fix linter warnings * add new line for leaf and private key * use string concat instead of Sprintf * fix new lines for leaf signing * preallocate slice and remove append * Add new line to `SignIntermediate` and `CrossSignCA` Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-01 00:48:29 +00:00			`func (s HTTPHandlers) ConnectCAConfigurationSet(req http.Request) (interface{}, error) {`
agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00			`// Method is tested in ConnectCAConfiguration`

Update the CA config endpoint to enable GETs 2018-04-09 04:59:08 +00:00			`var args structs.CARequest`
			`s.parseDC(req, &args.Datacenter)`
			`s.parseToken(req, &args.Token)`
Use encoding/json as JSON decoder instead of mapstructure (#6680) Fixes #6147 2019-10-29 18:13:36 +00:00			`if err := decodeBody(req.Body, &args.Config); err != nil {`
Unify various status errors into one HTTP error type. (#12594) Replaces specific error types for HTTP Status codes with a generic HTTPError type. Co-authored-by: Chris S. Kim <ckim@hashicorp.com> 2022-04-29 17:42:49 +00:00			`return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: fmt.Sprintf("Request decode failed: %v", err)}`
agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00			`}`

			`var reply interface{}`
Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700) 2022-12-14 15:24:22 +00:00			`err := s.agent.RPC(req.Context(), "ConnectCA.ConfigurationSet", &args, &reply)`
connect: Add AWS PCA provider (#6795) * Update AWS SDK to use PCA features. * Add AWS PCA provider * Add plumbing for config, config validation tests, add test for inheriting existing CA resources created by user * Unparallel the tests so we don't exhaust PCA limits * Merge updates * More aggressive polling; rate limit pass through on sign; Timeout on Sign and CA create * Add AWS PCA docs * Fix Vault doc typo too * Doc typo * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Doc fixes; tests for erroring if State is modified via API * More review cleanup * Uncomment tests! * Minor suggested clean ups 2019-11-21 17:40:29 +00:00			`if err != nil && err.Error() == consul.ErrStateReadOnly.Error() {`
Unify various status errors into one HTTP error type. (#12594) Replaces specific error types for HTTP Status codes with a generic HTTPError type. Co-authored-by: Chris S. Kim <ckim@hashicorp.com> 2022-04-29 17:42:49 +00:00			`return nil, HTTPError{`
			`StatusCode: http.StatusBadRequest,`
connect: Add AWS PCA provider (#6795) * Update AWS SDK to use PCA features. * Add AWS PCA provider * Add plumbing for config, config validation tests, add test for inheriting existing CA resources created by user * Unparallel the tests so we don't exhaust PCA limits * Merge updates * More aggressive polling; rate limit pass through on sign; Timeout on Sign and CA create * Add AWS PCA docs * Fix Vault doc typo too * Doc typo * Apply suggestions from code review Co-Authored-By: R.B. Boyer <rb@hashicorp.com> Co-Authored-By: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> * Doc fixes; tests for erroring if State is modified via API * More review cleanup * Uncomment tests! * Minor suggested clean ups 2019-11-21 17:40:29 +00:00			`Reason: "Provider State is read-only. It must be omitted" +`
			`" or identical to the current value",`
			`}`
			`}`
agent: /v1/connect/ca/configuration PUT for setting configuration 2018-03-21 19:42:42 +00:00			`return nil, err`
			`}`