open-vault/builtin/logical/pkiext/pkiext_binary/pki_mount.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package pkiext_binary

import (
	"context"
	"fmt"

	"github.com/hashicorp/vault/api"
)

type VaultPkiMount struct {
	*VaultPkiCluster
	mount string
}

func (vpm *VaultPkiMount) UpdateClusterConfig(config map[string]interface{}) error {
	defaultPath := "https://" + vpm.cluster.ClusterNodes[0].ContainerIPAddress + ":8200/v1/" + vpm.mount
	defaults := map[string]interface{}{
		"path":     defaultPath,
		"aia_path": defaultPath,
	}

	_, err := vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),
		vpm.mount+"/config/cluster", mergeWithDefaults(config, defaults))
	return err
}

func (vpm *VaultPkiMount) UpdateClusterConfigLocalAddr() (string, error) {
	basePath := fmt.Sprintf("https://%s/v1/%s", vpm.GetActiveContainerHostPort(), vpm.mount)
	return basePath, vpm.UpdateClusterConfig(map[string]interface{}{
		"path": basePath,
	})
}

func (vpm *VaultPkiMount) UpdateAcmeConfig(enable bool, config map[string]interface{}) error {
	defaults := map[string]interface{}{
		"enabled": enable,
	}

	_, err := vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),
		vpm.mount+"/config/acme", mergeWithDefaults(config, defaults))
	return err
}

func (vpm *VaultPkiMount) GenerateRootInternal(props map[string]interface{}) (*api.Secret, error) {
	defaults := map[string]interface{}{
		"common_name": "root-test.com",
		"key_type":    "ec",
		"issuer_name": "root",
	}

	return vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),
		vpm.mount+"/root/generate/internal", mergeWithDefaults(props, defaults))
}

func (vpm *VaultPkiMount) GenerateIntermediateInternal(props map[string]interface{}) (*api.Secret, error) {
	defaults := map[string]interface{}{
		"common_name": "intermediary-test.com",
		"key_type":    "ec",
		"issuer_name": "intermediary",
	}

	return vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),
		vpm.mount+"/intermediate/generate/internal", mergeWithDefaults(props, defaults))
}

func (vpm *VaultPkiMount) SignIntermediary(signingIssuer string, csr interface{}, props map[string]interface{}) (*api.Secret, error) {
	defaults := map[string]interface{}{
		"csr": csr,
	}

	return vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),
		vpm.mount+"/issuer/"+signingIssuer+"/sign-intermediate",
		mergeWithDefaults(props, defaults))
}

func (vpm *VaultPkiMount) ImportBundle(pemBundle interface{}, props map[string]interface{}) (*api.Secret, error) {
	defaults := map[string]interface{}{
		"pem_bundle": pemBundle,
	}

	return vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),
		vpm.mount+"/issuers/import/bundle", mergeWithDefaults(props, defaults))
}

func (vpm *VaultPkiMount) UpdateDefaultIssuer(issuerId string, props map[string]interface{}) error {
	defaults := map[string]interface{}{
		"default": issuerId,
	}

	_, err := vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),
		vpm.mount+"/config/issuers", mergeWithDefaults(props, defaults))

	return err
}

func (vpm *VaultPkiMount) UpdateIssuer(issuerRef string, props map[string]interface{}) error {
	defaults := map[string]interface{}{}

	_, err := vpm.GetActiveNode().Logical().JSONMergePatch(context.Background(),
		vpm.mount+"/issuer/"+issuerRef, mergeWithDefaults(props, defaults))

	return err
}

func (vpm *VaultPkiMount) UpdateRole(roleName string, config map[string]interface{}) error {
	defaults := map[string]interface{}{}

	_, err := vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),
		vpm.mount+"/roles/"+roleName, mergeWithDefaults(config, defaults))

	return err
}

func mergeWithDefaults(config map[string]interface{}, defaults map[string]interface{}) map[string]interface{} {
	myConfig := config
	if myConfig == nil {
		myConfig = map[string]interface{}{}
	}
	for key, value := range defaults {
		if origVal, exists := config[key]; !exists {
			myConfig[key] = value
		} else {
			myConfig[key] = origVal
		}
	}

	return myConfig
}
Refactor ACME PKI binary tests to run against a single Vault Cluster (#20419) * Initial refactoring of ACME PKI binary tests - Rework test suite to use a single Vault cluster with different mounts. - Refactor convenience methods to write PKI tests. * Add ACME test cases for mixed IP and DNS, along with IP only identifier requests * Parallelize the Vault PKI test suite 2023-05-01 16:01:24 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

			`package pkiext_binary`

			`import (`
			`"context"`
Add DNS wildcard tests to ACME test suite (#20486) * Refactor setting local addresses Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Validate wildcard domains in ACME test suite Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add locking to DNS resolver Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better removal semantics for records Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2023-05-03 20:23:44 +00:00			`"fmt"`
Refactor ACME PKI binary tests to run against a single Vault Cluster (#20419) * Initial refactoring of ACME PKI binary tests - Rework test suite to use a single Vault cluster with different mounts. - Refactor convenience methods to write PKI tests. * Add ACME test cases for mixed IP and DNS, along with IP only identifier requests * Parallelize the Vault PKI test suite 2023-05-01 16:01:24 +00:00
			`"github.com/hashicorp/vault/api"`
			`)`

			`type VaultPkiMount struct {`
			`*VaultPkiCluster`
			`mount string`
			`}`

			`func (vpm *VaultPkiMount) UpdateClusterConfig(config map[string]interface{}) error {`
			`defaultPath := "https://" + vpm.cluster.ClusterNodes[0].ContainerIPAddress + ":8200/v1/" + vpm.mount`
			`defaults := map[string]interface{}{`
			`"path": defaultPath,`
			`"aia_path": defaultPath,`
			`}`

			`_, err := vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),`
			`vpm.mount+"/config/cluster", mergeWithDefaults(config, defaults))`
			`return err`
			`}`

Add DNS wildcard tests to ACME test suite (#20486) * Refactor setting local addresses Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Validate wildcard domains in ACME test suite Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add locking to DNS resolver Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Better removal semantics for records Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2023-05-03 20:23:44 +00:00			`func (vpm *VaultPkiMount) UpdateClusterConfigLocalAddr() (string, error) {`
			`basePath := fmt.Sprintf("https://%s/v1/%s", vpm.GetActiveContainerHostPort(), vpm.mount)`
			`return basePath, vpm.UpdateClusterConfig(map[string]interface{}{`
			`"path": basePath,`
			`})`
			`}`

Refactor ACME PKI binary tests to run against a single Vault Cluster (#20419) * Initial refactoring of ACME PKI binary tests - Rework test suite to use a single Vault cluster with different mounts. - Refactor convenience methods to write PKI tests. * Add ACME test cases for mixed IP and DNS, along with IP only identifier requests * Parallelize the Vault PKI test suite 2023-05-01 16:01:24 +00:00			`func (vpm *VaultPkiMount) UpdateAcmeConfig(enable bool, config map[string]interface{}) error {`
			`defaults := map[string]interface{}{`
			`"enabled": enable,`
			`}`

			`_, err := vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),`
			`vpm.mount+"/config/acme", mergeWithDefaults(config, defaults))`
			`return err`
			`}`

			`func (vpm VaultPkiMount) GenerateRootInternal(props map[string]interface{}) (api.Secret, error) {`
			`defaults := map[string]interface{}{`
			`"common_name": "root-test.com",`
			`"key_type": "ec",`
			`"issuer_name": "root",`
			`}`

			`return vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),`
			`vpm.mount+"/root/generate/internal", mergeWithDefaults(props, defaults))`
			`}`

			`func (vpm VaultPkiMount) GenerateIntermediateInternal(props map[string]interface{}) (api.Secret, error) {`
			`defaults := map[string]interface{}{`
			`"common_name": "intermediary-test.com",`
			`"key_type": "ec",`
			`"issuer_name": "intermediary",`
			`}`

			`return vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),`
			`vpm.mount+"/intermediate/generate/internal", mergeWithDefaults(props, defaults))`
			`}`

			`func (vpm VaultPkiMount) SignIntermediary(signingIssuer string, csr interface{}, props map[string]interface{}) (api.Secret, error) {`
			`defaults := map[string]interface{}{`
			`"csr": csr,`
			`}`

			`return vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),`
			`vpm.mount+"/issuer/"+signingIssuer+"/sign-intermediate",`
			`mergeWithDefaults(props, defaults))`
			`}`

			`func (vpm VaultPkiMount) ImportBundle(pemBundle interface{}, props map[string]interface{}) (api.Secret, error) {`
			`defaults := map[string]interface{}{`
			`"pem_bundle": pemBundle,`
			`}`

			`return vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),`
			`vpm.mount+"/issuers/import/bundle", mergeWithDefaults(props, defaults))`
			`}`

			`func (vpm *VaultPkiMount) UpdateDefaultIssuer(issuerId string, props map[string]interface{}) error {`
			`defaults := map[string]interface{}{`
			`"default": issuerId,`
			`}`

			`_, err := vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),`
			`vpm.mount+"/config/issuers", mergeWithDefaults(props, defaults))`

			`return err`
			`}`

			`func (vpm *VaultPkiMount) UpdateIssuer(issuerRef string, props map[string]interface{}) error {`
			`defaults := map[string]interface{}{}`

			`_, err := vpm.GetActiveNode().Logical().JSONMergePatch(context.Background(),`
			`vpm.mount+"/issuer/"+issuerRef, mergeWithDefaults(props, defaults))`

			`return err`
			`}`

			`func (vpm *VaultPkiMount) UpdateRole(roleName string, config map[string]interface{}) error {`
			`defaults := map[string]interface{}{}`

			`_, err := vpm.GetActiveNode().Logical().WriteWithContext(context.Background(),`
			`vpm.mount+"/roles/"+roleName, mergeWithDefaults(config, defaults))`

			`return err`
			`}`

			`func mergeWithDefaults(config map[string]interface{}, defaults map[string]interface{}) map[string]interface{} {`
			`myConfig := config`
			`if myConfig == nil {`
			`myConfig = map[string]interface{}{}`
			`}`
			`for key, value := range defaults {`
			`if origVal, exists := config[key]; !exists {`
			`myConfig[key] = value`
			`} else {`
			`myConfig[key] = origVal`
			`}`
			`}`

			`return myConfig`
			`}`