open-vault/builtin/logical/pki/path_config_urls.go

package pki

import (
	"context"
	"fmt"

	"github.com/asaskevich/govalidator"
	"github.com/fatih/structs"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/certutil"
	"github.com/hashicorp/vault/sdk/logical"
)

func pathConfigURLs(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: "config/urls",
		Fields: map[string]*framework.FieldSchema{
			"issuing_certificates": {
				Type: framework.TypeCommaStringSlice,
				Description: `Comma-separated list of URLs to be used
for the issuing certificate attribute`,
			},

			"crl_distribution_points": {
				Type: framework.TypeCommaStringSlice,
				Description: `Comma-separated list of URLs to be used
for the CRL distribution points attribute`,
			},

			"ocsp_servers": {
				Type: framework.TypeCommaStringSlice,
				Description: `Comma-separated list of URLs to be used
for the OCSP servers attribute`,
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: b.pathWriteURL,
			logical.ReadOperation:   b.pathReadURL,
		},

		HelpSynopsis:    pathConfigURLsHelpSyn,
		HelpDescription: pathConfigURLsHelpDesc,
	}
}

func validateURLs(urls []string) string {
	for _, curr := range urls {
		if !govalidator.IsURL(curr) {
			return curr
		}
	}

	return ""
}

func getURLs(ctx context.Context, req *logical.Request) (*certutil.URLEntries, error) {
	entry, err := req.Storage.Get(ctx, "urls")
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}

	var entries certutil.URLEntries
	if err := entry.DecodeJSON(&entries); err != nil {
		return nil, err
	}

	return &entries, nil
}

func writeURLs(ctx context.Context, req *logical.Request, entries *certutil.URLEntries) error {
	entry, err := logical.StorageEntryJSON("urls", entries)
	if err != nil {
		return err
	}
	if entry == nil {
		return fmt.Errorf("unable to marshal entry into JSON")
	}

	err = req.Storage.Put(ctx, entry)
	if err != nil {
		return err
	}

	return nil
}

func (b *backend) pathReadURL(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	entries, err := getURLs(ctx, req)
	if err != nil {
		return nil, err
	}
	if entries == nil {
		return nil, nil
	}

	resp := &logical.Response{
		Data: structs.New(entries).Map(),
	}

	return resp, nil
}

func (b *backend) pathWriteURL(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	entries, err := getURLs(ctx, req)
	if err != nil {
		return nil, err
	}
	if entries == nil {
		entries = &certutil.URLEntries{
			IssuingCertificates:   []string{},
			CRLDistributionPoints: []string{},
			OCSPServers:           []string{},
		}
	}

	if urlsInt, ok := data.GetOk("issuing_certificates"); ok {
		entries.IssuingCertificates = urlsInt.([]string)
		if badURL := validateURLs(entries.IssuingCertificates); badURL != "" {
			return logical.ErrorResponse(fmt.Sprintf(
				"invalid URL found in issuing certificates: %s", badURL)), nil
		}
	}
	if urlsInt, ok := data.GetOk("crl_distribution_points"); ok {
		entries.CRLDistributionPoints = urlsInt.([]string)
		if badURL := validateURLs(entries.CRLDistributionPoints); badURL != "" {
			return logical.ErrorResponse(fmt.Sprintf(
				"invalid URL found in CRL distribution points: %s", badURL)), nil
		}
	}
	if urlsInt, ok := data.GetOk("ocsp_servers"); ok {
		entries.OCSPServers = urlsInt.([]string)
		if badURL := validateURLs(entries.OCSPServers); badURL != "" {
			return logical.ErrorResponse(fmt.Sprintf(
				"invalid URL found in OCSP servers: %s", badURL)), nil
		}
	}

	return nil, writeURLs(ctx, req, entries)
}

const pathConfigURLsHelpSyn = `
Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.
`

const pathConfigURLsHelpDesc = `
This path allows you to set the issuing CA, CRL distribution points, and
OCSP server URLs that will be encoded into issued certificates. If these
values are not set, no such information will be encoded in the issued
certificates. To delete URLs, simply re-set the appropriate value with an
empty string.

Multiple URLs can be specified for each type; use commas to separate them.
`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`package pki`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`"fmt"`

Update validator function for URIs. Change example of entering a CA to a root cert generation. Other minor documentation updates. Fix private key output in issue/sign. 2015-11-19 16:32:18 +00:00			`"github.com/asaskevich/govalidator"`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`"github.com/fatih/structs"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/framework"`
Refactor cert util (#6676) Break dataBundle into two pieces: inputBundle, which contains data that is specific to the pki backend, and creationBundle, which is a more generic bundle of validated inputs given to certificate creation/signing routines. Move functions that only take creationBundle to certutil and make them public. 2019-05-09 15:43:11 +00:00			`"github.com/hashicorp/vault/sdk/helper/certutil"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`)`

			`func pathConfigURLs(b backend) framework.Path {`
			`return &framework.Path{`
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00			`Pattern: "config/urls",`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`Fields: map[string]*framework.FieldSchema{`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"issuing_certificates": {`
Allow entering PKI URLs as arrays. (#3409) Fixes #3407 2017-10-03 20:13:57 +00:00			`Type: framework.TypeCommaStringSlice,`
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00			Description: `Comma-separated list of URLs to be used
			for the issuing certificate attribute`,
			`},`

Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"crl_distribution_points": {`
Allow entering PKI URLs as arrays. (#3409) Fixes #3407 2017-10-03 20:13:57 +00:00			`Type: framework.TypeCommaStringSlice,`
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00			Description: `Comma-separated list of URLs to be used
			for the CRL distribution points attribute`,
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`},`
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"ocsp_servers": {`
Allow entering PKI URLs as arrays. (#3409) Fixes #3407 2017-10-03 20:13:57 +00:00			`Type: framework.TypeCommaStringSlice,`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			Description: `Comma-separated list of URLs to be used
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00			for the OCSP servers attribute`,
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
WriteOperation -> UpdateOperation 2016-01-07 15:30:47 +00:00			`logical.UpdateOperation: b.pathWriteURL,`
Some minor linting 2016-07-19 17:54:18 +00:00			`logical.ReadOperation: b.pathReadURL,`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`},`

			`HelpSynopsis: pathConfigURLsHelpSyn,`
			`HelpDescription: pathConfigURLsHelpDesc,`
			`}`
			`}`

Update validator function for URIs. Change example of entering a CA to a root cert generation. Other minor documentation updates. Fix private key output in issue/sign. 2015-11-19 16:32:18 +00:00			`func validateURLs(urls []string) string {`
Add URL validation 2015-11-16 19:19:10 +00:00			`for _, curr := range urls {`
Update validator function for URIs. Change example of entering a CA to a root cert generation. Other minor documentation updates. Fix private key output in issue/sign. 2015-11-19 16:32:18 +00:00			`if !govalidator.IsURL(curr) {`
			`return curr`
Add URL validation 2015-11-16 19:19:10 +00:00			`}`
			`}`

Update validator function for URIs. Change example of entering a CA to a root cert generation. Other minor documentation updates. Fix private key output in issue/sign. 2015-11-19 16:32:18 +00:00			`return ""`
Add URL validation 2015-11-16 19:19:10 +00:00			`}`

Refactor cert util (#6676) Break dataBundle into two pieces: inputBundle, which contains data that is specific to the pki backend, and creationBundle, which is a more generic bundle of validated inputs given to certificate creation/signing routines. Move functions that only take creationBundle to certutil and make them public. 2019-05-09 15:43:11 +00:00			`func getURLs(ctx context.Context, req logical.Request) (certutil.URLEntries, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entry, err := req.Storage.Get(ctx, "urls")`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`

Refactor cert util (#6676) Break dataBundle into two pieces: inputBundle, which contains data that is specific to the pki backend, and creationBundle, which is a more generic bundle of validated inputs given to certificate creation/signing routines. Move functions that only take creationBundle to certutil and make them public. 2019-05-09 15:43:11 +00:00			`var entries certutil.URLEntries`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`if err := entry.DecodeJSON(&entries); err != nil {`
			`return nil, err`
			`}`

			`return &entries, nil`
			`}`

Refactor cert util (#6676) Break dataBundle into two pieces: inputBundle, which contains data that is specific to the pki backend, and creationBundle, which is a more generic bundle of validated inputs given to certificate creation/signing routines. Move functions that only take creationBundle to certutil and make them public. 2019-05-09 15:43:11 +00:00			`func writeURLs(ctx context.Context, req logical.Request, entries certutil.URLEntries) error {`
Add path length paths and unit tests to verify same. 2015-10-14 19:53:57 +00:00			`entry, err := logical.StorageEntryJSON("urls", entries)`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`if err != nil {`
			`return err`
			`}`
			`if entry == nil {`
Errwrap everywhere (#4252) * package api * package builtin/credential * package builtin/logical * package command * package helper * package http and logical * package physical * package shamir * package vault * package vault * address feedback * more fixes 2018-04-05 15:49:21 +00:00			`return fmt.Errorf("unable to marshal entry into JSON")`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`err = req.Storage.Put(ctx, entry)`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathReadURL(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entries, err := getURLs(ctx, req)`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if entries == nil {`
			`return nil, nil`
			`}`

			`resp := &logical.Response{`
			`Data: structs.New(entries).Map(),`
			`}`

			`return resp, nil`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func (b backend) pathWriteURL(ctx context.Context, req logical.Request, data framework.FieldData) (logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entries, err := getURLs(ctx, req)`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`if entries == nil {`
Refactor cert util (#6676) Break dataBundle into two pieces: inputBundle, which contains data that is specific to the pki backend, and creationBundle, which is a more generic bundle of validated inputs given to certificate creation/signing routines. Move functions that only take creationBundle to certutil and make them public. 2019-05-09 15:43:11 +00:00			`entries = &certutil.URLEntries{`
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00			`IssuingCertificates: []string{},`
			`CRLDistributionPoints: []string{},`
			`OCSPServers: []string{},`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`}`
			`}`

Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00			`if urlsInt, ok := data.GetOk("issuing_certificates"); ok {`
Allow entering PKI URLs as arrays. (#3409) Fixes #3407 2017-10-03 20:13:57 +00:00			`entries.IssuingCertificates = urlsInt.([]string)`
Some minor linting 2016-07-19 17:54:18 +00:00			`if badURL := validateURLs(entries.IssuingCertificates); badURL != "" {`
Add URL validation 2015-11-16 19:19:10 +00:00			`return logical.ErrorResponse(fmt.Sprintf(`
Some minor linting 2016-07-19 17:54:18 +00:00			`"invalid URL found in issuing certificates: %s", badURL)), nil`
Add URL validation 2015-11-16 19:19:10 +00:00			`}`
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00			`}`
			`if urlsInt, ok := data.GetOk("crl_distribution_points"); ok {`
Allow entering PKI URLs as arrays. (#3409) Fixes #3407 2017-10-03 20:13:57 +00:00			`entries.CRLDistributionPoints = urlsInt.([]string)`
Some minor linting 2016-07-19 17:54:18 +00:00			`if badURL := validateURLs(entries.CRLDistributionPoints); badURL != "" {`
Add URL validation 2015-11-16 19:19:10 +00:00			`return logical.ErrorResponse(fmt.Sprintf(`
Some minor linting 2016-07-19 17:54:18 +00:00			`"invalid URL found in CRL distribution points: %s", badURL)), nil`
Add URL validation 2015-11-16 19:19:10 +00:00			`}`
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-10-14 18:48:51 +00:00			`}`
			`if urlsInt, ok := data.GetOk("ocsp_servers"); ok {`
Allow entering PKI URLs as arrays. (#3409) Fixes #3407 2017-10-03 20:13:57 +00:00			`entries.OCSPServers = urlsInt.([]string)`
Some minor linting 2016-07-19 17:54:18 +00:00			`if badURL := validateURLs(entries.OCSPServers); badURL != "" {`
Add URL validation 2015-11-16 19:19:10 +00:00			`return logical.ErrorResponse(fmt.Sprintf(`
Some minor linting 2016-07-19 17:54:18 +00:00			`"invalid URL found in OCSP servers: %s", badURL)), nil`
Add URL validation 2015-11-16 19:19:10 +00:00			`}`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`return nil, writeURLs(ctx, req, entries)`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00			`}`

			const pathConfigURLsHelpSyn = `
			`Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.`
			`

			const pathConfigURLsHelpDesc = `
			`This path allows you to set the issuing CA, CRL distribution points, and`
			`OCSP server URLs that will be encoded into issued certificates. If these`
Add path length paths and unit tests to verify same. 2015-10-14 19:53:57 +00:00			`values are not set, no such information will be encoded in the issued`
			`certificates. To delete URLs, simply re-set the appropriate value with an`
			`empty string.`
Add config/urls CRUD operations to get and set the URLs encoded into certificates for the issuing certificate URL, CRL distribution points, and OCSP servers. 2015-10-14 01:13:40 +00:00
			`Multiple URLs can be specified for each type; use commas to separate them.`
			`