Add missing cert auth ocsp read data (#20154)

* Add missing OCSP cert auth fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test to ensure OCSP values are persisted

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2023-04-13 14:59:09 -04:00 committed by GitHub
parent c0b8a9eddb
commit 10e02aca02
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 0 deletions


@ -1968,6 +1968,27 @@ func testAccStepCertWithExtraParams(t *testing.T, name string, cert []byte, poli
} }
} }
func testAccStepReadCertPolicy(t *testing.T, name string, expectError bool, expected map[string]interface{}) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "certs/" + name,
ErrorOk: expectError,
Data: nil,
Check: func(resp *logical.Response) error {
if (resp == nil || len(resp.Data) == 0) && expectError {
return fmt.Errorf("expected error but received nil")
}
for key, expectedValue := range expected {
actualValue := resp.Data[key]
if expectedValue != actualValue {
return fmt.Errorf("Expected to get [%v]=[%v] but read [%v]=[%v] from server for certs/%v: %v", key, expectedValue, key, actualValue, name, resp)
}
}
return nil
},
}
}
func testAccStepCertLease( func testAccStepCertLease(
t *testing.T, name string, cert []byte, policies string, t *testing.T, name string, cert []byte, policies string,
) logicaltest.TestStep { ) logicaltest.TestStep {
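Review bot: The Check closure in testAccStepReadCertPolicy dereferences a nil response when expectError is false: the guard on the first line of Check only fires when expectError is true, so a nil resp falls through to `resp.Data[key]` and the test panics instead of failing with a message. The comparison `expectedValue != actualValue` on interface{} values will also panic at runtime if any expected value is a slice (the ocsp_servers_override and ocsp_ca_certificates fields added in the read handler look like list values, which this helper cannot check today), so reflect.DeepEqual is the safer comparison; the error string should also start lowercase. Suggested rewrite of the guard and comparison (adds an import of reflect); the loop and return are otherwise as in the hunk.
```go
Check: func(resp *logical.Response) error {
	if resp == nil || len(resp.Data) == 0 {
		if expectError {
			return nil
		}
		return fmt.Errorf("expected data for certs/%v but got an empty response: %v", name, resp)
	}
	for key, expectedValue := range expected {
		actualValue, ok := resp.Data[key]
		if !ok || !reflect.DeepEqual(expectedValue, actualValue) {
			return fmt.Errorf("expected to get [%v]=[%v] but read [%v]=[%v] from server for certs/%v: %v", key, expectedValue, key, actualValue, name, resp)
		}
	}
	// … unchanged: return nil …
},
```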


@ -288,6 +288,11 @@ func (b *backend) pathCertRead(ctx context.Context, req *logical.Request, d *fra
"allowed_organizational_units": cert.AllowedOrganizationalUnits, "allowed_organizational_units": cert.AllowedOrganizationalUnits,
"required_extensions": cert.RequiredExtensions, "required_extensions": cert.RequiredExtensions,
"allowed_metadata_extensions": cert.AllowedMetadataExtensions, "allowed_metadata_extensions": cert.AllowedMetadataExtensions,
"ocsp_ca_certificates": cert.OcspCaCertificates,
"ocsp_enabled": cert.OcspEnabled,
"ocsp_servers_override": cert.OcspServersOverride,
"ocsp_fail_open": cert.OcspFailOpen,
"ocsp_query_all_servers": cert.OcspQueryAllServers,
} }
cert.PopulateTokenData(data) cert.PopulateTokenData(data)
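Review bot: The five new ocsp_* keys in pathCertRead are string literals that must match the parameter names accepted by the write path, and nothing in the hunk ties the two together, so a typo in either place would silently drop a field from the read response again (which is the bug this commit fixes). A short comment above the new block such as `// Keep these keys in sync with the ocsp_* fields accepted on write; the read test checks they round-trip.` would make the coupling visible to the next editor. The enclosing pathCertRead function starts and ends outside this hunk.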


@ -348,6 +348,7 @@ func TestCert_RoleResolveOCSP(t *testing.T) {
Steps: []logicaltest.TestStep{ Steps: []logicaltest.TestStep{
testAccStepCertWithExtraParams(t, "web", ca, "foo", allowed{dns: "example.com"}, false, testAccStepCertWithExtraParams(t, "web", ca, "foo", allowed{dns: "example.com"}, false,
map[string]interface{}{"ocsp_enabled": true, "ocsp_fail_open": c.failOpen}), map[string]interface{}{"ocsp_enabled": true, "ocsp_fail_open": c.failOpen}),
testAccStepReadCertPolicy(t, "web", false, map[string]interface{}{"ocsp_enabled": true, "ocsp_fail_open": c.failOpen}),
loginStep, loginStep,
resolveStep, resolveStep,
}, },
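Review bot: The new testAccStepReadCertPolicy step only verifies ocsp_enabled and ocsp_fail_open, so three of the five fields added to the read response (ocsp_ca_certificates, ocsp_servers_override, ocsp_query_all_servers) still have no round-trip coverage and could regress unnoticed. Setting at least the scalar one in the write step and reading it back covers it cheaply, e.g. `map[string]interface{}{"ocsp_enabled": true, "ocsp_fail_open": c.failOpen, "ocsp_query_all_servers": true}` in both the write and the read steps (assuming the write path accepts that parameter name). Covering the two list-valued fields would need the helper to compare with reflect.DeepEqual rather than `!=`, since interface values holding slices are not comparable. TestCert_RoleResolveOCSP starts and ends outside this hunk.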

2
changelog/20154.txt Normal file

@ -0,0 +1,2 @@
```release-note:bug
auth/cert: Include OCSP parameters in read CA certificate role response.