Fix reading issuer's enable_aia_url_templating value (#20354)
* Add enable_aia_url_templating to read issuer This field was elided from read issuer responses, though the value otherwise persisted correctly. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add comprehensive test for patching issuers Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add missing OpenAPI scheme definition Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
parent
a32342507f
commit
3a995707b5
@ -6919,6 +6919,123 @@ func TestProperAuthing(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestPatchIssuer(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
type TestCase struct {
|
||||||
|
Field string
|
||||||
|
Before interface{}
|
||||||
|
Patched interface{}
|
||||||
|
}
|
||||||
|
testCases := []TestCase{
|
||||||
|
{
|
||||||
|
Field: "issuer_name",
|
||||||
|
Before: "root",
|
||||||
|
Patched: "root-new",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Field: "leaf_not_after_behavior",
|
||||||
|
Before: "err",
|
||||||
|
Patched: "permit",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Field: "usage",
|
||||||
|
Before: "crl-signing,issuing-certificates,ocsp-signing,read-only",
|
||||||
|
Patched: "issuing-certificates,read-only",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Field: "revocation_signature_algorithm",
|
||||||
|
Before: "ECDSAWithSHA256",
|
||||||
|
Patched: "ECDSAWithSHA384",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Field: "issuing_certificates",
|
||||||
|
Before: []string{"http://localhost/v1/pki-1/ca"},
|
||||||
|
Patched: []string{"http://localhost/v1/pki/ca"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Field: "crl_distribution_points",
|
||||||
|
Before: []string{"http://localhost/v1/pki-1/crl"},
|
||||||
|
Patched: []string{"http://localhost/v1/pki/crl"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Field: "ocsp_servers",
|
||||||
|
Before: []string{"http://localhost/v1/pki-1/ocsp"},
|
||||||
|
Patched: []string{"http://localhost/v1/pki/ocsp"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Field: "enable_aia_url_templating",
|
||||||
|
Before: false,
|
||||||
|
Patched: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Field: "manual_chain",
|
||||||
|
Before: []string(nil),
|
||||||
|
Patched: []string{"self"},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for index, testCase := range testCases {
|
||||||
|
t.Logf("index: %v / tc: %v", index, testCase)
|
||||||
|
|
||||||
|
b, s := CreateBackendWithStorage(t)
|
||||||
|
|
||||||
|
// 1. Setup root issuer.
|
||||||
|
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||||||
|
"common_name": "Vault Root CA",
|
||||||
|
"key_type": "ec",
|
||||||
|
"ttl": "7200h",
|
||||||
|
"issuer_name": "root",
|
||||||
|
})
|
||||||
|
requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
|
||||||
|
id := string(resp.Data["issuer_id"].(issuerID))
|
||||||
|
|
||||||
|
// 2. Enable Cluster paths
|
||||||
|
resp, err = CBWrite(b, s, "config/urls", map[string]interface{}{
|
||||||
|
"path": "https://localhost/v1/pki",
|
||||||
|
"aia_path": "http://localhost/v1/pki",
|
||||||
|
})
|
||||||
|
requireSuccessNonNilResponse(t, resp, err, "failed updating AIA config")
|
||||||
|
|
||||||
|
// 3. Add AIA information
|
||||||
|
resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
|
||||||
|
"issuing_certificates": "http://localhost/v1/pki-1/ca",
|
||||||
|
"crl_distribution_points": "http://localhost/v1/pki-1/crl",
|
||||||
|
"ocsp_servers": "http://localhost/v1/pki-1/ocsp",
|
||||||
|
})
|
||||||
|
requireSuccessNonNilResponse(t, resp, err, "failed setting up issuer")
|
||||||
|
|
||||||
|
// 4. Read the issuer before.
|
||||||
|
resp, err = CBRead(b, s, "issuer/default")
|
||||||
|
requireSuccessNonNilResponse(t, resp, err, "failed reading root issuer before")
|
||||||
|
require.Equal(t, testCase.Before, resp.Data[testCase.Field], "bad expectations")
|
||||||
|
|
||||||
|
// 5. Perform modification.
|
||||||
|
resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
|
||||||
|
testCase.Field: testCase.Patched,
|
||||||
|
})
|
||||||
|
requireSuccessNonNilResponse(t, resp, err, "failed patching root issuer")
|
||||||
|
|
||||||
|
if testCase.Field != "manual_chain" {
|
||||||
|
require.Equal(t, testCase.Patched, resp.Data[testCase.Field], "failed persisting value")
|
||||||
|
} else {
|
||||||
|
// self->id
|
||||||
|
require.Equal(t, []string{id}, resp.Data[testCase.Field], "failed persisting value")
|
||||||
|
}
|
||||||
|
|
||||||
|
// 6. Ensure it stuck
|
||||||
|
resp, err = CBRead(b, s, "issuer/default")
|
||||||
|
requireSuccessNonNilResponse(t, resp, err, "failed reading root issuer after")
|
||||||
|
|
||||||
|
if testCase.Field != "manual_chain" {
|
||||||
|
require.Equal(t, testCase.Patched, resp.Data[testCase.Field])
|
||||||
|
} else {
|
||||||
|
// self->id
|
||||||
|
require.Equal(t, []string{id}, resp.Data[testCase.Field], "failed persisting value")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
initTest sync.Once
|
initTest sync.Once
|
||||||
rsaCAKey string
|
rsaCAKey string
|
||||||
|
|
|
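Review bot: The step-6 assertion `require.Equal(t, testCase.Patched, resp.Data[testCase.Field])` drops the failure message that its step-5 twin carries, so a value that is returned correctly from the patch but lost on re-read reports only the diff without saying which stage failed; add a message such as `"failed persisting value after re-read"`. Each case runs inside a single loop body with only `t.Logf("index: %v / tc: %v", ...)` to attribute failures, and wrapping the body in `t.Run(testCase.Field, func(t *testing.T) { ... })` would give per-field names in the output and let `-run` target one case. `id := string(resp.Data["issuer_id"].(issuerID))` is an unchecked type assertion that panics instead of failing the test with context; a `require.IsType(t, issuerID(""), resp.Data["issuer_id"])` before it keeps the failure readable.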
@ -286,6 +286,11 @@ to be set on all PR secondary clusters.`,
|
||||||
Description: `OSCP Servers`,
|
Description: `OSCP Servers`,
|
||||||
Required: false,
|
Required: false,
|
||||||
},
|
},
|
||||||
|
"enable_aia_url_templating": {
|
||||||
|
Type: framework.TypeBool,
|
||||||
|
Description: `Whether or not templating is enabled for AIA fields`,
|
||||||
|
Required: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}},
|
}},
|
||||||
}
|
}
|
||||||
|
@ -458,6 +463,7 @@ func respondReadIssuer(issuer *issuerEntry) (*logical.Response, error) {
|
||||||
data["issuing_certificates"] = issuer.AIAURIs.IssuingCertificates
|
data["issuing_certificates"] = issuer.AIAURIs.IssuingCertificates
|
||||||
data["crl_distribution_points"] = issuer.AIAURIs.CRLDistributionPoints
|
data["crl_distribution_points"] = issuer.AIAURIs.CRLDistributionPoints
|
||||||
data["ocsp_servers"] = issuer.AIAURIs.OCSPServers
|
data["ocsp_servers"] = issuer.AIAURIs.OCSPServers
|
||||||
|
data["enable_aia_url_templating"] = issuer.AIAURIs.EnableTemplating
|
||||||
}
|
}
|
||||||
|
|
||||||
response := &logical.Response{
|
response := &logical.Response{
|
||||||
|
|
|
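Review bot: `data["enable_aia_url_templating"] = issuer.AIAURIs.EnableTemplating` sits inside the conditional that also guards the three AIA URI fields, so an issuer without AIA URIs omits the key entirely rather than reporting `false`; a caller that distinguishes "absent" from `false` sees `nil`, while the new `framework.TypeBool` schema entry in the earlier hunk suggests a boolean is always present. Either initialize `data["enable_aia_url_templating"] = false` before the conditional (if the response shape is meant to be stable) or state in the schema Description that the key appears only when AIA URIs are configured. The enclosing `respondReadIssuer` and the opening of the conditional are outside the hunk, so I am inferring the guard from the closing brace that follows. The adjacent context line `Description: `OSCP Servers`` also misspells OCSP and could be fixed while these lines are being touched.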
@ -0,0 +1,3 @@
|
||||||
|
```release-note:bug
|
||||||
|
secrets/pki: Include per-issuer enable_aia_url_templating in issuer read endpoint.
|
||||||
|
```
|