Fix reading issuer's enable_aia_url_templating value (#20354)

* Add enable_aia_url_templating to read issuer

This field was elided from read issuer responses, though the value
otherwise persisted correctly.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add comprehensive test for patching issuers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing OpenAPI schema definition

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel 2023-04-25 16:48:05 -04:00 committed by GitHub
parent a32342507f
commit 3a995707b5
3 changed files with 126 additions and 0 deletions


@ -6919,6 +6919,123 @@ func TestProperAuthing(t *testing.T) {
} }
} }
func TestPatchIssuer(t *testing.T) {
t.Parallel()
type TestCase struct {
Field string
Before interface{}
Patched interface{}
}
testCases := []TestCase{
{
Field: "issuer_name",
Before: "root",
Patched: "root-new",
},
{
Field: "leaf_not_after_behavior",
Before: "err",
Patched: "permit",
},
{
Field: "usage",
Before: "crl-signing,issuing-certificates,ocsp-signing,read-only",
Patched: "issuing-certificates,read-only",
},
{
Field: "revocation_signature_algorithm",
Before: "ECDSAWithSHA256",
Patched: "ECDSAWithSHA384",
},
{
Field: "issuing_certificates",
Before: []string{"http://localhost/v1/pki-1/ca"},
Patched: []string{"http://localhost/v1/pki/ca"},
},
{
Field: "crl_distribution_points",
Before: []string{"http://localhost/v1/pki-1/crl"},
Patched: []string{"http://localhost/v1/pki/crl"},
},
{
Field: "ocsp_servers",
Before: []string{"http://localhost/v1/pki-1/ocsp"},
Patched: []string{"http://localhost/v1/pki/ocsp"},
},
{
Field: "enable_aia_url_templating",
Before: false,
Patched: true,
},
{
Field: "manual_chain",
Before: []string(nil),
Patched: []string{"self"},
},
}
for index, testCase := range testCases {
t.Logf("index: %v / tc: %v", index, testCase)
b, s := CreateBackendWithStorage(t)
// 1. Setup root issuer.
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
"common_name": "Vault Root CA",
"key_type": "ec",
"ttl": "7200h",
"issuer_name": "root",
})
requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
id := string(resp.Data["issuer_id"].(issuerID))
// 2. Enable Cluster paths
resp, err = CBWrite(b, s, "config/urls", map[string]interface{}{
"path": "https://localhost/v1/pki",
"aia_path": "http://localhost/v1/pki",
})
requireSuccessNonNilResponse(t, resp, err, "failed updating AIA config")
// 3. Add AIA information
resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
"issuing_certificates": "http://localhost/v1/pki-1/ca",
"crl_distribution_points": "http://localhost/v1/pki-1/crl",
"ocsp_servers": "http://localhost/v1/pki-1/ocsp",
})
requireSuccessNonNilResponse(t, resp, err, "failed setting up issuer")
// 4. Read the issuer before.
resp, err = CBRead(b, s, "issuer/default")
requireSuccessNonNilResponse(t, resp, err, "failed reading root issuer before")
require.Equal(t, testCase.Before, resp.Data[testCase.Field], "bad expectations")
// 5. Perform modification.
resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
testCase.Field: testCase.Patched,
})
requireSuccessNonNilResponse(t, resp, err, "failed patching root issuer")
if testCase.Field != "manual_chain" {
require.Equal(t, testCase.Patched, resp.Data[testCase.Field], "failed persisting value")
} else {
// self->id
require.Equal(t, []string{id}, resp.Data[testCase.Field], "failed persisting value")
}
// 6. Ensure it stuck
resp, err = CBRead(b, s, "issuer/default")
requireSuccessNonNilResponse(t, resp, err, "failed reading root issuer after")
if testCase.Field != "manual_chain" {
require.Equal(t, testCase.Patched, resp.Data[testCase.Field])
} else {
// self->id
require.Equal(t, []string{id}, resp.Data[testCase.Field], "failed persisting value")
}
}
}
var ( var (
initTest sync.Once initTest sync.Once
rsaCAKey string rsaCAKey string
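Review bot: The per-case loop body in TestPatchIssuer would be clearer as `t.Run` subtests keyed by `testCase.Field`, because every `require.Equal` aborts the whole test on the first failing case and the failing case is then only recoverable from the preceding `t.Logf` line; `for _, testCase := range testCases { t.Run(testCase.Field, func(t *testing.T) { … }) }` with the body otherwise unchanged would attribute each failure to its field and keep the remaining cases running. The step-6 assertion on the non-manual_chain branch also omits the message its sibling assertions carry, `require.Equal(t, testCase.Patched, resp.Data[testCase.Field], "failed persisting value")`. The closing braces at the top of the hunk belong to TestProperAuthing, which starts outside the hunk, and the trailing `var (` block continues past it.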


@ -286,6 +286,11 @@ to be set on all PR secondary clusters.`,
Description: `OSCP Servers`, Description: `OSCP Servers`,
Required: false, Required: false,
}, },
"enable_aia_url_templating": {
Type: framework.TypeBool,
Description: `Whether or not templating is enabled for AIA fields`,
Required: false,
},
}, },
}}, }},
} }
@ -458,6 +463,7 @@ func respondReadIssuer(issuer *issuerEntry) (*logical.Response, error) {
data["issuing_certificates"] = issuer.AIAURIs.IssuingCertificates data["issuing_certificates"] = issuer.AIAURIs.IssuingCertificates
data["crl_distribution_points"] = issuer.AIAURIs.CRLDistributionPoints data["crl_distribution_points"] = issuer.AIAURIs.CRLDistributionPoints
data["ocsp_servers"] = issuer.AIAURIs.OCSPServers data["ocsp_servers"] = issuer.AIAURIs.OCSPServers
data["enable_aia_url_templating"] = issuer.AIAURIs.EnableTemplating
} }
response := &logical.Response{ response := &logical.Response{
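Review bot: The new `data["enable_aia_url_templating"] = issuer.AIAURIs.EnableTemplating` line sits inside the block closed on the following line, which appears to be conditional on the issuer's AIAURIs being set (the condition itself is outside the hunk), so an issuer that never had AIA URLs configured would omit the key from the read response rather than report `false`, while the new OpenAPI entry in the earlier hunk declares the field as a plain `TypeBool`. If that block is indeed guarded, consider initialising `data["enable_aia_url_templating"] = false` before it so the response shape does not depend on whether AIA configuration exists, and so the `Before: false` expectation in the new TestPatchIssuer holds for issuers without a prior AIA patch. respondReadIssuer starts and ends outside the hunk.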

changelog/20354.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
secrets/pki: Include per-issuer enable_aia_url_templating in issuer read endpoint.
```