Always return PKI configs for CRLs, URLs (#15470)
* Always return non-nil CRL configuration When using the default CRL configuration (as none has been set), return the default configuration rather than inferring it in buildCRL. This additionally allows us to return the default configuration on GET operations to /config/crl. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Always return non-nil URL configuration When using the default (empty) URL configuration as none has been set, return the default configuration rather than inferring it inside of fetchCAInfoByIssuerId or generateCert. This additionally allows us to return the default configuration on GET operations to /config/urls. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
parent
2fb8a9e667
commit
3e7414b605
|
@ -143,13 +143,6 @@ func fetchCAInfoByIssuerId(ctx context.Context, b *backend, req *logical.Request
|
|||
if err != nil {
|
||||
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to fetch URL information: %v", err)}
|
||||
}
|
||||
if entries == nil {
|
||||
entries = &certutil.URLEntries{
|
||||
IssuingCertificates: []string{},
|
||||
CRLDistributionPoints: []string{},
|
||||
OCSPServers: []string{},
|
||||
}
|
||||
}
|
||||
caInfo.URLs = entries
|
||||
|
||||
return caInfo, nil
|
||||
|
@ -633,13 +626,6 @@ func generateCert(ctx context.Context,
|
|||
if err != nil {
|
||||
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to fetch URL information: %v", err)}
|
||||
}
|
||||
if entries == nil {
|
||||
entries = &certutil.URLEntries{
|
||||
IssuingCertificates: []string{},
|
||||
CRLDistributionPoints: []string{},
|
||||
OCSPServers: []string{},
|
||||
}
|
||||
}
|
||||
data.Params.URLs = entries
|
||||
|
||||
if input.role.MaxPathLength == nil {
|
||||
|
|
|
@ -569,7 +569,6 @@ func buildCRL(ctx context.Context, b *backend, req *logical.Request, forceNew bo
|
|||
crlLifetime := b.crlLifetime
|
||||
var revokedCerts []pkix.RevokedCertificate
|
||||
|
||||
if crlInfo != nil {
|
||||
if crlInfo.Expiry != "" {
|
||||
crlDur, err := time.ParseDuration(crlInfo.Expiry)
|
||||
if err != nil {
|
||||
|
@ -591,7 +590,6 @@ func buildCRL(ctx context.Context, b *backend, req *logical.Request, forceNew bo
|
|||
// an assignment from a pre-queried list.
|
||||
goto WRITE
|
||||
}
|
||||
}
|
||||
|
||||
revokedCerts = revoked
|
||||
|
||||
|
|
|
@ -54,11 +54,15 @@ func (b *backend) CRL(ctx context.Context, s logical.Storage) (*crlConfig, error
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if entry == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
var result crlConfig
|
||||
result.Expiry = b.crlLifetime.String()
|
||||
result.Disable = false
|
||||
|
||||
if entry == nil {
|
||||
return &result, nil
|
||||
}
|
||||
|
||||
if err := entry.DecodeJSON(&result); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -71,9 +75,6 @@ func (b *backend) pathCRLRead(ctx context.Context, req *logical.Request, _ *fram
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if config == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
return &logical.Response{
|
||||
Data: map[string]interface{}{
|
||||
|
@ -88,9 +89,6 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if config == nil {
|
||||
config = &crlConfig{}
|
||||
}
|
||||
|
||||
if expiryRaw, ok := d.GetOk("expiry"); ok {
|
||||
expiry := expiryRaw.(string)
|
||||
|
|
|
@ -63,16 +63,22 @@ func getURLs(ctx context.Context, req *logical.Request) (*certutil.URLEntries, e
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if entry == nil {
|
||||
return nil, nil
|
||||
|
||||
entries := &certutil.URLEntries{
|
||||
IssuingCertificates: []string{},
|
||||
CRLDistributionPoints: []string{},
|
||||
OCSPServers: []string{},
|
||||
}
|
||||
|
||||
var entries certutil.URLEntries
|
||||
if err := entry.DecodeJSON(&entries); err != nil {
|
||||
if entry == nil {
|
||||
return entries, nil
|
||||
}
|
||||
|
||||
if err := entry.DecodeJSON(entries); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &entries, nil
|
||||
return entries, nil
|
||||
}
|
||||
|
||||
func writeURLs(ctx context.Context, req *logical.Request, entries *certutil.URLEntries) error {
|
||||
|
@ -97,9 +103,6 @@ func (b *backend) pathReadURL(ctx context.Context, req *logical.Request, _ *fram
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if entries == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
resp := &logical.Response{
|
||||
Data: structs.New(entries).Map(),
|
||||
|
@ -113,13 +116,6 @@ func (b *backend) pathWriteURL(ctx context.Context, req *logical.Request, data *
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if entries == nil {
|
||||
entries = &certutil.URLEntries{
|
||||
IssuingCertificates: []string{},
|
||||
CRLDistributionPoints: []string{},
|
||||
OCSPServers: []string{},
|
||||
}
|
||||
}
|
||||
|
||||
if urlsInt, ok := data.GetOk("issuing_certificates"); ok {
|
||||
entries.IssuingCertificates = urlsInt.([]string)
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
secrets/pki: Always return CRLs, URLs configurations, even if using the default value.
|
||||
```
|
Loading…
Reference in New Issue