From 45b8674d03dcfdd0e76d2471691722b102450930 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Mon, 26 Jun 2023 14:42:40 -0400 Subject: [PATCH] backport of commit df304012f3b3f4d7860b3bb3b58f844291495793 (#21457) Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> --- builtin/logical/pki/integration_test.go | 6 ++++++ builtin/logical/pki/path_fetch.go | 4 ++-- builtin/logical/pki/path_fetch_issuers.go | 2 +- builtin/logical/pki/path_issue_sign.go | 14 +++++++------- builtin/logical/pki/path_manage_issuers.go | 6 +++--- builtin/logical/pki/path_revoke.go | 4 ++-- builtin/logical/pki/path_roles.go | 8 ++++---- builtin/logical/pki/path_tidy.go | 18 ++++++++++-------- changelog/21449.txt | 3 +++ 9 files changed, 38 insertions(+), 27 deletions(-) create mode 100644 changelog/21449.txt diff --git a/builtin/logical/pki/integration_test.go b/builtin/logical/pki/integration_test.go index f6e9ec648..1c0eb25d2 100644 --- a/builtin/logical/pki/integration_test.go +++ b/builtin/logical/pki/integration_test.go @@ -237,6 +237,8 @@ func TestIntegration_SetSignedWithBackwardsPemBundles(t *testing.T) { require.False(t, resp.IsError(), "got an error from generating root ca: %#v", resp) rootCert := resp.Data["certificate"].(string) + schema.ValidateResponse(t, schema.GetResponseSchema(t, rootBackend.Route("issuers/generate/root/internal"), logical.UpdateOperation), resp, true) + // generate intermediate resp, err = intBackend.HandleRequest(context.Background(), &logical.Request{ Operation: logical.UpdateOperation, @@ -298,6 +300,8 @@ func TestIntegration_SetSignedWithBackwardsPemBundles(t *testing.T) { require.NoError(t, err, "failed setting up role example") require.NotNil(t, resp, "got nil response from setting up role example: %#v", resp) + schema.ValidateResponse(t, schema.GetResponseSchema(t, intBackend.Route("roles/example"), logical.UpdateOperation), resp, true) + // Issue cert resp, err = intBackend.HandleRequest(context.Background(), &logical.Request{ Operation: logical.UpdateOperation, @@ -312,6 +316,8 @@ func TestIntegration_SetSignedWithBackwardsPemBundles(t *testing.T) { require.NoError(t, err, "failed issuing a leaf cert from int ca") require.NotNil(t, resp, "got nil response issuing a leaf cert from int ca") require.False(t, resp.IsError(), "got an error issuing a leaf cert from int ca: %#v", resp) + + schema.ValidateResponse(t, schema.GetResponseSchema(t, intBackend.Route("issue/example"), logical.UpdateOperation), resp, true) } func TestIntegration_CSRGeneration(t *testing.T) { diff --git a/builtin/logical/pki/path_fetch.go b/builtin/logical/pki/path_fetch.go index 1798e705d..b255cee51 100644 --- a/builtin/logical/pki/path_fetch.go +++ b/builtin/logical/pki/path_fetch.go @@ -28,7 +28,7 @@ var pathFetchReadSchema = map[int][]framework.Response{ Required: false, }, "revocation_time": { - Type: framework.TypeString, + Type: framework.TypeInt64, Description: `Revocation time`, Required: false, }, @@ -43,7 +43,7 @@ var pathFetchReadSchema = map[int][]framework.Response{ Required: false, }, "ca_chain": { - Type: framework.TypeStringSlice, + Type: framework.TypeString, Description: `Issuing CA Chain`, Required: false, }, diff --git a/builtin/logical/pki/path_fetch_issuers.go b/builtin/logical/pki/path_fetch_issuers.go index 48596bb58..759436f60 100644 --- a/builtin/logical/pki/path_fetch_issuers.go +++ b/builtin/logical/pki/path_fetch_issuers.go @@ -249,7 +249,7 @@ to be set on all PR secondary clusters.`, Required: false, }, "usage": { - Type: framework.TypeStringSlice, + Type: framework.TypeString, Description: `Usage`, Required: false, }, diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go index 388e80cd2..983360558 100644 --- a/builtin/logical/pki/path_issue_sign.go +++ b/builtin/logical/pki/path_issue_sign.go @@ -75,12 +75,12 @@ func buildPathIssue(b *backend, pattern string, displayAttrs *framework.DisplayA "serial_number": { Type: framework.TypeString, Description: `Serial Number`, - Required: false, + Required: true, }, "expiration": { - Type: framework.TypeString, + Type: framework.TypeInt64, Description: `Time of expiration`, - Required: false, + Required: true, }, "private_key": { Type: framework.TypeString, @@ -163,7 +163,7 @@ func buildPathSign(b *backend, pattern string, displayAttrs *framework.DisplayAt Required: true, }, "expiration": { - Type: framework.TypeString, + Type: framework.TypeInt64, Description: `Time of expiration`, Required: true, }, @@ -253,12 +253,12 @@ func buildPathIssuerSignVerbatim(b *backend, pattern string, displayAttrs *frame "serial_number": { Type: framework.TypeString, Description: `Serial Number`, - Required: false, + Required: true, }, "expiration": { - Type: framework.TypeString, + Type: framework.TypeInt64, Description: `Time of expiration`, - Required: false, + Required: true, }, "private_key": { Type: framework.TypeString, diff --git a/builtin/logical/pki/path_manage_issuers.go b/builtin/logical/pki/path_manage_issuers.go index 0a4a4bc8c..2b6e10869 100644 --- a/builtin/logical/pki/path_manage_issuers.go +++ b/builtin/logical/pki/path_manage_issuers.go @@ -34,7 +34,7 @@ func pathRotateRoot(b *backend) *framework.Path { pattern := "root/rotate/" + framework.GenericNameRegex("exported") displayAttrs := &framework.DisplayAttributes{ - OperationPrefix: operationPrefixPKIIssuers, + OperationPrefix: operationPrefixPKI, OperationVerb: "rotate", OperationSuffix: "root", } @@ -55,8 +55,8 @@ func buildPathGenerateRoot(b *backend, pattern string, displayAttrs *framework.D Description: "OK", Fields: map[string]*framework.FieldSchema{ "expiration": { - Type: framework.TypeString, - Description: `The expiration of the given.`, + Type: framework.TypeInt64, + Description: `The expiration of the given issuer.`, Required: true, }, "serial_number": { diff --git a/builtin/logical/pki/path_revoke.go b/builtin/logical/pki/path_revoke.go index 90ae6942d..2decd50cf 100644 --- a/builtin/logical/pki/path_revoke.go +++ b/builtin/logical/pki/path_revoke.go @@ -111,7 +111,7 @@ signed by an issuer in this mount.`, Description: "OK", Fields: map[string]*framework.FieldSchema{ "revocation_time": { - Type: framework.TypeDurationSecond, + Type: framework.TypeInt64, Description: `Revocation Time`, Required: false, }, @@ -176,7 +176,7 @@ be in PEM format.`, Description: "OK", Fields: map[string]*framework.FieldSchema{ "revocation_time": { - Type: framework.TypeDurationSecond, + Type: framework.TypeInt64, Description: `Revocation Time`, Required: false, }, diff --git a/builtin/logical/pki/path_roles.go b/builtin/logical/pki/path_roles.go index 16564085e..5b7d37e99 100644 --- a/builtin/logical/pki/path_roles.go +++ b/builtin/logical/pki/path_roles.go @@ -55,7 +55,7 @@ func pathListRoles(b *backend) *framework.Path { func pathRoles(b *backend) *framework.Path { pathRolesResponseFields := map[string]*framework.FieldSchema{ "ttl": { - Type: framework.TypeDurationSecond, + Type: framework.TypeInt64, Required: true, Description: `The lease duration (validity period of the certificate) if no specific lease duration is requested. @@ -65,7 +65,7 @@ value or the value of max_ttl, whichever is shorter.`, }, "max_ttl": { - Type: framework.TypeDurationSecond, + Type: framework.TypeInt64, Required: true, Description: `The maximum allowed lease duration. If not set, defaults to the system maximum lease TTL.`, @@ -384,8 +384,8 @@ information, which must include an oid, and may include a notice and/or cps url, Description: `Mark Basic Constraints valid when issuing non-CA certificates.`, }, "not_before_duration": { - Type: framework.TypeDurationSecond, - Description: `The duration before now which the certificate needs to be backdated by.`, + Type: framework.TypeInt64, + Description: `The duration in seconds before now which the certificate needs to be backdated by.`, }, "not_after": { Type: framework.TypeString, diff --git a/builtin/logical/pki/path_tidy.go b/builtin/logical/pki/path_tidy.go index 33dfd4288..906f93be7 100644 --- a/builtin/logical/pki/path_tidy.go +++ b/builtin/logical/pki/path_tidy.go @@ -279,8 +279,9 @@ func pathTidyCancel(b *backend) *framework.Path { Required: false, }, "tidy_cross_cluster_revoked_certs": { - Type: framework.TypeBool, - Required: false, + Type: framework.TypeBool, + Description: `Tidy the cross-cluster revoked certificate store`, + Required: false, }, "tidy_revocation_queue": { Type: framework.TypeBool, @@ -387,8 +388,8 @@ func pathTidyStatus(b *backend) *framework.Path { Required: true, }, "tidy_cross_cluster_revoked_certs": { - Type: framework.TypeString, - Description: ``, + Type: framework.TypeBool, + Description: `Tidy the cross-cluster revoked certificate store`, Required: false, }, "tidy_acme": { @@ -617,7 +618,7 @@ available on the tidy-status endpoint.`, Required: true, }, "revocation_queue_safety_buffer": { - Type: framework.TypeDurationSecond, + Type: framework.TypeInt, Required: true, }, "publish_stored_certificate_count_metrics": { @@ -698,8 +699,9 @@ available on the tidy-status endpoint.`, Required: true, }, "tidy_cross_cluster_revoked_certs": { - Type: framework.TypeBool, - Required: true, + Type: framework.TypeBool, + Description: `Tidy the cross-cluster revoked certificate store`, + Required: true, }, "tidy_revocation_queue": { Type: framework.TypeBool, @@ -710,7 +712,7 @@ available on the tidy-status endpoint.`, Required: true, }, "revocation_queue_safety_buffer": { - Type: framework.TypeDurationSecond, + Type: framework.TypeInt, Required: true, }, "publish_stored_certificate_count_metrics": { diff --git a/changelog/21449.txt b/changelog/21449.txt new file mode 100644 index 000000000..7711909a4 --- /dev/null +++ b/changelog/21449.txt @@ -0,0 +1,3 @@ +```release-note:bug +openapi: Fix response schema for PKI Issue requests +```