Add list to cert auth's CRLs (#18043)

* Add crl list capabilities to cert auth

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on cert auth CRL listing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for cert auth listing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2022-11-18 11:39:17 -05:00 committed by GitHub
parent 8927a55741
commit 75b70d84e6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 76 additions and 1 deletions

View File

@ -40,6 +40,7 @@ func Backend() *backend {
pathLogin(&b), pathLogin(&b),
pathListCerts(&b), pathListCerts(&b),
pathCerts(&b), pathCerts(&b),
pathListCRLs(&b),
pathCRLs(&b), pathCRLs(&b),
}, },
AuthRenew: b.pathLoginRenew, AuthRenew: b.pathLoginRenew,

View File

@ -925,6 +925,21 @@ func TestBackend_RegisteredNonCA_CRL(t *testing.T) {
t.Fatalf("err:%v resp:%#v", err, resp) t.Fatalf("err:%v resp:%#v", err, resp)
} }
// Ensure the CRL shows up on a list.
listReq := &logical.Request{
Operation: logical.ListOperation,
Storage: storage,
Path: "crls",
Data: map[string]interface{}{},
}
resp, err = b.HandleRequest(context.Background(), listReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
if len(resp.Data) != 1 || len(resp.Data["keys"].([]string)) != 1 || resp.Data["keys"].([]string)[0] != "issuedcrl" {
t.Fatalf("bad listing: resp:%v", resp)
}
// Attempt login with the same connection state but with the CRL registered // Attempt login with the same connection state but with the CRL registered
resp, err = b.HandleRequest(context.Background(), loginReq) resp, err = b.HandleRequest(context.Background(), loginReq)
if err != nil { if err != nil {

View File

@ -16,6 +16,28 @@ import (
"github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/sdk/logical"
) )
func pathListCRLs(b *backend) *framework.Path {
return &framework.Path{
Pattern: "crls/?$",
Operations: map[logical.Operation]framework.OperationHandler{
logical.ListOperation: &framework.PathOperation{
Callback: b.pathCRLsList,
},
},
HelpSynopsis: pathCRLsHelpSyn,
HelpDescription: pathCRLsHelpDesc,
}
}
func (b *backend) pathCRLsList(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
entries, err := req.Storage.List(ctx, "crls/")
if err != nil {
return nil, fmt.Errorf("failed to list CRLs: %w", err)
}
return logical.ListResponse(entries), nil
}
func pathCRLs(b *backend) *framework.Path { func pathCRLs(b *backend) *framework.Path {
return &framework.Path{ return &framework.Path{
Pattern: "crls/" + framework.GenericNameRegex("name"), Pattern: "crls/" + framework.GenericNameRegex("name"),
@ -288,7 +310,7 @@ Manage Certificate Revocation Lists checked during authentication.
` `
const pathCRLsHelpDesc = ` const pathCRLsHelpDesc = `
This endpoint allows you to create, read, update, and delete the Certificate This endpoint allows you to list, create, read, update, and delete the Certificate
Revocation Lists checked during authentication, and/or CRL Distribution Point Revocation Lists checked during authentication, and/or CRL Distribution Point
URLs. URLs.

3
changelog/18043.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
auth/cert: Support listing provisioned CRLs within the mount.
```

View File

@ -187,6 +187,40 @@ $ curl \
https://127.0.0.1:8200/v1/auth/cert/certs/cert1 https://127.0.0.1:8200/v1/auth/cert/certs/cert1
``` ```
## List CRLs
Lists configured certificate revocation lists.
| Method | Path |
| :----- | :---------------- |
| `LIST` | `/auth/cert/crls` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
--cacert vault-ca.pem \
https://127.0.0.1:8200/v1/auth/cert/crls
```
### Sample Response
```json
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"keys": ["crl1", "crl2"]
},
"lease_duration": 0,
"renewable": false,
"lease_id": ""
}
```
## Create CRL ## Create CRL
Sets a named CRL. Sets a named CRL.