PKI Unified CRL/OCSP apis should be ent only (#18913)

* PKI Unified CRL/OCSP apis should be ent only - Do not enable any of the unified crl/ocsp related apis on OSS. * Rollback refactoring of pathFetchCRLViaCertPath - As pointed out in the PR, this method isn't actually being used at the moment with the <serial> handler, pathFetchValid, matching everything under the cert/XXXX path. * Fix schema for ent/oss diff - Define the OSS vs ENT urls we want to see within the schema definition even if they aren't really going to be used in the end.
2023-02-01 08:35:14 -05:00 · 2023-02-01 08:35:14 -05:00 · 8d47ad792f
parent c2b222a11a
commit 8d47ad792f
2 changed files with 23 additions and 7 deletions
--- a/builtin/logical/pki/backend.go
+++ b/builtin/logical/pki/backend.go
@ -9,6 +9,8 @@ import (
 	"sync/atomic"
 	"time"

+	"github.com/hashicorp/vault/helper/constants"
+
 	"github.com/hashicorp/go-multierror"

 	atomic2 "go.uber.org/atomic"
@ -152,8 +154,6 @@ func Backend(conf *logical.BackendConfig) *backend {
 			pathRevoke(&b),
 			pathRevokeWithKey(&b),
 			pathListCertsRevoked(&b),
-			pathListCertsRevocationQueue(&b),
-			pathListUnifiedRevoked(&b),
 			pathTidy(&b),
 			pathTidyCancel(&b),
 			pathTidyStatus(&b),
@ -163,7 +163,6 @@ func Backend(conf *logical.BackendConfig) *backend {
 			pathListIssuers(&b),
 			pathGetIssuer(&b),
 			pathGetIssuerCRL(&b),
-			pathGetIssuerUnifiedCRL(&b),
 			pathImportIssuer(&b),
 			pathIssuerIssue(&b),
 			pathIssuerSign(&b),
@ -190,7 +189,6 @@ func Backend(conf *logical.BackendConfig) *backend {
 			pathFetchCAChain(&b),
 			pathFetchCRL(&b),
 			pathFetchCRLViaCertPath(&b),
-			pathFetchUnifiedCRL(&b),
 			pathFetchValidRaw(&b),
 			pathFetchValid(&b),
 			pathFetchListCerts(&b),
@ -198,8 +196,6 @@ func Backend(conf *logical.BackendConfig) *backend {
 			// OCSP APIs
 			buildPathOcspGet(&b),
 			buildPathOcspPost(&b),
-			buildPathUnifiedOcspGet(&b),
-			buildPathUnifiedOcspPost(&b),

 			// CRL Signing
 			pathResignCrls(&b),
@ -216,6 +212,19 @@ func Backend(conf *logical.BackendConfig) *backend {
 		PeriodicFunc:   b.periodicFunc,
 	}

+	if constants.IsEnterprise {
+		// Unified CRL/OCSP paths are ENT only
+		entOnly := []*framework.Path{
+			pathGetIssuerUnifiedCRL(&b),
+			pathListCertsRevocationQueue(&b),
+			pathListUnifiedRevoked(&b),
+			pathFetchUnifiedCRL(&b),
+			buildPathUnifiedOcspGet(&b),
+			buildPathUnifiedOcspPost(&b),
+		}
+		b.Backend.Paths = append(b.Backend.Paths, entOnly...)
+	}
+
 	b.tidyCASGuard = new(uint32)
 	b.tidyCancelCAS = new(uint32)
 	b.tidyStatus = &tidyStatus{state: tidyStatusInactive}
--- a/builtin/logical/pki/path_fetch.go
+++ b/builtin/logical/pki/path_fetch.go
@ -7,6 +7,8 @@ import (
 	"strings"
 	"time"

+	"github.com/hashicorp/vault/helper/constants"
+
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/logical"
@ -125,8 +127,13 @@ hyphen-separated octal`,

 // This returns the CRL in a non-raw format
 func pathFetchCRLViaCertPath(b *backend) *framework.Path {
+	pattern := `cert/(crl|delta-crl)`
+	if constants.IsEnterprise {
+		pattern = `cert/(crl|delta-crl|unified-crl|unified-delta-crl)`
+	}
+
 	return &framework.Path{
-		Pattern: `cert/(crl|delta-crl|unified-crl|unified-delta-crl)`,
+		Pattern: pattern,

 		Operations: map[logical.Operation]framework.OperationHandler{
 			logical.ReadOperation: &framework.PathOperation{