* Add ACME health checks to pki health-check CLI
- Verify we have the required header values listed within allowed_response_headers: 'Replay-Nonce', 'Link', 'Location'
- Make sure the local cluster config path variable contains an URL with an https scheme
* Split ACME health checks into two separate verifications
- Promote ACME usage through the enable_acme_issuance check, if ACME is disabled currently
- If ACME is enabled verify that we have a valid
'path' field within local cluster configuration as well as the proper response headers allowed.
- Factor out response header verifications into a separate check mainly to work around possible permission issues.
* Only recommend enabling ACME on mounts with intermediate issuers
* Attempt to connect to the ACME directory based on the cluster path variable
- Final health check is to attempt to connect to the ACME directory based on the cluster local 'path' value. Only if we successfully connect do we say ACME is healthy.
* Fix broken unit test
* Address some small issues within pki health-check
- Notify user yaml output mode is not support with --list argument
- Output pure JSON in json output mode with --list argument
- If a checker returns a nil response, convert to an empty slice
- Add handler for permission errors to too many certs checker
- Add checks for permission issues within hardware_backed_root and root_issued_leaves
* Identify the role that contained the permission issue in role based checks
- Augument the role health checks to identify the role(s) that we have
insufficient permissions to read instead of an overall read failure
- Treat the failure to list roles as a complete failure for the check
* Handle permission issue on pki health-check tune checkers
- Prior to this fix, if the end-user's Vault token did not have permission to the
mount's tune api, we would return as if the tunable params had not been set.
- Now check to see if we encountered a permission issue and report that back to
the end-user like the other checks do.
* Fix role endpoint in pki health-check warnings
- The various warning messages point to {{mount}}/role/<rolename>
which is not a valid PKI path, it should be {{mount}}/roles/<rolename>
* Add cl
* Rename files to match test suite and existing pattern
* Factor out issuer loading into a dedicated function
- Add a little more checks/validation when loading the a PKI issuer
- Factor out the issuer loading into a dedicated function
- Leverage existing health check code to parse issuer certificates
* Read parent issuer once instead of reloading it for every child
- Read in our parent issuer once instead of running it for every child
we want to compare against
- Provides clearer error message that we have failed reading from which
path to the end user
* PR Feedback
- Rename a variable for clarity
- Use readIssuer in the validation of the parent issuer within
pkiIssuer
- Add some missing return 1 statements in error handlers that had been
missed
* Reflow pki list-intermediates help text, add args
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Reflow pki verify-sign help text, add args
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Simplify boolean checks across PKI commands
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clean up pki list-intermediate arg text
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Rename list_children->list_intermediate to align with command
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Removing the timeout logic from raw-response functions and adding documentation comments. The following functions are affected:
- `ReadRaw`
- `ReadRawWithContext` (newly added)
- `ReadRawWithData`
- `ReadRawWithDataWithContext`
The previous logic of using `ctx, _ = c.c.withConfiguredTimeout(ctx)` could cause a potential [context leak](https://pkg.go.dev/context):
> Failing to call the CancelFunc leaks the child and its children until the parent is canceled or the timer fires. The go vet tool checks that CancelFuncs are used on all control-flow paths.
Cancelling the context would have caused more issues since the context would be cancelled before the request body is closed.
Resolves: #18658
* Rename common.go->healthcheck.go
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Push handling of no resources to the health checks
This allows us to better run on empty mounts.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Exit when no issuers are found
This makes health checks less useful.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add additional test criteria, refactor tests
This will allow us to setup more tests.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add more OK statuses when checks are good
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test cases for all bad results
The test for too-many-certs was elided for now due to being too hard to
setup in CI.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test for missing mount
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add expected failure test on empty mount
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test for only having an issuer in the mount
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* More consistently perform permission checks
Also return them to the caller when they're relevant.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test without token
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Run health check tests in parallel
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update command/healthcheck/healthcheck.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update command/healthcheck/healthcheck.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add shared helpers across health checks
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add audit_visibility health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add allow_if_modified_since health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add mount-related health checks to CLI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Rename fetch helpers
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Soften language around managed key roots
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add enable_auto_tidy health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tidy_last_run health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add too_many_certs health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tidy, CRL, cert count checks to CLI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Cache stored leaf cert count
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correctly parse last run
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add more PKI related common utilities
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add role_allows_localhost health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add role_allows_glob_wildcards health checks
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add role_no_store_false health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new checks to the CLI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to new guard style
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Provision role for test
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Address review feedback
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix invalid version check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix message with auto-rebuild enabled
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
We previously tried to extract this log into a function (shouldExit),
but semgrep doesn't expand function invocations, leading us to be forced
to add another rule to the regex.
Instead, add the extraneous `err != nil` conditional into the if
statements, even though skip/err should always be true in these cases
and it should never be evaluated.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add hardware_backed_root health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add root_issued_leaves health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new health checks to CLI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add more helpers to common PKI health-check code
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Show config when listing, stable output order
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix %v->%w
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Stub out initial health check command
This command will be used to generate health check results for the PKI
engine.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Start common health check implementation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add common health check utilities
These utilities will collect helpers not specific to PKI health checks,
such as formatting longer durations more legibly.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add PKI health check common utils
Many health checks will need issuer and/or CRL information in order to
execute. We've centrally located these helpers to avoid particular
health checks from needing to reimplement them each time.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Adding ca_validity_period health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Begin using health-checks in PKI command
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow parsing raw requests afterwards
This shifts the last of the logic difference between Read(...) and
ReadRaw(...) to a new helper, allowing ReadRaw(...) requests to be
parsed into the same response structure afterwards as Read(...); this
allows API callers to fetch the raw secret and inspect the raw response
object in case something went wrong (error code &c) -- and when the
request succeeds, they can still get the api.Secret out.
This will be used with the PKI health check functionality, making both
LIST and READ operations use ReadRaw, and optionally parsing the secret
afterwards.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add crl_validity_period health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for PKI health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix bug in raw reading with contexts
When reading raw objects, don't manually call the context cancellation:
this causes timeouts and/or EOF errors when attempting to read or parse
the response body. See message in client.RawRequestWithContext(...) for
more information.
This was causing the test suite to randomly fail, due to the context
cancelling. The test suite's client usually had a default timeout,
whereas the CLI didn't, and thus didn't exhibit the same issue.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix typo in permissions message
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Move %v->%w for errs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Steven Clark