* Squash pki/acme package down to pki folder
Without refactoring most of PKI to export the storage layer, which we
were initially hesitant about, it would be nearly impossible to have the
ACME layer handle its own storage while being in the acme/ subpackage
under the pki package.
Thus, merge the two packages together again.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Properly format errors for missing parameters
When missing required ACME request parameters, don't return Vault-level
errors, but drop into the PKI package to return properly-formatted ACME
error messages.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Error type clarifications
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix GetOk with type conversion calls
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Identify whether JWKs existed or were created, set KIDs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Reclassify ErrAccountDoesNotExist as 400 per spec
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add additional stub methods for ACME accounts
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Start adding ACME newAccount handlers
This handler supports two pieces of functionality:
1. Searching for whether an existing account already exists.
2. Creating a new account.
One side effect of our JWS parsing logic is that we needed a way to
differentiate between whether a JWK existed on disk from an account or
if it was specified in the request. This technically means we're
potentially responding to certain requests with positive results (e.g.,
key search based on kid) versus erring earlier like other
implementations do.
No account storage has been done as part of this commit.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Unify path fields handling, fix newAccount method
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
When testing the rollback mechanism, there's two categories of tests
typically written:
1. Ones in which the rollback manager is entirely left alone, which
usually are a bit slower and less predictable. However, it is still
sufficient in many scenarios.
2. Ones in which the rollback manager is explicitly probed by tests
and "stepped" to achieve the next rollback.
Here, without a mechanism to fully disable the rollback manager's
periodic ticker (without affecting its ability to work!) we'll continue
to see races of the sort:
> --- FAIL: TestRevocationQueue (50.95s)
> panic: sync: WaitGroup is reused before previous Wait has returned [recovered]
> panic: sync: WaitGroup is reused before previous Wait has returned
This allows us to disable the ticker, returning control to the test
suite entirely.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new PKI ACME subpackage to test_packages list
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Restrict JWS keys to specified algorithms
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* responses for rotate endpoints
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
* add test for rotate config
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* update to use newer function
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use new func
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added response struct for version-history
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add response struct for leader
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add response struct for ha-status
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add response struct for host-info
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add response struct for in-flight-req
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* make fmt
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Add ACME package to provide a nonce service
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add JWS parsing helper
Using go-jose v2, we start building a JWS parsing helper, ensuring that
fields are properly validated w.r.t. the ACME spec's intersection with
JWS.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add error context information
Start adding the ability to wrap errors returned by Vault to
ACME-specific errors.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Make ACMEState exported
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add response structures for /sys/wrapping endpoints
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
* dynamic tests should be nil
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* deprecation check
* adding script
* add execute permission to script
* revert changes
* adding the script back
* added working script for local and GHA
* give execute permissions
* updating revgrep
* adding changes to script, tools
* run go mod tidy
* removing default ref
* make bootstrap
* adding to makefile
* add struct for /sys/tools/hash
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added responses for /sys/tools paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add changelog
* verify respose structure for hash
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* verify respose structure for hash/random
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use newer testing funct
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use new test method
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* fixes issue navigating back a level using the breadcrumbs from kvv2 metadata view
* adds changelog entry
* deletes kv mount after breadcrumb test -- attempt to fix unrelated failing secrets tests
Theron Voran