Commit Graph

2535 Commits

Author SHA1 Message Date
hc-github-team-secure-vault-core 52835311b2
Backport of Fix transit import/export of hmac-only keys into release/1.14.x (#20902)
* backport of commit daf72aa42790144c3a0ca9c17bb19b1c5bce66c6

* Fix formatting

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-31 18:42:44 +00:00
hc-github-team-secure-vault-core e5f1ff2548
backport of commit 657ee3107a10b85b5e72cf1992a4410f8107e8e9 (#20893)
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-05-31 16:02:51 +00:00
hc-github-team-secure-vault-core e3e947b386
backport of commit 4b60ffd5ef87e5f6535dcf578ed6c36b24b75174 (#20892)
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-31 14:19:49 +00:00
hc-github-team-secure-vault-core 9f9ca7cede
backport of commit 10c16ccbcb13fbb0dab56fd7b11b4fdb41609436 (#20875)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-05-31 13:16:25 +00:00
hc-github-team-secure-vault-core a486b13957
backport of commit 63ccb60b9a6dadf717e6813f9789c7194a2375de (#20877)
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-30 23:49:24 +00:00
hc-github-team-secure-vault-core 3e6bc17036
backport of commit bd4d7269dd987395426275901afa06b17dc54220 (#20849)
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-30 21:30:35 +00:00
hc-github-team-secure-vault-core 1bad8f2f78
backport of commit 08ee474850e090cf9100878f02e0bdefc7d959f7 (#20871)
Co-authored-by: Milena Zlaticanin <60530402+Zlaticanin@users.noreply.github.com>
2023-05-30 20:44:21 +00:00
hc-github-team-secure-vault-core da127db836
backport of commit 000d754c40b5daaae21e97dd548d3c308c7c6475 (#20870)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-05-30 19:34:01 +00:00
hc-github-team-secure-vault-core a1d3c88f56
backport of commit 12d851de3755aaeba6531c87db5c488a5782b9cb (#20853)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-05-30 19:01:44 +00:00
hc-github-team-secure-vault-core 765427257e
backport of commit 7cf3ba33b5bf46954bdc872f9a3b72352fcd7a64 (#20852)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-05-30 18:15:53 +00:00
hc-github-team-secure-vault-core 0f66ddb8f8
backport of commit 34571d4d230537126ba4fa879fc161beada742ae (#20850)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-05-30 17:42:15 +00:00
hc-github-team-secure-vault-core 127cef66a2
backport of commit 7490a2ebb7f5950321ec7930ee5f911c86febb04 (#20856)
Co-authored-by: Milena Zlaticanin <60530402+Zlaticanin@users.noreply.github.com>
2023-05-30 17:13:11 +00:00
Alexander Scheel 34804c6817
Increase retry limit on dnstest/server.go (#20810)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-26 14:33:21 +00:00
Alexander Scheel 30488bc374
sdk/helper/nonce -> go-secure-stdlib/nonceutil (#20737)
Depends on https://github.com/hashicorp/go-secure-stdlib/pull/73

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-25 20:57:08 +00:00
Anton Averchenkov 5b510ffeca
openapi: Fix response schema for pki list roles (#20782) 2023-05-25 13:34:34 -04:00
Steven Clark d2f74c3901
Address various issues related to ACME EAB (#20755)
* Fix various EAB related issues

 - List API wasn't plumbed through properly so it did not work as expected
 - Use random 32 bytes instead of an EC key for EAB key values
 - Update OpenAPI definitions

* Clean up unused EAB keys within tidy

* Move Vault EAB creation path to pki/acme/new-eab

* Update eab vault responses to match up with docs
2023-05-24 21:17:33 +00:00
Alexander Scheel f156a57325
Validate no_store=false on role configuration (#20757)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 21:13:28 +00:00
kpcraig 628c51516a
VAULT-12226: Add Static Roles to the AWS plugin (#20536)
Add static roles to the aws secrets engine

---------

Co-authored-by: maxcoulombe <max.coulombe@hashicorp.com>
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-05-24 14:55:13 -04:00
Steven Clark f29fabe7c1
Enforce valid ACME accounts in challenge APIS (#20744)
- Make sure we have an ACME account in a valid state and
   enforce EAB policies on that account for the challenge
   and revocation by account ACME apis.
2023-05-24 17:28:56 +00:00
Alexander Scheel c67546511d
Move activityType to a constant, set precedence (#20738)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 12:29:47 -04:00
Alexander Scheel 04bb7eef15
Update transit public keys for Ed25519 support (#20727)
* Refine documentation for public_key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Support additional key types in importing version

This originally left off the custom support for Ed25519 and RSA-PSS
formatted keys that we've added manually.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support for Ed25519 keys

Here, we prevent importing public-key only keys with derived Ed25519
keys. Notably, we still allow import of derived Ed25519 keys via private
key method, though this is a touch weird: this private key must have
been packaged in an Ed25519 format (and parseable through Go as such),
even though it is (strictly) an HKDF key and isn't ever used for Ed25519.

Outside of this, importing non-derived Ed25519 keys works as expected.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add public-key only export method to Transit

This allows the existing endpoints to retain private-key only, including
empty strings for versions which lack private keys. On the public-key
endpoint, all versions will have key material returned.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update tests for exporting via public-key interface

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add public-key export option to docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 11:26:35 -04:00
Alexander Scheel 83d32240c7
Add nonce service to sdk/helpers, use in PKI (#20688)
* Build a better nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add internal nonce service for testing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add benchmarks for nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add statistics around how long tidy took

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Replace ACME nonces with shared nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add an initialize method to nonce services

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use the new initialize helper on nonce service in PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add additional tests for nonces

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Format sdk/helper/nonce

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use default 90s nonce expiry in PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove parallel test case as covered by benchmark

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add additional commentary to encrypted nonce implementation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add nonce to test_packages

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-23 19:44:05 +00:00
Ethan Lowman 3f4dc700bd
Correct signing terminology in comments and error messages (#20714) 2023-05-23 12:44:06 +00:00
Márk Sági-Kazár 258b2ef740
Upgrade go-jose library to v3 (#20559)
* upgrade go-jose library to v3

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* chore: fix unnecessary import alias

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* upgrade go-jose library to v2 in vault

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

---------

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2023-05-23 12:25:58 +00:00
Alexander Scheel 1f21afba21
Fix race in PKI's runUnifiedTransfer (#20701)
* Fix race in PKI's runUnifiedTransfer

During this race, we'll sometimes start (or fail to start) an additional
unified transfer if the updated last run timestamp was written at the
same time as another thread was reading it.

Instead, delay this check until we're holding the CAS guard; this will
occasionally result in more messages saying that an existing process is
already running, but otherwise shouldn't impact the functionality at
all.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-22 18:31:19 +00:00
Mike Palmiotto a40341d176
Add client_type field to EntityRecord protobuf (#20626)
* Add client_type field to EntityRecord protobuf

* changelog

* Add ACME clientType verification
2023-05-19 20:30:12 +00:00
Alexander Scheel e552c06173
Properly validate int ca lifetime error, add warning on leaf cert with basic constraints (#20654)
* Ensure proper error message from CA validity period

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning to issuance of leaf cert with basic constraints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-19 19:52:16 +00:00
John-Michael Faircloth 4330265469
secrets/aws: fix role field description (#20686) 2023-05-19 18:33:18 +00:00
Alexander Scheel ea3441333a
Fix tidy with maintain_stored_certificate_counts == publish_stored_certificate_count_metrics == false (#20664)
* Fix tidy with maintain_stored_certificate_counts == publish_stored_certificate_count_metrics == false

The logic around the check to set both to false was wrong, and should
be validated independently.

Additionally, these fields should only exist on auto-tidy and not on the
manual tidy endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/path_tidy.go

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
2023-05-19 12:09:48 +00:00
claire bontempo 7753808910
ctivated (#20670) 2023-05-19 07:38:13 -04:00
Alexander Scheel f9fdac0345
Transit UX improvements: show key policy, configs on write (#20652)
* Respond with cache size on config write

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Respond with key policy on write

This includes creating a key, but also trimming or rotating an
existing key.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly handle locking around policy formatting

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate that responses are non-empty

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-18 14:36:10 -04:00
John-Michael Faircloth f9541a1c96
pki: add subject key identifier to read key response (#20642)
* pki: add subject key identifier to read key response

This will be helpful for the Terraform Vault Provider to detect
migration of pre-1.11 exported keys (from CA generation) into post-1.11
Vault.

* add changelog

* Update builtin/logical/pki/path_fetch_keys.go

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* check for managed key first

* Validate the SKID matches on root CAs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate SKID matches on int CAs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix formatting of tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-18 16:49:22 +00:00
Alexander Scheel 2b5f3509e5
Correctly search for namespace path, not id (#20651)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-18 15:41:16 +00:00
Hamid Ghaf 04d81e1c27
report intermediate error messages during request forwarding (#20643)
* report intermediate error messages during request forwarding

* CL
2023-05-18 05:07:54 -07:00
Alexander Scheel b204e51263
ACME tests for Intermediate CA issuance prevention (#20633)
* Do not set use_csr_values when issuing ACME certs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure CSRs with Basic Constraints are rejected

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test to ensure CA certificates cannot be issued

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pkiext/pkiext_binary/acme_test.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Update builtin/logical/pkiext/pkiext_binary/acme_test.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Update acme_test.go to include certutil

* Update acme_test.go - unused imports, reformat

* Update acme_test.go - hex really was used

This is why I can't use the GH web editor. :-)

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-05-17 19:54:37 +00:00
Alexander Scheel e58f3816a4
Start counting ACME certificate issuance as client activity (#20520)
* Add stub ACME billing interfaces

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add initial implementation of client count

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly attribute to mount, namespace

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor adding entities of custom types

This begins to add custom types of events; presently these are counted
as non-entity tokens, but prefixed with a custom ClientID prefix.

In the future, this will be the basis for counting these events
separately (into separate buckets and separate storage segments).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor creation of ACME mounts

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case for billing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Better support managed key system view casting

Without an additional parameter, SystemView could be of a different
internal implementation type that cannot be directly casted to in OSS.
Use a separate parameter for the managed key system view to use instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor creation of mounts for enterprise

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate mounts in ACME billing tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use a hopefully unique separator for encoded identifiers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use mount accesor, not path

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename AddEventToFragment->AddActivityToFragment

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-05-17 16:12:04 +00:00
Steven Clark e3a99fdaab
Update ACME endpoint help synopsis and description (#20624)
- Use generic help synopsis and help description values for the various ACME endpoints defined.
 - Add missing values for the Vault ACME EAB apis
2023-05-17 13:59:30 +00:00
Anton Averchenkov 89e5b566ac
openapi: Fix ACME-related errors (#20599) 2023-05-16 16:05:07 +00:00
Steven Clark 57dc281561
Disable requiring EAB in ACME by default (#20600)
* Disable requiring EAB in ACME by default

 - After an internal meeting it was decided that enabling EAB support by default was probably not the right decision.
 - The main motivating factor being ease of use by end-users as the majority of implementations aren't expecting EAB to be required by default.

* Leverage function isPublicACMEDisabledByEnv and log parsing error

 - Add logging to the new isPublicACMEDisabledByEnv function if we fail to parse the env var
 - Leverage the function within the isAcmeDisabled function in acme_wrappers.go to not duplicate the env getting logic in two places.

* Fail closed when VAULT_DISABLE_PUBLIC_ACME is un-parsable.
2023-05-16 11:17:04 -04:00
Steven Clark b483288703
Add a last issued date on ACME accounts (#20534)
* Add a last issued date on ACME accounts

 - When we issue a new ACME certificate, attempt to update the account's last issued field
 - Within ACME account tidy, use both account creation and last issue date to provide a buffer before we mark the account as revoked.
 - Cleanup the cert serial to account tracker
 - Misc formatting fixes in JSON objects

* Move account max-cert-expiry updates within tidy

 - Perform the account update of max-cert-expiry within
   the tidy operation as it has the account write lock
   and is already iterating over all orders.
 - With this the order path does not need any account
   level locks

* Prefix ACME account status constants with AccountStatusX
2023-05-15 16:02:40 -04:00
Steven Clark b9b49116d0
Add External Account Binding support to ACME (#20523)
* Add Vault APIS to create, list, delete ACME EAB keys

 - Add Vault authenticated APIs to create, list and delete ACME
   EAB keys.
 - Add supporting tests for all new apis

* Add require_eab to acme configuration

* Add EAB support to ACME

* Add EAB support to ACME

* PR feedback 1

 - Address missing err return within DeleteEab
 - Move verifyEabPayload to acme_jws.go no code changes in this PR
 - Update error message returned for error on account storage with EAB.

* PR feedback 2

 - Verify JWK signature payload after signature verification

* Introduce an ACME eab_policy in configuration

 - Instead of a boolean on/off for require_eab, introduce named policies for ACME behaviour enforcing eab.
 - The default policy of always-required, will force new accounts to have an EAB, and all operations in the future, will make sure the account has an EAB associated with it.
 - Two other policies, not-required will allow any anonymous users to use ACME within PKI and 'new-account-required' will enforce new accounts going forward to require an EAB, but existing accounts will still be allowed to use ACME if they don't have an EAB associated with the account.
 - Having 'always-required' as a policy, will override the environment variable to disable public acme as well.

* Add missing go-docs to new tests.

* Add valid eab_policy values in error message.
2023-05-15 13:15:20 -04:00
Anton Averchenkov 31d33f189f
openapi: A few fixes for display attributes (#20549) 2023-05-11 17:20:11 -04:00
Gabriel Santos 05f3236c15
Provide public key encryption via transit engine (#17934)
* import rsa and ecdsa public keys

* allow import_version to update public keys - wip

* allow import_version to update public keys

* move check key fields into func

* put private/public keys in same switch cases

* fix method in UpdateKeyVersion

* move asymmetrics keys switch to its own method - WIP

* test import public and update it with private counterpart

* test import public keys

* use public_key to encrypt if RSAKey is not present and failed to decrypt
if key version does not have a private key

* move key to KeyEntry parsing from Policy to KeyEntry method

* move extracting of key from input fields into helper function

* change back policy Import signature to keep backwards compatibility and
add new method to import private or public keys

* test import with imported public rsa and ecdsa keys

* descriptions and error messages

* error messages, remove comments and unused code

* changelog

* documentation - wip

* suggested changes - error messages/typos and unwrap public key passed

* fix unwrap key error

* fail if both key fields have been set

* fix in extractKeyFromFields, passing a PolicyRequest wouldn't not work

* checks for read, sign and verify endpoints so they don't return errors when a private key was not imported and tests

* handle panic on "export key" endpoint if imported key is public

* fmt

* remove 'isPrivateKey' argument from 'UpdateKeyVersion' and
'parseFromKey' methods

also: rename 'UpdateKeyVersion' method to 'ImportPrivateKeyForVersion' and 'IsPublicKeyImported' to 'IsPrivateKeyMissing'

* delete 'RSAPublicKey' when private key is imported

* path_export: return public_key for ecdsa and rsa when there's no private key imported

* allow signed data validation with pss algorithm

* remove NOTE comment

* fix typo in EC public key export where empty derBytes was being used

* export rsa public key in pkcs8 format instead of pkcs1 and improve test

* change logic on how check for is private key missing is calculated

---------

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-11 11:56:46 +00:00
Josh Black 726512b4e0
use internal docker mirror for CI (#20435)
* use internal docker mirror for CI

* maybe it needs to be https

* no just kidding it's docker://

* apparently overriding it globally causes creates to fail. time to override each image individually lol

* maybe this works
2023-05-05 09:37:31 -07:00
Kit Haines edbbd3106c
Structure of ACME Tidy (#20494)
* Structure of ACME Tidy.

* The tidy endpoints/call information.

* Counts for status plumbing.

* Update typo calls, add information saving date of account creation.

* Missed some field locations.

* Set-up of Tidy command.

* Proper tidy function; lock to work with

* Remove order safety buffer.

* Missed a field.

* Read lock for account creation; Write lock for tidy (account deletion)

* Type issues fixed.

* fix range operator.

* Fix path_tidy read.

* Add fields to auto-tidy config.

* Add (and standardize) Tidy Config Response

* Test pass, consistent fields

* Changes from PR-Reviews.

* Update test to updated default due to PR-Review.
2023-05-05 15:14:41 +00:00
Alexander Scheel c50de2ec0c
Add DNS wildcard tests to ACME test suite (#20486)
* Refactor setting local addresses

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate wildcard domains in ACME test suite

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add locking to DNS resolver

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Better removal semantics for records

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-03 20:23:44 +00:00
Alexander Scheel d8c5456f8a
Add dns resolver to PKI Binary Cluster (#20485)
* Export DockerAPI for use by other consumers

As usage of DockerCluster gets more advanced, some users may want to
interact with the container nodes of the cluster. While, if you already
have a DockerAPI instance lying around you can reuse that safely, for
use cases where an existing e.g., docker/testhelpers's runner instance
is not available, reusing the existing cluster's DockerAPI is easiest.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ability to exec commands without runner

When modifying DockerTestCluster's containers manually, we might not
have a Runner instance; instead, expose the ability to run commands via
a DockerAPI instance directly, as they're awfully convenient.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add DNS resolver into ACME tests

This updates the pkiext_binary tests to use an adjacent DNS resolver,
allowing these tests to eventually be extended to solve DNS challenges,
as modifying the /etc/hosts file does not allow this.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix loading DNS resolver onto network

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix bug with DNS configuration validation

Both conditionals here were inverted: address being empty means a bad
specification was given, and the parse being nil means that it was not a
valid IP address.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix specifying TXT records, allow removing records

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-03 17:32:39 +00:00
Steven Clark aa3c61c85b
In ACME responses only return Type, Value fields (#20480)
- Do not serialize the entire internal object, instead return
   just the Type and Value fields back to the caller.
 - Also within authorization responses, return the base domain
   on wildcard queries, dropping the *. as the RFC requests.
 - Update tests to reflect/test this logic.
2023-05-03 09:53:33 -04:00
Steven Clark 480f97a601
Skip OcspHigherLevel test failures if we trigger redirection bug (#20461)
- We have a known issue that is difficult to address in released versions of Vault that OCSP GET requests can contain consecutive / characters which the Golang HTTP mux will force a redirection.
  - Instead of failing various PRs and runs with this known issue, check to see if we are about to trigger it and if so skip the test. We have already at this point tested the POST version of the API.
2023-05-02 14:44:09 +00:00
Steven Clark 504aaf5fe5
Update ACME order status on order fetch (#20451)
- When someone is fetching the order to get it's status, compute if we
   need to bump the status to Ready like we do in finalize handler
 - Add a wait state to the ACME docker test suite to deal with a race
   condition
2023-05-01 16:18:18 -04:00