Commit graph

3 commits

Author SHA1 Message Date
Alexander Scheel 0217f7de65
Add role-based health checks to PKI Health Check (#17877)
* Add more PKI related common utilities

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add role_allows_localhost health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add role_allows_glob_wildcards health checks

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add role_no_store_false health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new checks to the CLI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to new guard style

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Provision role for test

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix invalid version check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix message with auto-rebuild enabled

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-17 15:31:58 -05:00
Alexander Scheel d1c078381e
Add hardware_backed_root, root_issued_leaves health checks (#17865)
* Add hardware_backed_root health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add root_issued_leaves health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new health checks to CLI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add more helpers to common PKI health-check code

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Show config when listing, stable output order

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix %v->%w

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 15:24:54 -05:00
Alexander Scheel 5101e31857
PKI Health Check Command (#17750)
* Stub out initial health check command

This command will be used to generate health check results for the PKI
engine.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Start common health check implementation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add common health check utilities

These utilities will collect helpers not specific to PKI health checks,
such as formatting longer durations more legibly.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PKI health check common utils

Many health checks will need issuer and/or CRL information in order to
execute. We've centrally located these helpers to avoid particular
health checks from needing to reimplement them each time.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Adding ca_validity_period health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Begin using health-checks in PKI command

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow parsing raw requests afterwards

This shifts the last of the logic difference between Read(...) and
ReadRaw(...) to a new helper, allowing ReadRaw(...) requests to be
parsed into the same response structure afterwards as Read(...); this
allows API callers to fetch the raw secret and inspect the raw response
object in case something went wrong (error code &c) -- and when the
request succeeds, they can still get the api.Secret out.

This will be used with the PKI health check functionality, making both
LIST and READ operations use ReadRaw, and optionally parsing the secret
afterwards.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add crl_validity_period health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for PKI health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix bug in raw reading with contexts

When reading raw objects, don't manually call the context cancellation:
this causes timeouts and/or EOF errors when attempting to read or parse
the response body. See message in client.RawRequestWithContext(...) for
more information.

This was causing the test suite to randomly fail, due to the context
cancelling. The test suite's client usually had a default timeout,
whereas the CLI didn't, and thus didn't exhibit the same issue.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix typo in permissions message

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Move %v->%w for errs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 09:27:56 -05:00