15ae00d147
* Add unified CRL config storage helpers Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add support to build unified CRLs This allows us to build unified versions of both the complete and delta CRLs. This mostly involved creating a new variant of the unified-specific CRL builder, fetching certs from each cluster's storage space. Unlike OCSP, here we do not unify the node's local storage with the cross-cluster storage: this node is the active of the performance primary, so writes to unified storage happen exactly the same as writes to cluster-local storage, meaning the two are always in sync. Other performance secondaries do not rebuild the CRL, and hence the out-of-sync avoidance that we'd like to solve with the OCSP responder is not necessary to solve here. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add ability to fetch unified CRLs This adds to the path-fetch APIs the ability to return the unified CRLs. We update the If-Modified-Since infrastructure to support querying the unified CRL specific data and fetchCertBySerial to support all unified variants. This works for both the default/global fetch APIs and the issuer-specific fetch APIs. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Rebuild CRLs on unified status changes Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Handle rebuilding CRLs due to either changing This allows detecting if the Delta CRL needs to be rebuilt because either the local or the unified CRL needs to be rebuilt. We never trigger rebuilding the unified delta on a non-primary cluster. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Ensure serials aren't added to unified CRL twice Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
306 lines
11 KiB
Go
306 lines
11 KiB
Go
package pki
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/helper/constants"
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/helper/errutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
const latestCrlConfigVersion = 1
|
|
|
|
// CRLConfig holds basic CRL configuration information
|
|
type crlConfig struct {
|
|
Version int `json:"version"`
|
|
Expiry string `json:"expiry"`
|
|
Disable bool `json:"disable"`
|
|
OcspDisable bool `json:"ocsp_disable"`
|
|
AutoRebuild bool `json:"auto_rebuild"`
|
|
AutoRebuildGracePeriod string `json:"auto_rebuild_grace_period"`
|
|
OcspExpiry string `json:"ocsp_expiry"`
|
|
EnableDelta bool `json:"enable_delta"`
|
|
DeltaRebuildInterval string `json:"delta_rebuild_interval"`
|
|
UseGlobalQueue bool `json:"cross_cluster_revocation"`
|
|
UnifiedCRL bool `json:"unified_crl"`
|
|
UnifiedCRLOnExistingPaths bool `json:"unified_crl_on_existing_paths"`
|
|
}
|
|
|
|
// Implicit default values for the config if it does not exist.
|
|
var defaultCrlConfig = crlConfig{
|
|
Version: latestCrlConfigVersion,
|
|
Expiry: "72h",
|
|
Disable: false,
|
|
OcspDisable: false,
|
|
OcspExpiry: "12h",
|
|
AutoRebuild: false,
|
|
AutoRebuildGracePeriod: "12h",
|
|
EnableDelta: false,
|
|
DeltaRebuildInterval: "15m",
|
|
UseGlobalQueue: false,
|
|
UnifiedCRL: false,
|
|
UnifiedCRLOnExistingPaths: false,
|
|
}
|
|
|
|
func pathConfigCRL(b *backend) *framework.Path {
|
|
return &framework.Path{
|
|
Pattern: "config/crl",
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"expiry": {
|
|
Type: framework.TypeString,
|
|
Description: `The amount of time the generated CRL should be
|
|
valid; defaults to 72 hours`,
|
|
Default: "72h",
|
|
},
|
|
"disable": {
|
|
Type: framework.TypeBool,
|
|
Description: `If set to true, disables generating the CRL entirely.`,
|
|
},
|
|
"ocsp_disable": {
|
|
Type: framework.TypeBool,
|
|
Description: `If set to true, ocsp unauthorized responses will be returned.`,
|
|
},
|
|
"ocsp_expiry": {
|
|
Type: framework.TypeString,
|
|
Description: `The amount of time an OCSP response will be valid (controls
|
|
the NextUpdate field); defaults to 12 hours`,
|
|
Default: "1h",
|
|
},
|
|
"auto_rebuild": {
|
|
Type: framework.TypeBool,
|
|
Description: `If set to true, enables automatic rebuilding of the CRL`,
|
|
},
|
|
"auto_rebuild_grace_period": {
|
|
Type: framework.TypeString,
|
|
Description: `The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.`,
|
|
Default: "12h",
|
|
},
|
|
"enable_delta": {
|
|
Type: framework.TypeBool,
|
|
Description: `Whether to enable delta CRLs between authoritative CRL rebuilds`,
|
|
},
|
|
"delta_rebuild_interval": {
|
|
Type: framework.TypeString,
|
|
Description: `The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.`,
|
|
Default: "15m",
|
|
},
|
|
"cross_cluster_revocation": {
|
|
Type: framework.TypeBool,
|
|
Description: `Whether to enable a global, cross-cluster revocation queue.
|
|
Must be used with auto_rebuild=true.`,
|
|
},
|
|
"unified_crl": {
|
|
Type: framework.TypeBool,
|
|
Description: `If set to true enables global replication of revocation entries,
|
|
also enabling unified versions of OCSP and CRLs if their respective features are enabled.
|
|
disable for CRLs and ocsp_disable for OCSP.`,
|
|
Default: "false",
|
|
},
|
|
"unified_crl_on_existing_paths": {
|
|
Type: framework.TypeBool,
|
|
Description: `If set to true,
|
|
existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data`,
|
|
Default: "false",
|
|
},
|
|
},
|
|
|
|
Operations: map[logical.Operation]framework.OperationHandler{
|
|
logical.ReadOperation: &framework.PathOperation{
|
|
Callback: b.pathCRLRead,
|
|
},
|
|
logical.UpdateOperation: &framework.PathOperation{
|
|
Callback: b.pathCRLWrite,
|
|
// Read more about why these flags are set in backend.go.
|
|
ForwardPerformanceStandby: true,
|
|
ForwardPerformanceSecondary: true,
|
|
},
|
|
},
|
|
|
|
HelpSynopsis: pathConfigCRLHelpSyn,
|
|
HelpDescription: pathConfigCRLHelpDesc,
|
|
}
|
|
}
|
|
|
|
func (b *backend) pathCRLRead(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
|
|
sc := b.makeStorageContext(ctx, req.Storage)
|
|
config, err := sc.getRevocationConfig()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return genResponseFromCrlConfig(config), nil
|
|
}
|
|
|
|
func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
sc := b.makeStorageContext(ctx, req.Storage)
|
|
config, err := sc.getRevocationConfig()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if expiryRaw, ok := d.GetOk("expiry"); ok {
|
|
expiry := expiryRaw.(string)
|
|
_, err := time.ParseDuration(expiry)
|
|
if err != nil {
|
|
return logical.ErrorResponse(fmt.Sprintf("given expiry could not be decoded: %s", err)), nil
|
|
}
|
|
config.Expiry = expiry
|
|
}
|
|
|
|
oldDisable := config.Disable
|
|
if disableRaw, ok := d.GetOk("disable"); ok {
|
|
config.Disable = disableRaw.(bool)
|
|
}
|
|
|
|
if ocspDisableRaw, ok := d.GetOk("ocsp_disable"); ok {
|
|
config.OcspDisable = ocspDisableRaw.(bool)
|
|
}
|
|
|
|
if expiryRaw, ok := d.GetOk("ocsp_expiry"); ok {
|
|
expiry := expiryRaw.(string)
|
|
duration, err := time.ParseDuration(expiry)
|
|
if err != nil {
|
|
return logical.ErrorResponse(fmt.Sprintf("given ocsp_expiry could not be decoded: %s", err)), nil
|
|
}
|
|
if duration < 0 {
|
|
return logical.ErrorResponse(fmt.Sprintf("ocsp_expiry must be greater than or equal to 0 got: %s", duration)), nil
|
|
}
|
|
config.OcspExpiry = expiry
|
|
}
|
|
|
|
oldAutoRebuild := config.AutoRebuild
|
|
if autoRebuildRaw, ok := d.GetOk("auto_rebuild"); ok {
|
|
config.AutoRebuild = autoRebuildRaw.(bool)
|
|
}
|
|
|
|
if autoRebuildGracePeriodRaw, ok := d.GetOk("auto_rebuild_grace_period"); ok {
|
|
autoRebuildGracePeriod := autoRebuildGracePeriodRaw.(string)
|
|
if _, err := time.ParseDuration(autoRebuildGracePeriod); err != nil {
|
|
return logical.ErrorResponse(fmt.Sprintf("given auto_rebuild_grace_period could not be decoded: %s", err)), nil
|
|
}
|
|
config.AutoRebuildGracePeriod = autoRebuildGracePeriod
|
|
}
|
|
|
|
oldEnableDelta := config.EnableDelta
|
|
if enableDeltaRaw, ok := d.GetOk("enable_delta"); ok {
|
|
config.EnableDelta = enableDeltaRaw.(bool)
|
|
}
|
|
|
|
if deltaRebuildIntervalRaw, ok := d.GetOk("delta_rebuild_interval"); ok {
|
|
deltaRebuildInterval := deltaRebuildIntervalRaw.(string)
|
|
if _, err := time.ParseDuration(deltaRebuildInterval); err != nil {
|
|
return logical.ErrorResponse(fmt.Sprintf("given delta_rebuild_interval could not be decoded: %s", err)), nil
|
|
}
|
|
config.DeltaRebuildInterval = deltaRebuildInterval
|
|
}
|
|
|
|
if useGlobalQueue, ok := d.GetOk("cross_cluster_revocation"); ok {
|
|
config.UseGlobalQueue = useGlobalQueue.(bool)
|
|
}
|
|
|
|
oldUnifiedCRL := config.UnifiedCRL
|
|
if unifiedCrlRaw, ok := d.GetOk("unified_crl"); ok {
|
|
config.UnifiedCRL = unifiedCrlRaw.(bool)
|
|
}
|
|
|
|
if unifiedCrlOnExistingPathsRaw, ok := d.GetOk("unified_crl_on_existing_paths"); ok {
|
|
config.UnifiedCRLOnExistingPaths = unifiedCrlOnExistingPathsRaw.(bool)
|
|
}
|
|
|
|
if config.UnifiedCRLOnExistingPaths && !config.UnifiedCRL {
|
|
return logical.ErrorResponse("unified_crl_on_existing_paths cannot be enabled if unified_crl is disabled"), nil
|
|
}
|
|
|
|
expiry, _ := time.ParseDuration(config.Expiry)
|
|
if config.AutoRebuild {
|
|
gracePeriod, _ := time.ParseDuration(config.AutoRebuildGracePeriod)
|
|
if gracePeriod >= expiry {
|
|
return logical.ErrorResponse(fmt.Sprintf("CRL auto-rebuilding grace period (%v) must be strictly shorter than CRL expiry (%v) value when auto-rebuilding of CRLs is enabled", config.AutoRebuildGracePeriod, config.Expiry)), nil
|
|
}
|
|
}
|
|
|
|
if config.EnableDelta {
|
|
deltaRebuildInterval, _ := time.ParseDuration(config.DeltaRebuildInterval)
|
|
if deltaRebuildInterval >= expiry {
|
|
return logical.ErrorResponse(fmt.Sprintf("CRL delta rebuild window (%v) must be strictly shorter than CRL expiry (%v) value when delta CRLs are enabled", config.DeltaRebuildInterval, config.Expiry)), nil
|
|
}
|
|
}
|
|
|
|
if !config.AutoRebuild {
|
|
if config.EnableDelta {
|
|
return logical.ErrorResponse("Delta CRLs cannot be enabled when auto rebuilding is disabled as the complete CRL is always regenerated!"), nil
|
|
}
|
|
|
|
if config.UseGlobalQueue {
|
|
return logical.ErrorResponse("Global, cross-cluster revocation queue cannot be enabled when auto rebuilding is disabled as the local cluster may not have the certificate entry!"), nil
|
|
}
|
|
}
|
|
|
|
if !constants.IsEnterprise && config.UseGlobalQueue {
|
|
return logical.ErrorResponse("Global, cross-cluster revocation queue can only be enabled on Vault Enterprise."), nil
|
|
}
|
|
|
|
if !constants.IsEnterprise && config.UnifiedCRL {
|
|
return logical.ErrorResponse("unified_crl can only be enabled on Vault Enterprise"), nil
|
|
}
|
|
|
|
entry, err := logical.StorageEntryJSON("config/crl", config)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = req.Storage.Put(ctx, entry)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
b.crlBuilder.markConfigDirty()
|
|
b.crlBuilder.reloadConfigIfRequired(sc)
|
|
|
|
if oldDisable != config.Disable || (oldAutoRebuild && !config.AutoRebuild) || (oldEnableDelta != config.EnableDelta) || (oldUnifiedCRL != config.UnifiedCRL) {
|
|
// It wasn't disabled but now it is (or equivalently, we were set to
|
|
// auto-rebuild and we aren't now or equivalently, we changed our
|
|
// mind about delta CRLs and need a new complete one or equivalently,
|
|
// we changed our mind about unified CRLs), rotate the CRLs.
|
|
crlErr := b.crlBuilder.rebuild(sc, true)
|
|
if crlErr != nil {
|
|
switch crlErr.(type) {
|
|
case errutil.UserError:
|
|
return logical.ErrorResponse(fmt.Sprintf("Error during CRL building: %s", crlErr)), nil
|
|
default:
|
|
return nil, fmt.Errorf("error encountered during CRL building: %w", crlErr)
|
|
}
|
|
}
|
|
}
|
|
|
|
return genResponseFromCrlConfig(config), nil
|
|
}
|
|
|
|
func genResponseFromCrlConfig(config *crlConfig) *logical.Response {
|
|
return &logical.Response{
|
|
Data: map[string]interface{}{
|
|
"expiry": config.Expiry,
|
|
"disable": config.Disable,
|
|
"ocsp_disable": config.OcspDisable,
|
|
"ocsp_expiry": config.OcspExpiry,
|
|
"auto_rebuild": config.AutoRebuild,
|
|
"auto_rebuild_grace_period": config.AutoRebuildGracePeriod,
|
|
"enable_delta": config.EnableDelta,
|
|
"delta_rebuild_interval": config.DeltaRebuildInterval,
|
|
"cross_cluster_revocation": config.UseGlobalQueue,
|
|
"unified_crl": config.UnifiedCRL,
|
|
"unified_crl_on_existing_paths": config.UnifiedCRLOnExistingPaths,
|
|
},
|
|
}
|
|
}
|
|
|
|
const pathConfigCRLHelpSyn = `
|
|
Configure the CRL expiration.
|
|
`
|
|
|
|
const pathConfigCRLHelpDesc = `
|
|
This endpoint allows configuration of the CRL lifetime.
|
|
`
|