open-vault/builtin/logical/pki
Alexander Scheel 43e722c69a
Let PKI tidy associate revoked certs with their issuers (#16871)
* Refactor tidy steps into two separate helpers

This refactors the tidy goroutine into two separate helpers, making it
clear where the boundaries of each are: variables are passed into these
methods and concerns are separated. As more operations are rolled into
tidy, we can continue adding more helpers as appropriate. Additionally,
as we move to make auto-tidy occur, we can use these as points to hook
into periodic tidying.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor revInfo checking to helper

This allows us to validate whether or not a revInfo entry contains a
presently valid issuer, from the existing mapping. Coupled with the
changeset to identify the issuer on revocation, we can begin adding
capabilities to tidy to update this association, decreasing CRL build
time and increasing the performance of OCSP.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor issuer fetching for revocation purposes

Revocation needs to gracefully handle using the old legacy cert bundle,
so fetching issuers (and parsing them) needs to be done slightly
differently than other places. Refactor this from revokeCert into a
common helper that can be used by tidy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow tidy to associate revoked certs, issuers

When revoking a certificate, we need to associate the issuer that signed
its certificate back to the revInfo entry. Historically this was
performed during CRL building (and still remains so), but when running
without CRL building and with only OCSP, performance will degrade as the
issuer needs to be found each time.

Instead, allow the tidy operation to take over this role, allowing us to
increase the performance of OCSP and CRL in this scenario, by decoupling
issuer identification from CRL building in the ideal case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for tidy updates

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on new tidy parameter, metrics

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor tidy config into shared struct

Finish adding metrics, status messages about new tidy operation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-26 10:13:45 -07:00
cmd/pki Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
backend.go Let PKI tidy associate revoked certs with their issuers (#16871) 2022-08-26 10:13:45 -07:00
backend_test.go Let PKI tidy associate revoked certs with their issuers (#16871) 2022-08-26 10:13:45 -07:00
ca_test.go Make PKI tests run in parallel (#16514) 2022-08-01 16:43:38 -04:00
ca_util.go Add PSS support to PKI Secrets Engine (#16519) 2022-08-03 12:42:24 -04:00
cert_util.go Add an OCSP responder to Vault's PKI plugin (#16723) 2022-08-22 14:06:15 -04:00
cert_util_test.go Make PKI tests run in parallel (#16514) 2022-08-01 16:43:38 -04:00
chain_test.go Cleanup changes around issuer revocation (#16874) 2022-08-25 11:36:37 -04:00
chain_util.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
config_util.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
crl_test.go Let PKI tidy associate revoked certs with their issuers (#16871) 2022-08-26 10:13:45 -07:00
crl_util.go Let PKI tidy associate revoked certs with their issuers (#16871) 2022-08-26 10:13:45 -07:00
fields.go Add PSS support to PKI Secrets Engine (#16519) 2022-08-03 12:42:24 -04:00
integation_test.go Make PKI tests run in parallel (#16514) 2022-08-01 16:43:38 -04:00
key_util.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
managed_key_util.go secret/pki: Return correct algorithm type from key fetch API for managed keys (#15468) 2022-05-17 11:36:14 -04:00
ocsp.go Add ocsp_expiry configuration field to PKI crl config (#16888) 2022-08-25 16:01:39 -04:00
ocsp_test.go Add ocsp_expiry configuration field to PKI crl config (#16888) 2022-08-25 16:01:39 -04:00
path_config_ca.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
path_config_crl.go Add ocsp_expiry configuration field to PKI crl config (#16888) 2022-08-25 16:01:39 -04:00
path_config_urls.go Add per-issuer AIA URI information to PKI secrets engine (#16563) 2022-08-19 11:43:44 -04:00
path_fetch.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
path_fetch_issuers.go Don't allow crl-signing issuer usage without CRLSign KeyUsage (#16865) 2022-08-24 07:45:54 -07:00
path_fetch_keys.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
path_intermediate.go Add per-issuer AIA URI information to PKI secrets engine (#16563) 2022-08-19 11:43:44 -04:00
path_issue_sign.go Add PSS support to PKI Secrets Engine (#16519) 2022-08-03 12:42:24 -04:00
path_manage_issuers.go Add per-issuer AIA URI information to PKI secrets engine (#16563) 2022-08-19 11:43:44 -04:00
path_manage_keys.go Refactor PKI storage calls to take a shared struct (#16019) 2022-06-29 12:00:44 -04:00
path_manage_keys_test.go Make PKI tests run in parallel (#16514) 2022-08-01 16:43:38 -04:00
path_revoke.go Add proof possession revocation for PKI secrets engine (#16566) 2022-08-16 14:01:26 -04:00
path_roles.go Add warning when generate_lease=true (#16398) 2022-08-08 13:26:10 -04:00
path_roles_test.go Make PKI tests run in parallel (#16514) 2022-08-01 16:43:38 -04:00
path_root.go Add per-issuer AIA URI information to PKI secrets engine (#16563) 2022-08-19 11:43:44 -04:00
path_sign_issuers.go Add PSS support to PKI Secrets Engine (#16519) 2022-08-03 12:42:24 -04:00
path_tidy.go Let PKI tidy associate revoked certs with their issuers (#16871) 2022-08-26 10:13:45 -07:00
secret_certs.go Allow Multiple Issuers in PKI Secret Engine Mounts - PKI Pod (#15277) 2022-05-11 12:42:28 -04:00
storage.go Add ocsp_expiry configuration field to PKI crl config (#16888) 2022-08-25 16:01:39 -04:00
storage_migrations.go Add an OCSP responder to Vault's PKI plugin (#16723) 2022-08-22 14:06:15 -04:00
storage_migrations_test.go Migrate existing PKI mounts that only contains a key (#16813) 2022-08-22 10:11:21 -07:00
storage_test.go Add an OCSP responder to Vault's PKI plugin (#16723) 2022-08-22 14:06:15 -04:00
test_helpers.go Add an OCSP responder to Vault's PKI plugin (#16723) 2022-08-22 14:06:15 -04:00
util.go Add an OCSP responder to Vault's PKI plugin (#16723) 2022-08-22 14:06:15 -04:00