9338c22c53
* Rename files to match test suite and existing pattern * Factor out issuer loading into a dedicated function - Add a little more checks/validation when loading the a PKI issuer - Factor out the issuer loading into a dedicated function - Leverage existing health check code to parse issuer certificates * Read parent issuer once instead of reloading it for every child - Read in our parent issuer once instead of running it for every child we want to compare against - Provides clearer error message that we have failed reading from which path to the end user * PR Feedback - Rename a variable for clarity - Use readIssuer in the validation of the parent issuer within pkiIssuer - Add some missing return 1 statements in error handlers that had been missed
281 lines
7.3 KiB
Go
281 lines
7.3 KiB
Go
package healthcheck
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"fmt"
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
func pkiFetchIssuersList(e *Executor, versionError func()) (bool, *PathFetch, []string, error) {
|
|
issuersRet, err := e.FetchIfNotFetched(logical.ListOperation, "/{{mount}}/issuers")
|
|
if err != nil {
|
|
return true, issuersRet, nil, err
|
|
}
|
|
|
|
if !issuersRet.IsSecretOK() {
|
|
if issuersRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
|
|
if issuersRet.Is404NotFound() {
|
|
return true, issuersRet, nil, fmt.Errorf("this mount lacks any configured issuers, limiting health check usefulness")
|
|
}
|
|
|
|
return true, issuersRet, nil, nil
|
|
}
|
|
|
|
if len(issuersRet.ParsedCache) == 0 {
|
|
var issuers []string
|
|
for _, rawIssuerId := range issuersRet.Secret.Data["keys"].([]interface{}) {
|
|
issuers = append(issuers, rawIssuerId.(string))
|
|
}
|
|
issuersRet.ParsedCache["issuers"] = issuers
|
|
}
|
|
|
|
return false, issuersRet, issuersRet.ParsedCache["issuers"].([]string), nil
|
|
}
|
|
|
|
func parsePEM(contents string) ([]byte, error) {
|
|
// Need to parse out the issuer from its PEM format.
|
|
pemBlock, _ := pem.Decode([]byte(contents))
|
|
if pemBlock == nil {
|
|
return nil, fmt.Errorf("invalid PEM block")
|
|
}
|
|
|
|
return pemBlock.Bytes, nil
|
|
}
|
|
|
|
func ParsePEMCert(contents string) (*x509.Certificate, error) {
|
|
parsed, err := parsePEM(contents)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
cert, err := x509.ParseCertificate(parsed)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid certificate: %w", err)
|
|
}
|
|
|
|
return cert, nil
|
|
}
|
|
|
|
func parsePEMCRL(contents string) (*x509.RevocationList, error) {
|
|
parsed, err := parsePEM(contents)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
crl, err := x509.ParseRevocationList(parsed)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid CRL: %w", err)
|
|
}
|
|
|
|
return crl, nil
|
|
}
|
|
|
|
func pkiFetchIssuer(e *Executor, issuer string, versionError func()) (bool, *PathFetch, *x509.Certificate, error) {
|
|
issuerRet, err := e.FetchIfNotFetched(logical.ReadOperation, "/{{mount}}/issuer/"+issuer+"/json")
|
|
if err != nil {
|
|
return true, issuerRet, nil, err
|
|
}
|
|
|
|
if !issuerRet.IsSecretOK() {
|
|
if issuerRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
return true, issuerRet, nil, nil
|
|
}
|
|
|
|
if len(issuerRet.ParsedCache) == 0 {
|
|
cert, err := ParsePEMCert(issuerRet.Secret.Data["certificate"].(string))
|
|
if err != nil {
|
|
return true, issuerRet, nil, fmt.Errorf("unable to parse issuer %v's certificate: %w", issuer, err)
|
|
}
|
|
|
|
issuerRet.ParsedCache["certificate"] = cert
|
|
}
|
|
|
|
return false, issuerRet, issuerRet.ParsedCache["certificate"].(*x509.Certificate), nil
|
|
}
|
|
|
|
func pkiFetchIssuerEntry(e *Executor, issuer string, versionError func()) (bool, *PathFetch, map[string]interface{}, error) {
|
|
issuerRet, err := e.FetchIfNotFetched(logical.ReadOperation, "/{{mount}}/issuer/"+issuer)
|
|
if err != nil {
|
|
return true, issuerRet, nil, err
|
|
}
|
|
|
|
if !issuerRet.IsSecretOK() {
|
|
if issuerRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
return true, issuerRet, nil, nil
|
|
}
|
|
|
|
if len(issuerRet.ParsedCache) == 0 {
|
|
cert, err := ParsePEMCert(issuerRet.Secret.Data["certificate"].(string))
|
|
if err != nil {
|
|
return true, issuerRet, nil, fmt.Errorf("unable to parse issuer %v's certificate: %w", issuer, err)
|
|
}
|
|
|
|
issuerRet.ParsedCache["certificate"] = cert
|
|
}
|
|
|
|
var data map[string]interface{} = nil
|
|
if issuerRet.Secret != nil && len(issuerRet.Secret.Data) > 0 {
|
|
data = issuerRet.Secret.Data
|
|
}
|
|
|
|
return false, issuerRet, data, nil
|
|
}
|
|
|
|
func pkiFetchIssuerCRL(e *Executor, issuer string, delta bool, versionError func()) (bool, *PathFetch, *x509.RevocationList, error) {
|
|
path := "/{{mount}}/issuer/" + issuer + "/crl"
|
|
name := "CRL"
|
|
if delta {
|
|
path += "/delta"
|
|
name = "Delta CRL"
|
|
}
|
|
|
|
crlRet, err := e.FetchIfNotFetched(logical.ReadOperation, path)
|
|
if err != nil {
|
|
return true, crlRet, nil, err
|
|
}
|
|
|
|
if !crlRet.IsSecretOK() {
|
|
if crlRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
return true, crlRet, nil, nil
|
|
}
|
|
|
|
if len(crlRet.ParsedCache) == 0 {
|
|
crl, err := parsePEMCRL(crlRet.Secret.Data["crl"].(string))
|
|
if err != nil {
|
|
return true, crlRet, nil, fmt.Errorf("unable to parse issuer %v's %v: %w", issuer, name, err)
|
|
}
|
|
crlRet.ParsedCache["crl"] = crl
|
|
}
|
|
|
|
return false, crlRet, crlRet.ParsedCache["crl"].(*x509.RevocationList), nil
|
|
}
|
|
|
|
func pkiFetchKeyEntry(e *Executor, key string, versionError func()) (bool, *PathFetch, map[string]interface{}, error) {
|
|
keyRet, err := e.FetchIfNotFetched(logical.ReadOperation, "/{{mount}}/key/"+key)
|
|
if err != nil {
|
|
return true, keyRet, nil, err
|
|
}
|
|
|
|
if !keyRet.IsSecretOK() {
|
|
if keyRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
return true, keyRet, nil, nil
|
|
}
|
|
|
|
var data map[string]interface{} = nil
|
|
if keyRet.Secret != nil && len(keyRet.Secret.Data) > 0 {
|
|
data = keyRet.Secret.Data
|
|
}
|
|
|
|
return false, keyRet, data, nil
|
|
}
|
|
|
|
func pkiFetchLeavesList(e *Executor, versionError func()) (bool, *PathFetch, []string, error) {
|
|
leavesRet, err := e.FetchIfNotFetched(logical.ListOperation, "/{{mount}}/certs")
|
|
if err != nil {
|
|
return true, leavesRet, nil, err
|
|
}
|
|
|
|
if !leavesRet.IsSecretOK() {
|
|
if leavesRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
|
|
return true, leavesRet, nil, nil
|
|
}
|
|
|
|
if len(leavesRet.ParsedCache) == 0 {
|
|
var leaves []string
|
|
for _, rawSerial := range leavesRet.Secret.Data["keys"].([]interface{}) {
|
|
leaves = append(leaves, rawSerial.(string))
|
|
}
|
|
leavesRet.ParsedCache["leaves"] = leaves
|
|
leavesRet.ParsedCache["count"] = len(leaves)
|
|
}
|
|
|
|
return false, leavesRet, leavesRet.ParsedCache["leaves"].([]string), nil
|
|
}
|
|
|
|
func pkiFetchLeaf(e *Executor, serial string, versionError func()) (bool, *PathFetch, *x509.Certificate, error) {
|
|
leafRet, err := e.FetchIfNotFetched(logical.ReadOperation, "/{{mount}}/cert/"+serial)
|
|
if err != nil {
|
|
return true, leafRet, nil, err
|
|
}
|
|
|
|
if !leafRet.IsSecretOK() {
|
|
if leafRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
return true, leafRet, nil, nil
|
|
}
|
|
|
|
if len(leafRet.ParsedCache) == 0 {
|
|
cert, err := ParsePEMCert(leafRet.Secret.Data["certificate"].(string))
|
|
if err != nil {
|
|
return true, leafRet, nil, fmt.Errorf("unable to parse leaf %v's certificate: %w", serial, err)
|
|
}
|
|
|
|
leafRet.ParsedCache["certificate"] = cert
|
|
}
|
|
|
|
return false, leafRet, leafRet.ParsedCache["certificate"].(*x509.Certificate), nil
|
|
}
|
|
|
|
func pkiFetchRolesList(e *Executor, versionError func()) (bool, *PathFetch, []string, error) {
|
|
rolesRet, err := e.FetchIfNotFetched(logical.ListOperation, "/{{mount}}/roles")
|
|
if err != nil {
|
|
return true, rolesRet, nil, err
|
|
}
|
|
|
|
if !rolesRet.IsSecretOK() {
|
|
if rolesRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
|
|
return true, rolesRet, nil, nil
|
|
}
|
|
|
|
if len(rolesRet.ParsedCache) == 0 {
|
|
var roles []string
|
|
for _, roleName := range rolesRet.Secret.Data["keys"].([]interface{}) {
|
|
roles = append(roles, roleName.(string))
|
|
}
|
|
rolesRet.ParsedCache["roles"] = roles
|
|
}
|
|
|
|
return false, rolesRet, rolesRet.ParsedCache["roles"].([]string), nil
|
|
}
|
|
|
|
func pkiFetchRole(e *Executor, name string, versionError func()) (bool, *PathFetch, map[string]interface{}, error) {
|
|
roleRet, err := e.FetchIfNotFetched(logical.ReadOperation, "/{{mount}}/roles/"+name)
|
|
if err != nil {
|
|
return true, roleRet, nil, err
|
|
}
|
|
|
|
if !roleRet.IsSecretOK() {
|
|
if roleRet.IsUnsupportedPathError() {
|
|
versionError()
|
|
}
|
|
return true, roleRet, nil, nil
|
|
}
|
|
|
|
var data map[string]interface{} = nil
|
|
if roleRet.Secret != nil && len(roleRet.Secret.Data) > 0 {
|
|
data = roleRet.Secret.Data
|
|
}
|
|
|
|
return false, roleRet, data, nil
|
|
}
|