c25b90831e
* Export CreateBackendWithStorage for pkiext Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Move zlint_test.go to pkiext Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix mount all test to ignore pkiext Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
1157 lines
31 KiB
Go
1157 lines
31 KiB
Go
package pki
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"encoding/asn1"
|
|
"encoding/base64"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/go-errors/errors"
|
|
"github.com/hashicorp/go-secure-stdlib/strutil"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestPki_RoleGenerateLease(t *testing.T) {
|
|
t.Parallel()
|
|
var resp *logical.Response
|
|
var err error
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
roleData := map[string]interface{}{
|
|
"allowed_domains": "myvault.com",
|
|
"ttl": "5h",
|
|
}
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
// generate_lease cannot be nil. It either has to be set during role
|
|
// creation or has to be filled in by the upgrade code
|
|
generateLease := resp.Data["generate_lease"].(*bool)
|
|
if generateLease == nil {
|
|
t.Fatalf("generate_lease should not be nil")
|
|
}
|
|
|
|
// By default, generate_lease should be `false`
|
|
if *generateLease {
|
|
t.Fatalf("generate_lease should not be set by default")
|
|
}
|
|
|
|
// To test upgrade of generate_lease, we read the storage entry,
|
|
// modify it to remove generate_lease, and rewrite it.
|
|
entry, err := storage.Get(context.Background(), "role/testrole")
|
|
if err != nil || entry == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var role roleEntry
|
|
if err := entry.DecodeJSON(&role); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
role.GenerateLease = nil
|
|
|
|
entry, err = logical.StorageEntryJSON("role/testrole", role)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := storage.Put(context.Background(), entry); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Reading should upgrade generate_lease
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
generateLease = resp.Data["generate_lease"].(*bool)
|
|
if generateLease == nil {
|
|
t.Fatalf("generate_lease should not be nil")
|
|
}
|
|
|
|
// Upgrade should set generate_lease to `true`
|
|
if !*generateLease {
|
|
t.Fatalf("generate_lease should be set after an upgrade")
|
|
}
|
|
|
|
// Make sure that setting generate_lease to `true` works properly
|
|
roleReq.Operation = logical.UpdateOperation
|
|
roleReq.Path = "roles/testrole2"
|
|
roleReq.Data["generate_lease"] = true
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
generateLease = resp.Data["generate_lease"].(*bool)
|
|
if generateLease == nil {
|
|
t.Fatalf("generate_lease should not be nil")
|
|
}
|
|
if !*generateLease {
|
|
t.Fatalf("generate_lease should have been set")
|
|
}
|
|
}
|
|
|
|
func TestPki_RoleKeyUsage(t *testing.T) {
|
|
t.Parallel()
|
|
var resp *logical.Response
|
|
var err error
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
roleData := map[string]interface{}{
|
|
"allowed_domains": "myvault.com",
|
|
"ttl": "5h",
|
|
"key_usage": []string{"KeyEncipherment", "DigitalSignature"},
|
|
}
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
keyUsage := resp.Data["key_usage"].([]string)
|
|
if len(keyUsage) != 2 {
|
|
t.Fatalf("key_usage should have 2 values")
|
|
}
|
|
|
|
// To test the upgrade of KeyUsageOld into KeyUsage, we read
|
|
// the storage entry, modify it to set KUO and unset KU, and
|
|
// rewrite it.
|
|
entry, err := storage.Get(context.Background(), "role/testrole")
|
|
if err != nil || entry == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var role roleEntry
|
|
if err := entry.DecodeJSON(&role); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
role.KeyUsageOld = "KeyEncipherment,DigitalSignature"
|
|
role.KeyUsage = nil
|
|
|
|
entry, err = logical.StorageEntryJSON("role/testrole", role)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := storage.Put(context.Background(), entry); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Reading should upgrade key_usage
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
keyUsage = resp.Data["key_usage"].([]string)
|
|
if len(keyUsage) != 2 {
|
|
t.Fatalf("key_usage should have 2 values")
|
|
}
|
|
|
|
// Read back from storage to ensure upgrade
|
|
entry, err = storage.Get(context.Background(), "role/testrole")
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
if entry == nil {
|
|
t.Fatalf("role should not be nil")
|
|
}
|
|
var result roleEntry
|
|
if err := entry.DecodeJSON(&result); err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
if result.KeyUsageOld != "" {
|
|
t.Fatal("old key usage value should be blank")
|
|
}
|
|
if len(result.KeyUsage) != 2 {
|
|
t.Fatal("key_usage should have 2 values")
|
|
}
|
|
}
|
|
|
|
func TestPki_RoleOUOrganizationUpgrade(t *testing.T) {
|
|
t.Parallel()
|
|
var resp *logical.Response
|
|
var err error
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
roleData := map[string]interface{}{
|
|
"allowed_domains": "myvault.com",
|
|
"ttl": "5h",
|
|
"ou": []string{"abc", "123"},
|
|
"organization": []string{"org1", "org2"},
|
|
}
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
ou := resp.Data["ou"].([]string)
|
|
if len(ou) != 2 {
|
|
t.Fatalf("ou should have 2 values")
|
|
}
|
|
organization := resp.Data["organization"].([]string)
|
|
if len(organization) != 2 {
|
|
t.Fatalf("organization should have 2 values")
|
|
}
|
|
|
|
// To test upgrade of O/OU, we read the storage entry, modify it to set
|
|
// the old O/OU value over the new one, and rewrite it.
|
|
entry, err := storage.Get(context.Background(), "role/testrole")
|
|
if err != nil || entry == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var role roleEntry
|
|
if err := entry.DecodeJSON(&role); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
role.OUOld = "abc,123"
|
|
role.OU = nil
|
|
role.OrganizationOld = "org1,org2"
|
|
role.Organization = nil
|
|
|
|
entry, err = logical.StorageEntryJSON("role/testrole", role)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := storage.Put(context.Background(), entry); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Reading should upgrade key_usage
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
ou = resp.Data["ou"].([]string)
|
|
if len(ou) != 2 {
|
|
t.Fatalf("ou should have 2 values")
|
|
}
|
|
organization = resp.Data["organization"].([]string)
|
|
if len(organization) != 2 {
|
|
t.Fatalf("organization should have 2 values")
|
|
}
|
|
|
|
// Read back from storage to ensure upgrade
|
|
entry, err = storage.Get(context.Background(), "role/testrole")
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
if entry == nil {
|
|
t.Fatalf("role should not be nil")
|
|
}
|
|
var result roleEntry
|
|
if err := entry.DecodeJSON(&result); err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
if result.OUOld != "" {
|
|
t.Fatal("old ou value should be blank")
|
|
}
|
|
if len(result.OU) != 2 {
|
|
t.Fatal("ou should have 2 values")
|
|
}
|
|
if result.OrganizationOld != "" {
|
|
t.Fatal("old organization value should be blank")
|
|
}
|
|
if len(result.Organization) != 2 {
|
|
t.Fatal("organization should have 2 values")
|
|
}
|
|
}
|
|
|
|
func TestPki_RoleAllowedDomains(t *testing.T) {
|
|
t.Parallel()
|
|
var resp *logical.Response
|
|
var err error
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
roleData := map[string]interface{}{
|
|
"allowed_domains": []string{"foobar.com", "*example.com"},
|
|
"ttl": "5h",
|
|
}
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
allowedDomains := resp.Data["allowed_domains"].([]string)
|
|
if len(allowedDomains) != 2 {
|
|
t.Fatalf("allowed_domains should have 2 values")
|
|
}
|
|
|
|
// To test upgrade of allowed_domains, we read the storage entry,
|
|
// set the old one, and rewrite it.
|
|
entry, err := storage.Get(context.Background(), "role/testrole")
|
|
if err != nil || entry == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var role roleEntry
|
|
if err := entry.DecodeJSON(&role); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
role.AllowedDomainsOld = "foobar.com,*example.com"
|
|
role.AllowedDomains = nil
|
|
|
|
entry, err = logical.StorageEntryJSON("role/testrole", role)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := storage.Put(context.Background(), entry); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Reading should upgrade key_usage
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
allowedDomains = resp.Data["allowed_domains"].([]string)
|
|
if len(allowedDomains) != 2 {
|
|
t.Fatalf("allowed_domains should have 2 values")
|
|
}
|
|
|
|
// Read back from storage to ensure upgrade
|
|
entry, err = storage.Get(context.Background(), "role/testrole")
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
if entry == nil {
|
|
t.Fatalf("role should not be nil")
|
|
}
|
|
var result roleEntry
|
|
if err := entry.DecodeJSON(&result); err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
if result.AllowedDomainsOld != "" {
|
|
t.Fatal("old allowed_domains value should be blank")
|
|
}
|
|
if len(result.AllowedDomains) != 2 {
|
|
t.Fatal("allowed_domains should have 2 values")
|
|
}
|
|
}
|
|
|
|
func TestPki_RoleAllowedURISANs(t *testing.T) {
|
|
t.Parallel()
|
|
var resp *logical.Response
|
|
var err error
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
roleData := map[string]interface{}{
|
|
"allowed_uri_sans": []string{"http://foobar.com", "spiffe://*"},
|
|
"ttl": "5h",
|
|
}
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
allowedURISANs := resp.Data["allowed_uri_sans"].([]string)
|
|
if len(allowedURISANs) != 2 {
|
|
t.Fatalf("allowed_uri_sans should have 2 values")
|
|
}
|
|
}
|
|
|
|
func TestPki_RolePkixFields(t *testing.T) {
|
|
t.Parallel()
|
|
var resp *logical.Response
|
|
var err error
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
roleData := map[string]interface{}{
|
|
"ttl": "5h",
|
|
"country": []string{"c1", "c2"},
|
|
"ou": []string{"abc", "123"},
|
|
"organization": []string{"org1", "org2"},
|
|
"locality": []string{"foocity", "bartown"},
|
|
"province": []string{"bar", "foo"},
|
|
"street_address": []string{"123 foo street", "789 bar avenue"},
|
|
"postal_code": []string{"f00", "b4r"},
|
|
}
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole_pkixfields",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
origCountry := roleData["country"].([]string)
|
|
respCountry := resp.Data["country"].([]string)
|
|
if !strutil.StrListSubset(origCountry, respCountry) {
|
|
t.Fatalf("country did not match values set in role")
|
|
} else if len(origCountry) != len(respCountry) {
|
|
t.Fatalf("country did not have same number of values set in role")
|
|
}
|
|
|
|
origOU := roleData["ou"].([]string)
|
|
respOU := resp.Data["ou"].([]string)
|
|
if !strutil.StrListSubset(origOU, respOU) {
|
|
t.Fatalf("ou did not match values set in role")
|
|
} else if len(origOU) != len(respOU) {
|
|
t.Fatalf("ou did not have same number of values set in role")
|
|
}
|
|
|
|
origOrganization := roleData["organization"].([]string)
|
|
respOrganization := resp.Data["organization"].([]string)
|
|
if !strutil.StrListSubset(origOrganization, respOrganization) {
|
|
t.Fatalf("organization did not match values set in role")
|
|
} else if len(origOrganization) != len(respOrganization) {
|
|
t.Fatalf("organization did not have same number of values set in role")
|
|
}
|
|
|
|
origLocality := roleData["locality"].([]string)
|
|
respLocality := resp.Data["locality"].([]string)
|
|
if !strutil.StrListSubset(origLocality, respLocality) {
|
|
t.Fatalf("locality did not match values set in role")
|
|
} else if len(origLocality) != len(respLocality) {
|
|
t.Fatalf("locality did not have same number of values set in role: ")
|
|
}
|
|
|
|
origProvince := roleData["province"].([]string)
|
|
respProvince := resp.Data["province"].([]string)
|
|
if !strutil.StrListSubset(origProvince, respProvince) {
|
|
t.Fatalf("province did not match values set in role")
|
|
} else if len(origProvince) != len(respProvince) {
|
|
t.Fatalf("province did not have same number of values set in role")
|
|
}
|
|
|
|
origStreetAddress := roleData["street_address"].([]string)
|
|
respStreetAddress := resp.Data["street_address"].([]string)
|
|
if !strutil.StrListSubset(origStreetAddress, respStreetAddress) {
|
|
t.Fatalf("street_address did not match values set in role")
|
|
} else if len(origStreetAddress) != len(respStreetAddress) {
|
|
t.Fatalf("street_address did not have same number of values set in role")
|
|
}
|
|
|
|
origPostalCode := roleData["postal_code"].([]string)
|
|
respPostalCode := resp.Data["postal_code"].([]string)
|
|
if !strutil.StrListSubset(origPostalCode, respPostalCode) {
|
|
t.Fatalf("postal_code did not match values set in role")
|
|
} else if len(origPostalCode) != len(respPostalCode) {
|
|
t.Fatalf("postal_code did not have same number of values set in role")
|
|
}
|
|
}
|
|
|
|
func TestPki_RoleNoStore(t *testing.T) {
|
|
t.Parallel()
|
|
var resp *logical.Response
|
|
var err error
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
roleData := map[string]interface{}{
|
|
"allowed_domains": "myvault.com",
|
|
"ttl": "5h",
|
|
}
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
// By default, no_store should be `false`
|
|
noStore := resp.Data["no_store"].(bool)
|
|
if noStore {
|
|
t.Fatalf("no_store should not be set by default")
|
|
}
|
|
|
|
// By default, allowed_domains_template should be `false`
|
|
allowedDomainsTemplate := resp.Data["allowed_domains_template"].(bool)
|
|
if allowedDomainsTemplate {
|
|
t.Fatalf("allowed_domains_template should not be set by default")
|
|
}
|
|
|
|
// By default, allowed_uri_sans_template should be `false`
|
|
allowedURISANsTemplate := resp.Data["allowed_uri_sans_template"].(bool)
|
|
if allowedURISANsTemplate {
|
|
t.Fatalf("allowed_uri_sans_template should not be set by default")
|
|
}
|
|
|
|
// Make sure that setting no_store to `true` works properly
|
|
roleReq.Operation = logical.UpdateOperation
|
|
roleReq.Path = "roles/testrole_nostore"
|
|
roleReq.Data["no_store"] = true
|
|
roleReq.Data["allowed_domain"] = "myvault.com"
|
|
roleReq.Data["allow_subdomains"] = true
|
|
roleReq.Data["ttl"] = "5h"
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleReq.Operation = logical.ReadOperation
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
noStore = resp.Data["no_store"].(bool)
|
|
if !noStore {
|
|
t.Fatalf("no_store should have been set to true")
|
|
}
|
|
|
|
// issue a certificate and test that it's not stored
|
|
caData := map[string]interface{}{
|
|
"common_name": "myvault.com",
|
|
"ttl": "5h",
|
|
"ip_sans": "127.0.0.1",
|
|
}
|
|
caReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "root/generate/internal",
|
|
Storage: storage,
|
|
Data: caData,
|
|
}
|
|
resp, err = b.HandleRequest(context.Background(), caReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
issueData := map[string]interface{}{
|
|
"common_name": "cert.myvault.com",
|
|
"format": "pem",
|
|
"ip_sans": "127.0.0.1",
|
|
"ttl": "1h",
|
|
}
|
|
issueReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "issue/testrole_nostore",
|
|
Storage: storage,
|
|
Data: issueData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), issueReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
// list certs
|
|
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
|
Operation: logical.ListOperation,
|
|
Path: "certs",
|
|
Storage: storage,
|
|
})
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
if len(resp.Data["keys"].([]string)) != 1 {
|
|
t.Fatalf("Only the CA certificate should be stored: %#v", resp)
|
|
}
|
|
}
|
|
|
|
func TestPki_CertsLease(t *testing.T) {
|
|
t.Parallel()
|
|
var resp *logical.Response
|
|
var err error
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
caData := map[string]interface{}{
|
|
"common_name": "myvault.com",
|
|
"ttl": "5h",
|
|
"ip_sans": "127.0.0.1",
|
|
}
|
|
|
|
caReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "root/generate/internal",
|
|
Storage: storage,
|
|
Data: caData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), caReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
roleData := map[string]interface{}{
|
|
"allowed_domains": "myvault.com",
|
|
"allow_subdomains": true,
|
|
"ttl": "2h",
|
|
}
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
issueData := map[string]interface{}{
|
|
"common_name": "cert.myvault.com",
|
|
"format": "pem",
|
|
"ip_sans": "127.0.0.1",
|
|
}
|
|
issueReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "issue/testrole",
|
|
Storage: storage,
|
|
Data: issueData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), issueReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
if resp.Secret != nil {
|
|
t.Fatalf("expected a response that does not contain a secret")
|
|
}
|
|
|
|
// Turn on the lease generation and issue a certificate. The response
|
|
// should have a `Secret` object populated.
|
|
roleData["generate_lease"] = true
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), issueReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, resp)
|
|
}
|
|
|
|
if resp.Secret == nil {
|
|
t.Fatalf("expected a response that contains a secret")
|
|
}
|
|
}
|
|
|
|
func TestPki_RolePatch(t *testing.T) {
|
|
t.Parallel()
|
|
type TestCase struct {
|
|
Field string
|
|
Before interface{}
|
|
Patched interface{}
|
|
}
|
|
|
|
testCases := []TestCase{
|
|
{
|
|
Field: "ttl",
|
|
Before: int64(5),
|
|
Patched: int64(10),
|
|
},
|
|
{
|
|
Field: "max_ttl",
|
|
Before: int64(5),
|
|
Patched: int64(10),
|
|
},
|
|
{
|
|
Field: "allow_localhost",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "allowed_domains",
|
|
Before: []string{"alex", "bob"},
|
|
Patched: []string{"sam", "alex", "frank"},
|
|
},
|
|
{
|
|
Field: "allowed_domains_template",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "allow_bare_domains",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "allow_subdomains",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "allow_glob_domains",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "allow_wildcard_certificates",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "allow_any_name",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "enforce_hostnames",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "allow_ip_sans",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "allowed_uri_sans",
|
|
Before: []string{"gopher://*"},
|
|
Patched: []string{"https://*"},
|
|
},
|
|
{
|
|
Field: "allowed_uri_sans_template",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "allowed_other_sans",
|
|
Before: []string{"1.2.3.4;UTF8:magic"},
|
|
Patched: []string{"4.3.2.1;UTF8:cigam"},
|
|
},
|
|
{
|
|
Field: "allowed_serial_numbers",
|
|
Before: []string{"*"},
|
|
Patched: []string{""},
|
|
},
|
|
{
|
|
Field: "server_flag",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "client_flag",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "code_signing_flag",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "email_protection_flag",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
// key_type, key_bits, and signature_bits can't be tested in this setup
|
|
// due to their non-default stored nature.
|
|
{
|
|
Field: "key_usage",
|
|
Before: []string{"DigitialSignature"},
|
|
Patched: []string{"DigitalSignature", "KeyAgreement"},
|
|
},
|
|
{
|
|
Field: "ext_key_usage",
|
|
Before: []string{"ServerAuth"},
|
|
Patched: []string{"ClientAuth"},
|
|
},
|
|
{
|
|
Field: "ext_key_usage_oids",
|
|
Before: []string{"1.2.3.4"},
|
|
Patched: []string{"4.3.2.1"},
|
|
},
|
|
{
|
|
Field: "use_csr_common_name",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "use_csr_sans",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "ou",
|
|
Before: []string{"crypto"},
|
|
Patched: []string{"cryptosec"},
|
|
},
|
|
{
|
|
Field: "organization",
|
|
Before: []string{"hashicorp"},
|
|
Patched: []string{"dadgarcorp"},
|
|
},
|
|
{
|
|
Field: "country",
|
|
Before: []string{"US"},
|
|
Patched: []string{"USA"},
|
|
},
|
|
{
|
|
Field: "locality",
|
|
Before: []string{"Orange"},
|
|
Patched: []string{"Blue"},
|
|
},
|
|
{
|
|
Field: "province",
|
|
Before: []string{"CA"},
|
|
Patched: []string{"AC"},
|
|
},
|
|
{
|
|
Field: "street_address",
|
|
Before: []string{"101 First"},
|
|
Patched: []string{"202 Second", "Unit 020"},
|
|
},
|
|
{
|
|
Field: "postal_code",
|
|
Before: []string{"12345"},
|
|
Patched: []string{"54321-1234"},
|
|
},
|
|
{
|
|
Field: "generate_lease",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "no_store",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "require_cn",
|
|
Before: false,
|
|
Patched: true,
|
|
},
|
|
{
|
|
Field: "policy_identifiers",
|
|
Before: []string{"1.3.6.1.4.1.1.1"},
|
|
Patched: []string{"1.3.6.1.4.1.1.2"},
|
|
},
|
|
{
|
|
Field: "basic_constraints_valid_for_non_ca",
|
|
Before: true,
|
|
Patched: false,
|
|
},
|
|
{
|
|
Field: "not_before_duration",
|
|
Before: int64(30),
|
|
Patched: int64(300),
|
|
},
|
|
{
|
|
Field: "not_after",
|
|
Before: "9999-12-31T23:59:59Z",
|
|
Patched: "1230-12-31T23:59:59Z",
|
|
},
|
|
{
|
|
Field: "issuer_ref",
|
|
Before: "default",
|
|
Patched: "missing",
|
|
},
|
|
}
|
|
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
for index, testCase := range testCases {
|
|
var resp *logical.Response
|
|
var roleDataResp *logical.Response
|
|
var afterRoleDataResp *logical.Response
|
|
var err error
|
|
|
|
// Create the role
|
|
roleData := map[string]interface{}{}
|
|
roleData[testCase.Field] = testCase.Before
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad [%d/%v] create: err: %v resp: %#v", index, testCase.Field, err, resp)
|
|
}
|
|
|
|
// Read the role after creation
|
|
roleReq.Operation = logical.ReadOperation
|
|
roleDataResp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (roleDataResp != nil && roleDataResp.IsError()) {
|
|
t.Fatalf("bad [%d/%v] read: err: %v resp: %#v", index, testCase.Field, err, resp)
|
|
}
|
|
|
|
beforeRoleData := roleDataResp.Data
|
|
|
|
// Patch the role
|
|
roleReq.Operation = logical.PatchOperation
|
|
roleReq.Data[testCase.Field] = testCase.Patched
|
|
resp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("bad [%d/%v] patch: err: %v resp: %#v", index, testCase.Field, err, resp)
|
|
}
|
|
|
|
// Re-read and verify the role
|
|
roleReq.Operation = logical.ReadOperation
|
|
afterRoleDataResp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (afterRoleDataResp != nil && afterRoleDataResp.IsError()) {
|
|
t.Fatalf("bad [%d/%v] read: err: %v resp: %#v", index, testCase.Field, err, resp)
|
|
}
|
|
|
|
afterRoleData := afterRoleDataResp.Data
|
|
|
|
for field, before := range beforeRoleData {
|
|
switch typed := before.(type) {
|
|
case *bool:
|
|
before = *typed
|
|
afterRoleData[field] = *(afterRoleData[field].(*bool))
|
|
}
|
|
|
|
if field != testCase.Field {
|
|
require.Equal(t, before, afterRoleData[field], fmt.Sprintf("bad [%d/%v] compare: non-modified field %v should not be changed", index, testCase.Field, field))
|
|
} else {
|
|
require.Equal(t, before, testCase.Before, fmt.Sprintf("bad [%d] compare: modified field %v before should be correct", index, field))
|
|
require.Equal(t, afterRoleData[field], testCase.Patched, fmt.Sprintf("bad [%d] compare: modified field %v after should be correct", index, field))
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestPKI_RolePolicyInformation_Flat(t *testing.T) {
|
|
t.Parallel()
|
|
type TestCase struct {
|
|
Input interface{}
|
|
ASN interface{}
|
|
OidList []string
|
|
}
|
|
|
|
expectedSimpleAsnExtension := "MBYwCQYHKwYBBAEBATAJBgcrBgEEAQEC"
|
|
expectedSimpleOidList := append(*new([]string), "1.3.6.1.4.1.1.1", "1.3.6.1.4.1.1.2")
|
|
|
|
testCases := []TestCase{
|
|
{
|
|
Input: "1.3.6.1.4.1.1.1,1.3.6.1.4.1.1.2",
|
|
ASN: expectedSimpleAsnExtension,
|
|
OidList: expectedSimpleOidList,
|
|
},
|
|
{
|
|
Input: "[{\"oid\":\"1.3.6.1.4.1.1.1\"},{\"oid\":\"1.3.6.1.4.1.1.2\"}]",
|
|
ASN: expectedSimpleAsnExtension,
|
|
OidList: expectedSimpleOidList,
|
|
},
|
|
{
|
|
Input: "[{\"oid\":\"1.3.6.1.4.1.7.8\",\"notice\":\"I am a user Notice\"},{\"oid\":\"1.3.6.1.44947.1.2.4\",\"cps\":\"https://example.com\"}]",
|
|
ASN: "MF8wLQYHKwYBBAEHCDAiMCAGCCsGAQUFBwICMBQMEkkgYW0gYSB1c2VyIE5vdGljZTAuBgkrBgGC3xMBAgQwITAfBggrBgEFBQcCARYTaHR0cHM6Ly9leGFtcGxlLmNvbQ==",
|
|
OidList: append(*new([]string), "1.3.6.1.4.1.7.8", "1.3.6.1.44947.1.2.4"),
|
|
},
|
|
}
|
|
|
|
b, storage := CreateBackendWithStorage(t)
|
|
|
|
caData := map[string]interface{}{
|
|
"common_name": "myvault.com",
|
|
"ttl": "5h",
|
|
"ip_sans": "127.0.0.1",
|
|
}
|
|
caReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "root/generate/internal",
|
|
Storage: storage,
|
|
Data: caData,
|
|
}
|
|
caResp, err := b.HandleRequest(context.Background(), caReq)
|
|
if err != nil || (caResp != nil && caResp.IsError()) {
|
|
t.Fatalf("bad: err: %v resp: %#v", err, caResp)
|
|
}
|
|
|
|
for index, testCase := range testCases {
|
|
var roleResp *logical.Response
|
|
var issueResp *logical.Response
|
|
var err error
|
|
|
|
// Create/update the role
|
|
roleData := map[string]interface{}{}
|
|
roleData[policyIdentifiersParam] = testCase.Input
|
|
|
|
roleReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "roles/testrole",
|
|
Storage: storage,
|
|
Data: roleData,
|
|
}
|
|
|
|
roleResp, err = b.HandleRequest(context.Background(), roleReq)
|
|
if err != nil || (roleResp != nil && roleResp.IsError()) {
|
|
t.Fatalf("bad [%d], setting policy identifier %v err: %v resp: %#v", index, testCase.Input, err, roleResp)
|
|
}
|
|
|
|
// Issue Using this role
|
|
issueData := map[string]interface{}{}
|
|
issueData["common_name"] = "localhost"
|
|
issueData["ttl"] = "2s"
|
|
|
|
issueReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "issue/testrole",
|
|
Storage: storage,
|
|
Data: issueData,
|
|
}
|
|
|
|
issueResp, err = b.HandleRequest(context.Background(), issueReq)
|
|
if err != nil || (issueResp != nil && issueResp.IsError()) {
|
|
t.Fatalf("bad [%d], setting policy identifier %v err: %v resp: %#v", index, testCase.Input, err, issueResp)
|
|
}
|
|
|
|
// Validate the OIDs
|
|
policyIdentifiers, err := getPolicyIdentifiersOffCertificate(*issueResp)
|
|
if err != nil {
|
|
t.Fatalf("bad [%d], getting policy identifier from %v err: %v resp: %#v", index, testCase.Input, err, issueResp)
|
|
}
|
|
if len(policyIdentifiers) != len(testCase.OidList) {
|
|
t.Fatalf("bad [%d], wrong certificate policy identifier from %v len expected: %d got %d", index, testCase.Input, len(testCase.OidList), len(policyIdentifiers))
|
|
}
|
|
for i, identifier := range policyIdentifiers {
|
|
if identifier != testCase.OidList[i] {
|
|
t.Fatalf("bad [%d], wrong certificate policy identifier from %v expected: %v got %v", index, testCase.Input, testCase.OidList[i], policyIdentifiers[i])
|
|
}
|
|
}
|
|
// Validate the ASN
|
|
certificateAsn, err := getPolicyInformationExtensionOffCertificate(*issueResp)
|
|
if err != nil {
|
|
t.Fatalf("bad [%d], getting extension from %v err: %v resp: %#v", index, testCase.Input, err, issueResp)
|
|
}
|
|
certificateB64 := make([]byte, len(certificateAsn)*2)
|
|
base64.StdEncoding.Encode(certificateB64, certificateAsn)
|
|
certificateString := string(certificateB64[:])
|
|
assert.Contains(t, certificateString, testCase.ASN)
|
|
}
|
|
}
|
|
|
|
func getPolicyIdentifiersOffCertificate(resp logical.Response) ([]string, error) {
|
|
stringCertificate := resp.Data["certificate"].(string)
|
|
block, _ := pem.Decode([]byte(stringCertificate))
|
|
certificate, err := x509.ParseCertificate(block.Bytes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
policyIdentifierStrings := make([]string, len(certificate.PolicyIdentifiers))
|
|
for index, asnOid := range certificate.PolicyIdentifiers {
|
|
policyIdentifierStrings[index] = asnOid.String()
|
|
}
|
|
return policyIdentifierStrings, nil
|
|
}
|
|
|
|
func getPolicyInformationExtensionOffCertificate(resp logical.Response) ([]byte, error) {
|
|
stringCertificate := resp.Data["certificate"].(string)
|
|
block, _ := pem.Decode([]byte(stringCertificate))
|
|
certificate, err := x509.ParseCertificate(block.Bytes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for _, extension := range certificate.Extensions {
|
|
if extension.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 32}) {
|
|
return extension.Value, nil
|
|
}
|
|
}
|
|
return *new([]byte), errors.New("No Policy Information Extension Found")
|
|
}
|