Kitography/vault 5474 #15094
Closed
* Simple starting PKI storage api for CA rotation
* Add key and issuer storage apis
* Add listKeys and listIssuers storage implementations
* Add simple keys and issuers configuration storage api methods
The API context will usually have a user-specified reference to the key. This is either the literal string "default" to select the default key, an identifier of the key, or a slug name for the key. Here, we wish to resolve this reference to an actual identifier that can be understood by storage. Also adds the missing Name field to keys. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This adds a method to construct a certutil.CertBundle from the specified issuer identifier, optionally loading its corresponding key for signing. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This refactors the parsing of PrivateKeys from PEM blobs into shared methods (ParsePEMKey, ParseDERKey) that can be reused by the existing Bundle parsing logic (ParsePEMBundle) or independently in the new issuers/key-based PKI storage code. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
importKey is generally preferable to the low-level writeKey for adding new entries. This takes only the contents of the private key (as a string -- so a PEM bundle or a managed key handle) and checks if it already exists in the storage. If it does, it returns the existing key instance. Otherwise, we create a new one. In the process, we detect any issuers using this key and link them back to the new key entry. The same holds for importCert over importKey, with the note that keys are not modified when importing certificates. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This adds tests for importing keys and issuers into the new storage layout, ensuring that identifiers are correctly inferred and linked. Note that directly writing entries to storage (writeKey/writeissuer) will take KeyID links from the parent entry and should not be used for import; only existing entries should be updated with this info. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
- Hook into the backend::initialize function, calling the migration on a primary only.
- Migrate an existing certificate bundle to the new issuers and key layout
This allows fetchCAInfo to fetch a specified issuer, via a reference parameter provided by the user. We pass that into the storage layer and have it return a cert bundle for us. Finally, we need to validate that it truly has the key desired. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This implements the fetch operations around issuers in the PKI Secrets Engine. We implement the following operations:

- LIST /issuers - returns a list of known issuers' IDs and names.
- GET /issuer/:ref - returns a JSON blob with information about this issuer.
- POST /issuer/:ref - allows configuring information about issuers, presently just its name.
- DELETE /issuer/:ref - allows deleting the specified issuer.
- GET /issuer/:ref/{der,pem} - returns a raw API response with just the DER (or PEM) of the issuer's certificate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This adds the two core import code paths to the API: /issuers/import/cert and /issuers/import/bundle. The former differs from the latter in that the latter allows the import of keys. This allows operators to restrict importing of keys to privileged roles, while allowing more operators permission to import additional certificates (not used for signing, but instead for path/chain building). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This endpoint allows existing issuers to be used to sign intermediate CA certificates. In the process, we've updated the existing /root/sign-intermediate endpoint to be equivalent to a call to /issuer/default/sign-intermediate. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This endpoint allows existing issuers to be used to sign self-signed certificates. In the process, we've updated the existing /root/sign-self-issued endpoint to be equivalent to a call to /issuer/default/sign-self-issued. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This endpoint allows existing issuers to be used to directly sign CSRs. In the process, we've updated the existing /sign-verbatim endpoint to be equivalent to a call to /issuer/:ref/sign-verbatim. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Using the new updateDefaultIssuerId(...) from the storage migration PR allows for easy implementation of configuring the default issuer. We restrict callers from setting blank defaults and setting default to default. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
After setting a default issuer, one should be able to use the old /ca, /ca_chain, and /cert/{ca,ca_chain} endpoints to fetch the default issuer (and its chain). Update the fetchCertBySerial helper to no longer support fetching the ca and prefer fetchCAInfo for that instead (as we've already updated that to support fetching the new issuer location). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This updates the /sign and /issue endpoints, allowing them to take the default issuer (if none is provided by a role) and adding issuer-specific versions of them. Note that at this point in time, the behavior isn't yet ideal (as /sign/:role allows adding the ref=... parameter to override the default issuer); a later change adding role-based issuer specification will fix this incorrect behavior. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
- Update all new API endpoints to use the new agreed upon argument names.
  - issuer_ref & key_ref to refer to existing
  - issuer_name & key_name for new definitions
- Update returned values to always use issuer_id and key_id

- Add utility methods to fetch the issuer_name, issuer_ref, key_name and key_ref arguments from data fields.
- Centralize the logic to clean up these inputs and apply various validations to all of them.
- Use the buildPath convention for the function name instead of common...
…suer} methods - PR feedback, move setting up the default configuration references within the import methods instead of within the writeCaBundle method. This should now cover all use cases of us setting up the defaults properly.
- Addresses some test failures due to an incorrect refactoring of a legacy api path /sign-verbatim within PKI
The existing bundle import code will satisfy the intermediate import; use it instead of the old ca_bundle import logic. Additionally, update /config/ca to use the new import code as well.

While testing, a panic was discovered:

> reflect.Value.SetMapIndex: value of type string is not assignable to type pki.keyId

This was caused by returning a map with type issuerId->keyId; instead switch to returning string->string maps so the audit log can properly HMAC them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
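The panic quoted in this commit is reflect refusing to store a plain string into a map whose value type is a named string type. The Go program below is an added illustration, not code from the Vault repository: `issuerID`/`keyID` and the HMAC walker are constructed stand-ins for the PKI engine's typed IDs and the audit layer, and it shows both the failure on the typed map and the `map[string]string` conversion the commit switched to.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"reflect"
)

// Named ID types standing in for the PKI engine's issuerId/keyId (constructed).
type issuerID string
type keyID string

// hmacMapValues mimics an audit walker: each string value in the map is replaced,
// via reflect, with its HMAC; any reflect panic is returned as an error.
func hmacMapValues(key []byte, m interface{}) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("audit HMAC panic: %v", r)
		}
	}()
	v := reflect.ValueOf(m)
	for _, k := range v.MapKeys() {
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(v.MapIndex(k).String()))
		hashed := "hmac-sha256:" + hex.EncodeToString(mac.Sum(nil))
		// Writes back a plain string: for map[issuerID]keyID reflect refuses
		// ("value of type string is not assignable to type main.keyID").
		v.SetMapIndex(k, reflect.ValueOf(hashed))
	}
	return nil
}

// toStringMap is the fix the commit describes: give the audit layer a
// map[string]string so the HMAC'd strings are assignable to its values.
func toStringMap(m map[issuerID]keyID) map[string]string {
	out := make(map[string]string, len(m))
	for i, k := range m {
		out[string(i)] = string(k)
	}
	return out
}

func main() {
	key, typed := []byte("constructed-audit-key"), map[issuerID]keyID{"issuer-aaaa": "key-1111"}
	fmt.Println("typed map:", hmacMapValues(key, typed)) // panic reported as error
	plain := toStringMap(typed)
	fmt.Println("string map:", hmacMapValues(key, plain), plain) // nil, HMAC'd values
}
```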
When the default issuer and key are missing (and haven't yet been specified), we should clarify that error message. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This makes two minor changes to the existing test suite:

1. Importing partial bundles should now succeed, where they'd previously error.
2. fetchCertBySerial no longer handles CA certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
The old DELETE /root code must now delete all keys and issuers for backwards compatibility. We strongly suggest calling individual delete methods (DELETE /key/:key_ref or DELETE /issuer/:issuer_ref) instead, for finer control. In the process, we detect whether the deleted key/issuer was set as the default. This will allow us to warn (from the single key/deletion issuer code) whether or not the default was deleted (while allowing the operation to succeed). Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
…t missing fields, desc, etc.)
…ndling (#14963) temporary namespace calls
* VAULT-5422: Add rate limit for TOTP passcode attempts
* fixing the docs
* CL
* feedback
* Additional info in doc
* rate limit is done per entity per methodID
* refactoring a test
* rate limit OSS work for policy MFA
* adding max_validation_attempts to TOTP config
* feedback
* checking for non-nil reference
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* fix dev-plugin-dir when backend is builtin
* use builtinRegistry.Contains
* revert aa76337
* use correct plugin type for logical backend after revert
* fix factory func default setting after revert
* add ut coverage for builtin plugin with plugin directory set
* add coverage for secrets plugin type
* use totp in tests to avoid test import cycle in ssh package
* use nomad in tests to avoid test import cycle
* remove secrets mount tests due to unavoidable test import cycle

#15046)
* the conditional fix
* add test coverage
* changelog
* add possesive
* fix language
* fix
* fix
* change quotes
* fix
* replace with find

* WIP
* Cleanup
* cleanup
* Add changelog
* Add MFA support to login helpers
Per updated toolchain update procedure. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* update /monthly endpoint
* change object key names to match API
* update serializers
* add optional no data message for horizontal chart
* add split chart option for attribution component
* wire up filtering namespaces and auth methods
* update clients current tests
* update todos and address comments
* fix attribution test

* fix TypeCommaIntSlice panic caused by json.Number input
* add changelog entry

* website: rm content moved to learn
* fix: delete intro page file and data
* fix: restore page file so build works, need to make change in dev-dot
* fix: avoid empty sidebar data error
* fix: proper rm now that hashicorp/dev-portal#287 has landed

* add BuildDate to version base
* populate BuildDate with ldflags
* include BuildDate in FullVersionNumber
* add BuildDate to seal-status and associated status cmd
* extend core/versions entries to include BuildDate
* include BuildDate in version-history API and CLI
* fix version history tests
* fix sys status tests
* fix TestStatusFormat
* remove extraneous LD_FLAGS from build.sh
* add BuildDate to build.bat
* fix TestSysUnseal_Reset
* attempt to add build-date to release builds
* add branch to github build workflow
* add get-build-date to build-* job needs
* fix release build command vars
* add missing quote in release build command
* Revert "add branch to github build workflow" This reverts commit b835699.
* add changelog entry

* removes site source code
* remove algolia index and docker image workflows
* remove unneeded dependencies

* Includes sprig template functions
* Includes improvements to writeTo template function
* Add sprig functions test, improve failure message

* remove storybook:
* changelog
* clean up
* update browserstack
* remove special case for storybook
* add back gen-story-md
VAULT-5827 Update mongodb, brotli

Closes hashicorp/vault-plugin-secrets-mongodbatlas#11

* `brotli` 1.0.1 was withdrawn
* `go-client-mongodb-atlas` has an old dependency on a renamed repo, and has been renamed twice. This caused issues in hashicorp/vault-plugin-secrets-mongodbatlas#11 for example.
* VAULT-5827 Set unwrap token during database tests

The unwrap token is necessary for the plugins to start correctly when running acceptance tests locally, e.g.,

```
$ VAULT_MONGODBATLAS_PROJECT_ID=... VAULT_MONGODBATLAS_PRIVATE_KEY=... VAULT_MONGODBATLAS_PUBLIC_KEY=... TEST='-run TestBackend_StaticRole_Rotations_MongoDBAtlas github.com/hashicorp/vault/builtin/logical/database' make test
--- FAIL: TestBackend_StaticRole_Rotations_MongoDBAtlas (5.33s)
    rotation_test.go:818: err:%!s(<nil>) resp:&logical.Response{Secret:<nil>, Auth:<nil>, Data:map[string]interface {}{"error":"error creating database object: invalid database version: 2 errors occurred:\n\t* Unrecognized remote plugin message: PASS\n\nThis usually means that the plugin is either invalid or simply\nneeds to be recompiled to support the latest protocol.\n\t* Incompatible API version with plugin. Plugin version: 5, Client versions: [3 4]\n\n"}, Redirect:"", Warnings:[]string(nil), WrapInfo:(*wrapping.ResponseWrapInfo)(nil), Headers:map[string][]string(nil)}
```

Note the `PASS` message there, which indicates that the plugin exited before starting the RPC server.
* deprecating Legacy MFA
* removing legacy MFA doc json entry
* CL
* changing the link to legacy MFA in CL
* removing legacy MFA stuff from credentials' cli

* clean up activity serializer
* fix line chart so only plot months with data
* cleanup monthly serializer
* account for empty months in vertical bar chart
* tidy version upgrade info
* fix version history model typo
* extract const into helper
* add upgrade indicator to line chart
* fix tests
* add todos

* updates path help service to handle setting id of model
* adds changelog entry
* removes changelog entry
Closing this - I really need to rebase, and made a mess of this PR not realizing I couldn't do that here. (Sorry for the spam ecosystem + taoism4504) #15150
There's a bug in PEM/DER encoding of private keys here, but creating the long overdue PR.