scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 03:27:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add a max_crl_size parameter to CRL config (#28654)

Browse Source 
* wip

* Unit test the CRL limit, wire up config

* Bigger error

* API docs

* wording

* max_crl_entries, + ignore 0 or < -1 values to the config endpoint

* changelog

* rename field in docs

* Update website/content/api-docs/secret/pki/index.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Update website/content/api-docs/secret/pki/index.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

---------

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
This commit is contained in:
Scott Miller
2024-10-09 16:38:55 -05:00
committed by GitHub
parent 3b0614abd0
commit 004dfc49f8
7 changed files with 135 additions and 185 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
builtin/logical/pki/crl_test.go
View File

@@ -285,7 +285,7 @@ func crlEnableDisableTestForBackend(t *testing.T, b *backend, s logical.Storage,
}
serials := make(map[int]string)
for i := 0; i < 6; i++ {
for i := 0; i < 7; i++ {
resp, err := CBWrite(b, s, "issue/test", map[string]interface{}{
"common_name": "test.foobar.com",
})
@@ -323,11 +323,15 @@ func crlEnableDisableTestForBackend(t *testing.T, b *backend, s logical.Storage,
}
}
revoke := func(serialIndex int) {
revoke := func(serialIndex int, errorText ...string) {
_, err = CBWrite(b, s, "revoke", map[string]interface{}{
"serial_number": serials[serialIndex],
})
if err != nil {
if err != nil && len(errorText) == 1 {
if strings.Contains(err.Error(), errorText[0]) {
err = nil
return
}
t.Fatal(err)
}
@@ -377,6 +381,24 @@ func crlEnableDisableTestForBackend(t *testing.T, b *backend, s logical.Storage,
crlCreationTime2 := getParsedCrlFromBackend(t, b, s, "crl").TBSCertList.ThisUpdate
require.NotEqual(t, crlCreationTime1, crlCreationTime2)
// Set a limit, and test that it blocks building an over-large CRL
CBWrite(b, s, "config/crl", map[string]interface{}{
"max_crl_entries": 6,
})
revoke(6, "revocation list size (7) exceeds configured maximum (6)")
test(6)
_, err = CBRead(b, s, "crl/rotate")
require.Error(t, err)
require.True(t, strings.Contains(err.Error(), "revocation list size (7) exceeds configured maximum (6)"))
// Set unlimited, and try again
CBWrite(b, s, "config/crl", map[string]interface{}{
"max_crl_entries": -1,
})
_, err = CBRead(b, s, "crl/rotate")
require.NoError(t, err)
}
func TestBackend_Secondary_CRL_Rebuilding(t *testing.T) {