Enables a warning if validations (ent-feature) set issuer configuration so that it isn't usable. (#29781)

Kit Haines
2025-02-28 14:44:52 -05:00
committed by GitHub
parent 39df7fa973
commit 17c0ee93cb


@@ -679,8 +679,10 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
}
}
var updatedIssuanceValidations bool
if updateEntIssuerFields(issuer, data, false) {
modified = true
updatedIssuanceValidations = true
}
// Updating the chain should be the last modification as there's a chance
@@ -735,6 +737,8 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
return logical.ErrorResponse("error reverting bad chain update, state unknown: %v, \ninitial error: %v", newErr.Error(), err.Error()), nil
}
return logical.ErrorResponse("other changes to issuer may be persisted. Error setting manual chain, issuer would be unusuable with this chain: %v", err), nil
} else {
updatedIssuanceValidations = false
}
}
@@ -757,6 +761,12 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
response.AddWarning(fmt.Sprintf("issuance may fail: %v\n\nConsider setting the cluster-local address if it is not already set.", aiaErr))
}
}
if updatedIssuanceValidations {
warning := checkIssuer(issuer, ctx, req, b)
if warning != "" {
response.AddWarning(warning)
}
}
return response, err
}
@@ -959,6 +969,12 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
issuer.AIAURIs = nil
}
updatedIssuanceValidations := false
if updateEntIssuerFields(issuer, data, true) {
modified = true
updatedIssuanceValidations = true
}
// Manual Chain Changes
newPathData, ok := data.GetOk("manual_chain")
if ok {
@@ -1012,16 +1028,14 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
return logical.ErrorResponse("error reverting bad chain update, state unknown: %v, \ninitial error: %v", newErr.Error(), err.Error()), nil
}
return logical.ErrorResponse("other changes to issuer may be persisted. Error setting manual chain, issuer would be unusuable with this chain: %v", err), nil
} else {
updatedIssuanceValidations = false
}
}
}
}
if updateEntIssuerFields(issuer, data, true) {
modified = true
}
if modified {
err := sc.writeIssuer(issuer)
if err != nil {
@@ -1033,6 +1047,12 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
if newName != oldName {
addWarningOnDereferencing(sc, oldName, response)
}
if updatedIssuanceValidations {
warning := checkIssuer(issuer, ctx, req, b)
if warning != "" {
response.AddWarning(warning)
}
}
if issuer.AIAURIs != nil && issuer.AIAURIs.EnableTemplating {
_, aiaErr := ToURLEntries(sc, issuer.ID, issuer.AIAURIs)
if aiaErr != nil {
@@ -1043,6 +1063,17 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
return response, err
}
// checkIssuer looks at an issuer that has already been written, and returns a warning if it is not functional.
func checkIssuer(issuer *issuing.IssuerEntry, ctx context.Context, req *logical.Request, b *backend) (warning string) {
if issuer.Usage.HasUsage(issuing.IssuanceUsage) {
err := b.issueSignEmptyCert(ctx, req, issuer.ID.String())
if err != nil {
return fmt.Sprintf("warning: issuer with issuance usage %s cannot issue certificates with this configuration: %v", issuer.ID.String(), err)
}
}
return ""
}
func (b *backend) pathGetRawIssuer(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
if b.UseLegacyBundleCaStorage() {
return logical.ErrorResponse("Can not get issuer until migration has completed"), nil
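Review bot: The new `else { updatedIssuanceValidations = false }` branches attached to the manual-chain error handling in both pathUpdateIssuer and pathPatchIssuer clear the flag exactly when the chain update succeeded, so a request that changes the ent issuance fields together with `manual_chain` never reaches the new `checkIssuer` call; unless the chain-update path already exercises issuance itself, that looks inverted, and either way the intent deserves a comment such as `// chain update already validated issuance; skip the post-write check`. `checkIssuer` also takes `ctx` second and `b` last, unlike every other function in these hunks, and since it only dispatches to `b.issueSignEmptyCert` it would read consistently as a method: `func (b *backend) checkIssuer(ctx context.Context, req *logical.Request, issuer *issuing.IssuerEntry) string`. Because the check runs only after `writeIssuer`, the unusable configuration is already persisted when the warning is produced, which matches the commit title but should be stated in the doc comment, along with whether `issueSignEmptyCert` persists the throwaway certificate or consumes a serial, something I cannot confirm from this hunk. The enclosing pathUpdateIssuer and pathPatchIssuer bodies start and end outside the visible hunks.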