scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 01:32:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enables a warning if validations (ent-feature) set issuer configuration so that it isn't usable. (#29781)

Browse Source
This commit is contained in:
Kit Haines
2025-02-28 14:44:52 -05:00
committed by GitHub
parent 39df7fa973
commit 17c0ee93cb
1 changed files with 35 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
builtin/logical/pki/path_fetch_issuers.go
View File

@@ -679,8 +679,10 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
} }
} }
var updatedIssuanceValidations bool
if updateEntIssuerFields(issuer, data, false) { if updateEntIssuerFields(issuer, data, false) {
modified = true modified = true
updatedIssuanceValidations = true
} }
// Updating the chain should be the last modification as there's a chance // Updating the chain should be the last modification as there's a chance
@@ -735,6 +737,8 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
return logical.ErrorResponse("error reverting bad chain update, state unknown: %v, \ninitial error: %v", newErr.Error(), err.Error()), nil return logical.ErrorResponse("error reverting bad chain update, state unknown: %v, \ninitial error: %v", newErr.Error(), err.Error()), nil
} }
return logical.ErrorResponse("other changes to issuer may be persisted. Error setting manual chain, issuer would be unusuable with this chain: %v", err), nil return logical.ErrorResponse("other changes to issuer may be persisted. Error setting manual chain, issuer would be unusuable with this chain: %v", err), nil
} else {
updatedIssuanceValidations = false
} }
} }
@@ -757,6 +761,12 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
response.AddWarning(fmt.Sprintf("issuance may fail: %v\n\nConsider setting the cluster-local address if it is not already set.", aiaErr)) response.AddWarning(fmt.Sprintf("issuance may fail: %v\n\nConsider setting the cluster-local address if it is not already set.", aiaErr))
} }
} }
if updatedIssuanceValidations {
warning := checkIssuer(issuer, ctx, req, b)
if warning != "" {
response.AddWarning(warning)
}
}
return response, err return response, err
} }
@@ -959,6 +969,12 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
issuer.AIAURIs = nil issuer.AIAURIs = nil
} }
updatedIssuanceValidations := false
if updateEntIssuerFields(issuer, data, true) {
modified = true
updatedIssuanceValidations = true
}
// Manual Chain Changes // Manual Chain Changes
newPathData, ok := data.GetOk("manual_chain") newPathData, ok := data.GetOk("manual_chain")
if ok { if ok {
@@ -1012,16 +1028,14 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
return logical.ErrorResponse("error reverting bad chain update, state unknown: %v, \ninitial error: %v", newErr.Error(), err.Error()), nil return logical.ErrorResponse("error reverting bad chain update, state unknown: %v, \ninitial error: %v", newErr.Error(), err.Error()), nil
} }
return logical.ErrorResponse("other changes to issuer may be persisted. Error setting manual chain, issuer would be unusuable with this chain: %v", err), nil return logical.ErrorResponse("other changes to issuer may be persisted. Error setting manual chain, issuer would be unusuable with this chain: %v", err), nil
} else {
updatedIssuanceValidations = false
} }
} }
} }
} }
if updateEntIssuerFields(issuer, data, true) {
modified = true
}
if modified { if modified {
err := sc.writeIssuer(issuer) err := sc.writeIssuer(issuer)
if err != nil { if err != nil {
@@ -1033,6 +1047,12 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
if newName != oldName { if newName != oldName {
addWarningOnDereferencing(sc, oldName, response) addWarningOnDereferencing(sc, oldName, response)
} }
if updatedIssuanceValidations {
warning := checkIssuer(issuer, ctx, req, b)
if warning != "" {
response.AddWarning(warning)
}
}
if issuer.AIAURIs != nil && issuer.AIAURIs.EnableTemplating { if issuer.AIAURIs != nil && issuer.AIAURIs.EnableTemplating {
_, aiaErr := ToURLEntries(sc, issuer.ID, issuer.AIAURIs) _, aiaErr := ToURLEntries(sc, issuer.ID, issuer.AIAURIs)
if aiaErr != nil { if aiaErr != nil {
@@ -1043,6 +1063,17 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
return response, err return response, err
} }
// checkIssuer looks at an issuer that has already been written, and returns a warning if it is not functional.
func checkIssuer(issuer *issuing.IssuerEntry, ctx context.Context, req *logical.Request, b *backend) (warning string) {
if issuer.Usage.HasUsage(issuing.IssuanceUsage) {
err := b.issueSignEmptyCert(ctx, req, issuer.ID.String())
if err != nil {
return fmt.Sprintf("warning: issuer with issuance usage %s cannot issue certificates with this configuration: %v", issuer.ID.String(), err)
}
}
return ""
}
func (b *backend) pathGetRawIssuer(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { func (b *backend) pathGetRawIssuer(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
if b.UseLegacyBundleCaStorage() { if b.UseLegacyBundleCaStorage() {
return logical.ErrorResponse("Can not get issuer until migration has completed"), nil return logical.ErrorResponse("Can not get issuer until migration has completed"), nil