Add ACME health checks to pki health-check CLI (#20619)

* Add ACME health checks to pki health-check CLI

 - Verify we have the required header values listed within allowed_response_headers: 'Replay-Nonce', 'Link', 'Location'
 - Make sure the local cluster config path variable contains a URL with an https scheme

* Split ACME health checks into two separate verifications

 - Promote ACME usage through the enable_acme_issuance check, if ACME is disabled currently
 - If ACME is enabled verify that we have a valid
    'path' field within local cluster configuration as well as the proper response headers allowed.
 - Factor out response header verifications into a separate check mainly to work around possible permission issues.

* Only recommend enabling ACME on mounts with intermediate issuers

* Attempt to connect to the ACME directory based on the cluster path variable

 - Final health check is to attempt to connect to the ACME directory based on the cluster local 'path' value. Only if we successfully connect do we say ACME is healthy.

* Fix broken unit test
Steven Clark
2023-05-23 10:37:31 -04:00
committed by GitHub
parent 676d1c69fe
commit 476bec104e
4 changed files with 451 additions and 1 deletions


@@ -7,6 +7,7 @@ import (
"bytes"
"encoding/json"
"fmt"
"net/url"
"strings"
"testing"
"time"
@@ -30,7 +31,7 @@ func TestPKIHC_AllGood(t *testing.T) {
AuditNonHMACRequestKeys: healthcheck.VisibleReqParams,
AuditNonHMACResponseKeys: healthcheck.VisibleRespParams,
PassthroughRequestHeaders: []string{"If-Modified-Since"},
AllowedResponseHeaders: []string{"Last-Modified"},
AllowedResponseHeaders: []string{"Last-Modified", "Replay-Nonce", "Link", "Location"},
MaxLeaseTTL: "36500d",
},
}); err != nil {
@@ -69,6 +70,21 @@ func TestPKIHC_AllGood(t *testing.T) {
t.Fatalf("failed to run tidy: %v", err)
}
path, err := url.Parse(client.Address())
require.NoError(t, err, "failed parsing client address")
if _, err := client.Logical().Write("pki/config/cluster", map[string]interface{}{
"path": path.JoinPath("/v1/", "pki/").String(),
}); err != nil {
t.Fatalf("failed to update local cluster: %v", err)
}
if _, err := client.Logical().Write("pki/config/acme", map[string]interface{}{
"enabled": "true",
}); err != nil {
t.Fatalf("failed to update acme config: %v", err)
}
_, _, results := execPKIHC(t, client, true)
validateExpectedPKIHC(t, expectedAllGood, results)
@@ -345,6 +361,11 @@ var expectedAllGood = map[string][]map[string]interface{}{
"status": "ok",
},
},
"allow_acme_headers": {
{
"status": "ok",
},
},
"allow_if_modified_since": {
{
"status": "ok",
@@ -355,6 +376,11 @@ var expectedAllGood = map[string][]map[string]interface{}{
"status": "ok",
},
},
"enable_acme_issuance": {
{
"status": "ok",
},
},
"enable_auto_tidy": {
{
"status": "ok",
@@ -406,6 +432,11 @@ var expectedAllBad = map[string][]map[string]interface{}{
"status": "critical",
},
},
"allow_acme_headers": {
{
"status": "not_applicable",
},
},
"allow_if_modified_since": {
{
"status": "informational",
@@ -503,6 +534,11 @@ var expectedAllBad = map[string][]map[string]interface{}{
"status": "informational",
},
},
"enable_acme_issuance": {
{
"status": "not_applicable",
},
},
"enable_auto_tidy": {
{
"status": "informational",
@@ -554,8 +590,18 @@ var expectedEmptyWithIssuer = map[string][]map[string]interface{}{
"status": "ok",
},
},
"allow_acme_headers": {
{
"status": "not_applicable",
},
},
"allow_if_modified_since": nil,
"audit_visibility": nil,
"enable_acme_issuance": {
{
"status": "not_applicable",
},
},
"enable_auto_tidy": {
{
"status": "informational",
@@ -598,8 +644,18 @@ var expectedNoPerm = map[string][]map[string]interface{}{
"status": "critical",
},
},
"allow_acme_headers": {
{
"status": "insufficient_permissions",
},
},
"allow_if_modified_since": nil,
"audit_visibility": nil,
"enable_acme_issuance": {
{
"status": "insufficient_permissions",
},
},
"enable_auto_tidy": {
{
"status": "insufficient_permissions",