From c3d0f9f2bd6f17376837f2fa0e2a1cc10a9bc6d8 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 27 Oct 2022 11:20:12 -0400
Subject: [PATCH] Add empty expiry crlConfig upgrade test (#17701)
* Add regression test for default CRL expiry Also fixes a bug w.r.t. upgrading older entries and missing the Delta Rebuild Interval field, setting it to the default. Signed-off-by: Alexander Scheel * Add changelog for earlier PR Signed-off-by: Alexander Scheel Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/backend_test.go | 23 +++++++++++++++++++++++
 builtin/logical/pki/storage.go | 6 ++++++
 changelog/17693.txt | 3 +++
 3 files changed, 32 insertions(+)
 create mode 100644 changelog/17693.txt
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index dbd2be2e3d..73b6e9188f 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -5861,6 +5861,29 @@ EBuOIhCv6WiwVyGeTVynuHYkHyw3rIL/zU7N8+zIFV2G2M1UAv5D/eyh/74cr9Of
 requireSuccessNonNilResponse(t, resp, err, "failed to issue PSS leaf")
 }
 
+func TestPKI_EmptyCRLConfigUpgraded(t *testing.T) {
+ t.Parallel()
+ b, s := createBackendWithStorage(t)
+
+ // Write an empty CRLConfig into storage.
+ crlConfigEntry, err := logical.StorageEntryJSON("config/crl", &crlConfig{})
+ require.NoError(t, err)
+ err = s.Put(ctx, crlConfigEntry)
+ require.NoError(t, err)
+
+ resp, err := CBRead(b, s, "config/crl")
+ require.NoError(t, err)
+ require.NotNil(t, resp)
+ require.NotNil(t, resp.Data)
+ require.Equal(t, resp.Data["expiry"], defaultCrlConfig.Expiry)
+ require.Equal(t, resp.Data["disable"], defaultCrlConfig.Disable)
+ require.Equal(t, resp.Data["ocsp_disable"], defaultCrlConfig.OcspDisable)
+ require.Equal(t, resp.Data["auto_rebuild"], defaultCrlConfig.AutoRebuild)
+ require.Equal(t, resp.Data["auto_rebuild_grace_period"], defaultCrlConfig.AutoRebuildGracePeriod)
+ require.Equal(t, resp.Data["enable_delta"], defaultCrlConfig.EnableDelta)
+ require.Equal(t, resp.Data["delta_rebuild_interval"], defaultCrlConfig.DeltaRebuildInterval)
+}
+
 var (
 initTest sync.Once
 rsaCAKey string
diff --git a/builtin/logical/pki/storage.go b/builtin/logical/pki/storage.go
index fe9d5a3491..8bdd411497 100644
--- a/builtin/logical/pki/storage.go
+++ b/builtin/logical/pki/storage.go
@@ -1173,6 +1173,12 @@ func (sc *storageContext) getRevocationConfig() (*crlConfig, error) {
 result.AutoRebuildGracePeriod = defaultCrlConfig.AutoRebuildGracePeriod
 result.Version = 1
 }
+ if result.Version == 1 {
+ if result.DeltaRebuildInterval == "" {
+ result.DeltaRebuildInterval = defaultCrlConfig.DeltaRebuildInterval
+ }
+ result.Version = 2
+ }
 
 // Depending on client version, it's possible that the expiry is unset.
 // This sets the default value to prevent issues in downstream code.
diff --git a/changelog/17693.txt b/changelog/17693.txt
new file mode 100644
index 0000000000..748af4eddd
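Review bot: TestPKI_EmptyCRLConfigUpgraded in backend_test.go only stores an all-empty `crlConfig{}`, so it shows that missing fields receive defaults but not that the upgrade leaves an operator-set value alone, which matters for settings that govern CRL and OCSP publishing. A second stored entry such as `&crlConfig{Version: 1, DeltaRebuildInterval: "1h"}` (constructed sample value) checked with `require.Equal(t, "1h", resp.Data["delta_rebuild_interval"])` would pin that, assuming the read path returns the stored string unchanged. The `require.Equal` calls also pass the actual value before the expected one; testify's order is expected then actual, so a failure message would label the two the wrong way round, e.g. `require.Equal(t, defaultCrlConfig.Expiry, resp.Data["expiry"])`.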
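Review bot: The new `result.Version == 1` step in getRevocationConfig (storage.go) has no comment saying why a version 1 entry can lack `DeltaRebuildInterval`, and the bare `1` and `2` make the migration chain harder to follow as more steps are added. A line such as `// Version 1 entries may predate delta_rebuild_interval; fill in the default without overwriting a stored value.` above the block would record that. The hunk does not show whether the upgraded entry is written back to storage or only patched in memory on each read; if it is the latter, that is worth stating in the same comment, since the stored `Version` then never advances. The function starts and ends outside the hunk.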
--- /dev/null
+++ b/changelog/17693.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default.
+```