* Correctly preserve other issuer config params When setting a new default issuer, our helper function would overwrite other parameters in the issuer configuration entry. However, up until now, there were none. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add new parameter to allow default to follow new This parameter will allow operators to have the default issuer automatically update when a new root is generated or a single issuer with a key (potentially with others lacking key) is imported. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Storage migration tests fail on new members These internal members shouldn't be tested by the storage migration code, and so should be elided from the test results. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Follow new issuer on root generation, import This updates the two places where issuers can be created (outside of legacy CA bundle migration which already sets the default) to follow newly created issuers when the config is set. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add documentation Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test for new default-following behavior Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
package pki
import (
"fmt"
"strings"
"time"
)
// isDefaultKeySet reports whether the stored key configuration names a
// default key. An identifier consisting only of whitespace counts as unset.
// Any error from loading the key configuration is returned unchanged.
func (sc *storageContext) isDefaultKeySet() (bool, error) {
	keysCfg, err := sc.getKeysConfig()
	if err != nil {
		return false, err
	}

	defaultID := strings.TrimSpace(keysCfg.DefaultKeyId.String())
	isSet := defaultID != ""
	return isSet, nil
}
// isDefaultIssuerSet reports whether the stored issuer configuration names
// a default issuer. An identifier consisting only of whitespace counts as
// unset. Any error from loading the issuer configuration is returned unchanged.
func (sc *storageContext) isDefaultIssuerSet() (bool, error) {
	issuersCfg, err := sc.getIssuersConfig()
	if err != nil {
		return false, err
	}

	defaultID := strings.TrimSpace(issuersCfg.DefaultIssuerId.String())
	isSet := defaultID != ""
	return isSet, nil
}
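// updateDefaultKeyId points the key configuration at id, persisting the
// change only when the stored default actually differs.
//
// The loaded entry is modified in place and written back rather than being
// replaced by a freshly constructed keyConfigEntry, so any other parameters
// the key configuration carries (now or later) are preserved. This mirrors
// how updateDefaultIssuerId treats the issuer configuration.
//
// Returns the error from loading or persisting the key configuration.
func (sc *storageContext) updateDefaultKeyId(id keyID) error {
	config, err := sc.getKeysConfig()
	if err != nil {
		return err
	}

	if config.DefaultKeyId == id {
		// Already the default; skip the redundant storage write.
		return nil
	}

	config.DefaultKeyId = id
	return sc.setKeysConfig(config)
}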
// updateDefaultIssuerId points the issuer configuration at id, persisting
// the change only when the stored default actually differs. The loaded
// entry is modified in place so its other parameters are kept intact.
//
// Returns the error from loading or persisting the issuer configuration.
func (sc *storageContext) updateDefaultIssuerId(id issuerID) error {
	issuersCfg, err := sc.getIssuersConfig()
	if err != nil {
		return err
	}

	if issuersCfg.DefaultIssuerId == id {
		// Already the default; nothing to persist.
		return nil
	}

	issuersCfg.DefaultIssuerId = id
	return sc.setIssuersConfig(issuersCfg)
}
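// changeDefaultIssuerTimestamps refreshes the modification timestamps that
// depend on which issuer is the default, after the default moves from
// oldDefault to newDefault. It is a no-op when the two identifiers are equal.
//
// Both issuer entries (when present) and the local CRL configuration receive
// the same timestamp; the comments in the body record which served path each
// of them backs. Errors from storage are wrapped with %w so callers can
// inspect the underlying cause with errors.Is / errors.As.
func (sc *storageContext) changeDefaultIssuerTimestamps(oldDefault issuerID, newDefault issuerID) error {
	if newDefault == oldDefault {
		return nil
	}

	// A single instant for every entry touched, so they agree with each other.
	now := time.Now().UTC()

	// When the default issuer changes, we need to modify four
	// pieces of information:
	//
	// 1. The old default issuer's modification time, as it no
	//    longer works for the /cert/ca path.
	// 2. The new default issuer's modification time, as it now
	//    works for the /cert/ca path.
	// 3. & 4. Both issuers' CRLs, as they behave the same, under
	//    the /cert/crl path!
	for _, thisId := range []issuerID{oldDefault, newDefault} {
		// An empty identifier means there was no previous (or no new)
		// default, so there is no issuer entry to touch.
		if len(thisId) == 0 {
			continue
		}

		// 1 & 2 above.
		issuer, err := sc.fetchIssuerById(thisId)
		if err != nil {
			return fmt.Errorf("unable to update issuer (%v)'s modification time: error fetching issuer: %w", thisId, err)
		}

		issuer.LastModified = now
		if err := sc.writeIssuer(issuer); err != nil {
			return fmt.Errorf("unable to update issuer (%v)'s modification time: error persisting issuer: %w", thisId, err)
		}
	}

	// Fetch and update the localCRLConfigEntry (3 & 4).
	cfg, err := sc.getLocalCRLConfig()
	if err != nil {
		return fmt.Errorf("unable to update local CRL config's modification time: error fetching local CRL config: %w", err)
	}

	// Both the full and the delta CRL timestamps move together.
	cfg.LastModified = now
	cfg.DeltaLastModified = now
	if err := sc.setLocalCRLConfig(cfg); err != nil {
		return fmt.Errorf("unable to update local CRL config's modification time: error persisting local CRL config: %w", err)
	}

	return nil
}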