Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Force new root CA resource creation on out of band changes #1432

Merged
merged 8 commits into from
May 6, 2022
Merged

Force new root CA resource creation on out of band changes #1432

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
624411d
Force new root CA creation on out of band changes
benashz May 3, 2022
7abee15
Add read function for detecting an orphaned mount
benashz May 3, 2022
bf19e0c
Drop vestigial Read func
benashz May 3, 2022
1ac9b55
Remove extraneous file
benashz May 4, 2022
fd6cb1a
Correct logic in CheckMountEnabled()
benashz May 5, 2022
1401134
Add support for testing certificate renewal
benashz May 5, 2022
2cc2482
Docs: move serial to the deprecations section
benashz May 5, 2022
35570aa
Update changelog
benashz May 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 27 additions & 1 deletion util/util.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,16 @@ func ToStringArray(input []interface{}) []string {
}

func Is404(err error) bool {
return strings.Contains(err.Error(), "Code: 404")
return ErrorContainsHTTPCode(err, http.StatusNotFound)
}

func ErrorContainsHTTPCode(err error, codes ...int) bool {
for _, code := range codes {
if strings.Contains(err.Error(), fmt.Sprintf("Code: %d", code)) {
return true
}
}
return false
}

func CalculateConflictsWith(self string, group []string) []string {
Expand Down Expand Up @@ -296,3 +305,20 @@ func SetResourceData(d *schema.ResourceData, data map[string]interface{}) error

return nil
}

// NormalizeMountPath to be in a form valid for accessing values from api.MountOutput
func NormalizeMountPath(path string) string {
return strings.Trim(path, "/") + "/"
}

// CheckMountEnabled in Vault, path must contain a trailing '/',
func CheckMountEnabled(client *api.Client, path string) (bool, error) {
mounts, err := client.Sys().ListMounts()
if err != nil {
return false, err
}

_, ok := mounts[NormalizeMountPath(path)]

return ok, nil
}
57 changes: 48 additions & 9 deletions vault/resource_pki_secret_backend_cert_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (

type testPKICertStore struct {
cert string
serialNumber string
expectRevoked bool
}

Expand Down Expand Up @@ -341,22 +342,34 @@ func testPkiSecretBackendCertWaitUntilRenewal(n string) resource.TestCheckFunc {
}
}

func testCapturePKICert(resourcePath string, store *testPKICertStore) resource.TestCheckFunc {
func testCapturePKICert(resourceName string, store *testPKICertStore) resource.TestCheckFunc {
return func(s *terraform.State) error {
for _, rs := range s.RootModule().Resources {
if rs.Type != "vault_pki_secret_backend_cert" {
continue
}
rs, err := testGetResourceFromRootModule(s, resourceName)
if err != nil {
return err
}

cert, ok := rs.Primary.Attributes["certificate"]
if !ok {
return fmt.Errorf("certificate not found in state")
}
store.cert = cert

store.cert = rs.Primary.Attributes["certificate"]
v, err := strconv.ParseBool(rs.Primary.Attributes["revoke"])
sn, ok := rs.Primary.Attributes["serial_number"]
if !ok {
return fmt.Errorf("serial_number not found in state")
}
store.serialNumber = sn

if val, ok := rs.Primary.Attributes["revoke"]; ok {
v, err := strconv.ParseBool(val)
if err != nil {
return err
}
store.expectRevoked = v
return nil
}
return fmt.Errorf("certificate not found in state")

return nil
}
}

Expand Down Expand Up @@ -414,3 +427,29 @@ func testPKICertRevocation(path string, store *testPKICertStore) resource.TestCh
return nil
}
}

func testPKICertReIssued(resourceName string, store *testPKICertStore) resource.TestCheckFunc {
return func(s *terraform.State) error {
rs, err := testGetResourceFromRootModule(s, resourceName)
if err != nil {
return err
}
if store.serialNumber == "" {
return fmt.Errorf("serial_number must be set on test store %#v", store)
}

if store.serialNumber == rs.Primary.Attributes["serial_number"] {
return fmt.Errorf("expected certificate not re-issued, serial_number was not changed")
}

return nil
}
}

func testGetResourceFromRootModule(s *terraform.State, resourceName string) (*terraform.ResourceState, error) {
if rs, ok := s.RootModule().Resources[resourceName]; ok {
return rs, nil
}

return nil, fmt.Errorf("expected resource %q, not found in state", resourceName)
}
135 changes: 129 additions & 6 deletions vault/resource_pki_secret_backend_root_cert.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,68 @@
package vault

import (
"context"
"crypto/x509"
"encoding/pem"
"fmt"
"io"
"log"
"net/http"
"strings"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/sdk/helper/certutil"

"github.com/hashicorp/terraform-provider-vault/util"
)

func pkiSecretBackendRootCertResource() *schema.Resource {
return &schema.Resource{
Create: pkiSecretBackendRootCertCreate,
Read: pkiSecretBackendRootCertRead,
Update: pkiSecretBackendRootCertUpdate,
Delete: pkiSecretBackendRootCertDelete,
Update: func(data *schema.ResourceData, i interface{}) error {
return nil
},
Read: pkiSecretBackendRootCertRead,
StateUpgraders: []schema.StateUpgrader{
{
Version: 0,
Type: pkiSecretBackendRootCertV0().CoreConfigSchema().ImpliedType(),
Upgrade: pkiSecretBackendRootCertUpgradeV0,
},
},
SchemaVersion: 1,
CustomizeDiff: func(_ context.Context, d *schema.ResourceDiff, meta interface{}) error {
key := "serial"
o, _ := d.GetChange(key)
// skip on new resource
if o.(string) == "" {
return nil
}

client := meta.(*api.Client)
cert, err := getCACertificate(client, d.Get("backend").(string))
if err != nil {
return err
}

if cert != nil {
n := certutil.GetHexFormatted(cert.SerialNumber.Bytes(), ":")
if d.Get(key).(string) != n {
if err := d.SetNewComputed(key); err != nil {
return err
}
if err := d.ForceNew(key); err != nil {
return err
}
}

}

return nil
},

Schema: map[string]*schema.Schema{
"backend": {
Expand Down Expand Up @@ -177,7 +224,7 @@ func pkiSecretBackendRootCertResource() *schema.Resource {
"certificate": {
Type: schema.TypeString,
Computed: true,
Description: "The certicate.",
Description: "The certificate.",
},
"issuing_ca": {
Type: schema.TypeString,
Expand All @@ -187,8 +234,14 @@ func pkiSecretBackendRootCertResource() *schema.Resource {
"serial": {
Type: schema.TypeString,
Computed: true,
Deprecated: "Use serial_number instead",
Description: "The serial number.",
},
"serial_number": {
Type: schema.TypeString,
Computed: true,
Description: "The certificate's serial number, hex formatted.",
},
},
}
}
Expand Down Expand Up @@ -279,17 +332,67 @@ func pkiSecretBackendRootCertCreate(d *schema.ResourceData, meta interface{}) er
d.Set("certificate", resp.Data["certificate"])
d.Set("issuing_ca", resp.Data["issuing_ca"])
d.Set("serial", resp.Data["serial_number"])
d.Set("serial_number", resp.Data["serial_number"])

d.SetId(path)
return pkiSecretBackendRootCertRead(d, meta)

return nil
}

func pkiSecretBackendRootCertRead(d *schema.ResourceData, meta interface{}) error {
if d.IsNewResource() {
return nil
}

client := meta.(*api.Client)
path := d.Get("backend").(string)
enabled, err := util.CheckMountEnabled(client, path)
if err != nil {
log.Printf("[WARN] Failed to check if mount %q exist, preempting the read operation", path)
return nil
}

// trigger a resource re-creation whenever the engine's mount has disappeared
if !enabled {
log.Printf("[WARN] Mount %q does not exist, setting resource for re-creation", path)
d.SetId("")
}

return nil
}

func pkiSecretBackendRootCertUpdate(d *schema.ResourceData, m interface{}) error {
return nil
func getCACertificate(client *api.Client, mount string) (*x509.Certificate, error) {
path := fmt.Sprintf("/v1/%s/ca/pem", mount)
req := client.NewRequest(http.MethodGet, path)
req.ClientToken = ""
resp, err := client.RawRequest(req)
if err != nil {
if util.ErrorContainsHTTPCode(err, http.StatusNotFound, http.StatusForbidden) {
return nil, nil
}
return nil, err
}

if resp == nil {
return nil, fmt.Errorf("expected a response body, got nil response")
}

defer resp.Body.Close()
data, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}

b, _ := pem.Decode(data)
if b != nil {
cert, err := x509.ParseCertificate(b.Bytes)
if err != nil {
return nil, err
}
return cert, nil
}

return nil, nil
}

func pkiSecretBackendRootCertDelete(d *schema.ResourceData, meta interface{}) error {
Expand All @@ -314,3 +417,23 @@ func pkiSecretBackendIntermediateSetSignedReadPath(backend string, rootType stri
func pkiSecretBackendIntermediateSetSignedDeletePath(backend string) string {
return strings.Trim(backend, "/") + "/root"
}

func pkiSecretBackendRootCertV0() *schema.Resource {
return &schema.Resource{
Schema: map[string]*schema.Schema{
"serial_number": {
Type: schema.TypeString,
Optional: true,
Computed: true,
},
},
}
}

func pkiSecretBackendRootCertUpgradeV0(
_ context.Context, rawState map[string]interface{}, _ interface{},
) (map[string]interface{}, error) {
rawState["serial_number"] = rawState["serial"]

return rawState, nil
}
Loading