Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cert/auth: support OCSP role fields #2056

Merged
merged 5 commits into from
Oct 23, 2023
Merged

cert/auth: support OCSP role fields #2056

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4ca5454
cert/auth: support OCSP role fields
fairclothjm Oct 16, 2023
074eeb4
add changelog
fairclothjm Oct 16, 2023
009f38c
docs++
fairclothjm Oct 16, 2023
89b628e
check vault is 1.13+
fairclothjm Oct 16, 2023
4133f8d
docs++
fairclothjm Oct 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

FEATURES:
* Add support for `custom_metadata` on `vault_namespace`: ([#2033](https://github.com/hashicorp/terraform-provider-vault/pull/2033))
* Add support for `OCSP*` role fields for the cert auth resource: ([#2056](https://github.com/hashicorp/terraform-provider-vault/pull/2056))

BUGS:
* Fix panic when readnig client_secret from a public oidc client ([#2048](https://github.com/hashicorp/terraform-provider-vault/pull/2048))
Expand Down
236 changes: 164 additions & 72 deletions vault/resource_cert_auth_backend_role.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,62 +11,113 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"

"github.com/hashicorp/terraform-provider-vault/internal/consts"
"github.com/hashicorp/terraform-provider-vault/internal/provider"
)

const (
fieldAllowedCommonNames = "allowed_common_names"
fieldAllowedDNSSans = "allowed_dns_sans"
fieldAllowedEmailSans = "allowed_email_sans"
fieldAllowedNames = "allowed_names"
fieldAllowedOrganizationUnits = "allowed_organization_units"
fieldAllowedOrganizationalUnits = "allowed_organizational_units"
fieldAllowedURISans = "allowed_uri_sans"
fieldDisplayName = "display_name"
fieldOCSPCACertificates = "ocsp_ca_certificates"
fieldOCSPEnabled = "ocsp_enabled"
fieldOCSPFailOpen = "ocsp_fail_open"
fieldOCSPQueryAllServers = "ocsp_query_all_servers"
fieldOCSPServersOverride = "ocsp_servers_override"
fieldRequiredExtensions = "required_extensions"
)

var (
certAuthStringFields = []string{
consts.FieldCertificate,
fieldDisplayName,
fieldOCSPCACertificates,
}
certAuthListFields = []string{
fieldAllowedCommonNames,
fieldAllowedDNSSans,
fieldAllowedEmailSans,
fieldAllowedNames,
fieldAllowedOrganizationUnits,
fieldAllowedOrganizationalUnits,
fieldAllowedURISans,
fieldOCSPServersOverride,
fieldRequiredExtensions,
}
certAuthBoolFields = []string{
fieldOCSPEnabled,
fieldOCSPFailOpen,
fieldOCSPQueryAllServers,
}

// the following require Vault Server Version 1.13+
certAuthVault113Fields = map[string]bool{
fieldOCSPCACertificates: true,
fieldOCSPEnabled: true,
fieldOCSPFailOpen: true,
fieldOCSPQueryAllServers: true,
fieldOCSPServersOverride: true,
}
)

func certAuthBackendRoleResource() *schema.Resource {
fields := map[string]*schema.Schema{
"name": {
consts.FieldName: {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"certificate": {
consts.FieldCertificate: {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
"allowed_names": {
fieldAllowedNames: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
Computed: true,
},
"allowed_common_names": {
fieldAllowedCommonNames: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
Computed: true,
},
"allowed_dns_sans": {
fieldAllowedDNSSans: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
Computed: true,
},
"allowed_email_sans": {
fieldAllowedEmailSans: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
Computed: true,
},
"allowed_uri_sans": {
fieldAllowedURISans: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
Computed: true,
},
"allowed_organization_units": {
fieldAllowedOrganizationUnits: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
Expand All @@ -76,28 +127,28 @@ func certAuthBackendRoleResource() *schema.Resource {
Deprecated: "Use allowed_organizational_units",
ConflictsWith: []string{"allowed_organizational_units"},
},
"allowed_organizational_units": {
fieldAllowedOrganizationalUnits: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
ConflictsWith: []string{"allowed_organization_units"},
},
"required_extensions": {
fieldRequiredExtensions: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
Computed: true,
},
"display_name": {
fieldDisplayName: {
Type: schema.TypeString,
Optional: true,
Computed: true,
},
"backend": {
consts.FieldBackend: {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
Expand All @@ -106,6 +157,44 @@ func certAuthBackendRoleResource() *schema.Resource {
return strings.Trim(v.(string), "/")
},
},
fieldOCSPCACertificates: {
Type: schema.TypeString,
Optional: true,
Description: "Any additional CA certificates needed to verify OCSP " +
"responses. Provided as base64 encoded PEM data.",
},
fieldOCSPServersOverride: {
Type: schema.TypeSet,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
Description: "A comma-separated list of OCSP server addresses. If " +
"unset, the OCSP server is determined from the " +
"AuthorityInformationAccess extension on the certificate being inspected.",
},
fieldOCSPEnabled: {
Type: schema.TypeBool,
Optional: true,
Computed: true,
Description: "If enabled, validate certificates' revocation status using OCSP.",
},
fieldOCSPFailOpen: {
Type: schema.TypeBool,
Optional: true,
Computed: true,
Description: "If true and an OCSP response cannot be fetched or is " +
"of an unknown status, the login will proceed as if the certificate " +
"has not been revoked.",
},
fieldOCSPQueryAllServers: {
Type: schema.TypeBool,
Optional: true,
Computed: true,
Description: "If set to true, rather than accepting the first " +
"successful OCSP response, query all servers and consider the " +
"certificate valid only if all servers agree.",
},
}

addTokenFields(fields, &addTokenFieldsConfig{})
Expand Down Expand Up @@ -139,38 +228,29 @@ func certAuthResourceWrite(ctx context.Context, d *schema.ResourceData, meta int
data := map[string]interface{}{}
updateTokenFields(d, data, true)

data["certificate"] = d.Get("certificate")

if v, ok := d.GetOk("allowed_names"); ok {
data["allowed_names"] = v.(*schema.Set).List()
for _, k := range certAuthStringFields {
if certAuthVault113Fields[k] && !provider.IsAPISupported(meta, provider.VaultVersion113) {
continue
}
if v, ok := d.GetOk(k); ok {
data[k] = v
}
}

if v, ok := d.GetOk("allowed_common_names"); ok {
data["allowed_common_names"] = v.(*schema.Set).List()
for _, k := range certAuthListFields {
if certAuthVault113Fields[k] && !provider.IsAPISupported(meta, provider.VaultVersion113) {
continue
}
if v, ok := d.GetOk(k); ok {
data[k] = v.(*schema.Set).List()
}
}

if v, ok := d.GetOk("allowed_dns_sans"); ok {
data["allowed_dns_sans"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("allowed_email_sans"); ok {
data["allowed_email_sans"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("allowed_uri_sans"); ok {
data["allowed_uri_sans"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("allowed_organizational_units"); ok {
data["allowed_organizational_units"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("required_extensions"); ok {
data["required_extensions"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("display_name"); ok {
data["display_name"] = v.(string)
for _, k := range certAuthBoolFields {
if certAuthVault113Fields[k] && !provider.IsAPISupported(meta, provider.VaultVersion113) {
continue
}
data[k] = d.Get(k)
}

log.Printf("[DEBUG] Writing %q to cert auth backend", path)
Expand All @@ -195,38 +275,35 @@ func certAuthResourceUpdate(ctx context.Context, d *schema.ResourceData, meta in
data := map[string]interface{}{}
updateTokenFields(d, data, false)

data["certificate"] = d.Get("certificate")

if v, ok := d.GetOk("allowed_names"); ok {
data["allowed_names"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("allowed_common_names"); ok {
data["allowed_common_names"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("allowed_dns_sans"); ok {
data["allowed_dns_sans"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("allowed_email_sans"); ok {
data["allowed_email_sans"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("allowed_uri_sans"); ok {
data["allowed_uri_sans"] = v.(*schema.Set).List()
}

if d.HasChange("allowed_organizational_units") {
data["allowed_organizational_units"] = d.Get("allowed_organizational_units").(*schema.Set).List()
}

if v, ok := d.GetOk("required_extensions"); ok {
data["required_extensions"] = v.(*schema.Set).List()
}

if v, ok := d.GetOk("display_name"); ok {
data["display_name"] = v.(string)
for _, k := range certAuthStringFields {
if certAuthVault113Fields[k] && !provider.IsAPISupported(meta, provider.VaultVersion113) {
continue
}
if v, ok := d.GetOk(k); ok {
data[k] = v
}
}

for _, k := range certAuthListFields {
if certAuthVault113Fields[k] && !provider.IsAPISupported(meta, provider.VaultVersion113) {
continue
}
// special handling for allowed_organizational_units since unsetting
// this in Vault has special meaning (allow all OUs)
if k == fieldAllowedOrganizationalUnits {
if d.HasChange(k) {
data[k] = d.Get(k).(*schema.Set).List()
}
} else if v, ok := d.GetOk(k); ok {
data[k] = v.(*schema.Set).List()
}
}

for _, k := range certAuthBoolFields {
if certAuthVault113Fields[k] && !provider.IsAPISupported(meta, provider.VaultVersion113) {
continue
}
data[k] = d.Get(k)
}

log.Printf("[DEBUG] Updating %q in cert auth backend", path)
Expand Down Expand Up @@ -325,6 +402,21 @@ func certAuthResourceRead(_ context.Context, d *schema.ResourceData, meta interf
return diag.FromErr(err)
}

if provider.IsAPISupported(meta, provider.VaultVersion113) {
ocspFields := []string{
fieldOCSPCACertificates,
fieldOCSPEnabled,
fieldOCSPFailOpen,
fieldOCSPQueryAllServers,
fieldOCSPServersOverride,
}
for _, f := range ocspFields {
if err := d.Set(f, resp.Data[f]); err != nil {
return diag.FromErr(err)
}
}
}

diags := checkCIDRs(d, TokenFieldBoundCIDRs)

return diags
Expand Down
Loading