Skip to content

Commit

Permalink
Address some small issues within pki health-check (hashicorp#19295)
Browse files Browse the repository at this point in the history 
* Address some small issues within pki health-check

 - Notify user yaml output mode is not support with --list argument
 - Output pure JSON in json output mode with --list argument
 - If a checker returns a nil response, convert to an empty slice
 - Add handler for permission errors to too many certs checker
 - Add checks for permission issues within hardware_backed_root and root_issued_leaves

* Identify the role that contained the permission issue in role based checks

 - Augument the role health checks to identify the role(s) that we have
   insufficient permissions to read instead of an overall read failure
 - Treat the failure to list roles as a complete failure for the check
  • Loading branch information
@stevendpclark
stevendpclark authored Feb 24, 2023
1 parent a9e17c2 commit d08bf56
Show file tree
Hide file tree
Showing 9 changed files with 187 additions and 45 deletions.
4 changes: 4 additions & 0 deletions command/healthcheck/healthcheck.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,10 @@ func (e *Executor) Execute() (map[string][]*Result, error) {
return nil, fmt.Errorf("failed to evaluate %v: %w", checker.Name(), err)
}

if results == nil {
results = []*Result{}
}

for _, result := range results {
result.Endpoint = e.templatePath(result.Endpoint)
result.StatusDisplay = ResultStatusNameMap[result.Status]
Expand Down
26 changes: 25 additions & 1 deletion command/healthcheck/pki_hardware_backed_root.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,14 @@ type HardwareBackedRoot struct {

UnsupportedVersion bool

FetchIssues map[string]*PathFetch
IssuerKeyMap map[string]string
KeyIsManaged map[string]string
}

func NewHardwareBackedRootCheck() Check {
return &HardwareBackedRoot{
FetchIssues: make(map[string]*PathFetch),
IssuerKeyMap: make(map[string]string),
KeyIsManaged: make(map[string]string),
}
Expand Down Expand Up @@ -64,6 +66,7 @@ func (h *HardwareBackedRoot) FetchResources(e *Executor) error {
if err != nil {
return err
}
h.FetchIssues[issuer] = ret
continue
}

Expand All @@ -83,13 +86,15 @@ func (h *HardwareBackedRoot) FetchResources(e *Executor) error {
}

h.IssuerKeyMap[issuer] = keyId
skip, _, keyEntry, err := pkiFetchKeyEntry(e, keyId, func() {
skip, ret, keyEntry, err := pkiFetchKeyEntry(e, keyId, func() {
h.UnsupportedVersion = true
})
if skip || err != nil || keyEntry == nil {
if err != nil {
return err
}

h.FetchIssues[issuer] = ret
continue
}

Expand All @@ -112,6 +117,25 @@ func (h *HardwareBackedRoot) Evaluate(e *Executor) (results []*Result, err error
return []*Result{&ret}, nil
}

for issuer, fetchPath := range h.FetchIssues {
if fetchPath != nil && fetchPath.IsSecretPermissionsError() {
delete(h.IssuerKeyMap, issuer)
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: fetchPath.Path,
Message: "Without this information, this health check is unable to function.",
}

if e.Client.Token() == "" {
ret.Message = "No token available so unable for the endpoint for this mount. " + ret.Message
} else {
ret.Message = "This token lacks permission for the endpoint for this mount. " + ret.Message
}

results = append(results, &ret)
}
}

for name, keyId := range h.IssuerKeyMap {
var ret Result
ret.Status = ResultInformational
Expand Down
39 changes: 30 additions & 9 deletions command/healthcheck/pki_role_allows_glob_wildcards.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,16 @@ import (
type RoleAllowsGlobWildcards struct {
Enabled bool
UnsupportedVersion bool
NoPerms bool

RoleEntryMap map[string]map[string]interface{}
RoleListFetchIssue *PathFetch
RoleFetchIssues map[string]*PathFetch
RoleEntryMap map[string]map[string]interface{}
}

func NewRoleAllowsGlobWildcardsCheck() Check {
return &RoleAllowsGlobWildcards{
RoleEntryMap: make(map[string]map[string]interface{}),
RoleFetchIssues: make(map[string]*PathFetch),
RoleEntryMap: make(map[string]map[string]interface{}),
}
}

Expand Down Expand Up @@ -49,7 +51,7 @@ func (h *RoleAllowsGlobWildcards) FetchResources(e *Executor) error {
})
if exit || err != nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleListFetchIssue = f
}
return err
}
Expand All @@ -60,7 +62,7 @@ func (h *RoleAllowsGlobWildcards) FetchResources(e *Executor) error {
})
if skip || err != nil || entry == nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleFetchIssues[role] = f
}
if err != nil {
return err
Expand All @@ -84,18 +86,37 @@ func (h *RoleAllowsGlobWildcards) Evaluate(e *Executor) (results []*Result, err
}
return []*Result{&ret}, nil
}
if h.NoPerms {
if h.RoleListFetchIssue != nil && h.RoleListFetchIssue.IsSecretPermissionsError() {
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: "/{{mount}}/roles",
Message: "lacks permission either to list the roles or to read a specific role. This may restrict the ability to fully execute this health check.",
Endpoint: h.RoleListFetchIssue.Path,
Message: "lacks permission either to list the roles. This restricts the ability to fully execute this health check.",
}
if e.Client.Token() == "" {
ret.Message = "No token available and so this health check " + ret.Message
} else {
ret.Message = "This token " + ret.Message
}
results = append(results, &ret)
return []*Result{&ret}, nil
}

for role, fetchPath := range h.RoleFetchIssues {
if fetchPath != nil && fetchPath.IsSecretPermissionsError() {
delete(h.RoleEntryMap, role)
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: fetchPath.Path,
Message: "Without this information, this health check is unable to function.",
}

if e.Client.Token() == "" {
ret.Message = "No token available so unable for the endpoint for this mount. " + ret.Message
} else {
ret.Message = "This token lacks permission the endpoint for this mount. " + ret.Message
}

results = append(results, &ret)
}
}

for role, entry := range h.RoleEntryMap {
Expand Down
40 changes: 31 additions & 9 deletions command/healthcheck/pki_role_allows_localhost.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,16 @@ import (
type RoleAllowsLocalhost struct {
Enabled bool
UnsupportedVersion bool
NoPerms bool

RoleEntryMap map[string]map[string]interface{}
RoleListFetchIssue *PathFetch
RoleFetchIssues map[string]*PathFetch
RoleEntryMap map[string]map[string]interface{}
}

func NewRoleAllowsLocalhostCheck() Check {
return &RoleAllowsLocalhost{
RoleEntryMap: make(map[string]map[string]interface{}),
RoleFetchIssues: make(map[string]*PathFetch),
RoleEntryMap: make(map[string]map[string]interface{}),
}
}

Expand Down Expand Up @@ -48,7 +50,7 @@ func (h *RoleAllowsLocalhost) FetchResources(e *Executor) error {
})
if exit || err != nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleListFetchIssue = f
}
return err
}
Expand All @@ -59,7 +61,7 @@ func (h *RoleAllowsLocalhost) FetchResources(e *Executor) error {
})
if skip || err != nil || entry == nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleFetchIssues[role] = f
}
if err != nil {
return err
Expand All @@ -83,18 +85,38 @@ func (h *RoleAllowsLocalhost) Evaluate(e *Executor) (results []*Result, err erro
}
return []*Result{&ret}, nil
}
if h.NoPerms {

if h.RoleListFetchIssue != nil && h.RoleListFetchIssue.IsSecretPermissionsError() {
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: "/{{mount}}/roles",
Message: "lacks permission either to list the roles or to read a specific role. This may restrict the ability to fully execute this health check",
Endpoint: h.RoleListFetchIssue.Path,
Message: "lacks permission either to list the roles. This restricts the ability to fully execute this health check.",
}
if e.Client.Token() == "" {
ret.Message = "No token available and so this health check " + ret.Message
} else {
ret.Message = "This token " + ret.Message
}
results = append(results, &ret)
return []*Result{&ret}, nil
}

for role, fetchPath := range h.RoleFetchIssues {
if fetchPath != nil && fetchPath.IsSecretPermissionsError() {
delete(h.RoleEntryMap, role)
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: fetchPath.Path,
Message: "Without this information, this health check is unable to function.",
}

if e.Client.Token() == "" {
ret.Message = "No token available so unable for the endpoint for this mount. " + ret.Message
} else {
ret.Message = "This token lacks permission the endpoint for this mount. " + ret.Message
}

results = append(results, &ret)
}
}

for role, entry := range h.RoleEntryMap {
Expand Down
52 changes: 32 additions & 20 deletions command/healthcheck/pki_role_no_store_false.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,19 +11,20 @@ import (
type RoleNoStoreFalse struct {
Enabled bool
UnsupportedVersion bool
NoPerms bool

AllowedRoles map[string]bool

CertCounts int
RoleEntryMap map[string]map[string]interface{}
CRLConfig *PathFetch
RoleListFetchIssue *PathFetch
RoleFetchIssues map[string]*PathFetch
RoleEntryMap map[string]map[string]interface{}
CRLConfig *PathFetch
}

func NewRoleNoStoreFalseCheck() Check {
return &RoleNoStoreFalse{
AllowedRoles: make(map[string]bool),
RoleEntryMap: make(map[string]map[string]interface{}),
RoleFetchIssues: make(map[string]*PathFetch),
AllowedRoles: make(map[string]bool),
RoleEntryMap: make(map[string]map[string]interface{}),
}
}

Expand Down Expand Up @@ -64,7 +65,7 @@ func (h *RoleNoStoreFalse) FetchResources(e *Executor) error {
})
if exit || err != nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleListFetchIssue = f
}
return err
}
Expand All @@ -75,7 +76,7 @@ func (h *RoleNoStoreFalse) FetchResources(e *Executor) error {
})
if skip || err != nil || entry == nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleFetchIssues[role] = f
}
if err != nil {
return err
Expand All @@ -86,14 +87,6 @@ func (h *RoleNoStoreFalse) FetchResources(e *Executor) error {
h.RoleEntryMap[role] = entry
}

exit, _, leaves, err := pkiFetchLeavesList(e, func() {
h.UnsupportedVersion = true
})
if exit || err != nil {
return err
}
h.CertCounts = len(leaves)

// Check if the issuer is fetched yet.
configRet, err := e.FetchIfNotFetched(logical.ReadOperation, "/{{mount}}/config/crl")
if err != nil {
Expand All @@ -116,18 +109,37 @@ func (h *RoleNoStoreFalse) Evaluate(e *Executor) (results []*Result, err error)
return []*Result{&ret}, nil
}

if h.NoPerms {
if h.RoleListFetchIssue != nil && h.RoleListFetchIssue.IsSecretPermissionsError() {
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: "/{{mount}}/roles",
Message: "lacks permission either to list the roles or to read a specific role. This may restrict the ability to fully execute this health check",
Endpoint: h.RoleListFetchIssue.Path,
Message: "lacks permission either to list the roles. This restricts the ability to fully execute this health check.",
}
if e.Client.Token() == "" {
ret.Message = "No token available and so this health check " + ret.Message
} else {
ret.Message = "This token " + ret.Message
}
results = append(results, &ret)
return []*Result{&ret}, nil
}

for role, fetchPath := range h.RoleFetchIssues {
if fetchPath != nil && fetchPath.IsSecretPermissionsError() {
delete(h.RoleEntryMap, role)
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: fetchPath.Path,
Message: "Without this information, this health check is unable to function.",
}

if e.Client.Token() == "" {
ret.Message = "No token available so unable for the endpoint for this mount. " + ret.Message
} else {
ret.Message = "This token lacks permission the endpoint for this mount. " + ret.Message
}

results = append(results, &ret)
}
}

crlAutoRebuild := false
Expand Down
Loading

0 comments on commit d08bf56

Please sign in to comment.