

backport of commit 042dd57 (#21295)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
1 parent 2fd24b1 commit 0610df0
Showing 3 changed files with 63 additions and 26 deletions.
30 changes: 20 additions & 10 deletions builtin/logical/pki/path_acme_test.go
Expand Up @@ -1074,9 +1074,7 @@ func TestAcmeWithCsrIncludingBasicConstraintExtension(t *testing.T) {
}
}

func markAuthorizationSuccess(t *testing.T, client *api.Client, acmeClient *acme.Client, acct *acme.Account,
order *acme.Order,
) {
func markAuthorizationSuccess(t *testing.T, client *api.Client, acmeClient *acme.Client, acct *acme.Account, order *acme.Order) {
testCtx := context.Background()

pkiMount := findStorageMountUuid(t, client, "pki")
Expand All @@ -1090,8 +1088,15 @@ func markAuthorizationSuccess(t *testing.T, client *api.Client, acmeClient *acme
for _, authURI := range order.AuthzURLs {
authId := authURI[strings.LastIndex(authURI, "/"):]

rawPath := path.Join("/sys/raw/logical/", pkiMount, getAuthorizationPath(accountId, authId))
resp, err := client.Logical().ReadWithContext(testCtx, rawPath)
// sys/raw does not work with namespaces
baseClient := client.WithNamespace("")

values, err := baseClient.Logical().ListWithContext(testCtx, "sys/raw/logical/")
require.NoError(t, err)
require.True(t, true, "values: %v", values)

rawPath := path.Join("sys/raw/logical/", pkiMount, getAuthorizationPath(accountId, authId))
resp, err := baseClient.Logical().ReadWithContext(testCtx, rawPath)
require.NoError(t, err, "failed looking up authorization storage")
require.NotNil(t, resp, "sys raw response was nil")
require.NotEmpty(t, resp.Data["value"], "no value field in sys raw response")
Expand All @@ -1106,7 +1111,7 @@ func markAuthorizationSuccess(t *testing.T, client *api.Client, acmeClient *acme

encodeJSON, err := jsonutil.EncodeJSON(authz)
require.NoError(t, err, "failed encoding authz json")
_, err = client.Logical().WriteWithContext(testCtx, rawPath, map[string]interface{}{
_, err = baseClient.Logical().WriteWithContext(testCtx, rawPath, map[string]interface{}{
"value": base64.StdEncoding.EncodeToString(encodeJSON),
"encoding": "base64",
})
Expand Down Expand Up @@ -1144,16 +1149,18 @@ func markAuthorizationSuccess(t *testing.T, client *api.Client, acmeClient *acme
func deleteCvEntries(t *testing.T, client *api.Client, pkiMount string) bool {
testCtx := context.Background()

cvPath := path.Join("/sys/raw/logical/", pkiMount, acmeValidationPrefix)
resp, err := client.Logical().ListWithContext(testCtx, cvPath)
baseClient := client.WithNamespace("")

cvPath := path.Join("sys/raw/logical/", pkiMount, acmeValidationPrefix)
resp, err := baseClient.Logical().ListWithContext(testCtx, cvPath)
require.NoError(t, err, "failed listing cv path items")

deletedEntries := false
if resp != nil {
cvEntries := resp.Data["keys"].([]interface{})
for _, cvEntry := range cvEntries {
cvEntryPath := path.Join(cvPath, cvEntry.(string))
_, err = client.Logical().DeleteWithContext(testCtx, cvEntryPath)
_, err = baseClient.Logical().DeleteWithContext(testCtx, cvEntryPath)
require.NoError(t, err, "failed to delete cv entry")
deletedEntries = true
}
Expand Down Expand Up @@ -1205,7 +1212,7 @@ func setupAcmeBackendOnClusterAtPath(t *testing.T, cluster *vault.TestCluster, c
require.NoError(t, err, "failed to mount new PKI instance at "+mount)
}

err := client.Sys().TuneMountWithContext(ctx, mountName, api.MountConfigInput{
err := client.Sys().TuneMountWithContext(ctx, mount, api.MountConfigInput{
DefaultLeaseTTL: "3000h",
MaxLeaseTTL: "600000h",
})
Expand Down Expand Up @@ -1585,6 +1592,9 @@ func getAcmeClientForCluster(t *testing.T, cluster *vault.TestCluster, baseUrl s
if !strings.HasPrefix(baseUrl, "v1/") {
baseUrl = "v1/" + baseUrl
}
if !strings.HasSuffix(baseUrl, "/") {
baseUrl = baseUrl + "/"
}
baseAcmeURL := fmt.Sprintf("https://%s/%s", coreAddr.String(), baseUrl)
return &acme.Client{
Key: key,
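Review bot: `require.True(t, true, "values: %v", values)` in the markAuthorizationSuccess hunk can never fail, so the `baseClient.Logical().ListWithContext(testCtx, "sys/raw/logical/")` call above it adds a raw-storage listing on every iteration of the `for _, authURI := range order.AuthzURLs` loop with nothing actually checked; on what appears to be the new side of the hunk it reads like a debugging aid that was left in, and since `values` is used nowhere else the three lines can simply be dropped. Independently, `baseClient := client.WithNamespace("")` is constructed inside that same loop body, whereas deleteCvEntries builds it once before any calls; hoisting it next to `testCtx` keeps the two helpers consistent and avoids a new client per authorization. The bodies of markAuthorizationSuccess and deleteCvEntries continue outside the hunks shown here.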
16 changes: 0 additions & 16 deletions builtin/logical/pki/path_ocsp_test.go
Expand Up @@ -710,19 +710,3 @@ func sendOcspPostRequest(b *backend, s logical.Storage, ocspRequest []byte) (*lo

return resp, err
}

func generateRequest(t *testing.T, requestHash crypto.Hash, cert *x509.Certificate, issuer *x509.Certificate) []byte {
t.Helper()

opts := &ocsp.RequestOptions{Hash: requestHash}
ocspRequestDer, err := ocsp.CreateRequest(cert, issuer, opts)
require.NoError(t, err, "Failed generating OCSP request")
return ocspRequestDer
}

func requireOcspResponseSignedBy(t *testing.T, ocspResp *ocsp.Response, issuer *x509.Certificate) {
t.Helper()

err := ocspResp.CheckSignatureFrom(issuer)
require.NoError(t, err, "Failed signature verification of ocsp response: %w", err)
}
43 changes: 43 additions & 0 deletions builtin/logical/pki/test_helpers.go
Expand Up @@ -16,6 +16,7 @@ import (
"io"
"math"
"math/big"
http2 "net/http"
"strings"
"testing"
"time"
Expand All @@ -24,6 +25,7 @@ import (
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/logical"
"github.com/stretchr/testify/require"
"golang.org/x/crypto/ocsp"
)

// Setup helpers
Expand Down Expand Up @@ -393,3 +395,44 @@ func summarizeCrl(t *testing.T, crl pkix.TBSCertificateList) string {
"Revoked Serial Count: %d\n"+
"Revoked Serials: %v", version, crl.ThisUpdate, crl.NextUpdate, len(serials), serials)
}

// OCSP helpers
func generateRequest(t *testing.T, requestHash crypto.Hash, cert *x509.Certificate, issuer *x509.Certificate) []byte {
t.Helper()

opts := &ocsp.RequestOptions{Hash: requestHash}
ocspRequestDer, err := ocsp.CreateRequest(cert, issuer, opts)
require.NoError(t, err, "Failed generating OCSP request")
return ocspRequestDer
}

func requireOcspResponseSignedBy(t *testing.T, ocspResp *ocsp.Response, issuer *x509.Certificate) {
t.Helper()

err := ocspResp.CheckSignatureFrom(issuer)
require.NoError(t, err, "Failed signature verification of ocsp response: %w", err)
}

func performOcspPost(t *testing.T, cert *x509.Certificate, issuerCert *x509.Certificate, client *api.Client, ocspPath string) *ocsp.Response {
t.Helper()

baseClient := client.WithNamespace("")

ocspReq := generateRequest(t, crypto.SHA256, cert, issuerCert)
ocspPostReq := baseClient.NewRequest(http2.MethodPost, ocspPath)
ocspPostReq.Headers.Set("Content-Type", "application/ocsp-request")
ocspPostReq.BodyBytes = ocspReq
rawResp, err := baseClient.RawRequest(ocspPostReq)
require.NoError(t, err, "failed sending unified-ocsp post request")

require.Equal(t, 200, rawResp.StatusCode)
require.Equal(t, ocspResponseContentType, rawResp.Header.Get("Content-Type"))
bodyReader := rawResp.Body
respDer, err := io.ReadAll(bodyReader)
bodyReader.Close()
require.NoError(t, err, "failed reading response body")

ocspResp, err := ocsp.ParseResponse(respDer, issuerCert)
require.NoError(t, err, "parsing ocsp get response")
return ocspResp
}
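Review bot: performOcspPost closes the response body only on the happy path — `bodyReader.Close()` runs after the two `require.Equal` checks, and a failing require calls t.FailNow, so a non-200 or wrong-content-type reply leaves the body open; replace the `bodyReader := rawResp.Body` / `bodyReader.Close()` pair with `defer rawResp.Body.Close()` placed directly after `require.NoError(t, err, "failed sending unified-ocsp post request")` and read with `respDer, err := io.ReadAll(rawResp.Body)` (deferred calls still run on FailNow). In requireOcspResponseSignedBy the message `"Failed signature verification of ocsp response: %w", err` is formatted by fmt.Sprintf, which does not implement `%w` and prints `%!w(...)` instead of the error; `%v` is the right verb, and since require already appends the error text the extra argument can be dropped entirely — this was carried over verbatim from the code removed in path_ocsp_test.go, so the move is the moment to fix it. The `http2 "net/http"` alias in the import hunk is presumably there to sidestep another `http` identifier in the package; a short comment on that import line, such as `// aliased: "http" is already taken in this package`, would spare the next reader the guess, assuming that is indeed the reason. `require.Equal(t, 200, rawResp.StatusCode)` would also read better as `http2.StatusOK`, and the message `"parsing ocsp get response"` on a POST helper looks like a copy-paste slip.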
