vault

mirrors/vault

Fork 0

mirror of https://github.com/hashicorp/vault.git synced 2025-08-17 20:17:00 +02:00

Commit Graph

Author	SHA1	Message	Date
Steven Clark	000d754c40	Make ACME EAB keys specific to the ACME directory they are created within (#20803 ) * Update EAB management urls underneath pki/eab - It was decided that for ease of ACLing, the management paths for EAB apis should be outside of the acme path prefix - Delete duplicated tests, rely on the proper cluster based tests for EAB management. * Update ACME EAB creation paths to be directory specific - Make the EAB creation APIs directory specific. - This commit is still missing the enforcement that they can be redeemed on a specific path. * Enforce EAB tokens per ACME directory context like accounts - Do not allow an EAB from one ACME directory to be used in another. - Rework the ACME directory function to simply get the path from the request instead of parsing out the role/issuer name. - Add some commentary around expectations if operators change issuer names * Add an EAB certbot integration test - Verify with the 3rd party certbot cli that our EAB workflow works as expected. * Fix unit test - Unit test wasn't setting up r.Path within the request that we now use to determine the acme directory.	2023-05-30 11:49:01 -04:00
Alexander Scheel	ca5f5947de	Integrate acme config enable/disable into tests (#20407 ) * Add default ACME configuration, invalidate on write Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add enforcment of ACME enabled Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Validate requested role against ACME config Co-authored-by: kitography <khaines@mit.edu> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add validation of issuer restrictions with ACME Co-authored-by: kitography <khaines@mit.edu> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add validation around allowed config lenghts Co-authored-by: kitography <khaines@mit.edu> Co-authored-by: Steven Clark <steven.clark@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Prune later deemed unnecessary config options Co-authored-by: kitography <khaines@mit.edu> Co-authored-by: Steven Clark <steven.clark@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * make fmt --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: kitography <khaines@mit.edu> Co-authored-by: Steven Clark <steven.clark@hashicorp.com>	2023-04-27 20:31:13 +00:00
Steven Clark	28dd171cd2	Add support to load roles and issuers within ACME wrapper (#20333 ) * Add support to load roles and issuers within ACME wrapper * Add missing go doc to new test * PR feedback - Move field definitions into fields.go - Update wording and associated errors to some role failures. - Add missing ':' to error messages	2023-04-25 13:29:07 +00:00

Author

SHA1

Message

Date

Steven Clark

000d754c40

Make ACME EAB keys specific to the ACME directory they are created within (#20803 )

* Update EAB management urls underneath pki/eab

 - It was decided that for ease of ACLing, the management
   paths for EAB apis should be outside of the acme path
   prefix
 - Delete duplicated tests, rely on the proper cluster
   based tests for EAB management.

* Update ACME EAB creation paths to be directory specific

 - Make the EAB creation APIs directory specific.
 - This commit is still missing the enforcement that
   they can be redeemed on a specific path.

* Enforce EAB tokens per ACME directory context like accounts

 - Do not allow an EAB from one ACME directory to be used
   in another.
 - Rework the ACME directory function to simply get the path from the request instead of parsing out the role/issuer name.
 - Add some commentary around expectations if operators change issuer names

* Add an EAB certbot integration test

 - Verify with the 3rd party certbot cli that our EAB workflow works as expected.

* Fix unit test

 - Unit test wasn't setting up r.Path within the request
   that we now use to determine the acme directory.

2023-05-30 11:49:01 -04:00

Alexander Scheel

ca5f5947de

Integrate acme config enable/disable into tests (#20407 )

* Add default ACME configuration, invalidate on write

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add enforcment of ACME enabled

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate requested role against ACME config

Co-authored-by: kitography <khaines@mit.edu>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add validation of issuer restrictions with ACME

Co-authored-by: kitography <khaines@mit.edu>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add validation around allowed config lenghts

Co-authored-by: kitography <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prune later deemed unnecessary config options

Co-authored-by: kitography <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* make fmt

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: kitography <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

2023-04-27 20:31:13 +00:00

Steven Clark

28dd171cd2

Add support to load roles and issuers within ACME wrapper (#20333 )

* Add support to load roles and issuers within ACME wrapper

* Add missing go doc to new test

* PR feedback

 - Move field definitions into fields.go
 - Update wording and associated errors to some role failures.
 - Add missing ':' to error messages

2023-04-25 13:29:07 +00:00

3 Commits