* Adding explicit MPL license for sub-package.
This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.
* Adding explicit MPL license for sub-package.
This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.
* Updating the license from MPL to Business Source License.
Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl.
* add missing license headers
* Update copyright file headers to BUS-1.1
* Fix test that expected exact offset on hcl file
---------
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
- The Golang ACME library will retry on failures until the passed in
context times out. So if a test is broken it will never end until
the context expires.
- The timeouts are rather large to avoid some issues with slow CI
runners, that have already triggered on a nightly 32 bit run
* imprv: Add a parameter to allow ExtKeyUsage field usage from a role
* chore: Add the changelog entry
* imprv: Reword UI and changelog
* doc: Add allow_role_extkeyusage in parameter list
* imprv: Align variable names with existing fields/codebase
* Add unit test and tweak some labels
---------
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
* Add backend format linting to pre-commit hook
By taking a slight penalty with each commit, we can ensure that
contributors follow the format behavior by default (if they run hooks),
making accidental PRs without proper formatting less likely.
Additionally, fix gofmtcheck to align with the Makefile, fixing the
corresponding fmtcheck target for use with the hook.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix formatting errors
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Supporting PR for Enterprise ACME PR cluster tests
- Some changes within the OSS test helpers to help in the ACME Enterprise test cases.
* Don't rename existing helper method to make oss/ent merge easier
* Correctly validate ACME PoP against public key
ACME's proof of possession based revocation uses a signature from the
private key, but only sends the public copy along with the request.
Ensure the public copy matches the certificate, instead of failing to
cast it to a private key.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ACME revocation tests
* Clarify commentary in acmeRevocationByPoP
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
* Allow CSRs with basic constraint extension with IsCA=false
- We previously forbid any CSR with a basic constraint extension within the CSR.
- It was discovered that some ACME clients (Proxmox ACME client) do send us this extension with a value of IsCA to false.
- So allow the extension to be set within the ACME CSR with
a value of IsCA set to false
- Add a test for both the IsCA=true and IsCA=false use-cases and make sure we don't actually set the extension back within the generated certificate.
* PR feedback
- Move basic constraint function to sdk, increase test coverage
- Error out on extra characters being returned from the asn1 unmarshalling.
* make fmt
* Add ACME TLS-ALPN-01 Challenge validator to PKI
This adds support for verifying the last missing challenge type,
TLS-ALPN-01 challenges, using Go's TLS library. We wish to add this as
many servers (such as Caddy) support transparently renewing certificates
via this protocol, without influencing the contents of sites served.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Enable suggesting, validating tls-alpn-01 in PKI
Notably, while RFC 8737 is somewhat vague about what identifier types
can be validated with this protocol, it does restrict SANs to be only
DNSSans; from this, we can infer that it is not applicable for IP
typed identifiers. Additionally, since this must resolve to a specific
domain name, we cannot provision it for wildcard identifiers either.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix test expectations to allow ALPN challenges
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tls-alpn-01 as a supported challenge to docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test for tls-alpn-01 challenge verifier
This hacks the challenge engine to allow non-standard (non-443) ports,
letting us use a local server listener with custom implementation.
In addition to the standard test cases, we run:
- A test with a longer chain (bad),
- A test without a DNSSan (bad),
- A test with a bad DNSSan (bad),
- A test with some other SANs (bad),
- A test without a CN (good),
- A test without any leaf (bad), and
- A test without the extension (bad).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update builtin/logical/pki/acme_challenges.go
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Kit Haines <khaines@mit.edu>
* Allow not specifying CN on CSR
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case validating behavior
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add notice about failure to validate
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Limit ACME issued certificates to a max of 90 days
- If the normal NotAfter date that is calculated from the mount/issuer/role TTL values is greater than 90 days, override the TTL value to a 90-day value.
* Add changelog
* Generate ACME EAB tokens that do not start with -
- To avoid people having issues copying EAB tokens and using them on command lines when they start with - from the base64 encoded values, append a prefix.
- Remove the key_bits data from the eab api, not really useful and now technically wrong
- Fix up some issues with tests not running in parallel.
- Update docs to reflect new EAB apis.
* Add ACME directory to the various EAB output APIs
* Update EAB token prefix to be divisable by 3
- Our decoded prefix was not divisable by 3, which meant the last
character might be tweaked by the rest of the input
* Attempt to resolve flaky test TestAcmeBasicWorkflow test
- Since we can't control the challenge engine, flush the validation records it leverages prior to manually updating the authorization/challenge statuses
```
path_acme_test.go:261: csr: &{[] [] [] [] 0 [] 0 0 <nil> CN=*.localdomain [] [] [] [localhost.localdomain *.localdomain] [] [] []}
path_acme_test.go:300:
Error Trace: /home/runner/actions-runner/_work/vault-enterprise/vault-enterprise/builtin/logical/pki/path_acme_test.go:300
Error: Received unexpected error:
403 urn:ietf:params:acme:error:orderNotReady: The request attempted to finalize an order that is not ready to be finalized: order is status pending, needs to be in ready state
Test: TestAcmeBasicWorkflow/role
Messages: failed finalizing order
```
* make fmt
* Fix ACME computed order status
* Return validation errors and status updates for authorizations
- We now populate the error field within challenges with the error results from the challenge
- Update the status of the challenge and authorizations to invalid when we give up on the challenge
- Verify that only a single challenge within a given authorization can be accepted to avoid race conditions.
* Update EAB management urls underneath pki/eab
- It was decided that for ease of ACLing, the management
paths for EAB apis should be outside of the acme path
prefix
- Delete duplicated tests, rely on the proper cluster
based tests for EAB management.
* Update ACME EAB creation paths to be directory specific
- Make the EAB creation APIs directory specific.
- This commit is still missing the enforcement that
they can be redeemed on a specific path.
* Enforce EAB tokens per ACME directory context like accounts
- Do not allow an EAB from one ACME directory to be used
in another.
- Rework the ACME directory function to simply get the path from the request instead of parsing out the role/issuer name.
- Add some commentary around expectations if operators change issuer names
* Add an EAB certbot integration test
- Verify with the 3rd party certbot cli that our EAB workflow works as expected.
* Fix unit test
- Unit test wasn't setting up r.Path within the request
that we now use to determine the acme directory.
* ACME override issuer's leaf_not_after_behavior to truncate
- To provide a better ACME experience as we don't allow clients to specify TTL times, we will override the issuer's leaf_not_after_behavior setting to 'truncate' if set to the default of 'err' and issue the certificate truncated to the issuer's NotAfter time.
* Only allow ServerAuth ExtKeyUsage from ACME certificates
- Add an enforcement to ACME issued certificates that the only ExtKeyUsage we currently allow is the ServerAuth usage.
* Force ServerAuth as the ExtKeyUsage in ACME roles
- Override a role's values related to ExtKeyUsage when
running in ACME mode to only return the ServerAuth usage.
- We do this as the majority of roles out there will most likely have the ClientAuth set to true which will cause friction using ACME.
* Fix error handling in ACME
- If we don't match a specific ACME error, use ErrServerInternal instead of the last error type from the internal map
- Logger parameters need two params
* Enforce cluster local path is set when enabling ACME
* Add a warning on ACME config read api if enabled but path not set
- This might help expose that the local path configuration on a secondary cluster was not set which would prevent ACME from running.
* Fix various EAB related issues
- List API wasn't plumbed through properly so it did not work as expected
- Use random 32 bytes instead of an EC key for EAB key values
- Update OpenAPI definitions
* Clean up unused EAB keys within tidy
* Move Vault EAB creation path to pki/acme/new-eab
* Update eab vault responses to match up with docs
* upgrade go-jose library to v3
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
* chore: fix unnecessary import alias
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
* upgrade go-jose library to v2 in vault
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
---------
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
* Add stub ACME billing interfaces
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add initial implementation of client count
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correctly attribute to mount, namespace
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor adding entities of custom types
This begins to add custom types of events; presently these are counted
as non-entity tokens, but prefixed with a custom ClientID prefix.
In the future, this will be the basis for counting these events
separately (into separate buckets and separate storage segments).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor creation of ACME mounts
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for billing
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Better support managed key system view casting
Without an additional parameter, SystemView could be of a different
internal implementation type that cannot be directly casted to in OSS.
Use a separate parameter for the managed key system view to use instead.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor creation of mounts for enterprise
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Validate mounts in ACME billing tests
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use a hopefully unique separator for encoded identifiers
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use mount accesor, not path
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Rename AddEventToFragment->AddActivityToFragment
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* Disable requiring EAB in ACME by default
- After an internal meeting it was decided that enabling EAB support by default was probably not the right decision.
- The main motivating factor being ease of use by end-users as the majority of implementations aren't expecting EAB to be required by default.
* Leverage function isPublicACMEDisabledByEnv and log parsing error
- Add logging to the new isPublicACMEDisabledByEnv function if we fail to parse the env var
- Leverage the function within the isAcmeDisabled function in acme_wrappers.go to not duplicate the env getting logic in two places.
* Fail closed when VAULT_DISABLE_PUBLIC_ACME is un-parsable.
* Add Vault APIS to create, list, delete ACME EAB keys
- Add Vault authenticated APIs to create, list and delete ACME
EAB keys.
- Add supporting tests for all new apis
* Add require_eab to acme configuration
* Add EAB support to ACME
* Add EAB support to ACME
* PR feedback 1
- Address missing err return within DeleteEab
- Move verifyEabPayload to acme_jws.go no code changes in this PR
- Update error message returned for error on account storage with EAB.
* PR feedback 2
- Verify JWK signature payload after signature verification
* Introduce an ACME eab_policy in configuration
- Instead of a boolean on/off for require_eab, introduce named policies for ACME behaviour enforcing eab.
- The default policy of always-required, will force new accounts to have an EAB, and all operations in the future, will make sure the account has an EAB associated with it.
- Two other policies, not-required will allow any anonymous users to use ACME within PKI and 'new-account-required' will enforce new accounts going forward to require an EAB, but existing accounts will still be allowed to use ACME if they don't have an EAB associated with the account.
- Having 'always-required' as a policy, will override the environment variable to disable public acme as well.
* Add missing go-docs to new tests.
* Add valid eab_policy values in error message.
- Do not serialize the entire internal object, instead return
just the Type and Value fields back to the caller.
- Also within authorization responses, return the base domain
on wildcard queries, dropping the *. as the RFC requests.
- Update tests to reflect/test this logic.
* Add default ACME configuration, invalidate on write
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add enforcment of ACME enabled
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Validate requested role against ACME config
Co-authored-by: kitography <khaines@mit.edu>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add validation of issuer restrictions with ACME
Co-authored-by: kitography <khaines@mit.edu>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add validation around allowed config lenghts
Co-authored-by: kitography <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prune later deemed unnecessary config options
Co-authored-by: kitography <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* make fmt
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: kitography <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add the ability to disable ACME through an OS environment variable
- Disable ACME through the VAULT_DISABLE_PUBLIC_ACME environment
variable.
* PR feedback
- Switch to using t.Setenv instead of manually doing it
- Remove t.Parallel from the test not to influence others
* make fmt
* Enforce ACME accounts to a specific directory path
- Accounts and correspondingly orders, authz should not cross
the path boundaries. So we now tag an ACME account with a specific
directory based on the requested role/issuer values in the path.
- If an operation occurs on a different acme directory path it will
cause a failure of the request.
- Add some go doc to a few places and reorder the methods in the
acme_wrappers.go class to highlight the wrappers and not intertwine
the helper functions
- Rename path_acme_new_account.go to path_acme_account.go as it has
several account related methods now.
* Get rid of bad test case
- The previous commit contained a bug fix for us properly
loading issuers within the ACME path, that exposed
this broken/bad test case. Simply remove it.
* Add support to load roles and issuers within ACME wrapper
* Add missing go doc to new test
* PR feedback
- Move field definitions into fields.go
- Update wording and associated errors to some role failures.
- Add missing ':' to error messages
* Refactor wildcard validation checks
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add helper to determine if identifier is wildcard
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Better validate wildcard acceptance
This correctly validates wildcards to contain only a leading prefix
(*.) and must include another label, also ensuring that the remaining
domain components pass non-IP and IDNA validation, and removing them
from display on the authorization. Finally, we restrict the challenge
types available for various combinations of IP, DNS, and wildcard
addresses.
This then updates the tests to validate this as well.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* WIP: Implement ACME CSR signing and certificate retrieval
* Add some validations within the ACME finalize API
- Validate that the CSR we were given matches the DNS names
and IP addresses within the order
- Validate that the CSR does not share the same public as the
account
* Gate ACME finalize order validating all authorizations are in valid state
* Allow creating storageContext with timeout
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add challenge validation engine to ACME
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Initialize the ACME challenge validation engine
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Trigger challenge validation on endpoint submission
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix GetKeyThumbprint to use raw base64
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Point at localhost for testing
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add cleanup of validation engine
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add HTTP challenge validator
This will attempt to safely validate HTTP challenges, following a
limited number of redirects and timing out after too much time has
passed.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test for ValidateKeyAuthorization
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test cases for ValidateHTTP01Challenge
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add token to HTTP challenge
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Move all ACME wrappers into a dedicated go file
- Make it easier to figure out where the various wrappers for
ACME exist by locating them inside a dedicated go file instead
of spread out across the various path_acme_xxx files.
* Add missing copyright headers to PKI files
* Implement ACME new-order API
- This is a very rough draft for the new order ACME API
* Add ACME order list API
* Implement ACME Get order API
* Misc order related fixes
- Filter authorizations in GetOrders for valid
- Validate notBefore and notAfter dates make sense
- Add <order>/cert URL path to order response if set to valid
* Return account status within err authorized, if the account key verified
* Rework ACME workflow test to leverage Golang's ACME client library
- Instead of testing manually, leverage the Golang ACME library
to test against our implementation from the unit tests.
* Add tests for new-account and misc fixes
- Set and return the account status for registration
- Add handlers for the account/ api/updates
- Switch acme/ to cluster local storage
- Disable terms of service checks for now as we don't set the url
* PR feedback
- Implement account deactivation
- Create separate account update handler, to not mix account creation
logic
- Add kid field to account update definition
- Add support to update contact details on an existing account
- Instead of using tests that just test the plugin storage/interface
layer, use a full Vault instance to validate that we can send/receive
the proper headers and responses back to a client.
- Found an issue with HEAD new-nounce api calls returning 500 errors.
- Add the /acme/ suffix to the baseUrl in the acme context so we don't
have to keep adding it a bit everywhere.
