mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-10 00:27:02 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
199 lines
6.3 KiB
Go
199 lines
6.3 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package pki
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/asaskevich/govalidator"
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
func pathConfigCluster(b *backend) *framework.Path {
|
|
return &framework.Path{
|
|
Pattern: "config/cluster",
|
|
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
OperationPrefix: operationPrefixPKI,
|
|
},
|
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"path": {
|
|
Type: framework.TypeString,
|
|
Description: `Canonical URI to this mount on this performance
|
|
replication cluster's external address. This is for resolving AIA URLs and
|
|
providing the {{cluster_path}} template parameter but might be used for other
|
|
purposes in the future.
|
|
|
|
This should only point back to this particular PR replica and should not ever
|
|
point to another PR cluster. It may point to any node in the PR replica,
|
|
including standby nodes, and need not always point to the active node.
|
|
|
|
For example: https://pr1.vault.example.com:8200/v1/pki`,
|
|
},
|
|
"aia_path": {
|
|
Type: framework.TypeString,
|
|
Description: `Optional URI to this mount's AIA distribution
|
|
point; may refer to an external non-Vault responder. This is for resolving AIA
|
|
URLs and providing the {{cluster_aia_path}} template parameter and will not
|
|
be used for other purposes. As such, unlike path above, this could safely
|
|
be an insecure transit mechanism (like HTTP without TLS).
|
|
|
|
For example: http://cdn.example.com/pr1/pki`,
|
|
},
|
|
},
|
|
|
|
Operations: map[logical.Operation]framework.OperationHandler{
|
|
logical.UpdateOperation: &framework.PathOperation{
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
OperationVerb: "configure",
|
|
OperationSuffix: "cluster",
|
|
},
|
|
Callback: b.pathWriteCluster,
|
|
Responses: map[int][]framework.Response{
|
|
http.StatusOK: {{
|
|
Description: "OK",
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"path": {
|
|
Type: framework.TypeString,
|
|
Description: `Canonical URI to this mount on this performance
|
|
replication cluster's external address. This is for resolving AIA URLs and
|
|
providing the {{cluster_path}} template parameter but might be used for other
|
|
purposes in the future.
|
|
|
|
This should only point back to this particular PR replica and should not ever
|
|
point to another PR cluster. It may point to any node in the PR replica,
|
|
including standby nodes, and need not always point to the active node.
|
|
|
|
For example: https://pr1.vault.example.com:8200/v1/pki`,
|
|
},
|
|
"aia_path": {
|
|
Type: framework.TypeString,
|
|
Description: `Optional URI to this mount's AIA distribution
|
|
point; may refer to an external non-Vault responder. This is for resolving AIA
|
|
URLs and providing the {{cluster_aia_path}} template parameter and will not
|
|
be used for other purposes. As such, unlike path above, this could safely
|
|
be an insecure transit mechanism (like HTTP without TLS).
|
|
|
|
For example: http://cdn.example.com/pr1/pki`,
|
|
},
|
|
},
|
|
}},
|
|
},
|
|
},
|
|
logical.ReadOperation: &framework.PathOperation{
|
|
Callback: b.pathReadCluster,
|
|
DisplayAttrs: &framework.DisplayAttributes{
|
|
OperationSuffix: "cluster-configuration",
|
|
},
|
|
Responses: map[int][]framework.Response{
|
|
http.StatusOK: {{
|
|
Description: "OK",
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"path": {
|
|
Type: framework.TypeString,
|
|
Description: `Canonical URI to this mount on this performance
|
|
replication cluster's external address. This is for resolving AIA URLs and
|
|
providing the {{cluster_path}} template parameter but might be used for other
|
|
purposes in the future.
|
|
|
|
This should only point back to this particular PR replica and should not ever
|
|
point to another PR cluster. It may point to any node in the PR replica,
|
|
including standby nodes, and need not always point to the active node.
|
|
|
|
For example: https://pr1.vault.example.com:8200/v1/pki`,
|
|
Required: true,
|
|
},
|
|
"aia_path": {
|
|
Type: framework.TypeString,
|
|
Description: `Optional URI to this mount's AIA distribution
|
|
point; may refer to an external non-Vault responder. This is for resolving AIA
|
|
URLs and providing the {{cluster_aia_path}} template parameter and will not
|
|
be used for other purposes. As such, unlike path above, this could safely
|
|
be an insecure transit mechanism (like HTTP without TLS).
|
|
|
|
For example: http://cdn.example.com/pr1/pki`,
|
|
},
|
|
},
|
|
}},
|
|
},
|
|
},
|
|
},
|
|
|
|
HelpSynopsis: pathConfigClusterHelpSyn,
|
|
HelpDescription: pathConfigClusterHelpDesc,
|
|
}
|
|
}
|
|
|
|
func (b *backend) pathReadCluster(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
|
|
sc := b.makeStorageContext(ctx, req.Storage)
|
|
cfg, err := sc.getClusterConfig()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
resp := &logical.Response{
|
|
Data: map[string]interface{}{
|
|
"path": cfg.Path,
|
|
"aia_path": cfg.AIAPath,
|
|
},
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
func (b *backend) pathWriteCluster(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
sc := b.makeStorageContext(ctx, req.Storage)
|
|
cfg, err := sc.getClusterConfig()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if value, ok := data.GetOk("path"); ok {
|
|
cfg.Path = value.(string)
|
|
|
|
// This field is required by ACME, if ever we allow un-setting in the
|
|
// future, this code will need to verify that ACME is not enabled.
|
|
if !govalidator.IsURL(cfg.Path) {
|
|
return nil, fmt.Errorf("invalid, non-URL path given to cluster: %v", cfg.Path)
|
|
}
|
|
}
|
|
|
|
if value, ok := data.GetOk("aia_path"); ok {
|
|
cfg.AIAPath = value.(string)
|
|
if !govalidator.IsURL(cfg.AIAPath) {
|
|
return nil, fmt.Errorf("invalid, non-URL aia_path given to cluster: %v", cfg.AIAPath)
|
|
}
|
|
}
|
|
|
|
if err := sc.writeClusterConfig(cfg); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
resp := &logical.Response{
|
|
Data: map[string]interface{}{
|
|
"path": cfg.Path,
|
|
"aia_path": cfg.AIAPath,
|
|
},
|
|
}
|
|
|
|
return resp, nil
|
|
}
|
|
|
|
const pathConfigClusterHelpSyn = `
|
|
Set cluster-local configuration, including address to this PR cluster.
|
|
`
|
|
|
|
const pathConfigClusterHelpDesc = `
|
|
This path allows you to set cluster-local configuration, including the
|
|
URI to this performance replication cluster. This allows you to use
|
|
templated AIA URLs with /config/urls and /issuer/:issuer_ref, setting the
|
|
reference to the cluster's URI.
|
|
|
|
Only one address can be specified for any given cluster.
|
|
`
|