From 17c0ee93cb63158ed4f197479e9ea3f2da163f53 Mon Sep 17 00:00:00 2001
From: Kit Haines
Date: Fri, 28 Feb 2025 14:44:52 -0500
Subject: [PATCH] Enables a warning if validations (ent-feature) set issuer configuration so that it isn't usable. (#29781)
---
 builtin/logical/pki/path_fetch_issuers.go | 39 ++++++++++++++++++++---
 1 file changed, 35 insertions(+), 4 deletions(-)
diff --git a/builtin/logical/pki/path_fetch_issuers.go b/builtin/logical/pki/path_fetch_issuers.go
index 4e8846524d..1c1f4068b6 100644
--- a/builtin/logical/pki/path_fetch_issuers.go
+++ b/builtin/logical/pki/path_fetch_issuers.go
@@ -679,8 +679,10 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
 }
 }
+ var updatedIssuanceValidations bool
 if updateEntIssuerFields(issuer, data, false) {
 modified = true
+ updatedIssuanceValidations = true
 }
 // Updating the chain should be the last modification as there's a chance
@@ -735,6 +737,8 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
 return logical.ErrorResponse("error reverting bad chain update, state unknown: %v, \ninitial error: %v", newErr.Error(), err.Error()), nil
 }
 return logical.ErrorResponse("other changes to issuer may be persisted. Error setting manual chain, issuer would be unusuable with this chain: %v", err), nil
+ } else {
+ updatedIssuanceValidations = false
 }
 }
@@ -757,6 +761,12 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
 response.AddWarning(fmt.Sprintf("issuance may fail: %v\n\nConsider setting the cluster-local address if it is not already set.", aiaErr))
 }
 }
+ if updatedIssuanceValidations {
+ warning := checkIssuer(issuer, ctx, req, b)
+ if warning != "" {
+ response.AddWarning(warning)
+ }
+ }
 return response, err
 }
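Review bot: The `else` branch added after the `return logical.ErrorResponse(...)` in the manual-chain error path of hunk @@ -735 silently disables the post-write issuance check whenever a manual chain was applied successfully, and nothing says why; the identical construct appears in pathPatchIssuer at hunk @@ -1012. Traced through hunks @@ -679 and @@ -757, an issuer whose ent validation fields changed in the same request as a successful `manual_chain` update is never probed, so presumably the chain path is considered to have validated the issuer already, but that is not visible here. A comment such as `// A manual_chain that applied successfully has already been validated above; skip the issuance probe.` would make the intent explicit, and dropping the `else` after the terminating return (`}` followed by `updatedIssuanceValidations = false` at the same indent) keeps the happy path left-aligned. pathUpdateIssuer starts and ends outside this hunk.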
@@ -959,6 +969,12 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
 issuer.AIAURIs = nil
 }
+ updatedIssuanceValidations := false
+ if updateEntIssuerFields(issuer, data, true) {
+ modified = true
+ updatedIssuanceValidations = true
+ }
+
 // Manual Chain Changes
 newPathData, ok := data.GetOk("manual_chain")
 if ok {
@@ -1012,16 +1028,14 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
 return logical.ErrorResponse("error reverting bad chain update, state unknown: %v, \ninitial error: %v", newErr.Error(), err.Error()), nil
 }
 return logical.ErrorResponse("other changes to issuer may be persisted. Error setting manual chain, issuer would be unusuable with this chain: %v", err), nil
+ } else {
+ updatedIssuanceValidations = false
 }
 }
 }
 }
- if updateEntIssuerFields(issuer, data, true) {
- modified = true
- }
-
 if modified {
 err := sc.writeIssuer(issuer)
 if err != nil {
@@ -1033,6 +1047,12 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
 if newName != oldName {
 addWarningOnDereferencing(sc, oldName, response)
 }
+ if updatedIssuanceValidations {
+ warning := checkIssuer(issuer, ctx, req, b)
+ if warning != "" {
+ response.AddWarning(warning)
+ }
+ }
 if issuer.AIAURIs != nil && issuer.AIAURIs.EnableTemplating {
 _, aiaErr := ToURLEntries(sc, issuer.ID, issuer.AIAURIs)
 if aiaErr != nil {
@@ -1043,6 +1063,17 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
 return response, err
 }
+// checkIssuer looks at an issuer that has already been written, and returns a warning if it is not functional.
+func checkIssuer(issuer *issuing.IssuerEntry, ctx context.Context, req *logical.Request, b *backend) (warning string) {
+ if issuer.Usage.HasUsage(issuing.IssuanceUsage) {
+ err := b.issueSignEmptyCert(ctx, req, issuer.ID.String())
+ if err != nil {
+ return fmt.Sprintf("warning: issuer with issuance usage %s cannot issue certificates with this configuration: %v", issuer.ID.String(), err)
+ }
+ }
+ return ""
+}
+
 func (b *backend) pathGetRawIssuer(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 if b.UseLegacyBundleCaStorage() {
 return logical.ErrorResponse("Can not get issuer until migration has completed"), nil
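Review bot: checkIssuer takes `ctx` as its second parameter and `b *backend` as its last, inverting the context-first convention every other signature in this hunk follows, and since its only work is the call to `b.issueSignEmptyCert` it reads more naturally as a method: `func (b *backend) checkIssuer(ctx context.Context, req *logical.Request, issuer *issuing.IssuerEntry) string {`, with the two call sites in hunks @@ -757 and @@ -1033 becoming `b.checkIssuer(ctx, req, issuer)`. The doc comment should also state how the check is performed, because if `issueSignEmptyCert` actually signs a certificate (its name suggests so; the body is not visible here) then an issuer update now carries a signing side effect that may consume a serial, write storage or produce audit entries, which an operator reviewing the audit trail will want to know about; something like `// It does so by attempting a test issuance via issueSignEmptyCert, so it carries whatever side effects that call has.` The `warning: ` prefix inside the returned string is redundant once the caller hands it to `response.AddWarning`, and `issuer.ID.String()` is computed twice where one local would do.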