diff --git a/command/commands.go b/command/commands.go
index a7761c8596..6953440ddc 100644
--- a/command/commands.go
+++ b/command/commands.go
@@ -544,7 +544,7 @@ func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) {
 }, nil
 },
 "pki list-intermediates": func() (cli.Command, error) {
- return &PKIListChildrenCommand{
+ return &PKIListIntermediateCommand{
 BaseCommand: getBaseCommand(),
 }, nil
 },
diff --git a/command/healthcheck/pki_crl_validity_period.go b/command/healthcheck/pki_crl_validity_period.go
index ae31e73324..bd8e856baa 100644
--- a/command/healthcheck/pki_crl_validity_period.go
+++ b/command/healthcheck/pki_crl_validity_period.go
@@ -169,7 +169,7 @@ func (h *CRLValidityPeriod) Evaluate(e *Executor) (results []*Result, err error)
 ret.Status = ResultCritical
 ret.Message = fmt.Sprintf("CRL's validity is outside of suggested rotation window: CRL's next update is expected at %v, but expires within %v%% of validity window (starting on %v and ending on %v). It is suggested to rotate this CRL and start propagating it to hosts to avoid any issues caused by stale CRLs.", crl.NextUpdate.Format("2006-01-02"), h.CRLExpiryPercentage, crl.ThisUpdate.Format("2006-01-02"), expWhen.Format("2006-01-02"))
- if crlDisabled == true {
+ if crlDisabled {
 ret.Status = ResultInformational
 ret.Message += " Because the CRL is disabled, this is less of a concern."
 }
@@ -192,7 +192,7 @@ func (h *CRLValidityPeriod) Evaluate(e *Executor) (results []*Result, err error)
 ret.Status = ResultCritical
 ret.Message = fmt.Sprintf("Delta CRL's validity is outside of suggested rotation window: Delta CRL's next update is expected at %v, but expires within %v%% of validity window (starting on %v and ending on %v). It is suggested to rotate this Delta CRL and start propagating it to hosts to avoid any issues caused by stale CRLs.", crl.NextUpdate.Format("2006-01-02"), h.CRLExpiryPercentage, crl.ThisUpdate.Format("2006-01-02"), expWhen.Format("2006-01-02"))
- if crlDisabled == true {
+ if crlDisabled {
 ret.Status = ResultInformational
 ret.Message += " Because the CRL is disabled, this is less of a concern."
 }
diff --git a/command/pki_list_children_command.go b/command/pki_list_intermediate_command.go
similarity index 77%
rename from command/pki_list_children_command.go
rename to command/pki_list_intermediate_command.go
index 23a390a7ad..c7ac918642 100644
--- a/command/pki_list_children_command.go
+++ b/command/pki_list_intermediate_command.go
@@ -12,7 +12,7 @@ import (
 "github.com/ryanuber/columnize"
 )
-type PKIListChildrenCommand struct {
+type PKIListIntermediateCommand struct {
 *BaseCommand
 flagConfig string
@@ -29,24 +29,33 @@ type PKIListChildrenCommand struct {
 flagPathMatch bool
 }
-func (c *PKIListChildrenCommand) Synopsis() string {
+func (c *PKIListIntermediateCommand) Synopsis() string {
 return "Determine Which (of a List) of Certificates Were Issued by A Given Parent Certificate"
 }
-func (c *PKIListChildrenCommand) Help() string {
+func (c *PKIListIntermediateCommand) Help() string {
 helpText := `
 Usage: vault pki list-intermediates PARENT [CHILD] [CHILD] [CHILD] ...
-PARENT is the certificate that might be the issuer that everything should be verified against.
-CHILD is a list of paths to certificates to be compared to the PARENT, or pki mounts to look for certificates on.
-If CHILD is omitted entirely, the list will be constructed from all accessible pki mounts.
-This returns a list of issuing certificates, and whether they are a match.
-By default, the type of match required is whether the PARENT has the expected subject, key_id, and could have (directly)
-signed this issuer. The match criteria can be updated by changed the corresponding flag.
-`
+
+ Lists the set of intermediate CAs issued by this parent issuer.
+
+ PARENT is the certificate that might be the issuer that everything should
+ be verified against.
+
+ CHILD is an optional list of paths to certificates to be compared to the
+ PARENT, or pki mounts to look for certificates on. If CHILD is omitted
+ entirely, the list will be constructed from all accessible pki mounts.
+
+ This returns a list of issuing certificates, and whether they are a match.
+ By default, the type of match required is whether the PARENT has the
+ expected subject, key_id, and could have (directly) signed this issuer.
+ The match criteria can be updated by changed the corresponding flag.
+
+` + c.Flags().Help()
 return strings.TrimSpace(helpText)
 }
-func (c *PKIListChildrenCommand) Flags() *FlagSets {
+func (c *PKIListIntermediateCommand) Flags() *FlagSets {
 set := c.flagSet(FlagSetHTTP | FlagSetOutputFormat)
 f := set.NewFlagSet("Command Options")
@@ -55,7 +64,7 @@ func (c *PKIListChildrenCommand) Flags() *FlagSets {
 Target: &c.flagSubjectMatch,
 Default: true,
 EnvVar: "",
- Usage: `Whether the subject name of the potential parent cert matches the issuer name of the child cert`,
+ Usage: `Whether the subject name of the potential parent cert matches the issuer name of the child cert.`,
 })
 f.BoolVar(&BoolVar{
@@ -63,7 +72,7 @@ func (c *PKIListChildrenCommand) Flags() *FlagSets {
 Target: &c.flagKeyIdMatch,
 Default: true,
 EnvVar: "",
- Usage: `Whether the subject key_id of the potential parent cert matches the issuing key id of the child cert`,
+ Usage: `Whether the subject key id (SKID) of the potential parent cert matches the authority key id (AKID) of the child cert.`,
 })
 f.BoolVar(&BoolVar{
@@ -71,7 +80,7 @@ func (c *PKIListChildrenCommand) Flags() *FlagSets {
 Target: &c.flagPathMatch,
 Default: false,
 EnvVar: "",
- Usage: `Whether the potential parent appears in the certificate chain of the issued cert`,
+ Usage: `Whether the potential parent appears in the certificate chain field (ca_chain) of the issued cert.`,
 })
 f.BoolVar(&BoolVar{
@@ -79,7 +88,7 @@ func (c *PKIListChildrenCommand) Flags() *FlagSets {
 Target: &c.flagSignatureMatch,
 Default: true,
 EnvVar: "",
- Usage: `Whether the key of the potential parent signed this issued certificate`,
+ Usage: `Whether the key of the potential parent directly signed this issued certificate.`,
 })
 f.BoolVar(&BoolVar{
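Review bot: The last added line of the list-intermediates Help() text carries over a typo from the removed wording, `The match criteria can be updated by changed the corresponding flag.`; it should read `The match criteria can be updated by changing the corresponding flag.`. Since this string is what operators see when deciding which match flags to relax, the help text is worth getting right in the same rewrite. Help() is complete within the hunk; the Flags() body it runs into continues past it.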
@@ -87,7 +96,7 @@ func (c *PKIListChildrenCommand) Flags() *FlagSets {
 Target: &c.flagIndirectSignMatch,
 Default: true,
 EnvVar: "",
- Usage: `Whether trusting the parent certificate is sufficient to trust the child certificate`,
+ Usage: `Whether trusting the parent certificate is sufficient to trust the child certificate.`,
 })
 f.BoolVar(&BoolVar{
@@ -95,13 +104,13 @@ func (c *PKIListChildrenCommand) Flags() *FlagSets {
 Target: &c.flagUseNames,
 Default: false,
 EnvVar: "",
- Usage: `Whether the list of issuers returned is referred to by name when it exists rather than uuid`,
+ Usage: `Whether the list of issuers returned is referred to by name (when it exists) rather than by uuid.`,
 })
 return set
 }
-func (c *PKIListChildrenCommand) Run(args []string) int {
+func (c *PKIListIntermediateCommand) Run(args []string) int {
 f := c.Flags()
 if err := f.Parse(args); err != nil {
 c.UI.Error(err.Error())
@@ -198,7 +207,7 @@ func (c *PKIListChildrenCommand) Run(args []string) int {
 return 0
 }
-func (c *PKIListChildrenCommand) getIssuerListFromMount(client *api.Client, mountString string) ([]string, error) {
+func (c *PKIListIntermediateCommand) getIssuerListFromMount(client *api.Client, mountString string) ([]string, error) {
 var issuerList []string
 issuerListEndpoint := sanitizePath(mountString) + "/issuers"
 rawIssuersResp, err := client.Logical().List(issuerListEndpoint)
@@ -231,16 +240,14 @@ func (c *PKIListChildrenCommand) getIssuerListFromMount(client *api.Client, moun
 func checkIfResultsMatchFilters(verifyResults, constraintMap map[string]bool) bool {
 for key, required := range constraintMap {
- if required == true {
- if verifyResults[key] == false {
- return false
- }
+ if required && !verifyResults[key] {
+ return false
 }
 }
 return true
 }
-func (c *PKIListChildrenCommand) outputResults(results map[string]bool) error {
+func (c *PKIListIntermediateCommand) outputResults(results map[string]bool) error {
 switch Format(c.UI) {
 case "", "table":
 return c.outputResultsTable(results)
@@ -253,7 +260,7 @@ func (c *PKIListChildrenCommand) outputResults(results map[string]bool) error {
 }
 }
-func (c *PKIListChildrenCommand) outputResultsTable(results map[string]bool) error {
+func (c *PKIListIntermediateCommand) outputResultsTable(results map[string]bool) error {
 data := []string{"intermediate" + hopeDelim + "match?"}
 for field, finding := range results {
 row := field + hopeDelim + strconv.FormatBool(finding)
@@ -267,7 +274,7 @@ func (c *PKIListChildrenCommand) outputResultsTable(results map[string]bool) err
 return nil
 }
-func (c *PKIListChildrenCommand) outputResultsJSON(results map[string]bool) error {
+func (c *PKIListIntermediateCommand) outputResultsJSON(results map[string]bool) error {
 bytes, err := json.MarshalIndent(results, "", " ")
 if err != nil {
 return err
@@ -277,7 +284,7 @@ func (c *PKIListChildrenCommand) outputResultsJSON(results map[string]bool) erro
 return nil
 }
-func (c *PKIListChildrenCommand) outputResultsYAML(results map[string]bool) error {
+func (c *PKIListIntermediateCommand) outputResultsYAML(results map[string]bool) error {
 bytes, err := yaml.Marshal(results)
 if err != nil {
 return err
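Review bot: checkIfResultsMatchFilters still has no doc comment after the simplification in the first hunk, and the one property worth writing down is that a key absent from verifyResults reads as the zero value false, so `required && !verifyResults[key]` rejects a required check that never produced a result rather than letting it pass. Suggest adding above the function: `// checkIfResultsMatchFilters reports whether every constraint marked required in constraintMap is true in verifyResults; a key missing from verifyResults counts as false, so a required check with no result fails closed.`. The function is complete within the hunk.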
diff --git a/command/pki_list_children_test.go b/command/pki_list_intermediate_test.go
similarity index 99%
rename from command/pki_list_children_test.go
rename to command/pki_list_intermediate_test.go
index 23f642fd65..84739ad8de 100644
--- a/command/pki_list_children_test.go
+++ b/command/pki_list_intermediate_test.go
@@ -5,7 +5,7 @@ import (
 "testing"
 )
-func TestPKIListChildren(t *testing.T) {
+func TestPKIListIntermediate(t *testing.T) {
 t.Parallel()
 client, closer := testVaultServer(t)
diff --git a/command/pki_verify_sign_command.go b/command/pki_verify_sign_command.go
index ce00eeee55..ac52a6478f 100644
--- a/command/pki_verify_sign_command.go
+++ b/command/pki_verify_sign_command.go
@@ -30,15 +30,25 @@ func (c *PKIVerifySignCommand) Synopsis() string {
 func (c *PKIVerifySignCommand) Help() string {
 helpText := `
 Usage: vault pki verify-sign POSSIBLE-ISSUER POSSIBLE-ISSUED
-Here POSSIBLE-ISSUER and POSSIBLE-ISSUED are the fully name-spaced path to the certificate,
-for instance: 'ns1/mount1/issuer/issuerName/json'
-Returns five fields of information:
-- signature_match: was the key of the issuer used to sign the issued
-- path_match: the possible issuer appears in the valid certificate chain of the issued
-- key_id_match: does the key-id of the issuer match the key_id of the subject
-- subject_match: does the subject name of the issuer match the issuer subject of the issued
-- trust_match: if someone trusted the parent issuer, is the chain provided sufficient to trust the child issued
-`
+
+ Verifies whether the listed issuer has signed the listed issued certificate.
+
+ POSSIBLE-ISSUER and POSSIBLE-ISSUED are the fully name-spaced path to
+ an issuer certificate, for instance: 'ns1/mount1/issuer/issuerName/json'.
+
+ Returns five fields of information:
+
+ - signature_match: was the key of the issuer used to sign the issued.
+ - path_match: the possible issuer appears in the valid certificate chain
+ of the issued.
+ - key_id_match: does the key-id of the issuer match the key_id of the
+ subject.
+ - subject_match: does the subject name of the issuer match the issuer
+ subject of the issued.
+ - trust_match: if someone trusted the parent issuer, is the chain
+ provided sufficient to trust the child issued.
+
+` + c.Flags().Help()
 return strings.TrimSpace(helpText)
 }
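Review bot: The rewritten verify-sign Help() text has a number-agreement slip across two added lines, `POSSIBLE-ISSUER and POSSIBLE-ISSUED are the fully name-spaced path to` / `an issuer certificate, ...`, which should read `are the fully name-spaced paths to` / `issuer certificates, ...`. The removed wording described them as paths "to the certificate" while the new one says "an issuer certificate"; if POSSIBLE-ISSUED may also name a non-issuer certificate, the narrower wording misstates the accepted input and is worth confirming against Run(). Help() is complete within the hunk.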