* VAULT-39462 PKI observations first draft? * acme account * acme account 2 * license * belt and braces * EST, and some tests * more stuff * SCEP * key tests etc * WIP reorganize code into an observe sub-package with interfaces * make fmt * fmt * fmt * empty file hehe * copyright headers * Update builtin/logical/pki/backend_cmpv2_ent_test.go * Update builtin/logical/pki/backend_cmpv2_ent_test.go * Update builtin/logical/pki/path_ocsp.go * Update builtin/logical/pki/path_acme_order.go * Update builtin/logical/pki/path_acme_order.go * extra info * add stored to cieps * make fmt --------- Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com> Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
This commit is contained in:
parent
b3f6bbd78d
commit
7f9a3efe21
29 changed files with 644 additions and 9 deletions
|
|
@ -17,6 +17,7 @@ import (
|
|||
"github.com/hashicorp/go-secure-stdlib/parseutil"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/managed_key"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/revocation"
|
||||
"github.com/hashicorp/vault/helper/metricsutil"
|
||||
|
|
@ -313,6 +314,8 @@ func Backend(conf *logical.BackendConfig) *backend {
|
|||
|
||||
b.pkiCertificateCounter = logical.NewNullPkiCertificateCounter()
|
||||
|
||||
b.pkiObserver = observe.NewPkiCeObserver(b.Logger(), b)
|
||||
|
||||
// It is important that we call SetupEnt at the very end as
|
||||
// some ENT backends need access to the member vars initialized above.
|
||||
b.SetupEnt(conf)
|
||||
|
|
@ -361,6 +364,8 @@ type backend struct {
|
|||
|
||||
// Track when this mount was started.
|
||||
mountStartup time.Time
|
||||
|
||||
pkiObserver observe.PkiObserver
|
||||
}
|
||||
|
||||
// BackendOps a bridge/legacy interface until we can further
|
||||
|
|
|
|||
183
builtin/logical/pki/observe/observation_consts.go
Normal file
183
builtin/logical/pki/observe/observation_consts.go
Normal file
|
|
@ -0,0 +1,183 @@
|
|||
// Copyright (c) HashiCorp, Inc.
|
||||
// SPDX-License-Identifier: BUSL-1.1
|
||||
|
||||
package observe
|
||||
|
||||
const (
|
||||
// ---
|
||||
// Generate Root:
|
||||
|
||||
ObservationTypePKIGenerateRoot = "pki/root/generate"
|
||||
|
||||
// ---
|
||||
// Generate Intermediate:
|
||||
|
||||
ObservationTypePKIGenerateIntermediate = "pki/intermediate/generate"
|
||||
|
||||
// ---
|
||||
// Issue + Sign
|
||||
|
||||
// ObservationTypePKIIssue observations will be emitted for both the issue (pki/issue/:name) and
|
||||
// issue-and-sign endpoints (pki/sign/:name). Observations for isssued-and-signed certs will
|
||||
// contain "signed" = true, and unsigned certs will contain "signed" = false.
|
||||
ObservationTypePKIIssue = "pki/issue"
|
||||
|
||||
// ObservationTypePKICIEPSIssue observations will be emitted for both the CIEPS issue and
|
||||
// issue-and-sign endpoints. Observations for issued-and-signed certs will
|
||||
// contain "signed" = true, and unsigned certs will contain "signed" = false.
|
||||
ObservationTypePKICIEPSIssue = "pki/cieps/issue"
|
||||
|
||||
// ---
|
||||
// Issuer Related Observations
|
||||
|
||||
ObservationTypePKIIssuerRead = "pki/issuer/read"
|
||||
ObservationTypePKIIssuerWrite = "pki/issuer/write"
|
||||
ObservationTypePKIIssuerPatch = "pki/issuer/patch"
|
||||
ObservationTypePKIIssuerDelete = "pki/issuer/delete"
|
||||
ObservationTypePKIIssuerResignCRLs = "pki/issuer/resign-crls"
|
||||
// ObservationTypePKIIssuersImport is emitted when an import happens for issuers.
|
||||
// This can happen via /pki/config/ca, /pki/issuers/import/bundle, /pki/intermediate/set-signed,
|
||||
// and others.
|
||||
ObservationTypePKIIssuersImport = "pki/issuer/import"
|
||||
// ObservationTypePKIConfigIssuersWrite is emitted both for writes to /pki/config/issuers
|
||||
// and /pki/root/replace, as they have the same code path.
|
||||
ObservationTypePKIConfigIssuersWrite = "pki/config/issuers/write"
|
||||
ObservationTypePKIConfigIssuersRead = "pki/config/issuers/read"
|
||||
|
||||
// ObservationTypePKIReadIssuerCertificate is issued when the issuer's certificate is read,
|
||||
// i.e. the following:
|
||||
// https://developer.hashicorp.com/vault/api-docs/secret/pki#read-issuer-certificate
|
||||
ObservationTypePKIReadIssuerCertificate = "pki/issuer/certificate/read"
|
||||
|
||||
// ---
|
||||
// Role related observations
|
||||
|
||||
ObservationTypePKIRoleRead = "pki/role/read"
|
||||
ObservationTypePKIRoleWrite = "pki/role/write"
|
||||
ObservationTypePKIRolePatch = "pki/role/patch"
|
||||
ObservationTypePKIRoleDelete = "pki/role/delete"
|
||||
|
||||
// ---
|
||||
// Cert metadata
|
||||
|
||||
// ObservationTypePKIReadCertificateMetadata is emitted when /pki/cert-metadata/:serial is called.
|
||||
ObservationTypePKIReadCertificateMetadata = "pki/certificate-metadata/read"
|
||||
|
||||
// ---
|
||||
// Tidy
|
||||
|
||||
// ObservationTypePKITidy is emitted when a tidy operation is accepted, not completed.
|
||||
ObservationTypePKITidy = "pki/tidy"
|
||||
|
||||
// ---
|
||||
// Revoke
|
||||
|
||||
ObservationTypePKIRevoke = "pki/revoke"
|
||||
|
||||
// ---
|
||||
// Rotate CRLs
|
||||
|
||||
// ObservationTypePKIRotateCRL is emitted when pki/crl/rotate is called, which forces a rotation of all issuers' CRLs.
|
||||
ObservationTypePKIRotateCRL = "pki/crl/rotate"
|
||||
// ObservationTypePKIRotateDeltaCRL is emitted when pki/crl/rotate-delta is called, which forces a rotation of all issuers' delta CRLs.
|
||||
ObservationTypePKIRotateDeltaCRL = "pki/crl/rotate-delta"
|
||||
|
||||
// ---
|
||||
// Key Related Observations
|
||||
|
||||
ObservationTypePKIKeysGenerate = "pki/keys/generate"
|
||||
ObservationTypePKIKeysImport = "pki/keys/import"
|
||||
ObservationTypePKIConfigKeysWrite = "pki/config/keys/write"
|
||||
ObservationTypePKIConfigKeysRead = "pki/config/keys/read"
|
||||
ObservationTypePKIKeyRead = "pki/key/read"
|
||||
ObservationTypePKIKeyWrite = "pki/key/write"
|
||||
ObservationTypePKIKeyDelete = "pki/key/delete"
|
||||
|
||||
// ---
|
||||
// OCSP Related Observations
|
||||
// Note that statuses are kept to their values as per https://datatracker.ietf.org/doc/html/rfc6960 and
|
||||
// are not translated to be 'human-readable'. This observation covers both pki/ocsp and pki/unified-ocsp
|
||||
// endpoints, returning a "unified" boolean in the body.
|
||||
|
||||
ObservationTypePKIOCSP = "pki/ocsp"
|
||||
|
||||
// ---
|
||||
// Config Related Observations
|
||||
|
||||
// ObservationTypePKIConfigClusterRead will be emitted on a read to
|
||||
// pki/config/cluster
|
||||
ObservationTypePKIConfigClusterRead = "pki/config/integrations/cluster/read"
|
||||
// ObservationTypePKIConfigClusterWrite will be emitted on a write to
|
||||
// pki/config/cluster.
|
||||
ObservationTypePKIConfigClusterWrite = "pki/config/integrations/cluster/write"
|
||||
|
||||
// ObservationTypePKIConfigIntegrationsGardiumRead will be emitted on a read to
|
||||
// pki/config/integrations/gardium. It will not include any user-specified URLs.
|
||||
ObservationTypePKIConfigIntegrationsGardiumRead = "pki/config/integrations/gardium/read"
|
||||
// ObservationTypePKIConfigIntegrationsGardiumWrite will be emitted on a write to
|
||||
// pki/config/integrations/gardium. It will not include any user-specified URLs.
|
||||
ObservationTypePKIConfigIntegrationsGardiumWrite = "pki/config/integrations/gardium/write"
|
||||
|
||||
// ObservationTypePKIConfigURLsRead will be emitted on a read to
|
||||
// pki/config/urls. It will not include any user-specified URLs.
|
||||
ObservationTypePKIConfigURLsRead = "pki/config/urls/read"
|
||||
// ObservationTypePKIConfigURLsWrite will be emitted on a write to
|
||||
// pki/config/urls. It will not include any user-specified URLs.
|
||||
ObservationTypePKIConfigURLsWrite = "pki/config/urls/write"
|
||||
|
||||
// ObservationTypePKIConfigExternalPolicyRead is emitted when a read call goes to
|
||||
// pki/config/external-policy (CIEPS).
|
||||
ObservationTypePKIConfigExternalPolicyRead = "pki/config/external-policy/read"
|
||||
// ObservationTypePKIConfigExternalPolicyWrite is emitted when a write call goes to
|
||||
// pki/config/external-policy (CIEPS). Note that any sensitive information, like
|
||||
// certificates or URLs.
|
||||
ObservationTypePKIConfigExternalPolicyWrite = "pki/config/external-policy/write"
|
||||
|
||||
ObservationTypePKIConfigCRLRead = "pki/config/crl/read"
|
||||
ObservationTypePKIConfigCRLWrite = "pki/config/crl/write"
|
||||
|
||||
// ---
|
||||
// ACME Related Observations
|
||||
|
||||
ObservationTypePKIConfigACMERead = "pki/config/acme/read"
|
||||
ObservationTypePKIConfigACMEWrite = "pki/config/acme/write"
|
||||
|
||||
ObservationTypePKIAcmeRevoke = "pki/acme/revoke"
|
||||
ObservationTypePKIAcmeNewOrder = "pki/acme/order/new-order"
|
||||
ObservationTypePKIAcmeListOrders = "pki/acme/order/list-orders"
|
||||
ObservationTypePKIAcmeGetOrder = "pki/acme/order/get-order"
|
||||
ObservationTypePKIAcmeFinalizeOrder = "pki/acme/order/finalize-order"
|
||||
ObservationTypePKIAcmeFetchOrderCert = "pki/acme/order/fetch-order-cert"
|
||||
ObservationTypePKIAcmeNewAccount = "pki/acme/account/new-account"
|
||||
ObservationTypePKIAcmeUpdateAccount = "pki/acme/account/update-account"
|
||||
ObservationTypePKIAcmeChallenge = "pki/acme/challenge"
|
||||
ObservationTypePKIAcmeAuthorization = "pki/acme/authorization"
|
||||
ObservationTypePKIAcmeNewEab = "pki/acme/new-eab"
|
||||
|
||||
// ---
|
||||
// EST Related Observations
|
||||
|
||||
ObservationTypePKIConfigESTRead = "pki/config/est/read"
|
||||
ObservationTypePKIConfigESTWrite = "pki/config/est/write"
|
||||
|
||||
ObservationTypePKIESTCACerts = "pki/est/ca-certs"
|
||||
|
||||
ObservationTypePKIESTEnroll = "pki/est/enroll"
|
||||
ObservationTypePKIESTReEnroll = "pki/est/re-enroll"
|
||||
|
||||
// ---
|
||||
// CMPv2 Related Observations
|
||||
|
||||
ObservationTypePKIConfigCMPv2Read = "pki/config/cmpv2/read"
|
||||
ObservationTypePKIConfigCMPv2Write = "pki/config/cmpv2/write"
|
||||
|
||||
ObservationTypePKICMPCertRequest = "pki/cmpv2/cert-request"
|
||||
|
||||
// ---
|
||||
// SCEP Related Observations
|
||||
|
||||
ObservationTypePKIConfigSCEPRead = "pki/config/scep/read"
|
||||
ObservationTypePKIConfigSCEPWrite = "pki/config/scep/write"
|
||||
|
||||
ObservationTypePKISCEPPKIOperation = "pki/scep/operation/pki"
|
||||
)
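Review bot: The doc comment on ObservationTypePKIConfigExternalPolicyWrite is cut off mid-sentence ("Note that any sensitive information, like certificates or URLs.") so it never says whether that data is excluded from the observation; since the neighbouring URLs/Gardium constants explicitly promise "It will not include any user-specified URLs", this one should state the same, e.g. `// pki/config/external-policy (CIEPS). Sensitive information, such as certificates or user-specified URLs, is not included in the observation.` — assuming the emitter actually omits them, which this file cannot show. Two smaller wording issues: "isssued-and-signed" in the ObservationTypePKIIssue comment, and ObservationTypePKIConfigClusterRead/Write are documented as pki/config/cluster but their values read `pki/config/integrations/cluster/...`, which deserves a comment if intentional because consumers will key on the string.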
|
||||
29
builtin/logical/pki/observe/observe.go
Normal file
29
builtin/logical/pki/observe/observe.go
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
// Copyright (c) HashiCorp, Inc.
|
||||
// SPDX-License-Identifier: BUSL-1.1
|
||||
|
||||
package observe
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
||||
type PluginObserve interface {
|
||||
// RecordObservation is used to record observations through the plugin's observation system.
|
||||
// It returns ErrNoObservations if the observation system has not been configured or enabled.
|
||||
RecordObservation(ctx context.Context, observationType string, data map[string]interface{}) error
|
||||
}
|
||||
|
||||
type PkiObserver interface {
|
||||
RecordPKIObservation(ctx context.Context, req *logical.Request, observationType string, additionalMetadata ...AdditionalPKIMetadata)
|
||||
}
|
||||
|
||||
type AdditionalPKIMetadata struct {
|
||||
key string
|
||||
value any
|
||||
}
|
||||
|
||||
func NewAdditionalPKIMetadata(key string, value any) AdditionalPKIMetadata {
|
||||
return AdditionalPKIMetadata{key: key, value: value}
|
||||
}
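Review bot: PkiObserver, AdditionalPKIMetadata and NewAdditionalPKIMetadata are exported without doc comments, and the interface is the one place to state what implementations may put into an observation; because the metadata value is `any` and leaves the mount through PluginObserve.RecordObservation, the contract should rule out secret material. Suggested on PkiObserver: `// RecordPKIObservation records a PKI observation of the given type, attaching request-derived context plus additionalMetadata. Implementations must not include secret material (private keys, EAB keys, certificates) in the metadata; failures are logged rather than returned.` — the last clause is an assumption, since the only implementation visible here is a no-op. A doc line on AdditionalPKIMetadata noting that key/value are unexported and only constructible via NewAdditionalPKIMetadata would also help callers outside this package.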
|
||||
29
builtin/logical/pki/observe/observer_ce.go
Normal file
29
builtin/logical/pki/observe/observer_ce.go
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
// Copyright (c) HashiCorp, Inc.
|
||||
// SPDX-License-Identifier: BUSL-1.1
|
||||
|
||||
package observe
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/hashicorp/go-hclog"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
||||
type PkiCeObserver struct {
|
||||
logger hclog.Logger
|
||||
observer PluginObserve
|
||||
}
|
||||
|
||||
var _ PkiObserver = (*PkiCeObserver)(nil)
|
||||
|
||||
func (p PkiCeObserver) RecordPKIObservation(_ context.Context, _ *logical.Request, _ string, _ ...AdditionalPKIMetadata) {
|
||||
// No-op for Community Edition
|
||||
}
|
||||
|
||||
func NewPkiCeObserver(logger hclog.Logger, observer PluginObserve) *PkiCeObserver {
|
||||
return &PkiCeObserver{
|
||||
logger: logger,
|
||||
observer: observer,
|
||||
}
|
||||
}
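Review bot: PkiCeObserver and NewPkiCeObserver lack doc comments saying that the Community Edition observer intentionally discards every observation and that `logger` and `observer` are retained only so the constructor signature matches the (presumably ENT) implementation; without that note the never-read fields look like a bug to anyone running staticcheck. Suggested: `// PkiCeObserver is the Community Edition PkiObserver: RecordPKIObservation is a no-op, and the fields are kept only so the constructor signature is shared with the enterprise observer.` Also, RecordPKIObservation uses a value receiver while the constructor returns *PkiCeObserver; a pointer receiver keeps the type consistent if a stateful method is added later.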
|
||||
|
|
@ -11,6 +11,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/go-secure-stdlib/strutil"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
|
@ -178,7 +179,7 @@ func (b *backend) acmeNewAccountHandler(acmeCtx *acmeContext, r *logical.Request
|
|||
return b.acmeNewAccountCreateHandler(acmeCtx, userCtx, contacts, termsOfServiceAgreed, r, eabData)
|
||||
}
|
||||
|
||||
return b.acmeNewAccountUpdateHandler(acmeCtx, userCtx, contacts, status, eabData)
|
||||
return b.acmeNewAccountUpdateHandler(acmeCtx, userCtx, contacts, status, r, eabData)
|
||||
}
|
||||
|
||||
func formatNewAccountResponse(acmeCtx *acmeContext, acct *acmeAccount, eabData map[string]interface{}) *logical.Response {
|
||||
|
|
@ -316,10 +317,15 @@ func (b *backend) acmeNewAccountCreateHandler(acmeCtx *acmeContext, userCtx *jws
|
|||
// > The server returns this account object in a 201 (Created) response,
|
||||
// > with the account URL in a Location header field.
|
||||
resp.Data[logical.HTTPStatusCode] = http.StatusCreated
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(acmeCtx, r, observe.ObservationTypePKIAcmeNewAccount,
|
||||
observe.NewAdditionalPKIMetadata("key_id", userCtx.Kid),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func (b *backend) acmeNewAccountUpdateHandler(acmeCtx *acmeContext, userCtx *jwsCtx, contact []string, status string, eabData map[string]interface{}) (*logical.Response, error) {
|
||||
func (b *backend) acmeNewAccountUpdateHandler(acmeCtx *acmeContext, userCtx *jwsCtx, contact []string, status string, r *logical.Request, eabData map[string]interface{}) (*logical.Response, error) {
|
||||
if !userCtx.Existing {
|
||||
return nil, fmt.Errorf("cannot submit to account updates without a 'kid': %w", ErrMalformed)
|
||||
}
|
||||
|
|
@ -369,6 +375,12 @@ func (b *backend) acmeNewAccountUpdateHandler(acmeCtx *acmeContext, userCtx *jws
|
|||
}
|
||||
|
||||
resp := formatAccountResponse(acmeCtx, account)
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(acmeCtx, r, observe.ObservationTypePKIAcmeUpdateAccount,
|
||||
observe.NewAdditionalPKIMetadata("key_id", account.KeyId),
|
||||
observe.NewAdditionalPKIMetadata("status", account.Status),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
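Review bot: The two observations identify the account differently — the create path records `userCtx.Kid` while the update path records `account.KeyId` — so consumers cannot rely on one source for `key_id`; if the created account (the `acct` passed to formatNewAccountResponse, outside this hunk) is in scope at the create-side call, recording `acct.KeyId` there keys both events on the stored account ID rather than on the JWS header. I cannot tell from the hunk whether userCtx.Kid is populated for jwk-authenticated newAccount requests, which is the case that matters here. Both handlers start outside the hunk.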
|
||||
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ package pki
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
|
@ -63,6 +64,11 @@ func (b *backend) acmeAuthorizationHandler(acmeCtx *acmeContext, r *logical.Requ
|
|||
}
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(acmeCtx, r, observe.ObservationTypePKIAcmeAuthorization,
|
||||
observe.NewAdditionalPKIMetadata("auth_id", authId),
|
||||
observe.NewAdditionalPKIMetadata("status", status),
|
||||
)
|
||||
|
||||
if len(data) == 0 {
|
||||
return b.acmeAuthorizationFetchHandler(acmeCtx, r, fields, userCtx, data, authz)
|
||||
}
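Review bot: The observation is emitted before the request is dispatched to acmeAuthorizationFetchHandler (or to the update handler below the hunk), so a request the update handler later rejects still produces a `pki/acme/authorization` event carrying the client-supplied `status`, which makes the event unreliable as a record of what happened. Recording after the dispatch returns, or adding an outcome field, fixes this: `resp, err := b.acmeAuthorizationFetchHandler(...)`, then record only when `err == nil`. Where `status` is parsed is not visible in the hunk; if it comes from the request body, a comment at the record site should say it is untrusted input at that point. acmeAuthorizationHandler starts and ends outside the hunk.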
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ package pki
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
|
@ -62,6 +63,11 @@ func (b *backend) acmeChallengeHandler(acmeCtx *acmeContext, r *logical.Request,
|
|||
return nil, fmt.Errorf("failed to load authorization: %w", err)
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(acmeCtx, r, observe.ObservationTypePKIAcmeChallenge,
|
||||
observe.NewAdditionalPKIMetadata("auth_id", authId),
|
||||
observe.NewAdditionalPKIMetadata("challenge_type", challengeType),
|
||||
)
|
||||
|
||||
return b.acmeChallengeFetchHandler(acmeCtx, r, fields, userCtx, data, authz, challengeType)
|
||||
}
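Review bot: Same ordering concern as in the authorization handler: the `pki/acme/challenge` observation fires before acmeChallengeFetchHandler runs, so failed fetches are indistinguishable from successful ones in the observation stream. A three-line change covers it: `resp, err := b.acmeChallengeFetchHandler(acmeCtx, r, fields, userCtx, data, authz, challengeType)`, record the observation only when `err == nil`, then `return resp, err`. acmeChallengeHandler starts outside the hunk.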
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/go-uuid"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
|
@ -244,6 +245,13 @@ func (b *backend) pathAcmeCreateEab(ctx context.Context, r *logical.Request, dat
|
|||
|
||||
encodedKey := base64.RawURLEncoding.EncodeToString(eab.PrivateBytes)
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, r, observe.ObservationTypePKIAcmeNewEab,
|
||||
observe.NewAdditionalPKIMetadata("id", eab.KeyID),
|
||||
observe.NewAdditionalPKIMetadata("key_type", eab.KeyType),
|
||||
observe.NewAdditionalPKIMetadata("acme_directory", path.Join(eab.AcmeDirectory, "directory")),
|
||||
observe.NewAdditionalPKIMetadata("created_on", eab.CreatedOn.Format(time.RFC3339)),
|
||||
)
|
||||
|
||||
return &logical.Response{
|
||||
Data: map[string]interface{}{
|
||||
"id": eab.KeyID,
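Review bot: The observation correctly omits `encodedKey` (the base64 of eab.PrivateBytes, i.e. the EAB HMAC secret that is handed to the caller once), but nothing in the code says so, and the two statements sit directly adjacent, so a future field addition could easily push the secret into telemetry. Add a guard comment above the RecordPKIObservation call: `// Never add encodedKey / eab.PrivateBytes here: it is the shared EAB secret and must only appear in the response.` pathAcmeCreateEab starts outside the hunk.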
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/strutil"
|
||||
|
|
@ -159,7 +160,7 @@ func addFieldsForACMEOrder(fields map[string]*framework.FieldSchema) {
|
|||
}
|
||||
}
|
||||
|
||||
func (b *backend) acmeFetchCertOrderHandler(ac *acmeContext, _ *logical.Request, fields *framework.FieldData, uc *jwsCtx, data map[string]interface{}, _ *acmeAccount) (*logical.Response, error) {
|
||||
func (b *backend) acmeFetchCertOrderHandler(ac *acmeContext, req *logical.Request, fields *framework.FieldData, uc *jwsCtx, data map[string]interface{}, _ *acmeAccount) (*logical.Response, error) {
|
||||
orderId := fields.Get("order_id").(string)
|
||||
|
||||
order, err := b.GetAcmeState().LoadOrder(ac, uc, orderId)
|
||||
|
|
@ -213,6 +214,25 @@ func (b *backend) acmeFetchCertOrderHandler(ac *acmeContext, _ *logical.Request,
|
|||
return nil, fmt.Errorf("failed encoding certificate ca chain: %w", err)
|
||||
}
|
||||
|
||||
var role string
|
||||
var issuerName string
|
||||
var issuerId string
|
||||
if ac.Role != nil {
|
||||
role = ac.Role.Name
|
||||
}
|
||||
if ac.Issuer != nil {
|
||||
issuerId = ac.Issuer.ID.String()
|
||||
issuerName = ac.Issuer.Name
|
||||
}
|
||||
b.pkiObserver.RecordPKIObservation(ac, req, observe.ObservationTypePKIAcmeFetchOrderCert,
|
||||
observe.NewAdditionalPKIMetadata("role", role),
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuerId),
|
||||
observe.NewAdditionalPKIMetadata("order_id", order.OrderId),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", order.CertificateSerialNumber),
|
||||
observe.NewAdditionalPKIMetadata("account_id", order.AccountId),
|
||||
)
|
||||
|
||||
return &logical.Response{
|
||||
Data: map[string]interface{}{
|
||||
logical.HTTPContentType: "application/pem-certificate-chain",
|
||||
|
|
@ -301,6 +321,29 @@ func (b *backend) acmeFinalizeOrderHandler(ac *acmeContext, r *logical.Request,
|
|||
err = nil
|
||||
}
|
||||
|
||||
var role string
|
||||
var issuerName string
|
||||
var stored bool
|
||||
if ac.Role != nil {
|
||||
role = ac.Role.Name
|
||||
stored = !ac.Role.NoStore
|
||||
}
|
||||
if ac.Issuer != nil {
|
||||
issuerName = ac.Issuer.Name
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ac, r, observe.ObservationTypePKIAcmeFinalizeOrder,
|
||||
observe.NewAdditionalPKIMetadata("role", role),
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuerId.String()),
|
||||
observe.NewAdditionalPKIMetadata("order_id", order.OrderId),
|
||||
observe.NewAdditionalPKIMetadata("stored", stored),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", order.CertificateSerialNumber),
|
||||
observe.NewAdditionalPKIMetadata("certificate_expiry", order.CertificateExpiry.String()),
|
||||
observe.NewAdditionalPKIMetadata("status", ACMEOrderValid),
|
||||
observe.NewAdditionalPKIMetadata("account_id", order.AccountId),
|
||||
)
|
||||
|
||||
return formatOrderResponse(ac, order), nil
|
||||
}
|
||||
|
||||
|
|
@ -637,7 +680,7 @@ func parseCsrFromFinalize(data map[string]interface{}) (*x509.CertificateRequest
|
|||
return csr, nil
|
||||
}
|
||||
|
||||
func (b *backend) acmeGetOrderHandler(ac *acmeContext, _ *logical.Request, fields *framework.FieldData, uc *jwsCtx, _ map[string]interface{}, _ *acmeAccount) (*logical.Response, error) {
|
||||
func (b *backend) acmeGetOrderHandler(ac *acmeContext, req *logical.Request, fields *framework.FieldData, uc *jwsCtx, _ map[string]interface{}, _ *acmeAccount) (*logical.Response, error) {
|
||||
orderId := fields.Get("order_id").(string)
|
||||
|
||||
order, err := b.GetAcmeState().LoadOrder(ac, uc, orderId)
|
||||
|
|
@ -673,10 +716,28 @@ func (b *backend) acmeGetOrderHandler(ac *acmeContext, _ *logical.Request, field
|
|||
order.AuthorizationIds = filteredAuthorizationIds
|
||||
}
|
||||
|
||||
var role string
|
||||
var issuerName string
|
||||
var issuerId string
|
||||
if ac.Role != nil {
|
||||
role = ac.Role.Name
|
||||
}
|
||||
if ac.Issuer != nil {
|
||||
issuerName = ac.Issuer.Name
|
||||
issuerId = ac.Issuer.ID.String()
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ac, req, observe.ObservationTypePKIAcmeGetOrder,
|
||||
observe.NewAdditionalPKIMetadata("role", role),
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuerId),
|
||||
observe.NewAdditionalPKIMetadata("order_id", orderId),
|
||||
)
|
||||
|
||||
return formatOrderResponse(ac, order), nil
|
||||
}
|
||||
|
||||
func (b *backend) acmeListOrdersHandler(ac *acmeContext, _ *logical.Request, _ *framework.FieldData, uc *jwsCtx, _ map[string]interface{}, acct *acmeAccount) (*logical.Response, error) {
|
||||
func (b *backend) acmeListOrdersHandler(ac *acmeContext, req *logical.Request, _ *framework.FieldData, uc *jwsCtx, _ map[string]interface{}, acct *acmeAccount) (*logical.Response, error) {
|
||||
orderIds, err := b.GetAcmeState().ListOrderIds(ac.sc, acct.KeyId)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
@ -705,10 +766,28 @@ func (b *backend) acmeListOrdersHandler(ac *acmeContext, _ *logical.Request, _ *
|
|||
},
|
||||
}
|
||||
|
||||
var role string
|
||||
var issuerName string
|
||||
var issuerId string
|
||||
if ac.Role != nil {
|
||||
role = ac.Role.Name
|
||||
}
|
||||
if ac.Issuer != nil {
|
||||
issuerName = ac.Issuer.Name
|
||||
issuerId = ac.Issuer.ID.String()
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ac, req, observe.ObservationTypePKIAcmeListOrders,
|
||||
observe.NewAdditionalPKIMetadata("role", role),
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuerId),
|
||||
observe.NewAdditionalPKIMetadata("order_ids", orderIds),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func (b *backend) acmeNewOrderHandler(ac *acmeContext, _ *logical.Request, _ *framework.FieldData, _ *jwsCtx, data map[string]interface{}, account *acmeAccount) (*logical.Response, error) {
|
||||
func (b *backend) acmeNewOrderHandler(ac *acmeContext, req *logical.Request, _ *framework.FieldData, _ *jwsCtx, data map[string]interface{}, account *acmeAccount) (*logical.Response, error) {
|
||||
identifiers, err := parseOrderIdentifiers(data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
@ -785,6 +864,28 @@ func (b *backend) acmeNewOrderHandler(ac *acmeContext, _ *logical.Request, _ *fr
|
|||
// > If the server is willing to issue the requested certificate, it
|
||||
// > responds with a 201 (Created) response.
|
||||
resp.Data[logical.HTTPStatusCode] = http.StatusCreated
|
||||
|
||||
var role string
|
||||
var issuerName string
|
||||
var issuerId string
|
||||
if ac.Role != nil {
|
||||
role = ac.Role.Name
|
||||
}
|
||||
if ac.Issuer != nil {
|
||||
issuerName = ac.Issuer.Name
|
||||
issuerId = ac.Issuer.ID.String()
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ac, req, observe.ObservationTypePKIAcmeNewOrder,
|
||||
observe.NewAdditionalPKIMetadata("role", role),
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuerId),
|
||||
observe.NewAdditionalPKIMetadata("not_before", notBefore),
|
||||
observe.NewAdditionalPKIMetadata("not_after", notAfter),
|
||||
observe.NewAdditionalPKIMetadata("order_id", order.OrderId),
|
||||
observe.NewAdditionalPKIMetadata("account_id", order.AccountId),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
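Review bot: The role/issuerName/issuerId extraction is copy-pasted five times in this file (fetch-cert, finalize, get, list, new-order) with small drifts — finalize reads `issuerId.String()` from a variable declared outside the hunk instead of `ac.Issuer.ID`, and fetch-cert assigns the two issuer fields in the opposite order — so a shared helper removes the duplication and the chance of the variants diverging further. Each call site then becomes `append(acmeObservationMetadata(ac), observe.NewAdditionalPKIMetadata("order_id", orderId))...`. Separately, `certificate_expiry` is recorded with time.Time.String() while path_acme_eab.go formats `created_on` as RFC3339; one timestamp format across the ACME observations would be easier to parse. All of these handlers start outside their hunks.
```go
// acmeObservationMetadata returns the role/issuer metadata shared by the ACME
// order observations. It tolerates a nil Role or Issuer on the context, in
// which case the corresponding values are recorded as empty strings.
func acmeObservationMetadata(ac *acmeContext) []observe.AdditionalPKIMetadata {
	var role, issuerName, issuerId string
	if ac.Role != nil {
		role = ac.Role.Name
	}
	if ac.Issuer != nil {
		issuerName = ac.Issuer.Name
		issuerId = ac.Issuer.ID.String()
	}
	return []observe.AdditionalPKIMetadata{
		observe.NewAdditionalPKIMetadata("role", role),
		observe.NewAdditionalPKIMetadata("issuer_name", issuerName),
		observe.NewAdditionalPKIMetadata("issuer_id", issuerId),
	}
}

// … unchanged: acmeGetOrderHandler body up to the observation …
	b.pkiObserver.RecordPKIObservation(ac, req, observe.ObservationTypePKIAcmeGetOrder,
		append(acmeObservationMetadata(ac),
			observe.NewAdditionalPKIMetadata("order_id", orderId),
		)...,
	)
```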
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
|
|
@ -42,7 +43,7 @@ func patternAcmeRevoke(b *backend, pattern string, opts acmeWrapperOpts) *framew
|
|||
}
|
||||
}
|
||||
|
||||
func (b *backend) acmeRevocationHandler(acmeCtx *acmeContext, _ *logical.Request, _ *framework.FieldData, userCtx *jwsCtx, data map[string]interface{}) (*logical.Response, error) {
|
||||
func (b *backend) acmeRevocationHandler(acmeCtx *acmeContext, req *logical.Request, _ *framework.FieldData, userCtx *jwsCtx, data map[string]interface{}) (*logical.Response, error) {
|
||||
var cert *x509.Certificate
|
||||
|
||||
rawCertificate, present := data["certificate"]
|
||||
|
|
@ -126,6 +127,12 @@ func (b *backend) acmeRevocationHandler(acmeCtx *acmeContext, _ *logical.Request
|
|||
return nil, fmt.Errorf("unable to revoke certificate: %w", ErrAlreadyRevoked)
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(acmeCtx, req, observe.ObservationTypePKIAcmeRevoke,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", cert.Issuer.String()),
|
||||
observe.NewAdditionalPKIMetadata("is_ca", cert.IsCA),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber.String()),
|
||||
)
|
||||
|
||||
// Finally, do the relevant permissions/authorization check as
|
||||
// appropriate based on the type of revocation happening.
|
||||
if !userCtx.Existing {
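Review bot: The `pki/acme/revoke` observation is recorded before the permissions/authorization check that the comment on the following lines announces, so a revocation request that is then rejected (wrong account, key not proven) is still observed as a revoke; moving the RecordPKIObservation call after the authorization check and the actual revocation, or adding an outcome field, keeps the event truthful. Also `issuer_name` here is `cert.Issuer.String()` — the issuer DN of a client-supplied certificate — whereas every other ACME observation uses `ac.Issuer.Name` for `issuer_name`; renaming the key to something like `issuer_dn` and noting in a comment that the value comes from untrusted client input avoids consumers conflating the two. acmeRevocationHandler continues past the end of the hunk.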
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/helper/constants"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/errutil"
|
||||
|
|
@ -184,6 +185,10 @@ func (b *backend) pathAcmeRead(ctx context.Context, req *logical.Request, _ *fra
|
|||
}
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigACMERead,
|
||||
observe.NewAdditionalPKIMetadata("enabled", config.Enabled),
|
||||
)
|
||||
|
||||
return genResponseFromAcmeConfig(config, warnings), nil
|
||||
}
|
||||
|
||||
|
|
@ -364,6 +369,13 @@ func (b *backend) pathAcmeWrite(ctx context.Context, req *logical.Request, d *fr
|
|||
return nil, fmt.Errorf("failed persisting: %w", err)
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigACMEWrite,
|
||||
observe.NewAdditionalPKIMetadata("enabled", config.Enabled),
|
||||
observe.NewAdditionalPKIMetadata("default_directory_policy_type", defaultDirectoryPolicyType),
|
||||
observe.NewAdditionalPKIMetadata("max_ttl", config.MaxTTL),
|
||||
observe.NewAdditionalPKIMetadata("eab_policy_name", config.EabPolicyName),
|
||||
)
|
||||
|
||||
return genResponseFromAcmeConfig(config, warnings), nil
|
||||
}
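Review bot: pathAcmeRead records only `enabled`, while the write also records the EAB policy and directory policy; since whether EAB is required decides whether unauthenticated clients can create ACME accounts, the read observation is far more useful to operators if it carries `eab_policy_name` too — presumably available as `config.EabPolicyName`, exactly as the write path uses it: `observe.NewAdditionalPKIMetadata("eab_policy_name", config.EabPolicyName),`. Both handlers start outside their hunks.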
|
||||
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ import (
|
|||
"net/http"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
|
@ -223,6 +224,10 @@ func (b *backend) pathCAIssuersRead(ctx context.Context, req *logical.Request, _
|
|||
return logical.ErrorResponse("Error loading issuers configuration: " + err.Error()), nil
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigIssuersRead,
|
||||
observe.NewAdditionalPKIMetadata("default_issuer_id", config.DefaultIssuerId),
|
||||
observe.NewAdditionalPKIMetadata("default_follows_latest_issuer", config.DefaultFollowsLatestIssuer))
|
||||
|
||||
return b.formatCAIssuerConfigRead(config), nil
|
||||
}
|
||||
|
||||
|
|
@ -291,6 +296,10 @@ func (b *backend) pathCAIssuersWrite(ctx context.Context, req *logical.Request,
|
|||
return logical.ErrorResponse("Error updating issuer configuration: " + err.Error()), nil
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigIssuersWrite,
|
||||
observe.NewAdditionalPKIMetadata("default_issuer_id", config.DefaultIssuerId),
|
||||
observe.NewAdditionalPKIMetadata("default_follows_latest_issuer", config.DefaultFollowsLatestIssuer))
|
||||
|
||||
return response, nil
|
||||
}
|
||||
|
||||
|
|
@ -381,6 +390,9 @@ func (b *backend) pathKeyDefaultRead(ctx context.Context, req *logical.Request,
|
|||
return logical.ErrorResponse("Error loading keys configuration: " + err.Error()), nil
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigKeysRead,
|
||||
observe.NewAdditionalPKIMetadata("default_key_id", config.DefaultKeyId))
|
||||
|
||||
return &logical.Response{
|
||||
Data: map[string]interface{}{
|
||||
defaultRef: config.DefaultKeyId,
|
||||
|
|
@ -414,6 +426,10 @@ func (b *backend) pathKeyDefaultWrite(ctx context.Context, req *logical.Request,
|
|||
return logical.ErrorResponse("Error updating issuer configuration: " + err.Error()), nil
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigKeysWrite,
|
||||
observe.NewAdditionalPKIMetadata("default_key_id", parsedKey),
|
||||
)
|
||||
|
||||
return &logical.Response{
|
||||
Data: map[string]interface{}{
|
||||
defaultRef: parsedKey,
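Review bot: The RecordPKIObservation calls in pathCAIssuersRead, pathCAIssuersWrite and pathKeyDefaultRead close the argument list on the last metadata line (`... config.DefaultFollowsLatestIssuer))`), while pathKeyDefaultWrite and the rest of this change put each metadata entry on its own line with a trailing comma and `)` on the next line; one layout across the change reads better and keeps future additions to single-line diffs. E.g. `observe.NewAdditionalPKIMetadata("default_follows_latest_issuer", config.DefaultFollowsLatestIssuer),` followed by `)` on its own line. All four handlers start outside their hunks.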
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
"net/http"
|
||||
|
||||
"github.com/asaskevich/govalidator"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
|
@ -143,6 +144,8 @@ func (b *backend) pathReadCluster(ctx context.Context, req *logical.Request, _ *
|
|||
},
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigClusterRead)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
@ -181,6 +184,11 @@ func (b *backend) pathWriteCluster(ctx context.Context, req *logical.Request, da
|
|||
},
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigClusterWrite,
|
||||
observe.NewAdditionalPKIMetadata("path", cfg.Path),
|
||||
observe.NewAdditionalPKIMetadata("aia_path", cfg.AIAPath),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
"net/http"
|
||||
|
||||
"github.com/hashicorp/go-secure-stdlib/parseutil"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
|
||||
"github.com/hashicorp/vault/helper/constants"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
|
|
@ -133,6 +134,8 @@ func (b *backend) pathCRLRead(ctx context.Context, req *logical.Request, _ *fram
|
|||
return nil, fmt.Errorf("failed fetching CRL config: %w", err)
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigCRLRead)
|
||||
|
||||
return genResponseFromCrlConfig(config), nil
|
||||
}
|
||||
|
||||
|
|
@ -298,6 +301,22 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
|
|||
}
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigCRLWrite,
|
||||
observe.NewAdditionalPKIMetadata("version", config.Version),
|
||||
observe.NewAdditionalPKIMetadata("expiry", config.Expiry),
|
||||
observe.NewAdditionalPKIMetadata("disable", config.Disable),
|
||||
observe.NewAdditionalPKIMetadata("ocsp_disable", config.OcspDisable),
|
||||
observe.NewAdditionalPKIMetadata("auto_rebuild", config.AutoRebuild),
|
||||
observe.NewAdditionalPKIMetadata("auto_rebuild_grace_period", config.AutoRebuildGracePeriod),
|
||||
observe.NewAdditionalPKIMetadata("ocsp_expiry", config.OcspExpiry),
|
||||
observe.NewAdditionalPKIMetadata("enable_delta", config.EnableDelta),
|
||||
observe.NewAdditionalPKIMetadata("delta_rebuild_interval", config.DeltaRebuildInterval),
|
||||
observe.NewAdditionalPKIMetadata("cross_cluster_revocation", config.UseGlobalQueue),
|
||||
observe.NewAdditionalPKIMetadata("unified_crl", config.UnifiedCRL),
|
||||
observe.NewAdditionalPKIMetadata("unified_crl_on_existing_paths", config.UnifiedCRLOnExistingPaths),
|
||||
observe.NewAdditionalPKIMetadata("max_crl_entries", config.MaxCRLEntries),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
|
@ -214,6 +215,8 @@ func (b *backend) pathReadURL(ctx context.Context, req *logical.Request, _ *fram
|
|||
},
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigURLsRead)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
@ -298,6 +301,10 @@ func (b *backend) pathWriteURL(ctx context.Context, req *logical.Request, data *
|
|||
return nil, err
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIConfigURLsWrite,
|
||||
observe.NewAdditionalPKIMetadata("enable_templating", entries.EnableTemplating),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/revocation"
|
||||
"github.com/hashicorp/vault/helper/constants"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
|
|
@ -510,6 +511,13 @@ reply:
|
|||
}
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIReadIssuerCertificate,
|
||||
observe.NewAdditionalPKIMetadata("pem_type", pemType),
|
||||
observe.NewAdditionalPKIMetadata("content_type", contentType),
|
||||
observe.NewAdditionalPKIMetadata("revocation_time", revocationTimeRfc3339),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", serial),
|
||||
)
|
||||
|
||||
return
|
||||
}
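Review bot: The observation is emitted on every exit of the handler, because the hunk header places it under the `reply:` label; if the earlier error paths of this function reach that label via `goto` (they are outside the hunk), a failed lookup is recorded as a `ReadIssuerCertificate` observation with empty `serial_number`/`pem_type`. Gate the call on the success path, e.g. `if <the function's retErr> == nil { b.pkiObserver.RecordPKIObservation(...) }`, or make the outcome explicit with `observe.NewAdditionalPKIMetadata("error", retErr != nil)`. Note that `revocation_time` is RFC 3339 here while the issuer hunks record timestamps with `time.Time.String()`; one format across the package makes correlation in the observation sink much easier. The enclosing function starts outside the hunk.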
|
||||
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
|
|
@ -445,6 +446,12 @@ func (b *backend) pathGetIssuer(ctx context.Context, req *logical.Request, data
|
|||
return nil, err
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIIssuerRead,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuer.Name),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuer.ID),
|
||||
observe.NewAdditionalPKIMetadata("last_modified", issuer.LastModified.String()),
|
||||
observe.NewAdditionalPKIMetadata("revoked", issuer.Revoked))
|
||||
|
||||
return respondReadIssuer(issuer)
|
||||
}
|
||||
|
||||
|
|
@ -796,6 +803,12 @@ func (b *backend) pathUpdateIssuer(ctx context.Context, req *logical.Request, da
|
|||
}
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIIssuerWrite,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuer.Name),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuer.ID),
|
||||
observe.NewAdditionalPKIMetadata("last_modified", issuer.LastModified.String()),
|
||||
observe.NewAdditionalPKIMetadata("revoked", issuer.Revoked))
|
||||
|
||||
return response, err
|
||||
}
|
||||
|
||||
|
|
@ -1099,6 +1112,12 @@ func (b *backend) pathPatchIssuer(ctx context.Context, req *logical.Request, dat
|
|||
response.AddWarning(fmt.Sprintf("delta crl distribution points were set: %v but no base crl distribution point was set, consider setting base crl distribution point.", strings.Join(issuer.AIAURIs.DeltaCRLDistributionPoints, ", ")))
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIIssuerPatch,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuer.Name),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuer.ID),
|
||||
observe.NewAdditionalPKIMetadata("last_modified", issuer.LastModified.String()),
|
||||
observe.NewAdditionalPKIMetadata("revoked", issuer.Revoked))
|
||||
|
||||
return response, err
|
||||
}
|
||||
|
||||
|
|
@ -1257,6 +1276,11 @@ func (b *backend) pathDeleteIssuer(ctx context.Context, req *logical.Request, da
|
|||
response.AddWarning(fmt.Sprintf("Warning %d during CRL rebuild: %v", index+1, warning))
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIIssuerDelete,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuer.Name),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", issuer.ID),
|
||||
observe.NewAdditionalPKIMetadata("was_default", wasDefault))
|
||||
|
||||
return response, nil
|
||||
}
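Review bot: The update and patch observations record `issuer_name`, `issuer_id`, `last_modified` and `revoked`, none of which says what the write changed, and the security-relevant knobs these endpoints control — the issuer's `usage` (whether it may issue leaves and sign CRLs/OCSP) and its manual chain — are not captured. Consider adding the usage to both `pathUpdateIssuer` and `pathPatchIssuer`, e.g. `observe.NewAdditionalPKIMetadata("usage", issuer.Usage.Names()),` if that string helper is available on the usage type. Also, in both handlers the observation is emitted and then `return response, err` follows, so if `err` is non-nil from building the response the write is still observed as successful; record after the error check or include the outcome. The enclosing functions start outside the hunk.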
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import (
|
|||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/managed_key"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/errutil"
|
||||
|
|
@ -290,6 +291,13 @@ func (b *backend) pathGetKeyHandler(ctx context.Context, req *logical.Request, d
|
|||
}
|
||||
respData[skidParam] = certutil.GetHexFormatted([]byte(skid), ":")
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIKeyRead,
|
||||
observe.NewAdditionalPKIMetadata("key_id", key.ID),
|
||||
observe.NewAdditionalPKIMetadata("key_name", key.Name),
|
||||
observe.NewAdditionalPKIMetadata("key_type", key.PrivateKeyType),
|
||||
observe.NewAdditionalPKIMetadata("key_ref", keyRef),
|
||||
)
|
||||
|
||||
return &logical.Response{Data: respData}, nil
|
||||
}
|
||||
|
||||
|
|
@ -348,6 +356,13 @@ func (b *backend) pathUpdateKeyHandler(ctx context.Context, req *logical.Request
|
|||
resp.AddWarning("Name successfully deleted, you will now need to reference this key by it's Id: " + string(key.ID))
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIKeyWrite,
|
||||
observe.NewAdditionalPKIMetadata("key_id", key.ID),
|
||||
observe.NewAdditionalPKIMetadata("key_name", key.Name),
|
||||
observe.NewAdditionalPKIMetadata("key_type", key.PrivateKeyType),
|
||||
observe.NewAdditionalPKIMetadata("key_ref", keyRef),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
@ -397,5 +412,10 @@ func (b *backend) pathDeleteKeyHandler(ctx context.Context, req *logical.Request
|
|||
response.AddWarning(msg)
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIKeyDelete,
|
||||
observe.NewAdditionalPKIMetadata("was_default", wasDefault),
|
||||
observe.NewAdditionalPKIMetadata("key_ref", keyRef),
|
||||
)
|
||||
|
||||
return response, nil
|
||||
}
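Review bot: `pathDeleteKeyHandler` records only the caller-supplied `key_ref` and `was_default`, whereas the issuer-delete hunk records both the name and the resolved `issuer_id`; since `key_ref` may be a name or `default`, the observation does not identify which key material was destroyed once the name is gone. If the resolved key ID is in scope after reference resolution (the rest of the function is outside the hunk), add `observe.NewAdditionalPKIMetadata("key_id", keyId),` alongside `key_ref`. Separately, `key.PrivateKeyType` is passed as the named type in the read and update handlers here but converted with `string(...)` in the generate-key hunk; pick one so the sink sees a consistent value type.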
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
"fmt"
|
||||
"net/http"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/errutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
|
|
@ -210,6 +211,13 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
|
|||
|
||||
resp = addWarnings(resp, warnings)
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIGenerateIntermediate,
|
||||
observe.NewAdditionalPKIMetadata("key_id", myKey.ID),
|
||||
observe.NewAdditionalPKIMetadata("key_name", myKey.Name),
|
||||
observe.NewAdditionalPKIMetadata("role", role.Name),
|
||||
observe.NewAdditionalPKIMetadata("exported", exported),
|
||||
observe.NewAdditionalPKIMetadata("type", format))
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/consts"
|
||||
|
|
@ -482,6 +483,18 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
|
|||
|
||||
resp = addWarnings(resp, warnings)
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIIssue,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", role.Issuer),
|
||||
observe.NewAdditionalPKIMetadata("signed", useCSR),
|
||||
observe.NewAdditionalPKIMetadata("role_name", role.Name),
|
||||
observe.NewAdditionalPKIMetadata("stored", !role.NoStore),
|
||||
observe.NewAdditionalPKIMetadata("not_after", parsedBundle.Certificate.NotAfter.String()),
|
||||
observe.NewAdditionalPKIMetadata("not_before", parsedBundle.Certificate.NotBefore.String()),
|
||||
observe.NewAdditionalPKIMetadata("is_ca", parsedBundle.Certificate.IsCA),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", parsedBundle.Certificate.SerialNumber.String()),
|
||||
observe.NewAdditionalPKIMetadata("lease_generated", generateLease),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
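Review bot: `issuer_name` is taken from `role.Issuer` rather than from the issuer that actually signed the certificate; if this handler also serves the `issuer/:issuer_ref/issue|sign/:role` paths, where the path parameter overrides the role's issuer during CA resolution (above the hunk), the observation can attribute a certificate to the wrong CA, which defeats the point of recording it. Record the resolved issuer's ID — the value used when the signing bundle was fetched — instead of, or in addition to, `role.Issuer`. Also `NotAfter.String()`/`NotBefore.String()` produce Go's verbose time format; `time` is imported, so `parsedBundle.Certificate.NotAfter.Format(time.RFC3339)` would match the RFC 3339 `revocation_time` used in the fetch hunk. `pathIssueSignCert` starts outside the hunk.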
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/revocation"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/errutil"
|
||||
|
|
@ -505,6 +506,13 @@ func (b *backend) pathImportIssuers(ctx context.Context, req *logical.Request, d
|
|||
}
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIIssuersImport,
|
||||
observe.NewAdditionalPKIMetadata("mapping", issuerKeyMap),
|
||||
observe.NewAdditionalPKIMetadata("imported_keys", createdKeys),
|
||||
observe.NewAdditionalPKIMetadata("imported_issuers", createdIssuers),
|
||||
observe.NewAdditionalPKIMetadata("existing_keys", existingKeys),
|
||||
observe.NewAdditionalPKIMetadata("existing_issuers", existingIssuers))
|
||||
|
||||
return response, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/managed_key"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
|
|
@ -128,13 +129,14 @@ func (b *backend) pathGenerateKeyHandler(ctx context.Context, req *logical.Reque
|
|||
exportPrivateKey := false
|
||||
var keyBundle certutil.KeyBundle
|
||||
var actualPrivateKeyType certutil.PrivateKeyType
|
||||
var keyBits int
|
||||
switch {
|
||||
case strings.HasSuffix(req.Path, "/exported"):
|
||||
exportPrivateKey = true
|
||||
fallthrough
|
||||
case strings.HasSuffix(req.Path, "/internal"):
|
||||
keyType := data.Get(keyTypeParam).(string)
|
||||
keyBits := data.Get(keyBitsParam).(int)
|
||||
keyBits = data.Get(keyBitsParam).(int)
|
||||
|
||||
keyBits, _, err := certutil.ValidateDefaultOrValueKeyTypeSignatureLength(keyType, keyBits, 0)
|
||||
if err != nil {
|
||||
|
|
@ -179,6 +181,14 @@ func (b *backend) pathGenerateKeyHandler(ctx context.Context, req *logical.Reque
|
|||
if exportPrivateKey {
|
||||
responseData["private_key"] = privateKeyPemString
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIKeysGenerate,
|
||||
observe.NewAdditionalPKIMetadata("key_type", string(actualPrivateKeyType)),
|
||||
observe.NewAdditionalPKIMetadata("key_bits", keyBits),
|
||||
observe.NewAdditionalPKIMetadata("key_id", key.ID),
|
||||
observe.NewAdditionalPKIMetadata("key_name", key.Name),
|
||||
)
|
||||
|
||||
return &logical.Response{
|
||||
Data: responseData,
|
||||
}, nil
|
||||
|
|
@ -316,5 +326,12 @@ func (b *backend) pathImportKeyHandler(ctx context.Context, req *logical.Request
|
|||
resp.AddWarning("Key already imported, use key/ endpoint to update name.")
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIKeysImport,
|
||||
observe.NewAdditionalPKIMetadata("existed", existed),
|
||||
observe.NewAdditionalPKIMetadata("key_type", key.PrivateKeyType),
|
||||
observe.NewAdditionalPKIMetadata("key_id", key.ID),
|
||||
observe.NewAdditionalPKIMetadata("key_name", key.Name),
|
||||
)
|
||||
|
||||
return &resp, nil
|
||||
}
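Review bot: The new `var keyBits int` never receives the validated value: inside the `/internal` case, `keyBits, _, err := certutil.ValidateDefaultOrValueKeyTypeSignatureLength(keyType, keyBits, 0)` uses `:=` in the case-clause scope, which declares a fresh `keyBits` shadowing the outer one, so the observation's `key_bits` reports the raw request value (e.g. 0 when the caller omitted the field and relied on the default) rather than the size that was actually generated. Change it to assignment, `keyBits, _, err = certutil.ValidateDefaultOrValueKeyTypeSignatureLength(keyType, keyBits, 0)`, declaring `err` beforehand if it is not already in scope; `go vet`'s shadow analyzer would have flagged this. Separately, `string(actualPrivateKeyType)` here versus the bare `key.PrivateKeyType` in the import hunk below is inconsistent. The rest of `pathGenerateKeyHandler` is outside the hunk.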
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ import (
|
|||
"github.com/hashicorp/go-hclog"
|
||||
"github.com/hashicorp/go-secure-stdlib/parseutil"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/revocation"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
|
|
@ -204,6 +205,18 @@ func (b *backend) ocspHandler(ctx context.Context, request *logical.Request, dat
|
|||
return logAndReturnInternalError(b.Logger(), err), nil
|
||||
}
|
||||
|
||||
var serialNumber string
|
||||
if ocspStatus.serialNumber != nil {
|
||||
serialNumber = ocspStatus.serialNumber.String()
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, request, observe.ObservationTypePKIOCSP,
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", ocspStatus.issuerID),
|
||||
observe.NewAdditionalPKIMetadata("unified", useUnifiedStorage),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", serialNumber),
|
||||
observe.NewAdditionalPKIMetadata("ocsp_status", ocspStatus.ocspStatus),
|
||||
)
|
||||
|
||||
return &logical.Response{
|
||||
Data: map[string]interface{}{
|
||||
logical.HTTPContentType: ocspResponseContentType,
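Review bot: The OCSP endpoint is unauthenticated, so the rate of observations emitted here is attacker-controlled in a way the authenticated endpoints in this change are not; if the observer does synchronous work or persists records, that should be documented at this call site or the call sampled/rate-limited, e.g. `// NOTE: unauthenticated path; observation volume is caller-controlled`. It would also help a detection use case to know whether the serial was unknown to this mount rather than only the raw `ocsp_status`, assuming unknown serials reach this point (requests rejected earlier via `logAndReturnInternalError` are not observed at all, which is probably fine). The enclosing handler continues outside the hunk.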
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ import (
|
|||
|
||||
"github.com/hashicorp/go-secure-stdlib/parseutil"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
|
|
@ -266,6 +267,11 @@ func (b *backend) pathUpdateResignCrlsHandler(ctx context.Context, request *logi
|
|||
|
||||
body := encodeResponse(crlBytes, format == "der")
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, request, observe.ObservationTypePKIIssuerResignCRLs,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", issuerRef),
|
||||
observe.NewAdditionalPKIMetadata("signature_algorithm", caBundle.RevocationSigAlg),
|
||||
observe.NewAdditionalPKIMetadata("number", big.NewInt(int64(crlNumber)).String()))
|
||||
|
||||
return &logical.Response{
|
||||
Warnings: warnings,
|
||||
Data: map[string]interface{}{
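Review bot: `issuer_name` here is the raw `issuerRef` from the request (which may be `default` or an alias), not the resolved issuer identity the other hunks record, so CRL re-signing events cannot be joined with the issuer read/write observations by `issuer_id`. If the resolved issuer ID is available after the CA bundle is fetched (above the hunk), add `observe.NewAdditionalPKIMetadata("issuer_id", <resolved id>),` next to it. `big.NewInt(int64(crlNumber)).String()` is also just `strconv.FormatInt(int64(crlNumber), 10)`. The enclosing handler starts and ends outside the hunk.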
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
|
|
@ -651,6 +652,12 @@ func (b *backend) pathRevokeWrite(ctx context.Context, req *logical.Request, dat
|
|||
b.GetRevokeStorageLock().Lock()
|
||||
defer b.GetRevokeStorageLock().Unlock()
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRevoke,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", cert.Issuer.String()),
|
||||
observe.NewAdditionalPKIMetadata("is_ca", cert.IsCA),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber.String()),
|
||||
)
|
||||
|
||||
return revokeCert(sc, config, cert)
|
||||
}
|
||||
|
||||
|
|
@ -679,6 +686,8 @@ func (b *backend) pathRotateCRLRead(ctx context.Context, req *logical.Request, _
|
|||
resp.AddWarning(fmt.Sprintf("Warning %d during CRL rebuild: %v", index+1, warning))
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRotateCRL)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
@ -715,6 +724,8 @@ func (b *backend) pathRotateDeltaCRLRead(ctx context.Context, req *logical.Reque
|
|||
resp.AddWarning(fmt.Sprintf("Warning %d during CRL rebuild: %v", index+1, warning))
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRotateDeltaCRL)
|
||||
|
||||
return resp, nil
|
||||
}
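Review bot: In `pathRevokeWrite` the `PKIRevoke` observation is emitted before `revokeCert(sc, config, cert)` runs, so a revocation that fails (a storage error, or an error response if revokeCert returns one for serials it declines to revoke) is still observed as a completed revocation. Record it after the call and gate on success: `resp, err := revokeCert(sc, config, cert)` / `if err == nil { b.pkiObserver.RecordPKIObservation(...) }` / `return resp, err`, or add an outcome field. Note also that `issuer_name` carries the certificate's X.509 issuer DN (`cert.Issuer.String()`), not the Vault issuer name/ID the issuer hunks use, which makes joining observations by `issuer_name` unreliable. `pathRevokeWrite` starts outside the hunk.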
|
||||
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
"github.com/hashicorp/vault/sdk/helper/consts"
|
||||
|
|
@ -920,11 +921,16 @@ func (b *backend) GetRole(ctx context.Context, s logical.Storage, n string) (*is
|
|||
}
|
||||
|
||||
func (b *backend) pathRoleDelete(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
err := req.Storage.Delete(ctx, "role/"+data.Get("name").(string))
|
||||
roleName := data.Get("name").(string)
|
||||
err := req.Storage.Delete(ctx, "role/"+roleName)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRoleDelete,
|
||||
observe.NewAdditionalPKIMetadata("role_name", roleName),
|
||||
)
|
||||
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
|
|
@ -945,6 +951,12 @@ func (b *backend) pathRoleRead(ctx context.Context, req *logical.Request, data *
|
|||
resp := &logical.Response{
|
||||
Data: role.ToResponseData(),
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRoleRead,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", role.Issuer),
|
||||
observe.NewAdditionalPKIMetadata("role_name", role.Name),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
@ -1067,6 +1079,16 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
|
|||
return nil, err
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRoleWrite,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", entry.Issuer),
|
||||
observe.NewAdditionalPKIMetadata("role_name", entry.Name),
|
||||
observe.NewAdditionalPKIMetadata("max_ttl", entry.MaxTTL.String()),
|
||||
observe.NewAdditionalPKIMetadata("ttl", entry.TTL.String()),
|
||||
observe.NewAdditionalPKIMetadata("no_store", entry.NoStore),
|
||||
observe.NewAdditionalPKIMetadata("not_after", entry.NotAfter),
|
||||
observe.NewAdditionalPKIMetadata("not_before", entry.NotBeforeDuration.String()),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
|
|
@ -1282,6 +1304,16 @@ func (b *backend) pathRolePatch(ctx context.Context, req *logical.Request, data
|
|||
return nil, err
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRolePatch,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", entry.Issuer),
|
||||
observe.NewAdditionalPKIMetadata("role_name", entry.Name),
|
||||
observe.NewAdditionalPKIMetadata("max_ttl", entry.MaxTTL.String()),
|
||||
observe.NewAdditionalPKIMetadata("ttl", entry.TTL.String()),
|
||||
observe.NewAdditionalPKIMetadata("no_store", entry.NoStore),
|
||||
observe.NewAdditionalPKIMetadata("not_after", entry.NotAfter),
|
||||
observe.NewAdditionalPKIMetadata("not_before", entry.NotBeforeDuration.String()),
|
||||
)
|
||||
|
||||
return resp, nil
|
||||
}
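Review bot: `pathRoleCreate` and `pathRolePatch` record TTLs and `no_store` but none of the fields that decide what a role is allowed to issue — the allow-any-name/subdomain/glob/wildcard settings, hostname enforcement, key usages — which are exactly what a detection rule for "role made overly permissive" would need. Consider adding the name-policy booleans from the role entry, e.g. `observe.NewAdditionalPKIMetadata("allow_any_name", entry.AllowAnyName),` and `observe.NewAdditionalPKIMetadata("enforce_hostnames", entry.EnforceHostnames),`, assuming the entry exposes them under those names as the API parameters suggest. Also `pathRoleDelete` records a delete even when `req.Storage.Delete` was a no-op on a role that did not exist; if that distinction matters for the sink, check existence first. The create/patch functions start outside the hunk.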
|
||||
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/parsing"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||||
|
|
@ -332,6 +333,16 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
|
|||
|
||||
resp = addWarnings(resp, warnings)
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIGenerateRoot,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", myIssuer.Name),
|
||||
observe.NewAdditionalPKIMetadata("issuer_id", myIssuer.ID),
|
||||
observe.NewAdditionalPKIMetadata("key_id", myKey.ID),
|
||||
observe.NewAdditionalPKIMetadata("key_id", myKey.Name),
|
||||
observe.NewAdditionalPKIMetadata("role", role.Name),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", cb.SerialNumber),
|
||||
observe.NewAdditionalPKIMetadata("type", format),
|
||||
observe.NewAdditionalPKIMetadata("expiration", parsedBundle.Certificate.NotAfter.String()))
|
||||
|
||||
return resp, nil
|
||||
}
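Review bot: The metadata key `"key_id"` is used twice in `pathCAGenerateRoot` — once with `myKey.ID` and once with `myKey.Name` — so depending on how the observer assembles metadata the key name either overwrites the ID or is silently dropped; the intermediate hunk uses `"key_name"` for the same value. Change the second entry to `observe.NewAdditionalPKIMetadata("key_name", myKey.Name),`. `parsedBundle.Certificate.NotAfter.String()` also yields Go's verbose time format; `Format(time.RFC3339)` would match the RFC 3339 `revocation_time` used in the fetch hunk. The enclosing function starts outside the hunk.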
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ import (
|
|||
"github.com/hashicorp/go-hclog"
|
||||
"github.com/hashicorp/go-secure-stdlib/parseutil"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/revocation"
|
||||
"github.com/hashicorp/vault/helper/constants"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
|
|
@ -705,6 +706,14 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
|
|||
}
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKITidy,
|
||||
observe.NewAdditionalPKIMetadata("tidy_cert_store", tidyCertStore),
|
||||
observe.NewAdditionalPKIMetadata("tidy_revoked_certs", tidyRevokedCerts),
|
||||
observe.NewAdditionalPKIMetadata("tidy_revoked_cert_issuer_associations", tidyRevokedAssocs),
|
||||
observe.NewAdditionalPKIMetadata("tidy_expired_issuers", tidyExpiredIssuers),
|
||||
observe.NewAdditionalPKIMetadata("tidy_backup_bundle", tidyBackupBundle),
|
||||
)
|
||||
|
||||
return logical.RespondWithStatusCode(resp, req, http.StatusAccepted)
|
||||
}
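Review bot: The `PKITidy` observation is recorded unconditionally before the 202 response, so if the preceding guard that adds the "already in progress" warning falls through to this return (the closing braces suggest an if/else above the hunk), a request that started nothing is observed identically to one that kicked off a tidy. Record whether the operation actually started, e.g. `observe.NewAdditionalPKIMetadata("started", started)` set from the guard branch. Tidy also deletes data according to the safety buffers, which matter at least as much for later forensics as the boolean selectors and are not recorded; add `safety_buffer`/`issuer_safety_buffer` if the parsed values are in scope. `pathTidyWrite` starts outside the hunk.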
|
||||
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
"fmt"
|
||||
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
|
||||
"github.com/hashicorp/vault/builtin/logical/pki/observe"
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
|
@ -83,5 +84,11 @@ func (b *backend) secretCredsRevoke(ctx context.Context, req *logical.Request, _
|
|||
return nil, fmt.Errorf("error revoking serial: %s: failed reading config: %w", serial, err)
|
||||
}
|
||||
|
||||
b.pkiObserver.RecordPKIObservation(ctx, req, observe.ObservationTypePKIRevoke,
|
||||
observe.NewAdditionalPKIMetadata("issuer_name", cert.Issuer.String()),
|
||||
observe.NewAdditionalPKIMetadata("is_ca", cert.IsCA),
|
||||
observe.NewAdditionalPKIMetadata("serial_number", cert.SerialNumber.String()),
|
||||
)
|
||||
|
||||
return revokeCert(sc, config, cert)
|
||||
}
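Review bot: `secretCredsRevoke` emits the same `ObservationTypePKIRevoke` as the explicit revoke endpoint and, like that hunk, records it before `revokeCert(sc, config, cert)` runs, so lease-expiry revocations are indistinguishable from operator-initiated ones and a failed revocation is still observed as one. Record after revokeCert returns without error and add a discriminator, e.g. `observe.NewAdditionalPKIMetadata("lease_revocation", true),`. As in the revoke hunk, `issuer_name` is the certificate's X.509 issuer DN rather than the Vault issuer name/ID used elsewhere; if the issuing issuer ID is resolvable from the stored certificate entry, recording that would make joins possible. The enclosing function starts outside the hunk.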
|
||||
|
|
|
|||