Add crl-dist-point to upload-signed-csr action
Closes-bug: 2048237, Customer: UNICC Change-Id: I8dbfc0deb9f547100bb63bd6b20737734e97667b
parent
e00cb3f3f4
commit
b14d5e7604
@ -107,6 +107,11 @@ upload-signed-csr:
|
|||||||
default: '8760h'
|
default: '8760h'
|
||||||
description: >-
|
description: >-
|
||||||
Specifies the maximum Time To Live
|
Specifies the maximum Time To Live
|
||||||
|
crl-dist-point:
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
description: >-
|
||||||
|
Specifies Certificate Revocation List Distribution Point
|
||||||
root-ca:
|
root-ca:
|
||||||
type: string
|
type: string
|
||||||
description: >-
|
description: >-
|
||||||
|
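Review bot: The new `crl-dist-point` description at "Specifies Certificate Revocation List Distribution Point" does not tell the operator what value is expected or what an empty value means, even though the code side documents it as a URI and falls back to Vault's own CRL endpoint when it is empty. Since the value appears to be written into the PKI backend's URL configuration, and is therefore what relying parties will use to fetch revocation data, the action description should say so explicitly. Suggested wording: `Specifies the Certificate Revocation List Distribution Point URI to advertise for certificates issued by this PKI backend; leave empty to use this Vault's own CRL endpoint.` Keep the `>-` folded scalar so the line can wrap.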
@ -131,7 +131,8 @@ def upload_signed_csr(*args):
|
|||||||
allow_subdomains=action_config.get('allow-subdomains'),
|
allow_subdomains=action_config.get('allow-subdomains'),
|
||||||
enforce_hostnames=action_config.get('enforce-hostnames'),
|
enforce_hostnames=action_config.get('enforce-hostnames'),
|
||||||
allow_any_name=action_config.get('allow-any-name'),
|
allow_any_name=action_config.get('allow-any-name'),
|
||||||
max_ttl=action_config.get('max-ttl'))
|
max_ttl=action_config.get('max-ttl'),
|
||||||
|
crl_dist_point=action_config.get('crl-dist-point'))
|
||||||
set_flag('charm.vault.ca.ready')
|
set_flag('charm.vault.ca.ready')
|
||||||
set_flag('pki.backend.tuned')
|
set_flag('pki.backend.tuned')
|
||||||
# reissue any certificates we might previously have provided
|
# reissue any certificates we might previously have provided
|
||||||
|
@ -23,7 +23,9 @@ def configure_pki_backend(client, name, ttl=None, max_ttl=None):
|
|||||||
:param name: Name of backend to enable
|
:param name: Name of backend to enable
|
||||||
:type name: str
|
:type name: str
|
||||||
:param ttl: TTL
|
:param ttl: TTL
|
||||||
:type ttl: str
|
:type ttl: Optional[str]
|
||||||
|
:param max_ttl: max TTL
|
||||||
|
:type max_ttl: Optional[str]
|
||||||
"""
|
"""
|
||||||
if not vault.is_backend_mounted(client, name):
|
if not vault.is_backend_mounted(client, name):
|
||||||
client.sys.enable_secrets_engine(
|
client.sys.enable_secrets_engine(
|
||||||
@ -53,7 +55,9 @@ def tune_pki_backend(ttl=None, max_ttl=None):
|
|||||||
"""Assert tuning options for Charm PKI backend
|
"""Assert tuning options for Charm PKI backend
|
||||||
|
|
||||||
:param ttl: TTL
|
:param ttl: TTL
|
||||||
:type ttl: str
|
:type ttl: Optional[str]
|
||||||
|
:param max_ttl: max TTL
|
||||||
|
:type max_ttl: Optional[str]
|
||||||
"""
|
"""
|
||||||
client = vault.get_local_client()
|
client = vault.get_local_client()
|
||||||
if vault.is_backend_mounted(client, CHARM_PKI_MP):
|
if vault.is_backend_mounted(client, CHARM_PKI_MP):
|
||||||
@ -68,6 +72,10 @@ def is_ca_ready(client, name, role):
|
|||||||
|
|
||||||
:returns: Whether CA is ready
|
:returns: Whether CA is ready
|
||||||
:rtype: bool
|
:rtype: bool
|
||||||
|
:param name: Name of backend to enable
|
||||||
|
:type name: str
|
||||||
|
:param role: Name of role
|
||||||
|
:type role: str
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
# read_role raises InvalidPath is the role is not available
|
# read_role raises InvalidPath is the role is not available
|
||||||
@ -156,17 +164,17 @@ def get_csr(ttl=None, common_name=None, locality=None,
|
|||||||
fields embedded in the CSR may have to match the CA.
|
fields embedded in the CSR may have to match the CA.
|
||||||
|
|
||||||
:param ttl: TTL
|
:param ttl: TTL
|
||||||
:type ttl: string
|
:type ttl: Optional[string]
|
||||||
:param country: The C (Country) values in the subject field of the CSR
|
:param country: The C (Country) values in the subject field of the CSR
|
||||||
:type country: string
|
:type country: Optional[string]
|
||||||
:param province: The ST (Province) values in the subject field of the CSR.
|
:param province: The ST (Province) values in the subject field of the CSR.
|
||||||
:type province: string
|
:type province: Optional[string]
|
||||||
:param organization: The O (Organization) values in the subject field of
|
:param organization: The O (Organization) values in the subject field of
|
||||||
the CSR
|
the CSR
|
||||||
:type organization: string
|
:type organization: Optional[string]
|
||||||
:param organizational_unit: The OU (OrganizationalUnit) values in the
|
:param organizational_unit: The OU (OrganizationalUnit) values in the
|
||||||
subject field of the CSR.
|
subject field of the CSR.
|
||||||
:type organizational_unit: string
|
:type organizational_unit: Optional[string]
|
||||||
:param common_name: The CN (Common_Name) values in the
|
:param common_name: The CN (Common_Name) values in the
|
||||||
subject field of the CSR.
|
subject field of the CSR.
|
||||||
:param locality: The L (Locality) values in the
|
:param locality: The L (Locality) values in the
|
||||||
@ -203,22 +211,24 @@ def get_csr(ttl=None, common_name=None, locality=None,
|
|||||||
|
|
||||||
def upload_signed_csr(pem, allowed_domains, allow_subdomains=True,
|
def upload_signed_csr(pem, allowed_domains, allow_subdomains=True,
|
||||||
enforce_hostnames=False, allow_any_name=True,
|
enforce_hostnames=False, allow_any_name=True,
|
||||||
max_ttl=None):
|
max_ttl=None, crl_dist_point=None):
|
||||||
"""Upload signed csr to intermediate pki
|
"""Upload signed csr to intermediate pki
|
||||||
|
|
||||||
:param pem: signed csr in pem format
|
:param pem: signed csr in pem format
|
||||||
:type pem: string
|
:type pem: string
|
||||||
:param allow_subdomains: Specifies if clients can request certificates with
|
:param allow_subdomains: Specifies if clients can request certificates with
|
||||||
CNs that are subdomains of the CNs:
|
CNs that are subdomains of the CNs:
|
||||||
:type allow_subdomains: bool
|
:type allow_subdomains: Optional[bool]
|
||||||
:param enforce_hostnames: Specifies if only valid host names are allowed
|
:param enforce_hostnames: Specifies if only valid host names are allowed
|
||||||
for CNs, DNS SANs, and the host part of email
|
for CNs, DNS SANs, and the host part of email
|
||||||
addresses.
|
addresses.
|
||||||
:type enforce_hostnames: bool
|
:type enforce_hostnames: Optional[bool]
|
||||||
:param allow_any_name: Specifies if clients can request any CN
|
:param allow_any_name: Specifies if clients can request any CN
|
||||||
:type allow_any_name: bool
|
:type allow_any_name:Optional[bool]
|
||||||
:param max_ttl: Specifies the maximum Time To Live
|
:param max_ttl: Specifies the maximum Time To Live
|
||||||
:type max_ttl: str
|
:type max_ttl: str
|
||||||
|
:param crl_dist_point: Defines the CRL Distribution Point URI
|
||||||
|
:type crl_dist_point: str
|
||||||
"""
|
"""
|
||||||
client = vault.get_local_client()
|
client = vault.get_local_client()
|
||||||
# Set the intermediate certificate authorities signing certificate to the
|
# Set the intermediate certificate authorities signing certificate to the
|
||||||
@ -234,7 +244,8 @@ def upload_signed_csr(pem, allowed_domains, allow_subdomains=True,
|
|||||||
{
|
{
|
||||||
"issuing_certificates": "{}/v1/{}/ca".format(addr, CHARM_PKI_MP),
|
"issuing_certificates": "{}/v1/{}/ca".format(addr, CHARM_PKI_MP),
|
||||||
"crl_distribution_points":
|
"crl_distribution_points":
|
||||||
"{}/v1/{}/crl".format(addr, CHARM_PKI_MP),
|
("{}/v1/{}/crl".format(addr, CHARM_PKI_MP) if not crl_dist_point
|
||||||
|
else crl_dist_point),
|
||||||
},
|
},
|
||||||
mount_point=CHARM_PKI_MP
|
mount_point=CHARM_PKI_MP
|
||||||
)
|
)
|
||||||
@ -388,7 +399,7 @@ def is_cert_from_vault(cert, name=None):
|
|||||||
:param cert: the certificate in x509 form
|
:param cert: the certificate in x509 form
|
||||||
:type cert: str
|
:type cert: str
|
||||||
:param name: the mount point in value, default CHARM_PKI_MP
|
:param name: the mount point in value, default CHARM_PKI_MP
|
||||||
:type name: str
|
:type name: Optional[str]
|
||||||
:returns: True if issued by vault, False if unknown.
|
:returns: True if issued by vault, False if unknown.
|
||||||
:raises VaultDown: if vault is down.
|
:raises VaultDown: if vault is down.
|
||||||
:raises VaultNotReady: if vault is sealed.
|
:raises VaultNotReady: if vault is sealed.
|
||||||
|
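Review bot: In the `set_urls` hunk of `upload_signed_csr`, `crl_dist_point` is passed verbatim as `crl_distribution_points` with no check that it is a usable URI; an operator typo (missing scheme, stray whitespace) is accepted by the `if not crl_dist_point` test and, as far as Vault's URL config is concerned, ends up advertised to every consumer of this backend, where it can only be corrected by reconfiguring and reissuing. A minimal guard before the `set_urls` call, with `from urllib.parse import urlsplit` added to the module imports, would be `parts = urlsplit(crl_dist_point) if crl_dist_point else None` / `if parts and (parts.scheme not in ('http', 'https') or not parts.netloc):` / `raise ValueError('crl_dist_point must be an http(s) URL')`. The `set_urls` call itself starts before the hunk, so the guard belongs just above that call outside the visible lines. In the docstring hunk for the same function, `:type crl_dist_point: str` should be `Optional[str]` to match the `None` default (as `max_ttl` should be too), and `:type allow_any_name:Optional[bool]` is missing the space after the colon.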
@ -260,6 +260,23 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
|
|||||||
'MYPEM', mount_point=vault_pki.CHARM_PKI_MP
|
'MYPEM', mount_point=vault_pki.CHARM_PKI_MP
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@patch.object(vault_pki.vault, 'get_access_address')
|
||||||
|
@patch.object(vault_pki.vault, 'get_local_client')
|
||||||
|
def test_upload_signed_csr_cdp(self, get_local_client, get_access_address):
|
||||||
|
get_access_address.return_value = 'https://vault.local:8200'
|
||||||
|
client_mock = mock.MagicMock()
|
||||||
|
get_local_client.return_value = client_mock
|
||||||
|
local_url = 'https://vault.local:8200/v1/charm-pki-local'
|
||||||
|
vault_pki.upload_signed_csr(
|
||||||
|
'MYPEM', 'example.com', crl_dist_point='https://test-cdp.com'
|
||||||
|
)
|
||||||
|
client_mock.secrets.pki.set_urls.assert_called_once_with(
|
||||||
|
{
|
||||||
|
'issuing_certificates': '{}/ca'.format(local_url),
|
||||||
|
'crl_distribution_points': 'https://test-cdp.com',
|
||||||
|
}, mount_point=vault_pki.CHARM_PKI_MP
|
||||||
|
)
|
||||||
|
|
||||||
@patch.object(vault_pki.vault, 'get_access_address')
|
@patch.object(vault_pki.vault, 'get_access_address')
|
||||||
@patch.object(vault_pki.vault, 'get_local_client')
|
@patch.object(vault_pki.vault, 'get_local_client')
|
||||||
def test_upload_signed_csr_ipv4(
|
def test_upload_signed_csr_ipv4(
|
||||||
@ -335,7 +352,7 @@ class TestLibCharmVaultPKI(unit_tests.test_utils.CharmTestCase):
|
|||||||
allow_subdomains=False,
|
allow_subdomains=False,
|
||||||
enforce_hostnames=True,
|
enforce_hostnames=True,
|
||||||
allow_any_name=False,
|
allow_any_name=False,
|
||||||
max_ttl='42h')
|
max_ttl='42h', crl_dist_point=None)
|
||||||
client_mock.secrets.pki.set_signed_intermediate.\
|
client_mock.secrets.pki.set_signed_intermediate.\
|
||||||
assert_called_once_with(
|
assert_called_once_with(
|
||||||
'MYPEM', mount_point='charm-pki-local'
|
'MYPEM', mount_point='charm-pki-local'
|
||||||
|
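Review bot: `test_upload_signed_csr_cdp` only pins the explicit-URL path; the value the action actually passes by default is `''` (from `crl-dist-point: default: ''` in actions.yaml), and nothing asserts that an empty string still yields Vault's own CRL endpoint rather than an empty `crl_distribution_points`. A companion case in the same test, after a `client_mock.reset_mock()`, would cover it: `vault_pki.upload_signed_csr('MYPEM', 'example.com', crl_dist_point='')` and then `client_mock.secrets.pki.set_urls.assert_called_once_with({'issuing_certificates': '{}/ca'.format(local_url), 'crl_distribution_points': '{}/crl'.format(local_url)}, mount_point=vault_pki.CHARM_PKI_MP)`. That locks in the fallback that the `if not crl_dist_point` branch is relied upon to provide.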