Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of Address some small issues within pki health-check into release/1.13.x #19347

Merged
merged 2 commits into from
Feb 24, 2023
Merged

Backport of Address some small issues within pki health-check into release/1.13.x #19347

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
db361c8
backport of commit d08bf5616db060e43b2280a7dcab2defa16fe227
stevendpclark Feb 24, 2023
1c50bcd
Merge branch 'release/1.13.x' into backport/stevendpclark/fix-healthc…
stevendpclark Feb 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions command/healthcheck/healthcheck.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,10 @@ func (e *Executor) Execute() (map[string][]*Result, error) {
return nil, fmt.Errorf("failed to evaluate %v: %w", checker.Name(), err)
}

if results == nil {
results = []*Result{}
}

for _, result := range results {
result.Endpoint = e.templatePath(result.Endpoint)
result.StatusDisplay = ResultStatusNameMap[result.Status]
Expand Down
26 changes: 25 additions & 1 deletion command/healthcheck/pki_hardware_backed_root.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,14 @@ type HardwareBackedRoot struct {

UnsupportedVersion bool

FetchIssues map[string]*PathFetch
IssuerKeyMap map[string]string
KeyIsManaged map[string]string
}

func NewHardwareBackedRootCheck() Check {
return &HardwareBackedRoot{
FetchIssues: make(map[string]*PathFetch),
IssuerKeyMap: make(map[string]string),
KeyIsManaged: make(map[string]string),
}
Expand Down Expand Up @@ -64,6 +66,7 @@ func (h *HardwareBackedRoot) FetchResources(e *Executor) error {
if err != nil {
return err
}
h.FetchIssues[issuer] = ret
continue
}

Expand All @@ -83,13 +86,15 @@ func (h *HardwareBackedRoot) FetchResources(e *Executor) error {
}

h.IssuerKeyMap[issuer] = keyId
skip, _, keyEntry, err := pkiFetchKeyEntry(e, keyId, func() {
skip, ret, keyEntry, err := pkiFetchKeyEntry(e, keyId, func() {
h.UnsupportedVersion = true
})
if skip || err != nil || keyEntry == nil {
if err != nil {
return err
}

h.FetchIssues[issuer] = ret
continue
}

Expand All @@ -112,6 +117,25 @@ func (h *HardwareBackedRoot) Evaluate(e *Executor) (results []*Result, err error
return []*Result{&ret}, nil
}

for issuer, fetchPath := range h.FetchIssues {
if fetchPath != nil && fetchPath.IsSecretPermissionsError() {
delete(h.IssuerKeyMap, issuer)
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: fetchPath.Path,
Message: "Without this information, this health check is unable to function.",
}

if e.Client.Token() == "" {
ret.Message = "No token available so unable for the endpoint for this mount. " + ret.Message
} else {
ret.Message = "This token lacks permission for the endpoint for this mount. " + ret.Message
}

results = append(results, &ret)
}
}

for name, keyId := range h.IssuerKeyMap {
var ret Result
ret.Status = ResultInformational
Expand Down
39 changes: 30 additions & 9 deletions command/healthcheck/pki_role_allows_glob_wildcards.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,16 @@ import (
type RoleAllowsGlobWildcards struct {
Enabled bool
UnsupportedVersion bool
NoPerms bool

RoleEntryMap map[string]map[string]interface{}
RoleListFetchIssue *PathFetch
RoleFetchIssues map[string]*PathFetch
RoleEntryMap map[string]map[string]interface{}
}

func NewRoleAllowsGlobWildcardsCheck() Check {
return &RoleAllowsGlobWildcards{
RoleEntryMap: make(map[string]map[string]interface{}),
RoleFetchIssues: make(map[string]*PathFetch),
RoleEntryMap: make(map[string]map[string]interface{}),
}
}

Expand Down Expand Up @@ -49,7 +51,7 @@ func (h *RoleAllowsGlobWildcards) FetchResources(e *Executor) error {
})
if exit || err != nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleListFetchIssue = f
}
return err
}
Expand All @@ -60,7 +62,7 @@ func (h *RoleAllowsGlobWildcards) FetchResources(e *Executor) error {
})
if skip || err != nil || entry == nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleFetchIssues[role] = f
}
if err != nil {
return err
Expand All @@ -84,18 +86,37 @@ func (h *RoleAllowsGlobWildcards) Evaluate(e *Executor) (results []*Result, err
}
return []*Result{&ret}, nil
}
if h.NoPerms {
if h.RoleListFetchIssue != nil && h.RoleListFetchIssue.IsSecretPermissionsError() {
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: "/{{mount}}/roles",
Message: "lacks permission either to list the roles or to read a specific role. This may restrict the ability to fully execute this health check.",
Endpoint: h.RoleListFetchIssue.Path,
Message: "lacks permission either to list the roles. This restricts the ability to fully execute this health check.",
}
if e.Client.Token() == "" {
ret.Message = "No token available and so this health check " + ret.Message
} else {
ret.Message = "This token " + ret.Message
}
results = append(results, &ret)
return []*Result{&ret}, nil
}

for role, fetchPath := range h.RoleFetchIssues {
if fetchPath != nil && fetchPath.IsSecretPermissionsError() {
delete(h.RoleEntryMap, role)
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: fetchPath.Path,
Message: "Without this information, this health check is unable to function.",
}

if e.Client.Token() == "" {
ret.Message = "No token available so unable for the endpoint for this mount. " + ret.Message
} else {
ret.Message = "This token lacks permission the endpoint for this mount. " + ret.Message
}

results = append(results, &ret)
}
}

for role, entry := range h.RoleEntryMap {
Expand Down
40 changes: 31 additions & 9 deletions command/healthcheck/pki_role_allows_localhost.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,16 @@ import (
type RoleAllowsLocalhost struct {
Enabled bool
UnsupportedVersion bool
NoPerms bool

RoleEntryMap map[string]map[string]interface{}
RoleListFetchIssue *PathFetch
RoleFetchIssues map[string]*PathFetch
RoleEntryMap map[string]map[string]interface{}
}

func NewRoleAllowsLocalhostCheck() Check {
return &RoleAllowsLocalhost{
RoleEntryMap: make(map[string]map[string]interface{}),
RoleFetchIssues: make(map[string]*PathFetch),
RoleEntryMap: make(map[string]map[string]interface{}),
}
}

Expand Down Expand Up @@ -48,7 +50,7 @@ func (h *RoleAllowsLocalhost) FetchResources(e *Executor) error {
})
if exit || err != nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleListFetchIssue = f
}
return err
}
Expand All @@ -59,7 +61,7 @@ func (h *RoleAllowsLocalhost) FetchResources(e *Executor) error {
})
if skip || err != nil || entry == nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleFetchIssues[role] = f
}
if err != nil {
return err
Expand All @@ -83,18 +85,38 @@ func (h *RoleAllowsLocalhost) Evaluate(e *Executor) (results []*Result, err erro
}
return []*Result{&ret}, nil
}
if h.NoPerms {

if h.RoleListFetchIssue != nil && h.RoleListFetchIssue.IsSecretPermissionsError() {
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: "/{{mount}}/roles",
Message: "lacks permission either to list the roles or to read a specific role. This may restrict the ability to fully execute this health check",
Endpoint: h.RoleListFetchIssue.Path,
Message: "lacks permission either to list the roles. This restricts the ability to fully execute this health check.",
}
if e.Client.Token() == "" {
ret.Message = "No token available and so this health check " + ret.Message
} else {
ret.Message = "This token " + ret.Message
}
results = append(results, &ret)
return []*Result{&ret}, nil
}

for role, fetchPath := range h.RoleFetchIssues {
if fetchPath != nil && fetchPath.IsSecretPermissionsError() {
delete(h.RoleEntryMap, role)
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: fetchPath.Path,
Message: "Without this information, this health check is unable to function.",
}

if e.Client.Token() == "" {
ret.Message = "No token available so unable for the endpoint for this mount. " + ret.Message
} else {
ret.Message = "This token lacks permission the endpoint for this mount. " + ret.Message
}

results = append(results, &ret)
}
}

for role, entry := range h.RoleEntryMap {
Expand Down
52 changes: 32 additions & 20 deletions command/healthcheck/pki_role_no_store_false.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,19 +11,20 @@ import (
type RoleNoStoreFalse struct {
Enabled bool
UnsupportedVersion bool
NoPerms bool

AllowedRoles map[string]bool

CertCounts int
RoleEntryMap map[string]map[string]interface{}
CRLConfig *PathFetch
RoleListFetchIssue *PathFetch
RoleFetchIssues map[string]*PathFetch
RoleEntryMap map[string]map[string]interface{}
CRLConfig *PathFetch
}

func NewRoleNoStoreFalseCheck() Check {
return &RoleNoStoreFalse{
AllowedRoles: make(map[string]bool),
RoleEntryMap: make(map[string]map[string]interface{}),
RoleFetchIssues: make(map[string]*PathFetch),
AllowedRoles: make(map[string]bool),
RoleEntryMap: make(map[string]map[string]interface{}),
}
}

Expand Down Expand Up @@ -64,7 +65,7 @@ func (h *RoleNoStoreFalse) FetchResources(e *Executor) error {
})
if exit || err != nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleListFetchIssue = f
}
return err
}
Expand All @@ -75,7 +76,7 @@ func (h *RoleNoStoreFalse) FetchResources(e *Executor) error {
})
if skip || err != nil || entry == nil {
if f != nil && f.IsSecretPermissionsError() {
h.NoPerms = true
h.RoleFetchIssues[role] = f
}
if err != nil {
return err
Expand All @@ -86,14 +87,6 @@ func (h *RoleNoStoreFalse) FetchResources(e *Executor) error {
h.RoleEntryMap[role] = entry
}

exit, _, leaves, err := pkiFetchLeavesList(e, func() {
h.UnsupportedVersion = true
})
if exit || err != nil {
return err
}
h.CertCounts = len(leaves)

// Check if the issuer is fetched yet.
configRet, err := e.FetchIfNotFetched(logical.ReadOperation, "/{{mount}}/config/crl")
if err != nil {
Expand All @@ -116,18 +109,37 @@ func (h *RoleNoStoreFalse) Evaluate(e *Executor) (results []*Result, err error)
return []*Result{&ret}, nil
}

if h.NoPerms {
if h.RoleListFetchIssue != nil && h.RoleListFetchIssue.IsSecretPermissionsError() {
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: "/{{mount}}/roles",
Message: "lacks permission either to list the roles or to read a specific role. This may restrict the ability to fully execute this health check",
Endpoint: h.RoleListFetchIssue.Path,
Message: "lacks permission either to list the roles. This restricts the ability to fully execute this health check.",
}
if e.Client.Token() == "" {
ret.Message = "No token available and so this health check " + ret.Message
} else {
ret.Message = "This token " + ret.Message
}
results = append(results, &ret)
return []*Result{&ret}, nil
}

for role, fetchPath := range h.RoleFetchIssues {
if fetchPath != nil && fetchPath.IsSecretPermissionsError() {
delete(h.RoleEntryMap, role)
ret := Result{
Status: ResultInsufficientPermissions,
Endpoint: fetchPath.Path,
Message: "Without this information, this health check is unable to function.",
}

if e.Client.Token() == "" {
ret.Message = "No token available so unable for the endpoint for this mount. " + ret.Message
} else {
ret.Message = "This token lacks permission the endpoint for this mount. " + ret.Message
}

results = append(results, &ret)
}
}

crlAutoRebuild := false
Expand Down
Loading