Merge pull request #101 from mulesoft-labs/master

support for revoke method, and addition of a useCsrSans property in PKI role object

Author: steve-perkins

src/main/java/com/bettercloud/vault/api/Auth.java

@@ -706,7 +706,7 @@ public AuthResponse loginByAwsEc2(final String role, final String pkcs7, final S
      *                      Most likely just aHR0cHM6Ly9zdHMuYW1hem9uYXdzLmNvbS8= (base64-encoding of https://sts.amazonaws.com/) as most requests will
      *                      probably use POST with an empty URI.
      * @param iamRequestBody Base64-encoded body of the signed request. Most likely QWN0aW9uPUdldENhbGxlcklkZW50aXR5JlZlcnNpb249MjAxMS0wNi0xNQ== which is
-     *                          the base64 encoding of Action=GetCallerIdentity&Version=2011-06-15.
+     *                          the base64 encoding of Action=GetCallerIdentity&Version=2011-06-15.
      * @param iamRequestHeaders
      * @return The auth token, with additional response metadata
      * @throws VaultException If any error occurs, or unexpected response received from Vault

src/main/java/com/bettercloud/vault/api/pki/Pki.java

@@ -8,8 +8,10 @@
 import com.bettercloud.vault.rest.Rest;
 import com.bettercloud.vault.rest.RestResponse;
 
+import java.util.Arrays;
 import java.util.List;
-import java.util.Optional;
+import java.util.stream.Collectors;
+
 
 /**
  * <p>The implementing class for operations on Vault's PKI backend.</p>
@@ -195,6 +197,73 @@ public PkiResponse getRole(final String roleName) throws VaultException {
         }
     }
 
+    /**
+     * <p>Operation to revike  a certificate in the vault using the PKI backend.
+     * Relies on an authentication token being present in
+     * the <code>VaultConfig</code> instance.</p>
+     *
+     * <p>A successful operation will return a 204 HTTP status.  A <code>VaultException</code> will be thrown if
+     * the role does not exist, or if any other problem occurs.  Example usage:</p>
+     *
+     * <blockquote>
+     * <pre>{@code
+     * final VaultConfig config = new VaultConfig.address(...).token(...).build();
+     * final Vault vault = new Vault(config);
+     *
+     * final PkiResponse response = vault.pki().revoke("serialnumber");
+     * assertEquals(204, response.getRestResponse().getStatus();
+     * }</pre>
+     * </blockquote>
+     *
+     * @param serialNumber The name of the role to delete
+     * @return A container for the information returned by Vault
+     * @throws VaultException If any error occurs or unexpected response is received from Vault
+     */
+    public PkiResponse revoke(final String serialNumber) throws VaultException {
+        int retryCount = 0;
+        while (true) {
+            // Make an HTTP request to Vault
+            JsonObject jsonObject = new JsonObject();
+            if (serialNumber != null) {
+                jsonObject.add("serial_number", serialNumber);
+            }
+            final String requestJson = jsonObject.toString();
+            try {
+                final RestResponse restResponse = new Rest()//NOPMD
+                        .url(String.format("%s/v1/%s/revoke", config.getAddress(), this.mountPath))
+                        .header("X-Vault-Token", config.getToken())
+                        .connectTimeoutSeconds(config.getOpenTimeout())
+                        .readTimeoutSeconds(config.getReadTimeout())
+                        .body(requestJson.getBytes("UTF-8"))
+                        .sslVerification(config.getSslConfig().isVerify())
+                        .sslContext(config.getSslConfig().getSslContext())
+                        .post();
+
+                // Validate response
+                if (restResponse.getStatus() != 200) {
+                    throw new VaultException("Vault responded with HTTP status code: " + restResponse.getStatus(), restResponse.getStatus());
+                }
+                return new PkiResponse(restResponse, retryCount);
+            } catch (Exception e) {
+                // If there are retries to perform, then pause for the configured interval and then execute the loop again...
+                if (retryCount < config.getMaxRetries()) {
+                    retryCount++;
+                    try {
+                        final int retryIntervalMilliseconds = config.getRetryIntervalMilliseconds();
+                        Thread.sleep(retryIntervalMilliseconds);
+                    } catch (InterruptedException e1) {
+                        e1.printStackTrace();
+                    }
+                } else if (e instanceof VaultException) {
+                    // ... otherwise, give up.
+                    throw (VaultException) e;
+                } else {
+                    throw new VaultException(e);
+                }
+            }
+        }
+    }
+
     /**
      * <p>Operation to delete an role using the PKI backend.  Relies on an authentication token being present in
      * the <code>VaultConfig</code> instance.</p>
@@ -387,7 +456,8 @@ public PkiResponse issue(
 
                 // Validate response
                 if (restResponse.getStatus() != 200 && restResponse.getStatus() != 404) {
-                    throw new VaultException("Vault responded with HTTP status code: " + restResponse.getStatus(), restResponse.getStatus());
+                    String body = restResponse.getBody() != null ? new String(restResponse.getBody()) : "(no body)";
+                    throw new VaultException("Vault responded with HTTP status code: " + restResponse.getStatus() + " " + body, restResponse.getStatus());
                 }
                 return new PkiResponse(restResponse, retryCount);
             } catch (Exception e) {
@@ -418,15 +488,9 @@ private String roleOptionsToJson(final RoleOptions options) {
             addJsonFieldIfNotNull(jsonObject, "max_ttl", options.getMaxTtl());
             addJsonFieldIfNotNull(jsonObject, "allow_localhost", options.getAllowLocalhost());
             if (options.getAllowedDomains() != null && options.getAllowedDomains().size() > 0) {
-                final StringBuilder allowedDomains = new StringBuilder();
-                for (int index = 0; index < options.getAllowedDomains().size(); index++) {
-                    allowedDomains.append(options.getAllowedDomains().get(index));
-                    if (index + 1 < options.getAllowedDomains().size()) {
-                        allowedDomains.append(',');
-                    }
-                }
-                addJsonFieldIfNotNull(jsonObject, "allowed_domains", allowedDomains.toString());
+                addJsonFieldIfNotNull(jsonObject, "allowed_domains", options.getAllowedDomains().stream().collect(Collectors.joining(",")));
             }
+            addJsonFieldIfNotNull(jsonObject, "allow_spiffe_name", options.getAllowSpiffename());
             addJsonFieldIfNotNull(jsonObject, "allow_bare_domains", options.getAllowBareDomains());
             addJsonFieldIfNotNull(jsonObject, "allow_subdomains", options.getAllowSubdomains());
             addJsonFieldIfNotNull(jsonObject, "allow_any_name", options.getAllowAnyName());
@@ -439,6 +503,10 @@ private String roleOptionsToJson(final RoleOptions options) {
             addJsonFieldIfNotNull(jsonObject, "key_type", options.getKeyType());
             addJsonFieldIfNotNull(jsonObject, "key_bits", options.getKeyBits());
             addJsonFieldIfNotNull(jsonObject, "use_csr_common_name", options.getUseCsrCommonName());
+            addJsonFieldIfNotNull(jsonObject, "use_csr_sans", options.getUseCsrSans());
+            if (options.getKeyUsage() != null && options.getKeyUsage().size() > 0) {
+                addJsonFieldIfNotNull(jsonObject, "key_usage", options.getKeyUsage().stream().collect(Collectors.joining(",")));
+            }
         }
         return jsonObject.toString();
     }

src/main/java/com/bettercloud/vault/api/pki/RoleOptions.java

@@ -35,6 +35,10 @@ public class RoleOptions implements Serializable {
     private String keyType;
     private Long keyBits;
     private Boolean useCsrCommonName;
+    private Boolean allowSpiffename;
+    private Boolean useCsrSans;
+    private List<String> keyUsage;
+
 
     /**
      * @param ttl (optional) The Time To Live value provided as a string duration with time suffix. Hour is the largest suffix.  If not set, uses the system default value or the value of max_ttl, whichever is shorter.
@@ -98,7 +102,15 @@ public RoleOptions allowSubdomains(final Boolean allowSubdomains) {
         this.allowSubdomains = allowSubdomains;
         return this;
     }
-
+    /**
+     * @param  allowSpiffename (optional)
+     *
+     * @return This object, with AllowSpiffename populated, ready for other builder methods or immediate use.
+     */
+    public RoleOptions allowSpiffeName(final Boolean allowSpiffename) {
+        this.allowSpiffename  = allowSpiffename ;
+        return this;
+    }
     /**
      * @param allowAnyName (optional) If set, clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it. Defaults to false.
      *
@@ -198,6 +210,15 @@ public RoleOptions useCsrCommonName(final Boolean useCsrCommonName) {
         this.useCsrCommonName = useCsrCommonName;
         return this;
     }
+    /**
+     * @param useCsrSans (optional) If set, when used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR. Defaults to false.
+     *
+     * @return This object, with useCsrCommonName populated, ready for other builder methods or immediate use.
+     */
+    public RoleOptions useCsrSans(final Boolean useCsrSans) {
+        this.useCsrSans = useCsrSans;
+        return this;
+    }
 
     public String getTtl() {
         return ttl;
@@ -268,5 +289,16 @@ public Long getKeyBits() {
     public Boolean getUseCsrCommonName() {
         return useCsrCommonName;
     }
+    public Boolean getUseCsrSans() {        return useCsrSans;    }
+    public Boolean getAllowSpiffename() {        return allowSpiffename;    }
+
 
+    public RoleOptions keyUsage(List<String> keyUsage) {
+        this.keyUsage = keyUsage;
+        return this;
+    }
+
+    public List<String> getKeyUsage() {
+        return keyUsage;
+    }
 }

src/test-integration/java/com/bettercloud/vault/api/AuthBackendPkiTests.java

@@ -132,6 +132,26 @@ public void testIssueCredentialWithCsr() throws VaultException, InterruptedExcep
         assertNotNull(issueResponse.getCredential().getSerialNumber());
         assertNotNull(issueResponse.getCredential().getIssuingCa());
     }
+
+    @Test
+    public void testRevocation() throws VaultException, InterruptedException, NoSuchAlgorithmException {
+        final Vault vault = container.getRootVault();
+
+        // Create a role
+        final PkiResponse createRoleResponse = vault.pki().createOrUpdateRole("testRole",
+                new RoleOptions()
+                        .allowedDomains(new ArrayList<String>(){{ add("myvault.com"); }})
+                        .allowSubdomains(true)
+                        .maxTtl("9h")
+        );
+        assertEquals(204, createRoleResponse.getRestResponse().getStatus());
+        Thread.sleep(3000);
+        // Issue cert
+        final PkiResponse issueResponse = vault.pki().issue("testRole", "test.myvault.com", null, null, "1h", CredentialFormat.PEM);
+        assertNotNull(issueResponse.getCredential().getSerialNumber());
+        vault.pki().revoke(issueResponse.getCredential().getSerialNumber());
+    }
+
     @Test
     public void testCustomMountPath() throws VaultException {
         final Vault vault = container.getRootVault();

src/test-integration/java/com/bettercloud/vault/util/VaultContainer.java

@@ -226,6 +226,22 @@ public Vault getVault() throws VaultException {
         return getVault(config, MAX_RETRIES, RETRY_MILLIS);
     }
 
+    /**
+     * Constructs a VaultConfig that can be used to congiure your own tests
+     *
+     * @return
+     * @throws VaultException
+     */
+
+    public VaultConfig getVaultConfig() throws VaultException {
+        return new VaultConfig()
+                .address(getAddress())
+                .openTimeout(5)
+                .readTimeout(30)
+                .sslConfig(new SslConfig().pemFile(new File(CERT_PEMFILE)).build())
+                .build();
+    }
+
     /**
      * Constructs an instance of the Vault driver with sensible defaults, configured to use the supplied token
      * for authentication.