-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
initial commit, baseline pki plugin forked and wrapped into a plugin
- Loading branch information
0 parents
commit aae158d
Showing
27 changed files
with
9,702 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| APP := vault-cloud-kms-pki | ||
|
|
||
| test: | ||
| @go test -v ./... | ||
|
|
||
| build: | ||
| @CGO_ENABLED=0 go build -o bin/$(APP) | ||
|
|
||
| build-linux: | ||
| @GOOS=linux GOOARCH=amd64 CGO_ENABLED=0 go build -o bin/$(APP) | ||
|
|
||
| run-dev: build | ||
|
|
||
| .PHONY: all test build build-linux |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| module github.com/joemiller/vault-cloud-kms-pki | ||
|
|
||
| require ( | ||
| cloud.google.com/go v0.27.0 // indirect | ||
| github.com/Jeffail/gabs v1.1.0 // indirect | ||
| github.com/NYTimes/gziphandler v1.0.1 // indirect | ||
| github.com/SAP/go-hdb v0.12.1 // indirect | ||
| github.com/SermoDigital/jose v0.9.1 // indirect | ||
| github.com/apparentlymart/go-cidr v1.0.0 // indirect | ||
| github.com/armon/go-metrics v0.0.0-20180713145231-3c58d8115a78 // indirect | ||
| github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf | ||
| github.com/aws/aws-sdk-go v1.15.31 // indirect | ||
| github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect | ||
| github.com/blang/semver v3.5.1+incompatible // indirect | ||
| github.com/denisenkom/go-mssqldb v0.0.0-20180901172138-1eb28afdf9b6 // indirect | ||
| github.com/elazarl/go-bindata-assetfs v1.0.0 // indirect | ||
| github.com/fatih/structs v1.0.0 | ||
| github.com/go-sql-driver/mysql v1.4.0 // indirect | ||
| github.com/go-test/deep v1.0.1 | ||
| github.com/gocql/gocql v0.0.0-20180906200029-9bf6ce5bbcf1 // indirect | ||
| github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db // indirect | ||
| github.com/hashicorp/errwrap v1.0.0 | ||
| github.com/hashicorp/go-cleanhttp v0.5.0 // indirect | ||
| github.com/hashicorp/go-getter v0.0.0-20180809191950-4bda8fa99001 // indirect | ||
| github.com/hashicorp/go-hclog v0.0.0-20180828044259-75ecd6e6d645 // indirect | ||
| github.com/hashicorp/go-immutable-radix v1.0.0 // indirect | ||
| github.com/hashicorp/go-memdb v0.0.0-20180223233045-1289e7fffe71 // indirect | ||
| github.com/hashicorp/go-plugin v0.0.0-20180814222501-a4620f9913d1 // indirect | ||
| github.com/hashicorp/go-retryablehttp v0.0.0-20180718195005-e651d75abec6 // indirect | ||
| github.com/hashicorp/go-rootcerts v0.0.0-20160503143440-6bb64b370b90 // indirect | ||
| github.com/hashicorp/go-safetemp v1.0.0 // indirect | ||
| github.com/hashicorp/go-sockaddr v0.0.0-20180320115054-6d291a969b86 // indirect | ||
| github.com/hashicorp/go-version v1.0.0 // indirect | ||
| github.com/hashicorp/hcl v1.0.0 // indirect | ||
| github.com/hashicorp/hcl2 v0.0.0-20180905152629-864f97c8ab20 // indirect | ||
| github.com/hashicorp/hil v0.0.0-20170627220502-fa9f258a9250 // indirect | ||
| github.com/hashicorp/terraform v0.11.8 | ||
| github.com/hashicorp/vault v0.11.1 | ||
| github.com/hashicorp/yamux v0.0.0-20180826203732-cc6d2ea263b2 // indirect | ||
| github.com/jefferai/jsonx v0.0.0-20160721235117-9cc31c3135ee // indirect | ||
| github.com/keybase/go-crypto v0.0.0-20180807163025-c84d7cbef16b // indirect | ||
| github.com/lib/pq v1.0.0 // indirect | ||
| github.com/mitchellh/cli v1.0.0 // indirect | ||
| github.com/mitchellh/copystructure v1.0.0 // indirect | ||
| github.com/mitchellh/go-homedir v1.0.0 // indirect | ||
| github.com/mitchellh/go-testing-interface v1.0.0 // indirect | ||
| github.com/mitchellh/hashstructure v1.0.0 // indirect | ||
| github.com/mitchellh/mapstructure v1.0.0 | ||
| github.com/oklog/run v1.0.0 // indirect | ||
| github.com/patrickmn/go-cache v2.1.0+incompatible // indirect | ||
| github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735 | ||
| github.com/ulikunitz/xz v0.5.4 // indirect | ||
| github.com/zclconf/go-cty v0.0.0-20180907002636-07dee8a1cfd4 // indirect | ||
| golang.org/x/crypto v0.0.0-20180904163835-0709b304e793 | ||
| golang.org/x/net v0.0.0-20180906233101-161cd47e91fd | ||
| golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2 // indirect | ||
| google.golang.org/genproto v0.0.0-20180831171423-11092d34479b // indirect | ||
| google.golang.org/grpc v1.14.0 // indirect | ||
| gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce // indirect | ||
| ) |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| package main | ||
|
|
||
| import ( | ||
| "log" | ||
| "os" | ||
|
|
||
| "github.com/hashicorp/vault/helper/pluginutil" | ||
| "github.com/hashicorp/vault/logical/plugin" | ||
| "github.com/joemiller/vault-cloud-kms-pki/pki" | ||
| ) | ||
|
|
||
| func main() { | ||
| apiClientMeta := &pluginutil.APIClientMeta{} | ||
| flags := apiClientMeta.FlagSet() | ||
| flags.Parse(os.Args[1:]) | ||
|
|
||
| tlsConfig := apiClientMeta.GetTLSConfig() | ||
| tlsProviderFunc := pluginutil.VaultPluginTLSProvider(tlsConfig) | ||
|
|
||
| if err := plugin.Serve(&plugin.ServeOpts{ | ||
| BackendFactoryFunc: pki.Factory, | ||
| TLSProviderFunc: tlsProviderFunc, | ||
| }); err != nil { | ||
| log.Fatal(err) | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| package pki | ||
|
|
||
| import ( | ||
| "context" | ||
| "strings" | ||
| "sync" | ||
| "time" | ||
|
|
||
| "github.com/hashicorp/vault/logical" | ||
| "github.com/hashicorp/vault/logical/framework" | ||
| ) | ||
|
|
||
| // Factory creates a new backend implementing the logical.Backend interface | ||
| func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) { | ||
| b := Backend(conf) | ||
| if err := b.Setup(ctx, conf); err != nil { | ||
| return nil, err | ||
| } | ||
| return b, nil | ||
| } | ||
|
|
||
| // Backend returns a new Backend framework struct | ||
| func Backend(conf *logical.BackendConfig) *backend { | ||
| var b backend | ||
| b.Backend = &framework.Backend{ | ||
| Help: strings.TrimSpace(backendHelp), | ||
|
|
||
| PathsSpecial: &logical.Paths{ | ||
| Unauthenticated: []string{ | ||
| "cert/*", | ||
| "ca/pem", | ||
| "ca_chain", | ||
| "ca", | ||
| "crl/pem", | ||
| "crl", | ||
| }, | ||
|
|
||
| LocalStorage: []string{ | ||
| "revoked/", | ||
| "crl", | ||
| "certs/", | ||
| }, | ||
|
|
||
| Root: []string{ | ||
| "root", | ||
| "root/sign-self-issued", | ||
| }, | ||
|
|
||
| SealWrapStorage: []string{ | ||
| "config/ca_bundle", | ||
| }, | ||
| }, | ||
|
|
||
| Paths: []*framework.Path{ | ||
| pathListRoles(&b), | ||
| pathRoles(&b), | ||
| pathGenerateRoot(&b), | ||
| pathSignIntermediate(&b), | ||
| pathSignSelfIssued(&b), | ||
| pathDeleteRoot(&b), | ||
| pathGenerateIntermediate(&b), | ||
| pathSetSignedIntermediate(&b), | ||
| pathConfigCA(&b), | ||
| pathConfigCRL(&b), | ||
| pathConfigURLs(&b), | ||
| pathSignVerbatim(&b), | ||
| pathSign(&b), | ||
| pathIssue(&b), | ||
| pathRotateCRL(&b), | ||
| pathFetchCA(&b), | ||
| pathFetchCAChain(&b), | ||
| pathFetchCRL(&b), | ||
| pathFetchCRLViaCertPath(&b), | ||
| pathFetchValid(&b), | ||
| pathFetchListCerts(&b), | ||
| pathRevoke(&b), | ||
| pathTidy(&b), | ||
| }, | ||
|
|
||
| Secrets: []*framework.Secret{ | ||
| secretCerts(&b), | ||
| }, | ||
|
|
||
| BackendType: logical.TypeLogical, | ||
| } | ||
|
|
||
| b.crlLifetime = time.Hour * 72 | ||
| b.tidyCASGuard = new(uint32) | ||
| b.storage = conf.StorageView | ||
|
|
||
| return &b | ||
| } | ||
|
|
||
| type backend struct { | ||
| *framework.Backend | ||
|
|
||
| storage logical.Storage | ||
| crlLifetime time.Duration | ||
| revokeStorageLock sync.RWMutex | ||
| tidyCASGuard *uint32 | ||
| } | ||
|
|
||
| const backendHelp = ` | ||
| The PKI backend dynamically generates X509 server and client certificates. | ||
| After mounting this backend, configure the CA using the "pem_bundle" endpoint within | ||
| the "config/" path. | ||
| ` |
Oops, something went wrong.