diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 46b664208..07fff19d6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,7 +59,7 @@ jobs:
 version: ${{ needs.get-product-version.outputs.product-version }}
 product: ${{ env.PKG_NAME }}
 repositoryOwner: "hashicorp"
- - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: metadata.json
 path: ${{ steps.generate-metadata-file.outputs.filepath }}
@@ -104,7 +104,7 @@ jobs:
 go build -o dist/ -ldflags "-s -w -X $(go list -m)/version.GitCommit=$(git rev-parse --short HEAD)" .
 zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip dist/
- - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
 path: out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
@@ -147,7 +147,7 @@ jobs:
 go build -o dist/ -ldflags "-s -w -X $(go list -m)/version.GitCommit=$(git rev-parse --short HEAD)" .
 zip -r -j out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip dist/
- - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
 name: ${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
 path: out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
@@ -182,13 +182,13 @@ jobs:
 echo "RPM_PACKAGE=$(basename out/*.rpm)" >> $GITHUB_ENV
 echo "DEB_PACKAGE=$(basename out/*.deb)" >> $GITHUB_ENV
- - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 if: ${{ matrix.goos == 'linux' }}
 with:
 name: ${{ env.RPM_PACKAGE }}
 path: out/${{ env.RPM_PACKAGE }}
- - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 if: ${{ matrix.goos == 'linux' }}
 with:
 name: ${{ env.DEB_PACKAGE }}
diff --git a/dependency/vault_pki.go b/dependency/vault_pki.go
index 8bfdab311..37bc3d6a8 100644
--- a/dependency/vault_pki.go
+++ b/dependency/vault_pki.go
@@ -21,11 +21,40 @@ import (
 var _ Dependency = (*VaultPKIQuery)(nil)
 // Return type containing PEMs as strings
-type PemEncoded struct{ Cert, Key, CA string }
+type PemEncoded struct {
+ Cert, Key, CA string
+ CAChain []string
+}
+
+func (a PemEncoded) Equals(b PemEncoded) bool {
+ if a.CA != b.CA || a.Cert != b.Cert || a.Key != b.Key {
+ return false
+ }
+
+ if len(a.CAChain) != len(b.CAChain) {
+ return false
+ }
+
+ for i, v := range a.CAChain {
+ if v != b.CAChain[i] {
+ return false
+ }
+ }
+ return true
+}
+
+func (a PemEncoded) CaChainContains(item string) bool {
+ for _, v := range a.CAChain {
+ if v == item {
+ return true
+ }
+ }
+ return false
+}
 // a wrapper to mimic v2 secrets Data wrapper
-func (p PemEncoded) Data() PemEncoded {
- return p
+func (a PemEncoded) Data() PemEncoded {
+ return a
 }
 // VaultPKIQuery is the dependency to Vault for a secret
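Review bot: The exported `Equals` and `CaChainContains` methods added in this hunk have no doc comments, and `CaChainContains` does not follow the initialism casing of the `CAChain` field it iterates (Go convention would be `CAChainContains`, and `Equal`, as in `bytes.Equal` and `time.Time.Equal`, is the usual name for the comparison, though renaming either now also touches the vault_pki_test.go hunks below). Suggested comments: `// Equals reports whether b has the same Cert, Key and CA as a and the same CAChain entries in the same order.` and `// CaChainContains reports whether item is one of the PEM strings already in a.CAChain.` If the module's go directive is 1.21 or newer (not visible from this diff), both bodies collapse to the standard library, `return a.CA == b.CA && a.Cert == b.Cert && a.Key == b.Key && slices.Equal(a.CAChain, b.CAChain)` and `return slices.Contains(a.CAChain, item)`, with a `slices` import added to the file's import block. The context comment `// Return type containing PEMs as strings` is now slightly stale since CAChain is a []string; `// Return type containing PEMs as strings; CAChain holds every CA certificate found, in input order` would cover the new field.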
@@ -152,10 +181,12 @@ func pemsCert(encoded []byte) (PemEncoded, *x509.Certificate, error) {
 var cert *x509.Certificate
 var encPems PemEncoded
 var aPem []byte
+
 for {
 aPem, encoded = nextPem(encoded)
 // scan, find and parse PEM blocks
 block, _ = pem.Decode(aPem)
+
 switch {
 case block == nil: // end of scan, no more PEMs found
 return encPems, cert, nil
@@ -170,7 +201,13 @@ func pemsCert(encoded []byte) (PemEncoded, *x509.Certificate, error) {
 case err != nil:
 return PemEncoded{}, nil, err
 case maybeCert.IsCA:
- encPems.CA = string(pem.EncodeToMemory(block))
+ if encPems.CA == "" {
+ // set the first CA found to CA to be backward compatible
+ encPems.CA = string(pem.EncodeToMemory(block))
+ }
+ if !encPems.CaChainContains(string(pem.EncodeToMemory(block))) {
+ encPems.CAChain = append(encPems.CAChain, string(pem.EncodeToMemory(block)))
+ }
 default: // the certificate
 cert = maybeCert
 encPems.Cert = string(pem.EncodeToMemory(block))
@@ -205,10 +242,20 @@ func (d *VaultPKIQuery) fetchPEMs(clients *ClientSet) ([]byte, error) {
 }
 printVaultWarnings(d, vaultSecret.Warnings)
 pems := bytes.Buffer{}
- for _, v := range vaultSecret.Data {
+
+ for k, v := range vaultSecret.Data {
 switch v := v.(type) {
 case string:
 pems.WriteString(v + "\n")
+ case []interface{}:
+ if k == "ca_chain" {
+ for _, item := range v {
+ switch item := item.(type) {
+ case string:
+ pems.WriteString(item + "\n")
+ }
+ }
+ }
 }
 }
diff --git a/dependency/vault_pki_test.go b/dependency/vault_pki_test.go
index 3c1eca21d..0b6727cec 100644
--- a/dependency/vault_pki_test.go
+++ b/dependency/vault_pki_test.go
@@ -238,7 +238,8 @@ func Test_VaultPKI_refetch(t *testing.T) {
 t.Fatalf("expected a pems but found: %s", pems2)
 }
 // using cached copy, so should be a match
- if pems1 != pems2 {
+
+ if !pems1.Equals(pems2) {
 t.Errorf("pemss don't match and should.")
 }
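Review bot: In the `case maybeCert.IsCA:` branch, `pem.EncodeToMemory(block)` is re-encoded and converted to a string three times for the same block; encoding once up front, `caPEM := string(pem.EncodeToMemory(block))`, and using `caPEM` in the `encPems.CA == ""` assignment, the `CaChainContains` call and the `append` reads more clearly and avoids the repeated allocations. The added `// set the first CA found to CA to be backward compatible` comment should also say that "first" means first in the byte order of `encoded`, since which CA ends up in `CA` depends on how the caller assembled the input rather than on any property of the certificates. The enclosing `pemsCert` function starts and ends outside this hunk.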
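Review bot: `for k, v := range vaultSecret.Data` iterates a Go map, whose range order is randomized, so the position of the `ca_chain` entries relative to the other CA strings in `pems` can differ between two fetches of the same secret; that did not matter while every PEM landed in its own field, but it now decides the order of `PemEncoded.CAChain` and thus the result of the order-sensitive `Equals`, so when the issuing CA string is not the first `ca_chain` entry two identical responses can compare unequal — hedged, since the callers of `Equals` outside the test are not in this diff. Sorting the keys before the loop, or writing the string values first and the `ca_chain` entries afterwards in their list order, makes the output deterministic. A non-string entry in `ca_chain` is silently skipped by the inner `switch`; a comment such as `// ca_chain entries are expected to be PEM strings; anything else is ignored` would document that as deliberate. The `[]interface{}` case can be written `[]any` if the module already targets Go 1.18 or newer. `fetchPEMs` begins outside this hunk.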
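Review bot: The blank line added before `if !pems1.Equals(pems2) {` separates the `// using cached copy, so should be a match` comment from the statement it explains; dropping the added blank keeps the comment attached and matches the `-261` hunk in the same file, which switches to `Equals` without inserting one. The rest of `Test_VaultPKI_refetch` lies outside this hunk.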
@@ -261,7 +262,7 @@ func Test_VaultPKI_refetch(t *testing.T) {
 t.Fatalf("expected a pems but found: %s", pems2)
 }
- if pems2 == pems3 {
+ if pems2.Equals(pems3) {
 t.Errorf("pemss match and shouldn't.")
 }
 }