hashicorp · jefferai · Apr 7, 2017 · Apr 4, 2017 · Apr 4, 2017 · Apr 7, 2017
diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
@@ -240,10 +240,12 @@ func (b *backend) pathIssueSignCert(
 		resp.Secret.TTL = parsedBundle.Certificate.NotAfter.Sub(time.Now())
 	}
 
-	err = req.Storage.Put(&logical.StorageEntry{
-		Key:   "certs/" + cb.SerialNumber,
-		Value: parsedBundle.CertificateBytes,
-	})
+	if !*role.NoStore {
+		err = req.Storage.Put(&logical.StorageEntry{
+			Key:   "certs/" + cb.SerialNumber,
+			Value: parsedBundle.CertificateBytes,
+		})
+	}
 	if err != nil {
 		return nil, fmt.Errorf("Unable to store certificate locally: %v", err)
 	}

diff --git a/builtin/logical/pki/path_roles.go b/builtin/logical/pki/path_roles.go
@@ -204,6 +204,17 @@ to the CRL.  When large number of certificates are generated with long
 lifetimes, it is recommended that lease generation be disabled, as large amount of
 leases adversely affect the startup time of Vault.`,
 			},
+			"no_store": &framework.FieldSchema{
+				Type:    framework.TypeBool,
+				Default: false,
+				Description: `
+If set, certificates issued/signed against this role will not be stored in the
+in the storage backend. This can improve performance when issuing large numbers
+of certificates. However, certificates issued in this way cannot be enumerated
+or revoked, so this option is recommended only for certificates that are
+non-sensitive, or extremely short-lived. This option implies a value of "false"
+for "generate_lease".`,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -280,6 +291,13 @@ func (b *backend) getRole(s logical.Storage, n string) (*roleEntry, error) {
 		modified = true
 	}
 
+	// analogous upgrade for no_store
+	if result.NoStore == nil {
+		result.NoStore = new(bool)
+		*result.NoStore = false
+		modified = true
+	}
+
 	if modified {
 		jsonEntry, err := logical.StorageEntryJSON("role/"+n, &result)
 		if err != nil {
@@ -384,9 +402,16 @@ func (b *backend) pathRoleCreate(
 		OU:                  data.Get("ou").(string),
 		Organization:        data.Get("organization").(string),
 		GenerateLease:       new(bool),
+		NoStore:             new(bool),
 	}
 
-	*entry.GenerateLease = data.Get("generate_lease").(bool)
+	*entry.NoStore = data.Get("no_store").(bool)
+	// no_store implies generate_lease := false
+	if *entry.NoStore {
+		*entry.GenerateLease = false
+	} else {
+		*entry.GenerateLease = data.Get("generate_lease").(bool)
+	}
 
 	if entry.KeyType == "rsa" && entry.KeyBits < 2048 {
 		return logical.ErrorResponse("RSA keys < 2048 bits are unsafe and not supported"), nil
@@ -504,6 +529,7 @@ type roleEntry struct {
 	OU                    string `json:"ou" structs:"ou" mapstructure:"ou"`
 	Organization          string `json:"organization" structs:"organization" mapstructure:"organization"`
 	GenerateLease         *bool  `json:"generate_lease,omitempty" structs:"generate_lease,omitempty"`
+	NoStore               *bool  `json:"no_store,omitempty" structs:"no_store,omitempty"`
 }
 
 const pathListRolesHelpSyn = `List the existing roles in this backend`

diff --git a/builtin/logical/pki/path_roles_test.go b/builtin/logical/pki/path_roles_test.go
@@ -124,6 +124,156 @@ func TestPki_RoleGenerateLease(t *testing.T) {
 	}
 }
 
+func TestPki_RoleNoStore(t *testing.T) {
+	var resp *logical.Response
+	var err error
+	b, storage := createBackendWithStorage(t)
+
+	roleData := map[string]interface{}{
+		"allowed_domains": "myvault.com",
+		"ttl":             "5h",
+	}
+
+	roleReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "roles/testrole",
+		Storage:   storage,
+		Data:      roleData,
+	}
+
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v resp: %#v", err, resp)
+	}
+
+	roleReq.Operation = logical.ReadOperation
+
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v resp: %#v", err, resp)
+	}
+
+	// no_store cannot be nil
+	noStore := resp.Data["no_store"].(*bool)
+	if noStore == nil {
+		t.Fatalf("no_store should not be nil")
+	}
+
+	// By default, generate_lease should be `false`
+	if *noStore {
+		t.Fatalf("no_store should not be set by default")
+	}
+
+	// role.GenerateLease will be nil after the decode
+	var role roleEntry
+	err = mapstructure.Decode(resp.Data, &role)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Make it explicit
+	role.NoStore = nil
+
+	entry, err := logical.StorageEntryJSON("role/testrole", role)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := storage.Put(entry); err != nil {
+		t.Fatal(err)
+	}
+
+	// Reading should upgrade no_store
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v resp: %#v", err, resp)
+	}
+
+	noStore = resp.Data["no_store"].(*bool)
+	if noStore == nil {
+		t.Fatalf("no_store should not be nil")
+	}
+
+	// Upgrade should set no_store to `false`
+	if *noStore {
+		t.Fatalf("no_store should be false after an upgrade")
+	}
+
+	// Make sure that setting no_store to `true` works properly
+	roleReq.Operation = logical.UpdateOperation
+	roleReq.Path = "roles/testrole_nostore"
+	roleReq.Data["no_store"] = true
+	roleReq.Data["allowed_domain"] = "myvault.com"
+	roleReq.Data["allow_subdomains"] = true
+	roleReq.Data["ttl"] = "5h"
+
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v resp: %#v", err, resp)
+	}
+
+	roleReq.Operation = logical.ReadOperation
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v resp: %#v", err, resp)
+	}
+
+	noStore = resp.Data["no_store"].(*bool)
+	if noStore == nil {
+		t.Fatalf("no_store should not be nil")
+	}
+	if !*noStore {
+		t.Fatalf("no_store should have been set to true")
+	}
+
+	// issue a certificate and test that it's not stored
+	caData := map[string]interface{}{
+		"common_name": "myvault.com",
+		"ttl":         "5h",
+		"ip_sans":     "127.0.0.1",
+	}
+	caReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "root/generate/internal",
+		Storage:   storage,
+		Data:      caData,
+	}
+	resp, err = b.HandleRequest(caReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v resp: %#v", err, resp)
+	}
+
+	issueData := map[string]interface{}{
+		"common_name": "cert.myvault.com",
+		"format":      "pem",
+		"ip_sans":     "127.0.0.1",
+		"ttl":         "1h",
+	}
+	issueReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "issue/testrole_nostore",
+		Storage:   storage,
+		Data:      issueData,
+	}
+
+	resp, err = b.HandleRequest(issueReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v resp: %#v", err, resp)
+	}
+
+	// list certs
+	resp, err = b.HandleRequest(&logical.Request{
+		Operation: logical.ListOperation,
+		Path:      "certs",
+		Storage:   storage,
+	})
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: err: %v resp: %#v", err, resp)
+	}
+	if len(resp.Data["keys"].([]string)) != 1 {
+		t.Fatalf("Only the CA certificate should be stored: %#v", resp)
+	}
+}
+
 func TestPki_CertsLease(t *testing.T) {
 	var resp *logical.Response
 	var err error