Merge pull request #97 from stormshield-gt/add_cert_auth_configuration

add cert auth configuration
jmgilman · Jul 10, 2024 · 818959c · 818959c
2 parents 46e40c0 + c63a971
commit 818959c
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 2 deletions.
diff --git a/src/api/auth/cert/requests.rs b/src/api/auth/cert/requests.rs
@@ -108,6 +108,29 @@ pub struct ListCaCertificateRoleRequest {
     pub mount: String,
 }
 
+/// ## Configure TLS certificate method
+/// Configuration options for the method.
+///
+/// * Path: /auth/{self.mount}/config
+/// * Method: POST
+/// * Response: N/A
+/// * Reference: <https://developer.hashicorp.com/vault/api-docs/auth/cert#configure-tls-certificate-method>
+#[derive(Builder, Debug, Default, Endpoint)]
+#[endpoint(path = "/auth/{self.mount}/config", method = "POST", builder = "true")]
+#[builder(setter(into, strip_option), default)]
+pub struct ConfigureTlsCertificateMethod {
+    #[endpoint(skip)]
+    pub mount: String,
+    /// If set, during renewal, skips the matching of presented client identity with the client identity used during login.
+    disable_binding: Option<bool>,
+    /// If set, metadata of the certificate including the metadata corresponding to allowed_metadata_extensions will be stored in the alias.
+    enable_identity_alias_metadata: Option<bool>,
+    /// The size of the OCSP response LRU cache. Note that this cache is used for all configured certificates.
+    ocsp_cache_size: Option<u64>,
+    /// The size of the role cache. Use -1 to disable role caching.
+    role_cache_size: Option<u64>,
+}
+
 /// ## Login
 /// Login with the TLS certificate method and authenticate against only the named
 /// certificate role.

diff --git a/src/auth/cert.rs b/src/auth/cert.rs
@@ -1,5 +1,11 @@
 use crate::{
-    api::{self, auth::cert::requests::LoginRequest, AuthInfo},
+    api::{
+        self,
+        auth::cert::requests::{
+            ConfigureTlsCertificateMethod, ConfigureTlsCertificateMethodBuilder, LoginRequest,
+        },
+        AuthInfo,
+    },
     client::Client,
     error::ClientError,
 };
@@ -20,6 +26,19 @@ pub async fn login(
     api::auth(client, endpoint).await
 }
 
+/// ConfigureTlsCertificateMethod
+///
+/// See [ConfigureTlsCertificateMethod]
+pub async fn configure_tls_certificate_method(
+    client: &impl Client,
+    mount: &str,
+    opts: Option<&mut ConfigureTlsCertificateMethodBuilder>,
+) -> Result<(), ClientError> {
+    let mut t = ConfigureTlsCertificateMethod::builder();
+    let endpoint = opts.unwrap_or(&mut t).mount(mount).build().unwrap();
+    api::exec_with_empty(client, endpoint).await
+}
+
 pub mod ca_cert_role {
     use crate::{
         api::{

diff --git a/tests/cert.rs b/tests/cert.rs
@@ -13,6 +13,9 @@ use rcgen::{BasicConstraints, Certificate, CertificateParams, IsCa};
 use tempfile::TempDir;
 use test_log::test;
 use vault_bind_mounts_container::{VaultServer, VaultServerConfig};
+use vaultrs::api::auth::cert::requests::{
+    ConfigureTlsCertificateMethodBuilder, CreateCaCertificateRoleRequestBuilder,
+};
 use vaultrs::auth::cert::{self};
 use vaultrs::client::{Client, VaultClient, VaultClientSettingsBuilder};
 use vaultrs::error::ClientError;
@@ -73,13 +76,15 @@ fn test() {
         let endpoint = setup(&client).await.unwrap();
 
         // Test CA cert role
-        ca_cert_role::test_set(&client, &endpoint, client_cert_str).await;
+        ca_cert_role::test_set(&client, &endpoint, client_cert_str.clone()).await;
         ca_cert_role::test_read(&client, &endpoint).await;
         ca_cert_role::test_list(&client, &endpoint).await;
 
         // Test login
         test_login(&client, &endpoint).await;
 
+        test_configure(&client, &endpoint).await;
+
         // Test delete
         ca_cert_role::test_delete(&client, &endpoint).await;
     });
@@ -90,6 +95,27 @@ pub async fn test_login(client: &impl Client, endpoint: &CertEndpoint) {
     assert!(res.is_ok());
 }
 
+pub async fn test_configure(client: &impl Client, endpoint: &CertEndpoint) {
+    cert::configure_tls_certificate_method(
+        client,
+        endpoint.path.as_str(),
+        Some(
+            &mut ConfigureTlsCertificateMethodBuilder::default()
+                .enable_identity_alias_metadata(true),
+        ),
+    )
+    .await
+    .unwrap();
+    let login = cert::login(client, endpoint.path.as_str(), endpoint.name.as_str())
+        .await
+        .unwrap();
+    let entity = vaultrs::identity::entity::read_by_id(client, &login.entity_id)
+        .await
+        .unwrap();
+    // FIXME: When we will bump the tested vault to a newer version, we will need to update this assert.
+    assert!(entity.metadata.is_none());
+}
+
 pub mod ca_cert_role {
     use vaultrs::{auth::cert::ca_cert_role, client::Client};