Actually use ocsp_enabled, and bind to a random port for testing

hashicorp · Nov 4, 2022 · 7e50dd0 · 7e50dd0
1 parent 0ff724c
commit 7e50dd0
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 11 deletions.
diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go
@@ -1919,7 +1919,6 @@ func testAccStepCertWithExtraParams(t *testing.T, name string, cert []byte, poli
 		"required_extensions":          testData.ext,
 		"allowed_metadata_extensions":  testData.metadata_ext,
 		"lease":                        1000,
-		"ocsp_enabled":                 true,
 	}
 	for k, v := range extraParams {
 		data[k] = v

diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go
@@ -576,19 +576,22 @@ func (b *backend) loadTrustedCerts(ctx context.Context, storage logical.Storage,
 				Certificates: parsed,
 			})
 		}
-		conf.OcspServersOverride = append(conf.OcspServersOverride, entry.OcspServersOverride...)
-		if entry.OcspFailOpen {
-			conf.OcspFailureMode = ocsp.FailOpenTrue
-		} else {
-			conf.OcspFailureMode = ocsp.FailOpenFalse
+		if entry.OcspEnabled {
+			conf.OcspEnabled = true
+			conf.OcspServersOverride = append(conf.OcspServersOverride, entry.OcspServersOverride...)
+			if entry.OcspFailOpen {
+				conf.OcspFailureMode = ocsp.FailOpenTrue
+			} else {
+				conf.OcspFailureMode = ocsp.FailOpenFalse
+			}
+			conf.QueryAllServers = conf.QueryAllServers || entry.OcspQueryAllServers
 		}
-		conf.QueryAllServers = conf.QueryAllServers || entry.OcspQueryAllServers
 	}
 	return
 }
 
 func (b *backend) checkForCertInOCSP(ctx context.Context, clientCert *x509.Certificate, chain []*x509.Certificate, conf *ocsp.VerifyConfig) (bool, error) {
-	if len(chain) < 2 {
+	if !conf.OcspEnabled || len(chain) < 2 {
 		return true, nil
 	}
 	b.ocspClientMutex.RLock()

diff --git a/builtin/credential/cert/path_login_test.go b/builtin/credential/cert/path_login_test.go
@@ -1,6 +1,7 @@
 package cert
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -25,15 +26,26 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
-const ocspPort = 31808
+var ocspPort int
 
 var source InMemorySource
 
 func TestMain(m *testing.M) {
 	source = make(InMemorySource)
+
+	listener, err := net.Listen("tcp", ":0")
+	if err != nil {
+		return
+	}
+	ocspPort = listener.Addr().(*net.TCPAddr).Port
+	srv := &http.Server{
+		Addr:    "localhost:0",
+		Handler: NewResponder(source, nil),
+	}
 	go func() {
-		http.ListenAndServe(fmt.Sprintf("localhost:%d", ocspPort), NewResponder(source, nil))
+		srv.Serve(listener)
 	}()
+	defer srv.Shutdown(context.Background())
 	m.Run()
 }
 
@@ -288,7 +300,7 @@ func TestCert_RoleResolveOCSP(t *testing.T) {
 				CredentialBackend: b,
 				Steps: []logicaltest.TestStep{
 					testAccStepCertWithExtraParams(t, "web", ca, "foo", allowed{dns: "example.com"}, false,
-						map[string]interface{}{"ocsp_fail_open": c.failOpen}),
+						map[string]interface{}{"ocsp_enabled": true, "ocsp_fail_open": c.failOpen}),
 					testAccStepLoginWithName(t, connState, "web", c.errExpected),
 					testAccStepResolveRoleWithName(t, connState, "web"),
 				},

diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
@@ -513,6 +513,7 @@ func isValidOCSPStatus(status ocspStatusCode) bool {
 }
 
 type VerifyConfig struct {
+	OcspEnabled         bool
 	ExtraCas            []*x509.Certificate
 	OcspServersOverride []string
 	OcspFailureMode     FailOpenMode