diff --git a/src/main/java/com/bettercloud/vault/api/pki/Pki.java b/src/main/java/com/bettercloud/vault/api/pki/Pki.java
index 1074c2be..ad60b361 100644
--- a/src/main/java/com/bettercloud/vault/api/pki/Pki.java
+++ b/src/main/java/com/bettercloud/vault/api/pki/Pki.java
@@ -374,9 +374,10 @@ public PkiResponse issue(
 final String ttl,
 final CredentialFormat format) throws VaultException {
- return issue(roleName, commonName, altNames, ipSans, ttl, format, "");
+ return issue(roleName, commonName, altNames, ipSans, ttl, format, true, "");
 }
+ /** *
Operation to generate a new set of credentials or sign the embedded CSR, in the PKI backend. If CSR is passed the
* sign function of the vault will be called if not, issue will be used.
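Review bot: The `true` now passed for the new boolean is, going by the new overload's `@param excludeCNFromSans` text, the value that leaves the field out of the request, so existing callers of this 7-argument overload keep Vault's server-side default; that is the right choice for a compatibility shim, but nothing on this overload says so, and the claim depends on the 8-argument body, which is not readable here. This method's Javadoc and signature begin before the hunk; add a sentence to that Javadoc such as `Delegates to the 8-argument overload with {@code excludeCNFromSans = true}, which leaves exclude_cn_from_sans unset so the role's default applies.` so the next reader does not assume the CN is being excluded from the SANs by default.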
@@ -407,6 +408,49 @@ public PkiResponse issue(
* @return A container for the information returned by Vault
* @throws VaultException If any error occurs or unexpected response is received from Vault
*/
+ public PkiResponse issue(
+ final String roleName,
+ final String commonName,
+ final List Operation to generate a new set of credentials or sign the embedded CSR, in the PKI backend. If CSR is passed the
+ * sign function of the vault will be called if not, issue will be used.
+ * The issuing CA certificate is returned as well, so that only the root CA need be in a
+ * client's trust store. A successful operation will return a 204 HTTP status. A VaultException
will be thrown if
+ * the role does not exist, or if any other problem occurs. Credential information will be populated in the
+ * credential
field of the PkiResponse
return value. Example usage:
+ *
+ *
+ * @param roleName The role on which the credentials will be based.
+ * @param commonName The requested CN for the certificate. If the CN is allowed by role policy, it will be issued.
+ * @param altNames (optional) Requested Subject Alternative Names, in a comma-delimited list. These can be host names or email addresses; they will be parsed into their respective fields. If any requested names do not match role policy, the entire request will be denied.
+ * @param ipSans (optional) Requested IP Subject Alternative Names, in a comma-delimited list. Only valid if the role allows IP SANs (which is the default).
+ * @param ttl (optional) Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
+ * @param format (optional) Format for returned data. Can be pem, der, or pem_bundle; defaults to pem. If der, the output is base64 encoded. If pem_bundle, the certificate field will contain the private key, certificate, and issuing CA, concatenated.
+ * @param excludeCNFromSans (optional) Whether to use Verbatim (HashiCorp Vault UI, not sign-verbatim). If false then it will include 'excludeCNFromSans: false' in the request, otherwise it will not be included.
+ * @param csr (optional) PEM Encoded CSR
+ * @return A container for the information returned by Vault
+ * @throws VaultException If any error occurs or unexpected response is received from Vault
+ */
public PkiResponse issue(
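Review bot: The `@param excludeCNFromSans` text near the end of the new Javadoc contradicts the parameter's name: it says `true` omits the field and `false` sends `'excludeCNFromSans: false'`, so passing `true` does not exclude the CN from the SANs, it merely defers to Vault's default, and a caller who passes `true` expecting the CN to be kept out of the SANs receives a certificate that is also valid for the CN as a DNS SAN. Vault's issue and sign endpoints take this option as `exclude_cn_from_sans`; if the request body really uses the camelCase key quoted in the doc, Vault will silently ignore it — the body of the new overload is not readable in this rendering, so please check the key there. Either rename the parameter to reflect the omit/include behaviour, or, better, send `exclude_cn_from_sans` with the boolean value and document it as `@param excludeCNFromSans If true, the common name is not added to the certificate's Subject Alternative Names (Vault's default is false).` Separately, the description says a successful operation returns a 204 status, but an issue/sign call returns credential data in its body, so that sentence reads as copied from a deletion method's Javadoc and should be corrected.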
@@ -416,6 +460,7 @@ public PkiResponse issue(
final List{@code
+ * final VaultConfig config = new VaultConfig.address(...).token(...).build();
+ * final Vault vault = new Vault(config);
+ *
+ * final PkiResponse response = vault.pki().deleteRole("testRole");
+ * assertEquals(204, response.getRestResponse().getStatus();
+ * }
+ *