Hong Ooi 2019-05-04 22:24:48 +10:00
Родитель c9127ff325
Коммит 0d3d3cfb8f
6 изменённых файлов: 34 добавлений и 28 удалений


@ -4,7 +4,7 @@ S3method(print,cert_policy)
S3method(print,vault_access_policy)
export(AzureKeyVault)
export(az_key_vault)
export(cert_expiry_actions)
export(cert_expiry_action)
export(cert_issuer_properties)
export(cert_key_properties)
export(cert_x509_properties)


@ -9,7 +9,7 @@
#' ```
#' create(name, subject, x509=cert_x509_properties(), issuer=cert_issuer_properties(),
#' key=cert_key_properties(), format=c("pem", "pkcs12"),
#' actions=cert_expiry_actions(),
#' expiry_action=cert_expiry_action(),
#' attributes=vault_object_attrs(),
#' ..., wait=TRUE)
#' import(name, value, pwd=NULL,
@ -34,7 +34,7 @@
#' - `issuer`: Issuer properties for the certificate. A convenient way to provide this is via the [cert_issuer_properties] helper function. The default is to specify a self-signed certificate.
#' - `key`: Key properties for the certificate. A convenient way to provide this is via the [cert_key_properties] helper function.
#' - `format`: The format to store the certificate in. Can be either PEM or PFX, aka PKCS#12. This also determines the format in which the certificate will be exported (see [certificate]).
#' - `actions`: The actions to take when the certificate is about to expire. A convenient way to provide this is via the [cert_expiry_actions] helper function.
#' - `expiry_action`: What Key Vault should do when the certificate is about to expire. A convenient way to provide this is via the [cert_expiry_action] helper function.
#' - `attributes`: Optional attributes for the secret. A convenient way to provide this is via the [vault_object_attrs] helper function.
#' - `value`: For `import`, the certificate to import. This can be the name of a PFX file, or a raw vector with the contents of the file.
#' - `pwd`: For `import`, the password if the imported certificate is password-protected.
@ -123,7 +123,7 @@ public=list(
create=function(name, subject, x509=cert_x509_properties(), issuer=cert_issuer_properties(),
key=cert_key_properties(),
format=c("pem", "pfx"),
actions=cert_expiry_actions(),
expiry_action=cert_expiry_action(),
attributes=vault_object_attrs(),
..., wait=TRUE)
{
@ -136,7 +136,7 @@ public=list(
key_props=key,
secret_props=list(contentType=format),
x509_props=c(subject=subject, x509),
lifetime_actions=actions,
lifetime_actions=expiry_action,
attributes=attributes
)
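Review bot: The roxygen bullet for `expiry_action` does not say how expiry handling is switched off, although the helper's own documentation names `remaining = NULL` for that purpose and `create` forwards the value unchanged as `lifetime_actions=expiry_action`, so a reader of the class docs has no way to discover it. Suggest appending to the bullet: `To disable expiry actions, pass cert_expiry_action(remaining=NULL).` Since the documented signature block was edited here anyway, note that it still shows `format=c("pem", "pkcs12")` while the method itself declares `format=c("pem", "pfx")`; the two should agree. The `create` method body continues outside the hunk.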


@ -13,8 +13,8 @@
#' @param issuer For `cert_issuer_properties`, the name of the issuer. Defaults to "self" for a self-signed certificate.
#' @param cert_type For `cert_issuer_properties`, the type of certificate to issue, eg "OV-SSL", "DV-SSL" or "EV-SSL".
#' @param transparent For `cert_issuer_properties`, whether the certificate should be transparent.
#' @param auto_renew For `cert_expiry_actions`, when to automatically renew the certificate. If this is a number between 0 and 1, it is interpreted as the fraction of lifetime remaining; if greater than 1, the number of days remaining.
#' @param email_contacts For `cert_expiry_actions`, when to notify the listed contacts for the key vault that a certificate is about to expire. If this is a number between 0 and 1, it is interpreted as the fraction of lifetime remaining; if greater than 1, the number of days remaining.
#' @param remaining For `cert_expiry_action`, The remaining certificate lifetime at which to take action. If this is a number between 0 and 1, it is interpreted as the percentage of life remaining; otherwise, the number of days remaining. To disable expiry actions, set this to NULL.
#' @param action For `cert_expiry_action`, what action to take when a certificate is about to expire. Can be either "AutoRenew" or "EmailContacts". Ignored if `remaining == NULL`.
#' @param enabled For `vault_object_attrs`, whether this stored object (key, secret, certificate, storage account) is enabled.
#' @param expiry_date,activation_date For `vault_object_attrs`, the optional expiry date and activation date of the stored object. Can be any R object that can be coerced to POSIXct format.
#' @param recovery_level For `vault_object_attrs`, the recovery level for the stored object.
@ -63,24 +63,21 @@ cert_issuer_properties=function(issuer="self", cert_type=NULL, transparent=NULL)
#' @rdname helpers
#' @export
cert_expiry_actions <- function(auto_renew=NULL, email_contacts=NULL)
cert_expiry_action <- function(remaining=0.1, action=c("AutoRenew", "EmailContacts"))
{
auto_renew <- if(!is.null(auto_renew))
{
if(auto_renew < 1)
list(action="AutoRenew", trigger=list(lifetime_percentage=round(auto_renew*100)))
else list(action="AutoRenew", trigger=list(days_before_expiry=auto_renew))
}
if(is_empty(remaining))
return(list())
email_contacts <- if(!is.null(email_contacts))
remaining <- as.numeric(remaining)
trigger <- if(0 < remaining && remaining < 1)
{
if(email_contacts < 1)
list(action="EmailContacts", trigger=list(lifetime_percentage=round(email_contacts*100)))
else list(action="EmailContacts", trigger=list(days_before_expiry=email_contacts))
pct <- round((1 - remaining) * 100)
list(lifetime_percentage=pct)
}
else list(days_before_expiry=remaining)
actions <- list(auto_renew, email_contacts)
compact(actions)
action <- list(action_type=match.arg(action))
list(list(trigger=trigger, action=action))
}
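Review bot: `remaining` is coerced with `as.numeric(remaining)` but never validated, so a zero or negative value falls through to the `else` branch and is emitted as `days_before_expiry=remaining`, a value that coerces to `NA` makes the `0 < remaining && remaining < 1` test error with "missing value where TRUE/FALSE needed", and a vector of length greater than one is not rejected either. Suggest a guard directly after the coercion: `if (length(remaining) != 1L || is.na(remaining) || remaining <= 0) stop("'remaining' must be a single positive number", call.=FALSE)`. In the roxygen hunk above, `@param remaining` describes a value between 0 and 1 as "the percentage of life remaining", whereas the code treats it as a fraction and converts it to an elapsed-lifetime percentage via `round((1 - remaining) * 100)`, so "fraction" is the accurate word; and `@param action` says "Ignored if `remaining == NULL`", which is not a valid R test — `is.null(remaining)` is what is meant.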


@ -12,7 +12,7 @@ This class represents the collection of certificates stored in a vault. It provi
This class provides the following methods:\preformatted{create(name, subject, x509=cert_x509_properties(), issuer=cert_issuer_properties(),
key=cert_key_properties(), format=c("pem", "pkcs12"),
actions=cert_expiry_actions(),
expiry_action=cert_expiry_action(),
attributes=vault_object_attrs(),
..., wait=TRUE)
import(name, value, pwd=NULL,
@ -41,7 +41,7 @@ list_issuers()
\item \code{issuer}: Issuer properties for the certificate. A convenient way to provide this is via the \link{cert_issuer_properties} helper function. The default is to specify a self-signed certificate.
\item \code{key}: Key properties for the certificate. A convenient way to provide this is via the \link{cert_key_properties} helper function.
\item \code{format}: The format to store the certificate in. Can be either PEM or PFX, aka PKCS#12. This also determines the format in which the certificate will be exported (see \link{certificate}).
\item \code{actions}: The actions to take when the certificate is about to expire. A convenient way to provide this is via the \link{cert_expiry_actions} helper function.
\item \code{expiry_action}: What Key Vault should do when the certificate is about to expire. A convenient way to provide this is via the \link{cert_expiry_action} helper function.
\item \code{attributes}: Optional attributes for the secret. A convenient way to provide this is via the \link{vault_object_attrs} helper function.
\item \code{value}: For \code{import}, the certificate to import. This can be the name of a PFX file, or a raw vector with the contents of the file.
\item \code{pwd}: For \code{import}, the password if the imported certificate is password-protected.


@ -4,7 +4,7 @@
\alias{cert_key_properties}
\alias{cert_x509_properties}
\alias{cert_issuer_properties}
\alias{cert_expiry_actions}
\alias{cert_expiry_action}
\alias{vault_object_attrs}
\title{Helper functions for key vault objects}
\usage{
@ -20,7 +20,8 @@ cert_x509_properties(dns_names = character(), emails = character(),
cert_issuer_properties(issuer = "self", cert_type = NULL,
transparent = NULL)
cert_expiry_actions(auto_renew = NULL, email_contacts = NULL)
cert_expiry_action(remaining = 0.1, action = c("AutoRenew",
"EmailContacts"))
vault_object_attrs(enabled = TRUE, expiry_date = NULL,
activation_date = NULL, recovery_level = NULL)
@ -52,9 +53,9 @@ vault_object_attrs(enabled = TRUE, expiry_date = NULL,
\item{transparent}{For \code{cert_issuer_properties}, whether the certificate should be transparent.}
\item{auto_renew}{For \code{cert_expiry_actions}, when to automatically renew the certificate. If this is a number between 0 and 1, it is interpreted as the fraction of lifetime remaining; if greater than 1, the number of days remaining.}
\item{remaining}{For \code{cert_expiry_action}, The remaining certificate lifetime at which to take action. If this is a number between 0 and 1, it is interpreted as the percentage of life remaining; otherwise, the number of days remaining. To disable expiry actions, set this to NULL.}
\item{email_contacts}{For \code{cert_expiry_actions}, when to notify the listed contacts for the key vault that a certificate is about to expire. If this is a number between 0 and 1, it is interpreted as the fraction of lifetime remaining; if greater than 1, the number of days remaining.}
\item{action}{For \code{cert_expiry_action}, what action to take when a certificate is about to expire. Can be either "AutoRenew" or "EmailContacts". Ignored if \code{remaining == NULL}.}
\item{enabled}{For \code{vault_object_attrs}, whether this stored object (key, secret, certificate, storage account) is enabled.}


@ -13,6 +13,7 @@ vault <- key_vault(vaultname, tenant=tenant, app=app, password=password)
try({
vault$certificates$delete("rsacert", confirm=FALSE)
vault$certificates$delete("pfxcert", confirm=FALSE)
vault$certificates$delete("notifycert", confirm=FALSE)
vault$certificates$set_contacts(NULL)
vault$certificates$remove_issuer("issuer1")
}, silent=TRUE)
@ -30,7 +31,7 @@ test_that("Certificate interface works",
rsacert2 <- vault$certificates$create("rsacert",
subject="CN=example.com",
x509=cert_x509_properties(dns_names="example.com"),
x509=cert_x509_properties(dns_names="example.com", validity_months=24),
attributes=vault_object_attrs(expiry_date="2099-01-01"))
expect_true(inherits(rsacert2, "stored_cert") && is.character(rsacert2$cer))
@ -47,6 +48,12 @@ test_that("Certificate interface works",
expect_silent(pfxcert$export(pfxfile))
expect_true(file.exists(pfxfile) && file.info(pfxfile)$size > 0)
notifycert <- vault$certificates$create("notifycert",
subject="CN=example.com",
expiry_action=cert_expiry_action(action="EmailContacts"))
expect_true(inherits(notifycert, "stored_cert") && is.character(notifycert$cer) &&
notifycert$policy$lifetime_actions[[1]]$action$action_type == "EmailContacts")
# need to wait for version listing to update, even though cert itself is complete
Sys.sleep(30)
@ -54,7 +61,7 @@ test_that("Certificate interface works",
expect_true(is.data.frame(rsalist) && nrow(rsalist) == 2)
lst <- vault$certificates$list()
expect_true(is.character(lst) && length(lst) == 2)
expect_true(is.character(lst) && length(lst) == 3)
backup <- vault$certificates$backup("rsacert")
expect_type(backup, "character")
@ -70,3 +77,4 @@ test_that("Certificate interface works",
vault$certificates$delete("rsacert", confirm=FALSE)
vault$certificates$delete("pfxcert", confirm=FALSE)
vault$certificates$delete("notifycert", confirm=FALSE)
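Review bot: The new `notifycert` assertion folds three independent checks into one `expect_true(... && ...)`, so a failure reports only `FALSE` with no indication of which part broke, and if `lifetime_actions` comes back empty the `[[1]]` subscript raises an error rather than a clean expectation failure. Split it into `expect_s3_class(notifycert, "stored_cert")`, `expect_type(notifycert$cer, "character")` and `expect_equal(notifycert$policy$lifetime_actions[[1]]$action$action_type, "EmailContacts")`. The trigger is not asserted at all; if the returned policy mirrors the list the helper builds, checking that `$trigger$lifetime_percentage` equals 90 for the default `remaining=0.1` would also cover the fraction-to-percentage conversion. The `test_that` block containing this assertion starts and ends outside its hunk.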