vaultrs/api/pki/
requests.rs

1use super::responses::{
2    GenerateCertificateResponse, GenerateIntermediateResponse, GenerateRootResponse,
3    ListCertificatesResponse, ListRolesResponse, ReadCRLConfigResponse, ReadCertificateResponse,
4    ReadRoleResponse, ReadURLsResponse, RevokeCertificateResponse, RotateCRLsResponse,
5    SignCertificateResponse, SignIntermediateResponse, SignSelfIssuedResponse,
6};
7use rustify_derive::Endpoint;
8
9/// ## Submit CA Information
10/// This endpoint allows submitting the CA information for the backend via a PEM
11/// file containing the CA certificate and its private key, concatenated.
12///
13/// * Path: {self.mount}/config/ca
14/// * Method: POST
15/// * Response: N/A
16/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#submit-ca-information>
17
18#[derive(Builder, Debug, Default, Endpoint)]
19#[endpoint(path = "{self.mount}/config/ca", method = "POST", builder = "true")]
20#[builder(setter(into, strip_option), default)]
21pub struct SubmitCARequest {
22    #[endpoint(skip)]
23    pub mount: String,
24    pub pem_bundle: String,
25}
26
27/// ## Generate Root
28/// <https://developer.hashicorp.com/vault/api-docssecret/pki#generate-root>
29/// This endpoint generates a new self-signed CA certificate and private key. If
30/// the path ends with exported, the private key will be returned in the
31/// response; if it is internal the private key will not be returned and cannot
32/// be retrieved later.
33///
34/// * Path: {self.mount}/root/generate/{self.cert_type}
35/// * Method: POST
36/// * Response: [`Option<GenerateRootResponse>`]
37/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#generate-root>
38#[derive(Builder, Debug, Default, Endpoint)]
39#[endpoint(
40    path = "{self.mount}/root/generate/{self.cert_type}",
41    method = "POST",
42    response = "Option<GenerateRootResponse>",
43    builder = "true"
44)]
45#[builder(setter(into, strip_option), default)]
46pub struct GenerateRootRequest {
47    #[endpoint(skip)]
48    pub mount: String,
49    #[endpoint(skip)]
50    pub cert_type: String,
51    pub alt_names: Option<String>,
52    pub common_name: Option<String>,
53    pub country: Option<Vec<String>>,
54    pub exclude_cn_from_sans: Option<bool>,
55    pub format: Option<String>,
56    pub locality: Option<Vec<String>>,
57    pub key_bits: Option<u64>,
58    pub key_type: Option<String>,
59    pub ip_sans: Option<String>,
60    pub max_path_length: Option<i32>,
61    pub organization: Option<Vec<String>>,
62    pub other_sans: Option<Vec<String>>,
63    pub ou: Option<Vec<String>>,
64    pub permitted_dns_domains: Vec<String>,
65    pub postal_code: Option<Vec<String>>,
66    pub private_key_format: Option<String>,
67    pub province: Option<Vec<String>>,
68    pub serial_number: Option<String>,
69    pub street_address: Option<Vec<String>>,
70    pub ttl: Option<String>,
71    pub uri_sans: Option<String>,
72}
73
74/// ## Delete Root
75/// This endpoint deletes the current CA key (the old CA certificate will still
76/// be accessible for reading until a new certificate/key is generated or
77/// uploaded).
78///
79/// * Path: {self.mount}/root
80/// * Method: DELETE
81/// * Response: N/A
82/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#delete-root>
83#[derive(Builder, Debug, Default, Endpoint)]
84#[endpoint(path = "{self.mount}/root", method = "DELETE", builder = "true")]
85#[builder(setter(into, strip_option), default)]
86pub struct DeleteRootRequest {
87    #[endpoint(skip)]
88    pub mount: String,
89}
90
91/// ## Sign Certificate
92/// This endpoint signs a new certificate based upon the provided CSR and the
93/// supplied parameters, subject to the restrictions contained in the role named
94/// in the endpoint. The issuing CA certificate is returned as well, so that
95/// only the root CA need be in a client's trust store.
96///
97/// * Path: {self.mount}/sign/{self.role}
98/// * Method: POST
99/// * Response: [SignCertificateResponse]
100/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#sign-certificate>
101#[derive(Builder, Debug, Default, Endpoint)]
102#[endpoint(
103    path = "{self.mount}/sign/{self.role}",
104    method = "POST",
105    response = "SignCertificateResponse",
106    builder = "true"
107)]
108#[builder(setter(into, strip_option), default)]
109pub struct SignCertificateRequest {
110    #[endpoint(skip)]
111    pub mount: String,
112    #[endpoint(skip)]
113    pub role: String,
114    pub alt_names: Option<String>,
115    pub common_name: Option<String>,
116    pub csr: Option<String>,
117    pub exclude_cn_from_sans: Option<bool>,
118    pub format: Option<String>,
119    pub ip_sans: Option<String>,
120    pub other_sans: Option<Vec<String>>,
121    pub serial_number: Option<String>,
122    pub ttl: Option<String>,
123    pub uri_sans: Option<String>,
124    pub remove_roots_from_chain: Option<bool>,
125}
126
127/// ## Sign Intermediate
128/// This endpoint uses the configured CA certificate to issue a certificate with
129/// appropriate values for acting as an intermediate CA.
130///
131/// * Path: {self.mount}/root/sign-intermediate
132/// * Method: POST
133/// * Response: [SignIntermediateResponse]
134/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#sign-intermediate>
135#[derive(Builder, Debug, Default, Endpoint)]
136#[endpoint(
137    path = "{self.mount}/root/sign-intermediate",
138    method = "POST",
139    response = "SignIntermediateResponse",
140    builder = "true"
141)]
142#[builder(setter(into, strip_option), default)]
143pub struct SignIntermediateRequest {
144    #[endpoint(skip)]
145    pub mount: String,
146    pub alt_names: Option<String>,
147    pub common_name: Option<String>,
148    pub country: Option<Vec<String>>,
149    pub csr: Option<String>,
150    pub exclude_cn_from_sans: Option<bool>,
151    pub format: Option<String>,
152    pub locality: Option<Vec<String>>,
153    pub ip_sans: Option<String>,
154    pub max_path_length: Option<i32>,
155    pub organization: Option<Vec<String>>,
156    pub other_sans: Option<Vec<String>>,
157    pub ou: Option<Vec<String>>,
158    pub permitted_dns_domains: Option<Vec<String>>,
159    pub postal_code: Option<Vec<String>>,
160    pub province: Option<Vec<String>>,
161    pub serial_number: Option<String>,
162    pub street_address: Option<Vec<String>>,
163    pub ttl: Option<String>,
164    pub uri_sans: Option<String>,
165    pub use_csr_values: Option<bool>,
166}
167
168/// ## Sign Self-Issued
169/// This endpoint uses the configured CA certificate to sign a self-issued
170/// certificate (which will usually be a self-signed certificate as well).
171///
172/// * Path: {self.mount}/root/sign-self-issued
173/// * Method: POST
174/// * Response: [SignSelfIssuedResponse]
175/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#sign-intermediate>
176#[derive(Builder, Debug, Default, Endpoint)]
177#[endpoint(
178    path = "{self.mount}/root/sign-self-issued",
179    method = "POST",
180    response = "SignSelfIssuedResponse",
181    builder = "true"
182)]
183#[builder(setter(into, strip_option), default)]
184pub struct SignSelfIssuedRequest {
185    #[endpoint(skip)]
186    pub mount: String,
187    pub certificate: String,
188}
189
190/// ## List Certificates
191/// This endpoint returns a list of the current certificates by serial number
192/// only.
193///
194/// * Path: {self.mount}/certs
195/// * Method: LIST
196/// * Response: [ListCertificatesResponse]
197/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#list-certificates>
198#[derive(Builder, Debug, Default, Endpoint)]
199#[endpoint(
200    path = "{self.mount}/certs",
201    method = "LIST",
202    response = "ListCertificatesResponse",
203    builder = "true"
204)]
205#[builder(setter(into, strip_option), default)]
206pub struct ListCertificatesRequest {
207    #[endpoint(skip)]
208    pub mount: String,
209}
210
211/// ## Read Certificate
212/// This endpoint retrieves one of a selection of certificates. This endpoint
213/// returns the certificate in PEM formatting in the certificate key of the JSON
214/// object, which is a standard Vault response that is readable by the Vault
215/// CLI.
216///
217/// * Path: {self.mount}/cert/{self.serial}
218/// * Method: GET
219/// * Response: [ReadCertificateResponse]
220/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#read-certificate>
221#[derive(Builder, Debug, Default, Endpoint)]
222#[endpoint(
223    path = "{self.mount}/cert/{self.serial}",
224    response = "ReadCertificateResponse",
225    builder = "true"
226)]
227#[builder(setter(into, strip_option), default)]
228pub struct ReadCertificateRequest {
229    #[endpoint(skip)]
230    pub mount: String,
231    #[endpoint(skip)]
232    pub serial: String,
233}
234
235/// ## Generate Certificate
236/// This endpoint generates a new set of credentials (private key and
237/// certificate) based on the role named in the endpoint. The issuing CA
238/// certificate is returned as well, so that only the root CA need be in a
239/// client's trust store.
240///
241/// * Path: {self.mount}/issue/{self.role}
242/// * Method: POST
243/// * Response: [GenerateCertificateResponse]
244/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#read-certificate>
245#[derive(Builder, Debug, Default, Endpoint)]
246#[endpoint(
247    path = "{self.mount}/issue/{self.role}",
248    method = "POST",
249    response = "GenerateCertificateResponse",
250    builder = "true"
251)]
252#[builder(setter(into, strip_option), default)]
253pub struct GenerateCertificateRequest {
254    #[endpoint(skip)]
255    pub mount: String,
256    #[endpoint(skip)]
257    pub role: String,
258    pub alt_names: Option<String>,
259    pub common_name: Option<String>,
260    pub exclude_cn_from_sans: Option<bool>,
261    pub format: Option<String>,
262    pub ip_sans: Option<String>,
263    pub other_sans: Option<Vec<String>>,
264    pub private_key_format: Option<String>,
265    pub ttl: Option<String>,
266    pub uri_sans: Option<String>,
267    pub remove_roots_from_chain: Option<bool>,
268}
269
270/// ## Revoke Certificate
271/// This endpoint revokes a certificate using its serial number. This is an
272/// alternative option to the standard method of revoking using Vault lease IDs.
273/// A successful revocation will rotate the CRL.
274///
275/// * Path: {self.mount}/revoke
276/// * Method: POST
277/// * Response: [RevokeCertificateResponse]
278/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#revoke-certificate>
279#[derive(Builder, Debug, Default, Endpoint)]
280#[endpoint(
281    path = "{self.mount}/revoke",
282    method = "POST",
283    response = "RevokeCertificateResponse",
284    builder = "true"
285)]
286#[builder(setter(into, strip_option), default)]
287pub struct RevokeCertificateRequest {
288    #[endpoint(skip)]
289    pub mount: String,
290    pub serial_number: String,
291}
292
293/// ## Read CRL Configuration
294/// This endpoint allows getting the duration for which the generated CRL should
295/// be marked valid.
296///
297/// * Path: {self.mount}/config/crl
298/// * Method: GET
299/// * Response: [ReadCRLConfigResponse]
300/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#read-crl-configuration>
301#[derive(Builder, Debug, Default, Endpoint)]
302#[endpoint(
303    path = "{self.mount}/config/crl",
304    response = "ReadCRLConfigResponse",
305    builder = "true"
306)]
307#[builder(setter(into, strip_option), default)]
308pub struct ReadCRLConfigRequest {
309    #[endpoint(skip)]
310    pub mount: String,
311}
312
313/// ## Set CRL Configuration
314/// This endpoint allows setting the duration for which the generated CRL should
315/// be marked valid. If the CRL is disabled, it will return a signed but
316/// zero-length CRL for any request. If enabled, it will re-build the CRL.
317///
318/// * Path: {self.mount}/config/crl
319/// * Method: POST
320/// * Response: N/A
321/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#set-crl-configuration>
322#[derive(Builder, Debug, Default, Endpoint)]
323#[endpoint(path = "{self.mount}/config/crl", method = "POST", builder = "true")]
324#[builder(setter(into, strip_option), default)]
325pub struct SetCRLConfigRequest {
326    #[endpoint(skip)]
327    pub mount: String,
328    pub expiry: Option<String>,
329    pub disable: Option<bool>,
330}
331
332/// ## Rotate CRLs
333/// This endpoint forces a rotation of the CRL. This can be used by
334/// administrators to cut the size of the CRL if it contains a number of
335/// certificates that have now expired, but has not been rotated due to no
336/// further certificates being revoked.
337///
338/// * Path: {self.mount}/crl/rotate
339/// * Method: GET
340/// * Response: [RotateCRLsResponse]
341/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#rotate-crls>
342#[derive(Builder, Debug, Default, Endpoint)]
343#[endpoint(
344    path = "{self.mount}/crl/rotate",
345    response = "RotateCRLsResponse",
346    builder = "true"
347)]
348#[builder(setter(into, strip_option), default)]
349pub struct RotateCRLsRequest {
350    #[endpoint(skip)]
351    pub mount: String,
352}
353
354/// ## Read URLs
355/// This endpoint fetches the URLs to be encoded in generated certificates.
356///
357/// * Path: {self.mount}/config/urls
358/// * Method: GET
359/// * Response: [ReadURLsResponse]
360/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#read-urls>
361#[derive(Builder, Debug, Default, Endpoint)]
362#[endpoint(
363    path = "{self.mount}/config/urls",
364    response = "ReadURLsResponse",
365    builder = "true"
366)]
367#[builder(setter(into, strip_option), default)]
368pub struct ReadURLsRequest {
369    #[endpoint(skip)]
370    pub mount: String,
371}
372
373/// ## Set URLs
374/// This endpoint allows setting the issuing certificate endpoints, CRL
375/// distribution points, and OCSP server endpoints that will be encoded into
376/// issued certificates.
377///
378/// * Path: {self.mount}/config/urls
379/// * Method: POST
380/// * Response: N/A
381/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#set-urls>
382#[derive(Builder, Debug, Default, Endpoint)]
383#[endpoint(path = "{self.mount}/config/urls", method = "POST", builder = "true")]
384#[builder(setter(into, strip_option), default)]
385pub struct SetURLsRequest {
386    #[endpoint(skip)]
387    pub mount: String,
388    pub issuing_certificates: Option<Vec<String>>,
389    pub crl_distribution_points: Option<Vec<String>>,
390    pub ocsp_servers: Option<Vec<String>>,
391}
392
393/// ## Generate Intermediate
394/// This endpoint generates a new private key and a CSR for signing. If using
395/// Vault as a root, and for many other CAs, the various parameters on the final
396/// certificate are set at signing time and may or may not honor the parameters
397/// set here.
398///
399/// * Path: {self.mount}/intermediate/generate/{self.cert_type}
400/// * Method: POST
401/// * Response: [GenerateIntermediateResponse]
402/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#generate-intermediate>
403#[derive(Builder, Debug, Default, Endpoint)]
404#[endpoint(
405    path = "{self.mount}/intermediate/generate/{self.cert_type}",
406    method = "POST",
407    response = "GenerateIntermediateResponse",
408    builder = "true"
409)]
410#[builder(setter(into, strip_option), default)]
411pub struct GenerateIntermediateRequest {
412    #[endpoint(skip)]
413    pub mount: String,
414    #[endpoint(skip)]
415    pub cert_type: String,
416    pub alt_names: Option<String>,
417    pub common_name: Option<String>,
418    pub country: Option<Vec<String>>,
419    pub exclude_cn_from_sans: Option<bool>,
420    pub format: Option<String>,
421    pub locality: Option<Vec<String>>,
422    pub key_type: Option<String>,
423    pub key_name: Option<String>,
424    pub key_ref: Option<String>,
425    pub key_bits: Option<u64>,
426    pub signature_bits: Option<u64>,
427    pub key_format: Option<String>,
428    pub ip_sans: Option<String>,
429    pub organization: Option<Vec<String>>,
430    pub other_sans: Option<Vec<String>>,
431    pub ou: Option<Vec<String>>,
432    pub postal_code: Option<Vec<String>>,
433    pub private_key_format: Option<String>,
434    pub province: Option<Vec<String>>,
435    pub serial_number: Option<String>,
436    pub street_address: Option<Vec<String>>,
437    pub uri_sans: Option<String>,
438    pub add_basic_constrains: Option<bool>,
439}
440
441/// ## Set Signed Intermediate
442/// This endpoint allows submitting the signed CA certificate corresponding to a
443/// private key generated via /pki/intermediate/generate. The certificate should
444/// be submitted in PEM format.
445///
446/// * Path: {{self.mount}/intermediate/set-signed
447/// * Method: POST
448/// * Response: N/A
449/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#set-signed-intermediate>
450#[derive(Builder, Debug, Default, Endpoint)]
451#[endpoint(
452    path = "{self.mount}/intermediate/set-signed",
453    method = "POST",
454    builder = "true"
455)]
456#[builder(setter(into, strip_option), default)]
457pub struct SetSignedIntermediateRequest {
458    #[endpoint(skip)]
459    pub mount: String,
460    pub certificate: String,
461}
462
463/// ## List Roles
464/// This endpoint returns a list of available roles. Only the role names are
465/// returned, not any values.
466///
467/// * Path: {self.mount}/roles
468/// * Method: LIST
469/// * Response: [ListRolesResponse]
470/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#list-roles>
471#[derive(Builder, Debug, Default, Endpoint)]
472#[endpoint(
473    path = "{self.mount}/roles",
474    method = "LIST",
475    response = "ListRolesResponse",
476    builder = "true"
477)]
478#[builder(setter(into, strip_option), default)]
479pub struct ListRolesRequest {
480    #[endpoint(skip)]
481    pub mount: String,
482}
483
484/// ## Read Role
485/// This endpoint queries the role definition.
486///
487/// * Path: {self.mount}/roles/{self.name}
488/// * Method: GET
489/// * Response: [ReadRoleResponse]
490/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#read-role>
491#[derive(Builder, Debug, Default, Endpoint)]
492#[endpoint(
493    path = "{self.mount}/roles/{self.name}",
494    response = "ReadRoleResponse",
495    builder = "true"
496)]
497#[builder(setter(into, strip_option), default)]
498pub struct ReadRoleRequest {
499    #[endpoint(skip)]
500    pub mount: String,
501    #[endpoint(skip)]
502    pub name: String,
503}
504
505/// ## Create/Update Role
506/// This endpoint creates or updates the role definition.
507///
508/// * Path: {self.mount}/roles/{self.name}
509/// * Method: POST
510/// * Response: N/A
511/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#create-update-role>
512#[derive(Builder, Debug, Default, Endpoint)]
513#[endpoint(
514    path = "{self.mount}/roles/{self.name}",
515    method = "POST",
516    builder = "true"
517)]
518#[builder(setter(into, strip_option), default)]
519pub struct SetRoleRequest {
520    #[endpoint(skip)]
521    pub mount: String,
522    #[endpoint(skip)]
523    pub name: String,
524    pub allow_any_name: Option<bool>,
525    pub allow_bare_domains: Option<bool>,
526    pub allow_glob_domains: Option<bool>,
527    pub allow_ip_sans: Option<bool>,
528    pub allow_localhost: Option<bool>,
529    pub allow_subdomains: Option<bool>,
530    pub allow_token_displayname: Option<bool>,
531    pub allowed_domains: Option<Vec<String>>,
532    pub allowed_domains_template: Option<bool>,
533    pub allowed_other_sans: Option<Vec<String>>,
534    pub allowed_serial_numbers: Option<Vec<String>>,
535    pub allowed_uri_sans: Option<Vec<String>>,
536    pub basic_constraints_valid_for_non_ca: Option<bool>,
537    pub client_flag: Option<bool>,
538    pub code_signing_flag: Option<bool>,
539    pub country: Option<Vec<String>>,
540    pub email_protection_flag: Option<bool>,
541    pub enforce_hostnames: Option<bool>,
542    pub ext_key_usage: Option<Vec<String>>,
543    pub ext_key_usage_oids: Option<Vec<String>>,
544    pub generate_lease: Option<bool>,
545    pub key_bits: Option<u64>,
546    pub key_type: Option<String>,
547    pub key_usage: Option<Vec<String>>,
548    pub locality: Option<Vec<String>>,
549    pub max_ttl: Option<u64>,
550    pub no_store: Option<bool>,
551    pub not_before_duration: Option<u64>,
552    pub organization: Option<Vec<String>>,
553    pub ou: Option<Vec<String>>,
554    pub policy_identifiers: Option<Vec<String>>,
555    pub postal_code: Option<Vec<String>>,
556    pub province: Option<Vec<String>>,
557    pub require_cn: Option<bool>,
558    pub server_flag: Option<bool>,
559    pub street_address: Option<Vec<String>>,
560    pub ttl: Option<u64>,
561    pub use_csr_common_name: Option<bool>,
562    pub use_csr_sans: Option<bool>,
563}
564
565/// ## Delete Role
566/// This endpoint deletes the role definition. Deleting a role does not revoke
567/// certificates previously issued under this role.
568///
569/// * Path: {self.mount}/roles/{self.name}
570/// * Method: DELETE
571/// * Response: N/A
572/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#delete-role>
573#[derive(Builder, Debug, Default, Endpoint)]
574#[endpoint(
575    path = "{self.mount}/roles/{self.name}",
576    method = "DELETE",
577    builder = "true"
578)]
579#[builder(setter(into, strip_option), default)]
580pub struct DeleteRoleRequest {
581    #[endpoint(skip)]
582    pub mount: String,
583    #[endpoint(skip)]
584    pub name: String,
585}
586
587/// ## Tidy
588/// This endpoint allows tidying up the storage backend and/or CRL by removing
589/// certificates that have expired and are past a certain buffer period beyond
590/// their expiration time.
591///
592/// * Path: {self.mount}/tidy
593/// * Method: POST
594/// * Response: N/A
595/// * Reference: <https://developer.hashicorp.com/vault/api-docssecret/pki#tidy>
596#[derive(Builder, Debug, Default, Endpoint)]
597#[endpoint(
598    path = "{self.mount}/tidy",
599    method = "POST",
600    response = "()",
601    builder = "true"
602)]
603#[builder(setter(into, strip_option), default)]
604pub struct TidyRequest {
605    #[endpoint(skip)]
606    pub mount: String,
607    pub tidy_cert_store: Option<bool>,
608    pub tidy_revoked_certs: Option<bool>,
609    pub safety_buffer: Option<String>,
610}