consul/agent/connect_ca_endpoint.go

package agent

import (
	"fmt"
	"net/http"

	"github.com/hashicorp/consul/agent/structs"
)

// GET /v1/connect/ca/roots
func (s *HTTPServer) ConnectCARoots(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
	var args structs.DCSpecificRequest
	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
		return nil, nil
	}

	var reply structs.IndexedCARoots
	defer setMeta(resp, &reply.QueryMeta)
	if err := s.agent.RPC("ConnectCA.Roots", &args, &reply); err != nil {
		return nil, err
	}

	return reply, nil
}

// /v1/connect/ca/configuration
func (s *HTTPServer) ConnectCAConfiguration(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
	switch req.Method {
	case "GET":
		return s.ConnectCAConfigurationGet(resp, req)

	case "PUT":
		return s.ConnectCAConfigurationSet(resp, req)

	default:
		return nil, MethodNotAllowedError{req.Method, []string{"GET", "POST"}}
	}
}

// GEt /v1/connect/ca/configuration
func (s *HTTPServer) ConnectCAConfigurationGet(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
	// Method is tested in ConnectCAConfiguration
	var args structs.DCSpecificRequest
	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
		return nil, nil
	}

	var reply structs.CAConfiguration
	err := s.agent.RPC("ConnectCA.ConfigurationGet", &args, &reply)
	if err != nil {
		return nil, err
	}

	fixupConfig(&reply)
	return reply, nil
}

// PUT /v1/connect/ca/configuration
func (s *HTTPServer) ConnectCAConfigurationSet(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
	// Method is tested in ConnectCAConfiguration

	var args structs.CARequest
	s.parseDC(req, &args.Datacenter)
	s.parseToken(req, &args.Token)
	if err := decodeBody(req, &args.Config, nil); err != nil {
		resp.WriteHeader(http.StatusBadRequest)
		fmt.Fprintf(resp, "Request decode failed: %v", err)
		return nil, nil
	}

	var reply interface{}
	err := s.agent.RPC("ConnectCA.ConfigurationSet", &args, &reply)
	return nil, err
}

// A hack to fix up the config types inside of the map[string]interface{}
// so that they get formatted correctly during json.Marshal. Without this,
// string values that get converted to []uint8 end up getting output back
// to the user in base64-encoded form.
func fixupConfig(conf *structs.CAConfiguration) {
	for k, v := range conf.Config {
		if raw, ok := v.([]uint8); ok {
			strVal := structs.Uint8ToString(raw)
			conf.Config[k] = strVal
			switch conf.Provider {
			case structs.ConsulCAProvider:
				if k == "PrivateKey" && strVal != "" {
					conf.Config["PrivateKey"] = "hidden"
				}
			case structs.VaultCAProvider:
				if k == "Token" && strVal != "" {
					conf.Config["Token"] = "hidden"
				}
			}
		}
	}
}
agent: /v1/connect/ca/roots 7 years ago			`package agent`

			`import (`
agent: /v1/connect/ca/configuration PUT for setting configuration 7 years ago			`"fmt"`
agent: /v1/connect/ca/roots 7 years ago			`"net/http"`

			`"github.com/hashicorp/consul/agent/structs"`
			`)`

			`// GET /v1/connect/ca/roots`
			`func (s HTTPServer) ConnectCARoots(resp http.ResponseWriter, req http.Request) (interface{}, error) {`
			`var args structs.DCSpecificRequest`
			`if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {`
			`return nil, nil`
			`}`

			`var reply structs.IndexedCARoots`
			`defer setMeta(resp, &reply.QueryMeta)`
			`if err := s.agent.RPC("ConnectCA.Roots", &args, &reply); err != nil {`
			`return nil, err`
			`}`

agent/structs: json omit QueryMeta 7 years ago			`return reply, nil`
agent: /v1/connect/ca/roots 7 years ago			`}`
agent: /v1/connect/ca/configuration PUT for setting configuration 7 years ago
			`// /v1/connect/ca/configuration`
			`func (s HTTPServer) ConnectCAConfiguration(resp http.ResponseWriter, req http.Request) (interface{}, error) {`
			`switch req.Method {`
Update the CA config endpoint to enable GETs 7 years ago			`case "GET":`
			`return s.ConnectCAConfigurationGet(resp, req)`

agent: /v1/connect/ca/configuration PUT for setting configuration 7 years ago			`case "PUT":`
			`return s.ConnectCAConfigurationSet(resp, req)`

			`default:`
			`return nil, MethodNotAllowedError{req.Method, []string{"GET", "POST"}}`
			`}`
			`}`

Update the CA config endpoint to enable GETs 7 years ago			`// GEt /v1/connect/ca/configuration`
			`func (s HTTPServer) ConnectCAConfigurationGet(resp http.ResponseWriter, req http.Request) (interface{}, error) {`
			`// Method is tested in ConnectCAConfiguration`
			`var args structs.DCSpecificRequest`
			`if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {`
			`return nil, nil`
			`}`

			`var reply structs.CAConfiguration`
			`err := s.agent.RPC("ConnectCA.ConfigurationGet", &args, &reply)`
Re-use uint8ToString 7 years ago			`if err != nil {`
			`return nil, err`
			`}`

Support giving the duration as a string in CA config 7 years ago			`fixupConfig(&reply)`
Re-use uint8ToString 7 years ago			`return reply, nil`
Update the CA config endpoint to enable GETs 7 years ago			`}`

agent: /v1/connect/ca/configuration PUT for setting configuration 7 years ago			`// PUT /v1/connect/ca/configuration`
			`func (s HTTPServer) ConnectCAConfigurationSet(resp http.ResponseWriter, req http.Request) (interface{}, error) {`
			`// Method is tested in ConnectCAConfiguration`

Update the CA config endpoint to enable GETs 7 years ago			`var args structs.CARequest`
			`s.parseDC(req, &args.Datacenter)`
			`s.parseToken(req, &args.Token)`
			`if err := decodeBody(req, &args.Config, nil); err != nil {`
agent: /v1/connect/ca/configuration PUT for setting configuration 7 years ago			`resp.WriteHeader(http.StatusBadRequest)`
			`fmt.Fprintf(resp, "Request decode failed: %v", err)`
			`return nil, nil`
			`}`

			`var reply interface{}`
			`err := s.agent.RPC("ConnectCA.ConfigurationSet", &args, &reply)`
			`return nil, err`
			`}`
Support giving the duration as a string in CA config 7 years ago
			`// A hack to fix up the config types inside of the map[string]interface{}`
			`// so that they get formatted correctly during json.Marshal. Without this,`
agent: format all CA config fields 7 years ago			`// string values that get converted to []uint8 end up getting output back`
Support giving the duration as a string in CA config 7 years ago			`// to the user in base64-encoded form.`
			`func fixupConfig(conf *structs.CAConfiguration) {`
connect/ca: add the Vault CA provider 7 years ago			`for k, v := range conf.Config {`
			`if raw, ok := v.([]uint8); ok {`
Fix CA pruning when CA config uses string durations. (#4669) * Fix CA pruning when CA config uses string durations. The tl;dr here is: - Configuring LeafCertTTL with a string like "72h" is how we do it by default and should be supported - Most of our tests managed to escape this by defining them as time.Duration directly - Out actual default value is a string - Since this is stored in a map[string]interface{} config, when it is written to Raft it goes through a msgpack encode/decode cycle (even though it's written from server not over RPC). - msgpack decode leaves the string as a `[]uint8` - Some of our parsers required string and failed - So after 1 hour, a default configured server would throw an error about pruning old CAs - If a new CA was configured that set LeafCertTTL as a time.Duration, things might be OK after that, but if a new CA was just configured from config file, intialization would cause same issue but always fail still so would never prune the old CA. - Mostly this is just a janky error that got passed tests due to many levels of complicated encoding/decoding. tl;dr of the tl;dr: Yay for type safety. Map[string]interface{} combined with msgpack always goes wrong but we somehow get bitten every time in a new way :D We already fixed this once! The main CA config had the same problem so @kyhavlov already wrote the mapstructure DecodeHook that fixes it. It wasn't used in several places it needed to be and one of those is notw in `structs` which caused a dependency cycle so I've moved them. This adds a whole new test thta explicitly tests the case that broke here. It also adds tests that would have failed in other places before (Consul and Vaul provider parsing functions). I'm not sure if they would ever be affected as it is now as we've not seen things broken with them but it seems better to explicitly test that and support it to not be bitten a third time! * Typo fix * Fix bad Uint8 usage 6 years ago			`strVal := structs.Uint8ToString(raw)`
connect/ca: leave blank root key/cert out of the default config (unnecessary) 7 years ago			`conf.Config[k] = strVal`
connect/ca: update Consul provider to use new cross-sign CSR method 7 years ago			`switch conf.Provider {`
			`case structs.ConsulCAProvider:`
connect/ca: leave blank root key/cert out of the default config (unnecessary) 7 years ago			`if k == "PrivateKey" && strVal != "" {`
connect/ca: update Consul provider to use new cross-sign CSR method 7 years ago			`conf.Config["PrivateKey"] = "hidden"`
			`}`
			`case structs.VaultCAProvider:`
connect/ca: leave blank root key/cert out of the default config (unnecessary) 7 years ago			`if k == "Token" && strVal != "" {`
connect/ca: update Consul provider to use new cross-sign CSR method 7 years ago			`conf.Config["Token"] = "hidden"`
			`}`
connect/ca: fix vault provider URI SANs and test 7 years ago			`}`
agent: format all CA config fields 7 years ago			`}`
Support giving the duration as a string in CA config 7 years ago			`}`
			`}`