From 627aa80d5a46077881153b7515099c16a317f599 Mon Sep 17 00:00:00 2001
From: Kyle Havlovitz
Date: Fri, 4 May 2018 16:01:38 -0700
Subject: [PATCH] Use provider state table for a global serial index

---
 agent/connect/ca/ca_provider_consul.go | 19 +++++++-------
 agent/consul/fsm/commands_oss_test.go  |  7 +++---
 agent/consul/state/connect_ca_test.go  | 35 +++++++++++---------------
 agent/structs/connect_ca.go            |  7 +++---
 4 files changed, 30 insertions(+), 38 deletions(-)

diff --git a/agent/connect/ca/ca_provider_consul.go b/agent/connect/ca/ca_provider_consul.go
index 2b119c0a37..922472eb76 100644
--- a/agent/connect/ca/ca_provider_consul.go
+++ b/agent/connect/ca/ca_provider_consul.go
@@ -179,7 +179,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 
 	// Get the provider state
 	state := c.delegate.State()
-	_, providerState, err := state.CAProviderState(c.id)
+	idx, providerState, err := state.CAProviderState(c.id)
 	if err != nil {
 		return "", err
 	}
@@ -215,7 +215,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 
 	// Cert template for generation
 	sn := &big.Int{}
-	sn.SetUint64(providerState.SerialIndex + 1)
+	sn.SetUint64(idx + 1)
 	template := x509.Certificate{
 		SerialNumber: sn,
 		Subject:      pkix.Name{CommonName: serviceId.Service},
@@ -252,7 +252,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 		return "", fmt.Errorf("error encoding private key: %s", err)
 	}
 
-	err = c.incrementSerialIndex(providerState)
+	err = c.incrementProviderIndex(providerState)
 	if err != nil {
 		return "", err
 	}
@@ -268,7 +268,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 
 	// Get the provider state
 	state := c.delegate.State()
-	_, providerState, err := state.CAProviderState(c.id)
+	idx, providerState, err := state.CAProviderState(c.id)
 	if err != nil {
 		return "", err
 	}
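Review bot: The certificate serial is now taken from the table index read at the top of Sign (`idx` in the `@@ -179` hunk, consumed as `sn.SetUint64(idx + 1)` in the `@@ -215` hunk), but the write that advances that index only lands in `incrementProviderIndex` after the certificate has already been signed, so two Sign calls that both read the same `idx` before either write is applied would issue two certificates carrying the same serial; CrossSignCA follows the identical read-then-write sequence in the `@@ -268` hunk here and the `@@ -290`/`@@ -309` hunks that follow, and can race Sign the same way. Serial numbers must be unique per issuer under RFC 5280, and a duplicate makes revocation or lookup by serial ambiguous. Whether the caller already serializes these methods is not visible in the hunks; if it does not, holding a lock on the provider from the `state.CAProviderState(c.id)` read through the `incrementProviderIndex` apply, or applying the index write before signing so the serial is reserved first, would close the window. At minimum a comment on the changed line, `// idx is the state-store index used as the next serial; the read and the index write in incrementProviderIndex must not interleave with another Sign/CrossSignCA`, would record the assumption. The bodies of Sign and CrossSignCA extend outside these hunks.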
@@ -290,7 +290,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 
 	// Create the cross-signing template from the existing root CA
 	serialNum := &big.Int{}
-	serialNum.SetUint64(providerState.SerialIndex + 1)
+	serialNum.SetUint64(idx + 1)
 	template := *cert
 	template.SerialNumber = serialNum
 	template.SignatureAlgorithm = rootCA.SignatureAlgorithm
@@ -309,7 +309,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 		return "", fmt.Errorf("error encoding private key: %s", err)
 	}
 
-	err = c.incrementSerialIndex(providerState)
+	err = c.incrementProviderIndex(providerState)
 	if err != nil {
 		return "", err
 	}
@@ -317,11 +317,10 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 	return buf.String(), nil
 }
 
-// incrementSerialIndex increments the cert serial number index in the provider
-// state.
-func (c *ConsulCAProvider) incrementSerialIndex(providerState *structs.CAConsulProviderState) error {
+// incrementProviderIndex does a write to increment the provider state store table index
+// used for serial numbers when generating certificates.
+func (c *ConsulCAProvider) incrementProviderIndex(providerState *structs.CAConsulProviderState) error {
 	newState := *providerState
-	newState.SerialIndex++
 	args := &structs.CARequest{
 		Op:            structs.CAOpSetProviderState,
 		ProviderState: &newState,
diff --git a/agent/consul/fsm/commands_oss_test.go b/agent/consul/fsm/commands_oss_test.go
index 280bf5b382..85b20b4428 100644
--- a/agent/consul/fsm/commands_oss_test.go
+++ b/agent/consul/fsm/commands_oss_test.go
@@ -1328,10 +1328,9 @@ func TestFSM_CABuiltinProvider(t *testing.T) {
 
 	// Provider state.
 	expected := &structs.CAConsulProviderState{
-		ID:          "foo",
-		PrivateKey:  "a",
-		RootCert:    "b",
-		SerialIndex: 2,
+		ID:         "foo",
+		PrivateKey: "a",
+		RootCert:   "b",
 		RaftIndex: structs.RaftIndex{
 			CreateIndex: 1,
 			ModifyIndex: 1,
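Review bot: In the `@@ -317` hunk, `incrementProviderIndex` now applies a `CAOpSetProviderState` whose `newState` carries no field changes at all (the removed `newState.SerialIndex++` was the only mutation), so the whole serial sequence rests on an unchanged write still advancing the index that `CAProviderState` returns. That holds only if the state-store write and the FSM apply are unconditional, which is not visible here; if either ever short-circuits an equal write, `idx` stops moving and every later certificate from Sign or CrossSignCA receives the same `idx + 1` serial. The new doc comment should state that contract, e.g. `// The write deliberately changes no fields: it exists only to advance the provider state table index, which Sign and CrossSignCA use as the next certificate serial, so it must never be skipped as a no-op.`, and a test asserting that two consecutive Sign calls return certificates with distinct serials would pin it. The function body continues past the hunk.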
diff --git a/agent/consul/state/connect_ca_test.go b/agent/consul/state/connect_ca_test.go
index 4639c7f5ae..de914ee169 100644
--- a/agent/consul/state/connect_ca_test.go
+++ b/agent/consul/state/connect_ca_test.go
@@ -356,10 +356,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
 
 	{
 		expected := &structs.CAConsulProviderState{
-			ID:          "foo",
-			PrivateKey:  "a",
-			RootCert:    "b",
-			SerialIndex: 1,
+			ID:         "foo",
+			PrivateKey: "a",
+			RootCert:   "b",
 		}
 
 		ok, err := s.CASetProviderState(0, expected)
@@ -374,10 +373,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
 
 	{
 		expected := &structs.CAConsulProviderState{
-			ID:          "bar",
-			PrivateKey:  "c",
-			RootCert:    "d",
-			SerialIndex: 2,
+			ID:         "bar",
+			PrivateKey: "c",
+			RootCert:   "d",
 		}
 
 		ok, err := s.CASetProviderState(1, expected)
@@ -398,16 +396,14 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
 	// Create multiple state entries.
 	before := []*structs.CAConsulProviderState{
 		{
-			ID:          "bar",
-			PrivateKey:  "y",
-			RootCert:    "z",
-			SerialIndex: 2,
+			ID:         "bar",
+			PrivateKey: "y",
+			RootCert:   "z",
 		},
 		{
-			ID:          "foo",
-			PrivateKey:  "a",
-			RootCert:    "b",
-			SerialIndex: 1,
+			ID:         "foo",
+			PrivateKey: "a",
+			RootCert:   "b",
 		},
 	}
 
@@ -423,10 +419,9 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
 
 	// Modify the state store.
 	after := &structs.CAConsulProviderState{
-		ID:          "foo",
-		PrivateKey:  "c",
-		RootCert:    "d",
-		SerialIndex: 1,
+		ID:         "foo",
+		PrivateKey: "c",
+		RootCert:   "d",
 	}
 	ok, err := s.CASetProviderState(100, after)
 	assert.NoError(err)
diff --git a/agent/structs/connect_ca.go b/agent/structs/connect_ca.go
index 0570057b61..ca60a677fb 100644
--- a/agent/structs/connect_ca.go
+++ b/agent/structs/connect_ca.go
@@ -168,10 +168,9 @@ type ConsulCAProviderConfig struct {
 
 // CAConsulProviderState is used to track the built-in Consul CA provider's state.
 type CAConsulProviderState struct {
-	ID          string
-	PrivateKey  string
-	RootCert    string
-	SerialIndex uint64
+	ID         string
+	PrivateKey string
+	RootCert   string
 
 	RaftIndex
 }