Generate CSR using real trust-domain

2018-05-09 17:15:29 +01:00 · 2018-05-09 17:15:29 +01:00 · b4803eca59
parent 622a475eb1
commit b4803eca59
10 changed files with 136 additions and 31 deletions
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@ -2106,13 +2106,14 @@ func TestAgentConnectCARoots_empty(t *testing.T) {
 	t.Parallel()
 	assert := assert.New(t)
 	require := require.New(t)
 	a := NewTestAgent(t.Name(), "connect { enabled = false }")
 	defer a.Shutdown()
 	req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/roots", nil)
 	resp := httptest.NewRecorder()
 	obj, err := a.srv.AgentConnectCARoots(resp, req)
-	assert.Nil(err)
+	require.NoError(err)
 	value := obj.(structs.IndexedCARoots)
 	assert.Equal(value.ActiveRootID, "")
@ -2122,6 +2123,7 @@ func TestAgentConnectCARoots_empty(t *testing.T) {
 func TestAgentConnectCARoots_list(t *testing.T) {
 	t.Parallel()
 	assert := assert.New(t)
 	require := require.New(t)
 	a := NewTestAgent(t.Name(), "")
 	defer a.Shutdown()
@ -2137,30 +2139,34 @@ func TestAgentConnectCARoots_list(t *testing.T) {
 	req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/roots", nil)
 	resp := httptest.NewRecorder()
 	obj, err := a.srv.AgentConnectCARoots(resp, req)
-	require.Nil(err)
+	require.NoError(err)
 	value := obj.(structs.IndexedCARoots)
-	require.Equal(value.ActiveRootID, ca2.ID)
+	assert.Equal(value.ActiveRootID, ca2.ID)
-	require.Len(value.Roots, 2)
+	// Would like to assert that it's the same as the TestAgent domain but the
 	// only way to access that state via this package is by RPC to the server
 	// implementation running in TestAgent which is more or less a tautology.
 	assert.NotEmpty(value.TrustDomain)
 	assert.Len(value.Roots, 2)
 	// We should never have the secret information
 	for _, r := range value.Roots {
-		require.Equal("", r.SigningCert)
+		assert.Equal("", r.SigningCert)
-		require.Equal("", r.SigningKey)
+		assert.Equal("", r.SigningKey)
 	}
 	// That should've been a cache miss, so no hit change
-	require.Equal(cacheHits, a.cache.Hits())
+	assert.Equal(cacheHits, a.cache.Hits())
 	// Test caching
 	{
 		// List it again
 		obj2, err := a.srv.AgentConnectCARoots(httptest.NewRecorder(), req)
-		require.Nil(err)
+		require.NoError(err)
-		require.Equal(obj, obj2)
+		assert.Equal(obj, obj2)
 		// Should cache hit this time and not make request
-		require.Equal(cacheHits+1, a.cache.Hits())
+		assert.Equal(cacheHits+1, a.cache.Hits())
 		cacheHits++
 	}
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@ -1,6 +1,7 @@
 package cachetype
 import (
 	"errors"
 	"fmt"
 	"sync"
 	"sync/atomic"
@ -9,9 +10,7 @@ import (
 	"github.com/hashicorp/consul/agent/cache"
 	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/structs"
 	// NOTE(mitcehllh): This is temporary while certs are stubbed out.
 	"github.com/mitchellh/go-testing-interface"
 )
 // Recommended name for registration.
@ -97,16 +96,41 @@ func (c *ConnectCALeaf) Fetch(opts cache.FetchOptions, req cache.Request) (cache
 		// by the above channel).
 	}
-	// Create a CSR.
+	// Need to lookup RootCAs response to discover trust domain. First just lookup
-	// TODO(mitchellh): This is obviously not production ready! The host
+	// with no blocking info - this should be a cache hit most of the time.
-	// needs a correct host ID, and we probably don't want to use TestCSR
+	rawRoots, err := c.Cache.Get(ConnectCARootName, &structs.DCSpecificRequest{
 	// and want a non-test-specific way to create a CSR.
 	csr, pk := connect.TestCSR(&testing.RuntimeT{}, &connect.SpiffeIDService{
 		Host:       "11111111-2222-3333-4444-555555555555.consul",
 		Namespace:  "default",
 		Datacenter: reqReal.Datacenter,
 		Service:    reqReal.Service,
 	})
 	if err != nil {
 		return result, err
 	}
 	roots, ok := rawRoots.(*structs.IndexedCARoots)
 	if !ok {
 		return result, errors.New("invalid RootCA response type")
 	}
 	if roots.TrustDomain == "" {
 		return result, errors.New("cluster has no CA bootstrapped")
 	}
 	// Build the service ID
 	serviceID := &connect.SpiffeIDService{
 		Host:       roots.TrustDomain,
 		Datacenter: reqReal.Datacenter,
 		Namespace:  "default",
 		Service:    reqReal.Service,
 	}
 	// Create a new private key
 	pk, pkPEM, err := connect.GeneratePrivateKey()
 	if err != nil {
 		return result, err
 	}
 	// Create a CSR.
 	csr, err := connect.CreateCSR(serviceID, pk)
 	if err != nil {
 		return result, err
 	}
 	// Request signing
 	var reply structs.IssuedCert
@ -117,7 +141,7 @@ func (c *ConnectCALeaf) Fetch(opts cache.FetchOptions, req cache.Request) (cache
 	if err := c.RPC.RPC("ConnectCA.Sign", &args, &reply); err != nil {
 		return result, err
 	}
-	reply.PrivateKeyPEM = pk
+	reply.PrivateKeyPEM = pkPEM
 	// Lock the issued certs map so we can insert it. We only insert if
 	// we didn't happen to get a newer one. This should never happen since
--- a/agent/cache-types/connect_ca_leaf_test.go
+++ b/agent/cache-types/connect_ca_leaf_test.go
@ -25,10 +25,11 @@ func TestConnectCALeaf_changingRoots(t *testing.T) {
 	defer close(rootsCh)
 	rootsCh <- structs.IndexedCARoots{
 		ActiveRootID: "1",
 		TrustDomain:  "fake-trust-domain.consul",
 		QueryMeta:    structs.QueryMeta{Index: 1},
 	}
-	// Instrument ConnectCA.Sign to
+	// Instrument ConnectCA.Sign to return signed cert
 	var resp *structs.IssuedCert
 	var idx uint64
 	rpc.On("RPC", "ConnectCA.Sign", mock.Anything, mock.Anything).Return(nil).
@ -67,6 +68,7 @@ func TestConnectCALeaf_changingRoots(t *testing.T) {
 	// Let's send in new roots, which should trigger the sign req
 	rootsCh <- structs.IndexedCARoots{
 		ActiveRootID: "2",
 		TrustDomain:  "fake-trust-domain.consul",
 		QueryMeta:    structs.QueryMeta{Index: 2},
 	}
 	select {
@ -101,6 +103,7 @@ func TestConnectCALeaf_expiringLeaf(t *testing.T) {
 	defer close(rootsCh)
 	rootsCh <- structs.IndexedCARoots{
 		ActiveRootID: "1",
 		TrustDomain:  "fake-trust-domain.consul",
 		QueryMeta:    structs.QueryMeta{Index: 1},
 	}
--- a/agent/connect/ca/provider_consul.go
+++ b/agent/connect/ca/provider_consul.go
@ -79,7 +79,7 @@ func NewConsulProvider(rawConfig map[string]interface{}, delegate ConsulProvider
 	// Generate a private key if needed
 	if conf.PrivateKey == "" {
-		pk, err := connect.GeneratePrivateKey()
+		_, pk, err := connect.GeneratePrivateKey()
 		if err != nil {
 			return nil, err
 		}
@ -247,7 +247,7 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 	}
 	err = pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: bs})
 	if err != nil {
-		return "", fmt.Errorf("error encoding private key: %s", err)
+		return "", fmt.Errorf("error encoding certificate: %s", err)
 	}
 	err = c.incrementProviderIndex(providerState)
--- a/agent/connect/csr.go
+++ b/agent/connect/csr.go
@ -0,0 +1,59 @@
 package connect
 import (
 	"bytes"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"net/url"
 )
 // CreateCSR returns a CSR to sign the given service along with the PEM-encoded
 // private key for this certificate.
 func CreateCSR(uri CertURI, privateKey crypto.Signer) (string, error) {
 	template := &x509.CertificateRequest{
 		URIs:               []*url.URL{uri.URI()},
 		SignatureAlgorithm: x509.ECDSAWithSHA256,
 	}
 	// Create the CSR itself
 	var csrBuf bytes.Buffer
 	bs, err := x509.CreateCertificateRequest(rand.Reader, template, privateKey)
 	if err != nil {
 		return "", err
 	}
 	err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})
 	if err != nil {
 		return "", err
 	}
 	return csrBuf.String(), nil
 }
 // GeneratePrivateKey generates a new Private key
 func GeneratePrivateKey() (crypto.Signer, string, error) {
 	var pk *ecdsa.PrivateKey
 	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, "", fmt.Errorf("error generating private key: %s", err)
 	}
 	bs, err := x509.MarshalECPrivateKey(pk)
 	if err != nil {
 		return nil, "", fmt.Errorf("error generating private key: %s", err)
 	}
 	var buf bytes.Buffer
 	err = pem.Encode(&buf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: bs})
 	if err != nil {
 		return nil, "", fmt.Errorf("error encoding private key: %s", err)
 	}
 	return pk, buf.String(), nil
 }
--- a/agent/connect/testing_ca.go
+++ b/agent/connect/testing_ca.go
@ -161,7 +161,10 @@ func TestLeaf(t testing.T, service string, root *structs.CARoot) (string, string
 	}
 	// Generate fresh private key
-	pkSigner, pkPEM := testPrivateKey(t)
+	pkSigner, pkPEM, err := GeneratePrivateKey()
 	if err != nil {
 		t.Fatalf("failed to generate private key: %s", err)
 	}
 	// Cert template for generation
 	template := x509.Certificate{
--- a/agent/connect/uri_signing.go
+++ b/agent/connect/uri_signing.go
@ -62,7 +62,8 @@ func (id *SpiffeIDSigning) CanSign(cu CertURI) bool {
 }
 // SpiffeIDSigningForCluster returns the SPIFFE signing identifier (trust
-// domain) representation of the given CA config.
+// domain) representation of the given CA config. If config is nil this function
 // will panic.
 //
 // NOTE(banks): we intentionally fix the tld `.consul` for now rather than tie
 // this to the `domain` config used for DNS because changing DNS domain can't
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@ -224,10 +224,18 @@ func (s *ConnectCA) Roots(
 		if err != nil {
 			return err
 		}
 		// Check CA is actually bootstrapped...
 		if config != nil {
 			// Build TrustDomain based on the ClusterID stored.
 			signingID := connect.SpiffeIDSigningForCluster(config)
 			if signingID == nil {
 				// If CA is bootstrapped at all then this should never happen but be
 				// defensive.
 				return errors.New("no cluster trust domain setup")
 			}
 			reply.TrustDomain = signingID.Host()
 		}
 	}
 	return s.srv.blockingQuery(
 		&args.QueryOptions, &reply.QueryMeta,
--- a/agent/consul/connect_ca_endpoint_test.go
+++ b/agent/consul/connect_ca_endpoint_test.go
@ -157,7 +157,7 @@ func TestConnectCAConfig_TriggerRotation(t *testing.T) {
 	// Update the provider config to use a new private key, which should
 	// cause a rotation.
-	newKey, err := connect.GeneratePrivateKey()
+	_, newKey, err := connect.GeneratePrivateKey()
 	assert.NoError(err)
 	newConfig := &structs.CAConfiguration{
 		Provider: "consul",
--- a/agent/testagent.go
+++ b/agent/testagent.go
@ -16,6 +16,8 @@ import (
 	"time"
 	metrics "github.com/armon/go-metrics"
 	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/consul/agent/config"
 	"github.com/hashicorp/consul/agent/consul"
 	"github.com/hashicorp/consul/agent/structs"
@ -23,7 +25,6 @@ import (
 	"github.com/hashicorp/consul/lib/freeport"
 	"github.com/hashicorp/consul/logger"
 	"github.com/hashicorp/consul/testutil/retry"
 	uuid "github.com/hashicorp/go-uuid"
 )
 func init() {