open-consul/troubleshoot/proxy/certs.go

package troubleshoot

import (
	"errors"
	"fmt"
	"time"

	envoy_admin_v3 "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
	"github.com/hashicorp/go-multierror"
	"google.golang.org/protobuf/encoding/protojson"
)

func (t *Troubleshoot) validateCerts(certs *envoy_admin_v3.Certificates) error {

	// TODO: we can probably warn if the expiration date is close
	var resultErr error
	now := time.Now()

	if certs == nil {
		return errors.New("certs object is nil")
	}

	if len(certs.GetCertificates()) == 0 {
		return errors.New("no certificates provided")
	}

	for _, cert := range certs.GetCertificates() {
		for _, cacert := range cert.GetCaCert() {
			if now.After(cacert.GetExpirationTime().AsTime()) {
				resultErr = multierror.Append(resultErr, fmt.Errorf("Ca cert is expired"))
			}

		}
		for _, cc := range cert.GetCertChain() {
			if now.After(cc.GetExpirationTime().AsTime()) {
				resultErr = multierror.Append(resultErr, fmt.Errorf("cert chain is expired"))
			}
		}
	}
	return resultErr
}

func (t *Troubleshoot) getEnvoyCerts() (*envoy_admin_v3.Certificates, error) {

	certsRaw, err := t.request("certs?format=json")
	if err != nil {
		return nil, fmt.Errorf("error in requesting Envoy Admin API /certs endpoint: %w", err)
	}

	certs := &envoy_admin_v3.Certificates{}

	unmarshal := &protojson.UnmarshalOptions{
		DiscardUnknown: true,
	}
	err = unmarshal.Unmarshal(certsRaw, certs)
	if err != nil {
		return nil, fmt.Errorf("error in unmarshalling /certs response: %w", err)
	}

	t.envoyCerts = certs
	return certs, nil
}
validate certs and get stats (#16139) 2023-02-02 22:24:18 +00:00			`package troubleshoot`

			`import (`
add cert tests (#16192) 2023-02-07 17:58:00 +00:00			`"errors"`
validate certs and get stats (#16139) 2023-02-02 22:24:18 +00:00			`"fmt"`
			`"time"`

			`envoy_admin_v3 "github.com/envoyproxy/go-control-plane/envoy/admin/v3"`
			`"github.com/hashicorp/go-multierror"`
			`"google.golang.org/protobuf/encoding/protojson"`
			`)`

			`func (t Troubleshoot) validateCerts(certs envoy_admin_v3.Certificates) error {`

			`// TODO: we can probably warn if the expiration date is close`
			`var resultErr error`
			`now := time.Now()`

add cert tests (#16192) 2023-02-07 17:58:00 +00:00			`if certs == nil {`
			`return errors.New("certs object is nil")`
			`}`

			`if len(certs.GetCertificates()) == 0 {`
			`return errors.New("no certificates provided")`
			`}`

validate certs and get stats (#16139) 2023-02-02 22:24:18 +00:00			`for _, cert := range certs.GetCertificates() {`
			`for _, cacert := range cert.GetCaCert() {`
			`if now.After(cacert.GetExpirationTime().AsTime()) {`
refactor: remove troubleshoot module dependency on consul top level module (#16162) Ensure nothing in the troubleshoot go module depends on consul's top level module. This is so we can import troubleshoot into consul-k8s and not import all of consul. * turns troubleshoot into a go module [authored by @curtbushko] * gets the envoy protos into the troubleshoot module [authored by @curtbushko] * adds a new go module `envoyextensions` which has xdscommon and extensioncommon folders that both the xds package and the troubleshoot package can import * adds testing and linting for the new go modules * moves the unit tests in `troubleshoot/validateupstream` that depend on proxycfg/xds into the xds package, with a comment describing why those tests cannot be in the troubleshoot package * fixes all the imports everywhere as a result of these changes Co-authored-by: Curt Bushko <cbushko@gmail.com> 2023-02-06 17:14:35 +00:00			`resultErr = multierror.Append(resultErr, fmt.Errorf("Ca cert is expired"))`
validate certs and get stats (#16139) 2023-02-02 22:24:18 +00:00			`}`

			`}`
			`for _, cc := range cert.GetCertChain() {`
			`if now.After(cc.GetExpirationTime().AsTime()) {`
refactor: remove troubleshoot module dependency on consul top level module (#16162) Ensure nothing in the troubleshoot go module depends on consul's top level module. This is so we can import troubleshoot into consul-k8s and not import all of consul. * turns troubleshoot into a go module [authored by @curtbushko] * gets the envoy protos into the troubleshoot module [authored by @curtbushko] * adds a new go module `envoyextensions` which has xdscommon and extensioncommon folders that both the xds package and the troubleshoot package can import * adds testing and linting for the new go modules * moves the unit tests in `troubleshoot/validateupstream` that depend on proxycfg/xds into the xds package, with a comment describing why those tests cannot be in the troubleshoot package * fixes all the imports everywhere as a result of these changes Co-authored-by: Curt Bushko <cbushko@gmail.com> 2023-02-06 17:14:35 +00:00			`resultErr = multierror.Append(resultErr, fmt.Errorf("cert chain is expired"))`
validate certs and get stats (#16139) 2023-02-02 22:24:18 +00:00			`}`
			`}`
			`}`
			`return resultErr`
			`}`

			`func (t Troubleshoot) getEnvoyCerts() (envoy_admin_v3.Certificates, error) {`

			`certsRaw, err := t.request("certs?format=json")`
			`if err != nil {`
			`return nil, fmt.Errorf("error in requesting Envoy Admin API /certs endpoint: %w", err)`
			`}`

			`certs := &envoy_admin_v3.Certificates{}`

			`unmarshal := &protojson.UnmarshalOptions{`
			`DiscardUnknown: true,`
			`}`
			`err = unmarshal.Unmarshal(certsRaw, certs)`
			`if err != nil {`
			`return nil, fmt.Errorf("error in unmarshalling /certs response: %w", err)`
			`}`

			`t.envoyCerts = certs`
			`return certs, nil`
			`}`