open-consul/agent/consul/server_connect.go

package consul

import (
	"fmt"

	"github.com/hashicorp/go-memdb"

	"github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/agent/connect/ca"
	"github.com/hashicorp/consul/agent/consul/state"
	"github.com/hashicorp/consul/agent/structs"
)

func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.IndexedCARoots, error) {
	index, roots, config, err := state.CARootsAndConfig(ws)
	if err != nil {
		return nil, err
	}

	indexedRoots := &structs.IndexedCARoots{}

	if config != nil {
		// Build TrustDomain based on the ClusterID stored.
		signingID := connect.SpiffeIDSigningForCluster(config)
		if signingID == nil {
			// If CA is bootstrapped at all then this should never happen but be
			// defensive.
			return nil, fmt.Errorf("no cluster trust domain setup")
		}

		indexedRoots.TrustDomain = signingID.Host()
	}

	indexedRoots.Index, indexedRoots.Roots = index, roots
	if indexedRoots.Roots == nil {
		indexedRoots.Roots = make(structs.CARoots, 0)
	}

	// The response should not contain all fields as there are sensitive
	// data such as key material stored within the struct. So here we
	// pull out some of the fields and copy them into
	for i, r := range indexedRoots.Roots {
		var intermediates []string
		if r.IntermediateCerts != nil {
			intermediates = make([]string, len(r.IntermediateCerts))
			for i, intermediate := range r.IntermediateCerts {
				intermediates[i] = intermediate
			}
		}
		// IMPORTANT: r must NEVER be modified, since it is a pointer
		// directly to the structure in the memdb store.

		indexedRoots.Roots[i] = &structs.CARoot{
			ID:                  r.ID,
			Name:                r.Name,
			SerialNumber:        r.SerialNumber,
			SigningKeyID:        r.SigningKeyID,
			ExternalTrustDomain: r.ExternalTrustDomain,
			NotBefore:           r.NotBefore,
			NotAfter:            r.NotAfter,
			RootCert:            ca.EnsureTrailingNewline(r.RootCert),
			IntermediateCerts:   intermediates,
			RaftIndex:           r.RaftIndex,
			Active:              r.Active,
			PrivateKeyType:      r.PrivateKeyType,
			PrivateKeyBits:      r.PrivateKeyBits,
		}

		if r.Active {
			indexedRoots.ActiveRootID = r.ID
		}
	}

	return indexedRoots, nil
}
Store the Connect CA rate limiter on the server This fixes a bug where auto_encrypt was operating without utilizing a common rate limiter. 2020-06-29 19:52:47 +00:00			`package consul`

			`import (`
Move connect root retrieval and cert signing logic out of the RPC endpoints (#8364) The code now lives on the Server type itself. This was done so that all of this could be shared with auto config certificate signing. 2020-07-24 14:00:51 +00:00			`"fmt"`
Store the Connect CA rate limiter on the server This fixes a bug where auto_encrypt was operating without utilizing a common rate limiter. 2020-06-29 19:52:47 +00:00
ca: move SignCertificate to the file where it is used 2021-06-23 20:32:59 +00:00			`"github.com/hashicorp/go-memdb"`
connect/ca: cease including the common name field in generated certs (#10424) As part of this change, we ensure that the SAN extensions are marked as critical when the subject is empty so that AWS PCA tolerates the loss of common names well and continues to function as a Connect CA provider. Parts of this currently hack around a bug in crypto/x509 and can be removed after https://go-review.googlesource.com/c/go/+/329129 lands in a Go release. Note: the AWS PCA tests do not run automatically, but the following passed locally for me: ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS 2021-06-25 18:00:00 +00:00
Move connect root retrieval and cert signing logic out of the RPC endpoints (#8364) The code now lives on the Server type itself. This was done so that all of this could be shared with auto config certificate signing. 2020-07-24 14:00:51 +00:00			`"github.com/hashicorp/consul/agent/connect"`
			`"github.com/hashicorp/consul/agent/connect/ca"`
			`"github.com/hashicorp/consul/agent/consul/state"`
			`"github.com/hashicorp/consul/agent/structs"`
Store the Connect CA rate limiter on the server This fixes a bug where auto_encrypt was operating without utilizing a common rate limiter. 2020-06-29 19:52:47 +00:00			`)`

Move connect root retrieval and cert signing logic out of the RPC endpoints (#8364) The code now lives on the Server type itself. This was done so that all of this could be shared with auto config certificate signing. 2020-07-24 14:00:51 +00:00			`func (s Server) getCARoots(ws memdb.WatchSet, state state.Store) (*structs.IndexedCARoots, error) {`
			`index, roots, config, err := state.CARootsAndConfig(ws)`
			`if err != nil {`
			`return nil, err`
			`}`

			`indexedRoots := &structs.IndexedCARoots{}`

			`if config != nil {`
			`// Build TrustDomain based on the ClusterID stored.`
			`signingID := connect.SpiffeIDSigningForCluster(config)`
			`if signingID == nil {`
			`// If CA is bootstrapped at all then this should never happen but be`
			`// defensive.`
			`return nil, fmt.Errorf("no cluster trust domain setup")`
			`}`

			`indexedRoots.TrustDomain = signingID.Host()`
			`}`

			`indexedRoots.Index, indexedRoots.Roots = index, roots`
			`if indexedRoots.Roots == nil {`
			`indexedRoots.Roots = make(structs.CARoots, 0)`
			`}`

			`// The response should not contain all fields as there are sensitive`
			`// data such as key material stored within the struct. So here we`
			`// pull out some of the fields and copy them into`
			`for i, r := range indexedRoots.Roots {`
Format certificates properly (rfc7468) with a trailing new line (#10411) * trim carriage return from certificates when inserting rootCA in the inMemDB * format rootCA properly when returning the CA on the connect CA endpoint * Fix linter warnings * Fix providers to trim certs before returning it * trim newlines on write when possible * add changelog * make sure all provider return a trailing newline after the root and intermediate certs * Fix endpoint to return trailing new line * Fix failing test with vault provider * make test more robust * make sure all provider return a trailing newline after the leaf certs * Check for suffix before removing newline and use function * Add comment to consul provider * Update change log Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix typo * simplify code callflow Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * extract requireNewLine as shared func * remove dependency to testify in testing file * remove extra newline in vault provider * Add cert newline fix to envoy xds * remove new line from mock provider * Remove adding a new line from provider and fix it when the cert is read * Add a comment to explain the fix * Add missing for leaf certs * fix missing new line * fix missing new line in leaf certs * remove extra new line in test * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * fix in vault provider and when reading cache (RPC call) * fix AWS provider * fix failing test in the provider * remove comments and empty lines * add check for empty cert in test * fix linter warnings * add new line for leaf and private key * use string concat instead of Sprintf * fix new lines for leaf signing * preallocate slice and remove append * Add new line to `SignIntermediate` and `CrossSignCA` Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-01 00:48:29 +00:00			`var intermediates []string`
			`if r.IntermediateCerts != nil {`
			`intermediates = make([]string, len(r.IntermediateCerts))`
			`for i, intermediate := range r.IntermediateCerts {`
			`intermediates[i] = intermediate`
			`}`
			`}`
Move connect root retrieval and cert signing logic out of the RPC endpoints (#8364) The code now lives on the Server type itself. This was done so that all of this could be shared with auto config certificate signing. 2020-07-24 14:00:51 +00:00			`// IMPORTANT: r must NEVER be modified, since it is a pointer`
			`// directly to the structure in the memdb store.`

			`indexedRoots.Roots[i] = &structs.CARoot{`
			`ID: r.ID,`
			`Name: r.Name,`
			`SerialNumber: r.SerialNumber,`
			`SigningKeyID: r.SigningKeyID,`
			`ExternalTrustDomain: r.ExternalTrustDomain,`
			`NotBefore: r.NotBefore,`
			`NotAfter: r.NotAfter,`
Format certificates properly (rfc7468) with a trailing new line (#10411) * trim carriage return from certificates when inserting rootCA in the inMemDB * format rootCA properly when returning the CA on the connect CA endpoint * Fix linter warnings * Fix providers to trim certs before returning it * trim newlines on write when possible * add changelog * make sure all provider return a trailing newline after the root and intermediate certs * Fix endpoint to return trailing new line * Fix failing test with vault provider * make test more robust * make sure all provider return a trailing newline after the leaf certs * Check for suffix before removing newline and use function * Add comment to consul provider * Update change log Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix typo * simplify code callflow Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * extract requireNewLine as shared func * remove dependency to testify in testing file * remove extra newline in vault provider * Add cert newline fix to envoy xds * remove new line from mock provider * Remove adding a new line from provider and fix it when the cert is read * Add a comment to explain the fix * Add missing for leaf certs * fix missing new line * fix missing new line in leaf certs * remove extra new line in test * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * fix in vault provider and when reading cache (RPC call) * fix AWS provider * fix failing test in the provider * remove comments and empty lines * add check for empty cert in test * fix linter warnings * add new line for leaf and private key * use string concat instead of Sprintf * fix new lines for leaf signing * preallocate slice and remove append * Add new line to `SignIntermediate` and `CrossSignCA` Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-01 00:48:29 +00:00			`RootCert: ca.EnsureTrailingNewline(r.RootCert),`
			`IntermediateCerts: intermediates,`
Move connect root retrieval and cert signing logic out of the RPC endpoints (#8364) The code now lives on the Server type itself. This was done so that all of this could be shared with auto config certificate signing. 2020-07-24 14:00:51 +00:00			`RaftIndex: r.RaftIndex,`
			`Active: r.Active,`
			`PrivateKeyType: r.PrivateKeyType,`
			`PrivateKeyBits: r.PrivateKeyBits,`
			`}`

			`if r.Active {`
			`indexedRoots.ActiveRootID = r.ID`
			`}`
			`}`

			`return indexedRoots, nil`
			`}`