agent/consul/state: ensure exactly one active CA exists when setting
parent
9d93c52098
commit
1985655dff
|
@ -110,6 +110,17 @@ func (s *Store) CARootSetCAS(idx, cidx uint64, rs []*structs.CARoot) (bool, erro
|
||||||
tx := s.db.Txn(true)
|
tx := s.db.Txn(true)
|
||||||
defer tx.Abort()
|
defer tx.Abort()
|
||||||
|
|
||||||
|
// There must be exactly one active CA root.
|
||||||
|
activeCount := 0
|
||||||
|
for _, r := range rs {
|
||||||
|
if r.Active {
|
||||||
|
activeCount++
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if activeCount != 1 {
|
||||||
|
return false, fmt.Errorf("there must be exactly one active CA")
|
||||||
|
}
|
||||||
|
|
||||||
// Get the current max index
|
// Get the current max index
|
||||||
if midx := maxIndexTxn(tx, caRootTableName); midx != cidx {
|
if midx := maxIndexTxn(tx, caRootTableName); midx != cidx {
|
||||||
return false, nil
|
return false, nil
|
||||||
|
|
|
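Review bot: The new loop reads `r.Active` on every element of `rs` without a nil check, so a nil entry in the slice would panic inside the write transaction instead of returning an error; consider `if r == nil { return false, fmt.Errorf("CA root must not be nil") }` at the top of the loop body. The count also reads nothing from the database, so it could run before `s.db.Txn(true)` and reject bad input without opening a write transaction. Since this invariant is what keeps a single trust root active, it is worth confirming that any other path writing the CA root table (none is visible in this hunk) enforces it as well. CARootSetCAS continues past the end of the hunk.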
@ -75,6 +75,48 @@ func TestStore_CARootSet_emptyID(t *testing.T) {
|
||||||
assert.Len(roots, 0)
|
assert.Len(roots, 0)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestStore_CARootSet_noActive(t *testing.T) {
|
||||||
|
assert := assert.New(t)
|
||||||
|
s := testStateStore(t)
|
||||||
|
|
||||||
|
// Call list to populate the watch set
|
||||||
|
ws := memdb.NewWatchSet()
|
||||||
|
_, _, err := s.CARoots(ws)
|
||||||
|
assert.Nil(err)
|
||||||
|
|
||||||
|
// Build a valid value
|
||||||
|
ca1 := connect.TestCA(t, nil)
|
||||||
|
ca1.Active = false
|
||||||
|
ca2 := connect.TestCA(t, nil)
|
||||||
|
ca2.Active = false
|
||||||
|
|
||||||
|
// Set
|
||||||
|
ok, err := s.CARootSetCAS(1, 0, []*structs.CARoot{ca1, ca2})
|
||||||
|
assert.NotNil(err)
|
||||||
|
assert.Contains(err.Error(), "exactly one active")
|
||||||
|
assert.False(ok)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestStore_CARootSet_multipleActive(t *testing.T) {
|
||||||
|
assert := assert.New(t)
|
||||||
|
s := testStateStore(t)
|
||||||
|
|
||||||
|
// Call list to populate the watch set
|
||||||
|
ws := memdb.NewWatchSet()
|
||||||
|
_, _, err := s.CARoots(ws)
|
||||||
|
assert.Nil(err)
|
||||||
|
|
||||||
|
// Build a valid value
|
||||||
|
ca1 := connect.TestCA(t, nil)
|
||||||
|
ca2 := connect.TestCA(t, nil)
|
||||||
|
|
||||||
|
// Set
|
||||||
|
ok, err := s.CARootSetCAS(1, 0, []*structs.CARoot{ca1, ca2})
|
||||||
|
assert.NotNil(err)
|
||||||
|
assert.Contains(err.Error(), "exactly one active")
|
||||||
|
assert.False(ok)
|
||||||
|
}
|
||||||
|
|
||||||
func TestStore_CARootActive_valid(t *testing.T) {
|
func TestStore_CARootActive_valid(t *testing.T) {
|
||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
s := testStateStore(t)
|
s := testStateStore(t)
|
||||||
|
|
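Review bot: In both new tests `assert.NotNil(err)` does not stop the test, so if the validation ever regresses and `err` is nil, the following `err.Error()` call panics instead of reporting a clean failure; guarding it as `if assert.Error(err) { assert.Contains(err.Error(), "exactly one active") }` keeps the failure readable. The comment `// Build a valid value` is copied from a positive test and is misleading here, since both tests deliberately build an invalid set; something like `// Build a set with no active root` (and `// ... with two active roots`) would say what is being exercised. TestStore_CARootSet_multipleActive also appears to rely on `connect.TestCA` returning a root with `Active` already true; setting `ca1.Active = true` and `ca2.Active = true` explicitly would make the test independent of that default. Neither test checks that the store is still empty after the rejected write, which is the property the validation is there to protect.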