From 340d20c964b62085aa636b9f05313a97d05fd20f Mon Sep 17 00:00:00 2001
From: Matt Keeler <mkeeler@users.noreply.github.com>
Date: Thu, 10 Jan 2019 11:23:37 -0500
Subject: [PATCH] cache: Pass through wait query param to the cache.Get (#5203)

This adds a MaxQueryTime field to the connect ca leaf cache request type and populates it via the wait query param. The cache will then do the right thing and timeout the operation as expected if no new leaf cert is available within that time.

Fixes #4462

The reproduction scenario in the original issue now times out appropriately.
---
 agent/agent_endpoint.go              |  1 +
 agent/agent_endpoint_test.go         | 19 +++++++++++++++++++
 agent/cache-types/connect_ca_leaf.go |  2 ++
 3 files changed, 22 insertions(+)

diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go
index f8a56f177..4ac4519c1 100644
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@@ -1335,6 +1335,7 @@ func (s *HTTPServer) AgentConnectCALeafCert(resp http.ResponseWriter, req *http.
 		return nil, nil
 	}
 	args.MinQueryIndex = qOpts.MinQueryIndex
+	args.MaxQueryTime = qOpts.MaxQueryTime
 
 	// Verify the proxy token. This will check both the local proxy token
 	// as well as the ACL if the token isn't local. The checks done in
diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go
index e2ecc5ed3..846b9fd5b 100644
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@@ -4715,6 +4715,25 @@ func TestAgentConnectCALeafCert_goodNotLocal(t *testing.T) {
 		require.Equal("HIT", resp.Header().Get("X-Cache"))
 	}
 
+	// Test Blocking - see https://github.com/hashicorp/consul/issues/4462
+	{
+		// Fetch it again
+		resp := httptest.NewRecorder()
+		blockingReq, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/connect/ca/leaf/test?wait=125ms&index=%d", issued.ModifyIndex), nil)
+		doneCh := make(chan struct{})
+		go func() {
+			a.srv.AgentConnectCALeafCert(resp, blockingReq)
+			close(doneCh)
+		}()
+
+		select {
+		case <-time.After(500 * time.Millisecond):
+			require.FailNow("Shouldn't block for this long - not respecting wait parameter in the query")
+
+		case <-doneCh:
+		}
+	}
+
 	// Test that caching is updated in the background
 	{
 		// Set a new CA
diff --git a/agent/cache-types/connect_ca_leaf.go b/agent/cache-types/connect_ca_leaf.go
index 258d84f0d..9951bd2ed 100644
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@@ -493,6 +493,7 @@ type ConnectCALeafRequest struct {
 	Datacenter    string
 	Service       string // Service name, not ID
 	MinQueryIndex uint64
+	MaxQueryTime  time.Duration
 }
 
 func (r *ConnectCALeafRequest) CacheInfo() cache.RequestInfo {
@@ -501,5 +502,6 @@ func (r *ConnectCALeafRequest) CacheInfo() cache.RequestInfo {
 		Key:        r.Service,
 		Datacenter: r.Datacenter,
 		MinIndex:   r.MinQueryIndex,
+		Timeout:    r.MaxQueryTime,
 	}
 }