Merge pull request #11589 from hashicorp/dnephin/ca-cleanup-cluster-id-1

ca: small cleanup of SpiffeIDSigningForCluster args
Daniel Nephin 2021-11-17 12:43:04 -05:00 committed by GitHub
commit 38d4974584
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 10 additions and 23 deletions


@ -603,7 +603,7 @@ func (a *AWSProvider) Sign(csr *x509.CertificateRequest) (string, error) {
// SignIntermediate implements Provider // SignIntermediate implements Provider
func (a *AWSProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error) { func (a *AWSProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error) {
err := validateSignIntermediate(csr, &connect.SpiffeIDSigning{ClusterID: a.clusterID, Domain: "consul"}) err := validateSignIntermediate(csr, connect.SpiffeIDSigningForCluster(a.clusterID))
if err != nil { if err != nil {
return "", err return "", err
} }


@ -76,7 +76,7 @@ func (c *ConsulProvider) Configure(cfg ProviderConfig) error {
c.id = hexStringHash(fmt.Sprintf("%s,%s,%s,%d,%v", config.PrivateKey, config.RootCert, config.PrivateKeyType, config.PrivateKeyBits, cfg.IsPrimary)) c.id = hexStringHash(fmt.Sprintf("%s,%s,%s,%d,%v", config.PrivateKey, config.RootCert, config.PrivateKeyType, config.PrivateKeyBits, cfg.IsPrimary))
c.clusterID = cfg.ClusterID c.clusterID = cfg.ClusterID
c.isPrimary = cfg.IsPrimary c.isPrimary = cfg.IsPrimary
c.spiffeID = connect.SpiffeIDSigningForCluster(&structs.CAConfiguration{ClusterID: c.clusterID}) c.spiffeID = connect.SpiffeIDSigningForCluster(c.clusterID)
// Passthrough test state for state handling tests. See testState doc. // Passthrough test state for state handling tests. See testState doc.
c.parseTestState(cfg.RawConfig, cfg.State) c.parseTestState(cfg.RawConfig, cfg.State)
@ -617,19 +617,13 @@ func (c *ConsulProvider) incrementAndGetNextSerialNumber() (uint64, error) {
// generateCA makes a new root CA using the current private key // generateCA makes a new root CA using the current private key
func (c *ConsulProvider) generateCA(privateKey string, sn uint64, rootCertTTL time.Duration) (string, error) { func (c *ConsulProvider) generateCA(privateKey string, sn uint64, rootCertTTL time.Duration) (string, error) {
stateStore := c.Delegate.State()
_, config, err := stateStore.CAConfig(nil)
if err != nil {
return "", err
}
privKey, err := connect.ParseSigner(privateKey) privKey, err := connect.ParseSigner(privateKey)
if err != nil { if err != nil {
return "", fmt.Errorf("error parsing private key %q: %s", privateKey, err) return "", fmt.Errorf("error parsing private key %q: %s", privateKey, err)
} }
// The URI (SPIFFE compatible) for the cert // The URI (SPIFFE compatible) for the cert
id := connect.SpiffeIDSigningForCluster(config) id := connect.SpiffeIDSigningForCluster(c.clusterID)
keyId, err := connect.KeyId(privKey.Public()) keyId, err := connect.KeyId(privKey.Public())
if err != nil { if err != nil {
return "", err return "", err
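Review bot: generateCA now derives the signing ID from the cached c.clusterID instead of re-reading the CA configuration from the state store, so the persisted ClusterID is no longer consulted at root-generation time; if the value set in Configure and the stored config can ever diverge, the generated root URI follows the cached one, which deserves a line in the function comment. The same value is already computed into c.spiffeID in Configure (the first hunk of this file), so `id := c.spiffeID` would avoid deriving it twice, provided generateCA is only reached after Configure. generateCA's body continues past the end of the hunk.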


@ -87,7 +87,7 @@ func (v *VaultProvider) Configure(cfg ProviderConfig) error {
v.client = client v.client = client
v.isPrimary = cfg.IsPrimary v.isPrimary = cfg.IsPrimary
v.clusterID = cfg.ClusterID v.clusterID = cfg.ClusterID
v.spiffeID = connect.SpiffeIDSigningForCluster(&structs.CAConfiguration{ClusterID: v.clusterID}) v.spiffeID = connect.SpiffeIDSigningForCluster(v.clusterID)
// Look up the token to see if we can auto-renew its lease. // Look up the token to see if we can auto-renew its lease.
secret, err := client.Auth().Token().LookupSelf() secret, err := client.Auth().Token().LookupSelf()


@ -4,8 +4,6 @@ import (
"fmt" "fmt"
"net/url" "net/url"
"strings" "strings"
"github.com/hashicorp/consul/agent/structs"
) )
// SpiffeIDSigning is the structure to represent the SPIFFE ID for a // SpiffeIDSigning is the structure to represent the SPIFFE ID for a
@ -64,6 +62,6 @@ func (id SpiffeIDSigning) CanSign(cu CertURI) bool {
// break all certificate validation. That does mean that DNS prefix might not // break all certificate validation. That does mean that DNS prefix might not
// match the identity URIs and so the trust domain might not actually resolve // match the identity URIs and so the trust domain might not actually resolve
// which we would like but don't actually need. // which we would like but don't actually need.
func SpiffeIDSigningForCluster(config *structs.CAConfiguration) *SpiffeIDSigning { func SpiffeIDSigningForCluster(clusterID string) *SpiffeIDSigning {
return &SpiffeIDSigning{ClusterID: config.ClusterID, Domain: "consul"} return &SpiffeIDSigning{ClusterID: clusterID, Domain: "consul"}
} }
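Review bot: SpiffeIDSigningForCluster uses clusterID verbatim and always returns a non-nil pointer, but the doc comment states neither, and callers in getCARoots and serviceDiscoveryChainTxn still test the result for nil. Suggest adding to the comment: `// clusterID is used verbatim; an empty value yields the trust domain ".consul". The result is never nil.` The comment block above the signature begins outside the hunk.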


@ -5,17 +5,12 @@ import (
"strings" "strings"
"testing" "testing"
"github.com/hashicorp/consul/agent/structs"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )
func TestSpiffeIDSigningForCluster(t *testing.T) { func TestSpiffeIDSigningForCluster(t *testing.T) {
// For now it should just append .consul to the ID. // For now it should just append .consul to the ID.
config := &structs.CAConfiguration{ id := SpiffeIDSigningForCluster(TestClusterID)
ClusterID: TestClusterID,
}
id := SpiffeIDSigningForCluster(config)
assert.Equal(t, id.URI().String(), "spiffe://"+TestClusterID+".consul") assert.Equal(t, id.URI().String(), "spiffe://"+TestClusterID+".consul")
} }
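Review bot: The test pins only the rendered URI, so the ClusterID and Domain fields that the refactored function now sets straight from its argument are not checked directly. Adding `assert.Equal(t, TestClusterID, id.ClusterID)` and `assert.Equal(t, "consul", id.Domain)` would catch a regression in either field without depending on URI() formatting.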


@ -1401,7 +1401,7 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne
if err != nil { if err != nil {
return nil, err return nil, err
} }
signingID := connect.SpiffeIDSigningForCluster(config) signingID := connect.SpiffeIDSigningForCluster(config.ClusterID)
serviceID, isService := spiffeID.(*connect.SpiffeIDService) serviceID, isService := spiffeID.(*connect.SpiffeIDService)
agentID, isAgent := spiffeID.(*connect.SpiffeIDAgent) agentID, isAgent := spiffeID.(*connect.SpiffeIDAgent)
if !isService && !isAgent { if !isService && !isAgent {


@ -23,7 +23,7 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
indexedRoots := &structs.IndexedCARoots{} indexedRoots := &structs.IndexedCARoots{}
// Build TrustDomain based on the ClusterID stored. // Build TrustDomain based on the ClusterID stored.
signingID := connect.SpiffeIDSigningForCluster(config) signingID := connect.SpiffeIDSigningForCluster(config.ClusterID)
if signingID == nil { if signingID == nil {
// If CA is bootstrapped at all then this should never happen but be // If CA is bootstrapped at all then this should never happen but be
// defensive. // defensive.
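Review bot: The `if signingID == nil` guard after the call can never fire, because SpiffeIDSigningForCluster returns a freshly built non-nil pointer (see its body in this change), while `config.ClusterID` is now dereferenced at the call site before the guard runs; if the CAConfig lookup above can return a nil config without an error when the CA is not bootstrapped, that path panics instead of reaching the "defensive" branch. The dereference predates this commit (the helper read config.ClusterID itself), but the refactor is the moment to move the check to `if config == nil {` ahead of the call. The same pattern appears in serviceDiscoveryChainTxn in the next file section. getCARoots begins above the hunk.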


@ -800,7 +800,7 @@ func (s *Store) serviceDiscoveryChainTxn(
} }
// Build TrustDomain based on the ClusterID stored. // Build TrustDomain based on the ClusterID stored.
signingID := connect.SpiffeIDSigningForCluster(config) signingID := connect.SpiffeIDSigningForCluster(config.ClusterID)
if signingID == nil { if signingID == nil {
// If CA is bootstrapped at all then this should never happen but be // If CA is bootstrapped at all then this should never happen but be
// defensive. // defensive.