ConnectCA.Sign gRPC Endpoint (#12787)
Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port.
This commit is contained in:
parent
c1cea9a725
commit
769d1d6e8e
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:feature
|
||||||
|
ca: Leaf certificates can now be obtained via the gRPC API: `Sign`
|
||||||
|
```
|
|
@ -9,6 +9,7 @@ import (
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/asn1"
|
"encoding/asn1"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"net/url"
|
"net/url"
|
||||||
)
|
)
|
||||||
|
@ -100,3 +101,24 @@ func CreateCAExtension() (pkix.Extension, error) {
|
||||||
Value: bitstr,
|
Value: bitstr,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// InvalidCSRError returns an error with the given fmt.Sprintf-formatted message
|
||||||
|
// indicating certificate signing failed because the user supplied an invalid CSR.
|
||||||
|
//
|
||||||
|
// See: IsInvalidCSRError.
|
||||||
|
func InvalidCSRError(format string, args ...interface{}) error {
|
||||||
|
return invalidCSRError{fmt.Sprintf(format, args...)}
|
||||||
|
}
|
||||||
|
|
||||||
|
// IsInvalidCSRError returns whether the given error indicates that certificate
|
||||||
|
// signing failed because the user supplied an invalid CSR.
|
||||||
|
func IsInvalidCSRError(err error) bool {
|
||||||
|
_, ok := err.(invalidCSRError)
|
||||||
|
return ok
|
||||||
|
}
|
||||||
|
|
||||||
|
type invalidCSRError struct {
|
||||||
|
s string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e invalidCSRError) Error() string { return e.s }
|
||||||
|
|
|
@ -24,7 +24,7 @@ var (
|
||||||
// consul.ErrRateLimited.Error()` which is very sad. Short of replacing our
|
// consul.ErrRateLimited.Error()` which is very sad. Short of replacing our
|
||||||
// RPC mechanism it's hard to know how to make that much better though.
|
// RPC mechanism it's hard to know how to make that much better though.
|
||||||
ErrConnectNotEnabled = errors.New("Connect must be enabled in order to use this endpoint")
|
ErrConnectNotEnabled = errors.New("Connect must be enabled in order to use this endpoint")
|
||||||
ErrRateLimited = errors.New("Rate limit reached, try again later")
|
ErrRateLimited = errors.New("Rate limit reached, try again later") // Note: we depend on this error message in the gRPC ConnectCA.Sign endpoint (see: isRateLimitError).
|
||||||
ErrNotPrimaryDatacenter = errors.New("not the primary datacenter")
|
ErrNotPrimaryDatacenter = errors.New("not the primary datacenter")
|
||||||
ErrStateReadOnly = errors.New("CA Provider State is read-only")
|
ErrStateReadOnly = errors.New("CA Provider State is read-only")
|
||||||
)
|
)
|
||||||
|
|
|
@ -0,0 +1,84 @@
|
||||||
|
package consul
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"net"
|
||||||
|
"os"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"google.golang.org/grpc"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/agent/connect"
|
||||||
|
"github.com/hashicorp/consul/proto-public/pbconnectca"
|
||||||
|
"github.com/hashicorp/consul/testrpc"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestGRPCIntegration_ConnectCA_Sign(t *testing.T) {
|
||||||
|
if testing.Short() {
|
||||||
|
t.Skip("too slow for testing.Short")
|
||||||
|
}
|
||||||
|
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
// The gRPC endpoint itself well-tested with mocks. This test checks we're
|
||||||
|
// correctly wiring everything up in the server by:
|
||||||
|
//
|
||||||
|
// * Starting a cluster with multiple servers.
|
||||||
|
// * Making a request to a follower's public gRPC port.
|
||||||
|
// * Ensuring that the request is correctly forwarded to the leader.
|
||||||
|
// * Ensuring we get a valid certificate back (so it went through the CAManager).
|
||||||
|
dir1, server1 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.Bootstrap = false
|
||||||
|
c.BootstrapExpect = 2
|
||||||
|
})
|
||||||
|
defer os.RemoveAll(dir1)
|
||||||
|
defer server1.Shutdown()
|
||||||
|
|
||||||
|
dir2, server2 := testServerWithConfig(t, func(c *Config) {
|
||||||
|
c.Bootstrap = false
|
||||||
|
})
|
||||||
|
defer os.RemoveAll(dir2)
|
||||||
|
defer server2.Shutdown()
|
||||||
|
|
||||||
|
joinLAN(t, server2, server1)
|
||||||
|
|
||||||
|
testrpc.WaitForLeader(t, server1.RPC, "dc1")
|
||||||
|
|
||||||
|
var follower *Server
|
||||||
|
if server1.IsLeader() {
|
||||||
|
follower = server2
|
||||||
|
} else {
|
||||||
|
follower = server1
|
||||||
|
}
|
||||||
|
|
||||||
|
// publicGRPCServer is bound to a listener by the wrapping agent code, so we
|
||||||
|
// need to do it ourselves here.
|
||||||
|
lis, err := net.Listen("tcp", "127.0.0.1:0")
|
||||||
|
require.NoError(t, err)
|
||||||
|
go func() {
|
||||||
|
require.NoError(t, follower.publicGRPCServer.Serve(lis))
|
||||||
|
}()
|
||||||
|
t.Cleanup(follower.publicGRPCServer.Stop)
|
||||||
|
|
||||||
|
conn, err := grpc.Dial(lis.Addr().String(), grpc.WithInsecure())
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
client := pbconnectca.NewConnectCAServiceClient(conn)
|
||||||
|
|
||||||
|
csr, _ := connect.TestCSR(t, &connect.SpiffeIDService{
|
||||||
|
Host: connect.TestClusterID + ".consul",
|
||||||
|
Namespace: "default",
|
||||||
|
Datacenter: "dc1",
|
||||||
|
Service: "foo",
|
||||||
|
})
|
||||||
|
|
||||||
|
// This would fail if it wasn't forwarded to the leader.
|
||||||
|
rsp, err := client.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: csr,
|
||||||
|
})
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
_, err = connect.ParseCert(rsp.CertPem)
|
||||||
|
require.NoError(t, err)
|
||||||
|
}
|
|
@ -1382,7 +1382,7 @@ func (l *connectSignRateLimiter) getCSRRateLimiterWithLimit(limit rate.Limit) *r
|
||||||
func (c *CAManager) AuthorizeAndSignCertificate(csr *x509.CertificateRequest, authz acl.Authorizer) (*structs.IssuedCert, error) {
|
func (c *CAManager) AuthorizeAndSignCertificate(csr *x509.CertificateRequest, authz acl.Authorizer) (*structs.IssuedCert, error) {
|
||||||
// Parse the SPIFFE ID from the CSR SAN.
|
// Parse the SPIFFE ID from the CSR SAN.
|
||||||
if len(csr.URIs) == 0 {
|
if len(csr.URIs) == 0 {
|
||||||
return nil, errors.New("CSR SAN does not contain a SPIFFE ID")
|
return nil, connect.InvalidCSRError("CSR SAN does not contain a SPIFFE ID")
|
||||||
}
|
}
|
||||||
spiffeID, err := connect.ParseCertURI(csr.URIs[0])
|
spiffeID, err := connect.ParseCertURI(csr.URIs[0])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -1403,7 +1403,7 @@ func (c *CAManager) AuthorizeAndSignCertificate(csr *x509.CertificateRequest, au
|
||||||
// requirement later but being restrictive for now is safer.
|
// requirement later but being restrictive for now is safer.
|
||||||
dc := c.serverConf.Datacenter
|
dc := c.serverConf.Datacenter
|
||||||
if v.Datacenter != dc {
|
if v.Datacenter != dc {
|
||||||
return nil, fmt.Errorf("SPIFFE ID in CSR from a different datacenter: %s, "+
|
return nil, connect.InvalidCSRError("SPIFFE ID in CSR from a different datacenter: %s, "+
|
||||||
"we are %s", v.Datacenter, dc)
|
"we are %s", v.Datacenter, dc)
|
||||||
}
|
}
|
||||||
case *connect.SpiffeIDAgent:
|
case *connect.SpiffeIDAgent:
|
||||||
|
@ -1412,7 +1412,7 @@ func (c *CAManager) AuthorizeAndSignCertificate(csr *x509.CertificateRequest, au
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
return nil, errors.New("SPIFFE ID in CSR must be a service or agent ID")
|
return nil, connect.InvalidCSRError("SPIFFE ID in CSR must be a service or agent ID")
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.SignCertificate(csr, spiffeID)
|
return c.SignCertificate(csr, spiffeID)
|
||||||
|
@ -1436,13 +1436,13 @@ func (c *CAManager) SignCertificate(csr *x509.CertificateRequest, spiffeID conne
|
||||||
serviceID, isService := spiffeID.(*connect.SpiffeIDService)
|
serviceID, isService := spiffeID.(*connect.SpiffeIDService)
|
||||||
agentID, isAgent := spiffeID.(*connect.SpiffeIDAgent)
|
agentID, isAgent := spiffeID.(*connect.SpiffeIDAgent)
|
||||||
if !isService && !isAgent {
|
if !isService && !isAgent {
|
||||||
return nil, fmt.Errorf("SPIFFE ID in CSR must be a service or agent ID")
|
return nil, connect.InvalidCSRError("SPIFFE ID in CSR must be a service or agent ID")
|
||||||
}
|
}
|
||||||
|
|
||||||
var entMeta acl.EnterpriseMeta
|
var entMeta acl.EnterpriseMeta
|
||||||
if isService {
|
if isService {
|
||||||
if !signingID.CanSign(spiffeID) {
|
if !signingID.CanSign(spiffeID) {
|
||||||
return nil, fmt.Errorf("SPIFFE ID in CSR from a different trust domain: %s, "+
|
return nil, connect.InvalidCSRError("SPIFFE ID in CSR from a different trust domain: %s, "+
|
||||||
"we are %s", serviceID.Host, signingID.Host())
|
"we are %s", serviceID.Host, signingID.Host())
|
||||||
}
|
}
|
||||||
entMeta.Merge(serviceID.GetEnterpriseMeta())
|
entMeta.Merge(serviceID.GetEnterpriseMeta())
|
||||||
|
|
|
@ -238,6 +238,11 @@ type Server struct {
|
||||||
// is only ever closed.
|
// is only ever closed.
|
||||||
leaveCh chan struct{}
|
leaveCh chan struct{}
|
||||||
|
|
||||||
|
// publicConnectCAServer serves the Connect CA service exposed on the public
|
||||||
|
// gRPC port. It is also exposed on the private multiplexed "server" port to
|
||||||
|
// enable RPC forwarding.
|
||||||
|
publicConnectCAServer *connectca.Server
|
||||||
|
|
||||||
// publicGRPCServer is the gRPC server exposed on the dedicated gRPC port, as
|
// publicGRPCServer is the gRPC server exposed on the dedicated gRPC port, as
|
||||||
// opposed to the multiplexed "server" port which is served by grpcHandler.
|
// opposed to the multiplexed "server" port which is served by grpcHandler.
|
||||||
publicGRPCServer *grpc.Server
|
publicGRPCServer *grpc.Server
|
||||||
|
@ -657,6 +662,29 @@ func NewServer(config *Config, flat Deps, publicGRPCServer *grpc.Server) (*Serve
|
||||||
s.overviewManager = NewOverviewManager(s.logger, s.fsm, s.config.MetricsReportingInterval)
|
s.overviewManager = NewOverviewManager(s.logger, s.fsm, s.config.MetricsReportingInterval)
|
||||||
go s.overviewManager.Run(&lib.StopChannelContext{StopCh: s.shutdownCh})
|
go s.overviewManager.Run(&lib.StopChannelContext{StopCh: s.shutdownCh})
|
||||||
|
|
||||||
|
// Initialize public gRPC server - register services on public gRPC server.
|
||||||
|
s.publicConnectCAServer = connectca.NewServer(connectca.Config{
|
||||||
|
Publisher: s.publisher,
|
||||||
|
GetStore: func() connectca.StateStore { return s.FSM().State() },
|
||||||
|
Logger: logger.Named("grpc-api.connect-ca"),
|
||||||
|
ACLResolver: plainACLResolver{s.ACLResolver},
|
||||||
|
CAManager: s.caManager,
|
||||||
|
ForwardRPC: func(info structs.RPCInfo, fn func(*grpc.ClientConn) error) (bool, error) {
|
||||||
|
return s.ForwardGRPC(s.grpcConnPool, info, fn)
|
||||||
|
},
|
||||||
|
ConnectEnabled: s.config.ConnectEnabled,
|
||||||
|
})
|
||||||
|
s.publicConnectCAServer.Register(s.publicGRPCServer)
|
||||||
|
|
||||||
|
dataplane.NewServer(dataplane.Config{
|
||||||
|
Logger: logger.Named("grpc-api.dataplane"),
|
||||||
|
ACLResolver: plainACLResolver{s.ACLResolver},
|
||||||
|
}).Register(s.publicGRPCServer)
|
||||||
|
|
||||||
|
// Initialize private gRPC server.
|
||||||
|
//
|
||||||
|
// Note: some "public" gRPC services are also exposed on the private gRPC server
|
||||||
|
// to enable RPC forwarding.
|
||||||
s.grpcHandler = newGRPCHandlerFromConfig(flat, config, s)
|
s.grpcHandler = newGRPCHandlerFromConfig(flat, config, s)
|
||||||
s.grpcLeaderForwarder = flat.LeaderForwarder
|
s.grpcLeaderForwarder = flat.LeaderForwarder
|
||||||
go s.trackLeaderChanges()
|
go s.trackLeaderChanges()
|
||||||
|
@ -669,18 +697,6 @@ func NewServer(config *Config, flat Deps, publicGRPCServer *grpc.Server) (*Serve
|
||||||
// since it can fire events when leadership is obtained.
|
// since it can fire events when leadership is obtained.
|
||||||
go s.monitorLeadership()
|
go s.monitorLeadership()
|
||||||
|
|
||||||
// Initialize public gRPC server - register services on public gRPC server.
|
|
||||||
connectca.NewServer(connectca.Config{
|
|
||||||
Publisher: s.publisher,
|
|
||||||
GetStore: func() connectca.StateStore { return s.FSM().State() },
|
|
||||||
Logger: logger.Named("grpc-api.connect-ca"),
|
|
||||||
ACLResolver: plainACLResolver{s.ACLResolver},
|
|
||||||
}).Register(s.publicGRPCServer)
|
|
||||||
dataplane.NewServer(dataplane.Config{
|
|
||||||
Logger: logger.Named("grpc-api.dataplane"),
|
|
||||||
ACLResolver: plainACLResolver{s.ACLResolver},
|
|
||||||
}).Register(s.publicGRPCServer)
|
|
||||||
|
|
||||||
// Start listening for RPC requests.
|
// Start listening for RPC requests.
|
||||||
go func() {
|
go func() {
|
||||||
if err := s.grpcHandler.Run(); err != nil {
|
if err := s.grpcHandler.Run(); err != nil {
|
||||||
|
@ -712,6 +728,10 @@ func newGRPCHandlerFromConfig(deps Deps, config *Config, s *Server) connHandler
|
||||||
deps.Logger.Named("grpc-api.subscription")))
|
deps.Logger.Named("grpc-api.subscription")))
|
||||||
}
|
}
|
||||||
s.registerEnterpriseGRPCServices(deps, srv)
|
s.registerEnterpriseGRPCServices(deps, srv)
|
||||||
|
|
||||||
|
// Note: this public gRPC service is also exposed on the private server to
|
||||||
|
// enable RPC forwarding.
|
||||||
|
s.publicConnectCAServer.Register(srv)
|
||||||
}
|
}
|
||||||
|
|
||||||
return agentgrpc.NewHandler(deps.Logger, config.RPCAddr, register)
|
return agentgrpc.NewHandler(deps.Logger, config.RPCAddr, register)
|
||||||
|
|
|
@ -3,9 +3,8 @@
|
||||||
package connectca
|
package connectca
|
||||||
|
|
||||||
import (
|
import (
|
||||||
mock "github.com/stretchr/testify/mock"
|
|
||||||
|
|
||||||
acl "github.com/hashicorp/consul/acl"
|
acl "github.com/hashicorp/consul/acl"
|
||||||
|
mock "github.com/stretchr/testify/mock"
|
||||||
)
|
)
|
||||||
|
|
||||||
// MockACLResolver is an autogenerated mock type for the ACLResolver type
|
// MockACLResolver is an autogenerated mock type for the ACLResolver type
|
||||||
|
@ -13,13 +12,13 @@ type MockACLResolver struct {
|
||||||
mock.Mock
|
mock.Mock
|
||||||
}
|
}
|
||||||
|
|
||||||
// ResolveTokenAndDefaultMeta provides a mock function with given fields: _a0, _a1, _a2
|
// ResolveTokenAndDefaultMeta provides a mock function with given fields: token, entMeta, authzContext
|
||||||
func (_m *MockACLResolver) ResolveTokenAndDefaultMeta(_a0 string, _a1 *acl.EnterpriseMeta, _a2 *acl.AuthorizerContext) (acl.Authorizer, error) {
|
func (_m *MockACLResolver) ResolveTokenAndDefaultMeta(token string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
|
||||||
ret := _m.Called(_a0, _a1, _a2)
|
ret := _m.Called(token, entMeta, authzContext)
|
||||||
|
|
||||||
var r0 acl.Authorizer
|
var r0 acl.Authorizer
|
||||||
if rf, ok := ret.Get(0).(func(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) acl.Authorizer); ok {
|
if rf, ok := ret.Get(0).(func(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) acl.Authorizer); ok {
|
||||||
r0 = rf(_a0, _a1, _a2)
|
r0 = rf(token, entMeta, authzContext)
|
||||||
} else {
|
} else {
|
||||||
if ret.Get(0) != nil {
|
if ret.Get(0) != nil {
|
||||||
r0 = ret.Get(0).(acl.Authorizer)
|
r0 = ret.Get(0).(acl.Authorizer)
|
||||||
|
@ -28,7 +27,7 @@ func (_m *MockACLResolver) ResolveTokenAndDefaultMeta(_a0 string, _a1 *acl.Enter
|
||||||
|
|
||||||
var r1 error
|
var r1 error
|
||||||
if rf, ok := ret.Get(1).(func(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) error); ok {
|
if rf, ok := ret.Get(1).(func(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) error); ok {
|
||||||
r1 = rf(_a0, _a1, _a2)
|
r1 = rf(token, entMeta, authzContext)
|
||||||
} else {
|
} else {
|
||||||
r1 = ret.Error(1)
|
r1 = ret.Error(1)
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,40 @@
|
||||||
|
// Code generated by mockery v1.0.0. DO NOT EDIT.
|
||||||
|
|
||||||
|
package connectca
|
||||||
|
|
||||||
|
import (
|
||||||
|
acl "github.com/hashicorp/consul/acl"
|
||||||
|
mock "github.com/stretchr/testify/mock"
|
||||||
|
|
||||||
|
structs "github.com/hashicorp/consul/agent/structs"
|
||||||
|
|
||||||
|
x509 "crypto/x509"
|
||||||
|
)
|
||||||
|
|
||||||
|
// MockCAManager is an autogenerated mock type for the CAManager type
|
||||||
|
type MockCAManager struct {
|
||||||
|
mock.Mock
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeAndSignCertificate provides a mock function with given fields: csr, authz
|
||||||
|
func (_m *MockCAManager) AuthorizeAndSignCertificate(csr *x509.CertificateRequest, authz acl.Authorizer) (*structs.IssuedCert, error) {
|
||||||
|
ret := _m.Called(csr, authz)
|
||||||
|
|
||||||
|
var r0 *structs.IssuedCert
|
||||||
|
if rf, ok := ret.Get(0).(func(*x509.CertificateRequest, acl.Authorizer) *structs.IssuedCert); ok {
|
||||||
|
r0 = rf(csr, authz)
|
||||||
|
} else {
|
||||||
|
if ret.Get(0) != nil {
|
||||||
|
r0 = ret.Get(0).(*structs.IssuedCert)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var r1 error
|
||||||
|
if rf, ok := ret.Get(1).(func(*x509.CertificateRequest, acl.Authorizer) error); ok {
|
||||||
|
r1 = rf(csr, authz)
|
||||||
|
} else {
|
||||||
|
r1 = ret.Error(1)
|
||||||
|
}
|
||||||
|
|
||||||
|
return r0, r1
|
||||||
|
}
|
|
@ -1,7 +1,11 @@
|
||||||
package connectca
|
package connectca
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/x509"
|
||||||
|
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
|
"google.golang.org/grpc/codes"
|
||||||
|
"google.golang.org/grpc/status"
|
||||||
|
|
||||||
"github.com/hashicorp/go-hclog"
|
"github.com/hashicorp/go-hclog"
|
||||||
"github.com/hashicorp/go-memdb"
|
"github.com/hashicorp/go-memdb"
|
||||||
|
@ -21,6 +25,9 @@ type Config struct {
|
||||||
GetStore func() StateStore
|
GetStore func() StateStore
|
||||||
Logger hclog.Logger
|
Logger hclog.Logger
|
||||||
ACLResolver ACLResolver
|
ACLResolver ACLResolver
|
||||||
|
CAManager CAManager
|
||||||
|
ForwardRPC func(structs.RPCInfo, func(*grpc.ClientConn) error) (bool, error)
|
||||||
|
ConnectEnabled bool
|
||||||
}
|
}
|
||||||
|
|
||||||
type EventPublisher interface {
|
type EventPublisher interface {
|
||||||
|
@ -34,7 +41,12 @@ type StateStore interface {
|
||||||
|
|
||||||
//go:generate mockery -name ACLResolver -inpkg
|
//go:generate mockery -name ACLResolver -inpkg
|
||||||
type ACLResolver interface {
|
type ACLResolver interface {
|
||||||
ResolveTokenAndDefaultMeta(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) (acl.Authorizer, error)
|
ResolveTokenAndDefaultMeta(token string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error)
|
||||||
|
}
|
||||||
|
|
||||||
|
//go:generate mockery -name CAManager -inpkg
|
||||||
|
type CAManager interface {
|
||||||
|
AuthorizeAndSignCertificate(csr *x509.CertificateRequest, authz acl.Authorizer) (*structs.IssuedCert, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewServer(cfg Config) *Server {
|
func NewServer(cfg Config) *Server {
|
||||||
|
@ -44,3 +56,10 @@ func NewServer(cfg Config) *Server {
|
||||||
func (s *Server) Register(grpcServer *grpc.Server) {
|
func (s *Server) Register(grpcServer *grpc.Server) {
|
||||||
pbconnectca.RegisterConnectCAServiceServer(grpcServer, s)
|
pbconnectca.RegisterConnectCAServiceServer(grpcServer, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *Server) requireConnect() error {
|
||||||
|
if s.ConnectEnabled {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return status.Error(codes.FailedPrecondition, "Connect must be enabled in order to use this endpoint")
|
||||||
|
}
|
||||||
|
|
|
@ -12,9 +12,14 @@ import (
|
||||||
|
|
||||||
"github.com/hashicorp/consul/agent/consul/state"
|
"github.com/hashicorp/consul/agent/consul/state"
|
||||||
"github.com/hashicorp/consul/agent/consul/stream"
|
"github.com/hashicorp/consul/agent/consul/stream"
|
||||||
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
"github.com/hashicorp/consul/proto-public/pbconnectca"
|
"github.com/hashicorp/consul/proto-public/pbconnectca"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func noopForwardRPC(structs.RPCInfo, func(*grpc.ClientConn) error) (bool, error) {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
func testStateStore(t *testing.T, publisher state.EventPublisher) *state.Store {
|
func testStateStore(t *testing.T, publisher state.EventPublisher) *state.Store {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,95 @@
|
||||||
|
package connectca
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"google.golang.org/grpc"
|
||||||
|
"google.golang.org/grpc/codes"
|
||||||
|
"google.golang.org/grpc/status"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/acl"
|
||||||
|
"github.com/hashicorp/consul/agent/connect"
|
||||||
|
"github.com/hashicorp/consul/agent/grpc/public"
|
||||||
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
|
"github.com/hashicorp/consul/proto-public/pbconnectca"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Sign a leaf certificate for the service or agent identified by the SPIFFE
|
||||||
|
// ID in the given CSR's SAN.
|
||||||
|
func (s *Server) Sign(ctx context.Context, req *pbconnectca.SignRequest) (*pbconnectca.SignResponse, error) {
|
||||||
|
if err := s.requireConnect(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
logger := s.Logger.Named("sign").With("request_id", traceID())
|
||||||
|
logger.Trace("request received")
|
||||||
|
|
||||||
|
token := public.TokenFromContext(ctx)
|
||||||
|
|
||||||
|
if req.Csr == "" {
|
||||||
|
return nil, status.Error(codes.InvalidArgument, "CSR is required")
|
||||||
|
}
|
||||||
|
|
||||||
|
// For private/internal gRPC handlers, protoc-gen-rpc-glue generates the
|
||||||
|
// requisite methods to satisfy the structs.RPCInfo interface using fields
|
||||||
|
// from the pbcommon package. This service is public, so we can't use those
|
||||||
|
// fields in our proto definition. Instead, we construct our RPCInfo manually.
|
||||||
|
//
|
||||||
|
// Embedding WriteRequest ensures RPCs are forwarded to the leader, embedding
|
||||||
|
// DCSpecificRequest adds the RequestDatacenter method (but as we're not
|
||||||
|
// setting Datacenter it has the effect of *not* doing DC forwarding).
|
||||||
|
var rpcInfo struct {
|
||||||
|
structs.WriteRequest
|
||||||
|
structs.DCSpecificRequest
|
||||||
|
}
|
||||||
|
rpcInfo.Token = token
|
||||||
|
|
||||||
|
var rsp *pbconnectca.SignResponse
|
||||||
|
handled, err := s.ForwardRPC(&rpcInfo, func(conn *grpc.ClientConn) error {
|
||||||
|
logger.Trace("forwarding RPC")
|
||||||
|
var err error
|
||||||
|
rsp, err = pbconnectca.NewConnectCAServiceClient(conn).Sign(ctx, req)
|
||||||
|
return err
|
||||||
|
})
|
||||||
|
if handled || err != nil {
|
||||||
|
return rsp, err
|
||||||
|
}
|
||||||
|
|
||||||
|
csr, err := connect.ParseCSR(req.Csr)
|
||||||
|
if err != nil {
|
||||||
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
authz, err := s.ACLResolver.ResolveTokenAndDefaultMeta(token, nil, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, status.Error(codes.Unauthenticated, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
cert, err := s.CAManager.AuthorizeAndSignCertificate(csr, authz)
|
||||||
|
switch {
|
||||||
|
case connect.IsInvalidCSRError(err):
|
||||||
|
return nil, status.Error(codes.InvalidArgument, err.Error())
|
||||||
|
case acl.IsErrPermissionDenied(err):
|
||||||
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
||||||
|
case isRateLimitError(err):
|
||||||
|
return nil, status.Error(codes.ResourceExhausted, err.Error())
|
||||||
|
case err != nil:
|
||||||
|
logger.Error("failed to sign leaf certificate", "error", err.Error())
|
||||||
|
return nil, status.Error(codes.Internal, "failed to sign leaf certificate")
|
||||||
|
}
|
||||||
|
|
||||||
|
return &pbconnectca.SignResponse{
|
||||||
|
CertPem: cert.CertPEM,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO(agentless): CAManager currently lives in the `agent/consul` package and
|
||||||
|
// returns ErrRateLimited which we can't reference directly here because it'd
|
||||||
|
// create an import cycle. Checking the error message like this is fragile, but
|
||||||
|
// because of net/rpc's limited error handling support it's what we already do
|
||||||
|
// on the client. We should either move the error constant so that can use it
|
||||||
|
// here, or perhaps make it a typed error?
|
||||||
|
func isRateLimitError(err error) bool {
|
||||||
|
return err != nil && strings.Contains(err.Error(), "limit reached")
|
||||||
|
}
|
|
@ -0,0 +1,252 @@
|
||||||
|
package connectca
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"errors"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"google.golang.org/grpc"
|
||||||
|
"google.golang.org/grpc/codes"
|
||||||
|
"google.golang.org/grpc/status"
|
||||||
|
|
||||||
|
"github.com/hashicorp/go-hclog"
|
||||||
|
"github.com/stretchr/testify/mock"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
|
acl "github.com/hashicorp/consul/acl"
|
||||||
|
"github.com/hashicorp/consul/agent/connect"
|
||||||
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
|
"github.com/hashicorp/consul/proto-public/pbconnectca"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestSign_ConnectDisabled(t *testing.T) {
|
||||||
|
server := NewServer(Config{ConnectEnabled: false})
|
||||||
|
|
||||||
|
_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{})
|
||||||
|
require.Error(t, err)
|
||||||
|
require.Equal(t, codes.FailedPrecondition.String(), status.Code(err).String())
|
||||||
|
require.Contains(t, status.Convert(err).Message(), "Connect")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSign_Validation(t *testing.T) {
|
||||||
|
aclResolver := &MockACLResolver{}
|
||||||
|
aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(acl.AllowAll(), nil)
|
||||||
|
|
||||||
|
server := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ACLResolver: aclResolver,
|
||||||
|
ForwardRPC: noopForwardRPC,
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
|
||||||
|
testCases := map[string]struct {
|
||||||
|
csr, err string
|
||||||
|
}{
|
||||||
|
"no csr": {
|
||||||
|
csr: "",
|
||||||
|
err: "CSR is required",
|
||||||
|
},
|
||||||
|
"invalid csr": {
|
||||||
|
csr: "bogus",
|
||||||
|
err: "no PEM-encoded data found",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for desc, tc := range testCases {
|
||||||
|
t.Run(desc, func(t *testing.T) {
|
||||||
|
_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: tc.csr,
|
||||||
|
})
|
||||||
|
require.Error(t, err)
|
||||||
|
require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
|
||||||
|
require.Equal(t, tc.err, status.Convert(err).Message())
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSign_Unauthenticated(t *testing.T) {
|
||||||
|
aclResolver := &MockACLResolver{}
|
||||||
|
aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(nil, acl.ErrNotFound)
|
||||||
|
|
||||||
|
server := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ACLResolver: aclResolver,
|
||||||
|
ForwardRPC: noopForwardRPC,
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
|
||||||
|
csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
|
||||||
|
|
||||||
|
_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: csr,
|
||||||
|
})
|
||||||
|
require.Error(t, err)
|
||||||
|
require.Equal(t, codes.Unauthenticated.String(), status.Code(err).String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSign_PermissionDenied(t *testing.T) {
|
||||||
|
aclResolver := &MockACLResolver{}
|
||||||
|
aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(acl.AllowAll(), nil)
|
||||||
|
|
||||||
|
caManager := &MockCAManager{}
|
||||||
|
caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
|
||||||
|
Return(nil, acl.ErrPermissionDenied)
|
||||||
|
|
||||||
|
server := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ACLResolver: aclResolver,
|
||||||
|
CAManager: caManager,
|
||||||
|
ForwardRPC: noopForwardRPC,
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
|
||||||
|
csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
|
||||||
|
|
||||||
|
_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: csr,
|
||||||
|
})
|
||||||
|
require.Error(t, err)
|
||||||
|
require.Equal(t, codes.PermissionDenied.String(), status.Code(err).String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSign_InvalidCSR(t *testing.T) {
|
||||||
|
aclResolver := &MockACLResolver{}
|
||||||
|
aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(acl.AllowAll(), nil)
|
||||||
|
|
||||||
|
caManager := &MockCAManager{}
|
||||||
|
caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
|
||||||
|
Return(nil, connect.InvalidCSRError("nope"))
|
||||||
|
|
||||||
|
server := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ACLResolver: aclResolver,
|
||||||
|
CAManager: caManager,
|
||||||
|
ForwardRPC: noopForwardRPC,
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
|
||||||
|
csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
|
||||||
|
|
||||||
|
_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: csr,
|
||||||
|
})
|
||||||
|
require.Error(t, err)
|
||||||
|
require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSign_RateLimited(t *testing.T) {
|
||||||
|
aclResolver := &MockACLResolver{}
|
||||||
|
aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(acl.AllowAll(), nil)
|
||||||
|
|
||||||
|
caManager := &MockCAManager{}
|
||||||
|
caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
|
||||||
|
Return(nil, errors.New("Rate limit reached, try again later"))
|
||||||
|
|
||||||
|
server := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ACLResolver: aclResolver,
|
||||||
|
CAManager: caManager,
|
||||||
|
ForwardRPC: noopForwardRPC,
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
|
||||||
|
csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
|
||||||
|
|
||||||
|
_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: csr,
|
||||||
|
})
|
||||||
|
require.Error(t, err)
|
||||||
|
require.Equal(t, codes.ResourceExhausted.String(), status.Code(err).String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSign_InternalError(t *testing.T) {
|
||||||
|
aclResolver := &MockACLResolver{}
|
||||||
|
aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(acl.AllowAll(), nil)
|
||||||
|
|
||||||
|
caManager := &MockCAManager{}
|
||||||
|
caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
|
||||||
|
Return(nil, errors.New("something went very wrong"))
|
||||||
|
|
||||||
|
server := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ACLResolver: aclResolver,
|
||||||
|
CAManager: caManager,
|
||||||
|
ForwardRPC: noopForwardRPC,
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
|
||||||
|
csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
|
||||||
|
|
||||||
|
_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: csr,
|
||||||
|
})
|
||||||
|
require.Error(t, err)
|
||||||
|
require.Equal(t, codes.Internal.String(), status.Code(err).String())
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSign_Success(t *testing.T) {
|
||||||
|
aclResolver := &MockACLResolver{}
|
||||||
|
aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(acl.AllowAll(), nil)
|
||||||
|
|
||||||
|
caManager := &MockCAManager{}
|
||||||
|
caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
|
||||||
|
Return(&structs.IssuedCert{CertPEM: "this is the PEM"}, nil)
|
||||||
|
|
||||||
|
server := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ACLResolver: aclResolver,
|
||||||
|
CAManager: caManager,
|
||||||
|
ForwardRPC: noopForwardRPC,
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
|
||||||
|
csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
|
||||||
|
|
||||||
|
rsp, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: csr,
|
||||||
|
})
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, "this is the PEM", rsp.CertPem)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSign_RPCForwarding(t *testing.T) {
|
||||||
|
aclResolver := &MockACLResolver{}
|
||||||
|
aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(acl.AllowAll(), nil)
|
||||||
|
|
||||||
|
caManager := &MockCAManager{}
|
||||||
|
caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
|
||||||
|
Return(&structs.IssuedCert{CertPEM: "leader response"}, nil)
|
||||||
|
|
||||||
|
leader := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ACLResolver: aclResolver,
|
||||||
|
CAManager: caManager,
|
||||||
|
ForwardRPC: noopForwardRPC,
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
leaderConn, err := grpc.Dial(runTestServer(t, leader).String(), grpc.WithInsecure())
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
follower := NewServer(Config{
|
||||||
|
Logger: hclog.NewNullLogger(),
|
||||||
|
ForwardRPC: func(_ structs.RPCInfo, fn func(*grpc.ClientConn) error) (bool, error) {
|
||||||
|
return true, fn(leaderConn)
|
||||||
|
},
|
||||||
|
ConnectEnabled: true,
|
||||||
|
})
|
||||||
|
|
||||||
|
csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
|
||||||
|
|
||||||
|
rsp, err := follower.Sign(context.Background(), &pbconnectca.SignRequest{
|
||||||
|
Csr: csr,
|
||||||
|
})
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, "leader response", rsp.CertPem)
|
||||||
|
}
|
|
@ -26,8 +26,11 @@ import (
|
||||||
// Connect CA roots. Current roots are sent immediately at the start of the
|
// Connect CA roots. Current roots are sent immediately at the start of the
|
||||||
// stream, and new lists will be sent whenever the roots are rotated.
|
// stream, and new lists will be sent whenever the roots are rotated.
|
||||||
func (s *Server) WatchRoots(_ *emptypb.Empty, serverStream pbconnectca.ConnectCAService_WatchRootsServer) error {
|
func (s *Server) WatchRoots(_ *emptypb.Empty, serverStream pbconnectca.ConnectCAService_WatchRootsServer) error {
|
||||||
logger := s.Logger.Named("watch-roots").With("stream_id", streamID())
|
if err := s.requireConnect(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
logger := s.Logger.Named("watch-roots").With("stream_id", traceID())
|
||||||
logger.Trace("starting stream")
|
logger.Trace("starting stream")
|
||||||
defer logger.Trace("stream closed")
|
defer logger.Trace("stream closed")
|
||||||
|
|
||||||
|
@ -179,8 +182,8 @@ func (s *Server) authorize(token string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// We tag logs with a unique identifier to ease debugging. In the future this
|
// We tag logs with a unique identifier to ease debugging. In the future this
|
||||||
// should probably be an Open Telemetry trace ID.
|
// should probably be a real Open Telemetry trace ID.
|
||||||
func streamID() string {
|
func traceID() string {
|
||||||
id, err := uuid.GenerateUUID()
|
id, err := uuid.GenerateUUID()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ""
|
return ""
|
||||||
|
|
|
@ -26,6 +26,20 @@ import (
|
||||||
|
|
||||||
const testACLToken = "acl-token"
|
const testACLToken = "acl-token"
|
||||||
|
|
||||||
|
func TestWatchRoots_ConnectDisabled(t *testing.T) {
|
||||||
|
server := NewServer(Config{ConnectEnabled: false})
|
||||||
|
|
||||||
|
// Begin the stream.
|
||||||
|
client := testClient(t, server)
|
||||||
|
stream, err := client.WatchRoots(context.Background(), &emptypb.Empty{})
|
||||||
|
require.NoError(t, err)
|
||||||
|
rspCh := handleRootsStream(t, stream)
|
||||||
|
|
||||||
|
err = mustGetError(t, rspCh)
|
||||||
|
require.Equal(t, codes.FailedPrecondition.String(), status.Code(err).String())
|
||||||
|
require.Contains(t, status.Convert(err).Message(), "Connect")
|
||||||
|
}
|
||||||
|
|
||||||
func TestWatchRoots_Success(t *testing.T) {
|
func TestWatchRoots_Success(t *testing.T) {
|
||||||
fsm, publisher := setupFSMAndPublisher(t)
|
fsm, publisher := setupFSMAndPublisher(t)
|
||||||
|
|
||||||
|
@ -49,6 +63,7 @@ func TestWatchRoots_Success(t *testing.T) {
|
||||||
GetStore: func() StateStore { return fsm.GetStore() },
|
GetStore: func() StateStore { return fsm.GetStore() },
|
||||||
Logger: testutil.Logger(t),
|
Logger: testutil.Logger(t),
|
||||||
ACLResolver: aclResolver,
|
ACLResolver: aclResolver,
|
||||||
|
ConnectEnabled: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
// Begin the stream.
|
// Begin the stream.
|
||||||
|
@ -96,6 +111,7 @@ func TestWatchRoots_InvalidACLToken(t *testing.T) {
|
||||||
GetStore: func() StateStore { return fsm.GetStore() },
|
GetStore: func() StateStore { return fsm.GetStore() },
|
||||||
Logger: testutil.Logger(t),
|
Logger: testutil.Logger(t),
|
||||||
ACLResolver: aclResolver,
|
ACLResolver: aclResolver,
|
||||||
|
ConnectEnabled: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
// Start the stream.
|
// Start the stream.
|
||||||
|
@ -133,6 +149,7 @@ func TestWatchRoots_ACLTokenInvalidated(t *testing.T) {
|
||||||
GetStore: func() StateStore { return fsm.GetStore() },
|
GetStore: func() StateStore { return fsm.GetStore() },
|
||||||
Logger: testutil.Logger(t),
|
Logger: testutil.Logger(t),
|
||||||
ACLResolver: aclResolver,
|
ACLResolver: aclResolver,
|
||||||
|
ConnectEnabled: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
// Start the stream.
|
// Start the stream.
|
||||||
|
@ -200,6 +217,7 @@ func TestWatchRoots_StateStoreAbandoned(t *testing.T) {
|
||||||
GetStore: func() StateStore { return fsm.GetStore() },
|
GetStore: func() StateStore { return fsm.GetStore() },
|
||||||
Logger: testutil.Logger(t),
|
Logger: testutil.Logger(t),
|
||||||
ACLResolver: aclResolver,
|
ACLResolver: aclResolver,
|
||||||
|
ConnectEnabled: true,
|
||||||
})
|
})
|
||||||
|
|
||||||
// Begin the stream.
|
// Begin the stream.
|
||||||
|
|
|
@ -26,3 +26,23 @@ func (msg *CARoot) MarshalBinary() ([]byte, error) {
|
||||||
func (msg *CARoot) UnmarshalBinary(b []byte) error {
|
func (msg *CARoot) UnmarshalBinary(b []byte) error {
|
||||||
return proto.Unmarshal(b, msg)
|
return proto.Unmarshal(b, msg)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// MarshalBinary implements encoding.BinaryMarshaler
|
||||||
|
func (msg *SignRequest) MarshalBinary() ([]byte, error) {
|
||||||
|
return proto.Marshal(msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnmarshalBinary implements encoding.BinaryUnmarshaler
|
||||||
|
func (msg *SignRequest) UnmarshalBinary(b []byte) error {
|
||||||
|
return proto.Unmarshal(b, msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
// MarshalBinary implements encoding.BinaryMarshaler
|
||||||
|
func (msg *SignResponse) MarshalBinary() ([]byte, error) {
|
||||||
|
return proto.Marshal(msg)
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnmarshalBinary implements encoding.BinaryUnmarshaler
|
||||||
|
func (msg *SignResponse) UnmarshalBinary(b []byte) error {
|
||||||
|
return proto.Unmarshal(b, msg)
|
||||||
|
}
|
||||||
|
|
|
@ -228,6 +228,106 @@ func (x *CARoot) GetRotatedOutAt() *timestamppb.Timestamp {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type SignRequest struct {
|
||||||
|
state protoimpl.MessageState
|
||||||
|
sizeCache protoimpl.SizeCache
|
||||||
|
unknownFields protoimpl.UnknownFields
|
||||||
|
|
||||||
|
// csr is the PEM-encoded Certificate Signing Request (CSR).
|
||||||
|
//
|
||||||
|
// The CSR's SAN must include a SPIFFE ID that identifies a service or agent
|
||||||
|
// to which the ACL token provided in the `x-consul-token` metadata has write
|
||||||
|
// access.
|
||||||
|
Csr string `protobuf:"bytes,1,opt,name=csr,proto3" json:"csr,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *SignRequest) Reset() {
|
||||||
|
*x = SignRequest{}
|
||||||
|
if protoimpl.UnsafeEnabled {
|
||||||
|
mi := &file_proto_public_pbconnectca_ca_proto_msgTypes[2]
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *SignRequest) String() string {
|
||||||
|
return protoimpl.X.MessageStringOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*SignRequest) ProtoMessage() {}
|
||||||
|
|
||||||
|
func (x *SignRequest) ProtoReflect() protoreflect.Message {
|
||||||
|
mi := &file_proto_public_pbconnectca_ca_proto_msgTypes[2]
|
||||||
|
if protoimpl.UnsafeEnabled && x != nil {
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
if ms.LoadMessageInfo() == nil {
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
return ms
|
||||||
|
}
|
||||||
|
return mi.MessageOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Deprecated: Use SignRequest.ProtoReflect.Descriptor instead.
|
||||||
|
func (*SignRequest) Descriptor() ([]byte, []int) {
|
||||||
|
return file_proto_public_pbconnectca_ca_proto_rawDescGZIP(), []int{2}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *SignRequest) GetCsr() string {
|
||||||
|
if x != nil {
|
||||||
|
return x.Csr
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
type SignResponse struct {
|
||||||
|
state protoimpl.MessageState
|
||||||
|
sizeCache protoimpl.SizeCache
|
||||||
|
unknownFields protoimpl.UnknownFields
|
||||||
|
|
||||||
|
// cert_pem is the PEM-encoded leaf certificate.
|
||||||
|
CertPem string `protobuf:"bytes,2,opt,name=cert_pem,json=certPem,proto3" json:"cert_pem,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *SignResponse) Reset() {
|
||||||
|
*x = SignResponse{}
|
||||||
|
if protoimpl.UnsafeEnabled {
|
||||||
|
mi := &file_proto_public_pbconnectca_ca_proto_msgTypes[3]
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *SignResponse) String() string {
|
||||||
|
return protoimpl.X.MessageStringOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*SignResponse) ProtoMessage() {}
|
||||||
|
|
||||||
|
func (x *SignResponse) ProtoReflect() protoreflect.Message {
|
||||||
|
mi := &file_proto_public_pbconnectca_ca_proto_msgTypes[3]
|
||||||
|
if protoimpl.UnsafeEnabled && x != nil {
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
if ms.LoadMessageInfo() == nil {
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
return ms
|
||||||
|
}
|
||||||
|
return mi.MessageOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Deprecated: Use SignResponse.ProtoReflect.Descriptor instead.
|
||||||
|
func (*SignResponse) Descriptor() ([]byte, []int) {
|
||||||
|
return file_proto_public_pbconnectca_ca_proto_rawDescGZIP(), []int{3}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *SignResponse) GetCertPem() string {
|
||||||
|
if x != nil {
|
||||||
|
return x.CertPem
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
var File_proto_public_pbconnectca_ca_proto protoreflect.FileDescriptor
|
var File_proto_public_pbconnectca_ca_proto protoreflect.FileDescriptor
|
||||||
|
|
||||||
var file_proto_public_pbconnectca_ca_proto_rawDesc = []byte{
|
var file_proto_public_pbconnectca_ca_proto_rawDesc = []byte{
|
||||||
|
@ -264,17 +364,25 @@ var file_proto_public_pbconnectca_ca_proto_rawDesc = []byte{
|
||||||
0x75, 0x74, 0x5f, 0x61, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
|
0x75, 0x74, 0x5f, 0x61, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
|
||||||
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
|
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
|
||||||
0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0c, 0x72, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x64,
|
0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0c, 0x72, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x64,
|
||||||
0x4f, 0x75, 0x74, 0x41, 0x74, 0x32, 0x5b, 0x0a, 0x10, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74,
|
0x4f, 0x75, 0x74, 0x41, 0x74, 0x22, 0x1f, 0x0a, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x71,
|
||||||
0x43, 0x41, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x47, 0x0a, 0x0a, 0x57, 0x61, 0x74,
|
0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x63, 0x73, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
|
||||||
0x63, 0x68, 0x52, 0x6f, 0x6f, 0x74, 0x73, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
|
0x09, 0x52, 0x03, 0x63, 0x73, 0x72, 0x22, 0x29, 0x0a, 0x0c, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65,
|
||||||
0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a,
|
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x70,
|
||||||
0x1d, 0x2e, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x63, 0x61, 0x2e, 0x57, 0x61, 0x74, 0x63,
|
0x65, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x65, 0x72, 0x74, 0x50, 0x65,
|
||||||
0x68, 0x52, 0x6f, 0x6f, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
|
0x6d, 0x32, 0x96, 0x01, 0x0a, 0x10, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x43, 0x41, 0x53,
|
||||||
0x30, 0x01, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
|
0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x47, 0x0a, 0x0a, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52,
|
||||||
0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75,
|
0x6f, 0x6f, 0x74, 0x73, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
|
||||||
0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70,
|
0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x63,
|
||||||
0x62, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x63, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
|
0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x63, 0x61, 0x2e, 0x57, 0x61, 0x74, 0x63, 0x68, 0x52, 0x6f,
|
||||||
0x6f, 0x33,
|
0x6f, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12,
|
||||||
|
0x39, 0x0a, 0x04, 0x53, 0x69, 0x67, 0x6e, 0x12, 0x16, 0x2e, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
|
||||||
|
0x74, 0x63, 0x61, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
|
||||||
|
0x17, 0x2e, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x63, 0x61, 0x2e, 0x53, 0x69, 0x67, 0x6e,
|
||||||
|
0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69,
|
||||||
|
0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
|
||||||
|
0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d,
|
||||||
|
0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74,
|
||||||
|
0x63, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -289,20 +397,24 @@ func file_proto_public_pbconnectca_ca_proto_rawDescGZIP() []byte {
|
||||||
return file_proto_public_pbconnectca_ca_proto_rawDescData
|
return file_proto_public_pbconnectca_ca_proto_rawDescData
|
||||||
}
|
}
|
||||||
|
|
||||||
var file_proto_public_pbconnectca_ca_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
|
var file_proto_public_pbconnectca_ca_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
|
||||||
var file_proto_public_pbconnectca_ca_proto_goTypes = []interface{}{
|
var file_proto_public_pbconnectca_ca_proto_goTypes = []interface{}{
|
||||||
(*WatchRootsResponse)(nil), // 0: connectca.WatchRootsResponse
|
(*WatchRootsResponse)(nil), // 0: connectca.WatchRootsResponse
|
||||||
(*CARoot)(nil), // 1: connectca.CARoot
|
(*CARoot)(nil), // 1: connectca.CARoot
|
||||||
(*timestamppb.Timestamp)(nil), // 2: google.protobuf.Timestamp
|
(*SignRequest)(nil), // 2: connectca.SignRequest
|
||||||
(*emptypb.Empty)(nil), // 3: google.protobuf.Empty
|
(*SignResponse)(nil), // 3: connectca.SignResponse
|
||||||
|
(*timestamppb.Timestamp)(nil), // 4: google.protobuf.Timestamp
|
||||||
|
(*emptypb.Empty)(nil), // 5: google.protobuf.Empty
|
||||||
}
|
}
|
||||||
var file_proto_public_pbconnectca_ca_proto_depIdxs = []int32{
|
var file_proto_public_pbconnectca_ca_proto_depIdxs = []int32{
|
||||||
1, // 0: connectca.WatchRootsResponse.roots:type_name -> connectca.CARoot
|
1, // 0: connectca.WatchRootsResponse.roots:type_name -> connectca.CARoot
|
||||||
2, // 1: connectca.CARoot.rotated_out_at:type_name -> google.protobuf.Timestamp
|
4, // 1: connectca.CARoot.rotated_out_at:type_name -> google.protobuf.Timestamp
|
||||||
3, // 2: connectca.ConnectCAService.WatchRoots:input_type -> google.protobuf.Empty
|
5, // 2: connectca.ConnectCAService.WatchRoots:input_type -> google.protobuf.Empty
|
||||||
0, // 3: connectca.ConnectCAService.WatchRoots:output_type -> connectca.WatchRootsResponse
|
2, // 3: connectca.ConnectCAService.Sign:input_type -> connectca.SignRequest
|
||||||
3, // [3:4] is the sub-list for method output_type
|
0, // 4: connectca.ConnectCAService.WatchRoots:output_type -> connectca.WatchRootsResponse
|
||||||
2, // [2:3] is the sub-list for method input_type
|
3, // 5: connectca.ConnectCAService.Sign:output_type -> connectca.SignResponse
|
||||||
|
4, // [4:6] is the sub-list for method output_type
|
||||||
|
2, // [2:4] is the sub-list for method input_type
|
||||||
2, // [2:2] is the sub-list for extension type_name
|
2, // [2:2] is the sub-list for extension type_name
|
||||||
2, // [2:2] is the sub-list for extension extendee
|
2, // [2:2] is the sub-list for extension extendee
|
||||||
0, // [0:2] is the sub-list for field type_name
|
0, // [0:2] is the sub-list for field type_name
|
||||||
|
@ -338,6 +450,30 @@ func file_proto_public_pbconnectca_ca_proto_init() {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
file_proto_public_pbconnectca_ca_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
|
||||||
|
switch v := v.(*SignRequest); i {
|
||||||
|
case 0:
|
||||||
|
return &v.state
|
||||||
|
case 1:
|
||||||
|
return &v.sizeCache
|
||||||
|
case 2:
|
||||||
|
return &v.unknownFields
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
file_proto_public_pbconnectca_ca_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
|
||||||
|
switch v := v.(*SignResponse); i {
|
||||||
|
case 0:
|
||||||
|
return &v.state
|
||||||
|
case 1:
|
||||||
|
return &v.sizeCache
|
||||||
|
case 2:
|
||||||
|
return &v.unknownFields
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
type x struct{}
|
type x struct{}
|
||||||
out := protoimpl.TypeBuilder{
|
out := protoimpl.TypeBuilder{
|
||||||
|
@ -345,7 +481,7 @@ func file_proto_public_pbconnectca_ca_proto_init() {
|
||||||
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
||||||
RawDescriptor: file_proto_public_pbconnectca_ca_proto_rawDesc,
|
RawDescriptor: file_proto_public_pbconnectca_ca_proto_rawDesc,
|
||||||
NumEnums: 0,
|
NumEnums: 0,
|
||||||
NumMessages: 2,
|
NumMessages: 4,
|
||||||
NumExtensions: 0,
|
NumExtensions: 0,
|
||||||
NumServices: 1,
|
NumServices: 1,
|
||||||
},
|
},
|
||||||
|
@ -375,6 +511,9 @@ type ConnectCAServiceClient interface {
|
||||||
// Connect CA roots. Current roots are sent immediately at the start of the
|
// Connect CA roots. Current roots are sent immediately at the start of the
|
||||||
// stream, and new lists will be sent whenever the roots are rotated.
|
// stream, and new lists will be sent whenever the roots are rotated.
|
||||||
WatchRoots(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (ConnectCAService_WatchRootsClient, error)
|
WatchRoots(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (ConnectCAService_WatchRootsClient, error)
|
||||||
|
// Sign a leaf certificate for the service or agent identified by the SPIFFE
|
||||||
|
// ID in the given CSR's SAN.
|
||||||
|
Sign(ctx context.Context, in *SignRequest, opts ...grpc.CallOption) (*SignResponse, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
type connectCAServiceClient struct {
|
type connectCAServiceClient struct {
|
||||||
|
@ -417,12 +556,24 @@ func (x *connectCAServiceWatchRootsClient) Recv() (*WatchRootsResponse, error) {
|
||||||
return m, nil
|
return m, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *connectCAServiceClient) Sign(ctx context.Context, in *SignRequest, opts ...grpc.CallOption) (*SignResponse, error) {
|
||||||
|
out := new(SignResponse)
|
||||||
|
err := c.cc.Invoke(ctx, "/connectca.ConnectCAService/Sign", in, out, opts...)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return out, nil
|
||||||
|
}
|
||||||
|
|
||||||
// ConnectCAServiceServer is the server API for ConnectCAService service.
|
// ConnectCAServiceServer is the server API for ConnectCAService service.
|
||||||
type ConnectCAServiceServer interface {
|
type ConnectCAServiceServer interface {
|
||||||
// WatchRoots provides a stream on which you can receive the list of active
|
// WatchRoots provides a stream on which you can receive the list of active
|
||||||
// Connect CA roots. Current roots are sent immediately at the start of the
|
// Connect CA roots. Current roots are sent immediately at the start of the
|
||||||
// stream, and new lists will be sent whenever the roots are rotated.
|
// stream, and new lists will be sent whenever the roots are rotated.
|
||||||
WatchRoots(*emptypb.Empty, ConnectCAService_WatchRootsServer) error
|
WatchRoots(*emptypb.Empty, ConnectCAService_WatchRootsServer) error
|
||||||
|
// Sign a leaf certificate for the service or agent identified by the SPIFFE
|
||||||
|
// ID in the given CSR's SAN.
|
||||||
|
Sign(context.Context, *SignRequest) (*SignResponse, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// UnimplementedConnectCAServiceServer can be embedded to have forward compatible implementations.
|
// UnimplementedConnectCAServiceServer can be embedded to have forward compatible implementations.
|
||||||
|
@ -432,6 +583,9 @@ type UnimplementedConnectCAServiceServer struct {
|
||||||
func (*UnimplementedConnectCAServiceServer) WatchRoots(*emptypb.Empty, ConnectCAService_WatchRootsServer) error {
|
func (*UnimplementedConnectCAServiceServer) WatchRoots(*emptypb.Empty, ConnectCAService_WatchRootsServer) error {
|
||||||
return status.Errorf(codes.Unimplemented, "method WatchRoots not implemented")
|
return status.Errorf(codes.Unimplemented, "method WatchRoots not implemented")
|
||||||
}
|
}
|
||||||
|
func (*UnimplementedConnectCAServiceServer) Sign(context.Context, *SignRequest) (*SignResponse, error) {
|
||||||
|
return nil, status.Errorf(codes.Unimplemented, "method Sign not implemented")
|
||||||
|
}
|
||||||
|
|
||||||
func RegisterConnectCAServiceServer(s *grpc.Server, srv ConnectCAServiceServer) {
|
func RegisterConnectCAServiceServer(s *grpc.Server, srv ConnectCAServiceServer) {
|
||||||
s.RegisterService(&_ConnectCAService_serviceDesc, srv)
|
s.RegisterService(&_ConnectCAService_serviceDesc, srv)
|
||||||
|
@ -458,10 +612,33 @@ func (x *connectCAServiceWatchRootsServer) Send(m *WatchRootsResponse) error {
|
||||||
return x.ServerStream.SendMsg(m)
|
return x.ServerStream.SendMsg(m)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func _ConnectCAService_Sign_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
|
||||||
|
in := new(SignRequest)
|
||||||
|
if err := dec(in); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if interceptor == nil {
|
||||||
|
return srv.(ConnectCAServiceServer).Sign(ctx, in)
|
||||||
|
}
|
||||||
|
info := &grpc.UnaryServerInfo{
|
||||||
|
Server: srv,
|
||||||
|
FullMethod: "/connectca.ConnectCAService/Sign",
|
||||||
|
}
|
||||||
|
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
||||||
|
return srv.(ConnectCAServiceServer).Sign(ctx, req.(*SignRequest))
|
||||||
|
}
|
||||||
|
return interceptor(ctx, in, info, handler)
|
||||||
|
}
|
||||||
|
|
||||||
var _ConnectCAService_serviceDesc = grpc.ServiceDesc{
|
var _ConnectCAService_serviceDesc = grpc.ServiceDesc{
|
||||||
ServiceName: "connectca.ConnectCAService",
|
ServiceName: "connectca.ConnectCAService",
|
||||||
HandlerType: (*ConnectCAServiceServer)(nil),
|
HandlerType: (*ConnectCAServiceServer)(nil),
|
||||||
Methods: []grpc.MethodDesc{},
|
Methods: []grpc.MethodDesc{
|
||||||
|
{
|
||||||
|
MethodName: "Sign",
|
||||||
|
Handler: _ConnectCAService_Sign_Handler,
|
||||||
|
},
|
||||||
|
},
|
||||||
Streams: []grpc.StreamDesc{
|
Streams: []grpc.StreamDesc{
|
||||||
{
|
{
|
||||||
StreamName: "WatchRoots",
|
StreamName: "WatchRoots",
|
||||||
|
|
|
@ -12,6 +12,10 @@ service ConnectCAService {
|
||||||
// Connect CA roots. Current roots are sent immediately at the start of the
|
// Connect CA roots. Current roots are sent immediately at the start of the
|
||||||
// stream, and new lists will be sent whenever the roots are rotated.
|
// stream, and new lists will be sent whenever the roots are rotated.
|
||||||
rpc WatchRoots(google.protobuf.Empty) returns (stream WatchRootsResponse) {};
|
rpc WatchRoots(google.protobuf.Empty) returns (stream WatchRootsResponse) {};
|
||||||
|
|
||||||
|
// Sign a leaf certificate for the service or agent identified by the SPIFFE
|
||||||
|
// ID in the given CSR's SAN.
|
||||||
|
rpc Sign(SignRequest) returns (SignResponse) {};
|
||||||
}
|
}
|
||||||
|
|
||||||
message WatchRootsResponse {
|
message WatchRootsResponse {
|
||||||
|
@ -70,3 +74,17 @@ message CARoot {
|
||||||
// active root.
|
// active root.
|
||||||
google.protobuf.Timestamp rotated_out_at = 8;
|
google.protobuf.Timestamp rotated_out_at = 8;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
message SignRequest {
|
||||||
|
// csr is the PEM-encoded Certificate Signing Request (CSR).
|
||||||
|
//
|
||||||
|
// The CSR's SAN must include a SPIFFE ID that identifies a service or agent
|
||||||
|
// to which the ACL token provided in the `x-consul-token` metadata has write
|
||||||
|
// access.
|
||||||
|
string csr = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
message SignResponse {
|
||||||
|
// cert_pem is the PEM-encoded leaf certificate.
|
||||||
|
string cert_pem = 2;
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue