From 837f23441ddf83a3bcdb7f8be11b34af098ffba8 Mon Sep 17 00:00:00 2001
From: Kyle Havlovitz
Date: Thu, 21 Jun 2018 16:54:59 -0700
Subject: [PATCH] connect/ca: hide the RotationPeriod config field since it isn't used yet

---
 agent/connect_ca_endpoint.go | 4 +++
 agent/connect_ca_endpoint_test.go | 29 +++++++++++--------
 api/connect_ca_test.go | 26 +++++------------
 website/source/api/connect/ca.html.md | 1 -
 website/source/docs/agent/options.html.md | 5 ----
 .../docs/commands/connect/ca.html.md.erb | 6 +---
 6 files changed, 29 insertions(+), 42 deletions(-)

diff --git a/agent/connect_ca_endpoint.go b/agent/connect_ca_endpoint.go
index 82d123369..336567cf3 100644
--- a/agent/connect_ca_endpoint.go
+++ b/agent/connect_ca_endpoint.go
@@ -88,6 +88,10 @@ func fixupConfig(conf *structs.CAConfiguration) {
 if k == "PrivateKey" && strVal != "" {
 conf.Config["PrivateKey"] = "hidden"
 }
+ // todo(kyhavlov): add this back in when it's actually used
+ if k == "RotationPeriod" {
+ delete(conf.Config, k)
+ }
 case structs.VaultCAProvider:
 if k == "Token" && strVal != "" {
 conf.Config["Token"] = "hidden"
diff --git a/agent/connect_ca_endpoint_test.go b/agent/connect_ca_endpoint_test.go
index afaa5f049..a14118d01 100644
--- a/agent/connect_ca_endpoint_test.go
+++ b/agent/connect_ca_endpoint_test.go
@@ -2,10 +2,11 @@ package agent
 
 import (
 "bytes"
+ "fmt"
 "net/http"
 "net/http/httptest"
+ "strings"
 "testing"
- "time"
 
 "github.com/hashicorp/consul/agent/connect"
 ca "github.com/hashicorp/consul/agent/connect/ca"
@@ -65,9 +66,8 @@ func TestConnectCAConfig(t *testing.T) {
 a := NewTestAgent(t.Name(), "")
 defer a.Shutdown()
 
- expected := &structs.ConsulCAProviderConfig{
- RotationPeriod: 90 * 24 * time.Hour,
- }
+ root := connect.TestCA(t, nil)
+ expected := &structs.ConsulCAProviderConfig{}
 
 // Get the initial config.
 {
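Review bot: The new branch strips `RotationPeriod` from the response map, but nothing in this hunk rejects the key on the write path, so a caller can still PUT a value that is accepted and persisted and then silently disappears from every GET; the enclosing loop and switch start outside the hunk, and the set handler is not shown, so this may be handled elsewhere and is worth confirming. Either reject the key in the set handler until rotation is implemented or say so in the comment, e.g. `// TODO(kyhavlov): RotationPeriod is accepted but not yet used; strip it from responses until rotation is implemented`. Go tooling conventionally looks for the uppercase `TODO` marker, which the lowercase `todo(kyhavlov)` will not match. Deleting a map entry while ranging over the same map is permitted by the language spec, but a one-line note saying so would save the next reader a check.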
@@ -85,13 +85,17 @@ func TestConnectCAConfig(t *testing.T) {
 
 // Set the config.
 {
- body := bytes.NewBuffer([]byte(`
- {
- "Provider": "consul",
- "Config": {
- "RotationPeriod": 3600000000000
- }
- }`))
+ conf := fmt.Sprintf(`
+ {
+ "Provider": "consul",
+ "Config": {
+ "PrivateKey": "%s",
+ "RootCert": "%s"
+ }
+ }`,
+ strings.Replace(root.SigningKey, "\n", "\\n", -1),
+ strings.Replace(root.RootCert, "\n", "\\n", -1))
+ body := bytes.NewBuffer([]byte(conf))
 req, _ := http.NewRequest("PUT", "/v1/connect/ca/configuration", body)
 resp := httptest.NewRecorder()
 _, err := a.srv.ConnectCAConfiguration(resp, req)
@@ -100,7 +104,8 @@ func TestConnectCAConfig(t *testing.T) {
 
 // The config should be updated now.
 {
- expected.RotationPeriod = time.Hour
+ expected.PrivateKey = "hidden"
+ expected.RootCert = root.RootCert
 req, _ := http.NewRequest("GET", "/v1/connect/ca/configuration", nil)
 resp := httptest.NewRecorder()
 obj, err := a.srv.ConnectCAConfiguration(resp, req)
diff --git a/api/connect_ca_test.go b/api/connect_ca_test.go
index 77d047e95..ec5d5a0f3 100644
--- a/api/connect_ca_test.go
+++ b/api/connect_ca_test.go
@@ -1,10 +1,8 @@
 package api
 
 import (
+ "strings"
 "testing"
- "time"
-
- "github.com/pascaldekloe/goe/verify"
 
 "github.com/hashicorp/consul/testutil"
 "github.com/hashicorp/consul/testutil/retry"
@@ -61,10 +59,6 @@ func TestAPI_ConnectCAConfig_get_set(t *testing.T) {
 c, s := makeClient(t)
 defer s.Stop()
 
- expected := &ConsulCAProviderConfig{
- RotationPeriod: 90 * 24 * time.Hour,
- }
-
 // This fails occasionally if server doesn't have time to bootstrap CA so
 // retry
 retry.Run(t, func(r *retry.R) {
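Review bot: The request body is assembled with fmt.Sprintf plus a hand-rolled escape, `strings.Replace(root.SigningKey, "\n", "\\n", -1)`, which handles only newlines; PEM text happens to contain no other characters JSON requires escaped, but the moment the fixture changes (or someone copies this pattern for a value that does) the body becomes invalid JSON with an unhelpful failure. Marshalling the payload with encoding/json (needs an `"encoding/json"` import alongside the new `"fmt"` and `"strings"` ones) removes the template string and the escaping entirely; note the later `_, err :=` must become `=` once err is declared earlier in the block.
```go
		{
			payload, err := json.Marshal(map[string]interface{}{
				"Provider": "consul",
				"Config": map[string]interface{}{
					"PrivateKey": root.SigningKey,
					"RootCert":   root.RootCert,
				},
			})
			if err != nil {
				t.Fatal(err)
			}
			body := bytes.NewBuffer(payload)
			// … unchanged: req and resp setup …
			_, err = a.srv.ConnectCAConfiguration(resp, req)
			// … unchanged: error check and remainder of the block …
```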
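Review bot: The behaviour this commit adds to fixupConfig, dropping `RotationPeriod` from the returned Config, is not exercised by the updated test: the PUT body in the previous hunk no longer carries the key, and the assertions that follow this GET (outside the hunk) appear to compare only the parsed ConsulCAProviderConfig, which would not surface a stray map key anyway. Put `"RotationPeriod": 3600000000000` back into the PUT body and, after type-asserting obj to the configuration type the test already uses, check the raw map with `if _, ok := conf.Config["RotationPeriod"]; ok { t.Fatal("RotationPeriod should be stripped from the response") }`. Without that, a later change that reverts the hiding would pass this test unnoticed.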
@@ -75,21 +69,15 @@ func TestAPI_ConnectCAConfig_get_set(t *testing.T) {
 if conf.Provider != "consul" {
 r.Fatalf("expected default provider, got %q", conf.Provider)
 }
- parsed, err := ParseConsulCAConfig(conf.Config)
+ _, err = ParseConsulCAConfig(conf.Config)
 r.Check(err)
- verify.Values(r, "", parsed, expected)
 
 // Change a config value and update
- conf.Config["PrivateKey"] = ""
- conf.Config["RotationPeriod"] = 120 * 24 * time.Hour
+ conf.Config["PrivateKey"] = "invalid"
 _, err = connect.CASetConfig(conf, nil)
- r.Check(err)
-
- updated, _, err := connect.CAGetConfig(nil)
- r.Check(err)
- expected.RotationPeriod = 120 * 24 * time.Hour
- parsed, err = ParseConsulCAConfig(updated.Config)
- r.Check(err)
- verify.Values(r, "", parsed, expected)
+ if err == nil || !strings.Contains(err.Error(),
+ "error parsing private key \"invalid\": no PEM-encoded data found") {
+ r.Fatal(err)
+ }
 })
 }
diff --git a/website/source/api/connect/ca.html.md b/website/source/api/connect/ca.html.md
index 522dd0927..00fdda13c 100644
--- a/website/source/api/connect/ca.html.md
+++ b/website/source/api/connect/ca.html.md
@@ -135,7 +135,6 @@ providers, see [Provider Config](/docs/connect/ca.html).
 "Config": {
 "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----...",
 "RootCert": "-----BEGIN CERTIFICATE-----...",
- "RotationPeriod": "720h"
 }
 }
 ```
diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
index cd16f90f3..e5fdc1e8c 100644
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
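Review bot: After the rejected `connect.CASetConfig(conf, nil)` call the test never reads the configuration back, so a set path that persisted before validating, or applied part of the update, would still pass; add a `connect.CAGetConfig(nil)` after the error check and assert that Provider and the PrivateKey entry match what the first GET returned (the old round-trip read that this hunk removes did exactly that for the success case). The substring match on `"error parsing private key \"invalid\": no PEM-encoded data found"` also couples the test to the exact wording of an error produced in another package; matching only the stable prefix `error parsing private key` would keep the check while surviving message tweaks. The enclosing function starts outside the hunk.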
@@ -698,11 +698,6 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
 * `root_cert` The PEM contents of the root certificate to use for the CA.
- * `rotation_period` The
- frequency with which to re-generate and rotate the private key and root certificate, in the form of a
- duration value such as `720h`. Only applies in the case where the private key or root certificate are
- left blank. Defaults to `2160h` (90 days).
-
 #### Vault CA Provider (`ca_provider = "vault"`)
 * `address` The address of the Vault
diff --git a/website/source/docs/commands/connect/ca.html.md.erb b/website/source/docs/commands/connect/ca.html.md.erb
index 6f77b478c..e279d74fd 100644
--- a/website/source/docs/commands/connect/ca.html.md.erb
+++ b/website/source/docs/commands/connect/ca.html.md.erb
@@ -55,11 +55,7 @@ The output looks like this:
 ```
 {
 "Provider": "consul",
- "Config": {
- "PrivateKey": null,
- "RootCert": null,
- "RotationPeriod": "2160h"
- },
+ "Config": {},
 "CreateIndex": 5,
 "ModifyIndex": 197
 }