Use provider state table for a global serial index

2018-05-04 16:01:38 -07:00 · 2018-05-04 16:01:38 -07:00 · baf4db1c72
parent 5998623c44
commit baf4db1c72
4 changed files with 30 additions and 38 deletions
--- a/agent/connect/ca/ca_provider_consul.go
+++ b/agent/connect/ca/ca_provider_consul.go
@ -179,7 +179,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 	// Get the provider state
 	state := c.delegate.State()
-	_, providerState, err := state.CAProviderState(c.id)
+	idx, providerState, err := state.CAProviderState(c.id)
 	if err != nil {
 		return "", err
 	}
@ -215,7 +215,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 	// Cert template for generation
 	sn := &big.Int{}
-	sn.SetUint64(providerState.SerialIndex + 1)
+	sn.SetUint64(idx + 1)
 	template := x509.Certificate{
 		SerialNumber:          sn,
 		Subject:               pkix.Name{CommonName: serviceId.Service},
@ -252,7 +252,7 @@ func (c *ConsulCAProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 		return "", fmt.Errorf("error encoding private key: %s", err)
 	}
-	err = c.incrementSerialIndex(providerState)
+	err = c.incrementProviderIndex(providerState)
 	if err != nil {
 		return "", err
 	}
@ -268,7 +268,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 	// Get the provider state
 	state := c.delegate.State()
-	_, providerState, err := state.CAProviderState(c.id)
+	idx, providerState, err := state.CAProviderState(c.id)
 	if err != nil {
 		return "", err
 	}
@ -290,7 +290,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 	// Create the cross-signing template from the existing root CA
 	serialNum := &big.Int{}
-	serialNum.SetUint64(providerState.SerialIndex + 1)
+	serialNum.SetUint64(idx + 1)
 	template := *cert
 	template.SerialNumber = serialNum
 	template.SignatureAlgorithm = rootCA.SignatureAlgorithm
@ -309,7 +309,7 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 		return "", fmt.Errorf("error encoding private key: %s", err)
 	}
-	err = c.incrementSerialIndex(providerState)
+	err = c.incrementProviderIndex(providerState)
 	if err != nil {
 		return "", err
 	}
@ -317,11 +317,10 @@ func (c *ConsulCAProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 	return buf.String(), nil
 }
-// incrementSerialIndex increments the cert serial number index in the provider
+// incrementProviderIndex does a write to increment the provider state store table index
-// state.
+// used for serial numbers when generating certificates.
-func (c *ConsulCAProvider) incrementSerialIndex(providerState *structs.CAConsulProviderState) error {
+func (c *ConsulCAProvider) incrementProviderIndex(providerState *structs.CAConsulProviderState) error {
 	newState := *providerState
 	newState.SerialIndex++
 	args := &structs.CARequest{
 		Op:            structs.CAOpSetProviderState,
 		ProviderState: &newState,
--- a/agent/consul/fsm/commands_oss_test.go
+++ b/agent/consul/fsm/commands_oss_test.go
@ -1328,10 +1328,9 @@ func TestFSM_CABuiltinProvider(t *testing.T) {
 	// Provider state.
 	expected := &structs.CAConsulProviderState{
-		ID:          "foo",
+		ID:         "foo",
-		PrivateKey:  "a",
+		PrivateKey: "a",
-		RootCert:    "b",
+		RootCert:   "b",
 		SerialIndex: 2,
 		RaftIndex: structs.RaftIndex{
 			CreateIndex: 1,
 			ModifyIndex: 1,
--- a/agent/consul/state/connect_ca_test.go
+++ b/agent/consul/state/connect_ca_test.go
@ -356,10 +356,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
 	{
 		expected := &structs.CAConsulProviderState{
-			ID:          "foo",
+			ID:         "foo",
-			PrivateKey:  "a",
+			PrivateKey: "a",
-			RootCert:    "b",
+			RootCert:   "b",
 			SerialIndex: 1,
 		}
 		ok, err := s.CASetProviderState(0, expected)
@ -374,10 +373,9 @@ func TestStore_CABuiltinProvider(t *testing.T) {
 	{
 		expected := &structs.CAConsulProviderState{
-			ID:          "bar",
+			ID:         "bar",
-			PrivateKey:  "c",
+			PrivateKey: "c",
-			RootCert:    "d",
+			RootCert:   "d",
 			SerialIndex: 2,
 		}
 		ok, err := s.CASetProviderState(1, expected)
@ -398,16 +396,14 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
 	// Create multiple state entries.
 	before := []*structs.CAConsulProviderState{
 		{
-			ID:          "bar",
+			ID:         "bar",
-			PrivateKey:  "y",
+			PrivateKey: "y",
-			RootCert:    "z",
+			RootCert:   "z",
 			SerialIndex: 2,
 		},
 		{
-			ID:          "foo",
+			ID:         "foo",
-			PrivateKey:  "a",
+			PrivateKey: "a",
-			RootCert:    "b",
+			RootCert:   "b",
 			SerialIndex: 1,
 		},
 	}
@ -423,10 +419,9 @@ func TestStore_CABuiltinProvider_Snapshot_Restore(t *testing.T) {
 	// Modify the state store.
 	after := &structs.CAConsulProviderState{
-		ID:          "foo",
+		ID:         "foo",
-		PrivateKey:  "c",
+		PrivateKey: "c",
-		RootCert:    "d",
+		RootCert:   "d",
 		SerialIndex: 1,
 	}
 	ok, err := s.CASetProviderState(100, after)
 	assert.NoError(err)
--- a/agent/structs/connect_ca.go
+++ b/agent/structs/connect_ca.go
@ -168,10 +168,9 @@ type ConsulCAProviderConfig struct {
 // CAConsulProviderState is used to track the built-in Consul CA provider's state.
 type CAConsulProviderState struct {
-	ID          string
+	ID         string
-	PrivateKey  string
+	PrivateKey string
-	RootCert    string
+	RootCert   string
 	SerialIndex uint64
 	RaftIndex
 }