luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

connect/ca: add Configure/GenerateRoot to provider interface

This commit is contained in:
Kyle Havlovitz 2018-09-06 19:18:54 -07:00
parent c9011c071f
commit e184a18e4b
No known key found for this signature in database
GPG Key ID: 8A5E6B173056AD6C
8 changed files with 168 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
agent/connect/ca/provider.go
View File

@ -8,7 +8,16 @@ import (
// an external CA that provides leaf certificate signing for // an external CA that provides leaf certificate signing for
// given SpiffeIDServices. // given SpiffeIDServices.
type Provider interface { type Provider interface {
// Active root returns the currently active root CA for this // Configure initializes the provider based on the given cluster ID, root status
// and configuration values.
Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error
// GenerateRoot causes the creation of a new root certificate for this provider.
// This can also be a no-op if a root certificate already exists for the given
// config. If isRoot is false, calling this method is an error.
GenerateRoot() error
// ActiveRoot returns the currently active root CA for this
// provider. This should be a parent of the certificate returned by // provider. This should be a parent of the certificate returned by
// ActiveIntermediate() // ActiveIntermediate()
ActiveRoot() (string, error) ActiveRoot() (string, error)

136
agent/connect/ca/provider_consul.go
View File

@ -6,6 +6,7 @@ import (
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
"errors"
"fmt" "fmt"
"math/big" "math/big"
"net/url" "net/url"
@ -17,6 +18,8 @@ import (
"github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/structs"
) )
var ErrNotInitialized = errors.New("provider not initialized")
type ConsulProvider struct { type ConsulProvider struct {
config *structs.ConsulCAProviderConfig config *structs.ConsulCAProviderConfig
id string id string
@ -31,83 +34,46 @@ type ConsulProviderStateDelegate interface {
// NewConsulProvider returns a new instance of the Consul CA provider, // NewConsulProvider returns a new instance of the Consul CA provider,
// bootstrapping its state in the state store necessary // bootstrapping its state in the state store necessary
func NewConsulProvider(rawConfig map[string]interface{}, delegate ConsulProviderStateDelegate) (*ConsulProvider, error) { func NewConsulProvider(delegate ConsulProviderStateDelegate) *ConsulProvider {
conf, err := ParseConsulCAConfig(rawConfig) return &ConsulProvider{
if err != nil {
return nil, err
}
provider := &ConsulProvider{
config: conf,
delegate: delegate, delegate: delegate,
id: fmt.Sprintf("%s,%s", conf.PrivateKey, conf.RootCert), }
} }
// Check if this configuration of the provider has already been func (c *ConsulProvider) Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error {
// initialized in the state store. // Parse the raw config and update our ID.
state := delegate.State() config, err := ParseConsulCAConfig(rawConfig)
_, providerState, err := state.CAProviderState(provider.id)
if err != nil { if err != nil {
return nil, err return err
}
c.config = config
c.id = fmt.Sprintf("%s,%s", config.PrivateKey, config.RootCert)
// Exit early if the state store has an entry for this provider's config.
_, providerState, err := c.delegate.State().CAProviderState(c.id)
if err != nil {
return err
} }
// Exit early if the state store has already been populated for this config.
if providerState != nil { if providerState != nil {
return provider, nil return nil
} }
// Write the provider state to the state store.
newState := structs.CAConsulProviderState{ newState := structs.CAConsulProviderState{
ID: provider.id, ID: c.id,
IsRoot: isRoot,
} }
// Write the initial provider state to get the index to use for the
// CA serial number.
{
args := &structs.CARequest{ args := &structs.CARequest{
Op: structs.CAOpSetProviderState, Op: structs.CAOpSetProviderState,
ProviderState: &newState, ProviderState: &newState,
} }
if err := delegate.ApplyCARequest(args); err != nil { if err := c.delegate.ApplyCARequest(args); err != nil {
return nil, err return err
}
} }
idx, _, err := state.CAProviderState(provider.id) return nil
if err != nil {
return nil, err
}
// Generate a private key if needed
if conf.PrivateKey == "" {
_, pk, err := connect.GeneratePrivateKey()
if err != nil {
return nil, err
}
newState.PrivateKey = pk
} else {
newState.PrivateKey = conf.PrivateKey
}
// Generate the root CA if necessary
if conf.RootCert == "" {
ca, err := provider.generateCA(newState.PrivateKey, idx+1)
if err != nil {
return nil, fmt.Errorf("error generating CA: %v", err)
}
newState.RootCert = ca
} else {
newState.RootCert = conf.RootCert
}
// Write the provider state
args := &structs.CARequest{
Op: structs.CAOpSetProviderState,
ProviderState: &newState,
}
if err := delegate.ApplyCARequest(args); err != nil {
return nil, err
}
return provider, nil
} }
// Return the active root CA and generate a new one if needed // Return the active root CA and generate a new one if needed
@ -121,6 +87,58 @@ func (c *ConsulProvider) ActiveRoot() (string, error) {
return providerState.RootCert, nil return providerState.RootCert, nil
} }
func (c *ConsulProvider) GenerateRoot() error {
state := c.delegate.State()
idx, providerState, err := state.CAProviderState(c.id)
if err != nil {
return err
}
if providerState == nil {
return ErrNotInitialized
}
if !providerState.IsRoot {
return fmt.Errorf("provider is not the root certificate authority")
}
if providerState.RootCert != "" {
return nil
}
// Generate a private key if needed
newState := *providerState
if c.config.PrivateKey == "" {
_, pk, err := connect.GeneratePrivateKey()
if err != nil {
return err
}
newState.PrivateKey = pk
} else {
newState.PrivateKey = c.config.PrivateKey
}
// Generate the root CA if necessary
if c.config.RootCert == "" {
ca, err := c.generateCA(newState.PrivateKey, idx+1)
if err != nil {
return fmt.Errorf("error generating CA: %v", err)
}
newState.RootCert = ca
} else {
newState.RootCert = c.config.RootCert
}
// Write the provider state
args := &structs.CARequest{
Op: structs.CAOpSetProviderState,
ProviderState: &newState,
}
if err := c.delegate.ApplyCARequest(args); err != nil {
return err
}
return nil
}
// We aren't maintaining separate root/intermediate CAs for the builtin // We aren't maintaining separate root/intermediate CAs for the builtin
// provider, so just return the root. // provider, so just return the root.
func (c *ConsulProvider) ActiveIntermediate() (string, error) { func (c *ConsulProvider) ActiveIntermediate() (string, error) {

45
agent/connect/ca/provider_consul_test.go
View File

@ -9,7 +9,6 @@ import (
"github.com/hashicorp/consul/agent/connect" "github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/consul/state" "github.com/hashicorp/consul/agent/consul/state"
"github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/structs"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )
@ -72,32 +71,33 @@ func testConsulCAConfig() *structs.CAConfiguration {
func TestConsulCAProvider_Bootstrap(t *testing.T) { func TestConsulCAProvider_Bootstrap(t *testing.T) {
t.Parallel() t.Parallel()
assert := assert.New(t) require := require.New(t)
conf := testConsulCAConfig() conf := testConsulCAConfig()
delegate := newMockDelegate(t, conf) delegate := newMockDelegate(t, conf)
provider, err := NewConsulProvider(conf.Config, delegate) provider := NewConsulProvider(delegate)
assert.NoError(err) require.NoError(provider.Configure(conf.ClusterID, true, conf.Config))
require.NoError(provider.GenerateRoot())
root, err := provider.ActiveRoot() root, err := provider.ActiveRoot()
assert.NoError(err) require.NoError(err)
// Intermediate should be the same cert. // Intermediate should be the same cert.
inter, err := provider.ActiveIntermediate() inter, err := provider.ActiveIntermediate()
assert.NoError(err) require.NoError(err)
assert.Equal(root, inter) require.Equal(root, inter)
// Should be a valid cert // Should be a valid cert
parsed, err := connect.ParseCert(root) parsed, err := connect.ParseCert(root)
assert.NoError(err) require.NoError(err)
assert.Equal(parsed.URIs[0].String(), fmt.Sprintf("spiffe://%s.consul", conf.ClusterID)) require.Equal(parsed.URIs[0].String(), fmt.Sprintf("spiffe://%s.consul", conf.ClusterID))
} }
func TestConsulCAProvider_Bootstrap_WithCert(t *testing.T) { func TestConsulCAProvider_Bootstrap_WithCert(t *testing.T) {
t.Parallel() t.Parallel()
// Make sure setting a custom private key/root cert works. // Make sure setting a custom private key/root cert works.
assert := assert.New(t) require := require.New(t)
rootCA := connect.TestCA(t, nil) rootCA := connect.TestCA(t, nil)
conf := testConsulCAConfig() conf := testConsulCAConfig()
conf.Config = map[string]interface{}{ conf.Config = map[string]interface{}{
@ -106,12 +106,13 @@ func TestConsulCAProvider_Bootstrap_WithCert(t *testing.T) {
} }
delegate := newMockDelegate(t, conf) delegate := newMockDelegate(t, conf)
provider, err := NewConsulProvider(conf.Config, delegate) provider := NewConsulProvider(delegate)
assert.NoError(err) require.NoError(provider.Configure(conf.ClusterID, true, conf.Config))
require.NoError(provider.GenerateRoot())
root, err := provider.ActiveRoot() root, err := provider.ActiveRoot()
assert.NoError(err) require.NoError(err)
assert.Equal(root, rootCA.RootCert) require.Equal(root, rootCA.RootCert)
} }
func TestConsulCAProvider_SignLeaf(t *testing.T) { func TestConsulCAProvider_SignLeaf(t *testing.T) {
@ -122,8 +123,9 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
conf.Config["LeafCertTTL"] = "1h" conf.Config["LeafCertTTL"] = "1h"
delegate := newMockDelegate(t, conf) delegate := newMockDelegate(t, conf)
provider, err := NewConsulProvider(conf.Config, delegate) provider := NewConsulProvider(delegate)
require.NoError(err) require.NoError(provider.Configure(conf.ClusterID, true, conf.Config))
require.NoError(provider.GenerateRoot())
spiffeService := &connect.SpiffeIDService{ spiffeService := &connect.SpiffeIDService{
Host: "node1", Host: "node1",
@ -180,17 +182,20 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
func TestConsulCAProvider_CrossSignCA(t *testing.T) { func TestConsulCAProvider_CrossSignCA(t *testing.T) {
t.Parallel() t.Parallel()
require := require.New(t)
conf1 := testConsulCAConfig() conf1 := testConsulCAConfig()
delegate1 := newMockDelegate(t, conf1) delegate1 := newMockDelegate(t, conf1)
provider1, err := NewConsulProvider(conf1.Config, delegate1) provider1 := NewConsulProvider(delegate1)
require.NoError(t, err) require.NoError(provider1.Configure(conf1.ClusterID, true, conf1.Config))
require.NoError(provider1.GenerateRoot())
conf2 := testConsulCAConfig() conf2 := testConsulCAConfig()
conf2.CreateIndex = 10 conf2.CreateIndex = 10
delegate2 := newMockDelegate(t, conf2) delegate2 := newMockDelegate(t, conf2)
provider2, err := NewConsulProvider(conf2.Config, delegate2) provider2 := NewConsulProvider(delegate2)
require.NoError(t, err) require.NoError(provider2.Configure(conf2.ClusterID, true, conf2.Config))
require.NoError(provider2.GenerateRoot())
testCrossSignProviders(t, provider1, provider2) testCrossSignProviders(t, provider1, provider2)
} }

57
agent/connect/ca/provider_vault.go
View File

@ -24,6 +24,7 @@ var ErrBackendNotInitialized = fmt.Errorf("backend not initialized")
type VaultProvider struct { type VaultProvider struct {
config *structs.VaultCAProviderConfig config *structs.VaultCAProviderConfig
client *vaultapi.Client client *vaultapi.Client
isRoot bool
clusterId string clusterId string
} }
@ -31,34 +32,43 @@ type VaultProvider struct {
// backends mounted and initialized. If the root backend is not set up already, // backends mounted and initialized. If the root backend is not set up already,
// it will be mounted/generated as needed, but any existing state will not be // it will be mounted/generated as needed, but any existing state will not be
// overwritten. // overwritten.
func NewVaultProvider(rawConfig map[string]interface{}, clusterId string) (*VaultProvider, error) { func NewVaultProvider() *VaultProvider {
conf, err := ParseVaultCAConfig(rawConfig) return &VaultProvider{}
if err != nil { }
return nil, err
func (v *VaultProvider) Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error {
config, err := ParseVaultCAConfig(rawConfig)
if err != nil {
return err
} }
// todo(kyhavlov): figure out the right way to pass the TLS config
clientConf := &vaultapi.Config{ clientConf := &vaultapi.Config{
Address: conf.Address, Address: config.Address,
} }
client, err := vaultapi.NewClient(clientConf) client, err := vaultapi.NewClient(clientConf)
if err != nil { if err != nil {
return nil, err return err
} }
client.SetToken(conf.Token) client.SetToken(config.Token)
v.config = config
v.client = client
v.isRoot = isRoot
v.clusterId = clusterId
provider := &VaultProvider{ return nil
config: conf, }
client: client,
clusterId: clusterId, func (v *VaultProvider) GenerateRoot() error {
if !v.isRoot {
return fmt.Errorf("provider is not the root certificate authority")
} }
// Set up the root PKI backend if necessary. // Set up the root PKI backend if necessary.
_, err = provider.ActiveRoot() _, err := v.ActiveRoot()
switch err { switch err {
case ErrBackendNotMounted: case ErrBackendNotMounted:
err := client.Sys().Mount(conf.RootPKIPath, &vaultapi.MountInput{ err := v.client.Sys().Mount(v.config.RootPKIPath, &vaultapi.MountInput{
Type: "pki", Type: "pki",
Description: "root CA backend for Consul Connect", Description: "root CA backend for Consul Connect",
Config: vaultapi.MountConfigInput{ Config: vaultapi.MountConfigInput{
@ -67,35 +77,30 @@ func NewVaultProvider(rawConfig map[string]interface{}, clusterId string) (*Vaul
}) })
if err != nil { if err != nil {
return nil, err return err
} }
fallthrough fallthrough
case ErrBackendNotInitialized: case ErrBackendNotInitialized:
spiffeID := connect.SpiffeIDSigning{ClusterID: clusterId, Domain: "consul"} spiffeID := connect.SpiffeIDSigning{ClusterID: v.clusterId, Domain: "consul"}
uuid, err := uuid.GenerateUUID() uuid, err := uuid.GenerateUUID()
if err != nil { if err != nil {
return nil, err return err
} }
_, err = client.Logical().Write(conf.RootPKIPath+"root/generate/internal", map[string]interface{}{ _, err = v.client.Logical().Write(v.config.RootPKIPath+"root/generate/internal", map[string]interface{}{
"common_name": fmt.Sprintf("Vault CA Root Authority %s", uuid), "common_name": fmt.Sprintf("Vault CA Root Authority %s", uuid),
"uri_sans": spiffeID.URI().String(), "uri_sans": spiffeID.URI().String(),
}) })
if err != nil { if err != nil {
return nil, err return err
} }
default: default:
if err != nil { if err != nil {
return nil, err return err
} }
} }
// Set up the intermediate backend. return nil
if _, err := provider.GenerateIntermediate(); err != nil {
return nil, err
}
return provider, nil
} }
func (v *VaultProvider) ActiveRoot() (string, error) { func (v *VaultProvider) ActiveRoot() (string, error) {

10
agent/connect/ca/provider_vault_test.go
View File

@ -37,10 +37,12 @@ func testVaultClusterWithConfig(t *testing.T, rawConf map[string]interface{}) (*
conf[k] = v conf[k] = v
} }
provider, err := NewVaultProvider(conf, "asdf") require := require.New(t)
if err != nil { provider := NewVaultProvider()
t.Fatal(err) require.NoError(provider.Configure("asdf", true, conf))
} require.NoError(provider.GenerateRoot())
_, err := provider.GenerateIntermediate()
require.NoError(err)
return provider, core, ln return provider, core, ln
} }

6
agent/consul/connect_ca_endpoint.go
View File

@ -95,6 +95,12 @@ func (s *ConnectCA) ConfigurationSet(
if err != nil { if err != nil {
return fmt.Errorf("could not initialize provider: %v", err) return fmt.Errorf("could not initialize provider: %v", err)
} }
if err := newProvider.Configure(args.Config.ClusterID, true, args.Config.Config); err != nil {
return fmt.Errorf("error configuring provider: %v", err)
}
if err := newProvider.GenerateRoot(); err != nil {
return fmt.Errorf("error generating CA root certificate: %v", err)
}
newRootPEM, err := newProvider.ActiveRoot() newRootPEM, err := newProvider.ActiveRoot()
if err != nil { if err != nil {

12
agent/consul/leader.go
View File

@ -427,11 +427,17 @@ func (s *Server) initializeCA() error {
return err return err
} }
// Initialize the right provider based on the config // Initialize the provider based on the current config.
provider, err := s.createCAProvider(conf) provider, err := s.createCAProvider(conf)
if err != nil { if err != nil {
return err return err
} }
if err := provider.Configure(conf.ClusterID, true, conf.Config); err != nil {
return fmt.Errorf("error configuring provider: %v", err)
}
if err := provider.GenerateRoot(); err != nil {
return fmt.Errorf("error generating CA root certificate: %v", err)
}
// Get the active root cert from the CA // Get the active root cert from the CA
rootPEM, err := provider.ActiveRoot() rootPEM, err := provider.ActiveRoot()
@ -520,9 +526,9 @@ func parseCARoot(pemValue, provider string) (*structs.CARoot, error) {
func (s *Server) createCAProvider(conf *structs.CAConfiguration) (ca.Provider, error) { func (s *Server) createCAProvider(conf *structs.CAConfiguration) (ca.Provider, error) {
switch conf.Provider { switch conf.Provider {
case structs.ConsulCAProvider: case structs.ConsulCAProvider:
return ca.NewConsulProvider(conf.Config, &consulCADelegate{s}) return ca.NewConsulProvider(&consulCADelegate{s}), nil
case structs.VaultCAProvider: case structs.VaultCAProvider:
return ca.NewVaultProvider(conf.Config, conf.ClusterID) return ca.NewVaultProvider(), nil
default: default:
return nil, fmt.Errorf("unknown CA provider %q", conf.Provider) return nil, fmt.Errorf("unknown CA provider %q", conf.Provider)
} }

2
agent/structs/connect_ca.go
View File

@ -253,6 +253,8 @@ type CAConsulProviderState struct {
ID string ID string
PrivateKey string PrivateKey string
RootCert string RootCert string
IsRoot bool
IntermediateCert string
RaftIndex RaftIndex
} }