Avoid returning empty roots with uninitialized CA

Currently getCARoots could return an empty object with an empty trust
domain before the CA is initialized. This commit returns an error when
there is no CA config or no trust domain.

There could be a CA config and no trust domain because the CA config can
be created in InitializeCA before initialization succeeds.
freddygv 2021-11-08 16:51:49 -07:00
parent 69ad7c0544
commit e6622ab0ab
1 changed files with 13 additions and 9 deletions


@ -16,19 +16,23 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
if err != nil { if err != nil {
return nil, err return nil, err
} }
if config == nil {
return nil, fmt.Errorf("CA has not finished initializing")
}
indexedRoots := &structs.IndexedCARoots{} indexedRoots := &structs.IndexedCARoots{}
if config != nil { // Build TrustDomain based on the ClusterID stored.
// Build TrustDomain based on the ClusterID stored. signingID := connect.SpiffeIDSigningForCluster(config)
signingID := connect.SpiffeIDSigningForCluster(config) if signingID == nil {
if signingID == nil { // If CA is bootstrapped at all then this should never happen but be
// If CA is bootstrapped at all then this should never happen but be // defensive.
// defensive. return nil, fmt.Errorf("no cluster trust domain setup")
return nil, fmt.Errorf("no cluster trust domain setup") }
}
indexedRoots.TrustDomain = signingID.Host() indexedRoots.TrustDomain = signingID.Host()
if indexedRoots.TrustDomain == "" {
return nil, fmt.Errorf("CA has not finished initializing")
} }
indexedRoots.Index, indexedRoots.Roots = index, roots indexedRoots.Index, indexedRoots.Roots = index, roots