fix aws pca certs (#11470)

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
This commit is contained in:
FFMMM 2021-11-03 12:21:24 -07:00 committed by GitHub
parent 4789e3a4d0
commit e7ffef54ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 8 deletions


@ -359,15 +359,15 @@ func (a *AWSProvider) loadCACerts() error {
if a.isPrimary {
// Just use the cert as a root
a.rootPEM = *output.Certificate
a.rootPEM = EnsureTrailingNewline(*output.Certificate)
} else {
a.intermediatePEM = *output.Certificate
a.intermediatePEM = EnsureTrailingNewline(*output.Certificate)
// TODO(banks) support user-supplied CA being a Subordinate even in the
// primary DC. For now this assumes there is only one cert in the chain
if output.CertificateChain == nil {
return fmt.Errorf("Subordinate CA %s returned no chain", a.arn)
}
a.rootPEM = *output.CertificateChain
a.rootPEM = EnsureTrailingNewline(*output.CertificateChain)
}
return nil
}
@ -485,7 +485,7 @@ func (a *AWSProvider) signCSR(csrPEM string, templateARN string, ttl time.Durati
}
if certOutput.Certificate != nil {
return true, *certOutput.Certificate, nil
return true, EnsureTrailingNewline(*certOutput.Certificate), nil
}
return false, "", nil
@ -540,9 +540,9 @@ func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string) er
return err
}
// We succsefully initialized, keep track of the root and intermediate certs.
a.rootPEM = rootPEM
a.intermediatePEM = intermediatePEM
// We successfully initialized, keep track of the root and intermediate certs.
a.rootPEM = EnsureTrailingNewline(rootPEM)
a.intermediatePEM = EnsureTrailingNewline(intermediatePEM)
return nil
}
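Review bot: The trailing-newline normalization is applied at each write site (the three assignments in loadCACerts, the return in signCSR, and the two assignments in SetIntermediate), but the invariant it establishes is recorded nowhere, so a later assignment to a.rootPEM or a.intermediatePEM elsewhere in the file can silently reintroduce the problem. A comment at the first assignment in loadCACerts would capture it, e.g. `// rootPEM and intermediatePEM are always stored with a trailing newline so they can be concatenated into a chain without producing malformed PEM.` — presumably the motivation for this fix, worth confirming against the callers that build bundles. Routing every write through one small setter that calls EnsureTrailingNewline would make the invariant hard to bypass instead of repeating the call six times. loadCACerts starts above the hunk, so whether output.Certificate is nil-checked before the dereference on the first changed line is not visible here.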


@ -3,6 +3,7 @@ package ca
import (
"os"
"strconv"
"strings"
"testing"
"github.com/aws/aws-sdk-go/aws"
@ -114,7 +115,7 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
// TEST LOAD FROM PREVIOUS STATE
{
// Now create new providers fromthe state of the first ones simulating
// Now create new providers from the state of the first ones simulating
// leadership change in both DCs
t.Log("Restarting Providers with State")
@ -179,6 +180,28 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
testSignAndValidate(t, p1, rootPEM, nil)
testSignAndValidate(t, p2, rootPEM, []string{intPEM})
}
// Test that SetIntermediate() gives back certs with trailing new lines
{
// "Set" root, intermediate certs without a trailing new line
newIntPEM := strings.TrimSuffix(intPEM, "\n")
newRootPEM := strings.TrimSuffix(rootPEM, "\n")
cfg2 := testProviderConfigSecondary(t, map[string]interface{}{
"ExistingARN": p2State[AWSStateCAARNKey],
})
p2 = testAWSProvider(t, cfg2)
require.NoError(t, p2.SetIntermediate(newIntPEM, newRootPEM))
newRootPEM, err = p1.ActiveRoot()
require.NoError(t, err)
newIntPEM, err = p2.ActiveIntermediate()
require.NoError(t, err)
require.Equal(t, rootPEM, newRootPEM)
require.Equal(t, intPEM, newIntPEM)
}
}
func TestAWSBootstrapAndSignSecondaryConsul(t *testing.T) {
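Review bot: The new block reads the root back from p1 (`newRootPEM, err = p1.ActiveRoot()`) although only p2 received the trimmed certificates through SetIntermediate, so the `require.Equal(t, rootPEM, newRootPEM)` check inspects the untouched primary and would pass even if SetIntermediate dropped the newline on the root. Reading from the provider under test, `newRootPEM, err = p2.ActiveRoot()`, exercises the path the commit changes, assuming a secondary's ActiveRoot returns the root stored by SetIntermediate. The enclosing TestAWSBootstrapAndSignSecondary closes at the `}` just before TestAWSBootstrapAndSignSecondaryConsul; the hunk's trailing context may extend past the visible lines.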