Store migrated issuer, key in migration log (#15449)

If necessary, this will let us correlate migrated values afterwards.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel 2022-05-16 16:12:49 -04:00 committed by GitHub
parent 90538739bd
commit 210045cd1f
2 changed files with 12 additions and 0 deletions


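--- a/PATH_NOT_SHOWN_FILE_1
+++ b/PATH_NOT_SHOWN_FILE_1
@@ -22,6 +22,8 @@ const (
 type legacyBundleMigrationLog struct {
 	Hash string `json:"hash" structs:"hash" mapstructure:"hash"`
 	Created time.Time `json:"created" structs:"created" mapstructure:"created"`
+	CreatedIssuer issuerID `json:"issuer_id" structs:"issuer_id" mapstructure:"issuer_id"`
+	CreatedKey keyID `json:"key_id" structs:"key_id" mapstructure:"key_id"`
 	MigrationVersion int `json:"migrationVersion" structs:"migrationVersion" mapstructure:"migrationVersion"`
 }
@@ -79,6 +81,8 @@ func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
 		return nil
 	}
+	var issuerIdentifier issuerID
+	var keyIdentifier keyID
 	b.Logger().Info("performing PKI migration to new keys/issuers layout")
 	if migrationInfo.legacyBundle != nil {
 		anIssuer, aKey, err := writeCaBundle(ctx, b, s, migrationInfo.legacyBundle, "current", "current")
@@ -87,6 +91,8 @@ func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
 		}
 		b.Logger().Debug("Migration generated the following ids and set them as defaults",
 			"issuer id", anIssuer.ID, "key id", aKey.ID)
+		issuerIdentifier = anIssuer.ID
+		keyIdentifier = aKey.ID
 	} else {
 		b.Logger().Debug("No legacy CA certs found, no migration required.")
 	}
@@ -100,6 +106,8 @@ func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
 	err = setLegacyBundleMigrationLog(ctx, s, &legacyBundleMigrationLog{
 		Hash: migrationInfo.legacyBundleHash,
 		Created: time.Now(),
+		CreatedIssuer: issuerIdentifier,
+		CreatedKey: keyIdentifier,
 		MigrationVersion: latestMigrationVersion,
 	})
 	if err != nil {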
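Review bot: The new `CreatedIssuer` and `CreatedKey` fields in `legacyBundleMigrationLog` carry no comment saying they are left at their zero value when no legacy bundle is found; as far as the hunks show, `issuerIdentifier` and `keyIdentifier` are only assigned inside the `migrationInfo.legacyBundle != nil` branch, and the `else` branch just logs. A reader of a persisted log entry otherwise cannot tell an intentionally empty ID from one that was never written; suggest placing `// CreatedIssuer and CreatedKey identify the issuer and key written from the legacy bundle; both are empty when no legacy bundle existed and nothing was migrated.` above the two fields. Separately, the new tags use snake_case (`issuer_id`, `key_id`) while the adjacent `migrationVersion` tag is camelCase; because this struct is written to storage by `setLegacyBundleMigrationLog`, the tag names become part of the on-disk format and are awkward to change once entries exist, so the naming convention should be settled deliberately here. The two `var` declarations could also be a single `var (...)` group. `migrateStorage` begins and ends outside the hunks shown.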


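--- a/PATH_NOT_SHOWN_FILE_2
+++ b/PATH_NOT_SHOWN_FILE_2
@@ -40,6 +40,8 @@ func Test_migrateStorageEmptyStorage(t *testing.T) {
 		"Hash value (%s) should not have been empty", logEntry.Hash)
 	require.True(t, startTime.Before(logEntry.Created),
 		"created log entry time (%v) was before our start time(%v)?", logEntry.Created, startTime)
+	require.Empty(t, logEntry.CreatedIssuer)
+	require.Empty(t, logEntry.CreatedKey)
 	require.False(t, b.useLegacyBundleCaStorage(), "post migration we are still told to use legacy storage")
@@ -91,6 +93,8 @@ func Test_migrateStorageSimpleBundle(t *testing.T) {
 		"Hash value (%s) should not have been empty", logEntry.Hash)
 	require.True(t, startTime.Before(logEntry.Created),
 		"created log entry time (%v) was before our start time(%v)?", logEntry.Created, startTime)
+	require.Equal(t, logEntry.CreatedIssuer, issuerIds[0])
+	require.Equal(t, logEntry.CreatedKey, keyIds[0])
 	issuerId := issuerIds[0]
 	keyId := keyIds[0]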
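Review bot: The two new `require.Equal` calls in `Test_migrateStorageSimpleBundle` pass the actual value first and the expected value second, the reverse of testify's `(t, expected, actual)` order, so a failure would report the log entry's stored ID as "expected" and the freshly generated ID as "actual". They also omit the explanatory message that the surrounding assertions carry. Suggest `require.Equal(t, issuerIds[0], logEntry.CreatedIssuer, "migration log should record the migrated issuer id")` and `require.Equal(t, keyIds[0], logEntry.CreatedKey, "migration log should record the migrated key id")`. Both test functions begin and end outside the hunks shown.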