pki: Do not use a static issuer/key name within the migration (#15886)

- Selecting a constant default value exposed a possible edge case that the migration would fail if a previous migration contained the same issuer or key name.
2022-06-08 15:31:30 -04:00 · 2022-06-08 15:31:30 -04:00 · 3b9f29fedd
parent 91b298d274
commit 3b9f29fedd
2 changed files with 24 additions and 3 deletions
--- a/builtin/logical/pki/storage_migrations.go
+++ b/builtin/logical/pki/storage_migrations.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
+	"fmt"
 	"time"

 	"github.com/hashicorp/vault/sdk/helper/certutil"
@ -83,8 +84,12 @@ func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
 	var issuerIdentifier issuerID
 	var keyIdentifier keyID
 	if migrationInfo.legacyBundle != nil {
+		// Generate a unique name for the migrated items in case things were to be re-migrated again
+		// for some weird reason in the future...
+		migrationName := fmt.Sprintf("current-%d", time.Now().Unix())
+
 		b.Logger().Info("performing PKI migration to new keys/issuers layout")
-		anIssuer, aKey, err := writeCaBundle(ctx, b, s, migrationInfo.legacyBundle, "current", "current")
+		anIssuer, aKey, err := writeCaBundle(ctx, b, s, migrationInfo.legacyBundle, migrationName, migrationName)
 		if err != nil {
 			return err
 		}
--- a/builtin/logical/pki/storage_migrations_test.go
+++ b/builtin/logical/pki/storage_migrations_test.go
@ -100,12 +100,14 @@ func Test_migrateStorageSimpleBundle(t *testing.T) {
 	keyId := keyIds[0]
 	issuer, err := fetchIssuerById(ctx, s, issuerId)
 	require.NoError(t, err)
-	require.Equal(t, "current", issuer.Name) // RFC says we should import with Name=current
+	require.True(t, strings.HasPrefix(issuer.Name, "current-"),
+		"expected issuer name to start with current- was %s", issuer.Name)
 	require.Equal(t, certutil.ErrNotAfterBehavior, issuer.LeafNotAfterBehavior)

 	key, err := fetchKeyById(ctx, s, keyId)
 	require.NoError(t, err)
-	require.Equal(t, "current", key.Name) // RFC says we should import with Name=current
+	require.True(t, strings.HasPrefix(key.Name, "current-"),
+		"expected key name to start with current- was %s", key.Name)

 	require.Equal(t, issuerId, issuer.ID)
 	require.Equal(t, bundle.SerialNumber, issuer.SerialNumber)
@ -145,6 +147,20 @@ func Test_migrateStorageSimpleBundle(t *testing.T) {
 	require.Equal(t, logEntry.Hash, logEntry2.Hash)

 	require.False(t, b.useLegacyBundleCaStorage(), "post migration we are still told to use legacy storage")
+
+	// Make sure we can re-process a migration from scratch for whatever reason
+	err = s.Delete(ctx, legacyMigrationBundleLogKey)
+	require.NoError(t, err)
+
+	err = migrateStorage(ctx, b, s)
+	require.NoError(t, err)
+
+	logEntry3, err := getLegacyBundleMigrationLog(ctx, s)
+	require.NoError(t, err)
+	require.NotNil(t, logEntry3)
+
+	require.NotEqual(t, logEntry.Created, logEntry3.Created)
+	require.Equal(t, logEntry.Hash, logEntry3.Hash)
 }

 func TestExpectedOpsWork_PreMigration(t *testing.T) {