From 421e27ba7034d83f4cc62626071dfd12f684d2dc Mon Sep 17 00:00:00 2001 From: Raphael 'kena' Poss Date: Sat, 28 May 2022 17:56:16 +0200 Subject: [PATCH] security: move the CertsLocator to the new package 'certnames' Release note: None --- pkg/cli/connect.go | 4 +- pkg/rpc/BUILD.bazel | 1 + pkg/rpc/pg.go | 2 +- pkg/rpc/tls.go | 11 +- pkg/security/certificate_manager.go | 194 +------------------------- pkg/security/certnames/BUILD.bazel | 6 +- pkg/security/certnames/locator.go | 203 ++++++++++++++++++++++++++++ pkg/server/BUILD.bazel | 2 + pkg/server/auto_tls_init.go | 11 +- pkg/server/auto_tls_init_test.go | 8 +- 10 files changed, 236 insertions(+), 206 deletions(-) create mode 100644 pkg/security/certnames/locator.go diff --git a/pkg/cli/connect.go b/pkg/cli/connect.go index 5fa09de61986..2dc81c6cb3bc 100644 --- a/pkg/cli/connect.go +++ b/pkg/cli/connect.go @@ -17,7 +17,7 @@ import ( "github.com/cockroachdb/cockroach/pkg/cli/clierrorplus" "github.com/cockroachdb/cockroach/pkg/cli/cliflags" - "github.com/cockroachdb/cockroach/pkg/security" + "github.com/cockroachdb/cockroach/pkg/security/certnames" "github.com/cockroachdb/cockroach/pkg/server" "github.com/cockroachdb/cockroach/pkg/util/log" "github.com/cockroachdb/errors" @@ -65,7 +65,7 @@ func runConnectInit(cmd *cobra.Command, args []string) (retErr error) { // If the node cert already exists, skip all the complexity of setting up // servers, etc. - cl := security.MakeCertsLocator(baseCfg.SSLCertsDir) + cl := certnames.MakeLocator(baseCfg.SSLCertsDir) if exists, err := cl.HasNodeCert(); err != nil { return err } else if exists { diff --git a/pkg/rpc/BUILD.bazel b/pkg/rpc/BUILD.bazel index ef82a4b2327b..a7cf01006b31 100644 --- a/pkg/rpc/BUILD.bazel +++ b/pkg/rpc/BUILD.bazel @@ -30,6 +30,7 @@ go_library( "//pkg/keys", "//pkg/roachpb", "//pkg/security", + "//pkg/security/certnames", "//pkg/security/securityassets", "//pkg/security/username", "//pkg/server/pgurl", 
diff --git a/pkg/rpc/pg.go b/pkg/rpc/pg.go index c8a3aa82b4e7..2bf08951c069 100644 --- a/pkg/rpc/pg.go +++ b/pkg/rpc/pg.go @@ -65,7 +65,7 @@ func (ctx *SecurityContext) LoadSecurityOptions(u *pgurl.URL, user username.SQLU } if ourCACert := cm.CACert(); ourCACert != nil { // The CM has a CA cert. Use that. - caCertPath = cm.FullPath(ourCACert) + caCertPath = cm.FullPath(ourCACert.Filename) } } // Fallback: if caCertPath was not assigned above, either diff --git a/pkg/rpc/tls.go b/pkg/rpc/tls.go index ccd597767672..7469be778e21 100644 --- a/pkg/rpc/tls.go +++ b/pkg/rpc/tls.go @@ -25,6 +25,7 @@ import ( "github.com/cockroachdb/cockroach/pkg/base" "github.com/cockroachdb/cockroach/pkg/roachpb" "github.com/cockroachdb/cockroach/pkg/security" + "github.com/cockroachdb/cockroach/pkg/security/certnames" "github.com/cockroachdb/cockroach/pkg/util/log" "github.com/cockroachdb/cockroach/pkg/util/log/severity" "github.com/cockroachdb/errors" @@ -55,7 +56,7 @@ func wrapError(err error) error { // SecurityContext is a wrapper providing transport security helpers such as // the certificate manager. type SecurityContext struct { - security.CertsLocator + certnames.Locator security.TLSSettings config *base.Config tenID roachpb.TenantID @@ -77,10 +78,10 @@ func MakeSecurityContext( panic(errors.AssertionFailedf("programming error: tenant ID not defined")) } return SecurityContext{ - CertsLocator: security.MakeCertsLocator(cfg.SSLCertsDir), - TLSSettings: tlsSettings, - config: cfg, - tenID: tenID, + Locator: certnames.MakeLocator(cfg.SSLCertsDir), + TLSSettings: tlsSettings, + config: cfg, + tenID: tenID, } } diff --git a/pkg/security/certificate_manager.go b/pkg/security/certificate_manager.go index e6c56ddbbfaf..b2f5397650f8 100644 --- a/pkg/security/certificate_manager.go +++ b/pkg/security/certificate_manager.go @@ -14,8 +14,6 @@ import ( "context" "crypto/tls" "fmt" - "os" - "path/filepath" "strconv" "github.com/cockroachdb/cockroach/pkg/security/certnames" 
@@ -27,7 +25,6 @@ import ( "github.com/cockroachdb/cockroach/pkg/util/syncutil" "github.com/cockroachdb/cockroach/pkg/util/sysutil" "github.com/cockroachdb/errors" - "github.com/cockroachdb/errors/oserror" ) var ( @@ -104,7 +101,7 @@ var ( // fall back on 'node.crt'. type CertificateManager struct { tenantIdentifier uint64 - CertsLocator + certnames.Locator tlsSettings TLSSettings @@ -165,7 +162,7 @@ func makeCertificateManager( } return &CertificateManager{ - CertsLocator: MakeCertsLocator(certsDir), + Locator: certnames.MakeLocator(certsDir), tenantIdentifier: o.tenantIdentifier, tlsSettings: tlsSettings, certMetrics: CertificateMetrics{ @@ -215,7 +212,7 @@ func NewCertificateManagerFirstRun( certsDir string, tlsSettings TLSSettings, opts ...Option, ) (*CertificateManager, error) { cm := makeCertificateManager(certsDir, tlsSettings, opts...) - if err := NewCertificateLoader(cm.certsDir).MaybeCreateCertsDir(); err != nil { + if err := NewCertificateLoader(cm.CertsDir()).MaybeCreateCertsDir(); err != nil { return nil, err } 
@@ -256,185 +253,6 @@ func (cm *CertificateManager) RegisterSignalHandler(stopper *stop.Stopper) { }() } -// A CertsLocator provides locations to certificates. -type CertsLocator struct { - certsDir string -} - -// MakeCertsLocator initializes a CertsLocator. -func MakeCertsLocator(certsDir string) CertsLocator { - return CertsLocator{certsDir: certsDir} -} - -// CACertPath returns the expected file path for the CA certificate. -func (cl CertsLocator) CACertPath() string { - return filepath.Join(cl.certsDir, certnames.CACertFilename()) -} - -// FullPath takes a CertInfo and returns the full path for it. -func (cl CertsLocator) FullPath(ci *CertInfo) string { - return filepath.Join(cl.certsDir, ci.Filename) -} - -// EnsureCertsDirectory ensures that the certs directory exists by -// creating it if does not exist yet. -func (cl CertsLocator) EnsureCertsDirectory() error { - return os.MkdirAll(cl.certsDir, 0700) -} - -// CAKeyPath returns the expected file path for the CA certificate. -func (cl CertsLocator) CAKeyPath() string { - return filepath.Join(cl.certsDir, certnames.CAKeyFilename()) -} - -// TenantCACertPath returns the expected file path for the Tenant client CA -// certificate. -func (cl CertsLocator) TenantCACertPath() string { - return filepath.Join(cl.certsDir, certnames.TenantClientCACertFilename()) -} - -// ClientCACertPath returns the expected file path for the CA certificate -// used to verify client certificates. -func (cl CertsLocator) ClientCACertPath() string { - return filepath.Join(cl.certsDir, certnames.ClientCACertFilename()) -} - -// ClientCAKeyPath returns the expected file path for the CA key -// used to sign client certificates. -func (cl CertsLocator) ClientCAKeyPath() string { - return filepath.Join(cl.certsDir, certnames.ClientCAKeyFilename()) -} - -// ClientNodeCertPath returns the expected file path for the certificate used -// by other nodes to verify outgoing RPCs from this node. 
-func (cl CertsLocator) ClientNodeCertPath() string { - return filepath.Join(cl.certsDir, certnames.ClientCertFilename(username.NodeUserName())) -} - -// ClientNodeKeyPath returns the expected file path for the key used -// to sign outgoing RPCs. -func (cl CertsLocator) ClientNodeKeyPath() string { - return filepath.Join(cl.certsDir, certnames.ClientKeyFilename(username.NodeUserName())) -} - -// UICACertPath returns the expected file path for the CA certificate -// used to verify Admin UI certificates. -func (cl CertsLocator) UICACertPath() string { - return filepath.Join(cl.certsDir, certnames.UICACertFilename()) -} - -// UICAKeyPath returns the expected file path for the CA certificate -// used to verify Admin UI certificates. -func (cl CertsLocator) UICAKeyPath() string { - return filepath.Join(cl.certsDir, certnames.UICAKeyFilename()) -} - -// NodeCertPath returns the expected file path for the node certificate. -func (cl CertsLocator) NodeCertPath() string { - return filepath.Join(cl.certsDir, certnames.NodeCertFilename()) -} - -// HasNodeCert returns true iff the node certificate file already exists. -func (cl CertsLocator) HasNodeCert() (bool, error) { - _, err := os.Stat(cl.NodeCertPath()) - if err != nil { - if oserror.IsNotExist(err) { - return false, nil - } - return false, err - } - return true, nil -} - -// NodeKeyPath returns the expected file path for the node key. -func (cl CertsLocator) NodeKeyPath() string { - return filepath.Join(cl.certsDir, certnames.NodeKeyFilename()) -} - -// UICertPath returns the expected file path for the UI certificate. -func (cl CertsLocator) UICertPath() string { - return filepath.Join(cl.certsDir, certnames.UIServerCertFilename()) -} - -// UIKeyPath returns the expected file path for the UI key. -func (cl CertsLocator) UIKeyPath() string { - return filepath.Join(cl.certsDir, certnames.UIServerKeyFilename()) -} - -// TenantCertPath returns the expected file path for the user's certificate. 
-func (cl CertsLocator) TenantCertPath(tenantIdentifier string) string { - return filepath.Join(cl.certsDir, certnames.TenantCertFilename(tenantIdentifier)) -} - -// TenantKeyPath returns the expected file path for the tenant's key. -func (cl CertsLocator) TenantKeyPath(tenantIdentifier string) string { - return filepath.Join(cl.certsDir, certnames.TenantKeyFilename(tenantIdentifier)) -} - -// TenantSigningCertPath returns the expected file path for the node certificate. -func (cl CertsLocator) TenantSigningCertPath(tenantIdentifier string) string { - return filepath.Join(cl.certsDir, certnames.TenantSigningCertFilename(tenantIdentifier)) -} - -// TenantSigningKeyPath returns the expected file path for the node key. -func (cl CertsLocator) TenantSigningKeyPath(tenantIdentifier string) string { - return filepath.Join(cl.certsDir, certnames.TenantSigningKeyFilename(tenantIdentifier)) -} - -// ClientCertPath returns the expected file path for the user's certificate. -func (cl CertsLocator) ClientCertPath(user username.SQLUsername) string { - return filepath.Join(cl.certsDir, certnames.ClientCertFilename(user)) -} - -// ClientKeyPath returns the expected file path for the user's key. 
-func (cl CertsLocator) ClientKeyPath(user username.SQLUsername) string { - return filepath.Join(cl.certsDir, certnames.ClientKeyFilename(user)) -} - -// SQLServiceCertPath returns the expected file path for the -// SQL service certificate -func (cl CertsLocator) SQLServiceCertPath() string { - return filepath.Join(cl.certsDir, certnames.SQLServiceCertFilename()) -} - -// SQLServiceKeyPath returns the expected file path for the SQL service key -func (cl CertsLocator) SQLServiceKeyPath() string { - return filepath.Join(cl.certsDir, certnames.SQLServiceKeyFilename()) -} - -// SQLServiceCACertPath returns the expected file path for the -// SQL CA certificate -func (cl CertsLocator) SQLServiceCACertPath() string { - return filepath.Join(cl.certsDir, certnames.SQLServiceCACertFilename()) -} - -// SQLServiceCAKeyPath returns the expected file path for the SQL CA key -func (cl CertsLocator) SQLServiceCAKeyPath() string { - return filepath.Join(cl.certsDir, certnames.SQLServiceCAKeyFilename()) -} - -// RPCServiceCertPath returns the expected file path for the -// RPC service certificate -func (cl CertsLocator) RPCServiceCertPath() string { - return filepath.Join(cl.certsDir, certnames.RPCServiceCertFilename()) -} - -// RPCServiceKeyPath returns the expected file path for the RPC service key -func (cl CertsLocator) RPCServiceKeyPath() string { - return filepath.Join(cl.certsDir, certnames.RPCServiceKeyFilename()) -} - -// RPCServiceCACertPath returns the expected file path for the -// RPC service certificate -func (cl CertsLocator) RPCServiceCACertPath() string { - return filepath.Join(cl.certsDir, certnames.RPCServiceCACertFilename()) -} - -// RPCServiceCAKeyPath returns the expected file path for the RPC service key -func (cl CertsLocator) RPCServiceCAKeyPath() string { - return filepath.Join(cl.certsDir, certnames.RPCServiceCAKeyFilename()) -} - // CACert returns the CA cert. May be nil. // Callers should check for an internal Error field. 
func (cm *CertificateManager) CACert() *CertInfo { @@ -517,9 +335,9 @@ func makeError(err error, s string) *Error { return makeErrorf(err, "%s", s) } // LoadCertificates creates a CertificateLoader to load all certs and keys. // Upon success, it swaps the existing certificates for the new ones. func (cm *CertificateManager) LoadCertificates() error { - cl := NewCertificateLoader(cm.certsDir) + cl := NewCertificateLoader(cm.CertsDir()) if err := cl.Load(); err != nil { - return makeErrorf(err, "problem loading certs directory %s", cm.certsDir) + return makeErrorf(err, "problem loading certs directory %s", cm.CertsDir()) } var caCert, clientCACert, uiCACert, nodeCert, uiCert, nodeClientCert *CertInfo @@ -604,7 +422,7 @@ func (cm *CertificateManager) LoadCertificates() error { } if tenantCert == nil && cm.tenantIdentifier != 0 { - return makeErrorf(errors.New("tenant client cert not found"), "for %d in %s", cm.tenantIdentifier, cm.certsDir) + return makeErrorf(errors.New("tenant client cert not found"), "for %d in %s", cm.tenantIdentifier, cm.CertsDir()) } if nodeClientCert == nil && nodeCert != nil { diff --git a/pkg/security/certnames/BUILD.bazel b/pkg/security/certnames/BUILD.bazel index b21122ff9bd9..4562eda2110a 100644 --- a/pkg/security/certnames/BUILD.bazel +++ b/pkg/security/certnames/BUILD.bazel @@ -5,8 +5,12 @@ go_library( srcs = [ "certnames.go", "doc.go", + "locator.go", ], importpath = "github.com/cockroachdb/cockroach/pkg/security/certnames", visibility = ["//visibility:public"], - deps = ["//pkg/security/username"], + deps = [ + "//pkg/security/username", + "@com_github_cockroachdb_errors//oserror", + ], ) diff --git a/pkg/security/certnames/locator.go b/pkg/security/certnames/locator.go new file mode 100644 index 000000000000..16b8b4d2d0f1 --- /dev/null +++ b/pkg/security/certnames/locator.go 
@@ -0,0 +1,203 @@
+// Copyright 2022 The Cockroach Authors.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0, included in the file
+// licenses/APL.txt.
+
+package certnames
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/cockroachdb/cockroach/pkg/security/username"
+ "github.com/cockroachdb/errors/oserror"
+)
+
+// A Locator provides locations to certificates.
+type Locator struct {
+ certsDir string
+}
+
+// MakeLocator initializes a Locator.
+func MakeLocator(certsDir string) Locator {
+ return Locator{certsDir: certsDir}
+}
+
+// CertsDir retrieves the configured certificate directory.
+func (cl Locator) CertsDir() string {
+ return cl.certsDir
+}
+
+// CACertPath returns the expected file path for the CA certificate.
+func (cl Locator) CACertPath() string {
+ return filepath.Join(cl.certsDir, CACertFilename())
+}
+
+// FullPath takes a CertInfo and returns the full path for it.
+func (cl Locator) FullPath(fileName string) string {
+ return filepath.Join(cl.certsDir, fileName)
+}
+
+// EnsureCertsDirectory ensures that the certs directory exists by
+// creating it if does not exist yet.
+func (cl Locator) EnsureCertsDirectory() error {
+ return os.MkdirAll(cl.certsDir, 0700)
+}
+
+// CAKeyPath returns the expected file path for the CA certificate.
+func (cl Locator) CAKeyPath() string {
+ return filepath.Join(cl.certsDir, CAKeyFilename())
+}
+
+// TenantCACertPath returns the expected file path for the Tenant client CA
+// certificate.
+func (cl Locator) TenantCACertPath() string {
+ return filepath.Join(cl.certsDir, TenantClientCACertFilename())
+}
+
+// ClientCACertPath returns the expected file path for the CA certificate
+// used to verify client certificates.
+func (cl Locator) ClientCACertPath() string {
+ return filepath.Join(cl.certsDir, ClientCACertFilename())
+}
+
+// ClientCAKeyPath returns the expected file path for the CA key
+// used to sign client certificates.
+func (cl Locator) ClientCAKeyPath() string {
+ return filepath.Join(cl.certsDir, ClientCAKeyFilename())
+}
+
+// ClientNodeCertPath returns the expected file path for the certificate used
+// by other nodes to verify outgoing RPCs from this node.
+func (cl Locator) ClientNodeCertPath() string {
+ return filepath.Join(cl.certsDir, ClientCertFilename(username.NodeUserName()))
+}
+
+// ClientNodeKeyPath returns the expected file path for the key used
+// to sign outgoing RPCs.
+func (cl Locator) ClientNodeKeyPath() string {
+ return filepath.Join(cl.certsDir, ClientKeyFilename(username.NodeUserName()))
+}
+
+// UICACertPath returns the expected file path for the CA certificate
+// used to verify Admin UI certificates.
+func (cl Locator) UICACertPath() string {
+ return filepath.Join(cl.certsDir, UICACertFilename())
+}
+
+// UICAKeyPath returns the expected file path for the CA certificate
+// used to verify Admin UI certificates.
+func (cl Locator) UICAKeyPath() string {
+ return filepath.Join(cl.certsDir, UICAKeyFilename())
+}
+
+// NodeCertPath returns the expected file path for the node certificate.
+func (cl Locator) NodeCertPath() string {
+ return filepath.Join(cl.certsDir, NodeCertFilename())
+}
+
+// HasNodeCert returns true iff the node certificate file already exists.
+func (cl Locator) HasNodeCert() (bool, error) {
+ _, err := os.Stat(cl.NodeCertPath())
+ if err != nil {
+ if oserror.IsNotExist(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ return true, nil
+}
+
+// NodeKeyPath returns the expected file path for the node key.
+func (cl Locator) NodeKeyPath() string {
+ return filepath.Join(cl.certsDir, NodeKeyFilename())
+}
+
+// UICertPath returns the expected file path for the UI certificate.
+func (cl Locator) UICertPath() string {
+ return filepath.Join(cl.certsDir, UIServerCertFilename())
+}
+
+// UIKeyPath returns the expected file path for the UI key.
+func (cl Locator) UIKeyPath() string {
+ return filepath.Join(cl.certsDir, UIServerKeyFilename())
+}
+
+// TenantCertPath returns the expected file path for the user's certificate.
+func (cl Locator) TenantCertPath(tenantIdentifier string) string {
+ return filepath.Join(cl.certsDir, TenantCertFilename(tenantIdentifier))
+}
+
+// TenantKeyPath returns the expected file path for the tenant's key.
+func (cl Locator) TenantKeyPath(tenantIdentifier string) string {
+ return filepath.Join(cl.certsDir, TenantKeyFilename(tenantIdentifier))
+}
+
+// TenantSigningCertPath returns the expected file path for the node certificate.
+func (cl Locator) TenantSigningCertPath(tenantIdentifier string) string {
+ return filepath.Join(cl.certsDir, TenantSigningCertFilename(tenantIdentifier))
+}
+
+// TenantSigningKeyPath returns the expected file path for the node key.
+func (cl Locator) TenantSigningKeyPath(tenantIdentifier string) string {
+ return filepath.Join(cl.certsDir, TenantSigningKeyFilename(tenantIdentifier))
+}
+
+// ClientCertPath returns the expected file path for the user's certificate.
+func (cl Locator) ClientCertPath(user username.SQLUsername) string {
+ return filepath.Join(cl.certsDir, ClientCertFilename(user))
+}
+
+// ClientKeyPath returns the expected file path for the user's key.
+func (cl Locator) ClientKeyPath(user username.SQLUsername) string {
+ return filepath.Join(cl.certsDir, ClientKeyFilename(user))
+}
+
+// SQLServiceCertPath returns the expected file path for the
+// SQL service certificate
+func (cl Locator) SQLServiceCertPath() string {
+ return filepath.Join(cl.certsDir, SQLServiceCertFilename())
+}
+
+// SQLServiceKeyPath returns the expected file path for the SQL service key
+func (cl Locator) SQLServiceKeyPath() string {
+ return filepath.Join(cl.certsDir, SQLServiceKeyFilename())
+}
+
+// SQLServiceCACertPath returns the expected file path for the
+// SQL CA certificate
+func (cl Locator) SQLServiceCACertPath() string {
+ return filepath.Join(cl.certsDir, SQLServiceCACertFilename())
+}
+
+// SQLServiceCAKeyPath returns the expected file path for the SQL CA key
+func (cl Locator) SQLServiceCAKeyPath() string {
+ return filepath.Join(cl.certsDir, SQLServiceCAKeyFilename())
+}
+
+// RPCServiceCertPath returns the expected file path for the
+// RPC service certificate
+func (cl Locator) RPCServiceCertPath() string {
+ return filepath.Join(cl.certsDir, RPCServiceCertFilename())
+}
+
+// RPCServiceKeyPath returns the expected file path for the RPC service key
+func (cl Locator) RPCServiceKeyPath() string {
+ return filepath.Join(cl.certsDir, RPCServiceKeyFilename())
+}
+
+// RPCServiceCACertPath returns the expected file path for the
+// RPC service certificate
+func (cl Locator) RPCServiceCACertPath() string {
+ return filepath.Join(cl.certsDir, RPCServiceCACertFilename())
+}
+
+// RPCServiceCAKeyPath returns the expected file path for the RPC service key
+func (cl Locator) RPCServiceCAKeyPath() string {
+ return filepath.Join(cl.certsDir, RPCServiceCAKeyFilename())
+}
diff --git a/pkg/server/BUILD.bazel b/pkg/server/BUILD.bazel
index 1a16311aab22..0cd4e99762ca 100644
--- a/pkg/server/BUILD.bazel
+++ b/pkg/server/BUILD.bazel
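Review bot: `FullPath` in the new locator.go now accepts an arbitrary `fileName string` but its doc comment still says it "takes a CertInfo", and nothing constrains the argument to a bare file name, so a caller passing a value with separators or `..` would get a path outside the certs directory (the only caller in this patch passes `ourCACert.Filename`, which comes from the certificate loader, so this is a widened contract rather than a demonstrated bug). I would fix the comment and state the contract, `// FullPath returns the path of fileName inside the certs directory; fileName must be a bare file name with no directory components.`, and, since the type is now exported from its own package, reject anything that is not a bare name, e.g. `fileName == ".." || filepath.Base(fileName) != fileName`, returning an error or panicking as the package prefers. Several other doc comments were carried over with the wrong subject: `CAKeyPath` and `UICAKeyPath` say "CA certificate" where they return a key path, `TenantSigningCertPath`/`TenantSigningKeyPath` say "node certificate"/"node key", `TenantCertPath` says "user's certificate", and `RPCServiceCACertPath`/`RPCServiceCAKeyPath` omit "CA". Also, `EnsureCertsDirectory`'s `os.MkdirAll(cl.certsDir, 0700)` leaves the mode of an already-existing directory untouched and is narrowed by the umask, which is worth saying in its comment so callers do not read it as enforcing 0700 on the key directory.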
@@ -117,6 +117,7 @@ go_library( "//pkg/rpc/nodedialer", "//pkg/scheduledjobs", "//pkg/security", + "//pkg/security/certnames", "//pkg/security/password", "//pkg/security/username", "//pkg/server/debug", @@ -382,6 +383,7 @@ go_test( "//pkg/roachpb", "//pkg/rpc", "//pkg/security", + "//pkg/security/certnames", "//pkg/security/securityassets", "//pkg/security/securitytest", "//pkg/security/username", diff --git a/pkg/server/auto_tls_init.go b/pkg/server/auto_tls_init.go index e4c8db9f1f4f..8829e95e4d68 100644 --- a/pkg/server/auto_tls_init.go +++ b/pkg/server/auto_tls_init.go @@ -8,7 +8,7 @@ // by the Apache License, Version 2.0, included in the file // licenses/APL.txt. -// TODO(aaron-crl): This uses the CertsLocator from the security package +// TODO(aaron-crl): This uses the Locator from the security package // Getting about half way to integration with the certificate manager // While I'd originally hoped to decouple it completely, I realized // it would create an even larger headache if we maintained default @@ -25,6 +25,7 @@ import ( "github.com/cockroachdb/cockroach/pkg/base" "github.com/cockroachdb/cockroach/pkg/security" + "github.com/cockroachdb/cockroach/pkg/security/certnames" "github.com/cockroachdb/cockroach/pkg/security/username" "github.com/cockroachdb/cockroach/pkg/util/log" "github.com/cockroachdb/cockroach/pkg/util/netutil/addr" @@ -288,7 +289,7 @@ func writeKeyFile(keyFilePath string, keyPEM *pem.Block, overwrite bool) error { // N.B.: This function fast fails if an inter-node cert/key pair are present // as this should _never_ happen. func (b *CertificateBundle) InitializeFromConfig(ctx context.Context, c base.Config) error { - cl := security.MakeCertsLocator(c.SSLCertsDir) + cl := certnames.MakeLocator(c.SSLCertsDir) // First check to see if host cert is already present // if it is, we should fail to initialize. 
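Review bot: The rewritten TODO at the top of auto_tls_init.go now reads "This uses the Locator from the security package", but this very patch moves `Locator` out of `pkg/security` into `pkg/security/certnames`, so the comment is wrong as soon as it lands; `// TODO(aaron-crl): This uses the Locator from the security/certnames package` would be accurate. The rest of that comment block continues below the hunk and may need the same adjustment. The remaining hunks on this line are Bazel dependency additions and `security.MakeCertsLocator` to `certnames.MakeLocator` call renames and need no change.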
@@ -433,7 +434,7 @@ func extractHosts(addrs ...string) []string { // It is assumed that a node receiving this has not has TLS initialized. If // an inter-node certificate is found, this function will error. func (b *CertificateBundle) InitializeNodeFromBundle(ctx context.Context, c base.Config) error { - cl := security.MakeCertsLocator(c.SSLCertsDir) + cl := certnames.MakeLocator(c.SSLCertsDir) // First check to see if host cert is already present // if it is, we should fail to initialize. @@ -525,7 +526,7 @@ func (sb *ServiceCertificateBundle) loadCACertAndKeyIfExists( // will skip any CA's where the certificate is not found. Any other read errors // including permissions result in an error. func collectLocalCABundle(SSLCertsDir string) (CertificateBundle, error) { - cl := security.MakeCertsLocator(SSLCertsDir) + cl := certnames.MakeLocator(SSLCertsDir) var b CertificateBundle var err error @@ -575,7 +576,7 @@ func collectLocalCABundle(SSLCertsDir string) (CertificateBundle, error) { // any interface. All existing interfaces will again receive a new // certificate/key pair. func rotateGeneratedCerts(ctx context.Context, c base.Config) error { - cl := security.MakeCertsLocator(c.SSLCertsDir) + cl := certnames.MakeLocator(c.SSLCertsDir) // Fail fast if we can't load the CAs. b, err := collectLocalCABundle(c.SSLCertsDir) diff --git a/pkg/server/auto_tls_init_test.go b/pkg/server/auto_tls_init_test.go index 9a43016b8b38..d7628204420c 100644 --- a/pkg/server/auto_tls_init_test.go +++ b/pkg/server/auto_tls_init_test.go @@ -19,7 +19,7 @@ import ( "time" "github.com/cockroachdb/cockroach/pkg/base" - "github.com/cockroachdb/cockroach/pkg/security" + "github.com/cockroachdb/cockroach/pkg/security/certnames" "github.com/cockroachdb/cockroach/pkg/security/username" "github.com/cockroachdb/cockroach/pkg/util/leaktest" ) 
@@ -53,7 +53,7 @@ func TestInitializeFromConfig(t *testing.T) { } func loadAllCertsFromDisk(ctx context.Context, cfg base.Config) (CertificateBundle, error) { - cl := security.MakeCertsLocator(cfg.SSLCertsDir) + cl := certnames.MakeLocator(cfg.SSLCertsDir) bundleFromDisk, err := collectLocalCABundle(cfg.SSLCertsDir) if err != nil { return bundleFromDisk, err @@ -323,7 +323,7 @@ func TestRotationOnPartialIntializedNode(t *testing.T) { t.Fatalf("expected err=nil, got: %q", err) } - cl := security.MakeCertsLocator(cfg.SSLCertsDir) + cl := certnames.MakeLocator(cfg.SSLCertsDir) if err = os.Remove(cl.ClientCACertPath()); err != nil { t.Fatalf("failed to remove test cert: %q", err) } @@ -372,7 +372,7 @@ func TestRotationOnBrokenIntializedNode(t *testing.T) { } ctx := context.Background() - cl := security.MakeCertsLocator(cfg.SSLCertsDir) + cl := certnames.MakeLocator(cfg.SSLCertsDir) certBundle := CertificateBundle{} err := certBundle.InitializeFromConfig(ctx, cfg) if err != nil {