From ec4e703fef27ac25fa132803d5d9c3ab59bb7162 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 23 Jul 2020 12:12:06 -0400 Subject: [PATCH] Change cert to use expiration --- dependency/vault_common.go | 34 ++++-------------------- dependency/vault_common_test.go | 46 ++++++++++----------------------- 2 files changed, 19 insertions(+), 61 deletions(-) diff --git a/dependency/vault_common.go b/dependency/vault_common.go index 02075df0f..ed71cc789 100644 --- a/dependency/vault_common.go +++ b/dependency/vault_common.go @@ -7,10 +7,7 @@ import ( "strings" "time" - "crypto/x509" "encoding/json" - "encoding/pem" - "github.com/hashicorp/vault/api" ) @@ -115,22 +112,6 @@ func renewSecret(clients *ClientSet, d renewer) error { } } -// durationFrom cert gets the duration of validity from cert data and -// returns that value as an integer number of seconds -func durationFromCert(certData string) int { - block, _ := pem.Decode([]byte(certData)) - if block == nil { - return -1 - } - cert, err := x509.ParseCertificate(block.Bytes) - if err != nil { - log.Printf("[WARN] Unable to parse certificate data: %s", err) - return -1 - } - - return int(cert.NotAfter.Sub(cert.NotBefore).Seconds()) -} - // leaseCheckWait accepts a secret and returns the recommended amount of // time to sleep. func leaseCheckWait(s *Secret) time.Duration { 
@@ -141,16 +122,11 @@ func leaseCheckWait(s *Secret) time.Duration { } // Handle if this is a certificate with no lease - if certInterface, ok := s.Data["certificate"]; ok && s.LeaseID == "" { - if certData, ok := certInterface.(string); ok { - // Vault adds a 30 second pad to NotAfter to account for clockskew. - // We're removing the pad here to give additional time for rendering - // before cert expiration when TTL is set to a low value. - newDuration := durationFromCert(certData) - 30 - - if newDuration > 0 { - log.Printf("[DEBUG] Found certificate and set lease duration to %d seconds", newDuration) - base = newDuration + if _, ok := s.Data["certificate"]; ok && s.LeaseID == "" { + if expInterface, ok := s.Data["expiration"]; ok { + if expData, err := expInterface.(json.Number).Int64(); err == nil { + base = int(expData - time.Now().Unix()) + log.Printf("[DEBUG] Found certificate and set lease duration to %d seconds", base) } } } diff --git a/dependency/vault_common_test.go b/dependency/vault_common_test.go index 36272127e..99c6d882a 100644 --- a/dependency/vault_common_test.go +++ b/dependency/vault_common_test.go @@ -2,9 +2,9 @@ package dependency import ( "encoding/json" + "strconv" "testing" - - "github.com/stretchr/testify/assert" + "time" ) func init() { 
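Review bot: The single-value type assertion `expInterface.(json.Number)` in the new leaseCheckWait branch panics whenever `s.Data["expiration"]` holds any other type (a float64 from a decoder without `UseNumber`, or a hand-built map), so one malformed secret takes the whole renderer down instead of falling back to the lease duration the way the removed `ok`-checked code did. The old `newDuration > 0` guard is also gone, so a certificate whose expiration is already in the past sets `base` to zero or a negative value; what the rest of leaseCheckWait does with that is outside the hunk, but the earlier code deliberately refused it. The removed comment about Vault's 30-second NotAfter pad disappears along with the subtraction; if the pad still applies to `expiration`, a one-line comment saying why it is no longer compensated for would help the next reader. leaseCheckWait starts and ends outside the hunk.
```go
	// Handle if this is a certificate with no lease
	if _, ok := s.Data["certificate"]; ok && s.LeaseID == "" {
		if expInterface, ok := s.Data["expiration"]; ok {
			// Two-value assertion: a value that is not a json.Number falls
			// back to the lease duration instead of panicking.
			if expNum, ok := expInterface.(json.Number); ok {
				if expData, err := expNum.Int64(); err == nil {
					// Refuse expirations already in the past, as the
					// previous `newDuration > 0` check did.
					if remaining := int(expData - time.Now().Unix()); remaining > 0 {
						base = remaining
						log.Printf("[DEBUG] Found certificate and set lease duration to %d seconds", base)
					}
				}
			}
		}
	}
	// … unchanged: remainder of leaseCheckWait …
```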
@@ -49,36 +49,18 @@ func TestVaultRenewDuration(t *testing.T) { if nonRenewableRotatedDur != 6 { t.Fatalf("renewable duration is not 6: %f", nonRenewableRotatedDur) } -} - -const testGoodCert = `-----BEGIN CERTIFICATE----- -MIICAjCCAWugAwIBAgIJALDrJbXZKXXnMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV -BAMMD2NvbnN1bC10ZW1wbGF0ZTAeFw0xODA1MjUxNTAzNDdaFw0xODA2MDQxNTAz -NDdaMBoxGDAWBgNVBAMMD2NvbnN1bC10ZW1wbGF0ZTCBnzANBgkqhkiG9w0BAQEF -AAOBjQAwgYkCgYEAuT1yS2FvX2bpNvEkrapt4wC68NIfTU9Xx55DC4/Pq1ZkuI8b -tC64x1oiJdM7ABEmT58rofTXoEpeHxcLTpXtJcrfLdgHUkPxNdrBgLWJi0BGI3m6 -zLF9KLTwEpFfBBTLgM6HIvTqqBD4itFtI0BDS/mqQKqa33Ai6hX0zPAH6AECAwEA -AaNQME4wHQYDVR0OBBYEFLldqcFQ+RF40xBNgSjdNGBN78yHMB8GA1UdIwQYMBaA -FLldqcFQ+RF40xBNgSjdNGBN78yHMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL -BQADgYEAUXeDp5pyGhH3RCxdJgjbQ67D5nqTVbTJnetEw1UdMEDQGrgCIUrbsJWm -G4SbKUjKP+4wVUJLZpmv9PwJcN0ZxntNkJBDzTk+KULu4+8cCj6A27bBhmzeOu1y -zZlyse1m1NECY3ryPtkst4U/0wCiKcI4ZW58RrhXgKucB3Y0C0w= ------END CERTIFICATE-----` - -const testBadCert = `-----BEGIN CERTIFICATE----- -THIS IS NOT A VALID CERT ------END CERTIFICATE-----` - -func TestDurationFromCert(t *testing.T) { - t.Parallel() - dur := durationFromCert(testGoodCert) + rawExpiration := time.Now().Unix() + 100 + expiration := strconv.FormatInt(rawExpiration, 10) - // 10 days in seconds - assert.Equal(t, 864000, dur) - - dur = durationFromCert(testBadCert) + data = map[string]interface{}{ + "expiration": json.Number(expiration), + "certificate": "foobar", + } - // Negative duration means an invalid cert - assert.Equal(t, -1, dur) -} + nonRenewableCert := Secret{LeaseDuration: 100, Data: data} + nonRenewableCertDur := leaseCheckWait(&nonRenewableCert).Seconds() + if nonRenewableCertDur < 85 || nonRenewableCertDur > 95 { + t.Fatalf("non renewable certificate duration is not within 85%% to 95%%: %f", nonRenewableCertDur) + } +} \ No newline at end of file
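Review bot: The new assertions in TestVaultRenewDuration cover only the case where `expiration` is a json.Number a hundred seconds in the future, so neither the panic path of leaseCheckWait's `.(json.Number)` assertion nor an already-expired certificate is pinned. A second Secret built with `"expiration": float64(rawExpiration)` and a third with `rawExpiration := time.Now().Unix() - 100` would document which behaviour is intended for each (with the code as committed, the first panics and the second sets base to a non-positive value). The failure message `non renewable certificate duration is not within 85%% to 95%%` reads as a percentage while the comparison is in seconds; it only lines up because LeaseDuration is 100, so `is not within 85 to 95 seconds` would survive a change to the fixture. The file now ends without a trailing newline, which gofmt will restore. The enclosing test function starts before the hunk.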