Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of Migrate existing PKI mounts that only contains a key into release/1.11.x #16816

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions builtin/logical/pki/storage.go
Original file line number Diff line number Diff line change
Expand Up @@ -873,6 +873,12 @@ func writeCaBundle(ctx context.Context, b *backend, s logical.Storage, caBundle
return nil, nil, err
}

// We may have existing mounts that only contained a key with no certificate yet as a signed CSR
// was never setup within the mount.
if caBundle.Certificate == "" {
return &issuerEntry{}, myKey, nil
}

myIssuer, _, err := importIssuer(ctx, b, s, caBundle.Certificate, issuerName)
if err != nil {
return nil, nil, err
Expand Down
81 changes: 81 additions & 0 deletions builtin/logical/pki/storage_migrations_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,87 @@ func Test_migrateStorageEmptyStorage(t *testing.T) {
require.Equal(t, logEntry.Hash, logEntry2.Hash)
}

func Test_migrateStorageOnlyKey(t *testing.T) {
t.Parallel()
startTime := time.Now()
ctx := context.Background()
b, s := createBackendWithStorage(t)

// Reset the version the helper above set to 1.
b.pkiStorageVersion.Store(0)
require.True(t, b.useLegacyBundleCaStorage(), "pre migration we should have been told to use legacy storage.")

bundle := genCertBundle(t, b, s)
// Clear everything except for the key
bundle.SerialNumber = ""
bundle.CAChain = []string{}
bundle.Certificate = ""
bundle.IssuingCA = ""

json, err := logical.StorageEntryJSON(legacyCertBundlePath, bundle)
require.NoError(t, err)
err = s.Put(ctx, json)
require.NoError(t, err)

request := &logical.InitializationRequest{Storage: s}
err = b.initialize(ctx, request)
require.NoError(t, err)

issuerIds, err := listIssuers(ctx, s)
require.NoError(t, err)
require.Equal(t, 0, len(issuerIds))

keyIds, err := listKeys(ctx, s)
require.NoError(t, err)
require.Equal(t, 1, len(keyIds))

logEntry, err := getLegacyBundleMigrationLog(ctx, s)
require.NoError(t, err)
require.NotNil(t, logEntry)
require.Equal(t, latestMigrationVersion, logEntry.MigrationVersion)
require.True(t, len(strings.TrimSpace(logEntry.Hash)) > 0,
"Hash value (%s) should not have been empty", logEntry.Hash)
require.True(t, startTime.Before(logEntry.Created),
"created log entry time (%v) was before our start time(%v)?", logEntry.Created, startTime)
require.Equal(t, logEntry.CreatedIssuer, issuerID(""))
require.Equal(t, logEntry.CreatedKey, keyIds[0])

keyId := keyIds[0]
key, err := fetchKeyById(ctx, s, keyId)
require.NoError(t, err)
require.True(t, strings.HasPrefix(key.Name, "current-"),
"expected key name to start with current- was %s", key.Name)
require.Equal(t, keyId, key.ID)
require.Equal(t, strings.TrimSpace(bundle.PrivateKey), strings.TrimSpace(key.PrivateKey))
require.Equal(t, bundle.PrivateKeyType, key.PrivateKeyType)

// Make sure we kept the old bundle
_, certBundle, err := getLegacyCertBundle(ctx, s)
require.NoError(t, err)
require.Equal(t, bundle, certBundle)

// Make sure we setup the default values
keysConfig, err := getKeysConfig(ctx, s)
require.NoError(t, err)
require.Equal(t, &keyConfigEntry{DefaultKeyId: keyId}, keysConfig)

issuersConfig, err := getIssuersConfig(ctx, s)
require.NoError(t, err)
require.Equal(t, &issuerConfigEntry{}, issuersConfig)

// Make sure if we attempt to re-run the migration nothing happens...
err = migrateStorage(ctx, b, s)
require.NoError(t, err)
logEntry2, err := getLegacyBundleMigrationLog(ctx, s)
require.NoError(t, err)
require.NotNil(t, logEntry2)

require.Equal(t, logEntry.Created, logEntry2.Created)
require.Equal(t, logEntry.Hash, logEntry2.Hash)

require.False(t, b.useLegacyBundleCaStorage(), "post migration we are still told to use legacy storage")
}

func Test_migrateStorageSimpleBundle(t *testing.T) {
startTime := time.Now()
ctx := context.Background()
Expand Down
3 changes: 3 additions & 0 deletions changelog/16813.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates
```