consul/agent/connect/ca/provider_consul_test.go

537 lines
16 KiB
Go
Raw Normal View History

package ca
import (
"crypto/x509"
"fmt"
"testing"
2018-04-27 06:02:18 +00:00
"time"
"github.com/stretchr/testify/require"
2018-04-27 06:02:18 +00:00
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/consul/fsm"
"github.com/hashicorp/consul/agent/consul/state"
"github.com/hashicorp/consul/agent/structs"
)
type consulCAMockDelegate struct {
state *state.Store
}
func (c *consulCAMockDelegate) ProviderState(id string) (*structs.CAConsulProviderState, error) {
_, s, err := c.state.CAProviderState(id)
return s, err
}
func (c *consulCAMockDelegate) ApplyCARequest(req *structs.CARequest) (interface{}, error) {
idx, _, err := c.state.CAConfig(nil)
if err != nil {
return nil, err
}
result := fsm.ApplyConnectCAOperationFromRequest(c.state, req, idx+1)
if err, ok := result.(error); ok && err != nil {
return nil, err
}
return result, nil
}
func newMockDelegate(t *testing.T, conf *structs.CAConfiguration) *consulCAMockDelegate {
s := state.NewStateStore(nil)
if s == nil {
t.Fatalf("missing state store")
}
if err := s.CASetConfig(conf.RaftIndex.CreateIndex, conf); err != nil {
t.Fatalf("err: %s", err)
}
return &consulCAMockDelegate{s}
}
func testConsulCAConfig() *structs.CAConfiguration {
return &structs.CAConfiguration{
ClusterID: connect.TestClusterID,
Provider: "consul",
Fix CA pruning when CA config uses string durations. (#4669) * Fix CA pruning when CA config uses string durations. The tl;dr here is: - Configuring LeafCertTTL with a string like "72h" is how we do it by default and should be supported - Most of our tests managed to escape this by defining them as time.Duration directly - Out actual default value is a string - Since this is stored in a map[string]interface{} config, when it is written to Raft it goes through a msgpack encode/decode cycle (even though it's written from server not over RPC). - msgpack decode leaves the string as a `[]uint8` - Some of our parsers required string and failed - So after 1 hour, a default configured server would throw an error about pruning old CAs - If a new CA was configured that set LeafCertTTL as a time.Duration, things might be OK after that, but if a new CA was just configured from config file, intialization would cause same issue but always fail still so would never prune the old CA. - Mostly this is just a janky error that got passed tests due to many levels of complicated encoding/decoding. tl;dr of the tl;dr: Yay for type safety. Map[string]interface{} combined with msgpack always goes wrong but we somehow get bitten every time in a new way :D We already fixed this once! The main CA config had the same problem so @kyhavlov already wrote the mapstructure DecodeHook that fixes it. It wasn't used in several places it needed to be and one of those is notw in `structs` which caused a dependency cycle so I've moved them. This adds a whole new test thta explicitly tests the case that broke here. It also adds tests that would have failed in other places before (Consul and Vaul provider parsing functions). I'm not sure if they would ever be affected as it is now as we've not seen things broken with them but it seems better to explicitly test that and support it to not be bitten a third time! * Typo fix * Fix bad Uint8 usage
2018-09-13 14:43:00 +00:00
Config: map[string]interface{}{
// Tests duration parsing after msgpack type mangling during raft apply.
"LeafCertTTL": []byte("72h"),
"IntermediateCertTTL": []byte("288h"),
"RootCertTTL": []byte("87600h"),
Fix CA pruning when CA config uses string durations. (#4669) * Fix CA pruning when CA config uses string durations. The tl;dr here is: - Configuring LeafCertTTL with a string like "72h" is how we do it by default and should be supported - Most of our tests managed to escape this by defining them as time.Duration directly - Out actual default value is a string - Since this is stored in a map[string]interface{} config, when it is written to Raft it goes through a msgpack encode/decode cycle (even though it's written from server not over RPC). - msgpack decode leaves the string as a `[]uint8` - Some of our parsers required string and failed - So after 1 hour, a default configured server would throw an error about pruning old CAs - If a new CA was configured that set LeafCertTTL as a time.Duration, things might be OK after that, but if a new CA was just configured from config file, intialization would cause same issue but always fail still so would never prune the old CA. - Mostly this is just a janky error that got passed tests due to many levels of complicated encoding/decoding. tl;dr of the tl;dr: Yay for type safety. Map[string]interface{} combined with msgpack always goes wrong but we somehow get bitten every time in a new way :D We already fixed this once! The main CA config had the same problem so @kyhavlov already wrote the mapstructure DecodeHook that fixes it. It wasn't used in several places it needed to be and one of those is notw in `structs` which caused a dependency cycle so I've moved them. This adds a whole new test thta explicitly tests the case that broke here. It also adds tests that would have failed in other places before (Consul and Vaul provider parsing functions). I'm not sure if they would ever be affected as it is now as we've not seen things broken with them but it seems better to explicitly test that and support it to not be bitten a third time! * Typo fix * Fix bad Uint8 usage
2018-09-13 14:43:00 +00:00
},
}
}
func testProviderConfig(caCfg *structs.CAConfiguration) ProviderConfig {
return ProviderConfig{
ClusterID: caCfg.ClusterID,
Datacenter: "dc1",
IsPrimary: true,
RawConfig: caCfg.Config,
}
}
func requireNotEncoded(t *testing.T, v []byte) {
t.Helper()
require.False(t, connect.IsHexString(v))
}
2018-06-13 08:40:03 +00:00
func TestConsulCAProvider_Bootstrap(t *testing.T) {
t.Parallel()
conf := testConsulCAConfig()
delegate := newMockDelegate(t, conf)
provider := TestConsulProvider(t, delegate)
require.NoError(t, provider.Configure(testProviderConfig(conf)))
root, err := provider.GenerateRoot()
require.NoError(t, err)
2018-04-27 06:02:18 +00:00
// Intermediate should be the same cert.
inter, err := provider.ActiveIntermediate()
require.NoError(t, err)
require.Equal(t, root.PEM, inter)
2018-04-27 06:02:18 +00:00
// Should be a valid cert
parsed, err := connect.ParseCert(root.PEM)
require.NoError(t, err)
require.Equal(t, parsed.URIs[0].String(), fmt.Sprintf("spiffe://%s.consul", conf.ClusterID))
requireNotEncoded(t, parsed.SubjectKeyId)
requireNotEncoded(t, parsed.AuthorityKeyId)
// test that the root cert ttl is the same as the expected value
// notice that we allow a margin of "error" of 10 minutes between the
// generateCA() creation and this check
defaultRootCertTTL, err := time.ParseDuration(structs.DefaultRootCertTTL)
require.NoError(t, err)
expectedNotAfter := time.Now().Add(defaultRootCertTTL).UTC()
require.WithinDuration(t, expectedNotAfter, parsed.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
2018-04-27 06:02:18 +00:00
}
2018-06-13 08:40:03 +00:00
func TestConsulCAProvider_Bootstrap_WithCert(t *testing.T) {
2018-04-27 06:02:18 +00:00
t.Parallel()
// Make sure setting a custom private key/root cert works.
rootCA := connect.TestCAWithTTL(t, nil, 5*time.Hour)
conf := testConsulCAConfig()
conf.Config = map[string]interface{}{
"PrivateKey": rootCA.SigningKey,
"RootCert": rootCA.RootCert,
}
delegate := newMockDelegate(t, conf)
2018-04-27 06:02:18 +00:00
provider := TestConsulProvider(t, delegate)
require.NoError(t, provider.Configure(testProviderConfig(conf)))
2018-04-27 06:02:18 +00:00
root, err := provider.GenerateRoot()
require.NoError(t, err)
require.Equal(t, root.PEM, rootCA.RootCert)
// Should be a valid cert
parsed, err := connect.ParseCert(root.PEM)
require.NoError(t, err)
// test that the default root cert ttl was not applied to the provided cert
defaultRootCertTTL, err := time.ParseDuration(structs.DefaultRootCertTTL)
require.NoError(t, err)
defaultNotAfter := time.Now().Add(defaultRootCertTTL).UTC()
// we can't compare given the "delta" between the time the cert is generated
// and when we start the test; so just look at the years for now, given different years
require.NotEqualf(t, defaultNotAfter.Year(), parsed.NotAfter.Year(), "parsed cert ttl expected to be different from default root cert ttl")
2018-04-27 06:02:18 +00:00
}
2018-06-13 08:40:03 +00:00
func TestConsulCAProvider_SignLeaf(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
2018-04-27 06:02:18 +00:00
t.Parallel()
for _, tc := range KeyTestCases {
tc := tc
t.Run(tc.Desc, func(t *testing.T) {
conf := testConsulCAConfig()
conf.Config["LeafCertTTL"] = "1h"
conf.Config["PrivateKeyType"] = tc.KeyType
conf.Config["PrivateKeyBits"] = tc.KeyBits
delegate := newMockDelegate(t, conf)
provider := TestConsulProvider(t, delegate)
require.NoError(t, provider.Configure(testProviderConfig(conf)))
_, err := provider.GenerateRoot()
require.NoError(t, err)
spiffeService := &connect.SpiffeIDService{
Host: connect.TestClusterID + ".consul",
Namespace: "default",
Datacenter: "dc1",
Service: "foo",
}
// Generate a leaf cert for the service.
{
raw, _ := connect.TestCSR(t, spiffeService)
csr, err := connect.ParseCSR(raw)
require.NoError(t, err)
cert, err := provider.Sign(csr)
require.NoError(t, err)
Format certificates properly (rfc7468) with a trailing new line (#10411) * trim carriage return from certificates when inserting rootCA in the inMemDB * format rootCA properly when returning the CA on the connect CA endpoint * Fix linter warnings * Fix providers to trim certs before returning it * trim newlines on write when possible * add changelog * make sure all provider return a trailing newline after the root and intermediate certs * Fix endpoint to return trailing new line * Fix failing test with vault provider * make test more robust * make sure all provider return a trailing newline after the leaf certs * Check for suffix before removing newline and use function * Add comment to consul provider * Update change log Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * fix typo * simplify code callflow Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> * extract requireNewLine as shared func * remove dependency to testify in testing file * remove extra newline in vault provider * Add cert newline fix to envoy xds * remove new line from mock provider * Remove adding a new line from provider and fix it when the cert is read * Add a comment to explain the fix * Add missing for leaf certs * fix missing new line * fix missing new line in leaf certs * remove extra new line in test * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * fix in vault provider and when reading cache (RPC call) * fix AWS provider * fix failing test in the provider * remove comments and empty lines * add check for empty cert in test * fix linter warnings * add new line for leaf and private key * use string concat instead of Sprintf * fix new lines for leaf signing * preallocate slice and remove append * Add new line to `SignIntermediate` and `CrossSignCA` Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-07-01 00:48:29 +00:00
requireTrailingNewline(t, cert)
parsed, err := connect.ParseCert(cert)
require.NoError(t, err)
require.Equal(t, spiffeService.URI(), parsed.URIs[0])
require.Empty(t, parsed.Subject.CommonName)
require.Equal(t, uint64(3), parsed.SerialNumber.Uint64())
subjectKeyID, err := connect.KeyId(csr.PublicKey)
require.NoError(t, err)
require.Equal(t, subjectKeyID, parsed.SubjectKeyId)
requireNotEncoded(t, parsed.SubjectKeyId)
requireNotEncoded(t, parsed.AuthorityKeyId)
// Ensure the cert is valid now and expires within the correct limit.
now := time.Now()
require.True(t, parsed.NotAfter.Sub(now) < time.Hour)
require.True(t, parsed.NotBefore.Before(now))
}
// Generate a new cert for another service and make sure
// the serial number is incremented.
spiffeService.Service = "bar"
{
raw, _ := connect.TestCSR(t, spiffeService)
csr, err := connect.ParseCSR(raw)
require.NoError(t, err)
cert, err := provider.Sign(csr)
require.NoError(t, err)
parsed, err := connect.ParseCert(cert)
require.NoError(t, err)
require.Equal(t, spiffeService.URI(), parsed.URIs[0])
require.Empty(t, parsed.Subject.CommonName)
require.Equal(t, uint64(4), parsed.SerialNumber.Uint64())
requireNotEncoded(t, parsed.SubjectKeyId)
requireNotEncoded(t, parsed.AuthorityKeyId)
// Ensure the cert is valid now and expires within the correct limit.
require.True(t, time.Until(parsed.NotAfter) < 3*24*time.Hour)
require.True(t, parsed.NotBefore.Before(time.Now()))
}
spiffeAgent := &connect.SpiffeIDAgent{
Host: connect.TestClusterID + ".consul",
Datacenter: "dc1",
Agent: "uuid",
}
// Generate a leaf cert for an agent.
{
raw, _ := connect.TestCSR(t, spiffeAgent)
csr, err := connect.ParseCSR(raw)
require.NoError(t, err)
cert, err := provider.Sign(csr)
require.NoError(t, err)
parsed, err := connect.ParseCert(cert)
require.NoError(t, err)
require.Equal(t, spiffeAgent.URI(), parsed.URIs[0])
require.Empty(t, parsed.Subject.CommonName)
require.Equal(t, uint64(5), parsed.SerialNumber.Uint64())
requireNotEncoded(t, parsed.SubjectKeyId)
requireNotEncoded(t, parsed.AuthorityKeyId)
// Ensure the cert is valid now and expires within the correct limit.
now := time.Now()
require.True(t, parsed.NotAfter.Sub(now) < time.Hour)
require.True(t, parsed.NotBefore.Before(now))
}
})
}
2018-04-27 06:02:18 +00:00
}
2018-06-13 08:40:03 +00:00
func TestConsulCAProvider_CrossSignCA(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
2018-04-27 06:02:18 +00:00
t.Parallel()
tests := CASigningKeyTypeCases()
for _, tc := range tests {
tc := tc
t.Run(tc.Desc, func(t *testing.T) {
conf1 := testConsulCAConfig()
delegate1 := newMockDelegate(t, conf1)
provider1 := TestConsulProvider(t, delegate1)
conf1.Config["PrivateKeyType"] = tc.SigningKeyType
conf1.Config["PrivateKeyBits"] = tc.SigningKeyBits
require.NoError(t, provider1.Configure(testProviderConfig(conf1)))
_, err := provider1.GenerateRoot()
require.NoError(t, err)
conf2 := testConsulCAConfig()
conf2.CreateIndex = 10
delegate2 := newMockDelegate(t, conf2)
provider2 := TestConsulProvider(t, delegate2)
conf2.Config["PrivateKeyType"] = tc.CSRKeyType
conf2.Config["PrivateKeyBits"] = tc.CSRKeyBits
require.NoError(t, provider2.Configure(testProviderConfig(conf2)))
_, err = provider2.GenerateRoot()
require.NoError(t, err)
testCrossSignProviders(t, provider1, provider2)
})
}
}
func testCrossSignProviders(t *testing.T, provider1, provider2 Provider) {
// Get the root from the new provider to be cross-signed.
root, err := provider2.GenerateRoot()
require.NoError(t, err)
newRoot, err := connect.ParseCert(root.PEM)
require.NoError(t, err)
oldSubject := newRoot.Subject.CommonName
requireNotEncoded(t, newRoot.SubjectKeyId)
requireNotEncoded(t, newRoot.AuthorityKeyId)
newInterPEM, err := provider2.ActiveIntermediate()
require.NoError(t, err)
newIntermediate, err := connect.ParseCert(newInterPEM)
require.NoError(t, err)
requireNotEncoded(t, newIntermediate.SubjectKeyId)
requireNotEncoded(t, newIntermediate.AuthorityKeyId)
2018-04-27 06:02:18 +00:00
// Have provider1 cross sign our new root cert.
xcPEM, err := provider1.CrossSignCA(newRoot)
require.NoError(t, err)
2018-04-27 06:02:18 +00:00
xc, err := connect.ParseCert(xcPEM)
require.NoError(t, err)
requireNotEncoded(t, xc.SubjectKeyId)
requireNotEncoded(t, xc.AuthorityKeyId)
p1Root, err := provider1.GenerateRoot()
require.NoError(t, err)
oldRoot, err := connect.ParseCert(p1Root.PEM)
require.NoError(t, err)
requireNotEncoded(t, oldRoot.SubjectKeyId)
requireNotEncoded(t, oldRoot.AuthorityKeyId)
2018-04-27 06:02:18 +00:00
// AuthorityKeyID should now be the signing root's, SubjectKeyId should be kept.
require.Equal(t, oldRoot.SubjectKeyId, xc.AuthorityKeyId,
"newSKID=%x\nnewAKID=%x\noldSKID=%x\noldAKID=%x\nxcSKID=%x\nxcAKID=%x",
newRoot.SubjectKeyId, newRoot.AuthorityKeyId,
oldRoot.SubjectKeyId, oldRoot.AuthorityKeyId,
xc.SubjectKeyId, xc.AuthorityKeyId)
require.Equal(t, newRoot.SubjectKeyId, xc.SubjectKeyId)
2018-04-27 06:02:18 +00:00
// Subject name should not have changed.
require.Equal(t, oldSubject, xc.Subject.CommonName)
2018-04-27 06:02:18 +00:00
// Issuer should be the signing root.
require.Equal(t, oldRoot.Issuer.CommonName, xc.Issuer.CommonName)
// Get a leaf cert so we can verify against the cross-signed cert.
spiffeService := &connect.SpiffeIDService{
Host: connect.TestClusterID + ".consul",
Namespace: "default",
Datacenter: "dc1",
Service: "foo",
}
2019-08-27 21:45:58 +00:00
raw, _ := connect.TestCSR(t, spiffeService)
leafCsr, err := connect.ParseCSR(raw)
require.NoError(t, err)
leafPEM, err := provider2.Sign(leafCsr)
require.NoError(t, err)
cert, err := connect.ParseCert(leafPEM)
require.NoError(t, err)
requireNotEncoded(t, cert.SubjectKeyId)
requireNotEncoded(t, cert.AuthorityKeyId)
// Check that the leaf signed by the new cert can be verified by either root
// certificate by using the new intermediate + cross-signed cert.
intermediatePool := x509.NewCertPool()
intermediatePool.AddCert(newIntermediate)
intermediatePool.AddCert(xc)
for _, root := range []*x509.Certificate{oldRoot, newRoot} {
rootPool := x509.NewCertPool()
rootPool.AddCert(root)
_, err = cert.Verify(x509.VerifyOptions{
Intermediates: intermediatePool,
Roots: rootPool,
})
require.NoError(t, err)
}
}
func testCrossSignProvidersShouldFail(t *testing.T, provider1, provider2 Provider) {
t.Helper()
// Get the root from the new provider to be cross-signed.
root, err := provider2.GenerateRoot()
require.NoError(t, err)
newRoot, err := connect.ParseCert(root.PEM)
require.NoError(t, err)
requireNotEncoded(t, newRoot.SubjectKeyId)
requireNotEncoded(t, newRoot.AuthorityKeyId)
newInterPEM, err := provider2.ActiveIntermediate()
require.NoError(t, err)
newIntermediate, err := connect.ParseCert(newInterPEM)
require.NoError(t, err)
requireNotEncoded(t, newIntermediate.SubjectKeyId)
requireNotEncoded(t, newIntermediate.AuthorityKeyId)
// Have provider1 cross sign our new root cert.
_, err = provider1.CrossSignCA(newRoot)
require.Error(t, err)
}
func TestConsulProvider_SignIntermediate(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
tests := CASigningKeyTypeCases()
for _, tc := range tests {
tc := tc
t.Run(tc.Desc, func(t *testing.T) {
conf1 := testConsulCAConfig()
delegate1 := newMockDelegate(t, conf1)
provider1 := TestConsulProvider(t, delegate1)
conf1.Config["PrivateKeyType"] = tc.SigningKeyType
conf1.Config["PrivateKeyBits"] = tc.SigningKeyBits
require.NoError(t, provider1.Configure(testProviderConfig(conf1)))
_, err := provider1.GenerateRoot()
require.NoError(t, err)
conf2 := testConsulCAConfig()
conf2.CreateIndex = 10
delegate2 := newMockDelegate(t, conf2)
provider2 := TestConsulProvider(t, delegate2)
conf2.Config["PrivateKeyType"] = tc.CSRKeyType
conf2.Config["PrivateKeyBits"] = tc.CSRKeyBits
cfg := testProviderConfig(conf2)
cfg.IsPrimary = false
cfg.Datacenter = "dc2"
require.NoError(t, provider2.Configure(cfg))
testSignIntermediateCrossDC(t, provider1, provider2)
})
}
}
func testSignIntermediateCrossDC(t *testing.T, provider1, provider2 Provider) {
// Get the intermediate CSR from provider2.
csrPEM, opaque, err := provider2.GenerateIntermediateCSR()
require.NoError(t, err)
csr, err := connect.ParseCSR(csrPEM)
require.NoError(t, err)
// Sign the CSR with provider1.
intermediatePEM, err := provider1.SignIntermediate(csr)
require.NoError(t, err)
root, err := provider1.GenerateRoot()
require.NoError(t, err)
rootPEM := root.PEM
// Give the new intermediate to provider2 to use.
require.NoError(t, provider2.SetIntermediate(intermediatePEM, rootPEM, opaque))
// Have provider2 sign a leaf cert and make sure the chain is correct.
spiffeService := &connect.SpiffeIDService{
Host: connect.TestClusterID + ".consul",
Namespace: "default",
Datacenter: "dc1",
Service: "foo",
}
2019-08-27 21:45:58 +00:00
raw, _ := connect.TestCSR(t, spiffeService)
leafCsr, err := connect.ParseCSR(raw)
require.NoError(t, err)
leafPEM, err := provider2.Sign(leafCsr)
require.NoError(t, err)
cert, err := connect.ParseCert(leafPEM)
require.NoError(t, err)
requireNotEncoded(t, cert.SubjectKeyId)
requireNotEncoded(t, cert.AuthorityKeyId)
// Check that the leaf signed by the new cert can be verified using the
// returned cert chain (signed intermediate + remote root).
intermediatePool := x509.NewCertPool()
intermediatePool.AppendCertsFromPEM([]byte(intermediatePEM))
rootPool := x509.NewCertPool()
rootPool.AppendCertsFromPEM([]byte(rootPEM))
_, err = cert.Verify(x509.VerifyOptions{
Intermediates: intermediatePool,
Roots: rootPool,
})
require.NoError(t, err)
}
func TestConsulCAProvider_MigrateOldID(t *testing.T) {
cases := []struct {
name string
oldID string
}{
{
name: "original-unhashed",
oldID: ",",
},
{
name: "hash-v1",
oldID: hexStringHash(",,true"),
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
conf := testConsulCAConfig()
delegate := newMockDelegate(t, conf)
// Create an entry with an old-style ID.
_, err := delegate.ApplyCARequest(&structs.CARequest{
Op: structs.CAOpSetProviderState,
ProviderState: &structs.CAConsulProviderState{
ID: tc.oldID,
},
})
require.NoError(t, err)
_, providerState, err := delegate.state.CAProviderState(tc.oldID)
require.NoError(t, err)
require.NotNil(t, providerState)
provider := TestConsulProvider(t, delegate)
require.NoError(t, provider.Configure(testProviderConfig(conf)))
_, err = provider.GenerateRoot()
require.NoError(t, err)
// After running Configure, the old ID entry should be gone.
_, providerState, err = delegate.state.CAProviderState(tc.oldID)
require.NoError(t, err)
require.Nil(t, providerState)
})
}
}