fix aws pca certs (#11470)

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
2021-11-03 12:21:24 -07:00 · 2021-11-03 12:21:24 -07:00 · 6004a21f35
parent 875fa920c9
commit 6004a21f35
2 changed files with 31 additions and 8 deletions
--- a/agent/connect/ca/provider_aws.go
+++ b/agent/connect/ca/provider_aws.go
@ -359,15 +359,15 @@ func (a *AWSProvider) loadCACerts() error {

 	if a.isPrimary {
 		// Just use the cert as a root
-		a.rootPEM = *output.Certificate
+		a.rootPEM = EnsureTrailingNewline(*output.Certificate)
 	} else {
-		a.intermediatePEM = *output.Certificate
+		a.intermediatePEM = EnsureTrailingNewline(*output.Certificate)
 		// TODO(banks) support user-supplied CA being a Subordinate even in the
 		// primary DC. For now this assumes there is only one cert in the chain
 		if output.CertificateChain == nil {
 			return fmt.Errorf("Subordinate CA %s returned no chain", a.arn)
 		}
-		a.rootPEM = *output.CertificateChain
+		a.rootPEM = EnsureTrailingNewline(*output.CertificateChain)
 	}
 	return nil
 }
@ -485,7 +485,7 @@ func (a *AWSProvider) signCSR(csrPEM string, templateARN string, ttl time.Durati
 			}

 			if certOutput.Certificate != nil {
-				return true, *certOutput.Certificate, nil
+				return true, EnsureTrailingNewline(*certOutput.Certificate), nil
 			}

 			return false, "", nil
@ -540,9 +540,9 @@ func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string) er
 		return err
 	}

-	// We succsefully initialized, keep track of the root and intermediate certs.
-	a.rootPEM = rootPEM
-	a.intermediatePEM = intermediatePEM
+	// We successfully initialized, keep track of the root and intermediate certs.
+	a.rootPEM = EnsureTrailingNewline(rootPEM)
+	a.intermediatePEM = EnsureTrailingNewline(intermediatePEM)

 	return nil
 }
--- a/agent/connect/ca/provider_aws_test.go
+++ b/agent/connect/ca/provider_aws_test.go
@ -3,6 +3,7 @@ package ca
 import (
 	"os"
 	"strconv"
+	"strings"
 	"testing"

 	"github.com/aws/aws-sdk-go/aws"
@ -114,7 +115,7 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {

 	// TEST LOAD FROM PREVIOUS STATE
 	{
-		// Now create new providers fromthe state of the first ones simulating
+		// Now create new providers from the state of the first ones simulating
 		// leadership change in both DCs
 		t.Log("Restarting Providers with State")

@ -179,6 +180,28 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
 		testSignAndValidate(t, p1, rootPEM, nil)
 		testSignAndValidate(t, p2, rootPEM, []string{intPEM})
 	}
+
+	// Test that SetIntermediate() gives back certs with trailing new lines
+	{
+
+		// "Set" root, intermediate certs without a trailing new line
+		newIntPEM := strings.TrimSuffix(intPEM, "\n")
+		newRootPEM := strings.TrimSuffix(rootPEM, "\n")
+
+		cfg2 := testProviderConfigSecondary(t, map[string]interface{}{
+			"ExistingARN": p2State[AWSStateCAARNKey],
+		})
+		p2 = testAWSProvider(t, cfg2)
+		require.NoError(t, p2.SetIntermediate(newIntPEM, newRootPEM))
+
+		newRootPEM, err = p1.ActiveRoot()
+		require.NoError(t, err)
+		newIntPEM, err = p2.ActiveIntermediate()
+		require.NoError(t, err)
+
+		require.Equal(t, rootPEM, newRootPEM)
+		require.Equal(t, intPEM, newIntPEM)
+	}
 }

 func TestAWSBootstrapAndSignSecondaryConsul(t *testing.T) {