fix aws pca certs (#11470)

Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
FFMMM 2021-11-03 12:21:24 -07:00 committed by GitHub
parent 875fa920c9
commit 6004a21f35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 8 deletions


@ -359,15 +359,15 @@ func (a *AWSProvider) loadCACerts() error {
if a.isPrimary { if a.isPrimary {
// Just use the cert as a root // Just use the cert as a root
a.rootPEM = *output.Certificate a.rootPEM = EnsureTrailingNewline(*output.Certificate)
} else { } else {
a.intermediatePEM = *output.Certificate a.intermediatePEM = EnsureTrailingNewline(*output.Certificate)
// TODO(banks) support user-supplied CA being a Subordinate even in the // TODO(banks) support user-supplied CA being a Subordinate even in the
// primary DC. For now this assumes there is only one cert in the chain // primary DC. For now this assumes there is only one cert in the chain
if output.CertificateChain == nil { if output.CertificateChain == nil {
return fmt.Errorf("Subordinate CA %s returned no chain", a.arn) return fmt.Errorf("Subordinate CA %s returned no chain", a.arn)
} }
a.rootPEM = *output.CertificateChain a.rootPEM = EnsureTrailingNewline(*output.CertificateChain)
} }
return nil return nil
} }
@ -485,7 +485,7 @@ func (a *AWSProvider) signCSR(csrPEM string, templateARN string, ttl time.Durati
} }
if certOutput.Certificate != nil { if certOutput.Certificate != nil {
return true, *certOutput.Certificate, nil return true, EnsureTrailingNewline(*certOutput.Certificate), nil
} }
return false, "", nil return false, "", nil
@ -540,9 +540,9 @@ func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string) er
return err return err
} }
// We succsefully initialized, keep track of the root and intermediate certs. // We successfully initialized, keep track of the root and intermediate certs.
a.rootPEM = rootPEM a.rootPEM = EnsureTrailingNewline(rootPEM)
a.intermediatePEM = intermediatePEM a.intermediatePEM = EnsureTrailingNewline(intermediatePEM)
return nil return nil
} }
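Review bot: In loadCACerts the `*output.Certificate` dereferences that this hunk wraps in EnsureTrailingNewline are still unguarded, while the same hunk nil-checks `output.CertificateChain` and the signCSR hunk below tests `certOutput.Certificate != nil` before dereferencing. If the CA's certificate pointer can come back nil from ACM PCA (presumably a CA that has not had its certificate issued or imported yet), this would panic the server instead of surfacing an error from the provider. I would add a guard mirroring the chain check ahead of the `if a.isPrimary` branch: `if output.Certificate == nil { return fmt.Errorf("CA %s returned no certificate", a.arn) }`. loadCACerts starts before this hunk, so whether an earlier check already covers this is not visible here.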


@ -3,6 +3,7 @@ package ca
import ( import (
"os" "os"
"strconv" "strconv"
"strings"
"testing" "testing"
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
@ -114,7 +115,7 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
// TEST LOAD FROM PREVIOUS STATE // TEST LOAD FROM PREVIOUS STATE
{ {
// Now create new providers fromthe state of the first ones simulating // Now create new providers from the state of the first ones simulating
// leadership change in both DCs // leadership change in both DCs
t.Log("Restarting Providers with State") t.Log("Restarting Providers with State")
@ -179,6 +180,28 @@ func TestAWSBootstrapAndSignSecondary(t *testing.T) {
testSignAndValidate(t, p1, rootPEM, nil) testSignAndValidate(t, p1, rootPEM, nil)
testSignAndValidate(t, p2, rootPEM, []string{intPEM}) testSignAndValidate(t, p2, rootPEM, []string{intPEM})
} }
// Test that SetIntermediate() gives back certs with trailing new lines
{
// "Set" root, intermediate certs without a trailing new line
newIntPEM := strings.TrimSuffix(intPEM, "\n")
newRootPEM := strings.TrimSuffix(rootPEM, "\n")
cfg2 := testProviderConfigSecondary(t, map[string]interface{}{
"ExistingARN": p2State[AWSStateCAARNKey],
})
p2 = testAWSProvider(t, cfg2)
require.NoError(t, p2.SetIntermediate(newIntPEM, newRootPEM))
newRootPEM, err = p1.ActiveRoot()
require.NoError(t, err)
newIntPEM, err = p2.ActiveIntermediate()
require.NoError(t, err)
require.Equal(t, rootPEM, newRootPEM)
require.Equal(t, intPEM, newIntPEM)
}
} }
func TestAWSBootstrapAndSignSecondaryConsul(t *testing.T) { func TestAWSBootstrapAndSignSecondaryConsul(t *testing.T) {
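Review bot: The root-certificate assertion in the new "Test that SetIntermediate()" block does not exercise the change it is meant to cover: `SetIntermediate` is called on `p2` with the newline-stripped root, but the root is then read back from `p1`, whose state was never touched, so `require.Equal(t, rootPEM, newRootPEM)` would pass even if SetIntermediate had dropped the normalization. Read it from the provider under test instead: `newRootPEM, err = p2.ActiveRoot()`. Whether ActiveRoot on a secondary provider returns the rootPEM stored by SetIntermediate is not visible here; if it does not, compare against whichever accessor exposes that field. Separately, `strings.TrimSuffix` removes exactly one trailing newline, so the test relies on the fixtures produced earlier in this function ending in a single `\n`; a comment such as `// fixtures end in exactly one "\n" (see EnsureTrailingNewline)` would make that dependency explicit.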