Avoid returning empty roots with uninitialized CA

Currently getCARoots could return an empty object with an empty trust
domain before the CA is initialized. This commit instead returns an error
when there is no CA config or no trust domain.

There could be a CA config and no trust domain because the CA config can
be created in InitializeCA before initialization succeeds.
freddygv 2021-11-08 16:51:49 -07:00
parent d9110136f2
commit cc5a7ed36c
1 changed files with 13 additions and 9 deletions


@ -16,19 +16,23 @@ func (s *Server) getCARoots(ws memdb.WatchSet, state *state.Store) (*structs.Ind
if err != nil {
return nil, err
}
if config == nil {
return nil, fmt.Errorf("CA has not finished initializing")
}
indexedRoots := &structs.IndexedCARoots{}
if config != nil {
// Build TrustDomain based on the ClusterID stored.
signingID := connect.SpiffeIDSigningForCluster(config)
if signingID == nil {
// If CA is bootstrapped at all then this should never happen but be
// defensive.
return nil, fmt.Errorf("no cluster trust domain setup")
}
// Build TrustDomain based on the ClusterID stored.
signingID := connect.SpiffeIDSigningForCluster(config)
if signingID == nil {
// If CA is bootstrapped at all then this should never happen but be
// defensive.
return nil, fmt.Errorf("no cluster trust domain setup")
}
indexedRoots.TrustDomain = signingID.Host()
indexedRoots.TrustDomain = signingID.Host()
if indexedRoots.TrustDomain == "" {
return nil, fmt.Errorf("CA has not finished initializing")
}
indexedRoots.Index, indexedRoots.Roots = index, roots
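Review bot: The two new guards (`config == nil` and `indexedRoots.TrustDomain == ""`) both return the same ad-hoc `fmt.Errorf("CA has not finished initializing")`. A caller therefore cannot tell with `errors.Is` that the CA is simply not ready yet, as opposed to the `"no cluster trust domain setup"` failure, and an operator reading the log cannot tell which guard fired. Consider a package-level sentinel such as `var errCANotInitialized = errors.New("CA has not finished initializing")`, returned bare for the nil config and wrapped for the second case as `fmt.Errorf("%w: empty trust domain", errCANotInitialized)`. The diffstat shows a single changed file, so neither fail-closed path appears to be covered by a test; one that calls getCARoots against a store with no CA config would pin the behaviour. The body of getCARoots continues past the end of this hunk, so how the roots themselves are handled is not visible here.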