Skip to content

Commit

Permalink
coordinator: align mesh root naming
Browse files Browse the repository at this point in the history
This also fixes a bug where the intermediate cert is returned and saved as "mesh-root.pem".
  • Loading branch information
3u13r committed Mar 8, 2024
1 parent 63a0f87 commit 96fd136
Show file tree
Hide file tree
Showing 10 changed files with 84 additions and 82 deletions.
18 changes: 9 additions & 9 deletions cli/cmd/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,15 @@ import (
)

const (
coordHashFilename = "coordinator-policy.sha256"
coordRootPEMFilename = "coordinator-root.pem"
coordIntermPEMFilename = "mesh-root.pem"
workloadOwnerPEM = "workload-owner.pem"
manifestFilename = "manifest.json"
settingsFilename = "settings.json"
rulesFilename = "rules.rego"
verifyDir = "./verify"
cacheDirEnv = "CONTRAST_CACHE_DIR"
coordHashFilename = "coordinator-policy.sha256"
coordRootPEMFilename = "coordinator-root.pem"
meshRootPEMFilename = "mesh-root.pem"
workloadOwnerPEM = "workload-owner.pem"
manifestFilename = "manifest.json"
settingsFilename = "settings.json"
rulesFilename = "rules.rego"
verifyDir = "./verify"
cacheDirEnv = "CONTRAST_CACHE_DIR"
)

var (
Expand Down
4 changes: 2 additions & 2 deletions cli/cmd/set.go
Original file line number Diff line number Diff line change
Expand Up @@ -139,8 +139,8 @@ func runSet(cmd *cobra.Command, args []string) error {
fmt.Fprintln(cmd.OutOrStdout(), "✔️ Manifest set successfully")

filelist := map[string][]byte{
path.Join(flags.workspaceDir, coordRootPEMFilename): resp.CACert,
path.Join(flags.workspaceDir, coordIntermPEMFilename): resp.IntermCert,
path.Join(flags.workspaceDir, coordRootPEMFilename): resp.CoordinatorRoot,
path.Join(flags.workspaceDir, meshRootPEMFilename): resp.MeshRoot,
}
if err := writeFilelist(".", filelist); err != nil {
return fmt.Errorf("writing filelist: %w", err)
Expand Down
4 changes: 2 additions & 2 deletions cli/cmd/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -88,8 +88,8 @@ func runVerify(cmd *cobra.Command, _ []string) error {
log.Debug("Got response")

filelist := map[string][]byte{
coordRootPEMFilename: resp.CACert,
coordIntermPEMFilename: resp.IntermCert,
coordRootPEMFilename: resp.CoordinatorRoot,
meshRootPEMFilename: resp.MeshRoot,
}
for i, m := range resp.Manifests {
filelist[fmt.Sprintf("manifest.%d.json", i)] = m
Expand Down
4 changes: 2 additions & 2 deletions coordinator/meshapi.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,12 +74,12 @@ func (i *meshAPIServer) NewMeshCert(_ context.Context, req *meshapi.NewMeshCertR
"getting certificate with public key hash %q: %v", req.PeerPublicKeyHash, err)
}

meshCACert := i.caChainGetter.GetMeshCACert()
meshCACert := i.caChainGetter.GetMeshRootCert()
intermCert := i.caChainGetter.GetIntermCert()

return &meshapi.NewMeshCertResponse{
MeshCACert: meshCACert,
CertChain: append(cert, intermCert...),
RootCACert: i.caChainGetter.GetRootCACert(),
RootCACert: i.caChainGetter.GetCoordinatorRootCert(),
}, nil
}
16 changes: 8 additions & 8 deletions coordinator/userapi.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,8 +101,8 @@ func (s *userAPIServer) SetManifest(ctx context.Context, req *userapi.SetManifes
}

resp := &userapi.SetManifestResponse{
CACert: s.caChainGetter.GetRootCACert(),
IntermCert: s.caChainGetter.GetIntermCert(),
CoordinatorRoot: s.caChainGetter.GetCoordinatorRootCert(),
MeshRoot: s.caChainGetter.GetMeshRootCert(),
}

s.logger.Info("SetManifest succeeded")
Expand Down Expand Up @@ -131,10 +131,10 @@ func (s *userAPIServer) GetManifests(_ context.Context, _ *userapi.GetManifestsR
}

resp := &userapi.GetManifestsResponse{
Manifests: manifestBytes,
Policies: policySliceToBytesSlice(policies),
CACert: s.caChainGetter.GetRootCACert(),
IntermCert: s.caChainGetter.GetIntermCert(),
Manifests: manifestBytes,
Policies: policySliceToBytesSlice(policies),
CoordinatorRoot: s.caChainGetter.GetCoordinatorRootCert(),
MeshRoot: s.caChainGetter.GetIntermCert(),
}

s.logger.Info("GetManifest succeeded")
Expand Down Expand Up @@ -210,8 +210,8 @@ func manifestSliceToBytesSlice(s []*manifest.Manifest) ([][]byte, error) {
}

type certChainGetter interface {
GetRootCACert() []byte
GetMeshCACert() []byte
GetCoordinatorRootCert() []byte
GetMeshRootCert() []byte
GetIntermCert() []byte
}

Expand Down
14 changes: 7 additions & 7 deletions coordinator/userapi_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -227,8 +227,8 @@ func TestManifestSet(t *testing.T) {
return
}
require.NoError(err)
assert.Equal([]byte("root"), resp.CACert)
assert.Equal([]byte("inter"), resp.IntermCert)
assert.Equal([]byte("root"), resp.CoordinatorRoot)
assert.Equal([]byte("mesh"), resp.MeshRoot)
assert.Equal(1, tc.mSGetter.setManifestCount)
})
}
Expand Down Expand Up @@ -293,8 +293,8 @@ func TestGetManifests(t *testing.T) {
return
}
require.NoError(err)
assert.Equal([]byte("root"), resp.CACert)
assert.Equal([]byte("inter"), resp.IntermCert)
assert.Equal([]byte("root"), resp.CoordinatorRoot)
assert.Equal([]byte("inter"), resp.MeshRoot)
assert.Len(resp.Policies, len(tc.policyStoreContent))
})
}
Expand Down Expand Up @@ -394,9 +394,9 @@ func (s *stubManifestSetGetter) LatestManifest() (*manifest.Manifest, error) {

type stubCertChainGetter struct{}

func (s *stubCertChainGetter) GetRootCACert() []byte { return []byte("root") }
func (s *stubCertChainGetter) GetMeshCACert() []byte { return []byte("mesh") }
func (s *stubCertChainGetter) GetIntermCert() []byte { return []byte("inter") }
func (s *stubCertChainGetter) GetCoordinatorRootCert() []byte { return []byte("root") }
func (s *stubCertChainGetter) GetMeshRootCert() []byte { return []byte("mesh") }
func (s *stubCertChainGetter) GetIntermCert() []byte { return []byte("inter") }

func rpcContext(key *ecdsa.PrivateKey) context.Context {
var peerCertificates []*x509.Certificate
Expand Down
8 changes: 4 additions & 4 deletions internal/ca/ca.go
Original file line number Diff line number Diff line change
Expand Up @@ -142,8 +142,8 @@ func (c *CA) RotateIntermCerts() error {
return nil
}

// GetRootCACert returns the root certificate of the CA in PEM format.
func (c *CA) GetRootCACert() []byte {
// GetCoordinatorRootCert returns the root certificate of the CA in PEM format.
func (c *CA) GetCoordinatorRootCert() []byte {
return c.rootPEM
}

Expand All @@ -152,8 +152,8 @@ func (c *CA) GetIntermCert() []byte {
return c.intermPEM
}

// GetMeshCACert returns the mesh root certificate of the CA in PEM format.
func (c *CA) GetMeshCACert() []byte {
// GetMeshRootCert returns the mesh root certificate of the CA in PEM format.
func (c *CA) GetMeshRootCert() []byte {
return c.meshCAPEM
}

Expand Down
4 changes: 2 additions & 2 deletions internal/ca/ca_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -180,11 +180,11 @@ func TestCAConcurrent(t *testing.T) {
}
getMeshCACert := func() {
defer wg.Done()
assert.NotEmpty(ca.GetMeshCACert())
assert.NotEmpty(ca.GetMeshRootCert())
}
getRootCACert := func() {
defer wg.Done()
assert.NotEmpty(ca.GetRootCACert())
assert.NotEmpty(ca.GetCoordinatorRootCert())
}
rotateIntermCerts := func() {
defer wg.Done()
Expand Down
86 changes: 44 additions & 42 deletions internal/userapi/userapi.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 4 additions & 4 deletions internal/userapi/userapi.proto
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,9 @@ message SetManifestRequest {

message SetManifestResponse {
// PEM-encoded certificate
bytes CACert = 1;
bytes CoordinatorRoot = 1;
// PEM-encoded certificate
bytes IntermCert = 2;
bytes MeshRoot = 2;
}

message GetManifestsRequest {}
Expand All @@ -27,7 +27,7 @@ message GetManifestsResponse {
repeated bytes Manifests = 1;
repeated bytes Policies = 2;
// PEM-encoded certificate
bytes CACert = 3;
bytes CoordinatorRoot = 3;
// PEM-encoded certificate
bytes IntermCert = 4;
bytes MeshRoot = 4;
}

0 comments on commit 96fd136

Please sign in to comment.