Merge 84b6f80 into backport/issue-17886-expose-certs/definitely-wise-…
…sturgeon
hc-github-team-consul-core authored Jul 4, 2023
2 parents 6efe3dc + 84b6f80 commit 4792d11
Showing 11 changed files with 109 additions and 109 deletions.
12 changes: 6 additions & 6 deletions agent/proxycfg/proxycfg.deepcopy.go
Expand Up @@ -64,12 +64,12 @@ func (o *ConfigSnapshot) DeepCopy() *ConfigSnapshot {
cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.CaCertificateProviderInstance = new(structs.JWKSTLSCertProviderInstance)
*cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.CaCertificateProviderInstance = *v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.CaCertificateProviderInstance
}
if v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa != nil {
cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa = new(structs.JWKSTLSCertTrustedCa)
*cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa = *v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa
if v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa.InlineBytes != nil {
cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa.InlineBytes = make([]byte, len(v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa.InlineBytes))
copy(cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa.InlineBytes, v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCa.InlineBytes)
if v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA != nil {
cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA = new(structs.JWKSTLSCertTrustedCA)
*cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA = *v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA
if v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA.InlineBytes != nil {
cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA.InlineBytes = make([]byte, len(v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA.InlineBytes))
copy(cp_JWTProviders_v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA.InlineBytes, v2.JSONWebKeySet.Remote.JWKSCluster.TLSCertificates.TrustedCA.InlineBytes)
}
}
}
58 changes: 29 additions & 29 deletions agent/structs/config_entry_jwt_provider.go
Expand Up @@ -16,11 +16,11 @@ import (
const (
DefaultClockSkewSeconds = 30

StrictDNS ClusterDiscoveryType = "STRICT_DNS"
Static ClusterDiscoveryType = "STATIC"
LogicalDNS ClusterDiscoveryType = "LOGICAL_DNS"
EDS ClusterDiscoveryType = "EDS"
OriginalDST ClusterDiscoveryType = "ORIGINAL_DST"
DiscoveryTypeStrictDNS ClusterDiscoveryType = "STRICT_DNS"
DiscoveryTypeStatic ClusterDiscoveryType = "STATIC"
DiscoveryTypeLogicalDNS ClusterDiscoveryType = "LOGICAL_DNS"
DiscoveryTypeEDS ClusterDiscoveryType = "EDS"
DiscoveryTypeOriginalDST ClusterDiscoveryType = "ORIGINAL_DST"
)

type JWTProviderConfigEntry struct {
Expand Down Expand Up @@ -252,7 +252,7 @@ type RemoteJWKS struct {
// There is no retry by default.
RetryPolicy *JWKSRetryPolicy `json:",omitempty" alias:"retry_policy"`

// JWKSCluster defines how the specified Remote JWKS "URI" is to be fetched.
// JWKSCluster defines how the specified Remote JWKS URI is to be fetched.
JWKSCluster *JWKSCluster `json:",omitempty" alias:"jwks_cluster"`
}

Expand Down Expand Up @@ -282,15 +282,15 @@ func (ks *RemoteJWKS) Validate() error {
type JWKSCluster struct {
// DiscoveryType refers to the service discovery type to use for resolving the cluster.
//
// This defaults to: STRICT_DNS
// other options include: STATIC, LOGICAL_DNS, EDS and ORIGINAL_DST
// This defaults to STRICT_DNS.
// Other options include STATIC, LOGICAL_DNS, EDS or ORIGINAL_DST.
DiscoveryType ClusterDiscoveryType `json:",omitempty" alias:"discovery_type"`

// TLSCertificates refers to the data containing certificate authority certificates to use
// in verifying a presented peer certificate
// in verifying a presented peer certificate.
// If not specified and a peer certificate is presented it will not be verified.
//
// must be one of: CaCertificateProviderInstance or TrustedCa
// Must be either CaCertificateProviderInstance or TrustedCA.
TLSCertificates *JWKSTLSCertificate `json:",omitempty" alias:"tls_certificates"`

// The timeout for new network connections to hosts in the cluster.
Expand All @@ -302,7 +302,7 @@ type ClusterDiscoveryType string

func (d ClusterDiscoveryType) Validate() error {
switch d {
case Static, StrictDNS, LogicalDNS, EDS, OriginalDST:
case DiscoveryTypeStatic, DiscoveryTypeStrictDNS, DiscoveryTypeLogicalDNS, DiscoveryTypeEDS, DiscoveryTypeOriginalDST:
return nil
default:
return fmt.Errorf("unsupported jwks cluster discovery type: %q", d)
Expand All @@ -324,68 +324,68 @@ func (c *JWKSCluster) Validate() error {
}

// JWKSTLSCertificate refers to the data containing certificate authority certificates to use
// in verifying a presented peer certificate
// in verifying a presented peer certificate.
// If not specified and a peer certificate is presented it will not be verified.
//
// must be one of: CaCertificateProviderInstance or TrustedCa
// Must be either CaCertificateProviderInstance or TrustedCA.
type JWKSTLSCertificate struct {
// CaCertificateProviderInstance Certificate provider instance for fetching TLS certificates.
CaCertificateProviderInstance *JWKSTLSCertProviderInstance `json:",omitempty" alias:"ca_certificate_provider_instance"`

// TrustedCa defines TLS certificate data containing certificate authority certificates
// to use in verifying a presented peer certificate
// TrustedCA defines TLS certificate data containing certificate authority certificates
// to use in verifying a presented peer certificate.
//
// Exactly one of Filename, EnvironmentVariable, InlineString or InlineBytes must be specified.
TrustedCa *JWKSTLSCertTrustedCa `json:",omitempty" alias:"trusted_ca"`
TrustedCA *JWKSTLSCertTrustedCA `json:",omitempty" alias:"trusted_ca"`
}

func (c *JWKSTLSCertificate) Validate() error {
hasProviderInstance := c.CaCertificateProviderInstance != nil
hasTrustedCa := c.TrustedCa != nil
hasTrustedCA := c.TrustedCA != nil

if countTrue(hasProviderInstance, hasTrustedCa) != 1 {
return fmt.Errorf("must specify exactly one of: CaCertificateProviderInstance or TrustedCa for JKWS' TLSCertificates")
if countTrue(hasProviderInstance, hasTrustedCA) != 1 {
return fmt.Errorf("must specify exactly one of: CaCertificateProviderInstance or TrustedCA for JKWS' TLSCertificates")
}

if c.TrustedCa != nil {
return c.TrustedCa.Validate()
if c.TrustedCA != nil {
return c.TrustedCA.Validate()
}
return nil
}

type JWKSTLSCertProviderInstance struct {
// InstanceName refers to the certicate provider instance name
// InstanceName refers to the certificate provider instance name
//
// defaults to "default".
// The default value is "default".
InstanceName string `json:",omitempty" alias:"instance_name"`

// CertificateName is used to specify certificate instances or types. For example, "ROOTCA" to specify
// a root-certificate (validation context) or "example.com" to specify a certificate for a
// particular domain.
//
// default to empty string
// The default value is the empty string.
CertificateName string `json:",omitempty" alias:"certificate_name"`
}

// JWKSTLSCertTrustedCa defines TLS certificate data containing certificate authority certificates
// to use in verifying a presented peer certificate
// JWKSTLSCertTrustedCA defines TLS certificate data containing certificate authority certificates
// to use in verifying a presented peer certificate.
//
// Exactly one of Filename, EnvironmentVariable, InlineString or InlineBytes must be specified.
type JWKSTLSCertTrustedCa struct {
type JWKSTLSCertTrustedCA struct {
Filename string `json:",omitempty" alias:"filename"`
EnvironmentVariable string `json:",omitempty" alias:"environment_variable"`
InlineString string `json:",omitempty" alias:"inline_string"`
InlineBytes []byte `json:",omitempty" alias:"inline_bytes"`
}

func (c *JWKSTLSCertTrustedCa) Validate() error {
func (c *JWKSTLSCertTrustedCA) Validate() error {
hasFilename := c.Filename != ""
hasEnv := c.EnvironmentVariable != ""
hasInlineBytes := len(c.InlineBytes) > 0
hasInlineString := c.InlineString != ""

if countTrue(hasFilename, hasEnv, hasInlineString, hasInlineBytes) != 1 {
return fmt.Errorf("must specify exactly one of: Filename, EnvironmentVariable, InlineString or InlineBytes for JWKS' TrustedCa")
return fmt.Errorf("must specify exactly one of: Filename, EnvironmentVariable, InlineString or InlineBytes for JWKS' TrustedCA")
}
return nil
}
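Review bot: Renaming the field to `TrustedCA` on the `JWKSTLSCertificate` struct also changes the key that encoding/json emits for it, because the tag `json:",omitempty"` names no key and the Go field name is used instead; Go decoders match keys case-insensitively, so Go-to-Go round trips keep working, but any consumer that compares the key exactly (a non-Go client, stored or golden JSON) now sees `TrustedCA` where it saw `TrustedCa`. The same applies to the api package's `TrustedCA` field in api/config_entry_jwt_provider.go further down this page. If the old key must stay stable, pin it in the tag by writing `json:"TrustedCa,omitempty"` in place of `json:",omitempty"` on both fields. Separately, the error string returned by `JWKSTLSCertificate.Validate` was retouched but still reads "JKWS' TLSCertificates"; correcting it to "JWKS'" would also need the expected message in agent/structs/config_entry_jwt_provider_test.go updated.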
12 changes: 6 additions & 6 deletions agent/structs/config_entry_jwt_provider_test.go
Expand Up @@ -250,14 +250,14 @@ func TestJWTProviderConfigEntry_ValidateAndNormalize(t *testing.T) {
URI: "https://example.com/.well-known/jwks.json",
JWKSCluster: &JWKSCluster{
TLSCertificates: &JWKSTLSCertificate{
TrustedCa: &JWKSTLSCertTrustedCa{},
TrustedCA: &JWKSTLSCertTrustedCA{},
CaCertificateProviderInstance: &JWKSTLSCertProviderInstance{},
},
},
},
},
},
validateErr: "must specify exactly one of: CaCertificateProviderInstance or TrustedCa for JKWS' TLSCertificates",
validateErr: "must specify exactly one of: CaCertificateProviderInstance or TrustedCA for JKWS' TLSCertificates",
},
"invalid jwt-provider - Remote JWKS cluster with multiple trustedCa options": {
entry: &JWTProviderConfigEntry{
Expand All @@ -269,7 +269,7 @@ func TestJWTProviderConfigEntry_ValidateAndNormalize(t *testing.T) {
URI: "https://example.com/.well-known/jwks.json",
JWKSCluster: &JWKSCluster{
TLSCertificates: &JWKSTLSCertificate{
TrustedCa: &JWKSTLSCertTrustedCa{
TrustedCA: &JWKSTLSCertTrustedCA{
Filename: "myfile.cert",
InlineString: "*****",
},
Expand All @@ -278,7 +278,7 @@ func TestJWTProviderConfigEntry_ValidateAndNormalize(t *testing.T) {
},
},
},
validateErr: "must specify exactly one of: Filename, EnvironmentVariable, InlineString or InlineBytes for JWKS' TrustedCa",
validateErr: "must specify exactly one of: Filename, EnvironmentVariable, InlineString or InlineBytes for JWKS' TrustedCA",
},
"invalid jwt-provider - JWT location with 2 fields": {
entry: &JWTProviderConfigEntry{
Expand Down Expand Up @@ -326,7 +326,7 @@ func TestJWTProviderConfigEntry_ValidateAndNormalize(t *testing.T) {
DiscoveryType: "STATIC",
ConnectTimeout: connectTimeout,
TLSCertificates: &JWKSTLSCertificate{
TrustedCa: &JWKSTLSCertTrustedCa{
TrustedCA: &JWKSTLSCertTrustedCA{
Filename: "myfile.cert",
},
},
Expand Down Expand Up @@ -367,7 +367,7 @@ func TestJWTProviderConfigEntry_ValidateAndNormalize(t *testing.T) {
DiscoveryType: "STATIC",
ConnectTimeout: connectTimeout,
TLSCertificates: &JWKSTLSCertificate{
TrustedCa: &JWKSTLSCertTrustedCa{
TrustedCA: &JWKSTLSCertTrustedCA{
Filename: "myfile.cert",
},
},
12 changes: 6 additions & 6 deletions agent/xds/clusters.go
Expand Up @@ -259,15 +259,15 @@ func makeJWKSDiscoveryClusterType(r *structs.RemoteJWKS) *envoy_cluster_v3.Clust
}

switch r.JWKSCluster.DiscoveryType {
case structs.Static:
case structs.DiscoveryTypeStatic:
ct.Type = envoy_cluster_v3.Cluster_STATIC
case structs.LogicalDNS:
case structs.DiscoveryTypeLogicalDNS:
ct.Type = envoy_cluster_v3.Cluster_LOGICAL_DNS
case structs.EDS:
case structs.DiscoveryTypeEDS:
ct.Type = envoy_cluster_v3.Cluster_EDS
case structs.OriginalDST:
case structs.DiscoveryTypeOriginalDST:
ct.Type = envoy_cluster_v3.Cluster_ORIGINAL_DST
case structs.StrictDNS:
case structs.DiscoveryTypeStrictDNS:
fallthrough // default case so uses the default option
default:
ct.Type = envoy_cluster_v3.Cluster_STRICT_DNS
Expand All @@ -281,7 +281,7 @@ func makeJWTCertValidationContext(p *structs.JWKSCluster) *envoy_tls_v3.Certific
return vc
}

if tc := p.TLSCertificates.TrustedCa; tc != nil {
if tc := p.TLSCertificates.TrustedCA; tc != nil {
vc.TrustedCa = &envoy_core_v3.DataSource{}
if tc.Filename != "" {
vc.TrustedCa.Specifier = &envoy_core_v3.DataSource_Filename{
4 changes: 2 additions & 2 deletions agent/xds/clusters_test.go
Expand Up @@ -1038,10 +1038,10 @@ func makeTestProviderWithJWKS(uri string) *structs.JWTProviderConfigEntry {
FetchAsynchronously: true,
URI: uri,
JWKSCluster: &structs.JWKSCluster{
DiscoveryType: structs.Static,
DiscoveryType: structs.DiscoveryTypeStatic,
ConnectTimeout: time.Duration(5) * time.Second,
TLSCertificates: &structs.JWKSTLSCertificate{
TrustedCa: &structs.JWKSTLSCertTrustedCa{
TrustedCA: &structs.JWKSTLSCertTrustedCA{
Filename: "mycert.crt",
},
},
42 changes: 21 additions & 21 deletions api/config_entry_jwt_provider.go
Expand Up @@ -8,11 +8,11 @@ import (
)

const (
StrictDNS ClusterDiscoveryType = "STRICT_DNS"
Static ClusterDiscoveryType = "STATIC"
LogicalDNS ClusterDiscoveryType = "LOGICAL_DNS"
EDS ClusterDiscoveryType = "EDS"
OriginalDST ClusterDiscoveryType = "ORIGINAL_DST"
DiscoveryTypeStrictDNS ClusterDiscoveryType = "STRICT_DNS"
DiscoveryTypeStatic ClusterDiscoveryType = "STATIC"
DiscoveryTypeLogicalDNS ClusterDiscoveryType = "LOGICAL_DNS"
DiscoveryTypeEDS ClusterDiscoveryType = "EDS"
DiscoveryTypeOriginalDST ClusterDiscoveryType = "ORIGINAL_DST"
)

type JWTProviderConfigEntry struct {
Expand Down Expand Up @@ -197,22 +197,22 @@ type RemoteJWKS struct {
// There is no retry by default.
RetryPolicy *JWKSRetryPolicy `json:",omitempty" alias:"retry_policy"`

// JWKSCluster defines how the specified Remote JWKS "URI" is to be fetched.
// JWKSCluster defines how the specified Remote JWKS URI is to be fetched.
JWKSCluster *JWKSCluster `json:",omitempty" alias:"jwks_cluster"`
}

type JWKSCluster struct {
// DiscoveryType refers to the service discovery type to use for resolving the cluster.
//
// This defaults to: STRICT_DNS
// other options include: STATIC, LOGICAL_DNS, EDS and ORIGINAL_DST
// This defaults to STRICT_DNS.
// Other options include STATIC, LOGICAL_DNS, EDS or ORIGINAL_DST.
DiscoveryType ClusterDiscoveryType `json:",omitempty" alias:"discovery_type"`

// TLSCertificates refers to the data containing certificate authority certificates to use
// in verifying a presented peer certificate
// in verifying a presented peer certificate.
// If not specified and a peer certificate is presented it will not be verified.
//
// must be one of: CaCertificateProviderInstance or TrustedCa
// Must be either CaCertificateProviderInstance or TrustedCA.
TLSCertificates *JWKSTLSCertificate `json:",omitempty" alias:"tls_certificates"`

// The timeout for new network connections to hosts in the cluster.
Expand All @@ -223,43 +223,43 @@ type JWKSCluster struct {
type ClusterDiscoveryType string

// JWKSTLSCertificate refers to the data containing certificate authority certificates to use
// in verifying a presented peer certificate
// in verifying a presented peer certificate.
// If not specified and a peer certificate is presented it will not be verified.
//
// must be one of: CaCertificateProviderInstance or TrustedCa
// Must be either CaCertificateProviderInstance or TrustedCA.
type JWKSTLSCertificate struct {
// CaCertificateProviderInstance Certificate provider instance for fetching TLS certificates.
CaCertificateProviderInstance *JWKSTLSCertProviderInstance `json:",omitempty" alias:"ca_certificate_provider_instance"`

// TrustedCa defines TLS certificate data containing certificate authority certificates
// to use in verifying a presented peer certificate
// TrustedCA defines TLS certificate data containing certificate authority certificates
// to use in verifying a presented peer certificate.
//
// Exactly one of Filename, EnvironmentVariable, InlineString or InlineBytes must be specified.
TrustedCa *JWKSTLSCertTrustedCa `json:",omitempty" alias:"trusted_ca"`
TrustedCA *JWKSTLSCertTrustedCA `json:",omitempty" alias:"trusted_ca"`
}

// JWKSTLSCertTrustedCa defines TLS certificate data containing certificate authority certificates
// to use in verifying a presented peer certificate
// JWKSTLSCertTrustedCA defines TLS certificate data containing certificate authority certificates
// to use in verifying a presented peer certificate.
//
// Exactly one of Filename, EnvironmentVariable, InlineString or InlineBytes must be specified.
type JWKSTLSCertTrustedCa struct {
type JWKSTLSCertTrustedCA struct {
Filename string `json:",omitempty" alias:"filename"`
EnvironmentVariable string `json:",omitempty" alias:"environment_variable"`
InlineString string `json:",omitempty" alias:"inline_string"`
InlineBytes []byte `json:",omitempty" alias:"inline_bytes"`
}

type JWKSTLSCertProviderInstance struct {
// InstanceName refers to the certicate provider instance name
// InstanceName refers to the certificate provider instance name
//
// defaults to "default".
// The default value is "default".
InstanceName string `json:",omitempty" alias:"instance_name"`

// CertificateName is used to specify certificate instances or types. For example, "ROOTCA" to specify
// a root-certificate (validation context) or "example.com" to specify a certificate for a
// particular domain.
//
// default to empty string
// The default value is the empty string.
CertificateName string `json:",omitempty" alias:"certificate_name"`
}

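Review bot: The exported constants `StrictDNS`, `Static`, `LogicalDNS`, `EDS` and `OriginalDST` in the api package's const block are renamed with no compatibility shim, and api is the public Go client module, so if these names have already shipped in a tagged release every importer that references them stops compiling. The `JWKSTLSCertTrustedCa` type can be kept the same way with a deprecated alias, `type JWKSTLSCertTrustedCa = JWKSTLSCertTrustedCA`; the struct field rename from `TrustedCa` to `TrustedCA` cannot be aliased and is the one to call out in the release notes. Keeping the old constant names as deprecated aliases of the new ones lets callers migrate without a break:
```go
const (
	DiscoveryTypeStrictDNS ClusterDiscoveryType = "STRICT_DNS"
	// … unchanged: remaining DiscoveryType* constants …

	// Deprecated: use DiscoveryTypeStrictDNS instead.
	StrictDNS = DiscoveryTypeStrictDNS
	// Deprecated: use DiscoveryTypeStatic instead.
	Static = DiscoveryTypeStatic
	// Deprecated: use DiscoveryTypeLogicalDNS instead.
	LogicalDNS = DiscoveryTypeLogicalDNS
	// Deprecated: use DiscoveryTypeEDS instead.
	EDS = DiscoveryTypeEDS
	// Deprecated: use DiscoveryTypeOriginalDST instead.
	OriginalDST = DiscoveryTypeOriginalDST
)
```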
2 changes: 1 addition & 1 deletion api/config_entry_jwt_provider_test.go
Expand Up @@ -30,7 +30,7 @@ func TestAPI_ConfigEntries_JWTProvider(t *testing.T) {
DiscoveryType: "STATIC",
ConnectTimeout: connectTimeout,
TLSCertificates: &JWKSTLSCertificate{
TrustedCa: &JWKSTLSCertTrustedCa{
TrustedCA: &JWKSTLSCertTrustedCA{
Filename: "myfile.cert",
},
},