(PE-36952) ensure infra-serial is up to date #2781
Conversation
This updates the code that initializes and updates the infra-serial file to ensure that the content contains all possible valid matches for a given certname. Expired certs are removed as well. Some extra checks were added to prevent trying to read files when they don't exist.
| @@ -523,8 +523,6 @@ | |||
| {} | |||
| auth-exts))) | |||
|
|
|||
| (defn seq-contains? [coll target] (some #(= target %) coll)) | |||
There was a problem hiding this comment.
This wasn't used, so I removed it.
| @@ -658,15 +656,64 @@ | |||
| ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; | |||
| ;;; Inventory File | |||
|
|
|||
| (def inventory-date-formatter | |||
There was a problem hiding this comment.
Making the formatter once and reusing it saves some time and memory churn.
| (def buffer-copy-size (* 64 1024)) | ||
|
|
||
| (schema/defn read-infra-nodes |
There was a problem hiding this comment.
This was moved up from below.
| (.write writer (str infra-serial)) | ||
| (.newLine writer)))) | ||
|
|
||
| (schema/defn generate-infra-serials! |
There was a problem hiding this comment.
Renamed this by adding the ! suffix to indicate that it makes changes.
There was a problem hiding this comment.
Just a sanity check here:
When a cert is renewed the new serial will be appended to the infra-serials file, but when the CA restarts, reloads, or the infra node certname file is updated the whole infra-serials file will be rewritten with the latest serial for each infra node. That's the intended behavior?
There was a problem hiding this comment.
In the startup case, with these changes to generate-infra-serials! we are now looking in the inventory as well for matching serial numbers and adding them. So at startup there should be technically no work to do, unless someone manually changed the files. The idea is that the infra-serial should always be more correct now
There was a problem hiding this comment.
So to answer your question, the intent is that we append the infra-serial on demand when a new one is generated, and when we restart, we update the state based on the current state on the filesystem, including all known valid serial numbers for the infra-nodes, not just the most recent one. This helps at revocation time to ensure the infra-crl is updated with all possible certs for the host being revoked.
| @@ -73,7 +73,7 @@ | |||
| :serial (str cadir "/serial") | |||
| :ruby-load-path jruby-testutils/ruby-load-path | |||
| :gem-path jruby-testutils/gem-path | |||
| :infra-nodes-path (str cadir "/ca/infra_inventory.txt") | |||
| :infra-nodes-path (str cadir "/infra_inventory.txt") | |||
There was a problem hiding this comment.
This was a typo.
| (.clear copy-buffer) | ||
| (recur (.read reader copy-buffer))))) | ||
| ;; theoretically read can return 0, which means try again | ||
| (when (<= 0 read-length) |
There was a problem hiding this comment.
This was incorrectly handling the 0 result case.
| (.write writer (str infra-serial)) | ||
| (.newLine writer)))) | ||
|
|
||
| (schema/defn generate-infra-serials! |
There was a problem hiding this comment.
Just a sanity check here:
When a cert is renewed the new serial will be appended to the infra-serials file, but when the CA restarts, reloads, or the infra node certname file is updated the whole infra-serials file will be rewritten with the latest serial for each infra node. That's the intended behavior?
This adds a new behavior such that when a renewal or signing is done and the host in question is in the infrastructure list, the serial number for that signed cert is immediately written to the infra-serial file. This has the benefit of ensuring that all certs will be correctly revoked in the infra-crl when it is updated on revocation.
jonathannewman
force-pushed
the
PE-36952/main/infra-inventory-updates
branch
from
82305eb
to
83bc33b
Compare
|
Updated to address the two issues mentioned. |
Please see individual commit comments.