Skip to content

improve ca cmp#10351

Merged
zmb3 merged 2 commits intomasterfrom
fspmarshall/ca-cmp
Mar 23, 2022
Merged

improve ca cmp#10351
zmb3 merged 2 commits intomasterfrom
fspmarshall/ca-cmp

Conversation

@fspmarshall
Copy link
Copy Markdown
Contributor

@fspmarshall fspmarshall commented Feb 14, 2022

The CompareAndSwapCertAuthorities method currently relies upon deterministic serialization to function correctly. Until #10070 it was possible that serialization wouldn't actually be deterministic. After that PR was merged, @espadolini discovered another potential failure case. If a new field is added to the ca resource and the auth server must be downgraded for some reason, the comparison fails due to the new field being omitted.

This PR changes CompareAndSwapCertAuthorities to instead load the value that actually exists at the target key, perform comparison using deserialized values (avoiding downgrade issues), and pass the original backend.Item back to Backend.CompareAndSwap (further mitigating the risk of non-deterministic serialization).

@github-actions github-actions Bot requested review from lxea and zmb3 February 14, 2022 22:36
espadolini
espadolini approved these changes Feb 15, 2022
View reviewed changes
Comment thread lib/services/local/trust.go Outdated
Comment thread lib/services/local/trust.go Outdated
Copy link
Copy Markdown
Contributor

@espadolini espadolini Feb 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realize that it's the exact same message as before, but this is only accurate if the rotation was indeed the only thing different between actual and expected. Would it be too much of a layer violation if we checked for that here?

Copy link
Copy Markdown
Contributor Author

@fspmarshall fspmarshall Feb 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure I follow. Are you suggesting we return a different error message based on which elements of the CAs differ?

Copy link
Copy Markdown
Contributor Author

@fspmarshall fspmarshall Feb 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

E.g. check rotation state and return something like "rotation state concurrently updated"?

Copy link
Copy Markdown
Contributor

@espadolini espadolini Feb 15, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, and maybe leave the "try again" as that message is displayed verbatim by tctl on a manual auth - whereas if something bad has happened and we are never actually going to recover by waiting, there's no point in telling the user to try again.

Copy link
Copy Markdown
Contributor

@espadolini espadolini Feb 15, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Admittedly the fix could be to actually catch and replace the error on one of the layers between this and the user instead

@espadolini espadolini removed the request for review from lxea February 15, 2022 09:37
@russjones russjones requested review from r0mant and removed request for zmb3 February 17, 2022 01:39
@russjones
Copy link
Copy Markdown
Contributor

russjones commented Mar 3, 2022

@fspmarshall Looks like this is approved, can we merge?

@zmb3 zmb3 enabled auto-merge (squash) March 23, 2022 22:44
@zmb3 zmb3 merged commit 5bd9434 into master Mar 23, 2022
@zmb3 zmb3 deleted the fspmarshall/ca-cmp branch March 23, 2022 23:08
espadolini pushed a commit that referenced this pull request Apr 15, 2022
@fspmarshall @espadolini
improve ca cmp (#10351)
7f3bedf
@espadolini espadolini mentioned this pull request Apr 20, 2022
Merged
espadolini pushed a commit that referenced this pull request Apr 20, 2022
@fspmarshall @espadolini
improve ca cmp (#10351)
900a92d
espadolini pushed a commit that referenced this pull request Apr 20, 2022
@fspmarshall @espadolini
improve ca cmp (#10351)
c13b7a3
espadolini pushed a commit that referenced this pull request Apr 20, 2022
@fspmarshall @espadolini
improve ca cmp (#10351)
09892ef
This was referenced Apr 20, 2022
Merged
Merged
espadolini added a commit that referenced this pull request Apr 20, 2022
@espadolini @fspmarshall
[v7] backport #12057 (panic in CertAuthority.Clone) (#12108)
0342a0c 
* improve ca cmp (#10351)

* Fix panic in `CertAuthority.Clone` because of non-UTC times. (#12057)

Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
espadolini added a commit that referenced this pull request Apr 20, 2022
@espadolini @fspmarshall
[v8] backport #12057 (panic in CertAuthority.Clone) (#12107)
6538551 
* improve ca cmp (#10351)

* Fix panic in `CertAuthority.Clone` because of non-UTC times. (#12057)

Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
espadolini added a commit that referenced this pull request Apr 20, 2022
@espadolini @fspmarshall
[v9] backport #12057 (panic in CertAuthority.Clone) (#12004)
ac1bea3 
* improve ca cmp (#10351)

* Fix panic in `CertAuthority.Clone` because of non-UTC times. (#12057)

Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>
@espadolini espadolini mentioned this pull request Feb 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@espadolini espadolini espadolini approved these changes

@r0mant r0mant r0mant approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@fspmarshall @russjones @r0mant @espadolini @zmb3