PKI migration writes out empty migration log entry

builtin/logical/pki/storage_migrations.go

@@ -16,6 +16,12 @@ import (
 // and we need to perform it again...
 const latestMigrationVersion = 1
 
+type legacyBundleMigration struct {
+	Hash             string    `json:"hash" structs:"hash" mapstructure:"hash"`
+	Created          time.Time `json:"created" structs:"created" mapstructure:"created"`
+	MigrationVersion int       `json:"migrationVersion" structs:"migrationVersion" mapstructure:"migrationVersion"`
+}
+
 func migrateStorage(ctx context.Context, req *logical.InitializationRequest, logger log.Logger) error {
 	s := req.Storage
 	legacyBundle, err := getLegacyCertBundle(ctx, s)
@@ -40,27 +46,27 @@ func migrateStorage(ctx context.Context, req *logical.InitializationRequest, log
 
 	if migrationEntry != nil {
 		// At this point we have already migrated something previously.
-		if migrationEntry.hash == hash &&
-			migrationEntry.migrationVersion == latestMigrationVersion {
+		if migrationEntry.Hash == hash &&
+			migrationEntry.MigrationVersion == latestMigrationVersion {
 			// The hashes are the same, no need to try and re-import...
 			logger.Debug("existing migration hash found and matched legacy bundle, skipping migration.")
 			return nil
 		}
 	}
 
-	logger.Warn("performing PKI migration to new keys/issuers layout")
+	logger.Info("performing PKI migration to new keys/issuers layout")
 
 	anIssuer, aKey, err := writeCaBundle(ctx, s, legacyBundle, "current", "current")
 	if err != nil {
 		return err
 	}
-	logger.Info("Migration generated the following ids and set them as defaults",
+	logger.Debug("Migration generated the following ids and set them as defaults",
 		"issuer id", anIssuer.ID, "key id", aKey.ID)
 
 	err = setLegacyBundleMigrationLog(ctx, s, &legacyBundleMigration{
-		hash:             hash,
-		created:          time.Now(),
-		migrationVersion: latestMigrationVersion,
+		Hash:             hash,
+		Created:          time.Now(),
+		MigrationVersion: latestMigrationVersion,
 	})
 	if err != nil {
 		return err
@@ -84,12 +90,6 @@ func computeHashOfLegacyBundle(bundle *certutil.CertBundle) (string, error) {
 	return hex.EncodeToString(hasher.Sum(nil)), nil
 }
 
-type legacyBundleMigration struct {
-	hash             string
-	created          time.Time
-	migrationVersion int
-}
-
 func getLegacyBundleMigrationLog(ctx context.Context, s logical.Storage) (*legacyBundleMigration, error) {
 	entry, err := s.Get(ctx, legacyMigrationBundleLogKey)
 	if err != nil {

builtin/logical/pki/storage_migrations_test.go

@@ -2,7 +2,9 @@ package pki
 
 import (
 	"context"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/stretchr/testify/require"
@@ -30,6 +32,7 @@ func Test_migrateStorageEmptyStorage(t *testing.T) {
 }
 
 func Test_migrateStorageSimpleBundle(t *testing.T) {
+	startTime := time.Now()
 	ctx := context.Background()
 	b, s := createBackendWithStorage(t)
 
@@ -55,6 +58,11 @@ func Test_migrateStorageSimpleBundle(t *testing.T) {
 	logEntry, err := getLegacyBundleMigrationLog(ctx, s)
 	require.NoError(t, err)
 	require.NotNil(t, logEntry)
+	require.Equal(t, latestMigrationVersion, logEntry.MigrationVersion)
+	require.True(t, len(strings.TrimSpace(logEntry.Hash)) > 0,
+		"Hash value (%s) should not have been empty", logEntry.Hash)
+	require.True(t, startTime.Before(logEntry.Created),
+		"created log entry time (%v) was before our start time(%v)?", logEntry.Created, startTime)
 
 	issuerId := issuerIds[0]
 	keyId := keyIds[0]
@@ -89,4 +97,14 @@ func Test_migrateStorageSimpleBundle(t *testing.T) {
 	issuersConfig, err := getIssuersConfig(ctx, s)
 	require.NoError(t, err)
 	require.Equal(t, &issuerConfig{DefaultIssuerId: issuerId}, issuersConfig)
+
+	// Make sure if we attempt to re-run the migration nothing happens...
+	err = migrateStorage(ctx, request, b.Logger())
+	require.NoError(t, err)
+	logEntry2, err := getLegacyBundleMigrationLog(ctx, s)
+	require.NoError(t, err)
+	require.NotNil(t, logEntry2)
+
+	require.Equal(t, logEntry.Created, logEntry2.Created)
+	require.Equal(t, logEntry.Hash, logEntry2.Hash)
 }