Allow Multiple Issuers in PKI Secret Engine Mounts - PKI Pod

builtin/logical/pki/backend.go

@@ -5,8 +5,11 @@ import (
 	"fmt"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"
 
+	"github.com/hashicorp/vault/sdk/helper/consts"
+
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/namespace"
@@ -22,22 +25,27 @@ const (
 
 /*
  * PKI requests are a bit special to keep up with the various failure and load issues.
- * The main ca and intermediate requests are always forwarded to the Primary cluster's active
- * node to write and send the key material/config globally across all clusters.
  *
- * CRL/Revocation and Issued certificate apis are handled by the active node within the cluster
- * they originate. Which means if a request comes into a performance secondary cluster the writes
+ * Any requests to write/delete shared data (such as roles, issuers, keys, and configuration)
+ * are always forwarded to the Primary cluster's active node to write and send the key
+ * material/config globally across all clusters. Reads should be handled locally, to give a
+ * sense of where this cluster's replication state is at.
+ *
+ * CRL/Revocation and Fetch Certificate APIs are handled by the active node within the cluster
+ * they originate. This means, if a request comes into a performance secondary cluster, the writes
  * will be forwarded to that cluster's active node and not go all the way up to the performance primary's
  * active node.
  *
- * If a certificate issue request has a role in which no_store is set to true that node itself
- * will issue the certificate and not forward the request to the active node.
+ * If a certificate issue request has a role in which no_store is set to true, that node itself
+ * will issue the certificate and not forward the request to the active node, as this does not
+ * need to write to storage.
  *
- * Following the same pattern if a managed key is involved to sign an issued certificate request
+ * Following the same pattern, if a managed key is involved to sign an issued certificate request
  * and the local node does not have access for some reason to it, the request will be forwarded to
  * the active node within the cluster only.
  *
  * To make sense of what goes where the following bits need to be analyzed within the codebase.
+ *
  * 1. The backend LocalStorage paths determine what storage paths will remain within a
  *    cluster and not be forwarded to a performance primary
  * 2. Within each path's OperationHandler definition, check to see if ForwardPerformanceStandby &
@@ -69,11 +77,19 @@ func Backend(conf *logical.BackendConfig) *backend {
 				"ca",
 				"crl/pem",
 				"crl",
+				"issuer/+/crl/der",
+				"issuer/+/crl/pem",
+				"issuer/+/crl",
+				"issuer/+/pem",
+				"issuer/+/der",
+				"issuer/+/json",
+				"issuers",
 			},
 
 			LocalStorage: []string{
 				"revoked/",
-				"crl",
+				legacyCRLPath,
+				"crls/",
 				"certs/",
 			},
 
@@ -83,7 +99,8 @@ func Backend(conf *logical.BackendConfig) *backend {
 			},
 
 			SealWrapStorage: []string{
-				"config/ca_bundle",
+				legacyCertBundlePath,
+				keyPrefix,
 			},
 		},
 
@@ -103,43 +120,83 @@ func Backend(conf *logical.BackendConfig) *backend {
 			pathSign(&b),
 			pathIssue(&b),
 			pathRotateCRL(&b),
+			pathRevoke(&b),
+			pathTidy(&b),
+			pathTidyStatus(&b),
+
+			// Issuer APIs
+			pathListIssuers(&b),
+			pathGetIssuer(&b),
+			pathGetIssuerCRL(&b),
+			pathImportIssuer(&b),
+			pathIssuerIssue(&b),
+			pathIssuerSign(&b),
+			pathIssuerSignIntermediate(&b),
+			pathIssuerSignSelfIssued(&b),
+			pathIssuerSignVerbatim(&b),
+			pathIssuerGenerateRoot(&b),
+			pathRotateRoot(&b),
+			pathIssuerGenerateIntermediate(&b),
+			pathCrossSignIntermediate(&b),
+			pathConfigIssuers(&b),
+			pathReplaceRoot(&b),
+
+			// Key APIs
+			pathListKeys(&b),
+			pathKey(&b),
+			pathGenerateKey(&b),
+			pathImportKey(&b),
+			pathConfigKeys(&b),
+
+			// Fetch APIs have been lowered to favor the newer issuer API endpoints
 			pathFetchCA(&b),
 			pathFetchCAChain(&b),
 			pathFetchCRL(&b),
 			pathFetchCRLViaCertPath(&b),
 			pathFetchValidRaw(&b),
 			pathFetchValid(&b),
 			pathFetchListCerts(&b),
-			pathRevoke(&b),
-			pathTidy(&b),
-			pathTidyStatus(&b),
 		},
 
 		Secrets: []*framework.Secret{
 			secretCerts(&b),
 		},
 
-		BackendType: logical.TypeLogical,
+		BackendType:    logical.TypeLogical,
+		InitializeFunc: b.initialize,
+		Invalidate:     b.invalidate,
+		PeriodicFunc:   b.periodicFunc,
 	}
 
 	b.crlLifetime = time.Hour * 72
 	b.tidyCASGuard = new(uint32)
 	b.tidyStatus = &tidyStatus{state: tidyStatusInactive}
 	b.storage = conf.StorageView
+	b.backendUuid = conf.BackendUUID
 
+	b.pkiStorageVersion.Store(0)
+
+	b.crlBuilder = &crlBuilder{}
 	return &b
 }
 
 type backend struct {
 	*framework.Backend
 
+	backendUuid       string
 	storage           logical.Storage
 	crlLifetime       time.Duration
 	revokeStorageLock sync.RWMutex
 	tidyCASGuard      *uint32
 
 	tidyStatusLock sync.RWMutex
 	tidyStatus     *tidyStatus
+
+	pkiStorageVersion atomic.Value
+	crlBuilder        *crlBuilder
+
+	// Write lock around issuers and keys.
+	issuersLock sync.RWMutex
 }
 
 type (
@@ -233,3 +290,72 @@ func (b *backend) metricsWrap(callType string, roleMode int, ofunc roleOperation
 		return resp, err
 	}
 }
+
+// initialize is used to perform a possible PKI storage migration if needed
+func (b *backend) initialize(ctx context.Context, _ *logical.InitializationRequest) error {
+	// Load up our current pki storage state, no matter the host type we are on.
+	b.updatePkiStorageVersion(ctx)
+
+	// Early exit if not a primary cluster or performance secondary with a local mount.
+	if b.System().ReplicationState().HasState(consts.ReplicationDRSecondary|consts.ReplicationPerformanceStandby) ||
+		(!b.System().LocalMount() && b.System().ReplicationState().HasState(consts.ReplicationPerformanceSecondary)) {
+		b.Logger().Debug("skipping PKI migration as we are not on primary or secondary with a local mount")
+		return nil
+	}
+
+	b.issuersLock.Lock()
+	defer b.issuersLock.Unlock()
+
+	if err := migrateStorage(ctx, b, b.storage); err != nil {
+		b.Logger().Error("Error during migration of PKI mount: " + err.Error())
+		return err
+	}
+
+	b.updatePkiStorageVersion(ctx)
+
+	return nil
+}
+
+func (b *backend) useLegacyBundleCaStorage() bool {
+	version := b.pkiStorageVersion.Load()
+	return version == nil || version == 0
+}
+
+func (b *backend) updatePkiStorageVersion(ctx context.Context) {
+	info, err := getMigrationInfo(ctx, b.storage)
+	if err != nil {
+		b.Logger().Error(fmt.Sprintf("Failed loading PKI migration status, staying in legacy mode: %v", err))
+		return
+	}
+
+	if info.isRequired {
+		b.Logger().Info("PKI migration is required, reading cert bundle from legacy ca location")
+		b.pkiStorageVersion.Store(0)
+	} else {
+		b.Logger().Debug("PKI migration completed, reading cert bundle from key/issuer storage")
+		b.pkiStorageVersion.Store(1)
+	}
+}
+
+func (b *backend) invalidate(ctx context.Context, key string) {
+	switch {
+	case strings.HasPrefix(key, legacyMigrationBundleLogKey):
+		// This is for a secondary cluster to pick up that the migration has completed
+		// and reset its compatibility mode and rebuild the CRL locally.
+		b.updatePkiStorageVersion(ctx)
+		b.crlBuilder.requestRebuildIfActiveNode(b)
+	case strings.HasPrefix(key, issuerPrefix):
+		// If an issuer has changed on the primary, we need to schedule an update of our CRL,
+		// the primary cluster would have done it already, but the CRL is cluster specific so
+		// force a rebuild of ours.
+		if !b.useLegacyBundleCaStorage() {
+			b.crlBuilder.requestRebuildIfActiveNode(b)
+		} else {
+			b.Logger().Debug("Ignoring invalidation updates for issuer as the PKI migration has yet to complete.")
+		}
+	}
+}
+
+func (b *backend) periodicFunc(ctx context.Context, request *logical.Request) error {
+	return b.crlBuilder.rebuildIfForced(ctx, b, request)
+}