fixes orphaned ottca enrollments

- deletes ottca enrollment when CA is deleted
- adds API tests
- adds migration to remove currently orphaned ottca enrollments
- migration tested on a v15 database with orphaned ottca enrollments

controller/internal/routes/identity_api_model.go

@@ -233,6 +233,7 @@ func MapIdentityToRestModel(ae *env.AppEnv, identity *model.Identity) (*rest_mod
 		if entity.Method == persistence.MethodEnrollUpdb {
 
 			ret.Enrollment.Updb = &rest_model.IdentityEnrollmentsUpdb{
+				ID:        entity.Id,
 				Jwt:       entity.Jwt,
 				Token:     entity.Token,
 				ExpiresAt: expiresAt,
@@ -241,25 +242,25 @@ func MapIdentityToRestModel(ae *env.AppEnv, identity *model.Identity) (*rest_mod
 
 		if entity.Method == persistence.MethodEnrollOtt {
 			ret.Enrollment.Ott = &rest_model.IdentityEnrollmentsOtt{
+				ID:        entity.Id,
 				Jwt:       entity.Jwt,
 				Token:     entity.Token,
 				ExpiresAt: expiresAt,
 			}
 		}
 
 		if entity.Method == persistence.MethodEnrollOttCa {
-			ca, err := ae.Handlers.Ca.Read(*entity.CaId)
-
-			if err != nil {
-				return err
-			}
-
-			ret.Enrollment.Ottca = &rest_model.IdentityEnrollmentsOttca{
-				Ca:        ToEntityRef(ca.Name, ca, CaLinkFactory),
-				CaID:      ca.Id,
-				Jwt:       entity.Jwt,
-				Token:     entity.Token,
-				ExpiresAt: expiresAt,
+			if ca, err := ae.Handlers.Ca.Read(*entity.CaId); err == nil {
+				ret.Enrollment.Ottca = &rest_model.IdentityEnrollmentsOttca{
+					ID:        entity.Id,
+					Ca:        ToEntityRef(ca.Name, ca, CaLinkFactory),
+					CaID:      ca.Id,
+					Jwt:       entity.Jwt,
+					Token:     entity.Token,
+					ExpiresAt: expiresAt,
+				}
+			} else {
+				pfxlog.Logger().Errorf("could not read CA [%s] to render ottca enrollment for identity [%s]: %v", entity.CaId, identity.Id)
 			}
 		}
 

controller/persistence/ca_store.go

@@ -32,6 +32,7 @@ const (
 	FieldCaIsOttCaEnrollmentEnabled  = "isOttCaEnrollmentEnabled"
 	FieldCaIsAuthEnabled             = "isAuthEnabled"
 	FieldCaIdentityNameFormat        = "identityNameFormat"
+	FieldCaEnrollments               = "enrollments"
 )
 
 type Ca struct {
@@ -102,7 +103,8 @@ func newCaStore(stores *stores) *caStoreImpl {
 
 type caStoreImpl struct {
 	*baseStore
-	indexName boltz.ReadIndex
+	indexName         boltz.ReadIndex
+	symbolEnrollments boltz.EntitySetSymbol
 }
 
 func (store *caStoreImpl) NewStoreEntity() boltz.Entity {
@@ -119,6 +121,8 @@ func (store *caStoreImpl) initializeLocal() {
 	store.AddSymbol(FieldCaIsOttCaEnrollmentEnabled, ast.NodeTypeBool)
 	store.AddSymbol(FieldCaIsAuthEnabled, ast.NodeTypeBool)
 	store.AddSetSymbol(FieldIdentityRoles, ast.NodeTypeString)
+	store.symbolEnrollments = store.AddFkSetSymbol(FieldCaEnrollments, store.stores.enrollment)
+
 }
 
 func (store *caStoreImpl) initializeLinked() {
@@ -149,7 +153,12 @@ func (store *caStoreImpl) LoadOneByQuery(tx *bbolt.Tx, query string) (*Ca, error
 }
 
 func (store *caStoreImpl) DeleteById(ctx boltz.MutateContext, id string) error {
-	// TODO: Delete enrollment certs
+	for _, enrollmentId := range store.GetRelatedEntitiesIdList(ctx.Tx(), id, FieldCaEnrollments) {
+		if err := store.stores.enrollment.DeleteById(ctx, enrollmentId); err != nil {
+			return err
+		}
+	}
+
 	return store.baseStore.DeleteById(ctx, id)
 }
 

controller/persistence/enrollment_store.go

@@ -115,6 +115,7 @@ type enrollmentStoreImpl struct {
 	symbolIdentity      boltz.EntitySymbol
 	symbolEdgeRouter    boltz.EntitySymbol
 	symbolTransitRouter boltz.EntitySymbol
+	symbolCa            boltz.EntitySymbol
 }
 
 func (store *enrollmentStoreImpl) NewStoreEntity() boltz.Entity {
@@ -129,12 +130,14 @@ func (store *enrollmentStoreImpl) initializeLocal() {
 	store.symbolIdentity = store.AddFkSymbol(FieldEnrollIdentity, store.stores.identity)
 	store.symbolEdgeRouter = store.AddFkSymbol(FieldEnrollEdgeRouter, store.stores.edgeRouter)
 	store.symbolTransitRouter = store.AddFkSymbol(FieldEnrollTransitRouter, store.stores.transitRouter)
+	store.symbolCa = store.AddFkSymbol(FieldEnrollmentCaId, store.stores.ca)
 }
 
 func (store *enrollmentStoreImpl) initializeLinked() {
 	store.AddNullableFkIndex(store.symbolIdentity, store.stores.identity.symbolEnrollments)
 	store.AddNullableFkIndex(store.symbolEdgeRouter, store.stores.edgeRouter.symbolEnrollments)
 	store.AddNullableFkIndex(store.symbolTransitRouter, store.stores.transitRouter.symbolEnrollments)
+	store.AddNullableFkIndex(store.symbolCa, store.stores.ca.symbolEnrollments)
 }
 
 func (store *enrollmentStoreImpl) LoadOneById(tx *bbolt.Tx, id string) (*Enrollment, error) {

controller/persistence/migration_v16.go

@@ -0,0 +1,55 @@
+package persistence
+
+import (
+	"fmt"
+	"github.com/michaelquigley/pfxlog"
+	"github.com/openziti/foundation/storage/ast"
+	"github.com/openziti/foundation/storage/boltz"
+)
+
+func (m *Migrations) removeOrphanedOttCaEnrollments(step *boltz.MigrationStep) {
+
+	var enrollmentsToDelete []string
+
+	filter, err := ast.Parse(m.stores.Enrollment, "true")
+
+	if err != nil {
+		step.SetError(fmt.Errorf("could not parse query for removing orphaned ottca enrollments: %v", err))
+		return
+	}
+
+	for cursor := m.stores.Enrollment.IterateIds(step.Ctx.Tx(), filter); cursor.IsValid(); cursor.Next() {
+		current := cursor.Current()
+		currentEnrollmentId := string(current)
+
+		enrollment, err := m.stores.Enrollment.LoadOneById(step.Ctx.Tx(), currentEnrollmentId)
+
+		if err != nil {
+			step.SetError(fmt.Errorf("error interating ids of enrollments, enrollment [%s]: %v", currentEnrollmentId, err))
+			return
+		}
+
+		if enrollment.CaId != nil && *enrollment.CaId != "" {
+			_, err := m.stores.Ca.LoadOneById(step.Ctx.Tx(), *enrollment.CaId)
+
+			if err != nil && boltz.IsErrNotFoundErr(err) {
+				enrollmentsToDelete = append(enrollmentsToDelete, currentEnrollmentId)
+			}
+		}
+	}
+
+	//clear caIds that are invalid via CheckIntegrity
+	m.stores.Enrollment.CheckIntegrity(step.Ctx.Tx(), true, func(err error, fixed bool) {
+		if !fixed {
+			pfxlog.Logger().Errorf("unfixable error during orphaned ottca enrollment integrity check: %v", err)
+		}
+	})
+
+	for _, enrollmentId := range enrollmentsToDelete {
+		pfxlog.Logger().Infof("removing invalid ottca enrollment [%s]", enrollmentId)
+		if err := m.stores.Enrollment.DeleteById(step.Ctx, enrollmentId); err != nil {
+
+			step.SetError(fmt.Errorf("could not delete enrollment [%s] with invalid CA reference: %v", enrollmentId, err))
+		}
+	}
+}

controller/persistence/migrations.go

@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	CurrentDbVersion = 15
+	CurrentDbVersion = 16
 	FieldVersion     = "version"
 )
 
@@ -120,6 +120,10 @@ func (m *Migrations) migrate(step *boltz.MigrationStep) int {
 		step.SetError(m.stores.ConfigType.Update(step.Ctx, serverConfigTypeV1, nil))
 	}
 
+	if step.CurrentVersion < 16 {
+		m.removeOrphanedOttCaEnrollments(step)
+	}
+
 	// current version
 	if step.CurrentVersion <= CurrentDbVersion {
 		return CurrentDbVersion

specs/swagger.yml

@@ -4612,6 +4612,8 @@ definitions:
       updb:
         type: object
         properties:
+          id:
+            type: string
           token:
             type: string
           jwt:
@@ -4622,6 +4624,8 @@ definitions:
       ott:
         type: object
         properties:
+          id:
+            type: string
           token:
             type: string
           jwt:
@@ -4632,6 +4636,8 @@ definitions:
       ottca:
         type: object
         properties:
+          id:
+            type: string
           token:
             type: string
           jwt:

tests/authenticate.go

@@ -499,6 +499,13 @@ func (request *authenticatedRequests) RequireNewIdentityWithOtt(isAdmin bool, ro
 	return identity
 }
 
+func (request *authenticatedRequests) RequireNewIdentityWithCaOtt(isAdmin bool, caId string, roleAttributes ...string) *identity {
+	identity := newTestIdentity(isAdmin, roleAttributes...)
+	identity.enrollment = map[string]interface{}{"ottca": caId}
+	request.requireCreateEntity(identity)
+	return identity
+}
+
 func (request *authenticatedRequests) requireCreateEntity(entity entity) string {
 	resp := request.createEntity(entity)
 	standardJsonResponseTests(resp, http.StatusCreated, request.testContext.testing)