Introduce support to save and load the CA journal from the datastore (#…

…4690) * Save and load the CA journal from datastore Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
spiffe · Jan 3, 2024 · 1c8dc49 · 1c8dc49
1 parent 54897d1
commit 1c8dc49
Show file tree

Hide file tree

Showing 20 changed files with 1,341 additions and 386 deletions.
diff --git a/pkg/common/telemetry/names.go b/pkg/common/telemetry/names.go
@@ -175,6 +175,12 @@ const (
 	// BySelectors tags selectors used when filtering
 	BySelectors = "by_selectors"
 
+	// CAJournal is a CA journal record
+	CAJournal = "ca_journal"
+
+	// CAJournalID tags a CA journal ID
+	CAJournalID = "ca_journal_id"
+
 	// CallerAddr labels an API caller address
 	CallerAddr = "caller_addr"
 

diff --git a/pkg/common/telemetry/server/datastore/ca_journal.go b/pkg/common/telemetry/server/datastore/ca_journal.go
@@ -0,0 +1,29 @@
+package datastore
+
+import (
+	"github.com/spiffe/spire/pkg/common/telemetry"
+)
+
+// StartSetCAJournal return metric for server's datastore, on setting a CA
+// journal.
+func StartSetCAJournal(m telemetry.Metrics) *telemetry.CallCounter {
+	return telemetry.StartCall(m, telemetry.Datastore, telemetry.CAJournal, telemetry.Set)
+}
+
+// StartFetchCAJournal return metric
+// for server's datastore, on fetching a CA journal.
+func StartFetchCAJournal(m telemetry.Metrics) *telemetry.CallCounter {
+	return telemetry.StartCall(m, telemetry.Datastore, telemetry.CAJournal, telemetry.Fetch)
+}
+
+// StartPruneCAJournalsCall return metric for server's datastore, on pruning CA
+// journals.
+func StartPruneCAJournalsCall(m telemetry.Metrics) *telemetry.CallCounter {
+	return telemetry.StartCall(m, telemetry.Datastore, telemetry.CAJournal, telemetry.Prune)
+}
+
+// StartListCAJournalsForTesting return metric
+// for server's datastore, on listing CA journals for testing.
+func StartListCAJournalsForTesting(m telemetry.Metrics) *telemetry.CallCounter {
+	return telemetry.StartCall(m, telemetry.Datastore, telemetry.CAJournal, telemetry.List)
+}
diff --git a/pkg/common/telemetry/server/datastore/wrapper.go b/pkg/common/telemetry/server/datastore/wrapper.go
@@ -293,3 +293,27 @@ func (w metricsWrapper) UpdateFederationRelationship(ctx context.Context, fr *da
 	defer callCounter.Done(&err)
 	return w.ds.UpdateFederationRelationship(ctx, fr, mask)
 }
+
+func (w metricsWrapper) SetCAJournal(ctx context.Context, caJournal *datastore.CAJournal) (_ *datastore.CAJournal, err error) {
+	callCounter := StartSetCAJournal(w.m)
+	defer callCounter.Done(&err)
+	return w.ds.SetCAJournal(ctx, caJournal)
+}
+
+func (w metricsWrapper) FetchCAJournal(ctx context.Context, activeX509AuthorityID string) (_ *datastore.CAJournal, err error) {
+	callCounter := StartFetchCAJournal(w.m)
+	defer callCounter.Done(&err)
+	return w.ds.FetchCAJournal(ctx, activeX509AuthorityID)
+}
+
+func (w metricsWrapper) ListCAJournalsForTesting(ctx context.Context) (_ []*datastore.CAJournal, err error) {
+	callCounter := StartListCAJournalsForTesting(w.m)
+	defer callCounter.Done(&err)
+	return w.ds.ListCAJournalsForTesting(ctx)
+}
+
+func (w metricsWrapper) PruneCAJournals(ctx context.Context, allCAsExpireBefore int64) (err error) {
+	callCounter := StartPruneCAJournalsCall(w.m)
+	defer callCounter.Done(&err)
+	return w.ds.PruneCAJournals(ctx, allCAsExpireBefore)
+}
diff --git a/pkg/common/telemetry/server/datastore/wrapper_test.go b/pkg/common/telemetry/server/datastore/wrapper_test.go
@@ -218,6 +218,22 @@ func TestWithMetrics(t *testing.T) {
 			key:        "datastore.registration_entry.update",
 			methodName: "UpdateRegistrationEntry",
 		},
+		{
+			key:        "datastore.ca_journal.set",
+			methodName: "SetCAJournal",
+		},
+		{
+			key:        "datastore.ca_journal.fetch",
+			methodName: "FetchCAJournal",
+		},
+		{
+			key:        "datastore.ca_journal.prune",
+			methodName: "PruneCAJournals",
+		},
+		{
+			key:        "datastore.ca_journal.list",
+			methodName: "ListCAJournalsForTesting",
+		},
 	} {
 		tt := tt
 		methodType, ok := wt.MethodByName(tt.methodName)
@@ -477,3 +493,19 @@ func (ds *fakeDataStore) UpdateRegistrationEntry(context.Context, *common.Regist
 func (ds *fakeDataStore) UpdateFederationRelationship(context.Context, *datastore.FederationRelationship, *types.FederationRelationshipMask) (*datastore.FederationRelationship, error) {
 	return &datastore.FederationRelationship{}, ds.err
 }
+
+func (ds *fakeDataStore) SetCAJournal(context.Context, *datastore.CAJournal) (*datastore.CAJournal, error) {
+	return &datastore.CAJournal{}, ds.err
+}
+
+func (ds *fakeDataStore) FetchCAJournal(context.Context, string) (*datastore.CAJournal, error) {
+	return &datastore.CAJournal{}, ds.err
+}
+
+func (ds *fakeDataStore) ListCAJournalsForTesting(context.Context) ([]*datastore.CAJournal, error) {
+	return []*datastore.CAJournal{}, ds.err
+}
+
+func (ds *fakeDataStore) PruneCAJournals(context.Context, int64) error {
+	return ds.err
+}
diff --git a/pkg/server/api/localauthority/v1/service.go b/pkg/server/api/localauthority/v1/service.go
@@ -25,13 +25,13 @@ type CAManager interface {
 	GetCurrentJWTKeySlot() manager.Slot
 	GetNextJWTKeySlot() manager.Slot
 	PrepareJWTKey(ctx context.Context) error
-	RotateJWTKey()
+	RotateJWTKey(ctx context.Context)
 
 	// X509
 	GetCurrentX509CASlot() manager.Slot
 	GetNextX509CASlot() manager.Slot
 	PrepareX509CA(ctx context.Context) error
-	RotateX509CA()
+	RotateX509CA(ctx context.Context)
 }
 
 // Config is the service configuration
@@ -140,7 +140,7 @@ func (s *Service) ActivateJWTAuthority(ctx context.Context, req *localauthorityv
 		return nil, api.MakeErr(log, codes.Internal, "only Prepared authorities can be activated", fmt.Errorf("unsupported local authority status: %v", nextSlot.Status()))
 	}
 
-	s.ca.RotateJWTKey()
+	s.ca.RotateJWTKey(ctx)
 
 	current := s.ca.GetCurrentJWTKeySlot()
 	state := &localauthorityv1.AuthorityState{
@@ -308,7 +308,7 @@ func (s *Service) ActivateX509Authority(ctx context.Context, req *localauthority
 	}
 
 	// Move next into current and reset next to clean CA
-	s.ca.RotateX509CA()
+	s.ca.RotateX509CA(ctx)
 
 	current := s.ca.GetCurrentX509CASlot()
 	state := &localauthorityv1.AuthorityState{

diff --git a/pkg/server/api/localauthority/v1/service_test.go b/pkg/server/api/localauthority/v1/service_test.go
@@ -1865,7 +1865,7 @@ func (m *fakeCAManager) PrepareJWTKey(context.Context) error {
 	return m.prepareJWTKeyErr
 }
 
-func (m *fakeCAManager) RotateJWTKey() {
+func (m *fakeCAManager) RotateJWTKey(context.Context) {
 	m.rotateJWTKeyCalled = true
 }
 
@@ -1881,7 +1881,7 @@ func (m *fakeCAManager) PrepareX509CA(context.Context) error {
 	return m.prepareX509CAErr
 }
 
-func (m *fakeCAManager) RotateX509CA() {
+func (m *fakeCAManager) RotateX509CA(context.Context) {
 	m.rotateX509CACalled = true
 }