Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v16] Move process storage to separate package #43294

Merged
merged 1 commit into from
Jun 24, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion integration/hsm/hsm_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ import (
"github.com/gravitational/teleport/lib/auth/authclient"
"github.com/gravitational/teleport/lib/auth/keystore"
"github.com/gravitational/teleport/lib/auth/state"
"github.com/gravitational/teleport/lib/auth/storage"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/backend/etcdbk"
"github.com/gravitational/teleport/lib/backend/lite"
Expand Down Expand Up @@ -181,7 +182,7 @@ func TestHSMRotation(t *testing.T) {
}

func getAdminClient(authDataDir string, authAddr string) (*authclient.Client, error) {
identity, err := state.ReadLocalIdentity(
identity, err := storage.ReadLocalIdentity(
filepath.Join(authDataDir, teleport.ComponentProcess),
state.IdentityID{Role: types.RoleAdmin})
if err != nil {
Expand Down
6 changes: 3 additions & 3 deletions integration/instance_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ import (
"github.com/gravitational/teleport/api/breaker"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib"
"github.com/gravitational/teleport/lib/auth"
"github.com/gravitational/teleport/lib/auth/state"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/cloud/imds"
"github.com/gravitational/teleport/lib/defaults"
Expand Down Expand Up @@ -141,7 +141,7 @@ func TestInstanceCertReissue(t *testing.T) {
authCfg.InstanceMetadataClient = imds.NewDisabledIMDSClient()

authRunErrCh := make(chan error, 1)
authIdentitiesCh := make(chan *auth.Identity, 2)
authIdentitiesCh := make(chan *state.Identity, 2)
go func() {
authRunErrCh <- service.Run(ctx, *authCfg, func(cfg *servicecfg.Config) (service.Process, error) {
proc, err := service.NewTeleport(cfg)
Expand Down Expand Up @@ -198,7 +198,7 @@ func TestInstanceCertReissue(t *testing.T) {
agentCfg.InstanceMetadataClient = imds.NewDisabledIMDSClient()

agentRunErrCh := make(chan error, 1)
agentIdentitiesCh := make(chan *auth.Identity, 2)
agentIdentitiesCh := make(chan *state.Identity, 2)
go func() {
agentRunErrCh <- service.Run(ctx, *agentCfg, func(cfg *servicecfg.Config) (service.Process, error) {
proc, err := service.NewTeleport(cfg)
Expand Down
14 changes: 0 additions & 14 deletions lib/auth/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -1117,20 +1117,6 @@ func checkResourceConsistency(ctx context.Context, keyStore *keystore.Manager, c
return nil
}

// Identity alias left to prevent breaking builds
// TODO(tross): Delete after teleport.e is updated
type Identity = state.Identity

// IdentityID alias left to prevent breaking builds
// TODO(tross): Delete after teleport.e is updated
type IdentityID = state.IdentityID

// ReadLocalIdentity left to prevent breaking builds
// TODO(tross): Delete after teleport.e is updated
func ReadLocalIdentity(dataDir string, id state.IdentityID) (*Identity, error) {
return state.ReadLocalIdentity(dataDir, id)
}

// GenerateIdentity generates identity for the auth server
func GenerateIdentity(a *Server, id state.IdentityID, additionalPrincipals, dnsNames []string) (*state.Identity, error) {
priv, pub, err := native.GenerateKeyPair()
Expand Down
12 changes: 0 additions & 12 deletions lib/auth/state/identity.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@
package state

import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
Expand Down Expand Up @@ -338,14 +337,3 @@ func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error) {
Cert: cert,
}, nil
}

// ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the
// key storage (dataDir).
func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error) {
storage, err := NewProcessStorage(context.TODO(), dataDir)
if err != nil {
return nil, trace.Wrap(err)
}
defer storage.Close()
return storage.ReadIdentity(IdentityCurrent, id.Role)
}
173 changes: 3 additions & 170 deletions lib/auth/state/state.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,53 +19,12 @@
package state

import (
"context"
"encoding/json"
"strings"

"github.com/coreos/go-semver/semver"
"github.com/gravitational/trace"

"github.com/gravitational/teleport/api/client/proto"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/utils"
)

// backend implements abstraction over local or remote storage backend methods
// required for Identity/State storage.
// As in backend.Backend, Item keys are assumed to be valid UTF8, which may be enforced by the
// various Backend implementations.
type stateBackend interface {
// Create creates item if it does not exist
Create(ctx context.Context, i backend.Item) (*backend.Lease, error)
// Put puts value into backend (creates if it does not
// exists, updates it otherwise)
Put(ctx context.Context, i backend.Item) (*backend.Lease, error)
// Get returns a single item or not found error
Get(ctx context.Context, key []byte) (*backend.Item, error)
}

// ProcessStorage is a backend for local process state,
// it helps to manage rotation for certificate authorities
// and keeps local process credentials - x509 and SSH certs and keys.
type ProcessStorage struct {
// BackendStorage is the SQLite backend used for operations unrelated to storing/reading identities and states.
BackendStorage backend.Backend

// stateStorage is the backend to store agents' identities and states.
// it is not required to close stateBackend storage because it's either the same as BackendStorage or it is Kubernetes
// which does not require any close method
stateStorage stateBackend
}

// Close closes all resources used by process storage backend.
func (p *ProcessStorage) Close() error {
// we do not need to close stateBackend storage because it's either the same as backend or it's kubernetes
// which does not require any close method
return p.BackendStorage.Close()
}

const (
// IdentityCurrent is a name for the identity credentials that are
// currently used by the process.
Expand All @@ -75,134 +34,8 @@ const (
IdentityReplacement = "replacement"
// stateName is an internal resource object name
stateName = "state"
// statesPrefix is a key prefix for object states
statesPrefix = "states"
// idsPrefix is a key prefix for identities
idsPrefix = "ids"
)

// GetState reads rotation state from disk.
func (p *ProcessStorage) GetState(ctx context.Context, role types.SystemRole) (*StateV2, error) {
item, err := p.stateStorage.Get(ctx, backend.Key(statesPrefix, strings.ToLower(role.String()), stateName))
if err != nil {
return nil, trace.Wrap(err)
}
var res StateV2
if err := utils.FastUnmarshal(item.Value, &res); err != nil {
return nil, trace.BadParameter(err.Error())
}

// an empty InitialLocalVersion is treated as an error by CheckAndSetDefaults, but if the field
// is missing in the underlying storage, that indicates the state was written by an older version of
// teleport that didn't record InitialLocalVersion. In that case, we set a sentinel value to indicate
// that the version is unknown rather than being erroneously omitted.
if res.Spec.InitialLocalVersion == "" {
res.Spec.InitialLocalVersion = unknownLocalVersion
}

if err := res.CheckAndSetDefaults(); err != nil {
return nil, trace.Wrap(err)
}
return &res, nil
}

// CreateState creates process state if it does not exist yet.
func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error {
if err := state.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
value, err := json.Marshal(state)
if err != nil {
return trace.Wrap(err)
}
item := backend.Item{
Key: backend.Key(statesPrefix, strings.ToLower(role.String()), stateName),
Value: value,
}
_, err = p.stateStorage.Create(context.TODO(), item)
if err != nil {
return trace.Wrap(err)
}
return nil
}

// WriteState writes local cluster state to the backend.
func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error {
if err := state.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
value, err := json.Marshal(state)
if err != nil {
return trace.Wrap(err)
}
item := backend.Item{
Key: backend.Key(statesPrefix, strings.ToLower(role.String()), stateName),
Value: value,
}
_, err = p.stateStorage.Put(context.TODO(), item)
if err != nil {
return trace.Wrap(err)
}
return nil
}

// ReadIdentity reads identity using identity name and role.
func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error) {
if name == "" {
return nil, trace.BadParameter("missing parameter name")
}
item, err := p.stateStorage.Get(context.TODO(), backend.Key(idsPrefix, strings.ToLower(role.String()), name))
if err != nil {
return nil, trace.Wrap(err)
}
var res IdentityV2
if err := utils.FastUnmarshal(item.Value, &res); err != nil {
return nil, trace.BadParameter(err.Error())
}
if err := res.CheckAndSetDefaults(); err != nil {
return nil, trace.Wrap(err)
}
return ReadIdentityFromKeyPair(res.Spec.Key, &proto.Certs{
SSH: res.Spec.SSHCert,
TLS: res.Spec.TLSCert,
TLSCACerts: res.Spec.TLSCACerts,
SSHCACerts: res.Spec.SSHCACerts,
})
}

// WriteIdentity writes identity to the backend.
func (p *ProcessStorage) WriteIdentity(name string, id Identity) error {
res := IdentityV2{
ResourceHeader: types.ResourceHeader{
Kind: types.KindIdentity,
Version: types.V2,
Metadata: types.Metadata{
Name: name,
},
},
Spec: IdentitySpecV2{
Key: id.KeyBytes,
SSHCert: id.CertBytes,
TLSCert: id.TLSCertBytes,
TLSCACerts: id.TLSCACertsBytes,
SSHCACerts: id.SSHCACertBytes,
},
}
if err := res.CheckAndSetDefaults(); err != nil {
return trace.Wrap(err)
}
value, err := json.Marshal(res)
if err != nil {
return trace.Wrap(err)
}
item := backend.Item{
Key: backend.Key(idsPrefix, strings.ToLower(id.ID.Role.String()), name),
Value: value,
}
_, err = p.stateStorage.Put(context.TODO(), item)
return trace.Wrap(err)
}

// StateV2 is a local process state.
type StateV2 struct {
// ResourceHeader is a common resource header.
Expand All @@ -214,7 +47,7 @@ type StateV2 struct {
// GetInitialLocalVersion gets the initial local version string. If ok is false it indicates that
// this state value was written by a teleport agent that was too old to record the initial local version.
func (s *StateV2) GetInitialLocalVersion() (v string, ok bool) {
return s.Spec.InitialLocalVersion, s.Spec.InitialLocalVersion != unknownLocalVersion
return s.Spec.InitialLocalVersion, s.Spec.InitialLocalVersion != UnknownLocalVersion
}

// CheckAndSetDefaults checks and sets defaults values.
Expand Down Expand Up @@ -242,10 +75,10 @@ func (s *StateV2) CheckAndSetDefaults() error {
return nil
}

// unknownVersion is a sentinel value used to distinguish between InitialLocalVersion being missing from
// UnknownVersion is a sentinel value used to distinguish between InitialLocalVersion being missing from
// state due to malformed input and InitialLocalVersion being missing due to the state having been created before
// teleport started recording InitialLocalVersion.
const unknownLocalVersion = "unknown"
const UnknownLocalVersion = "unknown"

// StateSpecV2 is a state spec.
type StateSpecV2 struct {
Expand Down
Loading
Loading