Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ConnectCALeafRequest should factor in DNSSAN and IPSAN into its cache key #7514

Closed
mkeeler opened this issue Mar 26, 2020 · 5 comments
Closed

ConnectCALeafRequest should factor in DNSSAN and IPSAN into its cache key #7514

mkeeler opened this issue Mar 26, 2020 · 5 comments
Labels
good first issue A well-defined bug or improvement with sufficient context which should be approachable for new contr theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/bug Feature does not function as expected
Milestone
1.7.x

Comments

@mkeeler
Copy link
Member

mkeeler commented Mar 26, 2020

consul/agent/cache-types/connect_ca_leaf.go

Lines 640 to 672 in e5d6273

type ConnectCALeafRequest struct {
Token string
Datacenter string
Service string // Service name, not ID
Agent string // Agent name, not ID
DNSSAN []string
IPSAN []net.IP
MinQueryIndex uint64
MaxQueryTime time.Duration
structs.EnterpriseMeta
}
func (r *ConnectCALeafRequest) Key() string {
if len(r.Agent) > 0 {
return fmt.Sprintf("agent:%s", r.Agent)
}
r.EnterpriseMeta.Normalize()
v, err := hashstructure.Hash([]interface{}{
r.Service,
r.EnterpriseMeta,
}, nil)
if err == nil {
return fmt.Sprintf("service:%d", v)
}
// If there is an error, we don't set the key. A blank key forces
// no cache for this request so the request is forwarded directly
// to the server.
return ""
}

When computing the cache key for this type it should also be including the IPSAN and DNSSAN fields in the hash.

Currently there is no way for user provided input to set these fields and they are only used for auto-encrypt. Therefore this shouldn't be affecting anyone today. If we were to allow for setting these via an API or configuration then it could be problematic.

Regardless the "correct" behavior for this cache type should be to include those two slices in the hash structure call.
@mkeeler mkeeler added the type/bug Feature does not function as expected label Mar 26, 2020
@mkeeler mkeeler added this to the 1.7.x milestone Mar 26, 2020
@mkeeler mkeeler added theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies good first issue A well-defined bug or improvement with sufficient context which should be approachable for new contr labels Mar 26, 2020
@sashaaKr
Copy link
Contributor

sashaaKr commented Apr 3, 2020

@mkeeler Hey,
I would like to give a try to take this one.

So if I'm understand the scope of this change in func (r *ConnectCALeafRequest) Key() string function, am I right?

@mkeeler
Copy link
Member Author

mkeeler commented Apr 3, 2020

@sashaaKr Yes that is correct. There is a hashstructure call in that method that should probably include both of those other two fields. Besides that method we would need to add a new test (probably in agent/cache-types/connect_ca_leaf_test.go) to verify that a leaf request for the same service with different SANs outputs different values for the cache key.

One other thing to note here is that the cache key doesn't take the token or datacenter into account as that is information that the cache implementation always pulls out itself.

@sashaaKr
Copy link
Contributor

sashaaKr commented Apr 3, 2020
edited
Loading

@mkeeler great, I think I can handle it

@sashaaKr sashaaKr mentioned this issue Apr 3, 2020
Merged
@sashaaKr
Copy link
Contributor

sashaaKr commented Apr 3, 2020

@mkeeler hope this is ok:
#7597

@crhino
Copy link
Contributor

crhino commented Apr 15, 2020

Fixed by #7597

@crhino crhino closed this as completed Apr 15, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue A well-defined bug or improvement with sufficient context which should be approachable for new contr theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/bug Feature does not function as expected
Projects
None yet
Milestone
1.7.x
Development

No branches or pull requests
3 participants
@mkeeler @crhino @sashaaKr