hashicorp · DanStough · Apr 18, 2022 · Apr 14, 2022
@@ -0,0 +1,3 @@
+```release-note:note
+dependency: Upgrade to use Go 1.18.1
+```
@@ -15,7 +15,7 @@ references:
   images:
     # When updating the Go version, remember to also update the versions in the
     # workflows section for go-test-lib jobs.
-    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.17.5
+    go: &GOLANG_IMAGE docker.mirror.hashicorp.services/cimg/go:1.18.1
     ember: &EMBER_IMAGE docker.mirror.hashicorp.services/circleci/node:14-browsers
 
   paths:
@@ -188,7 +188,7 @@ jobs:
           name: Install golangci-lint
           command: |
             download=https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh
-            wget -O- -q $download | sh -x -s -- -d -b /home/circleci/go/bin v1.40.1
+            wget -O- -q $download | sh -x -s -- -d -b /home/circleci/go/bin v1.45.2
       - run: go mod download
       - run:
           name: lint
@@ -1061,24 +1061,24 @@ workflows:
       - go-test:
           requires: [ dev-build ]
       - go-test-lib:
-          name: "go-test-api go1.16"
+          name: "go-test-api go1.17"
           path: api
-          go-version: "1.16"
+          go-version: "1.17"
           requires: [ dev-build ]
       - go-test-lib:
-          name: "go-test-api go1.17"
+          name: "go-test-api go1.18"
           path: api
-          go-version: "1.17"
+          go-version: "1.18"
           requires: [ dev-build ]
       - go-test-lib:
-          name: "go-test-sdk go1.16"
+          name: "go-test-sdk go1.17"
           path: sdk
-          go-version: "1.16"
+          go-version: "1.17"
           <<: *filter-ignore-non-go-branches
       - go-test-lib:
-          name: "go-test-sdk go1.17"
+          name: "go-test-sdk go1.18"
           path: sdk
-          go-version: "1.17"
+          go-version: "1.18"
           <<: *filter-ignore-non-go-branches
       - go-test-race: *filter-ignore-non-go-branches
       - go-test-32bit: *filter-ignore-non-go-branches

@@ -65,15 +65,15 @@ jobs:
     strategy:
       matrix:
         include:
-          - {go: "1.17.5", goos: "linux", goarch: "386"}
-          - {go: "1.17.5", goos: "linux", goarch: "amd64"}
-          - {go: "1.17.5", goos: "linux", goarch: "arm"}
-          - {go: "1.17.5", goos: "linux", goarch: "arm64"}
-          - {go: "1.17.5", goos: "freebsd", goarch: "386"}
-          - {go: "1.17.5", goos: "freebsd", goarch: "amd64"}
-          - {go: "1.17.5", goos: "windows", goarch: "386"}
-          - {go: "1.17.5", goos: "windows", goarch: "amd64"}
-          - {go: "1.17.5", goos: "solaris", goarch: "amd64"}
+          - {go: "1.18.1", goos: "linux", goarch: "386"}
+          - {go: "1.18.1", goos: "linux", goarch: "amd64"}
+          - {go: "1.18.1", goos: "linux", goarch: "arm"}
+          - {go: "1.18.1", goos: "linux", goarch: "arm64"}
+          - {go: "1.18.1", goos: "freebsd", goarch: "386"}
+          - {go: "1.18.1", goos: "freebsd", goarch: "amd64"}
+          - {go: "1.18.1", goos: "windows", goarch: "386"}
+          - {go: "1.18.1", goos: "windows", goarch: "amd64"}
+          - {go: "1.18.1", goos: "solaris", goarch: "amd64"}
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build
@@ -173,7 +173,7 @@ jobs:
       matrix:
         goos: [ darwin ]
         goarch: [ "amd64", "arm64" ]
-        go: [ "1.17.5" ]
+        go: [ "1.18.1" ]
       fail-fast: true
 
     name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} build

@@ -6,7 +6,7 @@ GOTOOLS = \
 	github.com/elazarl/go-bindata-assetfs/go-bindata-assetfs@master \
 	github.com/hashicorp/go-bindata/go-bindata@master \
 	github.com/vektra/mockery/cmd/mockery@master \
-	github.com/golangci/golangci-lint/cmd/golangci-lint@v1.40.1 \
+	github.com/golangci/golangci-lint/cmd/golangci-lint@v1.45.2 \
 	github.com/hashicorp/lint-consul-retry@master
 
 PROTOC_VERSION=3.15.8
@@ -15,7 +15,7 @@ PROTOC_VERSION=3.15.8
 # MOG_VERSION can be either a valid string for "go install <module>@<version>"
 # or the string @DEV to imply use whatever is currently installed locally.
 ###
-MOG_VERSION='v0.2.0'
+MOG_VERSION='v0.3.0'
 ###
 # PROTOC_GO_INJECT_TAG_VERSION can be either a valid string for "go install <module>@<version>"
 # or the string @DEV to imply use whatever is currently installed locally.

@@ -16,6 +16,7 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"os"
+	"path"
 	"path/filepath"
 	"strconv"
 	"strings"
@@ -24,6 +25,8 @@ import (
 	"time"
 
 	"github.com/golang/protobuf/jsonpb"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/google/tcpproxy"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/serf/coordinate"
@@ -3931,9 +3934,11 @@ func TestAgent_ReloadConfigOutgoingRPCConfig(t *testing.T) {
 	a := NewTestAgent(t, hcl)
 	defer a.Shutdown()
 	tlsConf := a.tlsConfigurator.OutgoingRPCConfig()
+
 	require.True(t, tlsConf.InsecureSkipVerify)
-	require.Len(t, tlsConf.ClientCAs.Subjects(), 1)
-	require.Len(t, tlsConf.RootCAs.Subjects(), 1)
+	expectedCaPoolByFile := getExpectedCaPoolByFile(t)
+	assertDeepEqual(t, expectedCaPoolByFile, tlsConf.RootCAs, cmpCertPool)
+	assertDeepEqual(t, expectedCaPoolByFile, tlsConf.ClientCAs, cmpCertPool)
 
 	hcl = `
 		data_dir = "` + dataDir + `"
@@ -3946,9 +3951,11 @@ func TestAgent_ReloadConfigOutgoingRPCConfig(t *testing.T) {
 	c := TestConfig(testutil.Logger(t), config.FileSource{Name: t.Name(), Format: "hcl", Data: hcl})
 	require.NoError(t, a.reloadConfigInternal(c))
 	tlsConf = a.tlsConfigurator.OutgoingRPCConfig()
+
 	require.False(t, tlsConf.InsecureSkipVerify)
-	require.Len(t, tlsConf.RootCAs.Subjects(), 2)
-	require.Len(t, tlsConf.ClientCAs.Subjects(), 2)
+	expectedCaPoolByDir := getExpectedCaPoolByDir(t)
+	assertDeepEqual(t, expectedCaPoolByDir, tlsConf.RootCAs, cmpCertPool)
+	assertDeepEqual(t, expectedCaPoolByDir, tlsConf.ClientCAs, cmpCertPool)
 }
 
 func TestAgent_ReloadConfigAndKeepChecksStatus(t *testing.T) {
@@ -4018,8 +4025,9 @@ func TestAgent_ReloadConfigIncomingRPCConfig(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, tlsConf)
 	require.True(t, tlsConf.InsecureSkipVerify)
-	require.Len(t, tlsConf.ClientCAs.Subjects(), 1)
-	require.Len(t, tlsConf.RootCAs.Subjects(), 1)
+	expectedCaPoolByFile := getExpectedCaPoolByFile(t)
+	assertDeepEqual(t, expectedCaPoolByFile, tlsConf.RootCAs, cmpCertPool)
+	assertDeepEqual(t, expectedCaPoolByFile, tlsConf.ClientCAs, cmpCertPool)
 
 	hcl = `
 		data_dir = "` + dataDir + `"
@@ -4034,8 +4042,9 @@ func TestAgent_ReloadConfigIncomingRPCConfig(t *testing.T) {
 	tlsConf, err = tlsConf.GetConfigForClient(nil)
 	require.NoError(t, err)
 	require.False(t, tlsConf.InsecureSkipVerify)
-	require.Len(t, tlsConf.ClientCAs.Subjects(), 2)
-	require.Len(t, tlsConf.RootCAs.Subjects(), 2)
+	expectedCaPoolByDir := getExpectedCaPoolByDir(t)
+	assertDeepEqual(t, expectedCaPoolByDir, tlsConf.RootCAs, cmpCertPool)
+	assertDeepEqual(t, expectedCaPoolByDir, tlsConf.ClientCAs, cmpCertPool)
 }
 
 func TestAgent_ReloadConfigTLSConfigFailure(t *testing.T) {
@@ -4066,8 +4075,10 @@ func TestAgent_ReloadConfigTLSConfigFailure(t *testing.T) {
 	tlsConf, err := tlsConf.GetConfigForClient(nil)
 	require.NoError(t, err)
 	require.Equal(t, tls.NoClientCert, tlsConf.ClientAuth)
-	require.Len(t, tlsConf.ClientCAs.Subjects(), 1)
-	require.Len(t, tlsConf.RootCAs.Subjects(), 1)
+
+	expectedCaPoolByFile := getExpectedCaPoolByFile(t)
+	assertDeepEqual(t, expectedCaPoolByFile, tlsConf.RootCAs, cmpCertPool)
+	assertDeepEqual(t, expectedCaPoolByFile, tlsConf.ClientCAs, cmpCertPool)
 }
 
 func TestAgent_consulConfig_AutoEncryptAllowTLS(t *testing.T) {
@@ -5845,3 +5856,45 @@ func Test_coalesceTimerTwoPeriods(t *testing.T) {
 	})
 
 }
+
+func getExpectedCaPoolByFile(t *testing.T) *x509.CertPool {
+	pool := x509.NewCertPool()
+	data, err := ioutil.ReadFile("../test/ca/root.cer")
+	require.NoError(t, err)
+	if !pool.AppendCertsFromPEM(data) {
+		t.Fatal("could not add test ca ../test/ca/root.cer to pool")
+	}
+	return pool
+}
+
+func getExpectedCaPoolByDir(t *testing.T) *x509.CertPool {
+	pool := x509.NewCertPool()
+	entries, err := os.ReadDir("../test/ca_path")
+	require.NoError(t, err)
+
+	for _, entry := range entries {
+		filename := path.Join("../test/ca_path", entry.Name())
+
+		data, err := ioutil.ReadFile(filename)
+		require.NoError(t, err)
+
+		if !pool.AppendCertsFromPEM(data) {
+			t.Fatalf("could not add test ca %s to pool", filename)
+		}
+	}
+
+	return pool
+}
+
+// lazyCerts has a func field which can't be compared.
+var cmpCertPool = cmp.Options{
+	cmpopts.IgnoreFields(x509.CertPool{}, "lazyCerts"),
+	cmp.AllowUnexported(x509.CertPool{}),
+}
+
+func assertDeepEqual(t *testing.T, x, y interface{}, opts ...cmp.Option) {
+	t.Helper()
+	if diff := cmp.Diff(x, y, opts...); diff != "" {
+		t.Fatalf("assertion failed: values are not equal\n--- expected\n+++ actual\n%v", diff)
+	}
+}
@@ -3,6 +3,7 @@ package agent
 import (
 	"bytes"
 	"crypto/x509"
+	"encoding/pem"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
@@ -288,8 +289,13 @@ func TestConnectCARoots_PEMEncoding(t *testing.T) {
 
 	data, err := ioutil.ReadAll(resp.Body)
 	require.NoError(t, err)
-	pool := x509.NewCertPool()
-	require.True(t, pool.AppendCertsFromPEM(data))
+
 	// expecting the root cert from dc1 and an intermediate in dc2
-	require.Len(t, pool.Subjects(), 2)
+	block, rest := pem.Decode(data)
+	_, err = x509.ParseCertificate(block.Bytes)
+	require.NoError(t, err)
+
+	block, _ = pem.Decode(rest)
+	_, err = x509.ParseCertificate(block.Bytes)
+	require.NoError(t, err)
 }
@@ -266,7 +266,7 @@ func newCARoot(pemValue, provider, clusterID string) (*structs.CARoot, error) {
 	}
 	return &structs.CARoot{
 		ID:                  connect.CalculateCertFingerprint(primaryCert.Raw),
-		Name:                fmt.Sprintf("%s CA Primary Cert", strings.Title(provider)),
+		Name:                fmt.Sprintf("%s CA Primary Cert", providerPrettyName(provider)),
 		SerialNumber:        primaryCert.SerialNumber.Uint64(),
 		SigningKeyID:        connect.EncodeSigningKeyID(primaryCert.SubjectKeyId),
 		ExternalTrustDomain: clusterID,
@@ -1581,3 +1581,18 @@ func (c *CAManager) isIntermediateUsedToSignLeaf() bool {
 	provider, _ := c.getCAProvider()
 	return primaryUsesIntermediate(provider)
 }
+
+func providerPrettyName(provider string) string {
+	switch provider {
+	case "consul":
+		return "Consul"
+	case "vault":
+		return "Vault"
+	case "aws-pca":
+		return "Aws-Pca"
+	case "provider-name":
+		return "Provider-Name"
+	default:
+		return provider
+	}
+}
@@ -3,19 +3,23 @@ package api
 import (
 	crand "crypto/rand"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
+	"path"
 	"path/filepath"
 	"reflect"
 	"runtime"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -589,9 +593,8 @@ func TestAPI_SetupTLSConfig(t *testing.T) {
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	if len(cc.RootCAs.Subjects()) != 2 {
-		t.Fatalf("didn't load root CAs")
-	}
+	expectedCaPoolByDir := getExpectedCaPoolByDir(t)
+	assertDeepEqual(t, expectedCaPoolByDir, cc.RootCAs, cmpCertPool)
 
 	// Load certs in-memory
 	certPEM, err := ioutil.ReadFile("../test/hostname/Alice.crt")
@@ -1098,3 +1101,35 @@ func TestAPI_GenerateEnvHTTPS(t *testing.T) {
 
 	require.Equal(t, expected, c.GenerateEnv())
 }
+
+func getExpectedCaPoolByDir(t *testing.T) *x509.CertPool {
+	pool := x509.NewCertPool()
+	entries, err := os.ReadDir("../test/ca_path")
+	require.NoError(t, err)
+
+	for _, entry := range entries {
+		filename := path.Join("../test/ca_path", entry.Name())
+
+		data, err := ioutil.ReadFile(filename)
+		require.NoError(t, err)
+
+		if !pool.AppendCertsFromPEM(data) {
+			t.Fatalf("could not add test ca %s to pool", filename)
+		}
+	}
+
+	return pool
+}
+
+// lazyCerts has a func field which can't be compared.
+var cmpCertPool = cmp.Options{
+	cmpopts.IgnoreFields(x509.CertPool{}, "lazyCerts"),
+	cmp.AllowUnexported(x509.CertPool{}),
+}
+
+func assertDeepEqual(t *testing.T, x, y interface{}, opts ...cmp.Option) {
+	t.Helper()
+	if diff := cmp.Diff(x, y, opts...); diff != "" {
+		t.Fatalf("assertion failed: values are not equal\n--- expected\n+++ actual\n%v", diff)
+	}
+}
@@ -5,6 +5,7 @@ go 1.12
 replace github.com/hashicorp/consul/sdk => ../sdk
 
 require (
+	github.com/google/go-cmp v0.5.7
 	github.com/hashicorp/consul/sdk v0.8.0
 	github.com/hashicorp/go-cleanhttp v0.5.1
 	github.com/hashicorp/go-hclog v0.12.0