From 0d8f47213123c515f3fbf6b3cfc02578a860ac01 Mon Sep 17 00:00:00 2001 From: phbnf Date: Fri, 6 Sep 2024 12:12:18 +0200 Subject: [PATCH] remove root_pem_file from cfg, and only allow a single file (#225) * remove root_pem_file from cfg, and only allow a single file * s/paths/path --- personalities/sctfe/config.go | 8 +- personalities/sctfe/config_test.go | 2 +- personalities/sctfe/configpb/config.pb.go | 95 +++++----- personalities/sctfe/configpb/config.proto | 3 - personalities/sctfe/ct_server_gcp/main.go | 14 +- personalities/sctfe/instance.go | 7 +- personalities/sctfe/instance_test.go | 214 +++++++++++----------- 7 files changed, 164 insertions(+), 179 deletions(-) diff --git a/personalities/sctfe/config.go b/personalities/sctfe/config.go index 68bd1899..81ccdd14 100644 --- a/personalities/sctfe/config.go +++ b/personalities/sctfe/config.go @@ -48,9 +48,9 @@ type LogConfig struct { // origin identifies the log. It will be used in its checkpoint, and // is also its submission prefix, as per https://c2sp.org/static-ct-api Origin string - // Paths to the files containing root certificates that are acceptable to the + // Path to the file containing root certificates that are acceptable to the // log. The certs are served through get-roots endpoint. - RootsPemFile []string + RootsPemFile string // The private key used for signing Checkpoints or SCTs. PrivateKey *anypb.Any // The public key matching the above private key (if both are present). @@ -122,7 +122,7 @@ func LogConfigFromFile(filename string) (*configpb.LogConfig, error) { // - Merge delays (if present) are correct. // // Returns the validated structures (useful to avoid double validation). -func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string) (*ValidatedLogConfig, error) { +func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string, rootsPemFile string) (*ValidatedLogConfig, error) { if origin == "" { return nil, errors.New("empty origin") } @@ -142,7 +142,7 @@ func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, vCfg := ValidatedLogConfig{Config: &LogConfig{ Origin: origin, - RootsPemFile: cfg.RootsPemFile, + RootsPemFile: rootsPemFile, PrivateKey: cfg.PrivateKey, PublicKey: cfg.PublicKey, RejectExpired: cfg.RejectExpired, diff --git a/personalities/sctfe/config_test.go b/personalities/sctfe/config_test.go index 8ab29c15..1887f397 100644 --- a/personalities/sctfe/config_test.go +++ b/personalities/sctfe/config_test.go @@ -317,7 +317,7 @@ func TestValidateLogConfig(t *testing.T) { }, } { t.Run(tc.desc, func(t *testing.T) { - vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB) + vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB, "") if len(tc.wantErr) == 0 && err != nil { t.Errorf("ValidateLogConfig()=%v, want nil", err) } diff --git a/personalities/sctfe/configpb/config.pb.go b/personalities/sctfe/configpb/config.pb.go index 1dae0341..b98c5373 100644 --- a/personalities/sctfe/configpb/config.pb.go +++ b/personalities/sctfe/configpb/config.pb.go @@ -45,9 +45,6 @@ type LogConfig struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // Paths to the files containing root certificates that are acceptable to the - // log. The certs are served through get-roots endpoint. - RootsPemFile []string `protobuf:"bytes,2,rep,name=roots_pem_file,json=rootsPemFile,proto3" json:"roots_pem_file,omitempty"` // The private key used for signing Checkpoints or SCTs. PrivateKey *anypb.Any `protobuf:"bytes,3,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` // The public key matching the above private key (if both are present). @@ -125,13 +122,6 @@ func (*LogConfig) Descriptor() ([]byte, []int) { return file_configpb_config_proto_rawDescGZIP(), []int{0} } -func (x *LogConfig) GetRootsPemFile() []string { - if x != nil { - return x.RootsPemFile - } - return nil -} - func (x *LogConfig) GetPrivateKey() *anypb.Any { if x != nil { return x.PrivateKey @@ -219,50 +209,47 @@ var file_configpb_config_proto_rawDesc = []byte{ 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd5, 0x04, 0x0a, 0x09, 0x4c, 0x6f, - 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a, 0x0e, 0x72, 0x6f, 0x6f, 0x74, 0x73, - 0x5f, 0x70, 0x65, 0x6d, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x0c, 0x72, 0x6f, 0x6f, 0x74, 0x73, 0x50, 0x65, 0x6d, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x35, 0x0a, - 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, - 0x65, 0x4b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, - 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x6b, 0x65, 0x79, 0x73, 0x70, - 0x62, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x25, 0x0a, 0x0e, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, - 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, - 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x12, 0x29, 0x0a, - 0x10, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x75, 0x6e, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, - 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x55, - 0x6e, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x12, 0x24, 0x0a, 0x0e, 0x65, 0x78, 0x74, 0x5f, - 0x6b, 0x65, 0x79, 0x5f, 0x75, 0x73, 0x61, 0x67, 0x65, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, - 0x52, 0x0c, 0x65, 0x78, 0x74, 0x4b, 0x65, 0x79, 0x55, 0x73, 0x61, 0x67, 0x65, 0x73, 0x12, 0x42, - 0x0a, 0x0f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x5f, 0x73, 0x74, 0x61, 0x72, - 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x53, 0x74, 0x61, - 0x72, 0x74, 0x12, 0x42, 0x0a, 0x0f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x5f, - 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, - 0x72, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x12, 0x24, 0x0a, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, - 0x5f, 0x6f, 0x6e, 0x6c, 0x79, 0x5f, 0x63, 0x61, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, - 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x4f, 0x6e, 0x6c, 0x79, 0x43, 0x61, 0x12, 0x2d, 0x0a, 0x13, - 0x6d, 0x61, 0x78, 0x5f, 0x6d, 0x65, 0x72, 0x67, 0x65, 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x5f, - 0x73, 0x65, 0x63, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x05, 0x52, 0x10, 0x6d, 0x61, 0x78, 0x4d, 0x65, - 0x72, 0x67, 0x65, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x63, 0x12, 0x37, 0x0a, 0x18, 0x65, - 0x78, 0x70, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x6d, 0x65, 0x72, 0x67, 0x65, 0x5f, 0x64, 0x65, - 0x6c, 0x61, 0x79, 0x5f, 0x73, 0x65, 0x63, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x05, 0x52, 0x15, 0x65, - 0x78, 0x70, 0x65, 0x63, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x72, 0x67, 0x65, 0x44, 0x65, 0x6c, 0x61, - 0x79, 0x53, 0x65, 0x63, 0x12, 0x2b, 0x0a, 0x11, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, - 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0d, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x10, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, - 0x73, 0x42, 0x4b, 0x5a, 0x49, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x2d, 0x64, 0x65, 0x76, - 0x2f, 0x74, 0x72, 0x69, 0x6c, 0x6c, 0x69, 0x61, 0x6e, 0x2d, 0x74, 0x65, 0x73, 0x73, 0x65, 0x72, - 0x61, 0x2f, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x2f, - 0x73, 0x63, 0x74, 0x66, 0x65, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x70, 0x62, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xaf, 0x04, 0x0a, 0x09, 0x4c, 0x6f, + 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x35, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, + 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, + 0x6e, 0x79, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x30, + 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x6b, 0x65, 0x79, 0x73, 0x70, 0x62, 0x2e, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x12, 0x25, 0x0a, 0x0e, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, + 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, + 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x12, 0x29, 0x0a, 0x10, 0x72, 0x65, 0x6a, 0x65, 0x63, + 0x74, 0x5f, 0x75, 0x6e, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x0f, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x55, 0x6e, 0x65, 0x78, 0x70, 0x69, 0x72, + 0x65, 0x64, 0x12, 0x24, 0x0a, 0x0e, 0x65, 0x78, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x75, 0x73, + 0x61, 0x67, 0x65, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x78, 0x74, 0x4b, + 0x65, 0x79, 0x55, 0x73, 0x61, 0x67, 0x65, 0x73, 0x12, 0x42, 0x0a, 0x0f, 0x6e, 0x6f, 0x74, 0x5f, + 0x61, 0x66, 0x74, 0x65, 0x72, 0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x6e, + 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x53, 0x74, 0x61, 0x72, 0x74, 0x12, 0x42, 0x0a, 0x0f, + 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x5f, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x18, + 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, + 0x70, 0x52, 0x0d, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x4c, 0x69, 0x6d, 0x69, 0x74, + 0x12, 0x24, 0x0a, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x5f, 0x6f, 0x6e, 0x6c, 0x79, 0x5f, + 0x63, 0x61, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, + 0x4f, 0x6e, 0x6c, 0x79, 0x43, 0x61, 0x12, 0x2d, 0x0a, 0x13, 0x6d, 0x61, 0x78, 0x5f, 0x6d, 0x65, + 0x72, 0x67, 0x65, 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x5f, 0x73, 0x65, 0x63, 0x18, 0x0b, 0x20, + 0x01, 0x28, 0x05, 0x52, 0x10, 0x6d, 0x61, 0x78, 0x4d, 0x65, 0x72, 0x67, 0x65, 0x44, 0x65, 0x6c, + 0x61, 0x79, 0x53, 0x65, 0x63, 0x12, 0x37, 0x0a, 0x18, 0x65, 0x78, 0x70, 0x65, 0x63, 0x74, 0x65, + 0x64, 0x5f, 0x6d, 0x65, 0x72, 0x67, 0x65, 0x5f, 0x64, 0x65, 0x6c, 0x61, 0x79, 0x5f, 0x73, 0x65, + 0x63, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x05, 0x52, 0x15, 0x65, 0x78, 0x70, 0x65, 0x63, 0x74, 0x65, + 0x64, 0x4d, 0x65, 0x72, 0x67, 0x65, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x63, 0x12, 0x2b, + 0x0a, 0x11, 0x72, 0x65, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, + 0x6f, 0x6e, 0x73, 0x18, 0x0d, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x72, 0x65, 0x6a, 0x65, 0x63, + 0x74, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x4b, 0x5a, 0x49, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, + 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x2d, 0x64, 0x65, 0x76, 0x2f, 0x74, 0x72, 0x69, 0x6c, 0x6c, + 0x69, 0x61, 0x6e, 0x2d, 0x74, 0x65, 0x73, 0x73, 0x65, 0x72, 0x61, 0x2f, 0x70, 0x65, 0x72, 0x73, + 0x6f, 0x6e, 0x61, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x2f, 0x73, 0x63, 0x74, 0x66, 0x65, 0x2f, + 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/personalities/sctfe/configpb/config.proto b/personalities/sctfe/configpb/config.proto index 69820d85..dda7d78a 100644 --- a/personalities/sctfe/configpb/config.proto +++ b/personalities/sctfe/configpb/config.proto @@ -26,9 +26,6 @@ import "google/protobuf/timestamp.proto"; // // NEXT_ID: 15 message LogConfig { - // Paths to the files containing root certificates that are acceptable to the - // log. The certs are served through get-roots endpoint. - repeated string roots_pem_file = 2; // The private key used for signing Checkpoints or SCTs. google.protobuf.Any private_key = 3; // The public key matching the above private key (if both are present). diff --git a/personalities/sctfe/ct_server_gcp/main.go b/personalities/sctfe/ct_server_gcp/main.go index 34bcd432..129cd156 100644 --- a/personalities/sctfe/ct_server_gcp/main.go +++ b/personalities/sctfe/ct_server_gcp/main.go @@ -61,12 +61,12 @@ var ( tracingProjectID = flag.String("tracing_project_id", "", "project ID to pass to stackdriver. Can be empty for GCP, consult docs for other platforms.") tracingPercent = flag.Int("tracing_percent", 0, "Percent of requests to be traced. Zero is a special case to use the DefaultSampler") pkcs11ModulePath = flag.String("pkcs11_module_path", "", "Path to the PKCS#11 module to use for keys that use the PKCS#11 interface") - // TODO: remove comment above when the config proto has been deleted. - dedupPath = flag.String("dedup_path", "", "Path to the deduplication database") - origin = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix") - projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix") - bucket = flag.String("bucket", "", "name of the bucket to store the log in") - spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}") + dedupPath = flag.String("dedup_path", "", "Path to the deduplication database") + origin = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix") + projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix") + bucket = flag.String("bucket", "", "name of the bucket to store the log in") + spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}") + rootsPemFile = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.") ) // nolint:staticcheck @@ -89,7 +89,7 @@ func main() { klog.Exitf("Failed to read config: %v", err) } - vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB) + vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB, *rootsPemFile) if err != nil { klog.Exitf("Invalid config: %v", err) } diff --git a/personalities/sctfe/instance.go b/personalities/sctfe/instance.go index 7322ffa7..719aca81 100644 --- a/personalities/sctfe/instance.go +++ b/personalities/sctfe/instance.go @@ -81,6 +81,7 @@ func setUpLogInfo(ctx context.Context, opts InstanceOptions) (*logInfo, error) { vCfg := opts.Validated cfg := vCfg.Config + // TODO(phboneff): move to ValidateLogConfig // Check config validity. if len(cfg.RootsPemFile) == 0 { return nil, errors.New("need to specify RootsPemFile") @@ -88,10 +89,8 @@ func setUpLogInfo(ctx context.Context, opts InstanceOptions) (*logInfo, error) { // Load the trusted roots. roots := x509util.NewPEMCertPool() - for _, pemFile := range cfg.RootsPemFile { - if err := roots.AppendCertsFromPEMFile(pemFile); err != nil { - return nil, fmt.Errorf("failed to read trusted roots: %v", err) - } + if err := roots.AppendCertsFromPEMFile(cfg.RootsPemFile); err != nil { + return nil, fmt.Errorf("failed to read trusted roots: %v", err) } var signer crypto.Signer diff --git a/personalities/sctfe/instance_test.go b/personalities/sctfe/instance_test.go index e8ffcb85..1a8e981f 100644 --- a/personalities/sctfe/instance_test.go +++ b/personalities/sctfe/instance_test.go @@ -50,26 +50,27 @@ func TestSetUpInstance(t *testing.T) { wrongPassPrivKey := mustMarshalAny(&keyspb.PEMKeyFile{Path: "./testdata/ct-http-server.privkey.pem", Password: "dirkly"}) var tests = []struct { - desc string - cfg *configpb.LogConfig - origin string - projectID string - bucket string - spannerDB string - ctStorage func(context.Context, note.Signer) (*CTStorage, error) - wantErr string + desc string + cfg *configpb.LogConfig + origin string + projectID string + bucket string + spannerDB string + rootsPemFile string + ctStorage func(context.Context, note.Signer) (*CTStorage, error) + wantErr string }{ { desc: "valid", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, - PrivateKey: privKey, + PrivateKey: privKey, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - ctStorage: fakeCTStorage, + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", + ctStorage: fakeCTStorage, }, { desc: "no-roots", @@ -86,117 +87,117 @@ func TestSetUpInstance(t *testing.T) { { desc: "missing-root-cert", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"../testdata/bogus.cert"}, - PrivateKey: privKey, + PrivateKey: privKey, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - ctStorage: fakeCTStorage, - wantErr: "failed to read trusted roots", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + ctStorage: fakeCTStorage, + rootsPemFile: "./testdata/bogus.cert", + wantErr: "failed to read trusted roots", }, { desc: "missing-privkey", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, - PrivateKey: missingPrivKey, + PrivateKey: missingPrivKey, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - ctStorage: fakeCTStorage, - wantErr: "failed to load private key", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", + ctStorage: fakeCTStorage, + wantErr: "failed to load private key", }, { desc: "privkey-wrong-password", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, - PrivateKey: wrongPassPrivKey, + PrivateKey: wrongPassPrivKey, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - ctStorage: fakeCTStorage, - wantErr: "failed to load private key", + origin: "log", + projectID: "projeot", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", + ctStorage: fakeCTStorage, + wantErr: "failed to load private key", }, { desc: "valid-ekus-1", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, PrivateKey: privKey, ExtKeyUsages: []string{"Any"}, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - ctStorage: fakeCTStorage, + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", + ctStorage: fakeCTStorage, }, { desc: "valid-ekus-2", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, PrivateKey: privKey, ExtKeyUsages: []string{"Any", "ServerAuth", "TimeStamping"}, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - ctStorage: fakeCTStorage, + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", + ctStorage: fakeCTStorage, }, { desc: "valid-reject-ext", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, PrivateKey: privKey, RejectExtensions: []string{"1.2.3.4", "5.6.7.8"}, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - ctStorage: fakeCTStorage, + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", + ctStorage: fakeCTStorage, }, { desc: "invalid-reject-ext", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, PrivateKey: privKey, RejectExtensions: []string{"1.2.3.4", "one.banana.two.bananas"}, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - ctStorage: fakeCTStorage, - wantErr: "one", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + ctStorage: fakeCTStorage, + rootsPemFile: "./testdata/fake-ca.cert", + wantErr: "one", }, { desc: "missing-create-storage", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, - PrivateKey: privKey, + PrivateKey: privKey, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", - wantErr: "failed to initiate storage backend", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", + wantErr: "failed to initiate storage backend", }, { desc: "failing-create-storage", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, - PrivateKey: privKey, + PrivateKey: privKey, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", ctStorage: func(_ context.Context, _ note.Signer) (*CTStorage, error) { return nil, fmt.Errorf("I failed") }, @@ -206,7 +207,7 @@ func TestSetUpInstance(t *testing.T) { for _, test := range tests { t.Run(test.desc, func(t *testing.T) { - vCfg, err := ValidateLogConfig(test.cfg, test.origin, test.projectID, test.bucket, test.spannerDB) + vCfg, err := ValidateLogConfig(test.cfg, test.origin, test.projectID, test.bucket, test.spannerDB, test.rootsPemFile) if err != nil { t.Fatalf("ValidateLogConfig(): %v", err) } @@ -250,66 +251,67 @@ func TestSetUpInstanceSetsValidationOpts(t *testing.T) { t.Fatalf("Could not marshal private key proto: %v", err) } var tests = []struct { - desc string - cfg *configpb.LogConfig - origin string - projectID string - bucket string - spannerDB string + desc string + cfg *configpb.LogConfig + origin string + projectID string + bucket string + spannerDB string + rootsPemFile string }{ { desc: "no validation opts", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, - PrivateKey: privKey, + PrivateKey: privKey, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", }, { desc: "notAfterStart only", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, PrivateKey: privKey, NotAfterStart: start, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", }, { desc: "notAfter range", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, PrivateKey: privKey, NotAfterStart: start, NotAfterLimit: limit, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", }, { desc: "caOnly", cfg: &configpb.LogConfig{ - RootsPemFile: []string{"./testdata/fake-ca.cert"}, PrivateKey: privKey, AcceptOnlyCa: true, }, - origin: "log", - projectID: "project", - bucket: "bucket", - spannerDB: "spanner", + origin: "log", + projectID: "project", + bucket: "bucket", + spannerDB: "spanner", + rootsPemFile: "./testdata/fake-ca.cert", }, } for _, test := range tests { t.Run(test.desc, func(t *testing.T) { - vCfg, err := ValidateLogConfig(test.cfg, test.origin, test.projectID, test.bucket, test.spannerDB) + vCfg, err := ValidateLogConfig(test.cfg, test.origin, test.projectID, test.bucket, test.spannerDB, test.rootsPemFile) if err != nil { t.Fatalf("ValidateLogConfig(): %v", err) }