[lxc-devel] [lxd/master] lxd/certificates: Make certificate add more robust

stgraber on Github lxc-bot at linuxcontainers.org
Mon Apr 29 17:49:11 UTC 2019


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 370 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190429/7b21b34e/attachment.bin>
-------------- next part --------------
From 9e9dbcbed9f31d8b56ed2fa76a929c8cd76a1de7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 29 Apr 2019 13:48:09 -0400
Subject: [PATCH] lxd/certificates: Make certificate add more robust
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #5707

Signed-off-by: St├ęphane Graber <stgraber at ubuntu.com>
---
 lxd/certificates.go | 48 ++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 25 deletions(-)

diff --git a/lxd/certificates.go b/lxd/certificates.go
index 1e205a9be5..187619f7a8 100644
--- a/lxd/certificates.go
+++ b/lxd/certificates.go
@@ -100,18 +100,6 @@ func readSavedClientCAList(d *Daemon) {
 	}
 }
 
-func saveCert(dbObj *db.Cluster, host string, cert *x509.Certificate) error {
-	baseCert := new(db.CertInfo)
-	baseCert.Fingerprint = shared.CertFingerprint(cert)
-	baseCert.Type = 1
-	baseCert.Name = host
-	baseCert.Certificate = string(
-		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}),
-	)
-
-	return dbObj.CertSave(baseCert)
-}
-
 func certificatesPost(d *Daemon, r *http.Request) Response {
 	// Parse the request
 	req := api.CertificatesPost{}
@@ -173,19 +161,33 @@ func certificatesPost(d *Daemon, r *http.Request) Response {
 
 	fingerprint := shared.CertFingerprint(cert)
 
+	if d.clientCerts == nil {
+		d.clientCerts = map[string]x509.Certificate{}
+	}
+
 	if !isClusterNotification(r) {
-		// Store the certificate in the cluster database.
-		existingCerts, err := d.cluster.CertificatesGet()
-		if err != nil {
-			return SmartError(err)
-		}
-		for _, existingCert := range existingCerts {
-			if fingerprint == existingCert.Fingerprint {
-				return BadRequest(fmt.Errorf("Certificate already in trust store"))
+		// Check if we already have the certificate
+		existingCert, err := d.cluster.CertificateGet(fingerprint)
+		if existingCert != nil {
+			// Deal with the cache being potentially out of sync
+			_, ok := d.clientCerts[fingerprint]
+			if !ok {
+				d.clientCerts[fingerprint] = *cert
+				return SyncResponseLocation(true, nil, fmt.Sprintf("/%s/certificates/%s", version.APIVersion, fingerprint))
 			}
+
+			return BadRequest(fmt.Errorf("Certificate already in trust store"))
+		}
+
+		// Store the certificate in the cluster database
+		dbCert := db.CertInfo{
+			Fingerprint: shared.CertFingerprint(cert),
+			Type:        1,
+			Name:        name,
+			Certificate: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})),
 		}
 
-		err = saveCert(d.cluster, name, cert)
+		err = d.cluster.CertSave(&dbCert)
 		if err != nil {
 			return SmartError(err)
 		}
@@ -210,10 +212,6 @@ func certificatesPost(d *Daemon, r *http.Request) Response {
 		}
 	}
 
-	if d.clientCerts == nil {
-		d.clientCerts = map[string]x509.Certificate{}
-	}
-
 	d.clientCerts[shared.CertFingerprint(cert)] = *cert
 
 	return SyncResponseLocation(true, nil, fmt.Sprintf("/%s/certificates/%s", version.APIVersion, fingerprint))


More information about the lxc-devel mailing list