Improve documentation, remove dead code plus some minor refactorings
This improves our code-to-comments ratio by a lot.
On the refactorings:
- Simplify the cluster join mode to just a single protobuf message -
a node can either join an existing cluster or bootstrap a new one.
All of the node-level setup like hostname and trust backend is done
using the setup call, since those are identical for both cases.
- We don't need a node name separate from the hostname. Ideally, we would
get rid of IP addresses for etcd as well.
- Google API design guidelines suggest the `List` term (vs. `Get`).
- Add username to comments for consistency. I think the names provide
useful context, but git blame is a thing. What do you think?
- Fixed or silenced some ignored error checks in preparation of using
an errcheck linter. Especially during early boot, many errors are
obviously not recoverable, but logging them can provide useful debugging info.
- Split up the common package into smaller subpackages.
- Remove the audit package (this will be a separate service that probably
uses it own database, rather than etcd).
- Move storage constants to storage package.
- Remove the unused KV type.
I also added a bunch of TODO comments with discussion points.
Added both of you as blocking reviewers - please comment if I
misunderstood any of your code.
Test Plan: Everything compiles and scripts:launch works (for whatever that's worth).
X-Origin-Diff: phab/D235
GitOrigin-RevId: 922fec5076e8d683e1138f26d2cb490de64a9777
diff --git a/core/internal/consensus/ca/ca.go b/core/internal/consensus/ca/ca.go
index 925f030..a8cfbd9 100644
--- a/core/internal/consensus/ca/ca.go
+++ b/core/internal/consensus/ca/ca.go
@@ -14,8 +14,16 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+// package ca implements a simple standards-compliant certificate authority.
+// It only supports ed25519 keys, and does not maintain any persistent state.
+//
+// CA and certificates successfully pass https://github.com/zmap/zlint
+// (minus the CA/B rules that a public CA would adhere to, which requires
+// things like OCSP servers, Certificate Policies and ECDSA/RSA-only keys).
package ca
+// TODO(leo): add zlint test
+
import (
"crypto"
"crypto/ed25519"
@@ -48,7 +56,7 @@
// violates Section 4.2.1.2 of RFC 5280 without this. Should eventually be redundant.
//
// Taken from https://github.com/FiloSottile/mkcert/blob/master/cert.go#L295 written by one of Go's
-// crypto engineers
+// crypto engineers (BSD 3-clause).
func calculateSKID(pubKey crypto.PublicKey) ([]byte, error) {
spkiASN1, err := x509.MarshalPKIXPublicKey(pubKey)
if err != nil {
@@ -67,6 +75,7 @@
return skid[:], nil
}
+// New creates a new certificate authority with the given common name.
func New(name string) (*CA, error) {
pubKey, privKey, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
@@ -76,7 +85,7 @@
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
- return nil, fmt.Errorf("Failed to generate serial number: %w", err)
+ return nil, fmt.Errorf("failed to generate serial number: %w", err)
}
skid, err := calculateSKID(pubKey)
@@ -101,7 +110,7 @@
caCertRaw, err := x509.CreateCertificate(rand.Reader, caCert, caCert, pubKey, privKey)
if err != nil {
- return nil, fmt.Errorf("Failed to create root certificate: %w", err)
+ return nil, fmt.Errorf("failed to create root certificate: %w", err)
}
ca := &CA{
@@ -109,16 +118,17 @@
CACertRaw: caCertRaw,
CACert: caCert,
}
- if ca.reissueCRL() != nil {
+ if ca.ReissueCRL() != nil {
return nil, fmt.Errorf("failed to create initial CRL: %w", err)
}
return ca, nil
}
+// FromCertificates restores CA state.
func FromCertificates(caCert []byte, caKey []byte, crl []byte) (*CA, error) {
if len(caKey) != ed25519.PrivateKeySize {
- return nil, errors.New("Invalid CA private key size")
+ return nil, errors.New("invalid CA private key size")
}
privateKey := ed25519.PrivateKey(caKey)
@@ -135,11 +145,11 @@
CACertRaw: caCert,
CACert: caCertVal,
Revoked: crlVal.TBSCertList.RevokedCertificates,
- CRLRaw: crl,
}, nil
}
-func (ca *CA) IssueCertificate(hostname string) (cert []byte, privkey []byte, err error) {
+// IssueCertificate issues a certificate
+func (ca *CA) IssueCertificate(commonName string) (cert []byte, privkey []byte, err error) {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
@@ -159,7 +169,7 @@
etcdCert := &x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
- CommonName: hostname,
+ CommonName: commonName,
OrganizationalUnit: []string{"etcd"},
},
IsCA: false,
@@ -167,13 +177,13 @@
NotBefore: time.Now(),
NotAfter: unknownNotAfter,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
- DNSNames: []string{hostname},
+ DNSNames: []string{commonName},
}
cert, err = x509.CreateCertificate(rand.Reader, etcdCert, ca.CACert, pubKey, ca.PrivateKey)
return
}
-func (ca *CA) reissueCRL() error {
+func (ca *CA) ReissueCRL() error {
compatCert := CompatCertificate(*ca.CACert)
newCRL, err := compatCert.CreateCRL(rand.Reader, ca.PrivateKey, ca.Revoked, time.Now(), unknownNotAfter)
if err != nil {
@@ -193,5 +203,5 @@
SerialNumber: serial,
RevocationTime: time.Now(),
})
- return ca.reissueCRL()
+ return ca.ReissueCRL()
}