AUT-305 - Making adjustments for migration out of S3 to a mounted volume for cert-chain storage

.github/dependabot.yml

@@ -5,12 +5,6 @@ updates:
   schedule:
     interval: "weekly"
     time: "10:00" # UTC
-  groups:
-      aws-sdk-go-v2:
-        applies-to: version-updates
-        patterns:
-          - "github.com/aws/aws-sdk-go-v2/*"
-          - "github.com/aws/aws-sdk-go-v2"
 - package-ecosystem: "docker"
   directories:
     - "/"

Makefile

@@ -59,14 +59,6 @@ showbenchmarkxpi:
 test:
 	go test -v -race -coverprofile coverage.out -covermode=atomic -count=1 ./...
 
-test-in-docker:
-	$(SHELL) -c " \
-		docker compose up 2>&1 | tee test-in-docker.log \
-		| (grep --silent 'autograph-unit-test exited with code' && docker compose down; \
-		grep 'autograph-unit-test' test-in-docker.log >unit-test.log ; \
-		tail -2 unit-test.log)"
-
-
 showcoverage: test
 	go tool cover -html=coverage.out
 
@@ -88,6 +80,13 @@ build: generate
 	DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 docker compose build --parallel app-hsm monitor
 	DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 docker compose build --parallel monitor monitor-hsm
 
+test-in-docker: build
+	$(SHELL) -c " \
+		docker compose up 2>&1 | tee test-in-docker.log \
+		| (grep --silent 'autograph-unit-test exited with code' && docker compose down; \
+		grep 'autograph-unit-test' test-in-docker.log >unit-test.log ; \
+		tail -2 unit-test.log)"
+
 # TODO(AUT-287): port this to the Docker compose integration tests
 integration-test:
 	./bin/run_integration_tests.sh

autograph.yaml

@@ -82,7 +82,7 @@ signers:
       type: contentsignaturepki
       validity: 708h
       clockskewtolerance: 1h
-      chainuploadlocation: file:///tmp/autograph/chains/normandydev/
+      chainlocation: /tmp/autograph/chains/normandydev/
       x5u: file:///tmp/autograph/chains/normandydev/
       issuerprivkey: |
         -----BEGIN EC PRIVATE KEY-----
@@ -134,7 +134,7 @@ signers:
       type: contentsignaturepki
       validity: 708h
       clockskewtolerance: 1h
-      chainuploadlocation: file:///tmp/autograph/chains/remotesettingsdev/
+      chainlocation: /tmp/autograph/chains/remotesettingsdev/
       x5u: file:///tmp/autograph/chains/remotesettingsdev/
       issuerprivkey: |
         -----BEGIN EC PRIVATE KEY-----

signer/contentsignaturepki/README.md

@@ -115,10 +115,10 @@ are valid for 90 days (30d of clock skew in the past, 30 days of
 validity, 30 days of clock skew in the future).
 
 Once the end-entity created, it is concatenated to the public
-certificate of the intermediate and root of the PKI, then uploaded to
-*chainuploadlocation*, and retrieved from *x5u* (these two locations may
-actually be different when we upload to an S3 bucket but download from a
-CDN).
+certificate of the intermediate and root of the PKI, then stored at
+*chainlocation*, and retrieved from *x5u* (these two locations may
+actually be different when we upload to a mounted volume but download
+from a CDN or the volume's bucket address).
 
 If this entire procedure succeeds, the signer is initialized with the
 end-entity and starts processing requests.
@@ -134,11 +134,8 @@ signers:
   # give +/- 30d of validity room for clients with bad clocks
   clockskewtolerance: 10m
 
-  # upload cert chains to this location (file:// is really just for local dev)
-  chainuploadlocation: file:///tmp/chains/
-  # when using S3, make sure the relevant AWS credentials are set in the
-  # environment that autograph runs in
-  #chainuploadlocation: s3://net-mozaws-dev-content-signature/chains/
+  # store cert chains to this location
+  chainlocation: /tmp/chains/
 
   # x5u is the path to the public dir where chains are stored. This MUST end
   # with a trailing slash because filenames will be appended to it.

signer/contentsignaturepki/contentsignature.go

@@ -59,7 +59,7 @@ type ContentSigner struct {
 	rand                        io.Reader
 	validity                    time.Duration
 	clockSkewTolerance          time.Duration
-	chainUploadLocation         string
+	chainLocation               string
 	caCert                      string
 	db                          *database.Handler
 	subdomainOverride           string
@@ -80,7 +80,7 @@ func New(conf signer.Configuration) (s *ContentSigner, err error) {
 	s.X5U = conf.X5U
 	s.validity = conf.Validity
 	s.clockSkewTolerance = conf.ClockSkewTolerance
-	s.chainUploadLocation = conf.ChainUploadLocation
+	s.chainLocation = conf.ChainLocation
 	s.caCert = conf.CaCert
 	s.db = conf.DB
 	s.subdomainOverride = conf.SubdomainOverride
@@ -161,8 +161,8 @@ func (s *ContentSigner) initEE(conf signer.Configuration) error {
 		if err != nil {
 			return fmt.Errorf("contentsignaturepki %q: failed to generate end entity: %w", s.ID, err)
 		}
-		// make the certificate and upload the chain
-		err = s.makeAndUploadChain()
+		// make the certificate and save the chain
+		err = s.makeAndSaveChain()
 		if err != nil {
 			return fmt.Errorf("contentsignaturepki %q: failed to make chain and x5u: %w", s.ID, err)
 		}
@@ -185,28 +185,24 @@ func (s *ContentSigner) initEE(conf signer.Configuration) error {
 	default:
 		return fmt.Errorf("contentsignaturepki %q: failed to find suitable end-entity: %w", s.ID, err)
 	}
-	_, _, err = GetX5U(buildHTTPClient(), s.X5U)
-	if err != nil {
-		return fmt.Errorf("contentsignaturepki %q: failed to verify x5u: %w", s.ID, err)
-	}
 	return nil
 }
 
 // Config returns the configuration of the current signer
 func (s *ContentSigner) Config() signer.Configuration {
 	return signer.Configuration{
-		ID:                  s.ID,
-		Type:                s.Type,
-		Mode:                s.Mode,
-		PrivateKey:          s.PrivateKey,
-		PublicKey:           s.PublicKey,
-		IssuerPrivKey:       s.IssuerPrivKey,
-		IssuerCert:          s.IssuerCert,
-		X5U:                 s.X5U,
-		Validity:            s.validity,
-		ClockSkewTolerance:  s.clockSkewTolerance,
-		ChainUploadLocation: s.chainUploadLocation,
-		CaCert:              s.caCert,
+		ID:                 s.ID,
+		Type:               s.Type,
+		Mode:               s.Mode,
+		PrivateKey:         s.PrivateKey,
+		PublicKey:          s.PublicKey,
+		IssuerPrivKey:      s.IssuerPrivKey,
+		IssuerCert:         s.IssuerCert,
+		X5U:                s.X5U,
+		Validity:           s.validity,
+		ClockSkewTolerance: s.clockSkewTolerance,
+		ChainLocation:      s.chainLocation,
+		CaCert:             s.caCert,
 	}
 }
 

signer/contentsignaturepki/contentsignature_test.go

@@ -9,6 +9,7 @@ package contentsignaturepki
 import (
 	"crypto/ecdsa"
 	"errors"
+	"net/http"
 	"strings"
 	"testing"
 
@@ -73,7 +74,7 @@ func TestSign(t *testing.T) {
 		}
 
 		// verify the signature using the public key of the end entity
-		_, certs, err := GetX5U(buildHTTPClient(), s.X5U)
+		_, certs, err := GetX5U(&http.Client{}, s.X5U)
 		if err != nil {
 			t.Fatalf("testcase %d failed to get X5U %q: %v", i, s.X5U, err)
 		}
@@ -94,11 +95,11 @@ var PASSINGTESTCASES = []struct {
 	expectedCommonName string
 }{
 	{cfg: signer.Configuration{
-		Type:                Type,
-		ID:                  "testsigner0",
-		Mode:                P384ECDSA,
-		X5U:                 "file:///tmp/autograph_unit_tests/chains/",
-		ChainUploadLocation: "file:///tmp/autograph_unit_tests/chains/",
+		Type:          Type,
+		ID:            "testsigner0",
+		Mode:          P384ECDSA,
+		X5U:           "file:///tmp/autograph_unit_tests/chains/",
+		ChainLocation: "/tmp/autograph_unit_tests/chains/",
 		IssuerPrivKey: `
 -----BEGIN EC PRIVATE KEY-----
 MIGkAgEBBDBcwxsHPTSHIVY1qLobCqBtnjRe0UZWOro1xtg2oV4rkypbkkgHHnSA
@@ -141,11 +142,11 @@ nsbYLErV5grBhN+UxzmY9YwlOl6j6CoBiNkCMQCVBh9UBkWNkUfMUGImrCNDLvlw
 		expectedCommonName: "testsigner0.content-signature.mozilla.org",
 	},
 	{cfg: signer.Configuration{
-		Type:                Type,
-		ID:                  "testsigner1",
-		Mode:                P256ECDSA,
-		X5U:                 "file:///tmp/autograph_unit_tests/chains/",
-		ChainUploadLocation: "file:///tmp/autograph_unit_tests/chains/",
+		Type:          Type,
+		ID:            "testsigner1",
+		Mode:          P256ECDSA,
+		X5U:           "file:///tmp/autograph_unit_tests/chains/",
+		ChainLocation: "/tmp/autograph_unit_tests/chains/",
 		IssuerPrivKey: `
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIEABir6WMfkbG2ZyKKDCij1PlSBldaaJqPQ/9ioWvCM5oAoGCCqGSM49
@@ -185,12 +186,12 @@ mpvOMOT3falDgXh0iOgdIA==
 		expectedCommonName: "testsigner1.content-signature.mozilla.org",
 	},
 	{cfg: signer.Configuration{
-		Type:                Type,
-		ID:                  "testsigner1",
-		SubdomainOverride:   "anothersigner1",
-		Mode:                P256ECDSA,
-		X5U:                 "file:///tmp/autograph_unit_tests/chains/dedup-path-anothersigner1",
-		ChainUploadLocation: "file:///tmp/autograph_unit_tests/chains/dedup-path-anothersigner1",
+		Type:              Type,
+		ID:                "testsigner1",
+		SubdomainOverride: "anothersigner1",
+		Mode:              P256ECDSA,
+		X5U:               "file:///tmp/autograph_unit_tests/chains/dedup-path-anothersigner1",
+		ChainLocation:     "/tmp/autograph_unit_tests/chains/dedup-path-anothersigner1",
 		IssuerPrivKey: `
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIEABir6WMfkbG2ZyKKDCij1PlSBldaaJqPQ/9ioWvCM5oAoGCCqGSM49