Store migrated issuer, key in migration log (#15449)

If necessary, this will let us correlate migrated values afterwards. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · May 16, 2022 · dbbdb6f · dbbdb6f
1 parent b667aac
commit dbbdb6f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/builtin/logical/pki/storage_migrations.go b/builtin/logical/pki/storage_migrations.go
@@ -22,6 +22,8 @@ const (
 type legacyBundleMigrationLog struct {
 	Hash             string    `json:"hash" structs:"hash" mapstructure:"hash"`
 	Created          time.Time `json:"created" structs:"created" mapstructure:"created"`
+	CreatedIssuer    issuerID  `json:"issuer_id" structs:"issuer_id" mapstructure:"issuer_id"`
+	CreatedKey       keyID     `json:"key_id" structs:"key_id" mapstructure:"key_id"`
 	MigrationVersion int       `json:"migrationVersion" structs:"migrationVersion" mapstructure:"migrationVersion"`
 }
 
@@ -79,6 +81,8 @@ func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
 		return nil
 	}
 
+	var issuerIdentifier issuerID
+	var keyIdentifier keyID
 	b.Logger().Info("performing PKI migration to new keys/issuers layout")
 	if migrationInfo.legacyBundle != nil {
 		anIssuer, aKey, err := writeCaBundle(ctx, b, s, migrationInfo.legacyBundle, "current", "current")
@@ -87,6 +91,8 @@ func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
 		}
 		b.Logger().Debug("Migration generated the following ids and set them as defaults",
 			"issuer id", anIssuer.ID, "key id", aKey.ID)
+		issuerIdentifier = anIssuer.ID
+		keyIdentifier = aKey.ID
 	} else {
 		b.Logger().Debug("No legacy CA certs found, no migration required.")
 	}
@@ -100,6 +106,8 @@ func migrateStorage(ctx context.Context, b *backend, s logical.Storage) error {
 	err = setLegacyBundleMigrationLog(ctx, s, &legacyBundleMigrationLog{
 		Hash:             migrationInfo.legacyBundleHash,
 		Created:          time.Now(),
+		CreatedIssuer:    issuerIdentifier,
+		CreatedKey:       keyIdentifier,
 		MigrationVersion: latestMigrationVersion,
 	})
 	if err != nil {

diff --git a/builtin/logical/pki/storage_migrations_test.go b/builtin/logical/pki/storage_migrations_test.go
@@ -40,6 +40,8 @@ func Test_migrateStorageEmptyStorage(t *testing.T) {
 		"Hash value (%s) should not have been empty", logEntry.Hash)
 	require.True(t, startTime.Before(logEntry.Created),
 		"created log entry time (%v) was before our start time(%v)?", logEntry.Created, startTime)
+	require.Empty(t, logEntry.CreatedIssuer)
+	require.Empty(t, logEntry.CreatedKey)
 
 	require.False(t, b.useLegacyBundleCaStorage(), "post migration we are still told to use legacy storage")
 
@@ -91,6 +93,8 @@ func Test_migrateStorageSimpleBundle(t *testing.T) {
 		"Hash value (%s) should not have been empty", logEntry.Hash)
 	require.True(t, startTime.Before(logEntry.Created),
 		"created log entry time (%v) was before our start time(%v)?", logEntry.Created, startTime)
+	require.Equal(t, logEntry.CreatedIssuer, issuerIds[0])
+	require.Equal(t, logEntry.CreatedKey, keyIds[0])
 
 	issuerId := issuerIds[0]
 	keyId := keyIds[0]