Merge pull request #116 from smallstep/tlsrenewer-race

maraino · web-flow · commit e900eb95dbd8 · 2022-11-02T12:44:56.000-07:00
Fix race conditions on tlsutil
diff --git a/kms/kms_test.go b/kms/kms_test.go
@@ -40,7 +40,6 @@ func TestNew(t *testing.T) {
 		{"uri", false, args{ctx, apiv1.Options{URI: "softkms:foo=bar"}}, &softkms.SoftKMS{}, false},
 		{"awskms", false, args{ctx, apiv1.Options{Type: "awskms"}}, &awskms.KMS{}, false},
 		{"cloudkms", true, args{ctx, apiv1.Options{Type: "cloudkms"}}, &cloudkms.CloudKMS{}, failCloudKMS},
-		{"fail not enabled", false, args{ctx, apiv1.Options{Type: "pkcs11"}}, nil, true}, // not enabled
 		{"fail validation", false, args{ctx, apiv1.Options{Type: "foobar"}}, nil, true},
 	}
 	for _, tt := range tests {
diff --git a/tlsutil/renewer.go b/tlsutil/renewer.go
@@ -116,6 +116,8 @@ func (r *Renewer) RunContext(ctx context.Context) {
 
 // Stop prevents the renew timer from firing.
 func (r *Renewer) Stop() bool {
+	r.Lock()
+	defer r.Unlock()
 	if r.timer != nil {
 		return r.timer.Stop()
 	}
diff --git a/tlsutil/renewer_test.go b/tlsutil/renewer_test.go
@@ -25,6 +25,7 @@ import (
 var (
 	issuerCert *x509.Certificate
 	issuerKey  crypto.Signer
+	leafCsr    *x509.CertificateRequest
 	leafCert   *x509.Certificate
 	leafKey    crypto.Signer
 	tlsCert    *tls.Certificate
@@ -60,7 +61,7 @@ func TestMain(m *testing.M) {
 	if err != nil {
 		panic(err)
 	}
-	leafCsr, err := x509util.CreateCertificateRequest("Leaf", []string{"127.0.0.1", "localhost"}, leafKey)
+	leafCsr, err = x509util.CreateCertificateRequest("Leaf", []string{"127.0.0.1", "localhost"}, leafKey)
 	if err != nil {
 		panic(err)
 	}
@@ -97,18 +98,23 @@ func TestMain(m *testing.M) {
 }
 
 func testRenewFunc() (*tls.Certificate, *tls.Config, error) {
-	var err error
-	leafCert.NotBefore = time.Now()
-	leafCert.NotAfter = leafCert.NotBefore.Add(time.Hour)
-	leafCert.SerialNumber = leafCert.SerialNumber.Add(leafCert.SerialNumber, big.NewInt(1))
-	leafCert, err = x509util.CreateCertificate(leafCert, issuerCert, leafKey.Public(), issuerKey)
+	cert, err := x509util.NewCertificate(leafCsr,
+		x509util.WithTemplate(x509util.DefaultLeafTemplate, x509util.CreateTemplateData("Leaf", []string{"127.0.0.1", "localhost"})))
+	if err != nil {
+		return nil, nil, err
+	}
+	template := cert.GetCertificate()
+	template.NotBefore = time.Now()
+	template.NotAfter = template.NotBefore.Add(time.Hour)
+	template.SerialNumber = big.NewInt(1)
+	leaf, err := x509util.CreateCertificate(template, issuerCert, leafKey.Public(), issuerKey)
 	if err != nil {
 		return nil, nil, err
 	}
 	return &tls.Certificate{
 		Certificate: [][]byte{leafCert.Raw},
 		PrivateKey:  leafKey,
-		Leaf:        leafCert,
+		Leaf:        leaf,
 	}, tlsConfig, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,6 @@ func TestNew(t *testing.T) {`
`40`	`40`	`{"uri", false, args{ctx, apiv1.Options{URI: "softkms:foo=bar"}}, &softkms.SoftKMS{}, false},`
`41`	`41`	`{"awskms", false, args{ctx, apiv1.Options{Type: "awskms"}}, &awskms.KMS{}, false},`
`42`	`42`	`{"cloudkms", true, args{ctx, apiv1.Options{Type: "cloudkms"}}, &cloudkms.CloudKMS{}, failCloudKMS},`
`43`		`- {"fail not enabled", false, args{ctx, apiv1.Options{Type: "pkcs11"}}, nil, true}, // not enabled`
`44`	`43`	`{"fail validation", false, args{ctx, apiv1.Options{Type: "foobar"}}, nil, true},`
`45`	`44`	`}`
`46`	`45`	`for _, tt := range tests {`
Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,8 @@ func (r *Renewer) RunContext(ctx context.Context) {`
`116`	`116`
`117`	`117`	`// Stop prevents the renew timer from firing.`
`118`	`118`	`func (r *Renewer) Stop() bool {`
	`119`	`+ r.Lock()`
	`120`	`+ defer r.Unlock()`
`119`	`121`	`if r.timer != nil {`
`120`	`122`	`return r.timer.Stop()`
`121`	`123`	`}`