Merge branch 'main' into doc-localauthority-upstreamauthority-commands

cmd/spire-server/cli/cli.go

@@ -3,8 +3,6 @@ package cli
 import (
  "context"
  stdlog "log"
- "os"
- "strings"
 
  "github.com/mitchellh/cli"
  "github.com/spiffe/spire/cmd/spire-server/cli/agent"
@@ -21,7 +19,6 @@ import (
  "github.com/spiffe/spire/cmd/spire-server/cli/upstreamauthority"
  "github.com/spiffe/spire/cmd/spire-server/cli/validate"
  "github.com/spiffe/spire/cmd/spire-server/cli/x509"
- "github.com/spiffe/spire/pkg/common/fflag"
  "github.com/spiffe/spire/pkg/common/log"
  "github.com/spiffe/spire/pkg/common/version"
 )
@@ -130,75 +127,47 @@ func (cc *CLI) Run(ctx context.Context, args []string) int {
  "validate": func() (cli.Command, error) {
  return validate.NewValidateCommand(), nil
  },
- }
-
- // TODO: Remove this when the forced_rotation feature flag is no longer
- // needed. Refer to https:/spiffe/spire/issues/5398.
- addCommandsEnabledByFFlags(c.Commands)
-
- exitStatus, err := c.Run()
- if err != nil {
- stdlog.Println(err)
- }
- return exitStatus
-}
-
-// addCommandsEnabledByFFlags adds commands that are currently available only
-// through a feature flag.
-// Feature flags support through the fflag package in SPIRE Server is
-// designed to work only with the run command and the config file.
-// Since feature flags are intended to be used by developers of a specific
-// feature only, exposing them through command line arguments is not
-// convenient. Instead, we use the SPIRE_SERVER_FFLAGS environment variable
-// to read the configured SPIRE Server feature flags from the environment
-// when other commands may be enabled through feature flags.
-func addCommandsEnabledByFFlags(commands map[string]cli.CommandFactory) {
- fflagsEnv := os.Getenv("SPIRE_SERVER_FFLAGS")
- fflags := strings.Split(fflagsEnv, " ")
- flagForcedRotationFound := false
- for _, ff := range fflags {
- if ff == string(fflag.FlagForcedRotation) {
- flagForcedRotationFound = true
- break
- }
- }
-
- if flagForcedRotationFound {
- commands["localauthority x509 show"] = func() (cli.Command, error) {
+ "localauthority x509 show": func() (cli.Command, error) {
  return localauthority_x509.NewX509ShowCommand(), nil
- }
- commands["localauthority x509 prepare"] = func() (cli.Command, error) {
+ },
+ "localauthority x509 prepare": func() (cli.Command, error) {
  return localauthority_x509.NewX509PrepareCommand(), nil
- }
- commands["localauthority x509 activate"] = func() (cli.Command, error) {
+ },
+ "localauthority x509 activate": func() (cli.Command, error) {
  return localauthority_x509.NewX509ActivateCommand(), nil
- }
- commands["localauthority x509 taint"] = func() (cli.Command, error) {
+ },
+ "localauthority x509 taint": func() (cli.Command, error) {
  return localauthority_x509.NewX509TaintCommand(), nil
- }
- commands["localauthority x509 revoke"] = func() (cli.Command, error) {
+ },
+ "localauthority x509 revoke": func() (cli.Command, error) {
  return localauthority_x509.NewX509RevokeCommand(), nil
- }
- commands["localauthority jwt show"] = func() (cli.Command, error) {
+ },
+ "localauthority jwt show": func() (cli.Command, error) {
  return localauthority_jwt.NewJWTShowCommand(), nil
- }
- commands["localauthority jwt prepare"] = func() (cli.Command, error) {
+ },
+ "localauthority jwt prepare": func() (cli.Command, error) {
  return localauthority_jwt.NewJWTPrepareCommand(), nil
- }
- commands["localauthority jwt activate"] = func() (cli.Command, error) {
+ },
+ "localauthority jwt activate": func() (cli.Command, error) {
  return localauthority_jwt.NewJWTActivateCommand(), nil
- }
- commands["localauthority jwt taint"] = func() (cli.Command, error) {
+ },
+ "localauthority jwt taint": func() (cli.Command, error) {
  return localauthority_jwt.NewJWTTaintCommand(), nil
- }
- commands["localauthority jwt revoke"] = func() (cli.Command, error) {
+ },
+ "localauthority jwt revoke": func() (cli.Command, error) {
  return localauthority_jwt.NewJWTRevokeCommand(), nil
- }
- commands["upstreamauthority taint"] = func() (cli.Command, error) {
+ },
+ "upstreamauthority taint": func() (cli.Command, error) {
  return upstreamauthority.NewTaintCommand(), nil
- }
- commands["upstreamauthority revoke"] = func() (cli.Command, error) {
+ },
+ "upstreamauthority revoke": func() (cli.Command, error) {
  return upstreamauthority.NewRevokeCommand(), nil
- }
+ },
  }
+
+ exitStatus, err := c.Run()
+ if err != nil {
+ stdlog.Println(err)
+ }
+ return exitStatus
 }

pkg/common/fflag/fflag.go

@@ -24,11 +24,6 @@ type RawConfig []string
 // false, with the only exception being flags that are in the process of being
 // deprecated.
 const (
- // FlagForcedRotation controls whether or not the new APIs and
- // extensions related to forced rotation and revocation are
- // enabled or not. See #1934 for more information.
- FlagForcedRotation Flag = "forced_rotation"
-
  // FlagTestFlag is defined purely for testing purposes.
  FlagTestFlag Flag = "i_am_a_test_flag"
 )
@@ -40,8 +35,7 @@ var (
  mtx *sync.RWMutex
  }{
  flags: map[Flag]bool{
- FlagForcedRotation: false,
- FlagTestFlag: false,
+ FlagTestFlag: false,
  },
  loaded: false,
  mtx: new(sync.RWMutex),

pkg/common/telemetry/server/datastore/event.go

@@ -4,15 +4,15 @@ import (
  "github.com/spiffe/spire/pkg/common/telemetry"
 )
 
-// StartListRegistrationEntriesEventsCall return metric
+// StartListRegistrationEntryEventsCall return metric
 // for server's datastore, on listing registration entry events.
-func StartListRegistrationEntriesEventsCall(m telemetry.Metrics) *telemetry.CallCounter {
+func StartListRegistrationEntryEventsCall(m telemetry.Metrics) *telemetry.CallCounter {
  return telemetry.StartCall(m, telemetry.Datastore, telemetry.RegistrationEntryEvent, telemetry.List)
 }
 
-// StartPruneRegistrationEntriesEventsCall return metric
+// StartPruneRegistrationEntryEventsCall return metric
 // for server's datastore, on pruning registration entry events.
-func StartPruneRegistrationEntriesEventsCall(m telemetry.Metrics) *telemetry.CallCounter {
+func StartPruneRegistrationEntryEventsCall(m telemetry.Metrics) *telemetry.CallCounter {
  return telemetry.StartCall(m, telemetry.Datastore, telemetry.RegistrationEntryEvent, telemetry.Prune)
 }
 
@@ -34,15 +34,15 @@ func StartFetchRegistrationEntryEventCall(m telemetry.Metrics) *telemetry.CallCo
  return telemetry.StartCall(m, telemetry.Datastore, telemetry.RegistrationEntryEvent, telemetry.Fetch)
 }
 
-// StartListAttestedNodesEventsCall return metric
+// StartListAttestedNodeEventsCall return metric
 // for server's datastore, on listing attested node events.
-func StartListAttestedNodesEventsCall(m telemetry.Metrics) *telemetry.CallCounter {
+func StartListAttestedNodeEventsCall(m telemetry.Metrics) *telemetry.CallCounter {
  return telemetry.StartCall(m, telemetry.Datastore, telemetry.NodeEvent, telemetry.List)
 }
 
-// StartPruneAttestedNodesEventsCall return metric
+// StartPruneAttestedNodeEventsCall return metric
 // for server's datastore, on pruning attested node events.
-func StartPruneAttestedNodesEventsCall(m telemetry.Metrics) *telemetry.CallCounter {
+func StartPruneAttestedNodeEventsCall(m telemetry.Metrics) *telemetry.CallCounter {
  return telemetry.StartCall(m, telemetry.Datastore, telemetry.NodeEvent, telemetry.Prune)
 }
 

pkg/common/telemetry/server/datastore/wrapper.go

@@ -179,10 +179,10 @@ func (w metricsWrapper) ListAttestedNodes(ctx context.Context, req *datastore.Li
  return w.ds.ListAttestedNodes(ctx, req)
 }
 
-func (w metricsWrapper) ListAttestedNodesEvents(ctx context.Context, req *datastore.ListAttestedNodesEventsRequest) (_ *datastore.ListAttestedNodesEventsResponse, err error) {
- callCounter := StartListAttestedNodesEventsCall(w.m)
+func (w metricsWrapper) ListAttestedNodeEvents(ctx context.Context, req *datastore.ListAttestedNodeEventsRequest) (_ *datastore.ListAttestedNodeEventsResponse, err error) {
+ callCounter := StartListAttestedNodeEventsCall(w.m)
  defer callCounter.Done(&err)
- return w.ds.ListAttestedNodesEvents(ctx, req)
+ return w.ds.ListAttestedNodeEvents(ctx, req)
 }
 
 func (w metricsWrapper) ListBundles(ctx context.Context, req *datastore.ListBundlesRequest) (_ *datastore.ListBundlesResponse, err error) {
@@ -203,10 +203,10 @@ func (w metricsWrapper) ListRegistrationEntries(ctx context.Context, req *datast
  return w.ds.ListRegistrationEntries(ctx, req)
 }
 
-func (w metricsWrapper) ListRegistrationEntriesEvents(ctx context.Context, req *datastore.ListRegistrationEntriesEventsRequest) (_ *datastore.ListRegistrationEntriesEventsResponse, err error) {
- callCounter := StartListRegistrationEntriesEventsCall(w.m)
+func (w metricsWrapper) ListRegistrationEntryEvents(ctx context.Context, req *datastore.ListRegistrationEntryEventsRequest) (_ *datastore.ListRegistrationEntryEventsResponse, err error) {
+ callCounter := StartListRegistrationEntryEventsCall(w.m)
  defer callCounter.Done(&err)
- return w.ds.ListRegistrationEntriesEvents(ctx, req)
+ return w.ds.ListRegistrationEntryEvents(ctx, req)
 }
 
 func (w metricsWrapper) CountAttestedNodes(ctx context.Context, req *datastore.CountAttestedNodesRequest) (_ int32, err error) {
@@ -227,10 +227,10 @@ func (w metricsWrapper) CountRegistrationEntries(ctx context.Context, req *datas
  return w.ds.CountRegistrationEntries(ctx, req)
 }
 
-func (w metricsWrapper) PruneAttestedNodesEvents(ctx context.Context, olderThan time.Duration) (err error) {
- callCounter := StartPruneAttestedNodesEventsCall(w.m)
+func (w metricsWrapper) PruneAttestedNodeEvents(ctx context.Context, olderThan time.Duration) (err error) {
+ callCounter := StartPruneAttestedNodeEventsCall(w.m)
  defer callCounter.Done(&err)
- return w.ds.PruneAttestedNodesEvents(ctx, olderThan)
+ return w.ds.PruneAttestedNodeEvents(ctx, olderThan)
 }
 
 func (w metricsWrapper) PruneBundle(ctx context.Context, trustDomainID string, expiresBefore time.Time) (_ bool, err error) {
@@ -251,10 +251,10 @@ func (w metricsWrapper) PruneRegistrationEntries(ctx context.Context, expiresBef
  return w.ds.PruneRegistrationEntries(ctx, expiresBefore)
 }
 
-func (w metricsWrapper) PruneRegistrationEntriesEvents(ctx context.Context, olderThan time.Duration) (err error) {
- callCounter := StartPruneRegistrationEntriesEventsCall(w.m)
+func (w metricsWrapper) PruneRegistrationEntryEvents(ctx context.Context, olderThan time.Duration) (err error) {
+ callCounter := StartPruneRegistrationEntryEventsCall(w.m)
  defer callCounter.Done(&err)
- return w.ds.PruneRegistrationEntriesEvents(ctx, olderThan)
+ return w.ds.PruneRegistrationEntryEvents(ctx, olderThan)
 }
 
 func (w metricsWrapper) SetBundle(ctx context.Context, bundle *common.Bundle) (_ *common.Bundle, err error) {

pkg/common/telemetry/server/datastore/wrapper_test.go

@@ -151,7 +151,7 @@ func TestWithMetrics(t *testing.T) {
  },
  {
  key: "datastore.node_event.list",
- methodName: "ListAttestedNodesEvents",
+ methodName: "ListAttestedNodeEvents",
  },
  {
  key: "datastore.bundle.list",
@@ -167,15 +167,15 @@ func TestWithMetrics(t *testing.T) {
  },
  {
  key: "datastore.registration_entry_event.list",
- methodName: "ListRegistrationEntriesEvents",
+ methodName: "ListRegistrationEntryEvents",
  },
  {
  key: "datastore.federation_relationship.list",
  methodName: "ListFederationRelationships",
  },
  {
  key: "datastore.node_event.prune",
- methodName: "PruneAttestedNodesEvents",
+ methodName: "PruneAttestedNodeEvents",
  },
  {
  key: "datastore.bundle.prune",
@@ -191,7 +191,7 @@ func TestWithMetrics(t *testing.T) {
  },
  {
  key: "datastore.registration_entry_event.prune",
- methodName: "PruneRegistrationEntriesEvents",
+ methodName: "PruneRegistrationEntryEvents",
  },
  {
  key: "datastore.bundle.set",
@@ -445,8 +445,8 @@ func (ds *fakeDataStore) ListAttestedNodes(context.Context, *datastore.ListAttes
  return &datastore.ListAttestedNodesResponse{}, ds.err
 }
 
-func (ds *fakeDataStore) ListAttestedNodesEvents(context.Context, *datastore.ListAttestedNodesEventsRequest) (*datastore.ListAttestedNodesEventsResponse, error) {
- return &datastore.ListAttestedNodesEventsResponse{}, ds.err
+func (ds *fakeDataStore) ListAttestedNodeEvents(context.Context, *datastore.ListAttestedNodeEventsRequest) (*datastore.ListAttestedNodeEventsResponse, error) {
+ return &datastore.ListAttestedNodeEventsResponse{}, ds.err
 }
 
 func (ds *fakeDataStore) ListBundles(context.Context, *datastore.ListBundlesRequest) (*datastore.ListBundlesResponse, error) {
@@ -461,11 +461,11 @@ func (ds *fakeDataStore) ListRegistrationEntries(context.Context, *datastore.Lis
  return &datastore.ListRegistrationEntriesResponse{}, ds.err
 }
 
-func (ds *fakeDataStore) ListRegistrationEntriesEvents(context.Context, *datastore.ListRegistrationEntriesEventsRequest) (*datastore.ListRegistrationEntriesEventsResponse, error) {
- return &datastore.ListRegistrationEntriesEventsResponse{}, ds.err
+func (ds *fakeDataStore) ListRegistrationEntryEvents(context.Context, *datastore.ListRegistrationEntryEventsRequest) (*datastore.ListRegistrationEntryEventsResponse, error) {
+ return &datastore.ListRegistrationEntryEventsResponse{}, ds.err
 }
 
-func (ds *fakeDataStore) PruneAttestedNodesEvents(context.Context, time.Duration) error {
+func (ds *fakeDataStore) PruneAttestedNodeEvents(context.Context, time.Duration) error {
  return ds.err
 }
 
@@ -481,7 +481,7 @@ func (ds *fakeDataStore) PruneRegistrationEntries(context.Context, time.Time) er
  return ds.err
 }
 
-func (ds *fakeDataStore) PruneRegistrationEntriesEvents(context.Context, time.Duration) error {
+func (ds *fakeDataStore) PruneRegistrationEntryEvents(context.Context, time.Duration) error {
  return ds.err
 }
 

pkg/server/authorizedentries/cache.go

@@ -267,8 +267,8 @@ func (c *Cache) removeEntry(entryID string) {
  }
 }
 
-func (c *Cache) Stats() cacheStats {
- return cacheStats{
+func (c *Cache) Stats() CacheStats {
+ return CacheStats{
  AgentsByID: c.agentsByID.Len(),
  AgentsByExpiresAt: c.agentsByExpiresAt.Len(),
  AliasesByEntryID: c.aliasesByEntryID.Len(),
@@ -286,7 +286,7 @@ func isNodeAlias(e *types.Entry) bool {
  return e.ParentId.Path == idutil.ServerIDPath
 }
 
-type cacheStats struct {
+type CacheStats struct {
  AgentsByID int
  AgentsByExpiresAt int
  AliasesByEntryID int

pkg/server/authorizedentries/cache_test.go

@@ -186,27 +186,27 @@ func TestCacheInternalStats(t *testing.T) {
 
  cache := NewCache(clk)
  cache.UpdateEntry(entry1)
- require.Equal(t, cacheStats{
+ require.Equal(t, CacheStats{
  EntriesByEntryID: 1,
  EntriesByParentID: 1,
  }, cache.Stats())
 
  cache.UpdateEntry(entry2a)
- require.Equal(t, cacheStats{
+ require.Equal(t, CacheStats{
  EntriesByEntryID: 2,
  EntriesByParentID: 2,
  }, cache.Stats())
 
  cache.UpdateEntry(entry2b)
- require.Equal(t, cacheStats{
+ require.Equal(t, CacheStats{
  EntriesByEntryID: 1,
  EntriesByParentID: 1,
  AliasesByEntryID: 2, // one for each selector
  AliasesBySelector: 2, // one for each selector
  }, cache.Stats())
 
  cache.RemoveEntry(entry1.Id)
- require.Equal(t, cacheStats{
+ require.Equal(t, CacheStats{
  AliasesByEntryID: 2, // one for each selector
  AliasesBySelector: 2, // one for each selector
  }, cache.Stats())
@@ -222,25 +222,25 @@ func TestCacheInternalStats(t *testing.T) {
  t.Run("agents", func(t *testing.T) {
  cache := NewCache(clk)
  cache.UpdateAgent(agent1.String(), now.Add(time.Hour), []*types.Selector{sel1})
- require.Equal(t, cacheStats{
+ require.Equal(t, CacheStats{
  AgentsByID: 1,
  AgentsByExpiresAt: 1,
  }, cache.Stats())
 
  cache.UpdateAgent(agent2.String(), now.Add(time.Hour*2), []*types.Selector{sel2})
- require.Equal(t, cacheStats{
+ require.Equal(t, CacheStats{
  AgentsByID: 2,
  AgentsByExpiresAt: 2,
  }, cache.Stats())
 
  cache.UpdateAgent(agent2.String(), now.Add(time.Hour*3), []*types.Selector{sel2})
- require.Equal(t, cacheStats{
+ require.Equal(t, CacheStats{
  AgentsByID: 2,
  AgentsByExpiresAt: 2,
  }, cache.Stats())
 
  cache.RemoveAgent(agent1.String())
- require.Equal(t, cacheStats{
+ require.Equal(t, CacheStats{
  AgentsByID: 1,
  AgentsByExpiresAt: 1,
  }, cache.Stats())