another round...

Signed-off-by: Marcos Yacob <[email protected]>

pkg/server/ca/manager/manager.go

@@ -234,6 +234,7 @@ func (m *Manager) PrepareX509CA(ctx context.Context) (err error) {
 		slot = m.nextX509CA
 	}
 
+	fmt.Println("Prepare X509 CA")
 	log := m.c.Log.WithField(telemetry.Slot, slot.id)
 	log.Debug("Preparing X509 CA")
 
@@ -252,6 +253,7 @@ func (m *Manager) PrepareX509CA(ctx context.Context) (err error) {
 		fmt.Println("Upstream Sign X509 CA")
 		x509CA, err = m.upstreamSignX509CA(ctx, signer)
 		if err != nil {
+			fmt.Printf("Unable to sign X509 CA: %v\n", err)
 			return err
 		}
 	} else {
@@ -261,6 +263,7 @@ func (m *Manager) PrepareX509CA(ctx context.Context) (err error) {
 			return err
 		}
 	}
+	fmt.Println("SIGNED!!!!!!!!!!!!!!!!!!!")
 
 	slot.issuedAt = now
 	slot.x509CA = x509CA
@@ -272,10 +275,12 @@ func (m *Manager) PrepareX509CA(ctx context.Context) (err error) {
 	slot.publicKey = slot.x509CA.Certificate.PublicKey
 	slot.notAfter = slot.x509CA.Certificate.NotAfter
 
+	fmt.Println("BEFORE APPEND")
 	if err := m.journal.AppendX509CA(ctx, slot.id, slot.issuedAt, slot.x509CA); err != nil {
 		fmt.Printf("Unable to append X509 CA to journal: %v\n", err)
 		log.WithError(err).Error("Unable to append X509 CA to journal")
 	}
+	fmt.Println("AFTER APPEND")
 
 	m.c.Log.WithFields(logrus.Fields{
 		telemetry.Slot:                slot.id,
@@ -780,13 +785,15 @@ func (m *Manager) fetchOptionalBundle(ctx context.Context) (*common.Bundle, erro
 }
 
 func (m *Manager) upstreamSignX509CA(ctx context.Context, signer crypto.Signer) (*ca.X509CA, error) {
+	fmt.Println("------Upstream Sign X509 CA")
 	template, err := m.c.CredBuilder.BuildUpstreamSignedX509CACSR(ctx, credtemplate.UpstreamSignedX509CAParams{
 		PublicKey: signer.Public(),
 	})
 	if err != nil {
 		return nil, err
 	}
 
+	fmt.Println("------Create CSR")
 	csr, err := x509.CreateCertificateRequest(rand.Reader, template, signer)
 	if err != nil {
 		return nil, err
@@ -799,11 +806,14 @@ func (m *Manager) upstreamSignX509CA(ctx context.Context, signer crypto.Signer)
 		Clock:         m.c.Clock,
 	}
 
+	fmt.Println("------MInting X509 CA")
 	caChain, err := m.upstreamClient.MintX509CA(ctx, csr, m.caTTL, validator.ValidateUpstreamX509CA)
 	if err != nil {
 		return nil, err
 	}
 
+	fmt.Println("------BEfore return")
+
 	return &ca.X509CA{
 		Signer:        signer,
 		Certificate:   caChain[0],
@@ -915,12 +925,14 @@ func (u *bundleUpdater) SyncX509Roots(ctx context.Context, roots []*x509certific
 		TrustDomainId: u.trustDomainID,
 		RootCas:       make([]*common.Certificate, 0, len(roots)),
 	}
+	fmt.Println("??????????????? sync roots")
 
 	x509Authorities, err := u.fetchX509Authorities(ctx)
 	if err != nil {
 		return err
 	}
 
+	fmt.Println("??????????????? after fetch")
 	newAuthorities := make(map[string]struct{}, len(roots))
 	var taintedAuthorities []*x509.Certificate
 	for _, root := range roots {

pkg/server/ca/manager/manager_test.go

@@ -393,12 +393,13 @@ func TestUpstreamProcessTaintedAuthority(t *testing.T) {
 	test.initAndActivateUpstreamSignedManager(ctx, upstreamAuthority)
 	require.True(t, test.m.IsUpstreamAuthority())
 
+	test.m.dropBundleUpdated()
+	go test.m.ProcessBundleUpdates(ctx)
+
 	// Prepared must be tainted too
 	err := test.m.PrepareX509CA(ctx)
 	require.NoError(t, err)
-
-	test.m.dropBundleUpdated()
-	go test.m.ProcessBundleUpdates(ctx)
+	fmt.Println("AGTER PREPARE")
 
 	// Taint first root
 	fmt.Println("Tainting authority")

pkg/server/ca/upstream_client.go

@@ -91,8 +91,10 @@ func (u *UpstreamClient) MintX509CA(ctx context.Context, csr []byte, ttl time.Du
 
 	select {
 	case result := <-firstResultCh:
+		fmt.Println("++++++++++++++++first result channel")
 		return result.x509CA, result.err
 	case <-ctx.Done():
+		fmt.Println("++++++++++++++++context done")
 		return nil, ctx.Err()
 	}
 }
@@ -134,8 +136,10 @@ func (u *UpstreamClient) WaitUntilPublishJWTKeyStreamDone(ctx context.Context) e
 }
 
 func (u *UpstreamClient) runMintX509CAStream(ctx context.Context, csr []byte, ttl time.Duration, validateX509CA ValidateX509CAFunc, firstResultCh chan<- mintX509CAResult) {
+	fmt.Println("++++++++++++++++Minting X.509 CA")
 	x509CA, x509Roots, x509RootsStream, err := u.c.UpstreamAuthority.MintX509CA(ctx, csr, ttl)
 	if err != nil {
+		fmt.Printf("++++++++++++++++Error minting X.509 CA: %v\n", err)
 		firstResultCh <- mintX509CAResult{err: err}
 		return
 	}
@@ -147,25 +151,29 @@ func (u *UpstreamClient) runMintX509CAStream(ctx context.Context, csr []byte, tt
 		x509RootCerts = append(x509RootCerts, eachRoot.Certificate)
 	}
 
+	fmt.Println("++++++++++++++++Validating X.509 CA")
 	// Before we append the roots and return the response, we must first
 	// validate that the minted intermediate can sign a valid, conformant
 	// X509-SVID chain of trust using the provided callback.
 	if err := validateX509CA(x509CA, x509RootCerts); err != nil {
 		err = status.Errorf(codes.InvalidArgument, "X509 CA minted by upstream authority is invalid: %v", err)
+		fmt.Printf("++++++++++++++++Error validating X.509 CA: %v\n", err)
 		firstResultCh <- mintX509CAResult{err: err}
+		fmt.Printf("++++++++++++++++AFter return")
 		return
 	}
 
-	fmt.Println("Syncing X.509 roots")
+	fmt.Println("++++++++++++++++syncking roots")
 	if err := u.c.BundleUpdater.SyncX509Roots(ctx, x509Roots); err != nil {
+		fmt.Printf("++++++++++++++++Error syncing X.509 roots: %v\n", err)
 		firstResultCh <- mintX509CAResult{err: err}
 		return
 	}
 
 	firstResultCh <- mintX509CAResult{x509CA: x509CA}
 
 	for {
-		fmt.Println("Waiting for x509RootsStream.RecvUpstreamX509Authorities")
+		fmt.Println("++++++++++++++++Waiting for x509RootsStream.RecvUpstreamX509Authorities")
 		x509Roots, err := x509RootsStream.RecvUpstreamX509Authorities()
 		if err != nil {
 			switch {
@@ -182,6 +190,7 @@ func (u *UpstreamClient) runMintX509CAStream(ctx context.Context, csr []byte, tt
 		}
 
 		if err := u.c.BundleUpdater.SyncX509Roots(ctx, x509Roots); err != nil {
+			fmt.Printf("++++++++++++++++Error syncing X.509 roots: %v\n", err)
 			u.c.BundleUpdater.LogError(err, "Failed to store X.509 roots received by the upstream authority plugin.")
 			continue
 		}