workerauth: satisfy NodeIdLoader interface (#4870)

* workerauth: satisfy NodeIdLoader interface

go.mod

@@ -95,7 +95,7 @@ require (
 	github.com/hashicorp/go-kms-wrapping/extras/kms/v2 v2.0.0-20231219183231-6bac757bb482
 	github.com/hashicorp/go-rate v0.0.0-20231204194614-cc8d401f70ab
 	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/nodeenrollment v0.2.10
+	github.com/hashicorp/nodeenrollment v0.2.12
 	github.com/jackc/pgx/v5 v5.5.5
 	github.com/jimlambrt/gldap v0.1.10
 	github.com/kelseyhightower/envconfig v1.4.0

go.sum

@@ -270,8 +270,8 @@ github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31
 github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/hashicorp/mql v0.1.3 h1:SZdOsocDPovwp3Q5AzoH6s000BD5zcr+hV8xAobOvuo=
 github.com/hashicorp/mql v0.1.3/go.mod h1:CrbXH2f2ndS1X35x0E8aHdNYc3POYrEWpx/1Q+pq+iw=
-github.com/hashicorp/nodeenrollment v0.2.10 h1:KDp5z3wJ3cRmfnNdMmiDrEqN1V4FTtFaeM4AFg8FYfo=
-github.com/hashicorp/nodeenrollment v0.2.10/go.mod h1:3TcYV0L7N4EmeGHIQWr/JFAAsV+yHJaX9IQjeff/w5Q=
+github.com/hashicorp/nodeenrollment v0.2.12 h1:x5kaSvsXHZ2Y8j9CsRURh4V2/GZtdOFLu/HPeV4zGz8=
+github.com/hashicorp/nodeenrollment v0.2.12/go.mod h1:3TcYV0L7N4EmeGHIQWr/JFAAsV+yHJaX9IQjeff/w5Q=
 github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
 github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
 github.com/hashicorp/vault/sdk v0.11.0 h1:KP/tBUywaVcvOebAfMPNCCiXKeCNEbm3JauYmrZd7RI=

internal/db/sqltest/Makefile

@@ -37,7 +37,7 @@ TESTS ?= tests/setup/*.sql \
 		 tests/purge/*.sql \
 		 tests/pagination/*.sql \
 		 tests/policy/*.sql \
-		 tests/worker/*.sql
+		 tests/server/*.sql
 
 POSTGRES_DOCKER_IMAGE_BASE ?= postgres
 

internal/db/sqltest/tests/server/server_worker_worker_auth.sql

@@ -0,0 +1,80 @@
+-- Copyright (c) HashiCorp, Inc.
+-- SPDX-License-Identifier: BUSL-1.1
+
+begin;
+select plan(15);
+select wtt_load('widgets', 'iam', 'kms');
+
+insert into server_worker
+(public_id, scope_id, type)
+values
+    ('w_1234567891', 'global', 'pki');
+
+insert into server_worker
+(public_id, scope_id, type)
+values
+    ('w_9876543210', 'global', 'pki');
+
+select is(count(*), 1::bigint) from server_worker where public_id = 'w_1234567891';
+select is(count(*), 1::bigint) from server_worker where public_id = 'w_9876543210';
+
+-- Insert worker auth records, expect them to be current
+insert into worker_auth_authorized
+(worker_key_identifier, worker_id, worker_signing_pub_key, worker_encryption_pub_key, controller_encryption_priv_key, key_id)
+values
+    ('key_id_w11', 'w_1234567891', 'signing_pub_key_w11', 'encryption_pub_key_w11', 'controller_encryption_priv_key_w11', 'kdkv___widget');
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w11' and state='current';
+
+insert into worker_auth_authorized
+(worker_key_identifier, worker_id, worker_signing_pub_key, worker_encryption_pub_key, controller_encryption_priv_key, key_id)
+values
+    ('key_id_w21', 'w_9876543210', 'signing_pub_key_w21', 'encryption_pub_key_w21', 'controller_encryption_priv_key_w21', 'kdkv___widget');
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w21' and state='current';
+
+-- Test rotation logic. Insert another worker auth record, expect it to be current.
+-- The previous record should be marked as previous
+insert into worker_auth_authorized
+(worker_key_identifier, worker_id, worker_signing_pub_key, worker_encryption_pub_key, controller_encryption_priv_key, key_id)
+values
+    ('key_id_w12', 'w_1234567891', 'signing_pub_key_w12', 'encryption_pub_key_w12', 'controller_encryption_priv_key_w12', 'kdkv___widget');
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w11' and state='previous';
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w12' and state='current';
+
+insert into worker_auth_authorized
+(worker_key_identifier, worker_id, worker_signing_pub_key, worker_encryption_pub_key, controller_encryption_priv_key, key_id)
+values
+    ('key_id_w22', 'w_9876543210', 'signing_pub_key_w22', 'encryption_pub_key_w22', 'controller_encryption_priv_key_w22', 'kdkv___widget');
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w21' and state='previous';
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w22' and state='current';
+
+-- Perform an update, attempting to set key_id_w11's state to current. This should fail
+select throws_ok($$ update worker_auth_authorized
+        set state = 'current'
+        where worker_key_identifier = 'key_id_w11'$$);
+
+-- Perform an update, attempting to set key_id_w12's state to previous. This should fail
+select throws_ok($$ update worker_auth_authorized
+        set state = 'previous'
+        where worker_key_identifier = 'key_id_w12'$$);
+
+-- Delete key_id_2 and attempt to set key_id_1 to current. This should succeed
+delete from worker_auth_authorized
+where worker_key_identifier = 'key_id_w12';
+update worker_auth_authorized
+set state = 'current'
+where worker_key_identifier = 'key_id_w11';
+
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w11' and state='current';
+select is(count(*), 0::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w12';
+
+-- The other worker auth records are unaffected
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w21' and state='previous';
+select is(count(*), 1::bigint) from worker_auth_authorized where worker_key_identifier = 'key_id_w22' and state='current';
+
+-- Attempt to set a bogus state. This should fail
+select throws_ok($$ update worker_auth_authorized
+        set state = 'Alaska'
+        where worker_key_identifier = 'key_id_w11'$$);
+
+select * from finish();
+rollback;

internal/server/query.go

@@ -29,9 +29,44 @@ const (
 
 	getWorkerAuthsByWorkerKeyIdQuery = `
 		with key_id_to_worker_id as (
-		 select worker_id from worker_auth_authorized where worker_key_identifier = @worker_key_identifier
+		    select worker_id 
+     		  from worker_auth_authorized 
+			 where worker_key_identifier = @worker_key_identifier
 		)
-		select * from worker_auth_authorized where worker_id in (select * from key_id_to_worker_id)
+		select * 
+		  from worker_auth_authorized 
+		 where worker_id in (select * 
+ 						       from key_id_to_worker_id)
+	`
+
+	getWorkerAuthStateByKeyIdQuery = `
+		select state 
+		  from worker_auth_authorized 
+		 where worker_key_identifier = @worker_key_identifier
+	`
+
+	deleteWorkerAuthByKeyId = `
+		with key_id_to_worker_id as (
+			select worker_id 
+			from worker_auth_authorized 
+			where worker_key_identifier = @worker_key_identifier
+		)
+		delete 
+			 from worker_auth_authorized 
+			where state = 'current' and worker_id in (select * 
+												        from key_id_to_worker_id)
+	`
+
+	updateWorkerAuthStateByKeyId = `
+		update worker_auth_authorized 
+		set state = 'current' 
+		where worker_key_identifier = @worker_key_identifier
+	`
+
+	getWorkerAuthsByWorkerIdQuery = `
+		select * 
+		  from worker_auth_authorized 
+		where worker_id = @worker_id
 	`
 
 	authorizedWorkerQuery = `