Manual Backport of [Cloud][CC-6925] Updates to pushing server state into release/1.17.x (#19810)

* [Cloud][CC-6925] Updates to pushing server state (#19682)

* Upgrade hcp-sdk-go to latest version v0.73

Changes:
- go get github.com/hashicorp/hcp-sdk-go
- go mod tidy

* From upgrade: regenerate protobufs for upgrade from 1.30 to 1.31

Ran: `make proto`

Slack: https://hashicorp.slack.com/archives/C0253EQ5B40/p1701105418579429

* From upgrade: fix mock interface implementation

After upgrading, there is the following compile error:

cannot use &mockHCPCfg{} (value of type *mockHCPCfg) as "github.com/hashicorp/hcp-sdk-go/config".HCPConfig value in return statement: *mockHCPCfg does not implement "github.com/hashicorp/hcp-sdk-go/config".HCPConfig (missing method Logout)

Solution: update the mock to have the missing Logout method

* From upgrade: Lint: remove usage of deprecated req.ServerState.TLS

Due to upgrade, linting is erroring due to usage of a newly deprecated field

22:47:56 [consul]: make lint
--> Running golangci-lint (.)
agent/hcp/testing.go:157:24: SA1019: req.ServerState.TLS is deprecated: use server_tls.internal_rpc instead. (staticcheck)
                time.Until(time.Time(req.ServerState.TLS.CertExpiry)).Hours()/24,
                                     ^

* From upgrade: adjust oidc error message

From the upgrade, this test started failing:

=== FAIL: internal/go-sso/oidcauth TestOIDC_ClaimsFromAuthCode/failed_code_exchange (re-run 2) (0.01s)
    oidc_test.go:393: unexpected error: Provider login failed: Error exchanging oidc code: oauth2: "invalid_grant" "unexpected auth code"

Prior to the upgrade, the error returned was:
```
Provider login failed: Error exchanging oidc code: oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"unexpected auth code\"}\n
```

Now the error returned is as below and does not contain "cannot fetch token"
```
Provider login failed: Error exchanging oidc code: oauth2: "invalid_grant" "unexpected auth code"

```

* Update AgentPushServerState structs with new fields

HCP-side changes for the new fields are in:
https://github.com/hashicorp/cloud-global-network-manager-service/pull/1195/files

* Minor refactor for hcpServerStatus to abstract tlsInfo into struct

This will make it easier to set the same tls-info information to both
 - status.TLS (deprecated field)
 - status.ServerTLSMetadata (new field to use instead)

* Update hcpServerStatus to parse out information for new fields

Changes:
 - Improve error message and handling (encountered some issues and was confused)
 - Set new field TLSInfo.CertIssuer
 - Collect certificate authority metadata and set on TLSInfo.CertificateAuthorities
 - Set TLSInfo on both server.TLS and server.ServerTLSMetadata.InternalRPC

* Update serverStatusToHCP to convert new fields to GNM rpc

* Add changelog

* Feedback: connect.ParseCert, caCerts

* Feedback: refactor and unit test server status

* Feedback: test to use expected struct

* Feedback: certificate with intermediate

* Feedback: catch no leaf, remove expectedErr

* Feedback: update todos with jira ticket

* Feedback: mock tlsConfigurator

* make proto for additional file in 1.17 not in main

Author: lornasong

.changelog/19682.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+cloud: push additional server TLS metadata to HCP
+```

agent/consul/server.go

@@ -40,6 +40,7 @@ import (
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/acl/resolver"
 	"github.com/hashicorp/consul/agent/blockingquery"
+	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/consul/authmethod"
 	"github.com/hashicorp/consul/agent/consul/authmethod/ssoauth"
 	"github.com/hashicorp/consul/agent/consul/fsm"
@@ -2215,24 +2216,9 @@ func (s *Server) hcpServerStatus(deps Deps) hcp.StatusCallback {
 		status.RPCPort = s.config.RPCAddr.Port
 		status.Datacenter = s.config.Datacenter
 
-		tlsCert := s.tlsConfigurator.Cert()
-		if tlsCert != nil {
-			status.TLS.Enabled = true
-			leaf := tlsCert.Leaf
-			if leaf == nil {
-				// Parse the leaf cert
-				leaf, err = x509.ParseCertificate(tlsCert.Certificate[0])
-				if err != nil {
-					// Shouldn't be possible
-					return
-				}
-			}
-			status.TLS.CertName = leaf.Subject.CommonName
-			status.TLS.CertSerial = leaf.SerialNumber.String()
-			status.TLS.CertExpiry = leaf.NotAfter
-			status.TLS.VerifyIncoming = s.tlsConfigurator.VerifyIncomingRPC()
-			status.TLS.VerifyOutgoing = s.tlsConfigurator.Base().InternalRPC.VerifyOutgoing
-			status.TLS.VerifyServerHostname = s.tlsConfigurator.VerifyServerHostname()
+		err = addServerTLSInfo(&status, s.tlsConfigurator)
+		if err != nil {
+			return status, fmt.Errorf("error adding server tls info: %w", err)
 		}
 
 		status.Raft.IsLeader = s.raft.State() == raft.Leader
@@ -2321,6 +2307,83 @@ func convertConsulConfigToRateLimitHandlerConfig(limitsConfig RequestLimits, mul
 	return hc
 }
 
+// addServerTLSInfo adds the server's TLS information if available to the status
+func addServerTLSInfo(status *hcpclient.ServerStatus, tlsConfigurator tlsutil.ConfiguratorIface) error {
+	tlsCert := tlsConfigurator.Cert()
+	if tlsCert == nil {
+		return nil
+	}
+
+	leaf := tlsCert.Leaf
+	var err error
+	if leaf == nil {
+		// Parse the leaf cert
+		if len(tlsCert.Certificate) == 0 {
+			return fmt.Errorf("expected a leaf certificate but there was none")
+		}
+		leaf, err = x509.ParseCertificate(tlsCert.Certificate[0])
+		if err != nil {
+			// Shouldn't be possible
+			return fmt.Errorf("error parsing leaf cert: %w", err)
+		}
+	}
+
+	tlsInfo := hcpclient.ServerTLSInfo{
+		Enabled:              true,
+		CertIssuer:           leaf.Issuer.CommonName,
+		CertName:             leaf.Subject.CommonName,
+		CertSerial:           leaf.SerialNumber.String(),
+		CertExpiry:           leaf.NotAfter,
+		VerifyIncoming:       tlsConfigurator.VerifyIncomingRPC(),
+		VerifyOutgoing:       tlsConfigurator.Base().InternalRPC.VerifyOutgoing,
+		VerifyServerHostname: tlsConfigurator.VerifyServerHostname(),
+	}
+
+	// Collect metadata for all CA certs used for internal RPC
+	metadata := make([]hcpclient.CertificateMetadata, 0)
+	for _, pemStr := range tlsConfigurator.ManualCAPems() {
+		cert, err := connect.ParseCert(pemStr)
+		if err != nil {
+			return fmt.Errorf("error parsing manual ca pem: %w", err)
+		}
+
+		metadatum := hcpclient.CertificateMetadata{
+			CertExpiry: cert.NotAfter,
+			CertName:   cert.Subject.CommonName,
+			CertSerial: cert.SerialNumber.String(),
+		}
+		metadata = append(metadata, metadatum)
+	}
+	for ix, certBytes := range tlsCert.Certificate {
+		if ix == 0 {
+			// Skip the leaf cert at index 0. Only collect intermediates
+			continue
+		}
+
+		cert, err := x509.ParseCertificate(certBytes)
+		if err != nil {
+			return fmt.Errorf("error parsing tls cert index %d: %w", ix, err)
+		}
+
+		metadatum := hcpclient.CertificateMetadata{
+			CertExpiry: cert.NotAfter,
+			CertName:   cert.Subject.CommonName,
+			CertSerial: cert.SerialNumber.String(),
+		}
+		metadata = append(metadata, metadatum)
+	}
+	tlsInfo.CertificateAuthorities = metadata
+
+	status.ServerTLSMetadata.InternalRPC = tlsInfo
+
+	// TODO: remove status.TLS in preference for server.ServerTLSMetadata.InternalRPC
+	// when deprecation path is ready
+	// https://hashicorp.atlassian.net/browse/CC-7015
+	status.TLS = tlsInfo
+
+	return nil
+}
+
 // peersInfoContent is used to help operators understand what happened to the
 // peers.json file. This is written to a file called peers.info in the same
 // location.

agent/consul/server_test.go

@@ -5,6 +5,7 @@ package consul
 
 import (
 	"context"
+	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net"
@@ -2101,3 +2102,147 @@ func TestServer_hcpManager(t *testing.T) {
 	hcp1.AssertExpectations(t)
 
 }
+
+func TestServer_addServerTLSInfo(t *testing.T) {
+	testCases := map[string]struct {
+		errMsg            string
+		setupConfigurator func(*testing.T) tlsutil.ConfiguratorIface
+		checkStatus       func(*testing.T, hcpclient.ServerStatus)
+	}{
+		"Success": {
+			setupConfigurator: func(t *testing.T) tlsutil.ConfiguratorIface {
+				tlsConfig := tlsutil.Config{
+					InternalRPC: tlsutil.ProtocolConfig{
+						CAFile:               "../../test/ca/root.cer",
+						CertFile:             "../../test/key/ourdomain_with_intermediate.cer",
+						KeyFile:              "../../test/key/ourdomain.key",
+						VerifyIncoming:       true,
+						VerifyOutgoing:       true,
+						VerifyServerHostname: true,
+					},
+				}
+
+				tlsConfigurator, err := tlsutil.NewConfigurator(tlsConfig, hclog.NewNullLogger())
+				require.NoError(t, err)
+				return tlsConfigurator
+			},
+			checkStatus: func(t *testing.T, s hcpclient.ServerStatus) {
+				expected := hcpclient.ServerTLSInfo{
+					Enabled:              true,
+					CertIssuer:           "test.internal",
+					CertName:             "testco.internal",
+					CertSerial:           "40",
+					CertExpiry:           time.Date(2123, time.October, 9, 17, 20, 16, 0, time.UTC),
+					VerifyIncoming:       true,
+					VerifyOutgoing:       true,
+					VerifyServerHostname: true,
+					CertificateAuthorities: []hcpclient.CertificateMetadata{
+						{ // manual ca pem
+							CertExpiry: time.Date(2033, time.October, 30, 15, 50, 29, 0, time.UTC),
+							CertName:   "test.internal",
+							CertSerial: "191297809789001034260919865367524695178070761520",
+						},
+						{ // certificate intermediate
+							CertExpiry: time.Date(2033, time.October, 30, 15, 50, 29, 0, time.UTC),
+							CertName:   "test.internal",
+							CertSerial: "191297809789001034260919865367524695178070761520",
+						},
+					},
+				}
+
+				require.Equal(t, expected, s.ServerTLSMetadata.InternalRPC)
+
+				// TODO: remove check for status.TLS once deprecation is ready
+				// https://hashicorp.atlassian.net/browse/CC-7015
+				require.Equal(t, expected, s.TLS)
+			},
+		},
+		"Nil Cert": {
+			setupConfigurator: func(t *testing.T) tlsutil.ConfiguratorIface {
+				tlsConfigurator, err := tlsutil.NewConfigurator(tlsutil.Config{},
+					hclog.NewNullLogger())
+				require.NoError(t, err)
+				return tlsConfigurator
+			},
+			checkStatus: func(t *testing.T, s hcpclient.ServerStatus) {
+				require.Empty(t, s.TLS)
+				require.Empty(t, s.ServerTLSMetadata.InternalRPC)
+			},
+		},
+		"Fail: No leaf": {
+			errMsg: "expected a leaf certificate",
+			setupConfigurator: func(t *testing.T) tlsutil.ConfiguratorIface {
+				return tlsutil.MockConfigurator{
+					TlsCert: &tls.Certificate{},
+				}
+			},
+		},
+		"Fail: Parse leaf cert": {
+			errMsg: "error parsing leaf cert",
+			setupConfigurator: func(t *testing.T) tlsutil.ConfiguratorIface {
+				return tlsutil.MockConfigurator{
+					TlsCert: &tls.Certificate{
+						Certificate: [][]byte{{}},
+					},
+				}
+			},
+		},
+		"Fail: Parse manual ca pems": {
+			errMsg: "error parsing manual ca pem",
+			setupConfigurator: func(t *testing.T) tlsutil.ConfiguratorIface {
+				tlsConfig := tlsutil.Config{
+					InternalRPC: tlsutil.ProtocolConfig{
+						CertFile: "../../test/key/ourdomain.cer",
+						KeyFile:  "../../test/key/ourdomain.key",
+					},
+				}
+				tlsConfigurator, err := tlsutil.NewConfigurator(tlsConfig, hclog.NewNullLogger())
+				require.NoError(t, err)
+
+				return tlsutil.MockConfigurator{
+					TlsCert:         tlsConfigurator.Cert(),
+					ManualCAPemsArr: []string{"invalid-format"},
+				}
+			},
+		},
+		"Fail: Parse tls cert intermediate": {
+			errMsg: "error parsing tls cert",
+			setupConfigurator: func(t *testing.T) tlsutil.ConfiguratorIface {
+				tlsConfig := tlsutil.Config{
+					InternalRPC: tlsutil.ProtocolConfig{
+						CertFile: "../../test/key/ourdomain.cer",
+						KeyFile:  "../../test/key/ourdomain.key",
+					},
+				}
+				tlsConfigurator, err := tlsutil.NewConfigurator(tlsConfig, hclog.NewNullLogger())
+				require.NoError(t, err)
+				cert := tlsConfigurator.Cert().Certificate
+				cert = append(cert, []byte{})
+				return tlsutil.MockConfigurator{
+					TlsCert: &tls.Certificate{
+						Certificate: cert,
+					},
+				}
+			},
+		},
+	}
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			require.NotNil(t, tc.setupConfigurator)
+			tlsConfigurator := tc.setupConfigurator(t)
+
+			status := hcpclient.ServerStatus{}
+			err := addServerTLSInfo(&status, tlsConfigurator)
+
+			if len(tc.errMsg) > 0 {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.errMsg)
+				require.Empty(t, status)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, tc.checkStatus)
+				tc.checkStatus(t, status)
+			}
+		})
+	}
+}