internal static bool TryGetStepOne(
X509 currentCerts,
X509 targetCerts,
CertificateClusterUpgradeStep previousStep,
out CertificateClusterUpgradeStep step)
{
// step 1 adds all newly added certs and issuers (if any) to the white list
step = null;
List <string> currentThumbprints = CertificateClusterUpgradeFlow.GetThumbprints(currentCerts.ClusterCertificate);
List <string> addedThumbprints = CertificateClusterUpgradeFlow.GetAddedThumbprints(currentCerts.ClusterCertificate, targetCerts.ClusterCertificate);
Dictionary <string, string> currentCns = CertificateClusterUpgradeFlow.GetCns(currentCerts.ClusterCertificateCommonNames);
Dictionary <string, string> addedCnsAndIssuers = CertificateClusterUpgradeFlow.GetAddedCnsAndIssuers(currentCerts.ClusterCertificateCommonNames, targetCerts.ClusterCertificateCommonNames);
if (addedThumbprints.Any() || addedCnsAndIssuers.Any())
{
step = new CertificateClusterUpgradeStep(
thumbprintWhiteList: currentThumbprints.Concat(addedThumbprints).ToList(),
thumbprintLoadList: currentCerts.ClusterCertificate,
thumbprintFileStoreSvcList: currentCerts.ClusterCertificate,
commonNameWhiteList: CertificateClusterUpgradeFlow.MergeCnsAndIssuers(currentCns, addedCnsAndIssuers),
commonNameLoadList: currentCerts.ClusterCertificateCommonNames,
commonNameFileStoreSvcList: currentCerts.ClusterCertificateCommonNames);
}
return(true);
}
internal static bool TryGetStepThree(
X509 currentCerts,
X509 targetCerts,
CertificateClusterUpgradeStep previousStep,
out CertificateClusterUpgradeStep step)
{
Dictionary <string, string> commonNameWhiteList = targetCerts.ClusterCertificateCommonNames == null || !targetCerts.ClusterCertificateCommonNames.Any() ?
null : targetCerts.ClusterCertificateCommonNames.CommonNames.ToDictionary(p => p.CertificateCommonName, p => p.CertificateIssuerThumbprint);
step = new CertificateClusterUpgradeStep(
thumbprintWhiteList: targetCerts.ClusterCertificate == null ? null : targetCerts.ClusterCertificate.ToThumbprintList(),
thumbprintLoadList: targetCerts.ClusterCertificate,
thumbprintFileStoreSvcList: targetCerts.ClusterCertificate,
commonNameWhiteList: commonNameWhiteList,
commonNameLoadList: targetCerts.ClusterCertificateCommonNames,
commonNameFileStoreSvcList: targetCerts.ClusterCertificateCommonNames);
return(true);
}
public static List <CertificateClusterUpgradeStep> GetUpgradeFlow(X509 currentCerts, X509 targetCerts)
{
List <CertificateClusterUpgradeStep> result = new List <CertificateClusterUpgradeStep>();
CertificateClusterUpgradeStep previousStep = null;
bool shouldContinue = true;
for (int i = 0; i < CertificateClusterUpgradeFlow.upgradeStepDelegateTable.Length && shouldContinue; i++)
{
CertificateClusterUpgradeStep step;
shouldContinue = CertificateClusterUpgradeFlow.upgradeStepDelegateTable[i](currentCerts, targetCerts, previousStep, out step);
previousStep = step;
if (step != null)
{
result.Add(step);
}
}
return(result);
}
private ClusterManifestType UpdateClusterManifest(
ClusterManifestType existingClusterManifest,
FabricSettingsMetadata currentFabricSettingsMetadata,
string clusterManifestVersion,
CertificateClusterUpgradeStep step,
List <NodeDescription> existingSeedNodes)
{
Security nodeTypeSecurity = this.TargetCsmConfig.Security.Clone();
nodeTypeSecurity.CertificateInformation.ClusterCertificate = step.ThumbprintLoadList;
nodeTypeSecurity.CertificateInformation.ClusterCertificateCommonNames = step.CommonNameLoadList;
return(this.UpdateClusterManifest(
this.TargetCsmConfig.Security,
existingClusterManifest,
this.GetNodeTypes(this.TargetCsmConfig.NodeTypes, nodeTypeSecurity),
currentFabricSettingsMetadata,
clusterManifestVersion,
step.ThumbprintFileStoreSvcList,
step.ThumbprintWhiteList,
step.CommonNameFileStoreSvcList,
step.CommonNameWhiteList,
existingSeedNodes));
}
internal static bool TryGetStepTwo(
X509 currentCerts,
X509 targetCerts,
CertificateClusterUpgradeStep previousStep,
out CertificateClusterUpgradeStep step)
{
// step 2:
// white list: inherit from the previous step
// load list: replace all current certs with target certs
// fss list: change if necessary
int changedThumbprintCount = CertificateClusterUpgradeFlow.GetChangedThumbprintCount(currentCerts.ClusterCertificate, targetCerts.ClusterCertificate);
int changedCnCount = CertificateClusterUpgradeFlow.GetChangedCnCount(currentCerts.ClusterCertificateCommonNames, targetCerts.ClusterCertificateCommonNames);
List <string> removedThumbprints = CertificateClusterUpgradeFlow.GetAddedThumbprints(targetCerts.ClusterCertificate, currentCerts.ClusterCertificate);
List <string> removedCns = CertificateClusterUpgradeFlow.GetAddedCns(targetCerts.ClusterCertificateCommonNames, currentCerts.ClusterCertificateCommonNames);
CertificateDescription thumbprintFileStoreSvcCerts = null;
ServerCertificateCommonNames commonNameFileStoreSvcCerts = null;
bool shouldContinue = true;
switch (changedThumbprintCount + changedCnCount)
{
case 1:
{
if (removedThumbprints.Any() || removedCns.Any())
{
// cert removal
thumbprintFileStoreSvcCerts = currentCerts.ClusterCertificate;
commonNameFileStoreSvcCerts = currentCerts.ClusterCertificateCommonNames;
}
else
{
// cert add
thumbprintFileStoreSvcCerts = targetCerts.ClusterCertificate;
commonNameFileStoreSvcCerts = targetCerts.ClusterCertificateCommonNames;
shouldContinue = false;
}
break;
}
case 2:
{
if (CertificateClusterUpgradeFlow.IsSwap(currentCerts.ClusterCertificate, targetCerts.ClusterCertificate))
{
thumbprintFileStoreSvcCerts = new CertificateDescription()
{
Thumbprint = currentCerts.ClusterCertificate.Thumbprint,
ThumbprintSecondary = currentCerts.ClusterCertificate.Thumbprint,
X509StoreName = currentCerts.ClusterCertificate.X509StoreName,
};
}
else
{
if (changedThumbprintCount == 2)
{
// thumbprint replace
thumbprintFileStoreSvcCerts = new CertificateDescription()
{
Thumbprint = currentCerts.ClusterCertificate.Thumbprint,
ThumbprintSecondary = targetCerts.ClusterCertificate.Thumbprint,
X509StoreName = currentCerts.ClusterCertificate.X509StoreName,
};
}
else if (changedCnCount == 2)
{
// cn replace
commonNameFileStoreSvcCerts = new ServerCertificateCommonNames()
{
CommonNames = new List <CertificateCommonNameBase>()
{
currentCerts.ClusterCertificateCommonNames.CommonNames[0],
targetCerts.ClusterCertificateCommonNames.CommonNames[0]
},
X509StoreName = currentCerts.ClusterCertificateCommonNames.X509StoreName
};
}
else
{
// 1 thumbprint <-> 1 cn
CertificateClusterUpgradeFlow.GetFileStoreSvcListForCertTypeChange(
currentCerts,
targetCerts,
out thumbprintFileStoreSvcCerts,
out commonNameFileStoreSvcCerts);
}
}
break;
}
case 3:
case 4:
{
// 1 thumbprints <-> 2 cns, or 2 thumbprints <-> 1 cns, or 2 thumbprints <-> 2 cns
CertificateClusterUpgradeFlow.GetFileStoreSvcListForCertTypeChange(
currentCerts,
targetCerts,
out thumbprintFileStoreSvcCerts,
out commonNameFileStoreSvcCerts);
break;
}
default:
throw new NotSupportedException(string.Format("It's not supported that {0} certificate thumbprints and {1} certificate common names have changed", changedThumbprintCount, changedCnCount));
}
step = new CertificateClusterUpgradeStep(
thumbprintWhiteList: previousStep != null ? previousStep.ThumbprintWhiteList : CertificateClusterUpgradeFlow.GetThumbprints(currentCerts.ClusterCertificate),
thumbprintLoadList: targetCerts.ClusterCertificate,
thumbprintFileStoreSvcList: thumbprintFileStoreSvcCerts,
commonNameWhiteList: previousStep != null ? previousStep.CommonNameWhiteList : CertificateClusterUpgradeFlow.GetCns(currentCerts.ClusterCertificateCommonNames),
commonNameLoadList: targetCerts.ClusterCertificateCommonNames,
commonNameFileStoreSvcList: commonNameFileStoreSvcCerts);
return(shouldContinue);
}
