From d56128bbce1d068e6da5f7d5914537f29e80575e Mon Sep 17 00:00:00 2001
From: Xopherus
Date: Mon, 11 Nov 2019 15:27:07 -0500
Subject: [PATCH] Reload VaultConfig if CAFile, CertFile, KeyFile have changed

Fixes #4395, #6052
---
 nomad/structs/config/vault.go | 60 +++++++++++++++++++++++++----------
 nomad/vault.go | 5 ++-
 2 files changed, 47 insertions(+), 18 deletions(-)

diff --git a/nomad/structs/config/vault.go b/nomad/structs/config/vault.go
index 67dd618d26b1..0ab5ab372b55 100644
--- a/nomad/structs/config/vault.go
+++ b/nomad/structs/config/vault.go
@@ -78,6 +78,9 @@ type VaultConfig struct {
 
 	// TLSServerName, if set, is used to set the SNI host when connecting via TLS.
 	TLSServerName string `hcl:"tls_server_name"`
+
+	// Checksum is a MD5 hash of the TLSCaFile, TLSCertFile, and TLSKeyFile.
+	Checksum string
 }
 
 // DefaultVaultConfig() returns the canonical defaults for the Nomad
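Review bot: The new `Checksum` field is exported, untagged and documented only as "a MD5 hash", but it is derived state that `IsEqual` fills in lazily and never invalidates, not user-supplied configuration; the comment should say so, e.g. `// Checksum is a MD5 hash of the contents of TLSCaFile, TLSCertFile and TLSKeyFile. It is computed on demand by SetChecksum (not read from configuration) and is not recomputed if those files change afterwards.` If the HCL decoder also maps untagged exported fields by name, a value supplied in the agent configuration would populate it and skip the file comparison entirely; worth confirming, and excluding the field from decoding if it does. MD5 is adequate for detecting changes to operator-controlled files, but a SHA-256 digest is a drop-in choice that avoids trouble in FIPS-restricted builds, assuming `createChecksumOfFiles` (not shown in this patch) is free to change.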
@@ -191,52 +194,75 @@ func (c *VaultConfig) Copy() *VaultConfig {
 
 // IsEqual compares two Vault configurations and returns a boolean indicating
 // if they are equal.
-func (a *VaultConfig) IsEqual(b *VaultConfig) bool {
+func (a *VaultConfig) IsEqual(b *VaultConfig) (bool, error) {
 	if a == nil && b != nil {
-		return false
+		return false, nil
 	}
 	if a != nil && b == nil {
-		return false
+		return false, nil
 	}
 	if a.Token != b.Token {
-		return false
+		return false, nil
 	}
 	if a.Role != b.Role {
-		return false
+		return false, nil
 	}
 	if a.TaskTokenTTL != b.TaskTokenTTL {
-		return false
+		return false, nil
 	}
 	if a.Addr != b.Addr {
-		return false
+		return false, nil
 	}
 	if a.ConnectionRetryIntv.Nanoseconds() != b.ConnectionRetryIntv.Nanoseconds() {
-		return false
+		return false, nil
 	}
 	if a.TLSCaFile != b.TLSCaFile {
-		return false
+		return false, nil
 	}
 	if a.TLSCaPath != b.TLSCaPath {
-		return false
+		return false, nil
 	}
 	if a.TLSCertFile != b.TLSCertFile {
-		return false
+		return false, nil
 	}
 	if a.TLSKeyFile != b.TLSKeyFile {
-		return false
+		return false, nil
 	}
 	if a.TLSServerName != b.TLSServerName {
-		return false
+		return false, nil
 	}
 	if a.AllowUnauthenticated != b.AllowUnauthenticated {
-		return false
+		return false, nil
 	}
 	if a.TLSSkipVerify != b.TLSSkipVerify {
-		return false
+		return false, nil
 	}
 	if a.Enabled != b.Enabled {
-		return false
+		return false, nil
+	}
+
+	if a.Checksum == "" {
+		if err := a.SetChecksum(); err != nil {
+			return true, err
+		}
+	}
+
+	if b.Checksum == "" {
+		if err := b.SetChecksum(); err != nil {
+			return true, err
+		}
 	}
 
-	return true
+	return a.Checksum == b.Checksum, nil
+}
+
+// SetChecksum generates and sets the checksum for a Vault configuration.
+func (a *VaultConfig) SetChecksum() error {
+	newChecksum, err := createChecksumOfFiles(a.TLSCaFile, a.TLSCertFile, a.TLSKeyFile)
+	if err != nil {
+		return err
+	}
+
+	a.Checksum = newChecksum
+	return nil
 }
diff --git a/nomad/vault.go b/nomad/vault.go
index 2c58e7e59e46..d1580b84e192 100644
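Review bot: The two nil guards at the top of `IsEqual` still let the case where both `a` and `b` are nil fall through to `a.Token`, which dereferences a nil receiver; the pair can be replaced by `if a == nil || b == nil { return a == b, nil }`. The new error paths use `return true, err`, so any caller that drops the error would treat an unreadable key or certificate file as "unchanged" and skip the reload; `return false, err` keeps the bool meaningless on error, as Go convention expects. `IsEqual` now also has side effects — it reads the three TLS files from disk and writes `Checksum` into both operands — and an operand whose `Checksum` is already set never re-reads the files, so the doc comments on `IsEqual` and `SetChecksum` should state that the checksum is computed once and cached, and that the comparison is only as fresh as that cached value. `createChecksumOfFiles` is outside this patch, so whether an empty path (no TLS files configured) yields an error or an empty digest cannot be confirmed here.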
--- a/nomad/vault.go
+++ b/nomad/vault.go
@@ -342,7 +342,10 @@ func (v *vaultClient) SetConfig(config *config.VaultConfig) error {
 	defer v.l.Unlock()
 
 	// If reloading the same config, no-op
-	if v.config.IsEqual(config) {
+	isEqual, err := v.config.IsEqual(config)
+	if err != nil
+		return err
+	} else if isEqual {
 		return nil
 	}
 
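Review bot: The added `if err != nil` line is missing its opening brace, so the new side of this hunk does not compile; the `else` after a terminating `return` is also unnecessary. The three lines should read `if err != nil {` / `}` / `if isEqual {`, giving a guard clause followed by a plain `if isEqual { return nil }`. With this change `IsEqual` may read the TLS files from disk while `v.l` is held (see the `defer v.l.Unlock()` context line), and a read error now makes `SetConfig` return without applying the new config — both look acceptable, but a call-site comment such as `// IsEqual hashes the TLS files on disk; a read error aborts the reload and keeps the old config.` would make that deliberate. The rest of `SetConfig` lies outside the hunk.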