Use UUIDv4 as automatically generated client request identifier

smallstep · Mar 1, 2024 · 0898c6d · 0898c6d
1 parent b9d6bfc
commit 0898c6d
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/ca/client.go b/ca/client.go
@@ -24,7 +24,6 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"github.com/rs/xid"
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
@@ -35,6 +34,7 @@ import (
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
+	"go.step.sm/crypto/randutil"
 	"go.step.sm/crypto/x509util"
 	"golang.org/x/net/http2"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -105,6 +105,17 @@ func (c *uaClient) PostWithContext(ctx context.Context, u, contentType string, b
 // the CA client to the CA and back again.
 const requestIDHeader = "X-Request-Id"
 
+// newRequestID generates a new random UUIDv4 request ID. If it fails,
+// the request ID will be the empty string.
+func newRequestID() string {
+	requestID, err := randutil.UUIDv4()
+	if err != nil {
+		return ""
+	}
+
+	return requestID
+}
+
 // enforceRequestID checks if the X-Request-Id HTTP header is filled. If it's
 // empty, the context is searched for a request ID. If that's also empty, a new
 // request ID is generated.
@@ -115,7 +126,7 @@ func enforceRequestID(r *http.Request) {
 			// used before by the client (unless it's a retry for the same request)?
 			requestID = reqID
 		} else {
-			requestID = xid.New().String()
+			requestID = newRequestID()
 		}
 		r.Header.Set(requestIDHeader, requestID)
 	}

diff --git a/ca/client_test.go b/ca/client_test.go
@@ -17,6 +17,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/uuid"
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/api/read"
 	"github.com/smallstep/certificates/api/render"
@@ -1056,3 +1057,12 @@ func Test_enforceRequestID(t *testing.T) {
 		})
 	}
 }
+
+func Test_newRequestID(t *testing.T) {
+	requestID := newRequestID()
+	u, err := uuid.Parse(requestID)
+	assert.NoError(t, err)
+	assert.Equal(t, uuid.Version(0x4), u.Version())
+	assert.Equal(t, uuid.RFC4122, u.Variant())
+	assert.Equal(t, requestID, u.String())
+}