Temporarily remove imgcrypt in CRI to fix circular dependency

Signed-off-by: Derek McGowan <derek@mcg.dev>
2023-10-27 15:24:15 -07:00
parent 192168038e
commit 638b474c81
171 changed files with 39 additions and 47811 deletions
--- a/vendor/github.com/containers/ocicrypt/config/config.go
+++ b/vendor/github.com/containers/ocicrypt/config/config.go
@@ -1,114 +0,0 @@
-/*
-   Copyright The ocicrypt Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package config
-
-// EncryptConfig is the container image PGP encryption configuration holding
-// the identifiers of those that will be able to decrypt the container and
-// the PGP public keyring file data that contains their public keys.
-type EncryptConfig struct {
-	// map holding 'gpg-recipients', 'gpg-pubkeyringfile', 'pubkeys', 'x509s'
-	Parameters map[string][][]byte
-
-	DecryptConfig DecryptConfig
-}
-
-// DecryptConfig wraps the Parameters map that holds the decryption key
-type DecryptConfig struct {
-	// map holding 'privkeys', 'x509s', 'gpg-privatekeys'
-	Parameters map[string][][]byte
-}
-
-// CryptoConfig is a common wrapper for EncryptConfig and DecrypConfig that can
-// be passed through functions that share much code for encryption and decryption
-type CryptoConfig struct {
-	EncryptConfig *EncryptConfig
-	DecryptConfig *DecryptConfig
-}
-
-// InitDecryption initialized a CryptoConfig object with parameters used for decryption
-func InitDecryption(dcparameters map[string][][]byte) CryptoConfig {
-	return CryptoConfig{
-		DecryptConfig: &DecryptConfig{
-			Parameters: dcparameters,
-		},
-	}
-}
-
-// InitEncryption initializes a CryptoConfig object with parameters used for encryption
-// It also takes dcparameters that may be needed for decryption when adding a recipient
-// to an already encrypted image
-func InitEncryption(parameters, dcparameters map[string][][]byte) CryptoConfig {
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters: parameters,
-			DecryptConfig: DecryptConfig{
-				Parameters: dcparameters,
-			},
-		},
-	}
-}
-
-// CombineCryptoConfigs takes a CryptoConfig list and creates a single CryptoConfig
-// containing the crypto configuration of all the key bundles
-func CombineCryptoConfigs(ccs []CryptoConfig) CryptoConfig {
-	ecparam := map[string][][]byte{}
-	ecdcparam := map[string][][]byte{}
-	dcparam := map[string][][]byte{}
-
-	for _, cc := range ccs {
-		if ec := cc.EncryptConfig; ec != nil {
-			addToMap(ecparam, ec.Parameters)
-			addToMap(ecdcparam, ec.DecryptConfig.Parameters)
-		}
-
-		if dc := cc.DecryptConfig; dc != nil {
-			addToMap(dcparam, dc.Parameters)
-		}
-	}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters: ecparam,
-			DecryptConfig: DecryptConfig{
-				Parameters: ecdcparam,
-			},
-		},
-		DecryptConfig: &DecryptConfig{
-			Parameters: dcparam,
-		},
-	}
-
-}
-
-// AttachDecryptConfig adds DecryptConfig to the field of EncryptConfig so that
-// the decryption parameters can be used to add recipients to an existing image
-// if the user is able to decrypt it.
-func (ec *EncryptConfig) AttachDecryptConfig(dc *DecryptConfig) {
-	if dc != nil {
-		addToMap(ec.DecryptConfig.Parameters, dc.Parameters)
-	}
-}
-
-func addToMap(orig map[string][][]byte, add map[string][][]byte) {
-	for k, v := range add {
-		if ov, ok := orig[k]; ok {
-			orig[k] = append(ov, v...)
-		} else {
-			orig[k] = v
-		}
-	}
-}
--- a/vendor/github.com/containers/ocicrypt/config/constructors.go
+++ b/vendor/github.com/containers/ocicrypt/config/constructors.go
@@ -1,245 +0,0 @@
-/*
-   Copyright The ocicrypt Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package config
-
-import (
-	"github.com/containers/ocicrypt/crypto/pkcs11"
-	"strings"
-
-	"github.com/pkg/errors"
-	"gopkg.in/yaml.v3"
-)
-
-// EncryptWithJwe returns a CryptoConfig to encrypt with jwe public keys
-func EncryptWithJwe(pubKeys [][]byte) (CryptoConfig, error) {
-	dc := DecryptConfig{}
-	ep := map[string][][]byte{
-		"pubkeys": pubKeys,
-	}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// EncryptWithPkcs7 returns a CryptoConfig to encrypt with pkcs7 x509 certs
-func EncryptWithPkcs7(x509s [][]byte) (CryptoConfig, error) {
-	dc := DecryptConfig{}
-
-	ep := map[string][][]byte{
-		"x509s": x509s,
-	}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// EncryptWithGpg returns a CryptoConfig to encrypt with configured gpg parameters
-func EncryptWithGpg(gpgRecipients [][]byte, gpgPubRingFile []byte) (CryptoConfig, error) {
-	dc := DecryptConfig{}
-	ep := map[string][][]byte{
-		"gpg-recipients":     gpgRecipients,
-		"gpg-pubkeyringfile": {gpgPubRingFile},
-	}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// EncryptWithPkcs11 returns a CryptoConfig to encrypt with configured pkcs11 parameters
-func EncryptWithPkcs11(pkcs11Config *pkcs11.Pkcs11Config, pkcs11Pubkeys, pkcs11Yamls [][]byte) (CryptoConfig, error) {
-	dc := DecryptConfig{}
-	ep := map[string][][]byte{}
-
-	if len(pkcs11Yamls) > 0 {
-		if pkcs11Config == nil {
-			return CryptoConfig{}, errors.New("pkcs11Config must not be nil")
-		}
-		p11confYaml, err := yaml.Marshal(pkcs11Config)
-		if err != nil {
-			return CryptoConfig{}, errors.Wrapf(err, "Could not marshal Pkcs11Config to Yaml")
-		}
-
-		dc = DecryptConfig{
-			Parameters: map[string][][]byte{
-				"pkcs11-config": {p11confYaml},
-			},
-		}
-		ep["pkcs11-yamls"] = pkcs11Yamls
-	}
-	if len(pkcs11Pubkeys) > 0 {
-		ep["pkcs11-pubkeys"] = pkcs11Pubkeys
-	}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// EncryptWithKeyProvider returns a CryptoConfig to encrypt with configured keyprovider parameters
-func EncryptWithKeyProvider(keyProviders [][]byte) (CryptoConfig, error) {
-	dc := DecryptConfig{}
-	ep := make(map[string][][]byte)
-	for _, keyProvider := range keyProviders {
-		keyProvidersStr := string(keyProvider)
-		idx := strings.Index(keyProvidersStr, ":")
-		if idx > 0 {
-			ep[keyProvidersStr[:idx]] = append(ep[keyProvidersStr[:idx]], []byte(keyProvidersStr[idx+1:]))
-		} else {
-			ep[keyProvidersStr] = append(ep[keyProvidersStr], []byte("Enabled"))
-		}
-	}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// DecryptWithKeyProvider returns a CryptoConfig to decrypt with configured keyprovider parameters
-func DecryptWithKeyProvider(keyProviders [][]byte) (CryptoConfig, error) {
-	dp := make(map[string][][]byte)
-	ep := map[string][][]byte{}
-	for _, keyProvider := range keyProviders {
-		keyProvidersStr := string(keyProvider)
-		idx := strings.Index(keyProvidersStr, ":")
-		if idx > 0 {
-			dp[keyProvidersStr[:idx]] = append(dp[keyProvidersStr[:idx]], []byte(keyProvidersStr[idx+1:]))
-		} else {
-			dp[keyProvidersStr] = append(dp[keyProvidersStr], []byte("Enabled"))
-		}
-	}
-	dc := DecryptConfig{
-		Parameters: dp,
-	}
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// DecryptWithPrivKeys returns a CryptoConfig to decrypt with configured private keys
-func DecryptWithPrivKeys(privKeys [][]byte, privKeysPasswords [][]byte) (CryptoConfig, error) {
-	if len(privKeys) != len(privKeysPasswords) {
-		return CryptoConfig{}, errors.New("Length of privKeys should match length of privKeysPasswords")
-	}
-
-	dc := DecryptConfig{
-		Parameters: map[string][][]byte{
-			"privkeys":           privKeys,
-			"privkeys-passwords": privKeysPasswords,
-		},
-	}
-
-	ep := map[string][][]byte{}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// DecryptWithX509s returns a CryptoConfig to decrypt with configured x509 certs
-func DecryptWithX509s(x509s [][]byte) (CryptoConfig, error) {
-	dc := DecryptConfig{
-		Parameters: map[string][][]byte{
-			"x509s": x509s,
-		},
-	}
-
-	ep := map[string][][]byte{}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// DecryptWithGpgPrivKeys returns a CryptoConfig to decrypt with configured gpg private keys
-func DecryptWithGpgPrivKeys(gpgPrivKeys, gpgPrivKeysPwds [][]byte) (CryptoConfig, error) {
-	dc := DecryptConfig{
-		Parameters: map[string][][]byte{
-			"gpg-privatekeys":           gpgPrivKeys,
-			"gpg-privatekeys-passwords": gpgPrivKeysPwds,
-		},
-	}
-
-	ep := map[string][][]byte{}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
-
-// DecryptWithPkcs11Yaml returns a CryptoConfig to decrypt with pkcs11 YAML formatted key files
-func DecryptWithPkcs11Yaml(pkcs11Config *pkcs11.Pkcs11Config, pkcs11Yamls [][]byte) (CryptoConfig, error) {
-	p11confYaml, err := yaml.Marshal(pkcs11Config)
-	if err != nil {
-		return CryptoConfig{}, errors.Wrapf(err, "Could not marshal Pkcs11Config to Yaml")
-	}
-
-	dc := DecryptConfig{
-		Parameters: map[string][][]byte{
-			"pkcs11-yamls":  pkcs11Yamls,
-			"pkcs11-config": {p11confYaml},
-		},
-	}
-
-	ep := map[string][][]byte{}
-
-	return CryptoConfig{
-		EncryptConfig: &EncryptConfig{
-			Parameters:    ep,
-			DecryptConfig: dc,
-		},
-		DecryptConfig: &dc,
-	}, nil
-}
--- a/vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go
+++ b/vendor/github.com/containers/ocicrypt/config/keyprovider-config/config.go
@@ -1,81 +0,0 @@
-/*
-   Copyright The ocicrypt Authors.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package config
-
-import (
-	"encoding/json"
-	"github.com/pkg/errors"
-	"io/ioutil"
-	"os"
-)
-
-// Command describes the structure of command, it consist of path and args, where path defines the location of
-// binary executable and args are passed on to the binary executable
-type Command struct {
-	Path string   `json:"path,omitempty"`
-	Args []string `json:"args,omitempty"`
-}
-
-// KeyProviderAttrs describes the structure of key provider, it defines the way of invocation to key provider
-type KeyProviderAttrs struct {
-	Command *Command `json:"cmd,omitempty"`
-	Grpc    string   `json:"grpc,omitempty"`
-}
-
-// OcicryptConfig represents the format of an ocicrypt_provider.conf config file
-type OcicryptConfig struct {
-	KeyProviderConfig map[string]KeyProviderAttrs `json:"key-providers"`
-}
-
-const ENVVARNAME = "OCICRYPT_KEYPROVIDER_CONFIG"
-
-// parseConfigFile parses a configuration file; it is not an error if the configuration file does
-// not exist, so no error is returned.
-func parseConfigFile(filename string) (*OcicryptConfig, error) {
-	// a non-existent config file is not an error
-	_, err := os.Stat(filename)
-	if os.IsNotExist(err) {
-		return nil, nil
-	}
-
-	data, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return nil, err
-	}
-
-	ic := &OcicryptConfig{}
-	err = json.Unmarshal(data, ic)
-	return ic, err
-}
-
-// getConfiguration tries to read the configuration file at the following locations
-// ${OCICRYPT_KEYPROVIDER_CONFIG} == "/etc/ocicrypt_keyprovider.yaml"
-// If no configuration file could be found or read a null pointer is returned
-func GetConfiguration() (*OcicryptConfig, error) {
-	var ic *OcicryptConfig
-	var err error
-	filename := os.Getenv(ENVVARNAME)
-	if len(filename) > 0 {
-		ic, err = parseConfigFile(filename)
-		if err != nil {
-			return nil, errors.Wrap(err, "Error while parsing keyprovider config file")
-		}
-	} else {
-		return nil, nil
-	}
-	return ic, nil
-}