Vendor cfssl and cfssljson

vendor/github.com/cloudflare/cfssl/api/client/BUILD

@@ -0,0 +1,34 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "api.go",
+        "client.go",
+        "group.go",
+    ],
+    importmap = "k8s.io/kubernetes/vendor/github.com/cloudflare/cfssl/api/client",
+    importpath = "github.com/cloudflare/cfssl/api/client",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/cloudflare/cfssl/api:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/auth:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/errors:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/info:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/log:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/github.com/cloudflare/cfssl/api/client/api.go

@@ -0,0 +1,6 @@
+package client
+
+// SignResult is the result of signing a CSR.
+type SignResult struct {
+	Certificate []byte `json:"certificate"`
+}

vendor/github.com/cloudflare/cfssl/api/client/client.go

@@ -0,0 +1,356 @@
+// Package client implements a Go client for CFSSL API commands.
+package client
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	stderr "errors"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/cloudflare/cfssl/api"
+	"github.com/cloudflare/cfssl/auth"
+	"github.com/cloudflare/cfssl/errors"
+	"github.com/cloudflare/cfssl/info"
+	"github.com/cloudflare/cfssl/log"
+)
+
+// A server points to a single remote CFSSL instance.
+type server struct {
+	URL            string
+	TLSConfig      *tls.Config
+	reqModifier    func(*http.Request, []byte)
+	RequestTimeout time.Duration
+	proxy          func(*http.Request) (*url.URL, error)
+}
+
+// A Remote points to at least one (but possibly multiple) remote
+// CFSSL instances. It must be able to perform a authenticated and
+// unauthenticated certificate signing requests, return information
+// about the CA on the other end, and return a list of the hosts that
+// are used by the remote.
+type Remote interface {
+	AuthSign(req, id []byte, provider auth.Provider) ([]byte, error)
+	Sign(jsonData []byte) ([]byte, error)
+	Info(jsonData []byte) (*info.Resp, error)
+	Hosts() []string
+	SetReqModifier(func(*http.Request, []byte))
+	SetRequestTimeout(d time.Duration)
+	SetProxy(func(*http.Request) (*url.URL, error))
+}
+
+// NewServer sets up a new server target. The address should be of
+// The format [protocol:]name[:port] of the remote CFSSL instance.
+// If no protocol is given http is default. If no port
+// is specified, the CFSSL default port (8888) is used. If the name is
+// a comma-separated list of hosts, an ordered group will be returned.
+func NewServer(addr string) Remote {
+	return NewServerTLS(addr, nil)
+}
+
+// NewServerTLS is the TLS version of NewServer
+func NewServerTLS(addr string, tlsConfig *tls.Config) Remote {
+	addrs := strings.Split(addr, ",")
+
+	var remote Remote
+
+	if len(addrs) > 1 {
+		remote, _ = NewGroup(addrs, tlsConfig, StrategyOrderedList)
+	} else {
+		u, err := normalizeURL(addrs[0])
+		if err != nil {
+			log.Errorf("bad url: %v", err)
+			return nil
+		}
+		srv := newServer(u, tlsConfig)
+		if srv != nil {
+			remote = srv
+		}
+	}
+	return remote
+}
+
+func (srv *server) Hosts() []string {
+	return []string{srv.URL}
+}
+
+func (srv *server) SetReqModifier(mod func(*http.Request, []byte)) {
+	srv.reqModifier = mod
+}
+
+func (srv *server) SetRequestTimeout(timeout time.Duration) {
+	srv.RequestTimeout = timeout
+}
+
+func (srv *server) SetProxy(proxy func(*http.Request) (*url.URL, error)) {
+	srv.proxy = proxy
+}
+
+func newServer(u *url.URL, tlsConfig *tls.Config) *server {
+	URL := u.String()
+	return &server{
+		URL:       URL,
+		TLSConfig: tlsConfig,
+	}
+}
+
+func (srv *server) getURL(endpoint string) string {
+	return fmt.Sprintf("%s/api/v1/cfssl/%s", srv.URL, endpoint)
+}
+
+func (srv *server) createTransport() (transport *http.Transport) {
+	transport = new(http.Transport)
+	// Setup HTTPS client
+	tlsConfig := srv.TLSConfig
+	tlsConfig.BuildNameToCertificate()
+	transport.TLSClientConfig = tlsConfig
+	// Setup Proxy
+	transport.Proxy = srv.proxy
+	return transport
+}
+
+// post connects to the remote server and returns a Response struct
+func (srv *server) post(url string, jsonData []byte) (*api.Response, error) {
+	var resp *http.Response
+	var err error
+	client := &http.Client{}
+	if srv.TLSConfig != nil {
+		client.Transport = srv.createTransport()
+	}
+	if srv.RequestTimeout != 0 {
+		client.Timeout = srv.RequestTimeout
+	}
+	req, err := http.NewRequest("POST", url, bytes.NewReader(jsonData))
+	if err != nil {
+		err = fmt.Errorf("failed POST to %s: %v", url, err)
+		return nil, errors.Wrap(errors.APIClientError, errors.ClientHTTPError, err)
+	}
+	req.Close = true
+	req.Header.Set("content-type", "application/json")
+	if srv.reqModifier != nil {
+		srv.reqModifier(req, jsonData)
+	}
+	resp, err = client.Do(req)
+	if err != nil {
+		err = fmt.Errorf("failed POST to %s: %v", url, err)
+		return nil, errors.Wrap(errors.APIClientError, errors.ClientHTTPError, err)
+	}
+	defer req.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, errors.Wrap(errors.APIClientError, errors.IOError, err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		log.Errorf("http error with %s", url)
+		return nil, errors.Wrap(errors.APIClientError, errors.ClientHTTPError, stderr.New(string(body)))
+	}
+
+	var response api.Response
+	err = json.Unmarshal(body, &response)
+	if err != nil {
+		log.Debug("Unable to parse response body:", string(body))
+		return nil, errors.Wrap(errors.APIClientError, errors.JSONError, err)
+	}
+
+	if !response.Success || response.Result == nil {
+		if len(response.Errors) > 0 {
+			return nil, errors.Wrap(errors.APIClientError, errors.ServerRequestFailed, stderr.New(response.Errors[0].Message))
+		}
+		return nil, errors.New(errors.APIClientError, errors.ServerRequestFailed)
+	}
+
+	return &response, nil
+}
+
+// AuthSign fills out an authenticated signing request to the server,
+// receiving a certificate or error in response.
+// It takes the serialized JSON request to send, remote address and
+// authentication provider.
+func (srv *server) AuthSign(req, id []byte, provider auth.Provider) ([]byte, error) {
+	return srv.authReq(req, id, provider, "sign")
+}
+
+// AuthInfo fills out an authenticated info request to the server,
+// receiving a certificate or error in response.
+// It takes the serialized JSON request to send, remote address and
+// authentication provider.
+func (srv *server) AuthInfo(req, id []byte, provider auth.Provider) ([]byte, error) {
+	return srv.authReq(req, id, provider, "info")
+}
+
+// authReq is the common logic for AuthSign and AuthInfo -- perform the given
+// request, and return the resultant certificate.
+// The target is either 'sign' or 'info'.
+func (srv *server) authReq(req, ID []byte, provider auth.Provider, target string) ([]byte, error) {
+	url := srv.getURL("auth" + target)
+
+	token, err := provider.Token(req)
+	if err != nil {
+		return nil, errors.Wrap(errors.APIClientError, errors.AuthenticationFailure, err)
+	}
+
+	aReq := &auth.AuthenticatedRequest{
+		Timestamp:     time.Now().Unix(),
+		RemoteAddress: ID,
+		Token:         token,
+		Request:       req,
+	}
+
+	jsonData, err := json.Marshal(aReq)
+	if err != nil {
+		return nil, errors.Wrap(errors.APIClientError, errors.JSONError, err)
+	}
+
+	response, err := srv.post(url, jsonData)
+	if err != nil {
+		return nil, err
+	}
+
+	result, ok := response.Result.(map[string]interface{})
+	if !ok {
+		return nil, errors.New(errors.APIClientError, errors.JSONError)
+	}
+
+	cert, ok := result["certificate"].(string)
+	if !ok {
+		return nil, errors.New(errors.APIClientError, errors.JSONError)
+	}
+
+	return []byte(cert), nil
+}
+
+// Sign sends a signature request to the remote CFSSL server,
+// receiving a signed certificate or an error in response.
+// It takes the serialized JSON request to send.
+func (srv *server) Sign(jsonData []byte) ([]byte, error) {
+	return srv.request(jsonData, "sign")
+}
+
+// Info sends an info request to the remote CFSSL server, receiving a
+// response or an error in response.
+// It takes the serialized JSON request to send.
+func (srv *server) Info(jsonData []byte) (*info.Resp, error) {
+	res, err := srv.getResultMap(jsonData, "info")
+	if err != nil {
+		return nil, err
+	}
+
+	info := new(info.Resp)
+
+	if val, ok := res["certificate"]; ok {
+		info.Certificate = val.(string)
+	}
+	var usages []interface{}
+	if val, ok := res["usages"]; ok && val != nil {
+		usages = val.([]interface{})
+	}
+	if val, ok := res["expiry"]; ok && val != nil {
+		info.ExpiryString = val.(string)
+	}
+
+	info.Usage = make([]string, len(usages))
+	for i, s := range usages {
+		info.Usage[i] = s.(string)
+	}
+
+	return info, nil
+}
+
+func (srv *server) getResultMap(jsonData []byte, target string) (result map[string]interface{}, err error) {
+	url := srv.getURL(target)
+	response, err := srv.post(url, jsonData)
+	if err != nil {
+		return
+	}
+	result, ok := response.Result.(map[string]interface{})
+	if !ok {
+		err = errors.Wrap(errors.APIClientError, errors.ClientHTTPError, stderr.New("response is formatted improperly"))
+		return
+	}
+	return
+}
+
+// request performs the common logic for Sign and Info, performing the actual
+// request and returning the resultant certificate.
+func (srv *server) request(jsonData []byte, target string) ([]byte, error) {
+	result, err := srv.getResultMap(jsonData, target)
+	if err != nil {
+		return nil, err
+	}
+	cert := result["certificate"].(string)
+	if cert != "" {
+		return []byte(cert), nil
+	}
+
+	return nil, errors.Wrap(errors.APIClientError, errors.ClientHTTPError, stderr.New("response doesn't contain certificate."))
+}
+
+// AuthRemote acts as a Remote with a default Provider for AuthSign.
+type AuthRemote struct {
+	Remote
+	provider auth.Provider
+}
+
+// NewAuthServer sets up a new auth server target with an addr
+// in the same format at NewServer and a default authentication provider to
+// use for Sign requests.
+func NewAuthServer(addr string, tlsConfig *tls.Config, provider auth.Provider) *AuthRemote {
+	return &AuthRemote{
+		Remote:   NewServerTLS(addr, tlsConfig),
+		provider: provider,
+	}
+}
+
+// Sign is overloaded to perform an AuthSign request using the default auth provider.
+func (ar *AuthRemote) Sign(req []byte) ([]byte, error) {
+	return ar.AuthSign(req, nil, ar.provider)
+}
+
+// nomalizeURL checks for http/https protocol, appends "http" as default protocol if not defiend in url
+func normalizeURL(addr string) (*url.URL, error) {
+	addr = strings.TrimSpace(addr)
+
+	u, err := url.Parse(addr)
+	if err != nil {
+		return nil, err
+	}
+
+	if u.Opaque != "" {
+		u.Host = net.JoinHostPort(u.Scheme, u.Opaque)
+		u.Opaque = ""
+	} else if u.Path != "" && !strings.Contains(u.Path, ":") {
+		u.Host = net.JoinHostPort(u.Path, "8888")
+		u.Path = ""
+	} else if u.Scheme == "" {
+		u.Host = u.Path
+		u.Path = ""
+	}
+
+	if u.Scheme != "https" {
+		u.Scheme = "http"
+	}
+
+	_, port, err := net.SplitHostPort(u.Host)
+	if err != nil {
+		_, port, err = net.SplitHostPort(u.Host + ":8888")
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if port != "" {
+		_, err = strconv.Atoi(port)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return u, nil
+}

vendor/github.com/cloudflare/cfssl/api/client/group.go

@@ -0,0 +1,132 @@
+package client
+
+import (
+	"crypto/tls"
+	"errors"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/cloudflare/cfssl/auth"
+	"github.com/cloudflare/cfssl/info"
+)
+
+// Strategy is the means by which the server to use as a remote should
+// be selected.
+type Strategy int
+
+const (
+	// StrategyInvalid indicates any strategy that is unsupported
+	// or returned when no strategy is applicable.
+	StrategyInvalid = iota
+
+	// StrategyOrderedList is a sequential list of servers: if the
+	// first server cannot be reached, the next is used. The
+	// client will proceed in this manner until the list of
+	// servers is exhausted, and then an error is returned.
+	StrategyOrderedList
+)
+
+var strategyStrings = map[string]Strategy{
+	"ordered_list": StrategyOrderedList,
+}
+
+// StrategyFromString takes a string describing a
+func StrategyFromString(s string) Strategy {
+	s = strings.TrimSpace(strings.ToLower(s))
+	strategy, ok := strategyStrings[s]
+	if !ok {
+		return StrategyInvalid
+	}
+	return strategy
+}
+
+// NewGroup will use the collection of remotes specified with the
+// given strategy.
+func NewGroup(remotes []string, tlsConfig *tls.Config, strategy Strategy) (Remote, error) {
+	var servers = make([]*server, len(remotes))
+	for i := range remotes {
+		u, err := normalizeURL(remotes[i])
+		if err != nil {
+			return nil, err
+		}
+		servers[i] = newServer(u, tlsConfig)
+	}
+
+	switch strategy {
+	case StrategyOrderedList:
+		return newOrdererdListGroup(servers)
+	default:
+		return nil, errors.New("unrecognised strategy")
+	}
+}
+
+type orderedListGroup struct {
+	remotes []*server
+}
+
+func (g *orderedListGroup) Hosts() []string {
+	var hosts = make([]string, 0, len(g.remotes))
+	for _, srv := range g.remotes {
+		srvHosts := srv.Hosts()
+		hosts = append(hosts, srvHosts[0])
+	}
+	return hosts
+}
+
+func (g *orderedListGroup) SetRequestTimeout(timeout time.Duration) {
+	for _, srv := range g.remotes {
+		srv.SetRequestTimeout(timeout)
+	}
+}
+
+func (g *orderedListGroup) SetProxy(proxy func(*http.Request) (*url.URL, error)) {
+	for _, srv := range g.remotes {
+		srv.SetProxy(proxy)
+	}
+}
+
+func newOrdererdListGroup(remotes []*server) (Remote, error) {
+	return &orderedListGroup{
+		remotes: remotes,
+	}, nil
+}
+
+func (g *orderedListGroup) AuthSign(req, id []byte, provider auth.Provider) (resp []byte, err error) {
+	for i := range g.remotes {
+		resp, err = g.remotes[i].AuthSign(req, id, provider)
+		if err == nil {
+			return resp, nil
+		}
+	}
+
+	return nil, err
+}
+
+func (g *orderedListGroup) Sign(jsonData []byte) (resp []byte, err error) {
+	for i := range g.remotes {
+		resp, err = g.remotes[i].Sign(jsonData)
+		if err == nil {
+			return resp, nil
+		}
+	}
+
+	return nil, err
+}
+
+func (g *orderedListGroup) Info(jsonData []byte) (resp *info.Resp, err error) {
+	for i := range g.remotes {
+		resp, err = g.remotes[i].Info(jsonData)
+		if err == nil {
+			return resp, nil
+		}
+	}
+
+	return nil, err
+}
+
+// SetReqModifier does nothing because there is no request modifier for group
+func (g *orderedListGroup) SetReqModifier(mod func(*http.Request, []byte)) {
+	// noop
+}