Vendor cfssl and cfssljson

2018-08-06 16:30:17 -07:00
parent 1c5b968152
commit 952fc9f6f8
245 changed files with 251725 additions and 4 deletions
--- a/vendor/github.com/cloudflare/cfssl/signer/BUILD
+++ b/vendor/github.com/cloudflare/cfssl/signer/BUILD
@@ -27,6 +27,8 @@ filegroup(
    srcs = [
        ":package-srcs",
        "//vendor/github.com/cloudflare/cfssl/signer/local:all-srcs",
+        "//vendor/github.com/cloudflare/cfssl/signer/remote:all-srcs",
+        "//vendor/github.com/cloudflare/cfssl/signer/universal:all-srcs",
    ],
    tags = ["automanaged"],
    visibility = ["//visibility:public"],
--- a/vendor/github.com/cloudflare/cfssl/signer/remote/BUILD
+++ b/vendor/github.com/cloudflare/cfssl/signer/remote/BUILD
@@ -0,0 +1,32 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["remote.go"],
+    importmap = "k8s.io/kubernetes/vendor/github.com/cloudflare/cfssl/signer/remote",
+    importpath = "github.com/cloudflare/cfssl/signer/remote",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/cloudflare/cfssl/api/client:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/certdb:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/config:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/errors:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/info:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/signer:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/vendor/github.com/cloudflare/cfssl/signer/remote/remote.go
+++ b/vendor/github.com/cloudflare/cfssl/signer/remote/remote.go
@@ -0,0 +1,133 @@
+package remote
+
+import (
+	"crypto/x509"
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"github.com/cloudflare/cfssl/api/client"
+	"github.com/cloudflare/cfssl/certdb"
+	"github.com/cloudflare/cfssl/config"
+	cferr "github.com/cloudflare/cfssl/errors"
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/cloudflare/cfssl/info"
+	"github.com/cloudflare/cfssl/signer"
+)
+
+// A Signer represents a CFSSL instance running as signing server.
+// fulfills the signer.Signer interface
+type Signer struct {
+	policy      *config.Signing
+	reqModifier func(*http.Request, []byte)
+}
+
+// NewSigner creates a new remote Signer directly from a
+// signing policy.
+func NewSigner(policy *config.Signing) (*Signer, error) {
+	if policy != nil {
+		if !policy.Valid() {
+			return nil, cferr.New(cferr.PolicyError,
+				cferr.InvalidPolicy)
+		}
+		return &Signer{policy: policy}, nil
+	}
+
+	return nil, cferr.New(cferr.PolicyError,
+		cferr.InvalidPolicy)
+}
+
+// Sign sends a signature request to the remote CFSSL server,
+// receiving a signed certificate or an error in response. The hostname,
+// csr, and profileName are used as with a local signing operation, and
+// the label is used to select a signing root in a multi-root CA.
+func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
+	resp, err := s.remoteOp(req, req.Profile, "sign")
+	if err != nil {
+		return
+	}
+	if cert, ok := resp.([]byte); ok {
+		return cert, nil
+	}
+	return
+}
+
+// Info sends an info request to the remote CFSSL server, receiving an
+// Resp struct or an error in response.
+func (s *Signer) Info(req info.Req) (resp *info.Resp, err error) {
+	respInterface, err := s.remoteOp(req, req.Profile, "info")
+	if err != nil {
+		return
+	}
+	if resp, ok := respInterface.(*info.Resp); ok {
+		return resp, nil
+	}
+	return
+}
+
+// Helper function to perform a remote sign or info request.
+func (s *Signer) remoteOp(req interface{}, profile, target string) (resp interface{}, err error) {
+	jsonData, err := json.Marshal(req)
+	if err != nil {
+		return nil, cferr.Wrap(cferr.APIClientError, cferr.JSONError, err)
+	}
+
+	p, err := signer.Profile(s, profile)
+	if err != nil {
+		return
+	}
+
+	server := client.NewServerTLS(p.RemoteServer, helpers.CreateTLSConfig(p.RemoteCAs, p.ClientCert))
+	if server == nil {
+		return nil, cferr.Wrap(cferr.PolicyError, cferr.InvalidRequest,
+			errors.New("failed to connect to remote"))
+	}
+
+	server.SetReqModifier(s.reqModifier)
+
+	// There's no auth provider for the "info" method
+	if target == "info" {
+		resp, err = server.Info(jsonData)
+	} else if p.RemoteProvider != nil {
+		resp, err = server.AuthSign(jsonData, nil, p.RemoteProvider)
+	} else {
+		resp, err = server.Sign(jsonData)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return
+}
+
+// SigAlgo returns the RSA signer's signature algorithm.
+func (s *Signer) SigAlgo() x509.SignatureAlgorithm {
+	// TODO: implement this as a remote info call
+	return x509.UnknownSignatureAlgorithm
+}
+
+// SetPolicy sets the signer's signature policy.
+func (s *Signer) SetPolicy(policy *config.Signing) {
+	s.policy = policy
+}
+
+// SetDBAccessor sets the signers' cert db accessor, currently noop.
+func (s *Signer) SetDBAccessor(dba certdb.Accessor) {
+	// noop
+}
+
+// GetDBAccessor returns the signers' cert db accessor, currently noop.
+func (s *Signer) GetDBAccessor() certdb.Accessor {
+	return nil
+}
+
+// SetReqModifier sets the function to call to modify the HTTP request prior to sending it
+func (s *Signer) SetReqModifier(mod func(*http.Request, []byte)) {
+	s.reqModifier = mod
+}
+
+// Policy returns the signer's policy.
+func (s *Signer) Policy() *config.Signing {
+	return s.policy
+}
--- a/vendor/github.com/cloudflare/cfssl/signer/universal/BUILD
+++ b/vendor/github.com/cloudflare/cfssl/signer/universal/BUILD
@@ -0,0 +1,32 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["universal.go"],
+    importmap = "k8s.io/kubernetes/vendor/github.com/cloudflare/cfssl/signer/universal",
+    importpath = "github.com/cloudflare/cfssl/signer/universal",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/cloudflare/cfssl/certdb:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/config:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/errors:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/info:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/signer:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/signer/local:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/signer/remote:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/vendor/github.com/cloudflare/cfssl/signer/universal/universal.go
+++ b/vendor/github.com/cloudflare/cfssl/signer/universal/universal.go
@@ -0,0 +1,225 @@
+// Package universal implements a signer that can do remote or local
+package universal
+
+import (
+	"crypto/x509"
+	"net/http"
+
+	"github.com/cloudflare/cfssl/certdb"
+	"github.com/cloudflare/cfssl/config"
+	cferr "github.com/cloudflare/cfssl/errors"
+	"github.com/cloudflare/cfssl/info"
+	"github.com/cloudflare/cfssl/signer"
+	"github.com/cloudflare/cfssl/signer/local"
+	"github.com/cloudflare/cfssl/signer/remote"
+)
+
+// Signer represents a universal signer which is both local and remote
+// to fulfill the signer.Signer interface.
+type Signer struct {
+	local  signer.Signer
+	remote signer.Signer
+	policy *config.Signing
+}
+
+// Root is used to define where the universal signer gets its public
+// certificate and private keys for signing.
+type Root struct {
+	Config      map[string]string
+	ForceRemote bool
+}
+
+// a localSignerCheck looks at the Config keys in the Root, and
+// decides whether it has enough information to produce a signer.
+type localSignerCheck func(root *Root, policy *config.Signing) (signer.Signer, bool, error)
+
+// fileBackedSigner determines whether a file-backed local signer is supported.
+func fileBackedSigner(root *Root, policy *config.Signing) (signer.Signer, bool, error) {
+	keyFile := root.Config["key-file"]
+	certFile := root.Config["cert-file"]
+
+	if keyFile == "" {
+		return nil, false, nil
+	}
+
+	signer, err := local.NewSignerFromFile(certFile, keyFile, policy)
+	return signer, true, err
+}
+
+var localSignerList = []localSignerCheck{
+	fileBackedSigner,
+}
+
+// PrependLocalSignerToList prepends signer to the local signer's list
+func PrependLocalSignerToList(signer localSignerCheck) {
+	localSignerList = append([]localSignerCheck{signer}, localSignerList...)
+}
+
+func newLocalSigner(root Root, policy *config.Signing) (s signer.Signer, err error) {
+	// shouldProvide indicates whether the
+	// function *should* have produced a key. If
+	// it's true, we should use the signer and
+	// error returned. Otherwise, keep looking for
+	// signers.
+	var shouldProvide bool
+
+	// localSignerList is defined in the
+	// universal_signers*.go files. These activate
+	// and deactivate signers based on build
+	// flags; for example,
+	// universal_signers_pkcs11.go contains a list
+	// of valid signers when PKCS #11 is turned
+	// on.
+	for _, possibleSigner := range localSignerList {
+		s, shouldProvide, err = possibleSigner(&root, policy)
+		if shouldProvide {
+			break
+		}
+	}
+
+	if s == nil {
+		err = cferr.New(cferr.PrivateKeyError, cferr.Unknown)
+	}
+
+	return s, err
+}
+
+func newUniversalSigner(root Root, policy *config.Signing) (*Signer, error) {
+	ls, err := newLocalSigner(root, policy)
+	if err != nil {
+		return nil, err
+	}
+
+	rs, err := remote.NewSigner(policy)
+	if err != nil {
+		return nil, err
+	}
+
+	s := &Signer{
+		policy: policy,
+		local:  ls,
+		remote: rs,
+	}
+	return s, err
+}
+
+// NewSigner generates a new certificate signer from a Root structure.
+// This is one of two standard signers: local or remote. If the root
+// structure specifies a force remote, then a remote signer is created,
+// otherwise either a remote or local signer is generated based on the
+// policy. For a local signer, the CertFile and KeyFile need to be
+// defined in Root.
+func NewSigner(root Root, policy *config.Signing) (signer.Signer, error) {
+	if policy == nil {
+		policy = &config.Signing{
+			Profiles: map[string]*config.SigningProfile{},
+			Default:  config.DefaultConfig(),
+		}
+	}
+
+	if !policy.Valid() {
+		return nil, cferr.New(cferr.PolicyError, cferr.InvalidPolicy)
+	}
+
+	var s signer.Signer
+	var err error
+	if root.ForceRemote {
+		s, err = remote.NewSigner(policy)
+	} else {
+		if policy.NeedsLocalSigner() && policy.NeedsRemoteSigner() {
+			s, err = newUniversalSigner(root, policy)
+		} else {
+			if policy.NeedsLocalSigner() {
+				s, err = newLocalSigner(root, policy)
+			}
+			if policy.NeedsRemoteSigner() {
+				s, err = remote.NewSigner(policy)
+			}
+		}
+	}
+
+	return s, err
+}
+
+// getMatchingProfile returns the SigningProfile that matches the profile passed.
+// if an empty profile string is passed it returns the default profile.
+func (s *Signer) getMatchingProfile(profile string) (*config.SigningProfile, error) {
+	if profile == "" {
+		return s.policy.Default, nil
+	}
+
+	for p, signingProfile := range s.policy.Profiles {
+		if p == profile {
+			return signingProfile, nil
+		}
+	}
+
+	return nil, cferr.New(cferr.PolicyError, cferr.UnknownProfile)
+}
+
+// Sign sends a signature request to either the remote or local signer,
+// receiving a signed certificate or an error in response.
+func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
+	profile, err := s.getMatchingProfile(req.Profile)
+	if err != nil {
+		return cert, err
+	}
+
+	if profile.RemoteServer != "" {
+		return s.remote.Sign(req)
+	}
+	return s.local.Sign(req)
+
+}
+
+// Info sends an info request to the remote or local CFSSL server
+// receiving an Resp struct or an error in response.
+func (s *Signer) Info(req info.Req) (resp *info.Resp, err error) {
+	profile, err := s.getMatchingProfile(req.Profile)
+	if err != nil {
+		return resp, err
+	}
+
+	if profile.RemoteServer != "" {
+		return s.remote.Info(req)
+	}
+	return s.local.Info(req)
+
+}
+
+// SetDBAccessor sets the signer's cert db accessor.
+func (s *Signer) SetDBAccessor(dba certdb.Accessor) {
+	s.local.SetDBAccessor(dba)
+}
+
+// GetDBAccessor returns the signer's cert db accessor.
+func (s *Signer) GetDBAccessor() certdb.Accessor {
+	return s.local.GetDBAccessor()
+}
+
+// SetReqModifier sets the function to call to modify the HTTP request prior to sending it
+func (s *Signer) SetReqModifier(mod func(*http.Request, []byte)) {
+	s.local.SetReqModifier(mod)
+	s.remote.SetReqModifier(mod)
+}
+
+// SigAlgo returns the RSA signer's signature algorithm.
+func (s *Signer) SigAlgo() x509.SignatureAlgorithm {
+	if s.local != nil {
+		return s.local.SigAlgo()
+	}
+
+	// currently remote.SigAlgo just returns
+	// x509.UnknownSignatureAlgorithm.
+	return s.remote.SigAlgo()
+}
+
+// SetPolicy sets the signer's signature policy.
+func (s *Signer) SetPolicy(policy *config.Signing) {
+	s.policy = policy
+}
+
+// Policy returns the signer's policy.
+func (s *Signer) Policy() *config.Signing {
+	return s.policy
+}