Fix dependency and linter errors.

This commit is contained in:
Mariano Cano 2019-02-11 20:27:41 -08:00
parent 0eb0c3a21b
commit 852f4ed564
10 changed files with 338 additions and 143 deletions

Gopkg.lock generated

@ -35,6 +35,14 @@
revision = "b90dc15cfd220ecf8bbc9043ecb928cef381f011"
version = "v0.3.4"
[[projects]]
digest = "1:2cd7915ab26ede7d95b8749e6b1f933f1c6d5398030684e6505940a10f31cfda"
name = "github.com/ghodss/yaml"
packages = ["."]
pruneopts = "UT"
revision = "0ca9ea5df5451ffdf184b4428c902747c2c11cd7"
version = "v1.0.0"
[[projects]]
branch = "master"
digest = "1:81fda4d18a16651bf92245ce5d6178cdd99f918db30ae9794732655f0686e895"
@ -43,6 +51,17 @@
pruneopts = "UT"
revision = "0ebf7795c516423a110473652e9ba3a59a504863"
[[projects]]
digest = "1:b402bb9a24d108a9405a6f34675091b036c8b056aac843bf6ef2389a65c5cf48"
name = "github.com/gogo/protobuf"
packages = [
"proto",
"sortkeys",
]
pruneopts = "UT"
revision = "4cbf7e384e768b4e01799441fdf2a706a5635ae7"
version = "v1.2.0"
[[projects]]
branch = "travis-1.9"
digest = "1:e8f5d9c09a7209c740e769713376abda388c41b777ba8e9ed52767e21acf379f"
@ -54,6 +73,28 @@
pruneopts = "UT"
revision = "883fe33ffc4344bad1ecd881f61afd5ec5d80e0a"
[[projects]]
digest = "1:0f1010da61da43ef23bae5c43a619abda82e04f409ec642e6bdeee0d7736530d"
name = "github.com/google/certificate-transparency-go"
packages = [
".",
"asn1",
"tls",
"x509",
"x509/pkix",
]
pruneopts = "UT"
revision = "3629d6846518309d22c16fee15d1007262a459d2"
version = "v1.0.21"
[[projects]]
branch = "master"
digest = "1:3ee90c0d94da31b442dde97c99635aaafec68d0b8a3c12ee2075c6bdabeec6bb"
name = "github.com/google/gofuzz"
packages = ["."]
pruneopts = "UT"
revision = "24818f796faf91cd76ec7bddd72458fbced7a6c1"
[[projects]]
branch = "master"
digest = "1:750e747d0aad97b79f4a4e00034bae415c2ea793fd9e61438d966ee9c79579bf"
@ -70,6 +111,14 @@
pruneopts = "UT"
revision = "1003c8bd00dc2869cb5ca5282e6ce33834fed514"
[[projects]]
digest = "1:3e551bbb3a7c0ab2a2bf4660e7fcad16db089fdcfbb44b0199e62838038623ea"
name = "github.com/json-iterator/go"
packages = ["."]
pruneopts = "UT"
revision = "1624edc4454b8682399def8740d46db5e4362ba4"
version = "v1.1.5"
[[projects]]
branch = "master"
digest = "1:e51f40f0c19b39c1825eadd07d5c0a98a2ad5942b166d9fc4f54750ce9a04810"
@ -125,6 +174,22 @@
revision = "6ca4dbf54d38eea1a992b3c722a76a5d1c4cb25c"
version = "v0.0.4"
[[projects]]
digest = "1:33422d238f147d247752996a26574ac48dcf472976eda7f5134015f06bf16563"
name = "github.com/modern-go/concurrent"
packages = ["."]
pruneopts = "UT"
revision = "bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94"
version = "1.0.3"
[[projects]]
digest = "1:e32bdbdb7c377a07a9a46378290059822efdce5c8d96fe71940d87cb4f918855"
name = "github.com/modern-go/reflect2"
packages = ["."]
pruneopts = "UT"
revision = "4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd"
version = "1.0.1"
[[projects]]
digest = "1:266d082179f3a29a4bdcf1dcc49d4a304f5c7107e65bd22d1fecacf45f1ac348"
name = "github.com/newrelic/go-agent"
@ -212,7 +277,7 @@
[[projects]]
branch = "master"
digest = "1:4c9e30abfe7c119eb4d40287f6c23f854f3ad71c69206d8dc6402e1fef14ac88"
digest = "1:17d4424defbc718315d61e296841867ff76b3e03a941b41fdddbae11a7d47746"
name = "github.com/smallstep/cli"
packages = [
"command",
@ -226,6 +291,8 @@
"jose",
"pkg/blackfriday",
"pkg/x509",
"token",
"token/provision",
"ui",
"usage",
"utils",
@ -333,6 +400,14 @@
pruneopts = "UT"
revision = "63abe20a23e29e80bbef8089bd3dee3ac25e5306"
[[projects]]
digest = "1:2d1fbdc6777e5408cabeb02bf336305e724b925ff4546ded0fa8715a7267922a"
name = "gopkg.in/inf.v0"
packages = ["."]
pruneopts = "UT"
revision = "d2d2541c53f18d2a059457998ce2876cc8e67cbf"
version = "v0.9.1"
[[projects]]
digest = "1:7fbe10f3790dc4e6296c7c844c5a9b35513e5521c29c47e10ba99cd2956a2719"
name = "gopkg.in/square/go-jose.v2"
@ -354,20 +429,90 @@
revision = "5420a8b6744d3b0345ab293f6fcba19c978f1183"
version = "v2.2.1"
[[projects]]
branch = "master"
digest = "1:767b6c0b2c1d9487ee50cb8df1d0fdebf06ac0b19b723f6489d388e7b47c962d"
name = "k8s.io/api"
packages = [
"admission/v1beta1",
"authentication/v1",
"core/v1",
]
pruneopts = "UT"
revision = "de494049e22a9ccf748c5bbda7492f42f344d0cd"
[[projects]]
branch = "master"
digest = "1:5eb353533eaebdfec2392210ab218a389965ba5d4dc02b4aef87b9549e5d0f84"
name = "k8s.io/apimachinery"
packages = [
"pkg/api/resource",
"pkg/apis/meta/v1",
"pkg/apis/meta/v1/unstructured",
"pkg/conversion",
"pkg/conversion/queryparams",
"pkg/fields",
"pkg/labels",
"pkg/runtime",
"pkg/runtime/schema",
"pkg/runtime/serializer",
"pkg/runtime/serializer/json",
"pkg/runtime/serializer/protobuf",
"pkg/runtime/serializer/recognizer",
"pkg/runtime/serializer/versioning",
"pkg/selection",
"pkg/types",
"pkg/util/errors",
"pkg/util/framer",
"pkg/util/intstr",
"pkg/util/json",
"pkg/util/naming",
"pkg/util/net",
"pkg/util/runtime",
"pkg/util/sets",
"pkg/util/validation",
"pkg/util/validation/field",
"pkg/util/yaml",
"pkg/watch",
"third_party/forked/golang/reflect",
]
pruneopts = "UT"
revision = "4b3b852955ebe47857fcf134b531b23dd8f3e793"
[[projects]]
digest = "1:72fd56341405f53c745377e0ebc4abeff87f1a048e0eea6568a20212650f5a82"
name = "k8s.io/klog"
packages = ["."]
pruneopts = "UT"
revision = "71442cd4037d612096940ceb0f3fec3f7fff66e0"
version = "v0.2.0"
[[projects]]
digest = "1:7719608fe0b52a4ece56c2dde37bedd95b938677d1ab0f84b8a7852e4c59f849"
name = "sigs.k8s.io/yaml"
packages = ["."]
pruneopts = "UT"
revision = "fd68e9863619f6ec2fdd8625fe1f02e7c877e480"
version = "v1.1.0"
[solve-meta]
analyzer-name = "dep"
analyzer-version = 1
input-imports = [
"github.com/alecthomas/gometalinter",
"github.com/client9/misspell/cmd/misspell",
"github.com/ghodss/yaml",
"github.com/go-chi/chi",
"github.com/golang/lint/golint",
"github.com/google/certificate-transparency-go",
"github.com/google/certificate-transparency-go/x509",
"github.com/gordonklaus/ineffassign",
"github.com/newrelic/go-agent",
"github.com/pkg/errors",
"github.com/rs/xid",
"github.com/sirupsen/logrus",
"github.com/smallstep/assert",
"github.com/smallstep/cli/config",
"github.com/smallstep/cli/crypto/keys",
"github.com/smallstep/cli/crypto/pemutil",
"github.com/smallstep/cli/crypto/randutil",
@ -376,12 +521,19 @@
"github.com/smallstep/cli/errs",
"github.com/smallstep/cli/jose",
"github.com/smallstep/cli/pkg/x509",
"github.com/smallstep/cli/token",
"github.com/smallstep/cli/token/provision",
"github.com/smallstep/cli/usage",
"github.com/tsenart/deadcode",
"github.com/urfave/cli",
"golang.org/x/net/http2",
"gopkg.in/square/go-jose.v2",
"gopkg.in/square/go-jose.v2/jwt",
"k8s.io/api/admission/v1beta1",
"k8s.io/api/core/v1",
"k8s.io/apimachinery/pkg/apis/meta/v1",
"k8s.io/apimachinery/pkg/runtime",
"k8s.io/apimachinery/pkg/runtime/serializer",
]
solver-name = "gps-cdcl"
solver-version = 1


@ -113,12 +113,3 @@ func NewInClusterK8sClient() (Client, error) {
httpClient: httpClient,
}, nil
}
// NewInsecureK8sClient creates an insecure k8s client which is suitable
// to connect kubernetes api behind proxy
func NewInsecureK8sClient(apiURL string) Client {
return &k8sClient{
host: apiURL,
httpClient: http.DefaultClient,
}
}


@ -3,8 +3,8 @@ package main
import (
"context"
"crypto/sha256"
"encoding/json"
"encoding/hex"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
@ -18,8 +18,8 @@ import (
"github.com/smallstep/certificates/ca"
"github.com/smallstep/cli/crypto/pemutil"
"k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
)
@ -46,14 +46,14 @@ const (
// Config options for the autocert admission controller.
type Config struct {
LogFormat string `yaml:"logFormat"`
CaUrl string `yaml:"caUrl"`
CaURL string `yaml:"caUrl"`
CertLifetime string `yaml:"certLifetime"`
Bootstrapper corev1.Container `yaml:"bootstrapper"`
Renewer corev1.Container `yaml:"renewer"`
CertsVolume corev1.Volume `yaml:"certsVolume"`
}
// RFC6902 JSONPatch Operation
// PatchOperation represents a RFC6902 JSONPatch Operation
type PatchOperation struct {
Op string `json:"op"`
Path string `json:"path"`
@ -61,7 +61,7 @@ type PatchOperation struct {
}
// RFC6901 JSONPath Escaping -- https://tools.ietf.org/html/rfc6901
func escapeJsonPath(path string) string {
func escapeJSONPath(path string) string {
// Replace`~` with `~0` then `/` with `~1`. Note that the order
// matters otherwise we'll turn a `/` into a `~/`.
path = strings.Replace(path, "~", "~0", -1)
@ -229,7 +229,7 @@ func mkBootstrapper(config *Config, commonName string, namespace string, provisi
})
b.Env = append(b.Env, corev1.EnvVar{
Name: "STEP_CA_URL",
Value: config.CaUrl,
Value: config.CaURL,
})
b.Env = append(b.Env, corev1.EnvVar{
Name: "STEP_FINGERPRINT",
@ -243,11 +243,11 @@ func mkBootstrapper(config *Config, commonName string, namespace string, provisi
}
// mkRenewer generates a new renewer based on the template provided in Config.
func mkRenewer(config *Config) (corev1.Container) {
func mkRenewer(config *Config) corev1.Container {
r := config.Renewer
r.Env = append(r.Env, corev1.EnvVar{
Name: "STEP_CA_URL",
Value: config.CaUrl,
Value: config.CaURL,
})
return r
}
@ -255,13 +255,14 @@ func mkRenewer(config *Config) (corev1.Container) {
func addContainers(existing, new []corev1.Container, path string) (ops []PatchOperation) {
if len(existing) == 0 {
return []PatchOperation{
PatchOperation {
{
Op: "add",
Path: path,
Value: new,
},
}
} else {
}
for _, add := range new {
ops = append(ops, PatchOperation{
Op: "add",
@ -271,18 +272,18 @@ func addContainers(existing, new []corev1.Container, path string) (ops []PatchOp
}
return ops
}
}
func addVolumes(existing, new []corev1.Volume, path string) (ops []PatchOperation) {
if len(existing) == 0 {
return []PatchOperation{
PatchOperation {
{
Op: "add",
Path: path,
Value: new,
},
}
} else {
}
for _, add := range new {
ops = append(ops, PatchOperation{
Op: "add",
@ -292,7 +293,6 @@ func addVolumes(existing, new []corev1.Volume, path string) (ops []PatchOperatio
}
return ops
}
}
func addCertsVolumeMount(volumeName string, containers []corev1.Container) (ops []PatchOperation) {
volumeMount := corev1.VolumeMount{
@ -321,7 +321,7 @@ func addCertsVolumeMount(volumeName string, containers []corev1.Container) (ops
func addAnnotations(existing, new map[string]string) (ops []PatchOperation) {
if len(existing) == 0 {
return []PatchOperation{
PatchOperation {
{
Op: "add",
Path: "/metadata/annotations",
Value: new,
@ -332,13 +332,13 @@ func addAnnotations(existing, new map[string]string) (ops []PatchOperation) {
if existing[k] == "" {
ops = append(ops, PatchOperation{
Op: "add",
Path: "/metadata/annotations/" + escapeJsonPath(k),
Path: "/metadata/annotations/" + escapeJSONPath(k),
Value: v,
})
} else {
ops = append(ops, PatchOperation{
Op: "replace",
Path: "/metadata/annotations/" + escapeJsonPath(k),
Path: "/metadata/annotations/" + escapeJSONPath(k),
Value: v,
})
}
@ -386,9 +386,9 @@ func shouldMutate(metadata *metav1.ObjectMeta) bool {
// mutated already (status key isn't set).
if annotations[admissionWebhookAnnotationKey] == "" || annotations[admissionWebhookStatusKey] == "injected" {
return false
} else {
return true
}
return true
}
// mutate takes an `AdmissionReview`, determines whether it is subject to mutation, and returns
@ -480,7 +480,7 @@ func main() {
"provisionerKid": provisionerKid,
}).Info("Loaded provisioner configuration")
provisioner, err := NewProvisioner(provisionerName, provisionerKid, config.CaUrl, rootCAPath, provisionerPasswordFile)
provisioner, err := NewProvisioner(provisionerName, provisionerKid, config.CaURL, rootCAPath, provisionerPasswordFile)
if err != nil {
log.Errorf("Error loading provisioner: %v", err)
os.Exit(1)
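Review bot: The comment above `escapeJSONPath` (hunk `@ -61,7 +61,7`) still says "RFC6901 JSONPath Escaping", but RFC 6901 defines JSON Pointer; JSONPath is an unrelated query syntax, and the `~` → `~0` replacement visible below the comment is exactly the JSON Pointer token escaping the RFC describes. Since this commit is chasing lint findings, the comment should also start with the function name: `// escapeJSONPath escapes a JSON Pointer reference token per RFC 6901 (https://tools.ietf.org/html/rfc6901).`. The body of escapeJSONPath continues past the hunk, so only the first replacement is visible here.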


@ -3,10 +3,13 @@ package main
import (
"encoding/json"
"fmt"
"path/filepath"
"time"
"github.com/pkg/errors"
"github.com/smallstep/cli/crypto/pki"
"github.com/smallstep/certificates/authority"
"github.com/smallstep/certificates/ca"
"github.com/smallstep/cli/config"
"github.com/smallstep/cli/crypto/randutil"
"github.com/smallstep/cli/jose"
"github.com/smallstep/cli/token"
@ -17,6 +20,8 @@ const (
tokenLifetime = 5 * time.Minute
)
// Provisioner is an authorized entity that can sign tokens necessary for
// signature requests.
type Provisioner interface {
Name() string
Kid() string
@ -26,7 +31,7 @@ type Provisioner interface {
type provisioner struct {
name string
kid string
caUrl string
caURL string
caRoot string
jwk *jose.JSONWebKey
tokenLifetime time.Duration
@ -52,13 +57,13 @@ func (p *provisioner) Token(subject string) (string, error) {
notBefore := time.Now()
notAfter := notBefore.Add(tokenLifetime)
signUrl := fmt.Sprintf("%v/1.0/sign", p.caUrl)
signURL := fmt.Sprintf("%v/1.0/sign", p.caURL)
tokOptions := []token.Options{
token.WithJWTID(jwtID),
token.WithKid(p.kid),
token.WithIssuer(p.name),
token.WithAudience(signUrl),
token.WithAudience(signURL),
token.WithValidity(notBefore, notAfter),
token.WithRootCA(p.caRoot),
}
@ -86,8 +91,8 @@ func decryptProvisionerJWK(encryptedKey, passFile string) (*jose.JSONWebKey, err
// loadProvisionerJWKByKid retrieves a provisioner key from the CA by key ID and
// decrypts it using the specified password file.
func loadProvisionerJWKByKid(kid, caUrl, caRoot, passFile string) (*jose.JSONWebKey, error) {
encrypted, err := pki.GetProvisionerKey(caUrl, caRoot, kid)
func loadProvisionerJWKByKid(kid, caURL, caRoot, passFile string) (*jose.JSONWebKey, error) {
encrypted, err := getProvisionerKey(caURL, caRoot, kid)
if err != nil {
return nil, err
}
@ -98,8 +103,8 @@ func loadProvisionerJWKByKid(kid, caUrl, caRoot, passFile string) (*jose.JSONWeb
// loadProvisionerJWKByName retrieves the list of provisioners and encrypted key then
// returns the key of the first provisioner with a matching name that can be successfully
// decrypted with the specified password file.
func loadProvisionerJWKByName(name, caUrl, caRoot, passFile string) (key *jose.JSONWebKey, err error) {
provisioners, err := pki.GetProvisioners(caUrl, caRoot)
func loadProvisionerJWKByName(name, caURL, caRoot, passFile string) (key *jose.JSONWebKey, err error) {
provisioners, err := getProvisioners(caURL, caRoot)
if err != nil {
err = errors.Wrap(err, "error getting the provisioners")
return
@ -113,20 +118,20 @@ func loadProvisionerJWKByName(name, caUrl, caRoot, passFile string) (key *jose.J
}
}
}
return nil, errors.New(fmt.Sprintf("provisioner '%s' not found (or your password is wrong)", name))
return nil, errors.Errorf("provisioner '%s' not found (or your password is wrong)", name)
}
// NewProvisioner loads and decrypts key material from the CA for the named
// provisioner. The key identified by `kid` will be used if specified. If `kid`
// is the empty string we'll use the first key for the named provisioner that
// decrypts using `passFile`.
func NewProvisioner(name, kid, caUrl, caRoot, passFile string) (Provisioner, error) {
func NewProvisioner(name, kid, caURL, caRoot, passFile string) (Provisioner, error) {
var jwk *jose.JSONWebKey
var err error
if kid != "" {
jwk, err = loadProvisionerJWKByKid(kid, caUrl, caRoot, passFile)
jwk, err = loadProvisionerJWKByKid(kid, caURL, caRoot, passFile)
} else {
jwk, err = loadProvisionerJWKByName(name, caUrl, caRoot, passFile)
jwk, err = loadProvisionerJWKByName(name, caURL, caRoot, passFile)
}
if err != nil {
return nil, err
@ -135,9 +140,56 @@ func NewProvisioner(name, kid, caUrl, caRoot, passFile string) (Provisioner, err
return &provisioner{
name: name,
kid: jwk.KeyID,
caUrl: caUrl,
caURL: caURL,
caRoot: caRoot,
jwk: jwk,
tokenLifetime: tokenLifetime,
}, nil
}
// getRootCAPath returns the path where the root CA is stored based on the
// STEPPATH environment variable.
func getRootCAPath() string {
return filepath.Join(config.StepPath(), "certs", "root_ca.crt")
}
// getProvisioners returns the map of provisioners on the given CA.
func getProvisioners(caURL, rootFile string) ([]*authority.Provisioner, error) {
if len(rootFile) == 0 {
rootFile = getRootCAPath()
}
client, err := ca.NewClient(caURL, ca.WithRootFile(rootFile))
if err != nil {
return nil, err
}
cursor := ""
provisioners := []*authority.Provisioner{}
for {
resp, err := client.Provisioners(ca.WithProvisionerCursor(cursor), ca.WithProvisionerLimit(100))
if err != nil {
return nil, err
}
provisioners = append(provisioners, resp.Provisioners...)
if resp.NextCursor == "" {
return provisioners, nil
}
cursor = resp.NextCursor
}
}
// getProvisionerKey returns the encrypted provisioner key with the for the
// given kid.
func getProvisionerKey(caURL, rootFile, kid string) (string, error) {
if len(rootFile) == 0 {
rootFile = getRootCAPath()
}
client, err := ca.NewClient(caURL, ca.WithRootFile(rootFile))
if err != nil {
return "", err
}
resp, err := client.ProvisionerKey(kid)
if err != nil {
return "", err
}
return resp.Key, nil
}
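Review bot: The pagination loop in the new `getProvisioners` has no termination guarantee of its own — it stops only when the CA returns an empty `NextCursor`, so a server that keeps echoing a cursor (a bug or a misbehaving endpoint) would spin the controller forever. A cheap guard is to stop when the cursor does not advance: `if resp.NextCursor == "" || resp.NextCursor == cursor {`. The doc comments on the two new helpers also need correcting: `getProvisioners` returns a slice, not a map (`// getProvisioners returns all provisioners configured on the given CA, following the cursor until the last page.`), and the `getProvisionerKey` comment has a garbled clause (`// getProvisionerKey returns the encrypted provisioner key for the given kid.`). The client construction in both helpers is identical; a small `newCAClient(caURL, rootFile)` helper would keep the root-file fallback in one place.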