all: reformat all go files with the next gofmt (Go 1.19)
There are some changes that were edited manually, for example using '-' as the default list marker and grouping imports.
This commit is contained in:
parent
304cc5a70f
commit
fe04f93d7f
15 changed files with 102 additions and 78 deletions
@ -107,10 +107,11 @@ func keysAreEqual(x, y *jose.JSONWebKey) bool {
// validateEABJWS verifies the contents of the External Account Binding JWS.
|
// validateEABJWS verifies the contents of the External Account Binding JWS.
|
||||||
// The protected header of the JWS MUST meet the following criteria:
|
// The protected header of the JWS MUST meet the following criteria:
|
||||||
// o The "alg" field MUST indicate a MAC-based algorithm
|
//
|
||||||
// o The "kid" field MUST contain the key identifier provided by the CA
|
// - The "alg" field MUST indicate a MAC-based algorithm
|
||||||
// o The "nonce" field MUST NOT be present
|
// - The "kid" field MUST contain the key identifier provided by the CA
|
||||||
// o The "url" field MUST be set to the same value as the outer JWS
|
// - The "nonce" field MUST NOT be present
|
||||||
|
// - The "url" field MUST be set to the same value as the outer JWS
|
||||||
func validateEABJWS(ctx context.Context, jws *jose.JSONWebSignature) (string, *acme.Error) {
|
func validateEABJWS(ctx context.Context, jws *jose.JSONWebSignature) (string, *acme.Error) {
|
||||||
if jws == nil {
|
if jws == nil {
|
||||||
return "", acme.NewErrorISE("no JWS provided")
|
return "", acme.NewErrorISE("no JWS provided")
|
||||||
@ -119,13 +119,13 @@ func parseJWS(next nextHTTP) nextHTTP {
// The JWS Unprotected Header [RFC7515] MUST NOT be used
|
// The JWS Unprotected Header [RFC7515] MUST NOT be used
|
||||||
// The JWS Payload MUST NOT be detached
|
// The JWS Payload MUST NOT be detached
|
||||||
// The JWS Protected Header MUST include the following fields:
|
// The JWS Protected Header MUST include the following fields:
|
||||||
// * “alg” (Algorithm)
|
// - “alg” (Algorithm).
|
||||||
// * This field MUST NOT contain “none” or a Message Authentication Code
|
// This field MUST NOT contain “none” or a Message Authentication Code
|
||||||
// (MAC) algorithm (e.g. one in which the algorithm registry description
|
// (MAC) algorithm (e.g. one in which the algorithm registry description
|
||||||
// mentions MAC/HMAC).
|
// mentions MAC/HMAC).
|
||||||
// * “nonce” (defined in Section 6.5)
|
// - “nonce” (defined in Section 6.5)
|
||||||
// * “url” (defined in Section 6.4)
|
// - “url” (defined in Section 6.4)
|
||||||
// * Either “jwk” (JSON Web Key) or “kid” (Key ID) as specified below<Paste>
|
// - Either “jwk” (JSON Web Key) or “kid” (Key ID) as specified below<Paste>
|
||||||
func validateJWS(next nextHTTP) nextHTTP {
|
func validateJWS(next nextHTTP) nextHTTP {
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
ctx := r.Context()
|
ctx := r.Context()
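Review bot: The last bullet of validateJWS's doc comment still carries the stray editor artifact `<Paste>` on the new side (`// - Either “jwk” (JSON Web Key) or “kid” (Key ID) as specified below<Paste>`); since this commit already rewrites that bullet list it is the natural place to drop it, i.e. `// - Either “jwk” (JSON Web Key) or “kid” (Key ID) as specified below`. The reformatted list is also inconsistent in punctuation: the `alg` item gained a trailing period while the `nonce`, `url` and `jwk`/`kid` items have none. The handler closure returned by validateJWS continues past the hunk.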
|
||||||
@ -51,22 +51,27 @@ const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
// signature.
|
// signature.
|
||||||
//
|
//
|
||||||
// The first certificate is used in:
|
// The first certificate is used in:
|
||||||
// ap-northeast-2, ap-south-1, ap-southeast-1, ap-southeast-2
|
//
|
||||||
// eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3
|
// ap-northeast-2, ap-south-1, ap-southeast-1, ap-southeast-2
|
||||||
// us-east-1, us-east-2, us-west-1, us-west-2
|
// eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3
|
||||||
// ca-central-1, sa-east-1
|
// us-east-1, us-east-2, us-west-1, us-west-2
|
||||||
|
// ca-central-1, sa-east-1
|
||||||
//
|
//
|
||||||
// The second certificate is used in:
|
// The second certificate is used in:
|
||||||
// eu-south-1
|
//
|
||||||
|
// eu-south-1
|
||||||
//
|
//
|
||||||
// The third certificate is used in:
|
// The third certificate is used in:
|
||||||
// ap-east-1
|
//
|
||||||
|
// ap-east-1
|
||||||
//
|
//
|
||||||
// The fourth certificate is used in:
|
// The fourth certificate is used in:
|
||||||
// af-south-1
|
//
|
||||||
|
// af-south-1
|
||||||
//
|
//
|
||||||
// The fifth certificate is used in:
|
// The fifth certificate is used in:
|
||||||
// me-south-1
|
//
|
||||||
|
// me-south-1
|
||||||
const awsCertificate = `-----BEGIN CERTIFICATE-----
|
const awsCertificate = `-----BEGIN CERTIFICATE-----
|
||||||
MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
|
MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
|
||||||
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
|
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
|
||||||
@ -48,17 +48,18 @@ func Bootstrap(token string) (*Client, error) {
// certificate after 2/3rd of the certificate's lifetime has expired.
|
// certificate after 2/3rd of the certificate's lifetime has expired.
|
||||||
//
|
//
|
||||||
// Usage:
|
// Usage:
|
||||||
// // Default example with certificate rotation.
|
|
||||||
// client, err := ca.BootstrapClient(ctx.Background(), token)
|
|
||||||
//
|
//
|
||||||
// // Example canceling automatic certificate rotation.
|
// // Default example with certificate rotation.
|
||||||
// ctx, cancel := context.WithCancel(context.Background())
|
// client, err := ca.BootstrapClient(ctx.Background(), token)
|
||||||
// defer cancel()
|
//
|
||||||
// client, err := ca.BootstrapClient(ctx, token)
|
// // Example canceling automatic certificate rotation.
|
||||||
// if err != nil {
|
// ctx, cancel := context.WithCancel(context.Background())
|
||||||
// return err
|
// defer cancel()
|
||||||
// }
|
// client, err := ca.BootstrapClient(ctx, token)
|
||||||
// resp, err := client.Get("https://internal.smallstep.com")
|
// if err != nil {
|
||||||
|
// return err
|
||||||
|
// }
|
||||||
|
// resp, err := client.Get("https://internal.smallstep.com")
|
||||||
func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error) {
|
func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error) {
|
||||||
b, err := createBootstrap(token)
|
b, err := createBootstrap(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -96,23 +97,24 @@ func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*
// ca.AddClientCA(*x509.Certificate).
|
// ca.AddClientCA(*x509.Certificate).
|
||||||
//
|
//
|
||||||
// Usage:
|
// Usage:
|
||||||
// // Default example with certificate rotation.
|
|
||||||
// srv, err := ca.BootstrapServer(context.Background(), token, &http.Server{
|
|
||||||
// Addr: ":443",
|
|
||||||
// Handler: handler,
|
|
||||||
// })
|
|
||||||
//
|
//
|
||||||
// // Example canceling automatic certificate rotation.
|
// // Default example with certificate rotation.
|
||||||
// ctx, cancel := context.WithCancel(context.Background())
|
// srv, err := ca.BootstrapServer(context.Background(), token, &http.Server{
|
||||||
// defer cancel()
|
// Addr: ":443",
|
||||||
// srv, err := ca.BootstrapServer(ctx, token, &http.Server{
|
// Handler: handler,
|
||||||
// Addr: ":443",
|
// })
|
||||||
// Handler: handler,
|
//
|
||||||
// })
|
// // Example canceling automatic certificate rotation.
|
||||||
// if err != nil {
|
// ctx, cancel := context.WithCancel(context.Background())
|
||||||
// return err
|
// defer cancel()
|
||||||
// }
|
// srv, err := ca.BootstrapServer(ctx, token, &http.Server{
|
||||||
// srv.ListenAndServeTLS("", "")
|
// Addr: ":443",
|
||||||
|
// Handler: handler,
|
||||||
|
// })
|
||||||
|
// if err != nil {
|
||||||
|
// return err
|
||||||
|
// }
|
||||||
|
// srv.ListenAndServeTLS("", "")
|
||||||
func BootstrapServer(ctx context.Context, token string, base *http.Server, options ...TLSOption) (*http.Server, error) {
|
func BootstrapServer(ctx context.Context, token string, base *http.Server, options ...TLSOption) (*http.Server, error) {
|
||||||
if base.TLSConfig != nil {
|
if base.TLSConfig != nil {
|
||||||
return nil, errors.New("server TLSConfig is already set")
|
return nil, errors.New("server TLSConfig is already set")
|
||||||
@ -152,19 +154,20 @@ func BootstrapServer(ctx context.Context, token string, base *http.Server, optio
// ca.AddClientCA(*x509.Certificate).
|
// ca.AddClientCA(*x509.Certificate).
|
||||||
//
|
//
|
||||||
// Usage:
|
// Usage:
|
||||||
// inner, err := net.Listen("tcp", ":443")
|
//
|
||||||
// if err != nil {
|
// inner, err := net.Listen("tcp", ":443")
|
||||||
// return nil
|
// if err != nil {
|
||||||
// }
|
// return nil
|
||||||
// ctx, cancel := context.WithCancel(context.Background())
|
// }
|
||||||
// defer cancel()
|
// ctx, cancel := context.WithCancel(context.Background())
|
||||||
// lis, err := ca.BootstrapListener(ctx, token, inner)
|
// defer cancel()
|
||||||
// if err != nil {
|
// lis, err := ca.BootstrapListener(ctx, token, inner)
|
||||||
// return err
|
// if err != nil {
|
||||||
// }
|
// return err
|
||||||
// srv := grpc.NewServer()
|
// }
|
||||||
// ... // register services
|
// srv := grpc.NewServer()
|
||||||
// srv.Serve(lis)
|
// ... // register services
|
||||||
|
// srv.Serve(lis)
|
||||||
func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error) {
|
func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error) {
|
||||||
b, err := createBootstrap(token)
|
b, err := createBootstrap(token)
|
||||||
if err != nil {
|
if err != nil {
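Review bot: The usage example in BootstrapClient's doc comment (the first hunk of this file) still reads `ca.BootstrapClient(ctx.Background(), token)` on the new side, but no `ctx` is defined at that point and `Background()` belongs to the `context` package, so a reader copying the example gets code that does not compile; while the commit is already reindenting the example it should become `// client, err := ca.BootstrapClient(context.Background(), token)`. In the BootstrapListener example the first error path is `// return nil` while the later one is `// return err`, so the sample silently swallows the listen failure; `// return err` would make the two paths consistent. The bodies of BootstrapClient, BootstrapServer and BootstrapListener all continue outside their hunks.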
|
||||||
2
ca/ca.go
2
ca/ca.go
@ -523,7 +523,7 @@ func (ca *CA) shouldServeSCEPEndpoints() bool {
return ca.auth.GetSCEPService() != nil
|
return ca.auth.GetSCEPService() != nil
|
||||||
}
|
}
|
||||||
|
|
||||||
//nolint // ignore linters to allow keeping this function around for debugging
|
// nolint // ignore linters to allow keeping this function around for debugging
|
||||||
func dumpRoutes(mux chi.Routes) {
|
func dumpRoutes(mux chi.Routes) {
|
||||||
// helpful routine for logging all routes //
|
// helpful routine for logging all routes //
|
||||||
walkFunc := func(method string, route string, handler http.Handler, middlewares ...func(http.Handler) http.Handler) error {
|
walkFunc := func(method string, route string, handler http.Handler, middlewares ...func(http.Handler) http.Handler) error {
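Review bot: The new side turns `//nolint // ignore linters to allow keeping this function around for debugging` into `// nolint // ...` above dumpRoutes, and golangci-lint only recognises the directive without the space, so the suppression this comment exists for is lost and the debugging helper will start being reported by the linters (most likely as unused). gofmt 1.19 inserts the space because `//nolint` without a colon does not look like a directive to it, whereas the colon form is left untouched; `//nolint:all // ignore linters to allow keeping this function around for debugging` satisfies both the formatter and the linter. The body of dumpRoutes continues past the hunk.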
@ -32,7 +32,9 @@ func init() {
var now = time.Now
|
var now = time.Now
|
||||||
|
|
||||||
// The actual regular expression that matches a certificate authority is:
|
// The actual regular expression that matches a certificate authority is:
|
||||||
// ^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/locations/[a-z0-9-]+/caPools/[a-zA-Z0-9-_]+/certificateAuthorities/[a-zA-Z0-9-_]+$
|
//
|
||||||
|
// ^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/locations/[a-z0-9-]+/caPools/[a-zA-Z0-9-_]+/certificateAuthorities/[a-zA-Z0-9-_]+$
|
||||||
|
//
|
||||||
// But we will allow a more flexible one to fail if this changes.
|
// But we will allow a more flexible one to fail if this changes.
|
||||||
var caRegexp = regexp.MustCompile("^projects/[^/]+/locations/[^/]+/caPools/[^/]+/certificateAuthorities/[^/]+$")
|
var caRegexp = regexp.MustCompile("^projects/[^/]+/locations/[^/]+/caPools/[^/]+/certificateAuthorities/[^/]+$")
|
||||||
@ -5,12 +5,13 @@
package cloudcas
|
package cloudcas
|
||||||
|
|
||||||
import (
|
import (
|
||||||
privateca "cloud.google.com/go/security/privateca/apiv1"
|
|
||||||
context "context"
|
context "context"
|
||||||
|
reflect "reflect"
|
||||||
|
|
||||||
|
privateca "cloud.google.com/go/security/privateca/apiv1"
|
||||||
gomock "github.com/golang/mock/gomock"
|
gomock "github.com/golang/mock/gomock"
|
||||||
gax "github.com/googleapis/gax-go/v2"
|
gax "github.com/googleapis/gax-go/v2"
|
||||||
privateca0 "google.golang.org/genproto/googleapis/cloud/security/privateca/v1"
|
privateca0 "google.golang.org/genproto/googleapis/cloud/security/privateca/v1"
|
||||||
reflect "reflect"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// MockCertificateAuthorityClient is a mock of CertificateAuthorityClient interface
|
// MockCertificateAuthorityClient is a mock of CertificateAuthorityClient interface
|
||||||
@ -6,10 +6,11 @@ package cloudcas
|
|
||||||
import (
|
import (
|
||||||
context "context"
|
context "context"
|
||||||
|
reflect "reflect"
|
||||||
|
|
||||||
gomock "github.com/golang/mock/gomock"
|
gomock "github.com/golang/mock/gomock"
|
||||||
longrunning "google.golang.org/genproto/googleapis/longrunning"
|
longrunning "google.golang.org/genproto/googleapis/longrunning"
|
||||||
emptypb "google.golang.org/protobuf/types/known/emptypb"
|
emptypb "google.golang.org/protobuf/types/known/emptypb"
|
||||||
reflect "reflect"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// MockOperationsServer is a mock of OperationsServer interface
|
// MockOperationsServer is a mock of OperationsServer interface
|
||||||
@ -23,7 +23,8 @@ import (
|
|
||||||
// defaultOnboardingURL is the production onboarding url, to use a development
|
// defaultOnboardingURL is the production onboarding url, to use a development
|
||||||
// url use:
|
// url use:
|
||||||
// export STEP_CA_ONBOARDING_URL=http://localhost:3002/onboarding/
|
//
|
||||||
|
// export STEP_CA_ONBOARDING_URL=http://localhost:3002/onboarding/
|
||||||
const defaultOnboardingURL = "https://api.smallstep.com/onboarding/"
|
const defaultOnboardingURL = "https://api.smallstep.com/onboarding/"
|
||||||
|
|
||||||
type onboardingConfiguration struct {
|
type onboardingConfiguration struct {
|
||||||
@ -6,9 +6,10 @@ package mock
|
|
||||||
import (
|
import (
|
||||||
context "context"
|
context "context"
|
||||||
|
reflect "reflect"
|
||||||
|
|
||||||
keyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
|
keyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
|
||||||
gomock "github.com/golang/mock/gomock"
|
gomock "github.com/golang/mock/gomock"
|
||||||
reflect "reflect"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// KeyVaultClient is a mock of KeyVaultClient interface
|
// KeyVaultClient is a mock of KeyVaultClient interface
|
||||||
@ -279,7 +279,8 @@ func (k *CloudKMS) createKeyRingIfNeeded(name string) error {
|
|
||||||
// GetPublicKey gets from Google's Cloud KMS a public key by name. Key names
|
// GetPublicKey gets from Google's Cloud KMS a public key by name. Key names
|
||||||
// follow the pattern:
|
// follow the pattern:
|
||||||
// projects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})/cryptoKeyVersions/([a-zA-Z0-9_-]{1,63})
|
//
|
||||||
|
// projects/([^/]+)/locations/([a-zA-Z0-9_-]{1,63})/keyRings/([a-zA-Z0-9_-]{1,63})/cryptoKeys/([a-zA-Z0-9_-]{1,63})/cryptoKeyVersions/([a-zA-Z0-9_-]{1,63})
|
||||||
func (k *CloudKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
|
func (k *CloudKMS) GetPublicKey(req *apiv1.GetPublicKeyRequest) (crypto.PublicKey, error) {
|
||||||
if req.Name == "" {
|
if req.Name == "" {
|
||||||
return nil, errors.New("createKeyRequest 'name' cannot be empty")
|
return nil, errors.New("createKeyRequest 'name' cannot be empty")
|
||||||
@ -14,12 +14,15 @@ var softHSM2Once sync.Once
|
|
||||||
// mustPKCS11 configures a *PKCS11 KMS to be used with OpenSC, using for example
|
// mustPKCS11 configures a *PKCS11 KMS to be used with OpenSC, using for example
|
||||||
// a Nitrokey HSM. To initialize these tests we should run:
|
// a Nitrokey HSM. To initialize these tests we should run:
|
||||||
// sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 123456
|
//
|
||||||
// Or:
|
// sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 123456
|
||||||
// pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so \
|
//
|
||||||
// --init-token --init-pin \
|
// Or:
|
||||||
// --so-pin=3537363231383830 --new-pin=123456 --pin=123456 \
|
//
|
||||||
// --label="pkcs11-test"
|
// pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so \
|
||||||
|
// --init-token --init-pin \
|
||||||
|
// --so-pin=3537363231383830 --new-pin=123456 --pin=123456 \
|
||||||
|
// --label="pkcs11-test"
|
||||||
func mustPKCS11(t TBTesting) *PKCS11 {
|
func mustPKCS11(t TBTesting) *PKCS11 {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
testModule = "OpenSC"
|
testModule = "OpenSC"
|
||||||
@ -14,12 +14,14 @@ var softHSM2Once sync.Once
|
|
||||||
// mustPKCS11 configures a *PKCS11 KMS to be used with SoftHSM2. To initialize
|
// mustPKCS11 configures a *PKCS11 KMS to be used with SoftHSM2. To initialize
|
||||||
// these tests, we should run:
|
// these tests, we should run:
|
||||||
// softhsm2-util --init-token --free \
|
//
|
||||||
// --token pkcs11-test --label pkcs11-test \
|
// softhsm2-util --init-token --free \
|
||||||
// --so-pin password --pin password
|
// --token pkcs11-test --label pkcs11-test \
|
||||||
|
// --so-pin password --pin password
|
||||||
//
|
//
|
||||||
// To delete we should run:
|
// To delete we should run:
|
||||||
// softhsm2-util --delete-token --token pkcs11-test
|
//
|
||||||
|
// softhsm2-util --delete-token --token pkcs11-test
|
||||||
func mustPKCS11(t TBTesting) *PKCS11 {
|
func mustPKCS11(t TBTesting) *PKCS11 {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
testModule = "SoftHSM2"
|
testModule = "SoftHSM2"
|
||||||
@ -14,7 +14,8 @@ var yubiHSM2Once sync.Once
|
|
||||||
// mustPKCS11 configures a *PKCS11 KMS to be used with YubiHSM2. To initialize
|
// mustPKCS11 configures a *PKCS11 KMS to be used with YubiHSM2. To initialize
|
||||||
// these tests, we should run:
|
// these tests, we should run:
|
||||||
// yubihsm-connector -d
|
//
|
||||||
|
// yubihsm-connector -d
|
||||||
func mustPKCS11(t TBTesting) *PKCS11 {
|
func mustPKCS11(t TBTesting) *PKCS11 {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
testModule = "YubiHSM2"
|
testModule = "YubiHSM2"
|
||||||
@ -19,7 +19,9 @@ type CommonLogFormat struct{}
|
|
||||||
// Format implements the logrus.Formatter interface. It returns the given
|
// Format implements the logrus.Formatter interface. It returns the given
|
||||||
// logrus entry as a CLF line with the following format:
|
// logrus entry as a CLF line with the following format:
|
||||||
// <request-id> <remote-address> <name> <user-id> <time> <duration> "<method> <path> <protocol>" <status> <size>
|
//
|
||||||
|
// <request-id> <remote-address> <name> <user-id> <time> <duration> "<method> <path> <protocol>" <status> <size>
|
||||||
|
//
|
||||||
// If a field is not known, the hyphen symbol (-) will be used.
|
// If a field is not known, the hyphen symbol (-) will be used.
|
||||||
func (f *CommonLogFormat) Format(entry *logrus.Entry) ([]byte, error) {
|
func (f *CommonLogFormat) Format(entry *logrus.Entry) ([]byte, error) {
|
||||||
data := make([]string, len(clfFields))
|
data := make([]string, len(clfFields))
|
||||||