Beispiel #1
0
// NewCFSSLProvider takes the configuration information from an
// Identity (and an optional default remote), returning a CFSSL
// instance. There should be a profile in id called "cfssl", which
// should contain label and profile fields as needed.
func NewCFSSLProvider(id *core.Identity, defaultRemote client.Remote) (*CFSSL, error) {
	if id == nil {
		return nil, errors.New("transport: the identity hasn't been initialised. Has it been loaded from disk?")
	}

	cap := &CFSSL{
		DefaultRemote: defaultRemote,
	}

	cfssl := id.Profiles["cfssl"]
	if cfssl != nil {
		cap.Label = cfssl["label"]
		cap.Profile = cfssl["profile"]

		if cap.DefaultRemote == nil {
			cap.DefaultRemote = client.NewServer(cfssl["remote"])
		}

		cap.DefaultAuth.Type = cfssl["auth-type"]
		cap.DefaultAuth.Key = cfssl["auth-key"]
	}

	err := cap.setRemoteAndAuth()
	if err != nil {
		return nil, err
	}

	return cap, nil
}
Beispiel #2
0
// Helper function to perform a remote sign or info request.
func (s *Signer) remoteOp(req interface{}, profile, target string) (resp interface{}, err error) {
	jsonData, err := json.Marshal(req)
	if err != nil {
		return nil, cferr.Wrap(cferr.APIClientError, cferr.JSONError, err)
	}

	p, err := signer.Profile(s, profile)
	if err != nil {
		return
	}

	server := client.NewServer(p.RemoteServer)
	if server == nil {
		return nil, cferr.Wrap(cferr.PolicyError, cferr.InvalidRequest,
			errors.New("failed to connect to remote"))
	}

	// There's no auth provider for the "info" method
	if target == "info" {
		resp, err = server.Info(jsonData)
	} else if p.RemoteProvider != nil {
		resp, err = server.AuthSign(jsonData, nil, p.RemoteProvider)
	} else {
		resp, err = server.Sign(jsonData)
	}

	if err != nil {
		return nil, err
	}

	return
}
Beispiel #3
0
func getInfoFromRemote(c cli.Config) (resp *info.Resp, err error) {
	req := new(info.Req)
	req.Label = c.Label
	req.Profile = c.Profile

	serv := client.NewServer(c.Remote)

	reqJSON, _ := json.Marshal(req)
	resp, err = serv.Info(reqJSON)
	if err != nil {
		return
	}

	_, err = helpers.ParseCertificatePEM([]byte(resp.Certificate))
	if err != nil {
		return
	}

	return
}
Beispiel #4
0
func cfsslIsAvailable() bool {
	defaultRemote := client.NewServer(testRemote)

	infoReq := info.Req{
		Profile: testProfile,
		Label:   testLabel,
	}

	out, err := json.Marshal(infoReq)
	if err != nil {
		return false
	}

	_, err = defaultRemote.Info(out)
	if err != nil {
		log.Debug("CFSSL remote is unavailable, skipping tests")
		return false
	}

	return true
}
Beispiel #5
0
// NewCFSSL produces a new CFSSL root.
func NewCFSSL(metadata map[string]string) ([]*x509.Certificate, error) {
	host, ok := metadata["host"]
	if !ok {
		return nil, errors.New("transport: CFSSL root provider requires a host")
	}

	label := metadata["label"]
	profile := metadata["profile"]

	srv := client.NewServer(host)
	data, err := json.Marshal(info.Req{Label: label, Profile: profile})
	if err != nil {
		return nil, err
	}

	resp, err := srv.Info(data)
	if err != nil {
		return nil, err
	}

	return helpers.ParseCertificatesPEM([]byte(resp.Certificate))
}
Beispiel #6
0
func (cap *CFSSL) setRemoteAndAuth() error {
	if cap.Label != "" {
		cfsslConfig := findLabel(cap.Label)
		profile, ok := getProfile(cfsslConfig, cap.Profile)
		if ok {
			remote, ok := getRemote(cfsslConfig, profile)
			if ok {
				cap.remote = client.NewServer(remote)
				cap.provider = profile.Provider
				return nil
			}

			// The profile may not have a remote set, but
			// it may have an authentication provider.
			cap.provider = profile.Provider
		}
	}

	cap.remote = cap.DefaultRemote
	if cap.provider != nil {
		return nil
	}
	return cap.loadAuth()
}