// Helper function to perform a remote sign or info request.
func (s *Signer) remoteOp(req interface{}, profile, target string) (resp interface{}, err error) {
jsonData, err := json.Marshal(req)
if err != nil {
return nil, cferr.Wrap(cferr.APIClientError, cferr.JSONError, err)
}
p, err := signer.Profile(s, profile)
if err != nil {
return
}
server := client.NewServer(p.RemoteServer)
if server == nil {
return nil, cferr.Wrap(cferr.PolicyError, cferr.InvalidRequest,
errors.New("failed to connect to remote"))
}
// There's no auth provider for the "info" method
if target == "info" {
resp, err = server.Info(jsonData)
} else if p.RemoteProvider != nil {
resp, err = server.AuthSign(jsonData, nil, p.RemoteProvider)
} else {
resp, err = server.Sign(jsonData)
}
if err != nil {
return nil, err
}
return
}
// NewCFSSLProvider takes the configuration information from an
// Identity (and an optional default remote), returning a CFSSL
// instance. There should be a profile in id called "cfssl", which
// should contain label and profile fields as needed.
func NewCFSSLProvider(id *core.Identity, defaultRemote client.Remote) (*CFSSL, error) {
if id == nil {
return nil, errors.New("transport: the identity hasn't been initialised. Has it been loaded from disk?")
}
cap := &CFSSL{
DefaultRemote: defaultRemote,
}
cfssl := id.Profiles["cfssl"]
if cfssl != nil {
cap.Label = cfssl["label"]
cap.Profile = cfssl["profile"]
if cap.DefaultRemote == nil {
cap.DefaultRemote = client.NewServer(cfssl["remote"])
}
cap.DefaultAuth.Type = cfssl["auth-type"]
cap.DefaultAuth.Key = cfssl["auth-key"]
}
err := cap.setRemoteAndAuth()
if err != nil {
return nil, err
}
return cap, nil
}
func NewRemoteCertGenerator(validator Validator, remote string) (http.Handler, error) {
log.Info("setting up a new remote certificate generator")
cg := new(RemoteCertGeneratorHandler)
if cg.remote = client.NewServer(remote); cg.remote == nil {
log.Errorf("invalid address for remote server")
return nil, errors.New(errors.DialError, errors.Unknown, nil)
}
cg.generator = &csr.Generator{validator}
return HttpHandler{cg, "POST"}, nil
}
func gencertRemotely(req csr.CertificateRequest) error {
srv := client.NewServer(Config.remote)
g := &csr.Generator{validator}
csrPEM, key, err := g.ProcessRequest(&req)
if err != nil {
key = nil
return err
}
var cert []byte
cert, err = srv.Sign(Config.hostname, csrPEM, Config.profile)
if err != nil {
return err
}
printCert(key, csrPEM, cert)
return nil
}
func getInfoFromRemote(c cli.Config) (resp *info.Resp, err error) {
req := new(info.Req)
req.Label = c.Label
req.Profile = c.Profile
serv := client.NewServer(c.Remote)
reqJSON, _ := json.Marshal(req)
resp, err = serv.Info(reqJSON)
if err != nil {
return
}
_, err = helpers.ParseCertificatePEM([]byte(resp.Certificate))
if err != nil {
return
}
return
}
func cfsslIsAvailable() bool {
defaultRemote := client.NewServer(testRemote)
infoReq := info.Req{
Profile: testProfile,
Label: testLabel,
}
out, err := json.Marshal(infoReq)
if err != nil {
return false
}
_, err = defaultRemote.Info(out)
if err != nil {
log.Debug("CFSSL remote is unavailable, skipping tests")
return false
}
return true
}
// NewCFSSL produces a new CFSSL root.
func NewCFSSL(metadata map[string]string) ([]*x509.Certificate, error) {
host, ok := metadata["host"]
if !ok {
return nil, errors.New("transport: CFSSL root provider requires a host")
}
label := metadata["label"]
profile := metadata["profile"]
srv := client.NewServer(host)
data, err := json.Marshal(info.Req{Label: label, Profile: profile})
if err != nil {
return nil, err
}
resp, err := srv.Info(data)
if err != nil {
return nil, err
}
return helpers.ParseCertificatesPEM([]byte(resp.Certificate))
}
func (cap *CFSSL) setRemoteAndAuth() error {
if cap.Label != "" {
cfsslConfig := findLabel(cap.Label)
profile, ok := getProfile(cfsslConfig, cap.Profile)
if ok {
remote, ok := getRemote(cfsslConfig, profile)
if ok {
cap.remote = client.NewServer(remote)
cap.provider = profile.Provider
return nil
}
// The profile may not have a remote set, but
// it may have an authentication provider.
cap.provider = profile.Provider
}
}
cap.remote = cap.DefaultRemote
if cap.provider != nil {
return nil
}
return cap.loadAuth()
}
