a7d4f06285
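--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,36 @@
+---
+kind: pipeline
+type: docker
+name: default-linux-amd64
+
+steps:
+- name: build
+  image: golang
+  commands:
+  - ./ci-build.sh build
+  environment:
+    GOOS: linux
+    GOARCH: amd64
+
+---
+kind: pipeline
+type: docker
+name: gitea-release
+
+steps:
+- name: release
+  image: plugins/gitea-release
+  settings:
+    base_url: https://git.paulbsd.com
+    api_key:
+      from_secret: gitea_token
+    files: "*.tar.gz"
+    title: ./VERSION
+    checksum:
+      - sha256
+      - sha512
+  when:
+    event: tag
+
+depends_on:
+- default-linux-amd64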
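Review bot: Both container images in this pipeline are unpinned — `image: golang` (step `build`) floats to whatever `latest` resolves to at build time, and `image: plugins/gitea-release` (step `release`) likewise — so the published artifact is produced by a toolchain and a plugin that can change underneath the tag it is built for; pin at least a minor version (`image: golang:1.15`, matching go.mod) and preferably a `@sha256:` digest for the step that is handed the `gitea_token` secret. Separately, the `gitea-release` pipeline expects `*.tar.gz` and `./VERSION` in its workspace, but it is a distinct pipeline from `default-linux-amd64`; unless this Drone installation shares a workspace across pipelines (it does not by default), `depends_on` only orders execution and the release step will find nothing to upload. Either move the release step into the build pipeline behind its `when: event: tag` guard, or have the release pipeline run `./ci-build.sh build` itself before publishing.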
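--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/pki
+*.ini
+/test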
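--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,18 @@
+# pki Makefile
+
+GOCMD=go
+GOBUILDCMD=${GOCMD} build
+GOOPTIONS=-mod=vendor -ldflags="-s -w"
+
+RMCMD=rm
+BINNAME=pki
+
+SRCFILES=cmd/pki/*.go
+
+all: build
+
+build:
+	${GOBUILDCMD} ${GOOPTIONS} ${SRCFILES}
+
+clean:
+	${RMCMD} -f ${BINNAME}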
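Review bot: The `build` target invokes `go build` without `-o`, so the output file name depends on the first file matched by `cmd/pki/*.go` happening to be `pki.go`, while `clean` removes `${BINNAME}`; passing `-o ${BINNAME}` (as ci-build.sh already does) makes the two targets agree by construction rather than by coincidence: `${GOBUILDCMD} -o ${BINNAME} ${GOOPTIONS} ${SRCFILES}`. Note also that `-mod=vendor` requires a `vendor/` tree, which is not part of this commit as shown — presumably committed separately, worth confirming before the CI pipeline is relied on.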
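--- a/README.md
+++ b/README.md
@@ -0,0 +1,69 @@
+# pki
+[![Build Status](https://drone.paulbsd.com/api/badges/paulbsd/pki/status.svg)](https://drone.paulbsd.com/paulbsd/pki)
+
+## Summary
+
+PKI is a centralized Letsencrypt database server and renewer for certificate management
+
+## Howto
+
+### Build
+
+```bash
+make
+```
+
+### Sample config in pki.ini
+
+```ini
+[pki]
+db_hostname="hostname"
+db_name="database"
+db_username="username"
+db_password="password"
+db_table="pki_test"
+email="test@example.com"
+maxdaysbefore="3"
+env="staging"
+ovhendpoint=
+ovhak=
+ovhas=
+ovhck=
+```
+
+### Run
+
+```bash
+./pki -configfile pki.ini -port 8080
+```
+
+## License
+
+```text
+Copyright (c) 2020 PaulBSD
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The views and conclusions contained in the software and documentation are those
+of the authors and should not be interpreted as representing official policies,
+either expressed or implied, of this project.
+```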
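--- a/ci-build.sh
+++ b/ci-build.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+PROJECTNAME=pki
+RELEASENAME=${PROJECTNAME}
+VERSION="0"
+
+GOOPTIONS="-mod=vendor"
+SRCFILES=cmd/pki/*.go
+
+build() {
+    if [[ ! -z $DRONE_TAG ]]
+    then
+        VERSION=$DRONE_TAG
+        echo $DRONE_TAG > ./VERSION
+    elif [[ ! -z $DRONE_TAG ]]
+    then
+        VERSION=$DRONE_COMMIT
+    fi
+
+    if [[ ! -z $VERSION && ! -z $GOOS && ! -z $GOARCH ]]
+    then
+        RELEASENAME=${PROJECTNAME}-${VERSION}-${GOOS}-${GOARCH}
+    fi
+
+    echo "Building project"
+    go build -o ${PROJECTNAME} ${GOOPTIONS} ${SRCFILES}
+
+    if [[ ! -z $DRONE_TAG ]]
+    then
+        tar -czvf ${RELEASENAME}.tar.gz ${PROJECTNAME}
+    fi
+
+    echo "Removing binary file"
+    rm ${PROJECTNAME}
+}
+
+clean() {
+    rm -rf $RELEASEDIR
+}
+
+case $1 in
+    "build")
+        build
+        ;;
+    "clean")
+        clean
+        ;;
+    *)
+        ;;
+esac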
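Review bot: The `elif [[ ! -z $DRONE_TAG ]]` in `build()` repeats the condition of the `if` directly above it, so the `VERSION=$DRONE_COMMIT` branch is unreachable and untagged CI builds keep `VERSION="0"`; the intended test is almost certainly `elif [[ -n $DRONE_COMMIT ]]`. The script also has no `set -euo pipefail`, so a failed `go build` is ignored and `tar` then packages whatever stale `pki` binary is lying around — which is exactly the artifact `plugins/gitea-release` would publish under the new tag. `clean()` runs `rm -rf $RELEASEDIR` with a variable that is never assigned in this file; with `set -u` that becomes a hard error instead of an `rm -rf` aimed at whatever the CI environment happens to export under that name, and the expansion should be quoted (`rm -rf "$RELEASEDIR"`) regardless.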
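--- a/cmd/pki/pki.go
+++ b/cmd/pki/pki.go
@@ -0,0 +1,40 @@
+package main
+
+import (
+	"log"
+
+	"git.paulbsd.com/paulbsd/pki/src/config"
+	"git.paulbsd.com/paulbsd/pki/src/database"
+	"git.paulbsd.com/paulbsd/pki/src/pki"
+	"git.paulbsd.com/paulbsd/pki/src/pkiws"
+	_ "github.com/lib/pq"
+)
+
+//var version string
+
+func main() {
+	var PKICtx pki.User
+
+	var cfg config.Config
+	cfg.GetConfig()
+	//cfg.Options.Version = version
+
+	// Initialize database app context
+	err := database.Init(&cfg)
+	if err != nil {
+		log.Fatalln(err)
+	}
+	defer cfg.Db.Close()
+
+	// Initialize PKI app context
+	err = PKICtx.Init(&cfg)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	// Run the PKI web service
+	err = pkiws.RunServer(&cfg)
+	if err != nil {
+		log.Fatalln(err)
+	}
+}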
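Review bot: `cfg.GetConfig()` is the only initialisation call in `main` whose result is not checked, whereas `database.Init`, `PKICtx.Init` and `pkiws.RunServer` all go through `log.Fatalln`; if GetConfig reports failures (its signature is not visible in this file), a missing or unreadable pki.ini would silently proceed into `database.Init` with zero-value settings. Worth confirming and, if it returns an error, handling it the same way: `if err := cfg.GetConfig(); err != nil { log.Fatalln(err) }`. Also note that `log.Fatalln` exits via `os.Exit`, so `defer cfg.Db.Close()` never runs on the later failure paths — acceptable for a dying process, but be aware that whatever error `database.Init` returns is printed verbatim and may carry the DSN including `db_password` if the driver wraps it; worth checking before this log ends up in CI output. The `//var version string` / `//cfg.Options.Version = version` pair is dead code and should either be wired to `-ldflags "-X main.version=..."` in ci-build.sh or dropped.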
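--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,11 @@
+module git.paulbsd.com/paulbsd/pki
+
+go 1.15
+
+require (
+	github.com/go-acme/lego/v4 v4.1.0
+	github.com/labstack/echo/v4 v4.1.17
+	github.com/lib/pq v1.8.0
+	gopkg.in/ini.v1 v1.62.0
+	xorm.io/xorm v1.0.5
+)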
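Review bot: The accompanying go.sum on this page shows `github.com/dgrijalva/jwt-go v3.2.0+incompatible` arriving transitively (most likely via `echo/v4 v4.1.17`); that module has since been archived upstream and, to my recollection, carries a published advisory about audience-claim validation, so if any echo JWT middleware is used by this service it is worth running `go mod why github.com/dgrijalva/jwt-go` and `govulncheck` before the first tagged release. The build scripts pin `-mod=vendor`, so go.sum only protects the checked-in `vendor/` copies if `go mod vendor` is re-run whenever this require block changes; a `go mod verify` step in the build pipeline would catch drift.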
558
go.sum
Normal file
558
go.sum
Normal file
@ -0,0 +1,558 @@
|
|||||||
|
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||||
|
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||||
|
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
|
||||||
|
cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
|
||||||
|
cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
|
||||||
|
cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
|
||||||
|
cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
|
||||||
|
cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
|
||||||
|
cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
|
||||||
|
cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
|
||||||
|
cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
|
||||||
|
cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
|
||||||
|
cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
|
||||||
|
cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
|
||||||
|
cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
|
||||||
|
cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
|
||||||
|
cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
|
||||||
|
cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
|
||||||
|
cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
|
||||||
|
cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
|
||||||
|
cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
|
||||||
|
cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
|
||||||
|
contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA=
|
||||||
|
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
|
||||||
|
gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a h1:lSA0F4e9A2NcQSqGqTOXqu2aRi/XEQxDCBwM8yJtE6s=
|
||||||
|
gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a/go.mod h1:EXuID2Zs0pAQhH8yz+DNjUbjppKQzKFAn28TMYPB6IU=
|
||||||
|
github.com/Azure/azure-sdk-for-go v32.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
|
||||||
|
github.com/Azure/go-autorest/autorest v0.1.0/go.mod h1:AKyIcETwSUFxIcs/Wnq/C+kwCtlEYGUVd7FPNb2slmg=
|
||||||
|
github.com/Azure/go-autorest/autorest v0.5.0/go.mod h1:9HLKlQjVBH6U3oDfsXOeVc56THsLPw1L03yban4xThw=
|
||||||
|
github.com/Azure/go-autorest/autorest/adal v0.1.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E=
|
||||||
|
github.com/Azure/go-autorest/autorest/adal v0.2.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E=
|
||||||
|
github.com/Azure/go-autorest/autorest/azure/auth v0.1.0/go.mod h1:Gf7/i2FUpyb/sGBLIFxTBzrNzBo7aPXXE3ZVeDRwdpM=
|
||||||
|
github.com/Azure/go-autorest/autorest/azure/cli v0.1.0/go.mod h1:Dk8CUAt/b/PzkfeRsWzVG9Yj3ps8mS8ECztu43rdU8U=
|
||||||
|
github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
|
||||||
|
github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
|
||||||
|
github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc=
|
||||||
|
github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8=
|
||||||
|
github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
|
||||||
|
github.com/Azure/go-autorest/tracing v0.1.0/go.mod h1:ROEEAFwXycQw7Sn3DXNtEedEvdeRAgDr0izn4z5Ij88=
|
||||||
|
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||||
|
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
|
||||||
|
github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87/go.mod h1:iGLljf5n9GjT6kc0HBvyI1nOKnGQbNB66VzSNbK5iks=
|
||||||
|
github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
|
||||||
|
github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
|
||||||
|
github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
|
||||||
|
github.com/akamai/AkamaiOPEN-edgegrid-golang v0.9.18/go.mod h1:L+HB2uBoDgi3+r1pJEJcbGwyyHhd2QXaGsKLbDwtm8Q=
|
||||||
|
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||||
|
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
|
||||||
|
github.com/aliyun/alibaba-cloud-sdk-go v1.61.458/go.mod h1:pUKYbK5JQ+1Dfxk80P0qxGqe5dkxDoabbZS7zOcouyA=
|
||||||
|
github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
|
||||||
|
github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
|
||||||
|
github.com/aws/aws-sdk-go v1.30.20/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
|
||||||
|
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
|
||||||
|
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
|
||||||
|
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
|
||||||
|
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
|
||||||
|
github.com/cenkalti/backoff/v4 v4.0.2 h1:JIufpQLbh4DkbQoii76ItQIUFzevQSqOLZca4eamEDs=
|
||||||
|
github.com/cenkalti/backoff/v4 v4.0.2/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg=
|
||||||
|
github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
|
||||||
|
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
|
||||||
|
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
|
||||||
|
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
|
||||||
|
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
|
||||||
|
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
|
||||||
|
github.com/cloudflare/cloudflare-go v0.13.2/go.mod h1:27kfc1apuifUmJhp069y0+hwlKDg4bd8LWlu7oKeZvM=
|
||||||
|
github.com/cpu/goacmedns v0.0.3/go.mod h1:4MipLkI+qScwqtVxcNO6okBhbgRrr7/tKXUSgSL0teQ=
|
||||||
|
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
|
||||||
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
|
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||||
|
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
|
github.com/denisenkom/go-mssqldb v0.0.0-20200428022330-06a60b6afbbc/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
|
||||||
|
github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
|
||||||
|
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
|
||||||
|
github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
|
||||||
|
github.com/dnsimple/dnsimple-go v0.63.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c71tQlGr9SeGrg=
|
||||||
|
github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
|
||||||
|
github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
|
||||||
|
github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
|
||||||
|
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||||
|
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
||||||
|
github.com/exoscale/egoscale v0.23.0/go.mod h1:hRo78jkjkCDKpivQdRBEpNYF5+cVpCJCPDg2/r45KaY=
|
||||||
|
github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
|
||||||
|
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
|
||||||
|
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
|
||||||
|
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
|
||||||
|
github.com/go-acme/lego/v4 v4.1.0 h1:/9pMjaeaLq6m0n+io+kv2ySs2ZfrmH6eazuMoN18GHo=
|
||||||
|
github.com/go-acme/lego/v4 v4.1.0/go.mod h1:pIFm5tWkXSgiAEfJ/XQCQIvX1cEvHFwbgLZyx8OVSUE=
|
||||||
|
github.com/go-cmd/cmd v1.0.5/go.mod h1:y8q8qlK5wQibcw63djSl/ntiHUHXHGdCkPk0j4QeW4s=
|
||||||
|
github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
|
||||||
|
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
|
||||||
|
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
|
||||||
|
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
|
||||||
|
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
|
||||||
|
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
|
||||||
|
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
|
||||||
|
github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48/go.mod h1:dZGr0i9PLlaaTD4H/hoZIDjQ+r6xq8mgbRzHZf7f2J8=
|
||||||
|
github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
|
||||||
|
github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
|
||||||
|
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
|
||||||
|
github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
|
||||||
|
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
||||||
|
github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
||||||
|
github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
|
||||||
|
github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
|
||||||
|
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
|
||||||
|
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||||
|
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||||
|
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||||
|
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
||||||
|
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
||||||
|
github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
|
||||||
|
github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
|
||||||
|
github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
|
||||||
|
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||||
|
github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
|
||||||
|
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||||
|
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||||
|
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
|
||||||
|
github.com/golang/protobuf v1.3.4 h1:87PNWwrRvUSnqS4dlcBU/ftvOIBep4sYuBLlh6rX2wk=
|
||||||
|
github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
|
||||||
|
github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db h1:woRePGFeVFfLKN/pOkfl+p/TAqKOfFu+7KPlMVpok/w=
|
||||||
|
github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
|
||||||
|
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
|
||||||
|
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
|
||||||
|
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
|
||||||
|
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||||
|
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||||
|
github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
|
||||||
|
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||||
|
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
|
||||||
|
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
|
||||||
|
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
|
||||||
|
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
||||||
|
github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
|
||||||
|
github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
|
||||||
|
github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
|
||||||
|
github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
|
||||||
|
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
|
||||||
|
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||||
|
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
|
||||||
|
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
|
||||||
|
github.com/gophercloud/gophercloud v0.6.1-0.20191122030953-d8ac278c1c9d/go.mod h1:ozGNgr9KYOVATV5jsgHl/ceCDXGuguqOZAzoQ/2vcNM=
|
||||||
|
github.com/gophercloud/gophercloud v0.7.0/go.mod h1:gmC5oQqMDOMO1t1gq5DquX/yAU808e/4mzjjDA76+Ss=
|
||||||
|
github.com/gophercloud/utils v0.0.0-20200508015959-b0167b94122c/go.mod h1:ehWUbLQJPqS0Ep+CxeD559hsm9pthPXadJNKwZkp43w=
|
||||||
|
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
|
||||||
|
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
|
||||||
|
github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
|
||||||
|
github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
|
||||||
|
github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
|
||||||
|
github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
|
||||||
|
github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
|
||||||
|
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
|
||||||
|
github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
|
||||||
|
github.com/hashicorp/go-retryablehttp v0.6.7/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
|
||||||
|
github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
|
||||||
|
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||||
|
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||||
|
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
|
||||||
|
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
|
||||||
|
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
|
||||||
|
github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df/go.mod h1:QMZY7/J/KSQEhKWFeDesPjMj+wCHReeknARU3wqlyN4=
|
||||||
|
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
|
||||||
|
github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
|
||||||
|
github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
||||||
|
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
||||||
|
github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
|
||||||
|
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
|
||||||
|
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
|
||||||
|
github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
|
||||||
|
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
|
||||||
|
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
|
||||||
|
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||||
|
github.com/kolo/xmlrpc v0.0.0-20200310150728-e0350524596b/go.mod h1:o03bZfuBwAXHetKXuInt4S7omeXUu62/A845kiycsSQ=
|
||||||
|
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||||
|
github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||||
|
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
|
||||||
|
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
|
||||||
|
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||||
|
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||||
|
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
|
||||||
|
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
|
||||||
|
github.com/labbsr0x/bindman-dns-webhook v1.0.2/go.mod h1:p6b+VCXIR8NYKpDr8/dg1HKfQoRHCdcsROXKvmoehKA=
|
||||||
|
github.com/labbsr0x/goh v1.0.1/go.mod h1:8K2UhVoaWXcCU7Lxoa2omWnC8gyW8px7/lmO61c027w=
|
||||||
|
github.com/labstack/echo v1.4.4 h1:1bEiBNeGSUKxcPDGfZ/7IgdhJJZx8wV/pICJh4W2NJI=
|
||||||
|
github.com/labstack/echo v3.3.10+incompatible h1:pGRcYk231ExFAyoAjAfD85kQzRJCRI8bbnE7CX5OEgg=
|
||||||
|
github.com/labstack/echo/v4 v4.1.17 h1:PQIBaRplyRy3OjwILGkPg89JRtH2x5bssi59G2EL3fo=
|
||||||
|
github.com/labstack/echo/v4 v4.1.17/go.mod h1:Tn2yRQL/UclUalpb5rPdXDevbkJ+lp/2svdyFBg6CHQ=
|
||||||
|
github.com/labstack/gommon v0.3.0 h1:JEeO0bvc78PKdyHxloTKiF8BD5iGrH8T6MSeGvSgob0=
|
||||||
|
github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k=
|
||||||
|
github.com/lib/pq v1.7.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
|
||||||
|
github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg=
|
||||||
|
github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
|
||||||
|
github.com/linode/linodego v0.21.0/go.mod h1:UTpq1JUZD0CZsJ8rt+0CRkqbzrp1MbGakVPt2DXY5Mk=
|
||||||
|
github.com/liquidweb/liquidweb-go v1.6.1/go.mod h1:UDcVnAMDkZxpw4Y7NOHkqoeiGacVLEIG/i5J9cyixzQ=
|
||||||
|
github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
|
||||||
|
github.com/mattn/go-colorable v0.1.7 h1:bQGKb3vps/j0E9GfJQ03JyhRuxsvdAanXlT9BTw3mdw=
|
||||||
|
github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
|
||||||
|
github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
|
||||||
|
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
|
||||||
|
github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
|
||||||
|
github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
|
||||||
|
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
|
||||||
|
github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
|
||||||
|
github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
|
||||||
|
github.com/mattn/go-sqlite3 v1.14.0 h1:mLyGNKR8+Vv9CAU7PphKa2hkEqxxhn8i32J6FPj1/QA=
|
||||||
|
github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus=
|
||||||
|
github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
|
||||||
|
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
|
||||||
|
github.com/miekg/dns v1.1.31 h1:sJFOl9BgwbYAWOGEwr61FU28pqsBNdpRBnhGXtO06Oo=
|
||||||
|
github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
|
||||||
|
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||||
|
github.com/mitchellh/go-vnc v0.0.0-20150629162542-723ed9867aed/go.mod h1:3rdaFaCv4AyBgu5ALFM0+tSuHrBh6v692nyQe3ikrq0=
|
||||||
|
github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
|
||||||
|
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||||
|
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||||
|
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
|
||||||
|
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
|
||||||
|
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
||||||
|
github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04/go.mod h1:5sN+Lt1CaY4wsPvgQH/jsuJi4XO2ssZbdsIizr4CVC8=
|
||||||
|
github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms=
|
||||||
|
github.com/nrdcg/auroradns v1.0.1/go.mod h1:y4pc0i9QXYlFCWrhWrUSIETnZgrf4KuwjDIWmmXo3JI=
|
||||||
|
github.com/nrdcg/desec v0.5.0/go.mod h1:2ejvMazkav1VdDbv2HeQO7w+Ta1CGHqzQr27ZBYTuEQ=
|
||||||
|
github.com/nrdcg/dnspod-go v0.4.0/go.mod h1:vZSoFSFeQVm2gWLMkyX61LZ8HI3BaqtHZWgPTGKr6KQ=
|
||||||
|
github.com/nrdcg/goinwx v0.8.1/go.mod h1:tILVc10gieBp/5PMvbcYeXM6pVQ+c9jxDZnpaR1UW7c=
|
||||||
|
github.com/nrdcg/namesilo v0.2.1/go.mod h1:lwMvfQTyYq+BbjJd30ylEG4GPSS6PII0Tia4rRpRiyw=
|
||||||
|
github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA=
|
||||||
|
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||||
|
github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs=
|
||||||
|
github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
github.com/oracle/oci-go-sdk v24.2.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888=
github.com/ovh/go-ovh v1.1.0 h1:bHXZmw8nTgZin4Nv7JuaLs0KG5x54EQR7migYTd1zrk=
github.com/ovh/go-ovh v1.1.0/go.mod h1:AxitLZ5HBRPyUd+Zl60Ajaag+rNTdVXWIkzfrVuTXWA=
github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
github.com/rainycape/memcache v0.0.0-20150622160815-1031fa0ce2f2/go.mod h1:7tZKcyumwBO6qip7RNQ5r77yrssm9bfCowcLEBcU5IA=
github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/sacloud/libsacloud v1.36.2/go.mod h1:P7YAOVmnIn3DKHqCZcUKYUXmSwGBm3yS7IBEjKVSrjg=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/skratchdot/open-golang v0.0.0-20160302144031-75fb7ed4208c/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
github.com/transip/gotransip/v6 v6.2.0/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g=
github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
github.com/valyala/fasttemplate v1.2.1 h1:TVEnxayobAdVkhQfrfes2IzOB6o+z4roRkPF52WA1u4=
github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
github.com/vultr/govultr v0.5.0/go.mod h1:wZZXZbYbqyY1n3AldoeYNZK4Wnmmoq6dNFkvd5TV3ss=
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/ratelimit v0.0.0-20180316092928-c15da0234277/go.mod h1:2X8KaoNd1J0lZV+PxJk/5+DGbO/tpwLR1m++a7FnB/Y=
golang.org/x/crypto v0.0.0-20180621125126-a49355c7e3f8/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191202143827-86a70503ff7e/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a h1:vclmkQCjlDX5OydZ9wv8rBCcS0QyQY66Mpf/7BZbInM=
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA=
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200826173525-f9321e4c35a6 h1:DvY3Zkh7KabQE/kfzMvYvKirSiguP9Q/veMtkYyf0o8=
golang.org/x/sys v0.0.0-20200826173525-f9321e4c35a6/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191203134012-c197fd4bf371/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
|
||||||
|
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
|
||||||
|
google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
|
||||||
|
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
|
||||||
|
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
|
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
|
||||||
|
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
|
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
|
||||||
|
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
|
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
|
||||||
|
gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
|
||||||
|
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
|
||||||
|
gopkg.in/h2non/gock.v1 v1.0.15/go.mod h1:sX4zAkdYX1TRGJ2JY156cFspQn4yRWn6p9EMdODlynE=
|
||||||
|
gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||||
|
gopkg.in/ini.v1 v1.51.1/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||||
|
gopkg.in/ini.v1 v1.57.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||||
|
gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU=
|
||||||
|
gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||||
|
gopkg.in/ns1/ns1-go.v2 v2.4.2/go.mod h1:GMnKY+ZuoJ+lVLL+78uSTjwTz2jMazq6AfGKQOYhsPk=
|
||||||
|
gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
|
||||||
|
gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
|
||||||
|
gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
|
||||||
|
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
|
||||||
|
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
|
||||||
|
gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
|
||||||
|
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
|
||||||
|
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
|
||||||
|
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
|
honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||||
|
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||||
|
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||||
|
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||||
|
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||||
|
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
|
||||||
|
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
|
||||||
|
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
|
||||||
|
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
|
||||||
|
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
|
||||||
|
xorm.io/builder v0.3.7 h1:2pETdKRK+2QG4mLX4oODHEhn5Z8j1m8sXa7jfu+/SZI=
|
||||||
|
xorm.io/builder v0.3.7/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
|
||||||
|
xorm.io/xorm v1.0.5 h1:LRr5PfOUb4ODPR63YwbowkNDwcolT2LnkwP/TUaMaB0=
|
||||||
|
xorm.io/xorm v1.0.5/go.mod h1:uF9EtbhODq5kNWxMbnBEj8hRRZnlcNSz2t2N7HW/+A4=
|
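--- a/pki.ini.sample
+++ b/pki.ini.sample
@@ -0,0 +1,15 @@
+[pki]
+db_hostname="hostname"
+db_name="database"
+db_username="username"
+db_password="password"
+db_table="pki_test"
+username=username
+password=password
+email="test@example.com"
+maxdaysbefore="3"
+env="staging"
+ovhendpoint=
+ovhak=
+ovhas=
+ovhck=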
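Review bot: `db_table="pki_test"` is dead configuration — src/config/main.go in this commit reads db_hostname, db_name, db_username and db_password from the `[pki]` section but never a `db_table` key, so the sample advertises a knob that does nothing. Either drop the line or add a comment listing which keys are actually consumed. It would also help operators to state that `username`/`password` are the credentials of the HTTP basic-auth account created by `-init`, and that `GetConfig` falls back to a built-in default password when the key is omitted, e.g. `; username/password: initial basic-auth account created with -init; always set password explicitly`.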
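--- a/src/cert/main.go
+++ b/src/cert/main.go
@@ -0,0 +1,16 @@
+package cert
+
+import "time"
+
+// Entry is the main struct for stored certificates
+type Entry struct {
+ID int `xorm:"pk autoincr"`
+Domain string `xorm:"notnull"`
+Certificate string `xorm:"text notnull"`
+PrivateKey string `xorm:"text notnull"`
+AuthURL string
+ValidityBegin time.Time
+ValidityEnd time.Time
+Created time.Time `xorm:"created notnull"`
+Updated time.Time `xorm:"updated notnull"`
+}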
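Review bot: `Domain string `xorm:"notnull"`` has no uniqueness constraint, yet `GetEntry` in src/pki/acme.go looks rows up with `Where("domain = ?", domain).Get(...)` and `GetCertificate` inserts a fresh row whenever that lookup returns any error — including a transient DB error — so one domain can accumulate several certificate/key rows and whichever the query happens to return first is served. Suggest `Domain string `xorm:"notnull unique"`` so a duplicate issuance fails loudly instead of silently piling up keys. Separately, `PrivateKey` is a plaintext text column holding the certificate's private key; if that is intentional, say so in the struct comment (`// PrivateKey is stored unencrypted; the database is the trust boundary`) so the at-rest exposure is a documented decision rather than an accident.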
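--- a/src/config/main.go
+++ b/src/config/main.go
@@ -0,0 +1,111 @@
+package config
+
+import (
+"flag"
+"fmt"
+
+"git.paulbsd.com/paulbsd/pki/utils"
+"github.com/go-acme/lego/v4/lego"
+"gopkg.in/ini.v1"
+"xorm.io/xorm"
+)
+
+// GetConfig fetch configuration
+func (cfg *Config) GetConfig() error {
+var configfile string
+var debug bool
+var drop bool
+var port int
+var init bool
+
+flag.Usage = utils.Usage
+
+flag.StringVar(&configfile, "configfile", "pki.ini", "Configuration file to use with pki section")
+flag.IntVar(&port, "port", 8080, "Web service port to use")
+flag.BoolVar(&debug, "debug", false, "If debug logging must be enabled")
+flag.BoolVar(&drop, "drop", false, "If dropping tables must occur")
+flag.BoolVar(&init, "init", false, "If init of database must be done")
+
+flag.Parse()
+
+cfg.Switchs.Port = port
+cfg.Switchs.Debug = debug
+cfg.Switchs.Drop = drop
+cfg.Switchs.Init = init
+
+inicfg, err := ini.Load(configfile)
+if err != nil {
+return err
+}
+
+pkisection := inicfg.Section("pki")
+options := make(map[string]string)
+
+cfg.DbParams.DbHostname = pkisection.Key("db_hostname").MustString("localhost")
+cfg.DbParams.DbName = pkisection.Key("db_name").MustString("database")
+cfg.DbParams.DbUsername = pkisection.Key("db_username").MustString("username")
+cfg.DbParams.DbPassword = pkisection.Key("db_password").MustString("password")
+
+cfg.Options.HideBanner = pkisection.Key("hidebanner").MustBool(true)
+
+cfg.Init.Email = pkisection.Key("email").MustString("email@email.com")
+cfg.Init.Username = pkisection.Key("username").MustString("pki")
+cfg.Init.Password = pkisection.Key("password").MustString("P@ssw0rd!")
+
+cfg.ACME.Env = pkisection.Key("env").MustString("prod")
+cfg.ACME.MaxDaysBefore = pkisection.Key("maxdaysbefore").MustInt(0)
+
+options["ovhendpoint"] = pkisection.Key("ovhendpoint").MustString("ovh-eu")
+options["ovhak"] = pkisection.Key("ovhak").MustString("")
+options["ovhas"] = pkisection.Key("ovhas").MustString("")
+options["ovhck"] = pkisection.Key("ovhck").MustString("")
+
+cfg.ACME.ProviderOptions = options
+for k, v := range options {
+if v == "" {
+utils.Advice(fmt.Sprintf("OVH provider parameter %s not set", k))
+}
+}
+
+switch cfg.ACME.Env {
+case "prod":
+cfg.ACME.AuthURL = lego.LEDirectoryProduction
+case "staging":
+cfg.ACME.AuthURL = lego.LEDirectoryStaging
+}
+
+return nil
+}
+
+// Config is the global config
+type Config struct {
+Db *xorm.Engine `json:"-"`
+DbParams struct {
+DbHostname string `json:"dbhostname"`
+DbName string `json:"dbname"`
+DbUsername string `json:"dbusername"`
+DbPassword string `json:"dbpassword"`
+} `json:"dbparams"`
+Options struct {
+Version string `json:"version"`
+HideBanner bool `json:"hidebanner"`
+} `json:"-"`
+Switchs struct {
+Port int `json:"port"`
+NoFeed bool `json:"nofeed"`
+Debug bool `json:"debug"`
+Drop bool `json:"drop"`
+Init bool `json:"init"`
+} `json:"-"`
+ACME struct {
+Env string `json:"env"`
+AuthURL string `json:"authurl"`
+ProviderOptions map[string]string `json:"provideroptions"`
+MaxDaysBefore int `json:"maxdaysbefore"`
+}
+Init struct {
+Email string `json:"email"`
+Username string `json:"username"`
+Password string `json:"password"`
+} `json:"-"`
+}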
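Review bot: `cfg.Init.Password = pkisection.Key("password").MustString("P@ssw0rd!")` silently provisions the bootstrap basic-auth account with a well-known password whenever the key is missing from pki.ini, and nothing downstream warns about it; a missing password should abort the same way the empty OVH keys do (`utils.Advice("initial user password not set")`) or at least make `-init` refuse to run. The `Config` value is also serialised verbatim by the `/config` route in src/pkiws/server.go, and `DbPassword string `json:"dbpassword"`` plus `ProviderOptions map[string]string `json:"provideroptions"`` (which carries ovhak/ovhas/ovhck) are tagged for output, so the database password and the OVH API secrets are part of that response — tag both `json:"-"` or expose a redacted view. Finally, `switch cfg.ACME.Env` has no `default`, so a value such as `env="production"` leaves `cfg.ACME.AuthURL` empty and the failure only surfaces later inside lego; a `default: return fmt.Errorf("unknown env %q", cfg.ACME.Env)` would catch it at startup.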
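--- a/src/database/main.go
+++ b/src/database/main.go
@@ -0,0 +1,48 @@
+package database
+
+import (
+"fmt"
+"log"
+"os"
+
+"git.paulbsd.com/paulbsd/pki/src/cert"
+"git.paulbsd.com/paulbsd/pki/src/config"
+"git.paulbsd.com/paulbsd/pki/src/pki"
+_ "github.com/lib/pq"
+"xorm.io/xorm"
+"xorm.io/xorm/names"
+)
+
+// Init creates connection to database and exec Schema
+func Init(cfg *config.Config) (err error) {
+var databaseEngine = "postgres"
+tables := []interface{}{cert.Entry{},
+pki.User{}}
+
+cfg.Db, err = xorm.NewEngine(databaseEngine,
+fmt.Sprintf("%s://%s:%s@%s/%s",
+databaseEngine,
+cfg.DbParams.DbUsername,
+cfg.DbParams.DbPassword,
+cfg.DbParams.DbHostname,
+cfg.DbParams.DbName))
+if err != nil {
+log.Fatalln(err)
+}
+cfg.Db.SetMapper(names.GonicMapper{})
+cfg.Db.ShowSQL(cfg.Switchs.Debug)
+
+if cfg.Switchs.Drop {
+for _, table := range tables {
+cfg.Db.DropTables(table)
+}
+os.Exit(0)
+}
+
+log.Println("Syncing tables")
+for _, table := range tables {
+cfg.Db.CreateTables(table)
+cfg.Db.Sync2(table)
+}
+return
+}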
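Review bot: The DSN built with `fmt.Sprintf("%s://%s:%s@%s/%s", ...)` splices the username and password into a URL without escaping, so a password containing `@`, `/`, `%` or `#` yields a malformed URL or a connection to the wrong host; build it with `net/url` instead, e.g. `u := url.URL{Scheme: databaseEngine, User: url.UserPassword(cfg.DbParams.DbUsername, cfg.DbParams.DbPassword), Host: cfg.DbParams.DbHostname, Path: cfg.DbParams.DbName}` and pass `u.String()` to `xorm.NewEngine`. The function declares a named `err` result but calls `log.Fatalln(err)` on connection failure and discards the return values of `DropTables`, `CreateTables` and `Sync2`, so a schema-sync failure is invisible and the process goes on to serve against an incomplete schema. Returning those errors (`if err := cfg.Db.Sync2(table); err != nil { return err }`) keeps both the `-drop` path and normal startup honest.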
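--- a/src/pki/acme.go
+++ b/src/pki/acme.go
@@ -0,0 +1,159 @@
+package pki
+
+import (
+"crypto"
+"crypto/ecdsa"
+"crypto/elliptic"
+"crypto/rand"
+"crypto/x509"
+"encoding/pem"
+"fmt"
+"log"
+
+"git.paulbsd.com/paulbsd/pki/src/cert"
+"git.paulbsd.com/paulbsd/pki/src/config"
+"github.com/go-acme/lego/v4/certcrypto"
+"github.com/go-acme/lego/v4/certificate"
+"github.com/go-acme/lego/v4/lego"
+"github.com/go-acme/lego/v4/registration"
+)
+
+// Init initialize user table
+func (u *User) Init(cfg *config.Config) (err error) {
+if cfg.Switchs.Init {
+err = u.CreateInitialUser(cfg)
+return
+}
+return
+}
+
+// GetEntry returns requested acme ressource in database relative to domain
+func (u *User) GetEntry(cfg *config.Config, domain string) (Entry cert.Entry, err error) {
+has, err := cfg.Db.Where("domain = ?", domain).Get(&Entry)
+if !has {
+err = fmt.Errorf("Entry doesn't exists")
+}
+
+return
+}
+
+// HandleRegistration get existing registration if exists, else fetch a new registration
+func (u *User) HandleRegistration(cfg *config.Config, client *lego.Client) (err error) {
+reg, err := client.Registration.ResolveAccountByKey()
+if err != nil {
+log.Println(u.key, reg, err)
+} else {
+u.Registration = reg
+return
+}
+
+reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+if err != nil {
+log.Println(err)
+}
+u.Registration = reg
+
+// Saving private key
+u.SavePrivateKey()
+_, err = cfg.Db.Update(u)
+return
+}
+
+// RequestNewCert returns a newly requested certificate to letsencrypt
+func (u *User) RequestNewCert(cfg *config.Config, domain string) (certificates *certificate.Resource, err error) {
+legoconfig := lego.NewConfig(u)
+legoconfig.CADirURL = cfg.ACME.AuthURL
+legoconfig.Certificate.KeyType = certcrypto.RSA2048
+
+ovhprovider, err := initProvider(cfg)
+
+client, err := lego.NewClient(legoconfig)
+if err != nil {
+log.Fatal(err)
+}
+
+err = client.Challenge.SetDNS01Provider(ovhprovider)
+if err != nil {
+log.Fatal(err)
+}
+
+// If PKICtx doesn't exists, get existing of fetch registration
+if u.Registration == nil {
+err = u.HandleRegistration(cfg, client)
+if err != nil {
+log.Println(err)
+}
+}
+
+request := certificate.ObtainRequest{
+Domains: []string{domain},
+Bundle: true,
+}
+
+certificates, err = client.Certificate.Obtain(request)
+if err != nil {
+log.Fatal(err)
+}
+return
+}
+
+// GetEmail returns User Email
+func (u *User) GetEmail() string {
+return u.Email
+}
+
+// GetRegistration returns User Registration
+func (u *User) GetRegistration() *registration.Resource {
+return u.Registration
+}
+
+// GetPrivateKey returns User key
+func (u *User) GetPrivateKey() crypto.PrivateKey {
+if u.key == nil {
+if u.PrivateKey == "" {
+u.key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+return u.key
+}
+block, _ := pem.Decode([]byte(u.PrivateKey))
+switch block.Type {
+case "RSA PRIVATE KEY":
+u.key, _ = x509.ParsePKCS1PrivateKey(block.Bytes)
+case "EC PRIVATE KEY":
+u.key, _ = x509.ParseECPrivateKey(block.Bytes)
+}
+return u.key
+}
+return u.key
+}
+
+// SavePrivateKey returns User key
+func (u *User) SavePrivateKey() (err error) {
+if u.key != nil {
+pemKey := certcrypto.PEMBlock(u.key)
+u.PrivateKey = string(pem.EncodeToMemory(pemKey))
+}
+return
+}
+
+/*
+// ReadConfig reads accounting config to file
+func (u *User) ReadConfig(cfg *config.Config, filename string) (err error) {
+f, err := os.Open(filename)
+defer f.Close()
+if err != nil {
+return
+}
+d, err := ioutil.ReadAll(f)
+err = json.Unmarshal(d, u)
+return
+}
+
+// WriteConfig writes accounting config to file
+func (u *User) WriteConfig(filename string) (err error) {
+file, err := json.MarshalIndent(u, "", " ")
+if err != nil {
+return
+}
+err = ioutil.WriteFile(filename, file, 0644)
+return
+}*/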
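Review bot: `log.Println(u.key, reg, err)` in `HandleRegistration` writes the ACME account private key to the log — `u.key` is an `*ecdsa.PrivateKey`, and default formatting prints its secret `D` scalar alongside the public point — and this branch runs whenever `ResolveAccountByKey` fails, which is what a first-time registration looks like; log only the error (`log.Println("no existing ACME account for this key, registering:", err)`). In `RequestNewCert` the `err` from `ovhprovider, err := initProvider(cfg)` is never examined before `client, err := lego.NewClient(...)` overwrites it, so a bad OVH configuration hands a nil provider to `SetDNS01Provider` and fails later, likely as a nil-pointer panic during the challenge. The same function calls `log.Fatal(err)` when `NewClient`, `SetDNS01Provider` or `Obtain` fails, which means any authenticated `GET /domain/:domain` that hits a CA rate limit or a DNS-01 timeout terminates the whole server — return the error instead so one failed issuance cannot take the service down. `GetPrivateKey` also dereferences `block.Type` without checking `pem.Decode` for a nil block and discards every parse error, so a corrupted `PrivateKey` column panics rather than reporting.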
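--- a/src/pki/provider.go
+++ b/src/pki/provider.go
@@ -0,0 +1,20 @@
+package pki
+
+import (
+"git.paulbsd.com/paulbsd/pki/src/config"
+"github.com/go-acme/lego/v4/providers/dns/ovh"
+)
+
+// initProvider initialize DNS provider configuration
+func initProvider(cfg *config.Config) (ovhprovider *ovh.DNSProvider, err error) {
+ovhconfig := ovh.NewDefaultConfig()
+
+ovhconfig.APIEndpoint = cfg.ACME.ProviderOptions["ovhendpoint"]
+ovhconfig.ApplicationKey = cfg.ACME.ProviderOptions["ovhak"]
+ovhconfig.ApplicationSecret = cfg.ACME.ProviderOptions["ovhas"]
+ovhconfig.ConsumerKey = cfg.ACME.ProviderOptions["ovhck"]
+
+ovhprovider, err = ovh.NewDNSProviderConfig(ovhconfig)
+
+return
+}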
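--- a/src/pki/utils.go
+++ b/src/pki/utils.go
@@ -0,0 +1,43 @@
+package pki
+
+import (
+"crypto"
+"crypto/sha512"
+"encoding/hex"
+"time"
+
+"git.paulbsd.com/paulbsd/pki/src/config"
+"github.com/go-acme/lego/v4/registration"
+)
+
+// CreateInitialUser creates initial user with password
+func (u *User) CreateInitialUser(cfg *config.Config) (err error) {
+*u = User{Username: cfg.Init.Username}
+
+has, err := cfg.Db.Get(u)
+
+if !has {
+hashedPassword := sha512.Sum512([]byte(cfg.Init.Password))
+base64Password := hex.EncodeToString(hashedPassword[:])
+
+*u = User{
+Username: cfg.Init.Username,
+PasswordSHA512: base64Password,
+Email: cfg.Init.Email}
+cfg.Db.Insert(u)
+}
+return
+}
+
+// User describe accounts
+type User struct {
+ID int `xorm:"pk autoincr"`
+Username string `xorm:"text notnull unique"`
+PasswordSHA512 string `xorm:"text notnull"`
+Email string `xorm:"text"`
+PrivateKey string `xorm:"text"`
+Created time.Time `xorm:"created notnull"`
+Updated time.Time `xorm:"updated notnull"`
+Registration *registration.Resource `xorm:"-"`
+key crypto.PrivateKey `xorm:"-"`
+}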
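Review bot: `CreateInitialUser` stores `hex.EncodeToString(sha512.Sum512(...))` of the password — a single unsalted SHA-512 — as the credential, which is brute-forceable offline at GPU speed if the `user` table leaks and gives identical hashes to identical passwords; use a purpose-built password hash such as `golang.org/x/crypto/bcrypt` (`bcrypt.GenerateFromPassword([]byte(cfg.Init.Password), bcrypt.DefaultCost)`, verified with `bcrypt.CompareHashAndPassword` in `Auth`), checking go.sum first for whether x/crypto is already a transitive dependency of lego before adding it. The naming also misleads: `base64Password` holds hex, and `PasswordSHA512` hard-codes the algorithm into the column name, so a neutral `PasswordHash` would save a migration later. `has, err := cfg.Db.Get(u)` ignores `err` and `cfg.Db.Insert(u)` ignores its result, so a database failure during `-init` reports success with no user created — return both.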
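--- a/src/pkiws/server.go
+++ b/src/pkiws/server.go
@@ -0,0 +1,51 @@
+package pkiws
+
+import (
+"fmt"
+"log"
+"net/http"
+
+"git.paulbsd.com/paulbsd/pki/src/config"
+"git.paulbsd.com/paulbsd/pki/src/pki"
+
+"github.com/labstack/echo/v4"
+"github.com/labstack/echo/v4/middleware"
+)
+
+// RunServer runs the main echo HTTP server
+func RunServer(cfg *config.Config) (err error) {
+e := echo.New()
+
+e.Use(middleware.BasicAuth(func(username, password string, c echo.Context) (bool, error) {
+res, user, err := Auth(cfg, username, password, c)
+if res {
+c.Set("username", username)
+c.Set("user", user)
+}
+return res, err
+}))
+e.HideBanner = cfg.Options.HideBanner
+
+e.GET("/", func(c echo.Context) error {
+username := c.Get("username")
+return c.String(http.StatusOK, fmt.Sprintf("username: %s", username))
+})
+e.GET("/domain/:domain", func(c echo.Context) (err error) {
+var result EntryResponse
+log.Println(fmt.Sprintf("Providing %s to user %s at %s", c.Param("domain"), c.Get("username"), c.RealIP()))
+result, err = GetCertificate(cfg, c.Get("user").(*pki.User), c.Param("domain"))
+if err != nil {
+return c.String(http.StatusInternalServerError, fmt.Sprintf("%s %s", result, err))
+}
+return c.JSON(http.StatusOK, result)
+})
+e.GET("/config", func(c echo.Context) (err error) {
+if ConfigAccess(*cfg, c.RealIP()) {
+return c.JSON(http.StatusOK, cfg)
+}
+return c.String(http.StatusForbidden, "Forbidden")
+})
+
+e.Logger.Fatal(e.Start(fmt.Sprintf(":%d", cfg.Switchs.Port)))
+return
+}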
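Review bot: `e.GET("/config", ...)` answers with `c.JSON(http.StatusOK, cfg)` — the whole `Config` value, whose `DbParams` (including `DbPassword`) and `ACME.ProviderOptions` (the OVH application key, secret and consumer key) carry JSON output tags — so anyone who passes the `ConfigAccess` check receives every secret the service holds; drop the route or return a redacted copy, and never serialise `cfg` directly. The `/domain/:domain` handler performs no authorization beyond basic auth: `cert.Entry` has no owner column and `GetEntry` filters only on domain, so any account can read the private key of every stored domain and can trigger issuance for any name the OVH account controls — at minimum a per-user domain allow-list is needed before more than one operator holds credentials. The listener is plain HTTP (`e.Start(fmt.Sprintf(":%d", cfg.Switchs.Port))`), so basic-auth credentials and returned private keys travel in clear unless a TLS terminator sits in front; either document that requirement (`// RunServer serves plain HTTP; deploy behind a TLS-terminating proxy and restrict the listen address`) or use `StartTLS`. The 500 path's `fmt.Sprintf("%s %s", result, err)` also echoes raw ACME and database error text back to the client.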
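--- a/src/pkiws/serverhandle.go
+++ b/src/pkiws/serverhandle.go
@@ -0,0 +1,95 @@
+package pkiws
+
+import (
+"crypto/x509"
+"encoding/pem"
+"fmt"
+"log"
+"regexp"
+"time"
+
+"git.paulbsd.com/paulbsd/pki/src/cert"
+"git.paulbsd.com/paulbsd/pki/src/config"
+"git.paulbsd.com/paulbsd/pki/src/pki"
+)
+
+// GetCertificate get certificate from database if exists, of request it from ACME
+func GetCertificate(cfg *config.Config, user *pki.User, domain string) (result EntryResponse, err error) {
+err = CheckDomain(domain)
+if err != nil {
+return result, err
+}
+
+entry, err := user.GetEntry(cfg, domain)
+if err != nil {
+certs, err := user.RequestNewCert(cfg, domain)
+if err != nil {
+log.Println(fmt.Sprintf("Error fetching new certificate %s", err))
+return result, err
+}
+NotBefore, NotAfter, err := GetDates(certs.Certificate)
+if err != nil {
+log.Println("Error where parsing dates")
+return result, err
+}
+entry := cert.Entry{Domain: domain,
+Certificate: string(certs.Certificate),
+PrivateKey: string(certs.PrivateKey),
+ValidityBegin: NotBefore,
+ValidityEnd: NotAfter,
+AuthURL: cfg.ACME.AuthURL}
+cfg.Db.Insert(entry)
+result = convertEntryToResponse(entry)
+return result, err
+}
+result = convertEntryToResponse(entry)
+return
+}
+
+// CheckDomain check if requested domain is valid
+func CheckDomain(domain string) (err error) {
+res, err := regexp.Match(`^[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,6}$`, []byte(domain))
+if !res {
+return fmt.Errorf("Domain has not a valid syntax")
+}
+return
+}
+
+// GetDates decodes NotBefore and NotAfter date of cert
+func GetDates(cert []byte) (NotBefore time.Time, NotAfter time.Time, err error) {
+block, _ := pem.Decode(cert)
+if block.Type == "CERTIFICATE" {
+ce, err := x509.ParseCertificate(block.Bytes)
+if err != nil {
+log.Fatal("Error when parsing certificate")
+}
+NotBefore = ce.NotBefore
+NotAfter = ce.NotAfter
+}
+return
+}
+
+// NeedRenewal is an unimplemented method
+func NeedRenewal(cfg config.Config) (res bool, err error) {
+return
+}
+
+// convertEntryToResponse converts database ACME entry to JSON ACME entry
+func convertEntryToResponse(in cert.Entry) (out EntryResponse) {
+out.Domain = in.Domain
+out.Certificate = in.Certificate
+out.PrivateKey = in.PrivateKey
+out.ValidityBegin = in.ValidityBegin
+out.ValidityEnd = in.ValidityEnd
+
+return
+}
+
+// EntryResponse is the struct defining JSON response from webservice
+type EntryResponse struct {
+Domain string `json:"domain"`
+Certificate string `json:"certificate"`
+PrivateKey string `json:"privatekey"`
+ValidityBegin time.Time `json:"validitybegin"`
+ValidityEnd time.Time `json:"validityend"`
+}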
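Review bot: `GetDates` dereferences `block.Type` without checking whether `pem.Decode` returned nil, shadows the named result with `ce, err := x509.ParseCertificate(...)` so a parse failure can never reach the caller, and then calls `log.Fatal` on that failure — so a malformed certificate from the CA either panics or kills the server, while a PEM whose first block is not `CERTIFICATE` returns zero validity dates with a nil error that `GetCertificate` then persists; the rewrite below returns errors instead. In `GetCertificate`, the `if err != nil` after `user.GetEntry` treats every error — a database outage included — as "not found" and goes to the CA, and `cfg.Db.Insert(entry)` ignores its result, so under DB trouble each request burns a Let's Encrypt issuance whose key is then lost; distinguish not-found from other failures (a sentinel error from `GetEntry`) and check the insert. `regexp.Match` in `CheckDomain` also recompiles the pattern on every request and rejects valid TLDs longer than six letters; hoist it to a package-level `regexp.MustCompile` and widen the suffix.
```go
func GetDates(cert []byte) (NotBefore time.Time, NotAfter time.Time, err error) {
	block, _ := pem.Decode(cert)
	if block == nil || block.Type != "CERTIFICATE" {
		return NotBefore, NotAfter, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	ce, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return NotBefore, NotAfter, fmt.Errorf("parsing certificate: %w", err)
	}
	return ce.NotBefore, ce.NotAfter, nil
}
```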
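--- a/src/pkiws/utils.go
+++ b/src/pkiws/utils.go
@@ -0,0 +1,43 @@
+package pkiws
+
+import (
+"crypto/sha512"
+"encoding/hex"
+"fmt"
+
+"git.paulbsd.com/paulbsd/pki/src/config"
+"git.paulbsd.com/paulbsd/pki/src/pki"
+"github.com/labstack/echo/v4"
+)
+
+// Auth make authentication to webservice
+func Auth(cfg *config.Config, username string, password string, c echo.Context) (res bool, user *pki.User, err error) {
+user = &pki.User{Username: username}
+_, err = cfg.Db.Get(user)
+if err != nil {
+res = false
+return
+}
+
+hashedPassword := sha512.Sum512([]byte(password))
+base64Password := hex.EncodeToString(hashedPassword[:])
+
+if base64Password == user.PasswordSHA512 {
+res = true
+} else {
+err = fmt.Errorf("Password doesn't match")
+}
+return
+}
+
+// ConfigAccess make ip authorization to configuration
+func ConfigAccess(cfg config.Config, ip string) (ret bool) {
+switch ip {
+case "127.0.0.1":
+return true
+case "::1":
+return true
+default:
+return
+}
+}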
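Review bot: `ConfigAccess` authorises the `/config` route on the value of `c.RealIP()`, and echo's `RealIP()` consults `X-Forwarded-For` and `X-Real-IP` before the socket address unless an `IPExtractor` is configured on the Echo instance (none is set in `RunServer`), so any basic-auth user can send `X-Forwarded-For: 127.0.0.1` from anywhere and pass the loopback check; base this decision on `c.Request().RemoteAddr` (or, if the vendored echo provides it, set `e.IPExtractor = echo.ExtractIPDirect()`) and note in the comment that the check assumes no untrusted proxy headers. `Auth` compares the hex digests with `==`, which short-circuits on the first differing byte; use `subtle.ConstantTimeCompare([]byte(base64Password), []byte(user.PasswordSHA512)) == 1`. `_, err = cfg.Db.Get(user)` also discards the `has` flag, so an unknown username falls through to a comparison against an empty `PasswordSHA512` — it happens to fail because a hex SHA-512 is never empty, but the intent should be explicit: `has, err := cfg.Db.Get(user); if err != nil || !has { return false, nil, err }`. The unused `cfg config.Config` parameter of `ConfigAccess` copies the whole struct, `*xorm.Engine` included, on every call and can be dropped.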
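--- a/utils/main.go
+++ b/utils/main.go
@@ -0,0 +1,21 @@
+package utils
+
+import (
+"flag"
+"log"
+)
+
+// Usage displays possible arguments
+func Usage() {
+flag.PrintDefaults()
+log.Fatal()
+}
+
+// Advice displays possible arguments with warning advices
+func Advice(advice string) {
+flag.PrintDefaults()
+if advice != "" {
+log.Fatalln(advice)
+}
+log.Fatal()
+}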
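Review bot: `Advice` is documented as displaying arguments "with warning advices" but it always terminates the process through `log.Fatalln`/`log.Fatal`, and `GetConfig` calls it for a missing OVH key, so the operator sees the flag defaults (unrelated to the config-file problem) followed by an exit; the comment should say so: `// Advice prints the flag defaults and the given message, then exits with status 1; it never returns.`. `Usage` likewise ends in `log.Fatal()`, so `-h` exits with status 1 and an empty timestamped log line rather than letting the flag package exit 0 after printing help; `os.Exit(0)` after `flag.PrintDefaults()`, or simply returning and letting `flag` handle `-h`, would match conventional CLI behaviour.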
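--- a/vendor/github.com/cenkalti/backoff/v4/.gitignore
+++ b/vendor/github.com/cenkalti/backoff/v4/.gitignore
@@ -0,0 +1,22 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe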
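--- a/vendor/github.com/cenkalti/backoff/v4/.travis.yml
+++ b/vendor/github.com/cenkalti/backoff/v4/.travis.yml
@@ -0,0 +1,10 @@
+language: go
+go:
+- 1.12
+- 1.x
+- tip
+before_install:
+- go get github.com/mattn/goveralls
+- go get golang.org/x/tools/cmd/cover
+script:
+- $HOME/gopath/bin/goveralls -service=travis-ci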
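--- a/vendor/github.com/cenkalti/backoff/v4/LICENSE
+++ b/vendor/github.com/cenkalti/backoff/v4/LICENSE
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Cenk Altı
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.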
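--- a/vendor/github.com/cenkalti/backoff/v4/README.md
+++ b/vendor/github.com/cenkalti/backoff/v4/README.md
@@ -0,0 +1,33 @@
+# Exponential Backoff [![GoDoc][godoc image]][godoc] [![Build Status][travis image]][travis] [![Coverage Status][coveralls image]][coveralls]
+
+This is a Go port of the exponential backoff algorithm from [Google's HTTP Client Library for Java][google-http-java-client].
+
+[Exponential backoff][exponential backoff wiki]
+is an algorithm that uses feedback to multiplicatively decrease the rate of some process,
+in order to gradually find an acceptable rate.
+The retries exponentially increase and stop increasing when a certain threshold is met.
+
+## Usage
+
+Import path is `github.com/cenkalti/backoff/v4`. Please note the version part at the end.
+
+godoc.org does not support modules yet,
+so you can use https://godoc.org/gopkg.in/cenkalti/backoff.v4 to view the documentation.
+
+## Contributing
+
+* I would like to keep this library as small as possible.
+* Please don't send a PR without opening an issue and discussing it first.
+* If proposed change is not a common use case, I will probably not accept it.
+
+[godoc]: https://godoc.org/github.com/cenkalti/backoff
+[godoc image]: https://godoc.org/github.com/cenkalti/backoff?status.png
+[travis]: https://travis-ci.org/cenkalti/backoff
+[travis image]: https://travis-ci.org/cenkalti/backoff.png?branch=master
+[coveralls]: https://coveralls.io/github/cenkalti/backoff?branch=master
+[coveralls image]: https://coveralls.io/repos/github/cenkalti/backoff/badge.svg?branch=master
+
+[google-http-java-client]: https://github.com/google/google-http-java-client/blob/da1aa993e90285ec18579f1553339b00e19b3ab5/google-http-client/src/main/java/com/google/api/client/util/ExponentialBackOff.java
+[exponential backoff wiki]: http://en.wikipedia.org/wiki/Exponential_backoff
+
+[advanced example]: https://godoc.org/github.com/cenkalti/backoff#example_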
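--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v4/backoff.go
@@ -0,0 +1,66 @@
+// Package backoff implements backoff algorithms for retrying operations.
+//
+// Use Retry function for retrying operations that may fail.
+// If Retry does not meet your needs,
+// copy/paste the function into your project and modify as you wish.
+//
+// There is also Ticker type similar to time.Ticker.
+// You can use it if you need to work with channels.
+//
+// See Examples section below for usage examples.
+package backoff
+
+import "time"
+
+// BackOff is a backoff policy for retrying an operation.
+type BackOff interface {
+// NextBackOff returns the duration to wait before retrying the operation,
+// or backoff. Stop to indicate that no more retries should be made.
+//
+// Example usage:
+//
+// duration := backoff.NextBackOff();
+// if (duration == backoff.Stop) {
+// // Do not retry operation.
+// } else {
+// // Sleep for duration and retry operation.
+// }
+//
+NextBackOff() time.Duration
+
+// Reset to initial state.
+Reset()
+}
+
+// Stop indicates that no more retries should be made for use in NextBackOff().
+const Stop time.Duration = -1
+
+// ZeroBackOff is a fixed backoff policy whose backoff time is always zero,
+// meaning that the operation is retried immediately without waiting, indefinitely.
+type ZeroBackOff struct{}
+
+func (b *ZeroBackOff) Reset() {}
+
+func (b *ZeroBackOff) NextBackOff() time.Duration { return 0 }
+
+// StopBackOff is a fixed backoff policy that always returns backoff.Stop for
+// NextBackOff(), meaning that the operation should never be retried.
+type StopBackOff struct{}
+
+func (b *StopBackOff) Reset() {}
+
+func (b *StopBackOff) NextBackOff() time.Duration { return Stop }
+
+// ConstantBackOff is a backoff policy that always returns the same backoff delay.
+// This is in contrast to an exponential backoff policy,
+// which returns a delay that grows longer as you call NextBackOff() over and over again.
+type ConstantBackOff struct {
+Interval time.Duration
+}
+
+func (b *ConstantBackOff) Reset() {}
+func (b *ConstantBackOff) NextBackOff() time.Duration { return b.Interval }
+
+func NewConstantBackOff(d time.Duration) *ConstantBackOff {
+return &ConstantBackOff{Interval: d}
+}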
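--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v4/context.go
@@ -0,0 +1,66 @@
+package backoff
+
+import (
+"context"
+"time"
+)
+
+// BackOffContext is a backoff policy that stops retrying after the context
+// is canceled.
+type BackOffContext interface { // nolint: golint
+BackOff
+Context() context.Context
+}
+
+type backOffContext struct {
+BackOff
+ctx context.Context
+}
+
+// WithContext returns a BackOffContext with context ctx
+//
+// ctx must not be nil
+func WithContext(b BackOff, ctx context.Context) BackOffContext { // nolint: golint
+if ctx == nil {
+panic("nil context")
+}
+
+if b, ok := b.(*backOffContext); ok {
+return &backOffContext{
+BackOff: b.BackOff,
+ctx: ctx,
+}
+}
+
+return &backOffContext{
+BackOff: b,
+ctx: ctx,
+}
+}
+
+func getContext(b BackOff) context.Context {
+if cb, ok := b.(BackOffContext); ok {
+return cb.Context()
+}
+if tb, ok := b.(*backOffTries); ok {
+return getContext(tb.delegate)
+}
+return context.Background()
+}
+
+func (b *backOffContext) Context() context.Context {
+return b.ctx
+}
+
+func (b *backOffContext) NextBackOff() time.Duration {
+select {
+case <-b.ctx.Done():
+return Stop
+default:
+}
+next := b.BackOff.NextBackOff()
+if deadline, ok := b.ctx.Deadline(); ok && deadline.Sub(time.Now()) < next { // nolint: gosimple
+return Stop
+}
+return next
+}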
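--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v4/exponential.go
@@ -0,0 +1,158 @@
+package backoff
+
+import (
+"math/rand"
+"time"
+)
+
+/*
+ExponentialBackOff is a backoff implementation that increases the backoff
+period for each retry attempt using a randomization function that grows exponentially.
+
+NextBackOff() is calculated using the following formula:
+
+randomized interval =
+RetryInterval * (random value in range [1 - RandomizationFactor, 1 + RandomizationFactor])
+
+In other words NextBackOff() will range between the randomization factor
+percentage below and above the retry interval.
+
+For example, given the following parameters:
+
+RetryInterval = 2
+RandomizationFactor = 0.5
+Multiplier = 2
+
+the actual backoff period used in the next retry attempt will range between 1 and 3 seconds,
+multiplied by the exponential, that is, between 2 and 6 seconds.
+
+Note: MaxInterval caps the RetryInterval and not the randomized interval.
+
+If the time elapsed since an ExponentialBackOff instance is created goes past the
+MaxElapsedTime, then the method NextBackOff() starts returning backoff.Stop.
+
+The elapsed time can be reset by calling Reset().
+
+Example: Given the following default arguments, for 10 tries the sequence will be,
+and assuming we go over the MaxElapsedTime on the 10th try:
+
+Request # RetryInterval (seconds) Randomized Interval (seconds)
+
+1 0.5 [0.25, 0.75]
+2 0.75 [0.375, 1.125]
+3 1.125 [0.562, 1.687]
+4 1.687 [0.8435, 2.53]
+5 2.53 [1.265, 3.795]
+6 3.795 [1.897, 5.692]
+7 5.692 [2.846, 8.538]
+8 8.538 [4.269, 12.807]
+9 12.807 [6.403, 19.210]
+10 19.210 backoff.Stop
+
+Note: Implementation is not thread-safe.
+*/
+type ExponentialBackOff struct {
+InitialInterval time.Duration
+RandomizationFactor float64
+Multiplier float64
+MaxInterval time.Duration
+// After MaxElapsedTime the ExponentialBackOff returns Stop.
+// It never stops if MaxElapsedTime == 0.
+MaxElapsedTime time.Duration
+Stop time.Duration
+Clock Clock
+
+currentInterval time.Duration
+startTime time.Time
+}
+
+// Clock is an interface that returns current time for BackOff.
+type Clock interface {
+Now() time.Time
+}
+
+// Default values for ExponentialBackOff.
+const (
+DefaultInitialInterval = 500 * time.Millisecond
+DefaultRandomizationFactor = 0.5
+DefaultMultiplier = 1.5
+DefaultMaxInterval = 60 * time.Second
+DefaultMaxElapsedTime = 15 * time.Minute
+)
+
+// NewExponentialBackOff creates an instance of ExponentialBackOff using default values.
+func NewExponentialBackOff() *ExponentialBackOff {
+b := &ExponentialBackOff{
+InitialInterval: DefaultInitialInterval,
+RandomizationFactor: DefaultRandomizationFactor,
+Multiplier: DefaultMultiplier,
+MaxInterval: DefaultMaxInterval,
+MaxElapsedTime: DefaultMaxElapsedTime,
+Stop: Stop,
+Clock: SystemClock,
+}
+b.Reset()
+return b
+}
+
+type systemClock struct{}
+
+func (t systemClock) Now() time.Time {
+return time.Now()
+}
+
+// SystemClock implements Clock interface that uses time.Now().
+var SystemClock = systemClock{}
+
+// Reset the interval back to the initial retry interval and restarts the timer.
+// Reset must be called before using b.
+func (b *ExponentialBackOff) Reset() {
+b.currentInterval = b.InitialInterval
+b.startTime = b.Clock.Now()
+}
+
+// NextBackOff calculates the next backoff interval using the formula:
+// Randomized interval = RetryInterval * (1 ± RandomizationFactor)
+func (b *ExponentialBackOff) NextBackOff() time.Duration {
+// Make sure we have not gone over the maximum elapsed time.
+elapsed := b.GetElapsedTime()
+next := getRandomValueFromInterval(b.RandomizationFactor, rand.Float64(), b.currentInterval)
+b.incrementCurrentInterval()
+if b.MaxElapsedTime != 0 && elapsed+next > b.MaxElapsedTime {
+return b.Stop
+}
+return next
+}
+
+// GetElapsedTime returns the elapsed time since an ExponentialBackOff instance
+// is created and is reset when Reset() is called.
+//
+// The elapsed time is computed using time.Now().UnixNano(). It is
+// safe to call even while the backoff policy is used by a running
+// ticker.
+func (b *ExponentialBackOff) GetElapsedTime() time.Duration {
+return b.Clock.Now().Sub(b.startTime)
+}
+
+// Increments the current interval by multiplying it with the multiplier.
+func (b *ExponentialBackOff) incrementCurrentInterval() {
+// Check for overflow, if overflow is detected set the current interval to the max interval.
+if float64(b.currentInterval) >= float64(b.MaxInterval)/b.Multiplier {
+b.currentInterval = b.MaxInterval
+} else {
+b.currentInterval = time.Duration(float64(b.currentInterval) * b.Multiplier)
+}
+}
+
+// Returns a random value from the following interval:
+// [currentInterval - randomizationFactor * currentInterval, currentInterval + randomizationFactor * currentInterval].
+func getRandomValueFromInterval(randomizationFactor, random float64, currentInterval time.Duration) time.Duration {
+var delta = randomizationFactor * float64(currentInterval)
+var minInterval = float64(currentInterval) - delta
+var maxInterval = float64(currentInterval) + delta
+
+// Get a random value from the range [minInterval, maxInterval].
+// The formula used below has a +1 because if the minInterval is 1 and the maxInterval is 3 then
+// we want a 33% chance for selecting either 1, 2 or 3.
+return time.Duration(minInterval + (random * (maxInterval - minInterval + 1)))
+}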
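--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v4/go.mod
@@ -0,0 +1,3 @@
+module github.com/cenkalti/backoff/v4
+
+go 1.12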
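--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v4/retry.go
@@ -0,0 +1,96 @@
+package backoff
+
+import "time"
+
+// An Operation is executing by Retry() or RetryNotify().
+// The operation will be retried using a backoff policy if it returns an error.
+type Operation func() error
+
+// Notify is a notify-on-error function. It receives an operation error and
+// backoff delay if the operation failed (with an error).
+//
+// NOTE that if the backoff policy stated to stop retrying,
+// the notify function isn't called.
+type Notify func(error, time.Duration)
+
+// Retry the operation o until it does not return error or BackOff stops.
+// o is guaranteed to be run at least once.
+//
+// If o returns a *PermanentError, the operation is not retried, and the
+// wrapped error is returned.
+//
+// Retry sleeps the goroutine for the duration returned by BackOff after a
+// failed operation returns.
+func Retry(o Operation, b BackOff) error {
+return RetryNotify(o, b, nil)
+}
+
+// RetryNotify calls notify function with the error and wait duration
+// for each failed attempt before sleep.
+func RetryNotify(operation Operation, b BackOff, notify Notify) error {
+return RetryNotifyWithTimer(operation, b, notify, nil)
+}
+
+// RetryNotifyWithTimer calls notify function with the error and wait duration using the given Timer
+// for each failed attempt before sleep.
+// A default timer that uses system timer is used when nil is passed.
+func RetryNotifyWithTimer(operation Operation, b BackOff, notify Notify, t Timer) error {
+var err error
+var next time.Duration
+if t == nil {
+t = &defaultTimer{}
+}
+
+defer func() {
+t.Stop()
+}()
+
+ctx := getContext(b)
+
+b.Reset()
+for {
+if err = operation(); err == nil {
+return nil
+}
+
+if permanent, ok := err.(*PermanentError); ok {
+return permanent.Err
+}
+
+if next = b.NextBackOff(); next == Stop {
+return err
+}
+
+if notify != nil {
+notify(err, next)
+}
+
+t.Start(next)
+
+select {
+case <-ctx.Done():
+return ctx.Err()
+case <-t.C():
+}
+}
+}
+
+// PermanentError signals that the operation should not be retried.
+type PermanentError struct {
+Err error
+}
+
+func (e *PermanentError) Error() string {
+return e.Err.Error()
+}
+
+func (e *PermanentError) Unwrap() error {
+return e.Err
+}
+
+// Permanent wraps the given err in a *PermanentError.
+func Permanent(err error) *PermanentError {
+return &PermanentError{
+Err: err,
+}
+}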
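--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v4/ticker.go
@@ -0,0 +1,97 @@
+package backoff
+
+import (
+"context"
+"sync"
+"time"
+)
+
+// Ticker holds a channel that delivers `ticks' of a clock at times reported by a BackOff.
+//
+// Ticks will continue to arrive when the previous operation is still running,
+// so operations that take a while to fail could run in quick succession.
+type Ticker struct {
+C <-chan time.Time
+c chan time.Time
+b BackOff
+ctx context.Context
+timer Timer
+stop chan struct{}
+stopOnce sync.Once
+}
+
+// NewTicker returns a new Ticker containing a channel that will send
+// the time at times specified by the BackOff argument. Ticker is
+// guaranteed to tick at least once. The channel is closed when Stop
+// method is called or BackOff stops. It is not safe to manipulate the
+// provided backoff policy (notably calling NextBackOff or Reset)
+// while the ticker is running.
+func NewTicker(b BackOff) *Ticker {
+return NewTickerWithTimer(b, &defaultTimer{})
+}
+
+// NewTickerWithTimer returns a new Ticker with a custom timer.
+// A default timer that uses system timer is used when nil is passed.
+func NewTickerWithTimer(b BackOff, timer Timer) *Ticker {
+if timer == nil {
+timer = &defaultTimer{}
+}
+c := make(chan time.Time)
+t := &Ticker{
+C: c,
+c: c,
+b: b,
+ctx: getContext(b),
+timer: timer,
+stop: make(chan struct{}),
+}
+t.b.Reset()
+go t.run()
+return t
+}
+
+// Stop turns off a ticker. After Stop, no more ticks will be sent.
+func (t *Ticker) Stop() {
+t.stopOnce.Do(func() { close(t.stop) })
+}
+
+func (t *Ticker) run() {
+c := t.c
+defer close(c)
+
+// Ticker is guaranteed to tick at least once.
+afterC := t.send(time.Now())
+
+for {
+if afterC == nil {
+return
+}
+
+select {
+case tick := <-afterC:
+afterC = t.send(tick)
+case <-t.stop:
+t.c = nil // Prevent future ticks from being sent to the channel.
+return
+case <-t.ctx.Done():
+return
+}
+}
+}
+
+func (t *Ticker) send(tick time.Time) <-chan time.Time {
+select {
+case t.c <- tick:
+case <-t.stop:
+return nil
+}
+
+next := t.b.NextBackOff()
+if next == Stop {
+t.Stop()
+return nil
+}
+
+t.timer.Start(next)
+return t.timer.C()
+}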
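--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v4/timer.go
@@ -0,0 +1,35 @@
+package backoff
+
+import "time"
+
+type Timer interface {
+Start(duration time.Duration)
+Stop()
+C() <-chan time.Time
+}
+
+// defaultTimer implements Timer interface using time.Timer
+type defaultTimer struct {
+timer *time.Timer
+}
+
+// C returns the timers channel which receives the current time when the timer fires.
+func (t *defaultTimer) C() <-chan time.Time {
+return t.timer.C
+}
+
+// Start starts the timer to fire after the given duration
+func (t *defaultTimer) Start(duration time.Duration) {
+if t.timer == nil {
+t.timer = time.NewTimer(duration)
+} else {
+t.timer.Reset(duration)
+}
+}
+
+// Stop is called when the timer is not used anymore and resources may be freed.
+func (t *defaultTimer) Stop() {
+if t.timer != nil {
+t.timer.Stop()
+}
+}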
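--- /dev/null
+++ b/vendor/github.com/cenkalti/backoff/v4/tries.go
@@ -0,0 +1,38 @@
+package backoff
+
+import "time"
+
+/*
+WithMaxRetries creates a wrapper around another BackOff, which will
+return Stop if NextBackOff() has been called too many times since
+the last time Reset() was called
+
+Note: Implementation is not thread-safe.
+*/
+func WithMaxRetries(b BackOff, max uint64) BackOff {
+return &backOffTries{delegate: b, maxTries: max}
+}
+
+type backOffTries struct {
+delegate BackOff
+maxTries uint64
+numTries uint64
+}
+
+func (b *backOffTries) NextBackOff() time.Duration {
+if b.maxTries == 0 {
+return Stop
+}
+if b.maxTries > 0 {
+if b.maxTries <= b.numTries {
+return Stop
+}
+b.numTries++
+}
+return b.delegate.NextBackOff()
+}
+
+func (b *backOffTries) Reset() {
+b.numTries = 0
+b.delegate.Reset()
+}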
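--- /dev/null
+++ b/vendor/github.com/dgrijalva/jwt-go/.gitignore
@@ -0,0 +1,4 @@
+.DS_Store
+bin
+
+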
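--- /dev/null
+++ b/vendor/github.com/dgrijalva/jwt-go/.travis.yml
@@ -0,0 +1,13 @@
+language: go
+
+script:
+- go vet ./...
+- go test -v ./...
+
+go:
+- 1.3
+- 1.4
+- 1.5
+- 1.6
+- 1.7
+- tip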
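--- /dev/null
+++ b/vendor/github.com/dgrijalva/jwt-go/LICENSE
@@ -0,0 +1,8 @@
+Copyright (c) 2012 Dave Grijalva
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+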
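--- /dev/null
+++ b/vendor/github.com/dgrijalva/jwt-go/MIGRATION_GUIDE.md
@@ -0,0 +1,97 @@
+## Migration Guide from v2 -> v3
+
+Version 3 adds several new, frequently requested features. To do so, it introduces a few breaking changes. We've worked to keep these as minimal as possible. This guide explains the breaking changes and how you can quickly update your code.
+
+### `Token.Claims` is now an interface type
+
+The most requested feature from the 2.0 verison of this library was the ability to provide a custom type to the JSON parser for claims. This was implemented by introducing a new interface, `Claims`, to replace `map[string]interface{}`. We also included two concrete implementations of `Claims`: `MapClaims` and `StandardClaims`.
+
+`MapClaims` is an alias for `map[string]interface{}` with built in validation behavior. It is the default claims type when using `Parse`. The usage is unchanged except you must type cast the claims property.
+
+The old example for parsing a token looked like this..
+
+```go
+if token, err := jwt.Parse(tokenString, keyLookupFunc); err == nil {
+fmt.Printf("Token for user %v expires %v", token.Claims["user"], token.Claims["exp"])
+}
+```
+
+is now directly mapped to...
+
+```go
+if token, err := jwt.Parse(tokenString, keyLookupFunc); err == nil {
+claims := token.Claims.(jwt.MapClaims)
+fmt.Printf("Token for user %v expires %v", claims["user"], claims["exp"])
+}
+```
+
+`StandardClaims` is designed to be embedded in your custom type. You can supply a custom claims type with the new `ParseWithClaims` function. Here's an example of using a custom claims type.
+
+```go
+type MyCustomClaims struct {
+User string
+*StandardClaims
+}
+
+if token, err := jwt.ParseWithClaims(tokenString, &MyCustomClaims{}, keyLookupFunc); err == nil {
+claims := token.Claims.(*MyCustomClaims)
+fmt.Printf("Token for user %v expires %v", claims.User, claims.StandardClaims.ExpiresAt)
+}
+```
+
+### `ParseFromRequest` has been moved
+
+To keep this library focused on the tokens without becoming overburdened with complex request processing logic, `ParseFromRequest` and its new companion `ParseFromRequestWithClaims` have been moved to a subpackage, `request`. The method signatues have also been augmented to receive a new argument: `Extractor`.
+
+`Extractors` do the work of picking the token string out of a request. The interface is simple and composable.
+
+This simple parsing example:
+
+```go
+if token, err := jwt.ParseFromRequest(tokenString, req, keyLookupFunc); err == nil {
+fmt.Printf("Token for user %v expires %v", token.Claims["user"], token.Claims["exp"])
+}
+```
+
+is directly mapped to:
+
+```go
+if token, err := request.ParseFromRequest(req, request.OAuth2Extractor, keyLookupFunc); err == nil {
+claims := token.Claims.(jwt.MapClaims)
+fmt.Printf("Token for user %v expires %v", claims["user"], claims["exp"])
+}
+```
+
+There are several concrete `Extractor` types provided for your convenience:
+
+* `HeaderExtractor` will search a list of headers until one contains content.
+* `ArgumentExtractor` will search a list of keys in request query and form arguments until one contains content.
+* `MultiExtractor` will try a list of `Extractors` in order until one returns content.
+* `AuthorizationHeaderExtractor` will look in the `Authorization` header for a `Bearer` token.
+* `OAuth2Extractor` searches the places an OAuth2 token would be specified (per the spec): `Authorization` header and `access_token` argument
+* `PostExtractionFilter` wraps an `Extractor`, allowing you to process the content before it's parsed. A simple example is stripping the `Bearer ` text from a header
+
+
+### RSA signing methods no longer accept `[]byte` keys
+
+Due to a [critical vulnerability](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/), we've decided the convenience of accepting `[]byte` instead of `rsa.PublicKey` or `rsa.PrivateKey` isn't worth the risk of misuse.
+
+To replace this behavior, we've added two helper methods: `ParseRSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error)` and `ParseRSAPublicKeyFromPEM(key []byte) (*rsa.PublicKey, error)`. These are just simple helpers for unpacking PEM encoded PKCS1 and PKCS8 keys. If your keys are encoded any other way, all you need to do is convert them to the `crypto/rsa` package's types.
+
+```go
+func keyLookupFunc(*Token) (interface{}, error) {
+// Don't forget to validate the alg is what you expect:
+if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+}
+
+// Look up key
+key, err := lookupPublicKey(token.Header["kid"])
+if err != nil {
+return nil, err
+}
+
+// Unpack key from PEM encoded PKCS8
+return jwt.ParseRSAPublicKeyFromPEM(key)
+}
+```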
100
vendor/github.com/dgrijalva/jwt-go/README.md
@ -0,0 +1,100 @@
|
|||||||
|
# jwt-go
|
||||||
|
|
||||||
|
[![Build Status](https://travis-ci.org/dgrijalva/jwt-go.svg?branch=master)](https://travis-ci.org/dgrijalva/jwt-go)
|
||||||
|
[![GoDoc](https://godoc.org/github.com/dgrijalva/jwt-go?status.svg)](https://godoc.org/github.com/dgrijalva/jwt-go)
|
||||||
|
|
||||||
|
A [go](http://www.golang.org) (or 'golang' for search engine friendliness) implementation of [JSON Web Tokens](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html)
|
||||||
|
|
||||||
|
**NEW VERSION COMING:** There have been a lot of improvements suggested since the version 3.0.0 released in 2016. I'm working now on cutting two different releases: 3.2.0 will contain any non-breaking changes or enhancements. 4.0.0 will follow shortly which will include breaking changes. See the 4.0.0 milestone to get an idea of what's coming. If you have other ideas, or would like to participate in 4.0.0, now's the time. If you depend on this library and don't want to be interrupted, I recommend you use your dependency mangement tool to pin to version 3.
|
||||||
|
|
||||||
|
**SECURITY NOTICE:** Some older versions of Go have a security issue in the cryotp/elliptic. Recommendation is to upgrade to at least 1.8.3. See issue #216 for more detail.
|
||||||
|
|
||||||
|
**SECURITY NOTICE:** It's important that you [validate the `alg` presented is what you expect](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/). This library attempts to make it easy to do the right thing by requiring key types match the expected alg, but you should take the extra step to verify it in your usage. See the examples provided.
|
||||||
|
|
||||||
|
## What the heck is a JWT?
|
||||||
|
|
||||||
|
JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web Tokens.
|
||||||
|
|
||||||
|
In short, it's a signed JSON object that does something useful (for example, authentication). It's commonly used for `Bearer` tokens in Oauth 2. A token is made of three parts, separated by `.`'s. The first two parts are JSON objects, that have been [base64url](http://tools.ietf.org/html/rfc4648) encoded. The last part is the signature, encoded the same way.
|
||||||
|
|
||||||
|
The first part is called the header. It contains the necessary information for verifying the last part, the signature. For example, which encryption method was used for signing and what key was used.
|
||||||
|
|
||||||
|
The part in the middle is the interesting bit. It's called the Claims and contains the actual stuff you care about. Refer to [the RFC](http://self-issued.info/docs/draft-jones-json-web-token.html) for information about reserved keys and the proper way to add your own.
|
||||||
|
|
||||||
|
## What's in the box?
|
||||||
|
|
||||||
|
This library supports the parsing and verification as well as the generation and signing of JWTs. Current supported signing algorithms are HMAC SHA, RSA, RSA-PSS, and ECDSA, though hooks are present for adding your own.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
See [the project documentation](https://godoc.org/github.com/dgrijalva/jwt-go) for examples of usage:
|
||||||
|
|
||||||
|
* [Simple example of parsing and validating a token](https://godoc.org/github.com/dgrijalva/jwt-go#example-Parse--Hmac)
|
||||||
|
* [Simple example of building and signing a token](https://godoc.org/github.com/dgrijalva/jwt-go#example-New--Hmac)
|
||||||
|
* [Directory of Examples](https://godoc.org/github.com/dgrijalva/jwt-go#pkg-examples)
|
||||||
|
|
||||||
|
## Extensions
|
||||||
|
|
||||||
|
This library publishes all the necessary components for adding your own signing methods. Simply implement the `SigningMethod` interface and register a factory method using `RegisterSigningMethod`.
|
||||||
|
|
||||||
|
Here's an example of an extension that integrates with the Google App Engine signing tools: https://github.com/someone1/gcp-jwt-go
|
||||||
|
|
||||||
|
## Compliance
|
||||||
|
|
||||||
|
This library was last reviewed to comply with [RTF 7519](http://www.rfc-editor.org/info/rfc7519) dated May 2015 with a few notable differences:
|
||||||
|
|
||||||
|
* In order to protect against accidental use of [Unsecured JWTs](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#UnsecuredJWT), tokens using `alg=none` will only be accepted if the constant `jwt.UnsafeAllowNoneSignatureType` is provided as the key.
|
||||||
|
|
||||||
|
## Project Status & Versioning
|
||||||
|
|
||||||
|
This library is considered production ready. Feedback and feature requests are appreciated. The API should be considered stable. There should be very few backwards-incompatible changes outside of major version updates (and only with good reason).
|
||||||
|
|
||||||
|
This project uses [Semantic Versioning 2.0.0](http://semver.org). Accepted pull requests will land on `master`. Periodically, versions will be tagged from `master`. You can find all the releases on [the project releases page](https://github.com/dgrijalva/jwt-go/releases).
|
||||||
|
|
||||||
|
While we try to make it obvious when we make breaking changes, there isn't a great mechanism for pushing announcements out to users. You may want to use this alternative package include: `gopkg.in/dgrijalva/jwt-go.v3`. It will do the right thing WRT semantic versioning.
|
||||||
|
|
||||||
|
**BREAKING CHANGES:***
|
||||||
|
* Version 3.0.0 includes _a lot_ of changes from the 2.x line, including a few that break the API. We've tried to break as few things as possible, so there should just be a few type signature changes. A full list of breaking changes is available in `VERSION_HISTORY.md`. See `MIGRATION_GUIDE.md` for more information on updating your code.
|
||||||
|
|
||||||
|
## Usage Tips
|
||||||
|
|
||||||
|
### Signing vs Encryption
|
||||||
|
|
||||||
|
A token is simply a JSON object that is signed by its author. this tells you exactly two things about the data:
|
||||||
|
|
||||||
|
* The author of the token was in the possession of the signing secret
|
||||||
|
* The data has not been modified since it was signed
|
||||||
|
|
||||||
|
It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. JWE is currently outside the scope of this library.
|
||||||
|
|
||||||
|
### Choosing a Signing Method
|
||||||
|
|
||||||
|
There are several signing methods available, and you should probably take the time to learn about the various options before choosing one. The principal design decision is most likely going to be symmetric vs asymmetric.
|
||||||
|
|
||||||
|
Symmetric signing methods, such as HSA, use only a single secret. This is probably the simplest signing method to use since any `[]byte` can be used as a valid secret. They are also slightly computationally faster to use, though this rarely is enough to matter. Symmetric signing methods work the best when both producers and consumers of tokens are trusted, or even the same system. Since the same secret is used to both sign and validate tokens, you can't easily distribute the key for validation.
|
||||||
|
|
||||||
|
Asymmetric signing methods, such as RSA, use different keys for signing and verifying tokens. This makes it possible to produce tokens with a private key, and allow any consumer to access the public key for verification.
|
||||||
|
|
||||||
|
### Signing Methods and Key Types
|
||||||
|
|
||||||
|
Each signing method expects a different object type for its signing keys. See the package documentation for details. Here are the most common ones:
|
||||||
|
|
||||||
|
* The [HMAC signing method](https://godoc.org/github.com/dgrijalva/jwt-go#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation
|
||||||
|
* The [RSA signing method](https://godoc.org/github.com/dgrijalva/jwt-go#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation
|
||||||
|
* The [ECDSA signing method](https://godoc.org/github.com/dgrijalva/jwt-go#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation
|
||||||
|
|
||||||
|
### JWT and OAuth
|
||||||
|
|
||||||
|
It's worth mentioning that OAuth and JWT are not the same thing. A JWT token is simply a signed JSON object. It can be used anywhere such a thing is useful. There is some confusion, though, as JWT is the most common type of bearer token used in OAuth2 authentication.
|
||||||
|
|
||||||
|
Without going too far down the rabbit hole, here's a description of the interaction of these technologies:
|
||||||
|
|
||||||
|
* OAuth is a protocol for allowing an identity provider to be separate from the service a user is logging in to. For example, whenever you use Facebook to log into a different service (Yelp, Spotify, etc), you are using OAuth.
|
||||||
|
* OAuth defines several options for passing around authentication data. One popular method is called a "bearer token". A bearer token is simply a string that _should_ only be held by an authenticated user. Thus, simply presenting this token proves your identity. You can probably derive from here why a JWT might make a good bearer token.
|
||||||
|
* Because bearer tokens are used for authentication, it's important they're kept secret. This is why transactions that use bearer tokens typically happen over SSL.
|
||||||
|
|
||||||
|
## More
|
||||||
|
|
||||||
|
Documentation can be found [on godoc.org](http://godoc.org/github.com/dgrijalva/jwt-go).
|
||||||
|
|
||||||
|
The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation.
|
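--- a/vendor/github.com/dgrijalva/jwt-go/VERSION_HISTORY.md
+++ b/vendor/github.com/dgrijalva/jwt-go/VERSION_HISTORY.md
@@ -0,0 +1,118 @@
+## `jwt-go` Version History
+
+#### 3.2.0
+
+* Added method `ParseUnverified` to allow users to split up the tasks of parsing and validation
+* HMAC signing method returns `ErrInvalidKeyType` instead of `ErrInvalidKey` where appropriate
+* Added options to `request.ParseFromRequest`, which allows for an arbitrary list of modifiers to parsing behavior. Initial set include `WithClaims` and `WithParser`. Existing usage of this function will continue to work as before.
+* Deprecated `ParseFromRequestWithClaims` to simplify API in the future.
+
+#### 3.1.0
+
+* Improvements to `jwt` command line tool
+* Added `SkipClaimsValidation` option to `Parser`
+* Documentation updates
+
+#### 3.0.0
+
+* **Compatibility Breaking Changes**: See MIGRATION_GUIDE.md for tips on updating your code
+* Dropped support for `[]byte` keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
+* `ParseFromRequest` has been moved to `request` subpackage and usage has changed
+* The `Claims` property on `Token` is now type `Claims` instead of `map[string]interface{}`. The default value is type `MapClaims`, which is an alias to `map[string]interface{}`. This makes it possible to use a custom type when decoding claims.
+* Other Additions and Changes
+* Added `Claims` interface type to allow users to decode the claims into a custom type
+* Added `ParseWithClaims`, which takes a third argument of type `Claims`. Use this function instead of `Parse` if you have a custom type you'd like to decode into.
+* Dramatically improved the functionality and flexibility of `ParseFromRequest`, which is now in the `request` subpackage
+* Added `ParseFromRequestWithClaims` which is the `FromRequest` equivalent of `ParseWithClaims`
+* Added new interface type `Extractor`, which is used for extracting JWT strings from http requests. Used with `ParseFromRequest` and `ParseFromRequestWithClaims`.
+* Added several new, more specific, validation errors to error type bitmask
+* Moved examples from README to executable example files
+* Signing method registry is now thread safe
+* Added new property to `ValidationError`, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)
+
+#### 2.7.0
+
+This will likely be the last backwards compatible release before 3.0.0, excluding essential bug fixes.
+
+* Added new option `-show` to the `jwt` command that will just output the decoded token without verifying
+* Error text for expired tokens includes how long it's been expired
+* Fixed incorrect error returned from `ParseRSAPublicKeyFromPEM`
+* Documentation updates
+
+#### 2.6.0
+
+* Exposed inner error within ValidationError
+* Fixed validation errors when using UseJSONNumber flag
+* Added several unit tests
+
+#### 2.5.0
+
+* Added support for signing method none.  You shouldn't use this.  The API tries to make this clear.
+* Updated/fixed some documentation
+* Added more helpful error message when trying to parse tokens that begin with `BEARER `
+
+#### 2.4.0
+
+* Added new type, Parser, to allow for configuration of various parsing parameters
+* You can now specify a list of valid signing methods. Anything outside this set will be rejected.
+* You can now opt to use the `json.Number` type instead of `float64` when parsing token JSON
+* Added support for [Travis CI](https://travis-ci.org/dgrijalva/jwt-go)
+* Fixed some bugs with ECDSA parsing
+
+#### 2.3.0
+
+* Added support for ECDSA signing methods
+* Added support for RSA PSS signing methods (requires go v1.4)
+
+#### 2.2.0
+
+* Gracefully handle a `nil` `Keyfunc` being passed to `Parse`.  Result will now be the parsed token and an error, instead of a panic.
+
+#### 2.1.0
+
+Backwards compatible API change that was missed in 2.0.0.
+
+* The `SignedString` method on `Token` now takes `interface{}` instead of `[]byte`
+
+#### 2.0.0
+
+There were two major reasons for breaking backwards compatibility with this update.  The first was a refactor required to expand the width of the RSA and HMAC-SHA signing implementations.  There will likely be no required code changes to support this change.
+
+The second update, while unfortunately requiring a small change in integration, is required to open up this library to other signing methods.  Not all keys used for all signing methods have a single standard on-disk representation.  Requiring `[]byte` as the type for all keys proved too limiting.  Additionally, this implementation allows for pre-parsed tokens to be reused, which might matter in an application that parses a high volume of tokens with a small set of keys.  Backwards compatibilty has been maintained for passing `[]byte` to the RSA signing methods, but they will also accept `*rsa.PublicKey` and `*rsa.PrivateKey`.
+
+It is likely the only integration change required here will be to change `func(t *jwt.Token) ([]byte, error)` to `func(t *jwt.Token) (interface{}, error)` when calling `Parse`.
+
+* **Compatibility Breaking Changes**
+* `SigningMethodHS256` is now `*SigningMethodHMAC` instead of `type struct`
+* `SigningMethodRS256` is now `*SigningMethodRSA` instead of `type struct`
+* `KeyFunc` now returns `interface{}` instead of `[]byte`
+* `SigningMethod.Sign` now takes `interface{}` instead of `[]byte` for the key
+* `SigningMethod.Verify` now takes `interface{}` instead of `[]byte` for the key
+* Renamed type `SigningMethodHS256` to `SigningMethodHMAC`.  Specific sizes are now just instances of this type.
+* Added public package global `SigningMethodHS256`
+* Added public package global `SigningMethodHS384`
+* Added public package global `SigningMethodHS512`
+* Renamed type `SigningMethodRS256` to `SigningMethodRSA`.  Specific sizes are now just instances of this type.
+* Added public package global `SigningMethodRS256`
+* Added public package global `SigningMethodRS384`
+* Added public package global `SigningMethodRS512`
+* Moved sample private key for HMAC tests from an inline value to a file on disk.  Value is unchanged.
+* Refactored the RSA implementation to be easier to read
+* Exposed helper methods `ParseRSAPrivateKeyFromPEM` and `ParseRSAPublicKeyFromPEM`
+
+#### 1.0.2
+
+* Fixed bug in parsing public keys from certificates
+* Added more tests around the parsing of keys for RS256
+* Code refactoring in RS256 implementation.  No functional changes
+
+#### 1.0.1
+
+* Fixed panic if RS256 signing method was passed an invalid key
+
+#### 1.0.0
+
+* First versioned release
+* API stabilized
+* Supports creating, signing, parsing, and validating JWT tokens
+* Supports RS256 and HS256 signing methods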
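--- a/vendor/github.com/dgrijalva/jwt-go/claims.go
+++ b/vendor/github.com/dgrijalva/jwt-go/claims.go
@@ -0,0 +1,134 @@
+package jwt
+
+import (
+"crypto/subtle"
+"fmt"
+"time"
+)
+
+// For a type to be a Claims object, it must just have a Valid method that determines
+// if the token is invalid for any supported reason
+type Claims interface {
+Valid() error
+}
+
+// Structured version of Claims Section, as referenced at
+// https://tools.ietf.org/html/rfc7519#section-4.1
+// See examples for how to use this with your own claim types
+type StandardClaims struct {
+Audience string `json:"aud,omitempty"`
+ExpiresAt int64 `json:"exp,omitempty"`
+Id string `json:"jti,omitempty"`
+IssuedAt int64 `json:"iat,omitempty"`
+Issuer string `json:"iss,omitempty"`
+NotBefore int64 `json:"nbf,omitempty"`
+Subject string `json:"sub,omitempty"`
+}
+
+// Validates time based claims "exp, iat, nbf".
+// There is no accounting for clock skew.
+// As well, if any of the above claims are not in the token, it will still
+// be considered a valid claim.
+func (c StandardClaims) Valid() error {
+vErr := new(ValidationError)
+now := TimeFunc().Unix()
+
+// The claims below are optional, by default, so if they are set to the
+// default value in Go, let's not fail the verification for them.
+if c.VerifyExpiresAt(now, false) == false {
+delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0))
+vErr.Inner = fmt.Errorf("token is expired by %v", delta)
+vErr.Errors |= ValidationErrorExpired
+}
+
+if c.VerifyIssuedAt(now, false) == false {
+vErr.Inner = fmt.Errorf("Token used before issued")
+vErr.Errors |= ValidationErrorIssuedAt
+}
+
+if c.VerifyNotBefore(now, false) == false {
+vErr.Inner = fmt.Errorf("token is not valid yet")
+vErr.Errors |= ValidationErrorNotValidYet
+}
+
+if vErr.valid() {
+return nil
+}
+
+return vErr
+}
+
+// Compares the aud claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *StandardClaims) VerifyAudience(cmp string, req bool) bool {
+return verifyAud(c.Audience, cmp, req)
+}
+
+// Compares the exp claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *StandardClaims) VerifyExpiresAt(cmp int64, req bool) bool {
+return verifyExp(c.ExpiresAt, cmp, req)
+}
+
+// Compares the iat claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *StandardClaims) VerifyIssuedAt(cmp int64, req bool) bool {
+return verifyIat(c.IssuedAt, cmp, req)
+}
+
+// Compares the iss claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *StandardClaims) VerifyIssuer(cmp string, req bool) bool {
+return verifyIss(c.Issuer, cmp, req)
+}
+
+// Compares the nbf claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (c *StandardClaims) VerifyNotBefore(cmp int64, req bool) bool {
+return verifyNbf(c.NotBefore, cmp, req)
+}
+
+// ----- helpers
+
+func verifyAud(aud string, cmp string, required bool) bool {
+if aud == "" {
+return !required
+}
+if subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) != 0 {
+return true
+} else {
+return false
+}
+}
+
+func verifyExp(exp int64, now int64, required bool) bool {
+if exp == 0 {
+return !required
+}
+return now <= exp
+}
+
+func verifyIat(iat int64, now int64, required bool) bool {
+if iat == 0 {
+return !required
+}
+return now >= iat
+}
+
+func verifyIss(iss string, cmp string, required bool) bool {
+if iss == "" {
+return !required
+}
+if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 {
+return true
+} else {
+return false
+}
+}
+
+func verifyNbf(nbf int64, now int64, required bool) bool {
+if nbf == 0 {
+return !required
+}
+return now >= nbf
+}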
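--- a/vendor/github.com/dgrijalva/jwt-go/doc.go
+++ b/vendor/github.com/dgrijalva/jwt-go/doc.go
@@ -0,0 +1,4 @@
+// Package jwt is a Go implementation of JSON Web Tokens: http://self-issued.info/docs/draft-jones-json-web-token.html
+//
+// See README.md for more info.
+package jwt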
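--- a/vendor/github.com/dgrijalva/jwt-go/ecdsa.go
+++ b/vendor/github.com/dgrijalva/jwt-go/ecdsa.go
@@ -0,0 +1,148 @@
+package jwt
+
+import (
+"crypto"
+"crypto/ecdsa"
+"crypto/rand"
+"errors"
+"math/big"
+)
+
+var (
+// Sadly this is missing from crypto/ecdsa compared to crypto/rsa
+ErrECDSAVerification = errors.New("crypto/ecdsa: verification error")
+)
+
+// Implements the ECDSA family of signing methods signing methods
+// Expects *ecdsa.PrivateKey for signing and *ecdsa.PublicKey for verification
+type SigningMethodECDSA struct {
+Name string
+Hash crypto.Hash
+KeySize int
+CurveBits int
+}
+
+// Specific instances for EC256 and company
+var (
+SigningMethodES256 *SigningMethodECDSA
+SigningMethodES384 *SigningMethodECDSA
+SigningMethodES512 *SigningMethodECDSA
+)
+
+func init() {
+// ES256
+SigningMethodES256 = &SigningMethodECDSA{"ES256", crypto.SHA256, 32, 256}
+RegisterSigningMethod(SigningMethodES256.Alg(), func() SigningMethod {
+return SigningMethodES256
+})
+
+// ES384
+SigningMethodES384 = &SigningMethodECDSA{"ES384", crypto.SHA384, 48, 384}
+RegisterSigningMethod(SigningMethodES384.Alg(), func() SigningMethod {
+return SigningMethodES384
+})
+
+// ES512
+SigningMethodES512 = &SigningMethodECDSA{"ES512", crypto.SHA512, 66, 521}
+RegisterSigningMethod(SigningMethodES512.Alg(), func() SigningMethod {
+return SigningMethodES512
+})
+}
+
+func (m *SigningMethodECDSA) Alg() string {
+return m.Name
+}
+
+// Implements the Verify method from SigningMethod
+// For this verify method, key must be an ecdsa.PublicKey struct
+func (m *SigningMethodECDSA) Verify(signingString, signature string, key interface{}) error {
+var err error
+
+// Decode the signature
+var sig []byte
+if sig, err = DecodeSegment(signature); err != nil {
+return err
+}
+
+// Get the key
+var ecdsaKey *ecdsa.PublicKey
+switch k := key.(type) {
+case *ecdsa.PublicKey:
+ecdsaKey = k
+default:
+return ErrInvalidKeyType
+}
+
+if len(sig) != 2*m.KeySize {
+return ErrECDSAVerification
+}
+
+r := big.NewInt(0).SetBytes(sig[:m.KeySize])
+s := big.NewInt(0).SetBytes(sig[m.KeySize:])
+
+// Create hasher
+if !m.Hash.Available() {
+return ErrHashUnavailable
+}
+hasher := m.Hash.New()
+hasher.Write([]byte(signingString))
+
+// Verify the signature
+if verifystatus := ecdsa.Verify(ecdsaKey, hasher.Sum(nil), r, s); verifystatus == true {
+return nil
+} else {
+return ErrECDSAVerification
+}
+}
+
+// Implements the Sign method from SigningMethod
+// For this signing method, key must be an ecdsa.PrivateKey struct
+func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) (string, error) {
+// Get the key
+var ecdsaKey *ecdsa.PrivateKey
+switch k := key.(type) {
+case *ecdsa.PrivateKey:
+ecdsaKey = k
+default:
+return "", ErrInvalidKeyType
+}
+
+// Create the hasher
+if !m.Hash.Available() {
+return "", ErrHashUnavailable
+}
+
+hasher := m.Hash.New()
+hasher.Write([]byte(signingString))
+
+// Sign the string and return r, s
+if r, s, err := ecdsa.Sign(rand.Reader, ecdsaKey, hasher.Sum(nil)); err == nil {
+curveBits := ecdsaKey.Curve.Params().BitSize
+
+if m.CurveBits != curveBits {
+return "", ErrInvalidKey
+}
+
+keyBytes := curveBits / 8
+if curveBits%8 > 0 {
+keyBytes += 1
+}
+
+// We serialize the outpus (r and s) into big-endian byte arrays and pad
+// them with zeros on the left to make sure the sizes work out. Both arrays
+// must be keyBytes long, and the output must be 2*keyBytes long.
+rBytes := r.Bytes()
+rBytesPadded := make([]byte, keyBytes)
+copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+sBytes := s.Bytes()
+sBytesPadded := make([]byte, keyBytes)
+copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+out := append(rBytesPadded, sBytesPadded...)
+
+return EncodeSegment(out), nil
+} else {
+return "", err
+}
+}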
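--- a/vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go
+++ b/vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go
@@ -0,0 +1,67 @@
+package jwt
+
+import (
+"crypto/ecdsa"
+"crypto/x509"
+"encoding/pem"
+"errors"
+)
+
+var (
+ErrNotECPublicKey = errors.New("Key is not a valid ECDSA public key")
+ErrNotECPrivateKey = errors.New("Key is not a valid ECDSA private key")
+)
+
+// Parse PEM encoded Elliptic Curve Private Key Structure
+func ParseECPrivateKeyFromPEM(key []byte) (*ecdsa.PrivateKey, error) {
+var err error
+
+// Parse PEM block
+var block *pem.Block
+if block, _ = pem.Decode(key); block == nil {
+return nil, ErrKeyMustBePEMEncoded
+}
+
+// Parse the key
+var parsedKey interface{}
+if parsedKey, err = x509.ParseECPrivateKey(block.Bytes); err != nil {
+return nil, err
+}
+
+var pkey *ecdsa.PrivateKey
+var ok bool
+if pkey, ok = parsedKey.(*ecdsa.PrivateKey); !ok {
+return nil, ErrNotECPrivateKey
+}
+
+return pkey, nil
+}
+
+// Parse PEM encoded PKCS1 or PKCS8 public key
+func ParseECPublicKeyFromPEM(key []byte) (*ecdsa.PublicKey, error) {
+var err error
+
+// Parse PEM block
+var block *pem.Block
+if block, _ = pem.Decode(key); block == nil {
+return nil, ErrKeyMustBePEMEncoded
+}
+
+// Parse the key
+var parsedKey interface{}
+if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
+if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
+parsedKey = cert.PublicKey
+} else {
+return nil, err
+}
+}
+
+var pkey *ecdsa.PublicKey
+var ok bool
+if pkey, ok = parsedKey.(*ecdsa.PublicKey); !ok {
+return nil, ErrNotECPublicKey
+}
+
+return pkey, nil
+}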
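--- a/vendor/github.com/dgrijalva/jwt-go/errors.go
+++ b/vendor/github.com/dgrijalva/jwt-go/errors.go
@@ -0,0 +1,59 @@
+package jwt
+
+import (
+"errors"
+)
+
+// Error constants
+var (
+ErrInvalidKey = errors.New("key is invalid")
+ErrInvalidKeyType = errors.New("key is of invalid type")
+ErrHashUnavailable = errors.New("the requested hash function is unavailable")
+)
+
+// The errors that might occur when parsing and validating a token
+const (
+ValidationErrorMalformed uint32 = 1 << iota // Token is malformed
+ValidationErrorUnverifiable // Token could not be verified because of signing problems
+ValidationErrorSignatureInvalid // Signature validation failed
+
+// Standard Claim validation errors
+ValidationErrorAudience // AUD validation failed
+ValidationErrorExpired // EXP validation failed
+ValidationErrorIssuedAt // IAT validation failed
+ValidationErrorIssuer // ISS validation failed
+ValidationErrorNotValidYet // NBF validation failed
+ValidationErrorId // JTI validation failed
+ValidationErrorClaimsInvalid // Generic claims validation error
+)
+
+// Helper for constructing a ValidationError with a string error message
+func NewValidationError(errorText string, errorFlags uint32) *ValidationError {
+return &ValidationError{
+text: errorText,
+Errors: errorFlags,
+}
+}
+
+// The error from Parse if token is not valid
+type ValidationError struct {
+Inner error // stores the error returned by external dependencies, i.e.: KeyFunc
+Errors uint32 // bitfield. see ValidationError... constants
+text string // errors that do not have a valid error just have text
+}
+
+// Validation error is an error type
+func (e ValidationError) Error() string {
+if e.Inner != nil {
+return e.Inner.Error()
+} else if e.text != "" {
+return e.text
+} else {
+return "token is invalid"
+}
+}
+
+// No errors
+func (e *ValidationError) valid() bool {
+return e.Errors == 0
+}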
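--- a/vendor/github.com/dgrijalva/jwt-go/hmac.go
+++ b/vendor/github.com/dgrijalva/jwt-go/hmac.go
@@ -0,0 +1,95 @@
+package jwt
+
+import (
+	"crypto"
+	"crypto/hmac"
+	"errors"
+)
+
+// Implements the HMAC-SHA family of signing methods signing methods
+// Expects key type of []byte for both signing and validation
+type SigningMethodHMAC struct {
+	Name string
+	Hash crypto.Hash
+}
+
+// Specific instances for HS256 and company
+var (
+	SigningMethodHS256 *SigningMethodHMAC
+	SigningMethodHS384 *SigningMethodHMAC
+	SigningMethodHS512 *SigningMethodHMAC
+	ErrSignatureInvalid = errors.New("signature is invalid")
+)
+
+func init() {
+	// HS256
+	SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
+	RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
+		return SigningMethodHS256
+	})
+
+	// HS384
+	SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
+	RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
+		return SigningMethodHS384
+	})
+
+	// HS512
+	SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
+	RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
+		return SigningMethodHS512
+	})
+}
+
+func (m *SigningMethodHMAC) Alg() string {
+	return m.Name
+}
+
+// Verify the signature of HSXXX tokens. Returns nil if the signature is valid.
+func (m *SigningMethodHMAC) Verify(signingString, signature string, key interface{}) error {
+	// Verify the key is the right type
+	keyBytes, ok := key.([]byte)
+	if !ok {
+		return ErrInvalidKeyType
+	}
+
+	// Decode signature, for comparison
+	sig, err := DecodeSegment(signature)
+	if err != nil {
+		return err
+	}
+
+	// Can we use the specified hashing method?
+	if !m.Hash.Available() {
+		return ErrHashUnavailable
+	}
+
+	// This signing method is symmetric, so we validate the signature
+	// by reproducing the signature from the signing string and key, then
+	// comparing that against the provided signature.
+	hasher := hmac.New(m.Hash.New, keyBytes)
+	hasher.Write([]byte(signingString))
+	if !hmac.Equal(sig, hasher.Sum(nil)) {
+		return ErrSignatureInvalid
+	}
+
+	// No validation errors. Signature is good.
+	return nil
+}
+
+// Implements the Sign method from SigningMethod for this signing method.
+// Key must be []byte
+func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) (string, error) {
+	if keyBytes, ok := key.([]byte); ok {
+		if !m.Hash.Available() {
+			return "", ErrHashUnavailable
+		}
+
+		hasher := hmac.New(m.Hash.New, keyBytes)
+		hasher.Write([]byte(signingString))
+
+		return EncodeSegment(hasher.Sum(nil)), nil
+	}
+
+	return "", ErrInvalidKeyType
+}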
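--- a/vendor/github.com/dgrijalva/jwt-go/map_claims.go
+++ b/vendor/github.com/dgrijalva/jwt-go/map_claims.go
@@ -0,0 +1,94 @@
+package jwt
+
+import (
+	"encoding/json"
+	"errors"
+	// "fmt"
+)
+
+// Claims type that uses the map[string]interface{} for JSON decoding
+// This is the default claims type if you don't supply one
+type MapClaims map[string]interface{}
+
+// Compares the aud claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (m MapClaims) VerifyAudience(cmp string, req bool) bool {
+	aud, _ := m["aud"].(string)
+	return verifyAud(aud, cmp, req)
+}
+
+// Compares the exp claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool {
+	switch exp := m["exp"].(type) {
+	case float64:
+		return verifyExp(int64(exp), cmp, req)
+	case json.Number:
+		v, _ := exp.Int64()
+		return verifyExp(v, cmp, req)
+	}
+	return req == false
+}
+
+// Compares the iat claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool {
+	switch iat := m["iat"].(type) {
+	case float64:
+		return verifyIat(int64(iat), cmp, req)
+	case json.Number:
+		v, _ := iat.Int64()
+		return verifyIat(v, cmp, req)
+	}
+	return req == false
+}
+
+// Compares the iss claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (m MapClaims) VerifyIssuer(cmp string, req bool) bool {
+	iss, _ := m["iss"].(string)
+	return verifyIss(iss, cmp, req)
+}
+
+// Compares the nbf claim against cmp.
+// If required is false, this method will return true if the value matches or is unset
+func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool {
+	switch nbf := m["nbf"].(type) {
+	case float64:
+		return verifyNbf(int64(nbf), cmp, req)
+	case json.Number:
+		v, _ := nbf.Int64()
+		return verifyNbf(v, cmp, req)
+	}
+	return req == false
+}
+
+// Validates time based claims "exp, iat, nbf".
+// There is no accounting for clock skew.
+// As well, if any of the above claims are not in the token, it will still
+// be considered a valid claim.
+func (m MapClaims) Valid() error {
+	vErr := new(ValidationError)
+	now := TimeFunc().Unix()
+
+	if m.VerifyExpiresAt(now, false) == false {
+		vErr.Inner = errors.New("Token is expired")
+		vErr.Errors |= ValidationErrorExpired
+	}
+
+	if m.VerifyIssuedAt(now, false) == false {
+		vErr.Inner = errors.New("Token used before issued")
+		vErr.Errors |= ValidationErrorIssuedAt
+	}
+
+	if m.VerifyNotBefore(now, false) == false {
+		vErr.Inner = errors.New("Token is not valid yet")
+		vErr.Errors |= ValidationErrorNotValidYet
+	}
+
+	if vErr.valid() {
+		return nil
+	}
+
+	return vErr
+}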
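--- a/vendor/github.com/dgrijalva/jwt-go/none.go
+++ b/vendor/github.com/dgrijalva/jwt-go/none.go
@@ -0,0 +1,52 @@
+package jwt
+
+// Implements the none signing method. This is required by the spec
+// but you probably should never use it.
+var SigningMethodNone *signingMethodNone
+
+const UnsafeAllowNoneSignatureType unsafeNoneMagicConstant = "none signing method allowed"
+
+var NoneSignatureTypeDisallowedError error
+
+type signingMethodNone struct{}
+type unsafeNoneMagicConstant string
+
+func init() {
+	SigningMethodNone = &signingMethodNone{}
+	NoneSignatureTypeDisallowedError = NewValidationError("'none' signature type is not allowed", ValidationErrorSignatureInvalid)
+
+	RegisterSigningMethod(SigningMethodNone.Alg(), func() SigningMethod {
+		return SigningMethodNone
+	})
+}
+
+func (m *signingMethodNone) Alg() string {
+	return "none"
+}
+
+// Only allow 'none' alg type if UnsafeAllowNoneSignatureType is specified as the key
+func (m *signingMethodNone) Verify(signingString, signature string, key interface{}) (err error) {
+	// Key must be UnsafeAllowNoneSignatureType to prevent accidentally
+	// accepting 'none' signing method
+	if _, ok := key.(unsafeNoneMagicConstant); !ok {
+		return NoneSignatureTypeDisallowedError
+	}
+	// If signing method is none, signature must be an empty string
+	if signature != "" {
+		return NewValidationError(
+			"'none' signing method with non-empty signature",
+			ValidationErrorSignatureInvalid,
+		)
+	}
+
+	// Accept 'none' signing method.
+	return nil
+}
+
+// Only allow 'none' signing if UnsafeAllowNoneSignatureType is specified as the key
+func (m *signingMethodNone) Sign(signingString string, key interface{}) (string, error) {
+	if _, ok := key.(unsafeNoneMagicConstant); ok {
+		return "", nil
+	}
+	return "", NoneSignatureTypeDisallowedError
+}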
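--- a/vendor/github.com/dgrijalva/jwt-go/parser.go
+++ b/vendor/github.com/dgrijalva/jwt-go/parser.go
@@ -0,0 +1,148 @@
+package jwt
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+)
+
+type Parser struct {
+	ValidMethods []string // If populated, only these methods will be considered valid
+	UseJSONNumber bool // Use JSON Number format in JSON decoder
+	SkipClaimsValidation bool // Skip claims validation during token parsing
+}
+
+// Parse, validate, and return a token.
+// keyFunc will receive the parsed token and should return the key for validating.
+// If everything is kosher, err will be nil
+func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
+}
+
+func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+	token, parts, err := p.ParseUnverified(tokenString, claims)
+	if err != nil {
+		return token, err
+	}
+
+	// Verify signing method is in the required set
+	if p.ValidMethods != nil {
+		var signingMethodValid = false
+		var alg = token.Method.Alg()
+		for _, m := range p.ValidMethods {
+			if m == alg {
+				signingMethodValid = true
+				break
+			}
+		}
+		if !signingMethodValid {
+			// signing method is not in the listed set
+			return token, NewValidationError(fmt.Sprintf("signing method %v is invalid", alg), ValidationErrorSignatureInvalid)
+		}
+	}
+
+	// Lookup key
+	var key interface{}
+	if keyFunc == nil {
+		// keyFunc was not provided. short circuiting validation
+		return token, NewValidationError("no Keyfunc was provided.", ValidationErrorUnverifiable)
+	}
+	if key, err = keyFunc(token); err != nil {
+		// keyFunc returned an error
+		if ve, ok := err.(*ValidationError); ok {
+			return token, ve
+		}
+		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
+	}
+
+	vErr := &ValidationError{}
+
+	// Validate Claims
+	if !p.SkipClaimsValidation {
+		if err := token.Claims.Valid(); err != nil {
+
+			// If the Claims Valid returned an error, check if it is a validation error,
+			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
+			if e, ok := err.(*ValidationError); !ok {
+				vErr = &ValidationError{Inner: err, Errors: ValidationErrorClaimsInvalid}
+			} else {
+				vErr = e
+			}
+		}
+	}
+
+	// Perform validation
+	token.Signature = parts[2]
+	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+		vErr.Inner = err
+		vErr.Errors |= ValidationErrorSignatureInvalid
+	}
+
+	if vErr.valid() {
+		token.Valid = true
+		return token, nil
+	}
+
+	return token, vErr
+}
+
+// WARNING: Don't use this method unless you know what you're doing
+//
+// This method parses the token but doesn't validate the signature. It's only
+// ever useful in cases where you know the signature is valid (because it has
+// been checked previously in the stack) and you want to extract values from
+// it.
+func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+	parts = strings.Split(tokenString, ".")
+	if len(parts) != 3 {
+		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+	}
+
+	token = &Token{Raw: tokenString}
+
+	// parse Header
+	var headerBytes []byte
+	if headerBytes, err = DecodeSegment(parts[0]); err != nil {
+		if strings.HasPrefix(strings.ToLower(tokenString), "bearer ") {
+			return token, parts, NewValidationError("tokenstring should not contain 'bearer '", ValidationErrorMalformed)
+		}
+		return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
+	}
+	if err = json.Unmarshal(headerBytes, &token.Header); err != nil {
+		return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
+	}
+
+	// parse Claims
+	var claimBytes []byte
+	token.Claims = claims
+
+	if claimBytes, err = DecodeSegment(parts[1]); err != nil {
+		return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
+	}
+	dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
+	if p.UseJSONNumber {
+		dec.UseNumber()
+	}
+	// JSON Decode. Special case for map type to avoid weird pointer behavior
+	if c, ok := token.Claims.(MapClaims); ok {
+		err = dec.Decode(&c)
+	} else {
+		err = dec.Decode(&claims)
+	}
+	// Handle decode error
+	if err != nil {
+		return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
+	}
+
+	// Lookup signature method
+	if method, ok := token.Header["alg"].(string); ok {
+		if token.Method = GetSigningMethod(method); token.Method == nil {
+			return token, parts, NewValidationError("signing method (alg) is unavailable.", ValidationErrorUnverifiable)
+		}
+	} else {
+		return token, parts, NewValidationError("signing method (alg) is unspecified.", ValidationErrorUnverifiable)
+	}
+
+	return token, parts, nil
+}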
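--- a/vendor/github.com/dgrijalva/jwt-go/rsa.go
+++ b/vendor/github.com/dgrijalva/jwt-go/rsa.go
@@ -0,0 +1,101 @@
+package jwt
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+)
+
+// Implements the RSA family of signing methods signing methods
+// Expects *rsa.PrivateKey for signing and *rsa.PublicKey for validation
+type SigningMethodRSA struct {
+	Name string
+	Hash crypto.Hash
+}
+
+// Specific instances for RS256 and company
+var (
+	SigningMethodRS256 *SigningMethodRSA
+	SigningMethodRS384 *SigningMethodRSA
+	SigningMethodRS512 *SigningMethodRSA
+)
+
+func init() {
+	// RS256
+	SigningMethodRS256 = &SigningMethodRSA{"RS256", crypto.SHA256}
+	RegisterSigningMethod(SigningMethodRS256.Alg(), func() SigningMethod {
+		return SigningMethodRS256
+	})
+
+	// RS384
+	SigningMethodRS384 = &SigningMethodRSA{"RS384", crypto.SHA384}
+	RegisterSigningMethod(SigningMethodRS384.Alg(), func() SigningMethod {
+		return SigningMethodRS384
+	})
+
+	// RS512
+	SigningMethodRS512 = &SigningMethodRSA{"RS512", crypto.SHA512}
+	RegisterSigningMethod(SigningMethodRS512.Alg(), func() SigningMethod {
+		return SigningMethodRS512
+	})
+}
+
+func (m *SigningMethodRSA) Alg() string {
+	return m.Name
+}
+
+// Implements the Verify method from SigningMethod
+// For this signing method, must be an *rsa.PublicKey structure.
+func (m *SigningMethodRSA) Verify(signingString, signature string, key interface{}) error {
+	var err error
+
+	// Decode the signature
+	var sig []byte
+	if sig, err = DecodeSegment(signature); err != nil {
+		return err
+	}
+
+	var rsaKey *rsa.PublicKey
+	var ok bool
+
+	if rsaKey, ok = key.(*rsa.PublicKey); !ok {
+		return ErrInvalidKeyType
+	}
+
+	// Create hasher
+	if !m.Hash.Available() {
+		return ErrHashUnavailable
+	}
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	// Verify the signature
+	return rsa.VerifyPKCS1v15(rsaKey, m.Hash, hasher.Sum(nil), sig)
+}
+
+// Implements the Sign method from SigningMethod
+// For this signing method, must be an *rsa.PrivateKey structure.
+func (m *SigningMethodRSA) Sign(signingString string, key interface{}) (string, error) {
+	var rsaKey *rsa.PrivateKey
+	var ok bool
+
+	// Validate type of key
+	if rsaKey, ok = key.(*rsa.PrivateKey); !ok {
+		return "", ErrInvalidKey
+	}
+
+	// Create the hasher
+	if !m.Hash.Available() {
+		return "", ErrHashUnavailable
+	}
+
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	// Sign the string and return the encoded bytes
+	if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil)); err == nil {
+		return EncodeSegment(sigBytes), nil
+	} else {
+		return "", err
+	}
+}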
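--- a/vendor/github.com/dgrijalva/jwt-go/rsa_pss.go
+++ b/vendor/github.com/dgrijalva/jwt-go/rsa_pss.go
@@ -0,0 +1,126 @@
+// +build go1.4
+
+package jwt
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+)
+
+// Implements the RSAPSS family of signing methods signing methods
+type SigningMethodRSAPSS struct {
+	*SigningMethodRSA
+	Options *rsa.PSSOptions
+}
+
+// Specific instances for RS/PS and company
+var (
+	SigningMethodPS256 *SigningMethodRSAPSS
+	SigningMethodPS384 *SigningMethodRSAPSS
+	SigningMethodPS512 *SigningMethodRSAPSS
+)
+
+func init() {
+	// PS256
+	SigningMethodPS256 = &SigningMethodRSAPSS{
+		&SigningMethodRSA{
+			Name: "PS256",
+			Hash: crypto.SHA256,
+		},
+		&rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthAuto,
+			Hash: crypto.SHA256,
+		},
+	}
+	RegisterSigningMethod(SigningMethodPS256.Alg(), func() SigningMethod {
+		return SigningMethodPS256
+	})
+
+	// PS384
+	SigningMethodPS384 = &SigningMethodRSAPSS{
+		&SigningMethodRSA{
+			Name: "PS384",
+			Hash: crypto.SHA384,
+		},
+		&rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthAuto,
+			Hash: crypto.SHA384,
+		},
+	}
+	RegisterSigningMethod(SigningMethodPS384.Alg(), func() SigningMethod {
+		return SigningMethodPS384
+	})
+
+	// PS512
+	SigningMethodPS512 = &SigningMethodRSAPSS{
+		&SigningMethodRSA{
+			Name: "PS512",
+			Hash: crypto.SHA512,
+		},
+		&rsa.PSSOptions{
+			SaltLength: rsa.PSSSaltLengthAuto,
+			Hash: crypto.SHA512,
+		},
+	}
+	RegisterSigningMethod(SigningMethodPS512.Alg(), func() SigningMethod {
+		return SigningMethodPS512
+	})
+}
+
+// Implements the Verify method from SigningMethod
+// For this verify method, key must be an rsa.PublicKey struct
+func (m *SigningMethodRSAPSS) Verify(signingString, signature string, key interface{}) error {
+	var err error
+
+	// Decode the signature
+	var sig []byte
+	if sig, err = DecodeSegment(signature); err != nil {
+		return err
+	}
+
+	var rsaKey *rsa.PublicKey
+	switch k := key.(type) {
+	case *rsa.PublicKey:
+		rsaKey = k
+	default:
+		return ErrInvalidKey
+	}
+
+	// Create hasher
+	if !m.Hash.Available() {
+		return ErrHashUnavailable
+	}
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, m.Options)
+}
+
+// Implements the Sign method from SigningMethod
+// For this signing method, key must be an rsa.PrivateKey struct
+func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) (string, error) {
+	var rsaKey *rsa.PrivateKey
+
+	switch k := key.(type) {
+	case *rsa.PrivateKey:
+		rsaKey = k
+	default:
+		return "", ErrInvalidKeyType
+	}
+
+	// Create the hasher
+	if !m.Hash.Available() {
+		return "", ErrHashUnavailable
+	}
+
+	hasher := m.Hash.New()
+	hasher.Write([]byte(signingString))
+
+	// Sign the string and return the encoded bytes
+	if sigBytes, err := rsa.SignPSS(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil), m.Options); err == nil {
+		return EncodeSegment(sigBytes), nil
+	} else {
+		return "", err
+	}
+}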
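--- a/vendor/github.com/dgrijalva/jwt-go/rsa_utils.go
+++ b/vendor/github.com/dgrijalva/jwt-go/rsa_utils.go
@@ -0,0 +1,101 @@
+package jwt
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+)
+
+var (
+	ErrKeyMustBePEMEncoded = errors.New("Invalid Key: Key must be PEM encoded PKCS1 or PKCS8 private key")
+	ErrNotRSAPrivateKey = errors.New("Key is not a valid RSA private key")
+	ErrNotRSAPublicKey = errors.New("Key is not a valid RSA public key")
+)
+
+// Parse PEM encoded PKCS1 or PKCS8 private key
+func ParseRSAPrivateKeyFromPEM(key []byte) (*rsa.PrivateKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
+		if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
+			return nil, err
+		}
+	}
+
+	var pkey *rsa.PrivateKey
+	var ok bool
+	if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {
+		return nil, ErrNotRSAPrivateKey
+	}
+
+	return pkey, nil
+}
+
+// Parse PEM encoded PKCS1 or PKCS8 private key protected with password
+func ParseRSAPrivateKeyFromPEMWithPassword(key []byte, password string) (*rsa.PrivateKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	var parsedKey interface{}
+
+	var blockDecrypted []byte
+	if blockDecrypted, err = x509.DecryptPEMBlock(block, []byte(password)); err != nil {
+		return nil, err
+	}
+
+	if parsedKey, err = x509.ParsePKCS1PrivateKey(blockDecrypted); err != nil {
+		if parsedKey, err = x509.ParsePKCS8PrivateKey(blockDecrypted); err != nil {
+			return nil, err
+		}
+	}
+
+	var pkey *rsa.PrivateKey
+	var ok bool
+	if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {
+		return nil, ErrNotRSAPrivateKey
+	}
+
+	return pkey, nil
+}
+
+// Parse PEM encoded PKCS1 or PKCS8 public key
+func ParseRSAPublicKeyFromPEM(key []byte) (*rsa.PublicKey, error) {
+	var err error
+
+	// Parse PEM block
+	var block *pem.Block
+	if block, _ = pem.Decode(key); block == nil {
+		return nil, ErrKeyMustBePEMEncoded
+	}
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
+		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
+			parsedKey = cert.PublicKey
+		} else {
+			return nil, err
+		}
+	}
+
+	var pkey *rsa.PublicKey
+	var ok bool
+	if pkey, ok = parsedKey.(*rsa.PublicKey); !ok {
+		return nil, ErrNotRSAPublicKey
+	}
+
+	return pkey, nil
+}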
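--- a/vendor/github.com/dgrijalva/jwt-go/signing_method.go
+++ b/vendor/github.com/dgrijalva/jwt-go/signing_method.go
@@ -0,0 +1,35 @@
+package jwt
+
+import (
+	"sync"
+)
+
+var signingMethods = map[string]func() SigningMethod{}
+var signingMethodLock = new(sync.RWMutex)
+
+// Implement SigningMethod to add new methods for signing or verifying tokens.
+type SigningMethod interface {
+	Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid
+	Sign(signingString string, key interface{}) (string, error) // Returns encoded signature or error
+	Alg() string // returns the alg identifier for this method (example: 'HS256')
+}
+
+// Register the "alg" name and a factory function for signing method.
+// This is typically done during init() in the method's implementation
+func RegisterSigningMethod(alg string, f func() SigningMethod) {
+	signingMethodLock.Lock()
+	defer signingMethodLock.Unlock()
+
+	signingMethods[alg] = f
+}
+
+// Get a signing method from an "alg" string
+func GetSigningMethod(alg string) (method SigningMethod) {
+	signingMethodLock.RLock()
+	defer signingMethodLock.RUnlock()
+
+	if methodF, ok := signingMethods[alg]; ok {
+		method = methodF()
+	}
+	return
+}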
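--- /dev/null
+++ b/vendor/github.com/dgrijalva/jwt-go/token.go
@@ -0,0 +1,108 @@
+package jwt
+
+import (
+"encoding/base64"
+"encoding/json"
+"strings"
+"time"
+)
+
+// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
+// You can override it to use another time value. This is useful for testing or if your
+// server uses a different time zone than your tokens.
+var TimeFunc = time.Now
+
+// Parse methods use this callback function to supply
+// the key for verification. The function receives the parsed,
+// but unverified Token. This allows you to use properties in the
+// Header of the token (such as `kid`) to identify which key to use.
+type Keyfunc func(*Token) (interface{}, error)
+
+// A JWT Token. Different fields will be used depending on whether you're
+// creating or parsing/verifying a token.
+type Token struct {
+Raw string // The raw token. Populated when you Parse a token
+Method SigningMethod // The signing method used or to be used
+Header map[string]interface{} // The first segment of the token
+Claims Claims // The second segment of the token
+Signature string // The third segment of the token. Populated when you Parse a token
+Valid bool // Is the token valid? Populated when you Parse/Verify a token
+}
+
+// Create a new Token. Takes a signing method
+func New(method SigningMethod) *Token {
+return NewWithClaims(method, MapClaims{})
+}
+
+func NewWithClaims(method SigningMethod, claims Claims) *Token {
+return &Token{
+Header: map[string]interface{}{
+"typ": "JWT",
+"alg": method.Alg(),
+},
+Claims: claims,
+Method: method,
+}
+}
+
+// Get the complete, signed token
+func (t *Token) SignedString(key interface{}) (string, error) {
+var sig, sstr string
+var err error
+if sstr, err = t.SigningString(); err != nil {
+return "", err
+}
+if sig, err = t.Method.Sign(sstr, key); err != nil {
+return "", err
+}
+return strings.Join([]string{sstr, sig}, "."), nil
+}
+
+// Generate the signing string. This is the
+// most expensive part of the whole deal. Unless you
+// need this for something special, just go straight for
+// the SignedString.
+func (t *Token) SigningString() (string, error) {
+var err error
+parts := make([]string, 2)
+for i, _ := range parts {
+var jsonValue []byte
+if i == 0 {
+if jsonValue, err = json.Marshal(t.Header); err != nil {
+return "", err
+}
+} else {
+if jsonValue, err = json.Marshal(t.Claims); err != nil {
+return "", err
+}
+}
+
+parts[i] = EncodeSegment(jsonValue)
+}
+return strings.Join(parts, "."), nil
+}
+
+// Parse, validate, and return a token.
+// keyFunc will receive the parsed token and should return the key for validating.
+// If everything is kosher, err will be nil
+func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
+return new(Parser).Parse(tokenString, keyFunc)
+}
+
+func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
+return new(Parser).ParseWithClaims(tokenString, claims, keyFunc)
+}
+
+// Encode JWT specific base64url encoding with padding stripped
+func EncodeSegment(seg []byte) string {
+return strings.TrimRight(base64.URLEncoding.EncodeToString(seg), "=")
+}
+
+// Decode JWT specific base64url encoding with padding stripped
+func DecodeSegment(seg string) ([]byte, error) {
+if l := len(seg) % 4; l > 0 {
+seg += strings.Repeat("=", 4-l)
+}
+
+return base64.URLEncoding.DecodeString(seg)
+}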
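--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015-2017 Sebastian Erhart
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.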
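--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/account.go
@@ -0,0 +1,85 @@
+package api
+
+import (
+"encoding/base64"
+"errors"
+"fmt"
+
+"github.com/go-acme/lego/v4/acme"
+)
+
+type AccountService service
+
+// New Creates a new account.
+func (a *AccountService) New(req acme.Account) (acme.ExtendedAccount, error) {
+var account acme.Account
+resp, err := a.core.post(a.core.GetDirectory().NewAccountURL, req, &account)
+location := getLocation(resp)
+
+if len(location) > 0 {
+a.core.jws.SetKid(location)
+}
+
+if err != nil {
+return acme.ExtendedAccount{Location: location}, err
+}
+
+return acme.ExtendedAccount{Account: account, Location: location}, nil
+}
+
+// NewEAB Creates a new account with an External Account Binding.
+func (a *AccountService) NewEAB(accMsg acme.Account, kid, hmacEncoded string) (acme.ExtendedAccount, error) {
+hmac, err := base64.RawURLEncoding.DecodeString(hmacEncoded)
+if err != nil {
+return acme.ExtendedAccount{}, fmt.Errorf("acme: could not decode hmac key: %w", err)
+}
+
+eabJWS, err := a.core.signEABContent(a.core.GetDirectory().NewAccountURL, kid, hmac)
+if err != nil {
+return acme.ExtendedAccount{}, fmt.Errorf("acme: error signing eab content: %w", err)
+}
+
+accMsg.ExternalAccountBinding = eabJWS
+
+return a.New(accMsg)
+}
+
+// Get Retrieves an account.
+func (a *AccountService) Get(accountURL string) (acme.Account, error) {
+if len(accountURL) == 0 {
+return acme.Account{}, errors.New("account[get]: empty URL")
+}
+
+var account acme.Account
+_, err := a.core.postAsGet(accountURL, &account)
+if err != nil {
+return acme.Account{}, err
+}
+return account, nil
+}
+
+// Update Updates an account.
+func (a *AccountService) Update(accountURL string, req acme.Account) (acme.Account, error) {
+if len(accountURL) == 0 {
+return acme.Account{}, errors.New("account[update]: empty URL")
+}
+
+var account acme.Account
+_, err := a.core.post(accountURL, req, &account)
+if err != nil {
+return acme.Account{}, err
+}
+
+return account, nil
+}
+
+// Deactivate Deactivates an account.
+func (a *AccountService) Deactivate(accountURL string) error {
+if len(accountURL) == 0 {
+return errors.New("account[deactivate]: empty URL")
+}
+
+req := acme.Account{Status: acme.StatusDeactivated}
+_, err := a.core.post(accountURL, req, nil)
+return err
+}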
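--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/api.go
@@ -0,0 +1,169 @@
+package api
+
+import (
+"bytes"
+"context"
+"crypto"
+"encoding/json"
+"errors"
+"fmt"
+"net/http"
+"time"
+
+"github.com/cenkalti/backoff/v4"
+"github.com/go-acme/lego/v4/acme"
+"github.com/go-acme/lego/v4/acme/api/internal/nonces"
+"github.com/go-acme/lego/v4/acme/api/internal/secure"
+"github.com/go-acme/lego/v4/acme/api/internal/sender"
+"github.com/go-acme/lego/v4/log"
+)
+
+// Core ACME/LE core API.
+type Core struct {
+doer *sender.Doer
+nonceManager *nonces.Manager
+jws *secure.JWS
+directory acme.Directory
+HTTPClient *http.Client
+
+common service // Reuse a single struct instead of allocating one for each service on the heap.
+Accounts *AccountService
+Authorizations *AuthorizationService
+Certificates *CertificateService
+Challenges *ChallengeService
+Orders *OrderService
+}
+
+// New Creates a new Core.
+func New(httpClient *http.Client, userAgent, caDirURL, kid string, privateKey crypto.PrivateKey) (*Core, error) {
+doer := sender.NewDoer(httpClient, userAgent)
+
+dir, err := getDirectory(doer, caDirURL)
+if err != nil {
+return nil, err
+}
+
+nonceManager := nonces.NewManager(doer, dir.NewNonceURL)
+
+jws := secure.NewJWS(privateKey, kid, nonceManager)
+
+c := &Core{doer: doer, nonceManager: nonceManager, jws: jws, directory: dir, HTTPClient: httpClient}
+
+c.common.core = c
+c.Accounts = (*AccountService)(&c.common)
+c.Authorizations = (*AuthorizationService)(&c.common)
+c.Certificates = (*CertificateService)(&c.common)
+c.Challenges = (*ChallengeService)(&c.common)
+c.Orders = (*OrderService)(&c.common)
+
+return c, nil
+}
+
+// post performs an HTTP POST request and parses the response body as JSON,
+// into the provided respBody object.
+func (a *Core) post(uri string, reqBody, response interface{}) (*http.Response, error) {
+content, err := json.Marshal(reqBody)
+if err != nil {
+return nil, errors.New("failed to marshal message")
+}
+
+return a.retrievablePost(uri, content, response)
+}
+
+// postAsGet performs an HTTP POST ("POST-as-GET") request.
+// https://tools.ietf.org/html/rfc8555#section-6.3
+func (a *Core) postAsGet(uri string, response interface{}) (*http.Response, error) {
+return a.retrievablePost(uri, []byte{}, response)
+}
+
+func (a *Core) retrievablePost(uri string, content []byte, response interface{}) (*http.Response, error) {
+// during tests, allow to support ~90% of bad nonce with a minimum of attempts.
+bo := backoff.NewExponentialBackOff()
+bo.InitialInterval = 200 * time.Millisecond
+bo.MaxInterval = 5 * time.Second
+bo.MaxElapsedTime = 20 * time.Second
+
+ctx, cancel := context.WithCancel(context.Background())
+
+var resp *http.Response
+operation := func() error {
+var err error
+resp, err = a.signedPost(uri, content, response)
+if err != nil {
+// Retry if the nonce was invalidated
+var e *acme.NonceError
+if errors.As(err, &e) {
+return err
+}
+
+cancel()
+return err
+}
+
+return nil
+}
+
+notify := func(err error, duration time.Duration) {
+log.Infof("retry due to: %v", err)
+}
+
+err := backoff.RetryNotify(operation, backoff.WithContext(bo, ctx), notify)
+if err != nil {
+return resp, err
+}
+
+return resp, nil
+}
+
+func (a *Core) signedPost(uri string, content []byte, response interface{}) (*http.Response, error) {
+signedContent, err := a.jws.SignContent(uri, content)
+if err != nil {
+return nil, fmt.Errorf("failed to post JWS message: failed to sign content: %w", err)
+}
+
+signedBody := bytes.NewBuffer([]byte(signedContent.FullSerialize()))
+
+resp, err := a.doer.Post(uri, signedBody, "application/jose+json", response)
+
+// nonceErr is ignored to keep the root error.
+nonce, nonceErr := nonces.GetFromResponse(resp)
+if nonceErr == nil {
+a.nonceManager.Push(nonce)
+}
+
+return resp, err
+}
+
+func (a *Core) signEABContent(newAccountURL, kid string, hmac []byte) ([]byte, error) {
+eabJWS, err := a.jws.SignEABContent(newAccountURL, kid, hmac)
+if err != nil {
+return nil, err
+}
+
+return []byte(eabJWS.FullSerialize()), nil
+}
+
+// GetKeyAuthorization Gets the key authorization.
+func (a *Core) GetKeyAuthorization(token string) (string, error) {
+return a.jws.GetKeyAuthorization(token)
+}
+
+func (a *Core) GetDirectory() acme.Directory {
+return a.directory
+}
+
+func getDirectory(do *sender.Doer, caDirURL string) (acme.Directory, error) {
+var dir acme.Directory
+if _, err := do.Get(caDirURL, &dir); err != nil {
+return dir, fmt.Errorf("get directory at '%s': %w", caDirURL, err)
+}
+
+if dir.NewAccountURL == "" {
+return dir, errors.New("directory missing new registration URL")
+}
+if dir.NewOrderURL == "" {
+return dir, errors.New("directory missing new order URL")
+}
+
+return dir, nil
+}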
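--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/authorization.go
@@ -0,0 +1,34 @@
+package api
+
+import (
+"errors"
+
+"github.com/go-acme/lego/v4/acme"
+)
+
+type AuthorizationService service
+
+// Get Gets an authorization.
+func (c *AuthorizationService) Get(authzURL string) (acme.Authorization, error) {
+if len(authzURL) == 0 {
+return acme.Authorization{}, errors.New("authorization[get]: empty URL")
+}
+
+var authz acme.Authorization
+_, err := c.core.postAsGet(authzURL, &authz)
+if err != nil {
+return acme.Authorization{}, err
+}
+return authz, nil
+}
+
+// Deactivate Deactivates an authorization.
+func (c *AuthorizationService) Deactivate(authzURL string) error {
+if len(authzURL) == 0 {
+return errors.New("authorization[deactivate]: empty URL")
+}
+
+var disabledAuth acme.Authorization
+_, err := c.core.post(authzURL, acme.Authorization{Status: acme.StatusDeactivated}, &disabledAuth)
+return err
+}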
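--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/certificate.go
@@ -0,0 +1,99 @@
+package api
+
+import (
+"crypto/x509"
+"encoding/pem"
+"errors"
+"io/ioutil"
+"net/http"
+
+"github.com/go-acme/lego/v4/acme"
+"github.com/go-acme/lego/v4/certcrypto"
+"github.com/go-acme/lego/v4/log"
+)
+
+// maxBodySize is the maximum size of body that we will read.
+const maxBodySize = 1024 * 1024
+
+type CertificateService service
+
+// Get Returns the certificate and the issuer certificate.
+// 'bundle' is only applied if the issuer is provided by the 'up' link.
+func (c *CertificateService) Get(certURL string, bundle bool) ([]byte, []byte, error) {
+cert, up, err := c.get(certURL)
+if err != nil {
+return nil, nil, err
+}
+
+// Get issuerCert from bundled response from Let's Encrypt
+// See https://community.letsencrypt.org/t/acme-v2-no-up-link-in-response/64962
+_, issuer := pem.Decode(cert)
+if issuer != nil {
+return cert, issuer, nil
+}
+
+issuer, err = c.getIssuerFromLink(up)
+if err != nil {
+// If we fail to acquire the issuer cert, return the issued certificate - do not fail.
+log.Warnf("acme: Could not bundle issuer certificate [%s]: %v", certURL, err)
+} else if len(issuer) > 0 {
+// If bundle is true, we want to return a certificate bundle.
+// To do this, we append the issuer cert to the issued cert.
+if bundle {
+cert = append(cert, issuer...)
+}
+}
+
+return cert, issuer, nil
+}
+
+// Revoke Revokes a certificate.
+func (c *CertificateService) Revoke(req acme.RevokeCertMessage) error {
+_, err := c.core.post(c.core.GetDirectory().RevokeCertURL, req, nil)
+return err
+}
+
+// get Returns the certificate and the "up" link.
+func (c *CertificateService) get(certURL string) ([]byte, string, error) {
+if len(certURL) == 0 {
+return nil, "", errors.New("certificate[get]: empty URL")
+}
+
+resp, err := c.core.postAsGet(certURL, nil)
+if err != nil {
+return nil, "", err
+}
+
+cert, err := ioutil.ReadAll(http.MaxBytesReader(nil, resp.Body, maxBodySize))
+if err != nil {
+return nil, "", err
+}
+
+// The issuer certificate link may be supplied via an "up" link
+// in the response headers of a new certificate.
+// See https://tools.ietf.org/html/rfc8555#section-7.4.2
+up := getLink(resp.Header, "up")
+
+return cert, up, err
+}
+
+// getIssuerFromLink requests the issuer certificate.
+func (c *CertificateService) getIssuerFromLink(up string) ([]byte, error) {
+if len(up) == 0 {
+return nil, nil
+}
+
+log.Infof("acme: Requesting issuer cert from %s", up)
+
+cert, _, err := c.get(up)
+if err != nil {
+return nil, err
+}
+
+_, err = x509.ParseCertificate(cert)
+if err != nil {
+return nil, err
+}
+
+return certcrypto.PEMEncode(certcrypto.DERCertificateBytes(cert)), nil
+}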
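--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/challenge.go
@@ -0,0 +1,45 @@
+package api
+
+import (
+"errors"
+
+"github.com/go-acme/lego/v4/acme"
+)
+
+type ChallengeService service
+
+// New Creates a challenge.
+func (c *ChallengeService) New(chlgURL string) (acme.ExtendedChallenge, error) {
+if len(chlgURL) == 0 {
+return acme.ExtendedChallenge{}, errors.New("challenge[new]: empty URL")
+}
+
+// Challenge initiation is done by sending a JWS payload containing the trivial JSON object `{}`.
+// We use an empty struct instance as the postJSON payload here to achieve this result.
+var chlng acme.ExtendedChallenge
+resp, err := c.core.post(chlgURL, struct{}{}, &chlng)
+if err != nil {
+return acme.ExtendedChallenge{}, err
+}
+
+chlng.AuthorizationURL = getLink(resp.Header, "up")
+chlng.RetryAfter = getRetryAfter(resp)
+return chlng, nil
+}
+
+// Get Gets a challenge.
+func (c *ChallengeService) Get(chlgURL string) (acme.ExtendedChallenge, error) {
+if len(chlgURL) == 0 {
+return acme.ExtendedChallenge{}, errors.New("challenge[get]: empty URL")
+}
+
+var chlng acme.ExtendedChallenge
+resp, err := c.core.postAsGet(chlgURL, &chlng)
+if err != nil {
+return acme.ExtendedChallenge{}, err
+}
+
+chlng.AuthorizationURL = getLink(resp.Header, "up")
+chlng.RetryAfter = getRetryAfter(resp)
+return chlng, nil
+}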
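--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/internal/nonces/nonce_manager.go
@@ -0,0 +1,78 @@
+package nonces
+
+import (
+"errors"
+"fmt"
+"net/http"
+"sync"
+
+"github.com/go-acme/lego/v4/acme/api/internal/sender"
+)
+
+// Manager Manages nonces.
+type Manager struct {
+do *sender.Doer
+nonceURL string
+nonces []string
+sync.Mutex
+}
+
+// NewManager Creates a new Manager.
+func NewManager(do *sender.Doer, nonceURL string) *Manager {
+return &Manager{
+do: do,
+nonceURL: nonceURL,
+}
+}
+
+// Pop Pops a nonce.
+func (n *Manager) Pop() (string, bool) {
+n.Lock()
+defer n.Unlock()
+
+if len(n.nonces) == 0 {
+return "", false
+}
+
+nonce := n.nonces[len(n.nonces)-1]
+n.nonces = n.nonces[:len(n.nonces)-1]
+return nonce, true
+}
+
+// Push Pushes a nonce.
+func (n *Manager) Push(nonce string) {
+n.Lock()
+defer n.Unlock()
+n.nonces = append(n.nonces, nonce)
+}
+
+// Nonce implement jose.NonceSource.
+func (n *Manager) Nonce() (string, error) {
+if nonce, ok := n.Pop(); ok {
+return nonce, nil
+}
+return n.getNonce()
+}
+
+func (n *Manager) getNonce() (string, error) {
+resp, err := n.do.Head(n.nonceURL)
+if err != nil {
+return "", fmt.Errorf("failed to get nonce from HTTP HEAD: %w", err)
+}
+
+return GetFromResponse(resp)
+}
+
+// GetFromResponse Extracts a nonce from a HTTP response.
+func GetFromResponse(resp *http.Response) (string, error) {
+if resp == nil {
+return "", errors.New("nil response")
+}
+
+nonce := resp.Header.Get("Replay-Nonce")
+if nonce == "" {
+return "", errors.New("server did not respond with a proper nonce header")
+}
+
+return nonce, nil
+}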
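--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/internal/secure/jws.go
@@ -0,0 +1,130 @@
+package secure
+
+import (
+"crypto"
+"crypto/ecdsa"
+"crypto/elliptic"
+"crypto/rsa"
+"encoding/base64"
+"fmt"
+
+"github.com/go-acme/lego/v4/acme/api/internal/nonces"
+jose "gopkg.in/square/go-jose.v2"
+)
+
+// JWS Represents a JWS.
+type JWS struct {
+privKey crypto.PrivateKey
+kid string // Key identifier
+nonces *nonces.Manager
+}
+
+// NewJWS Create a new JWS.
+func NewJWS(privateKey crypto.PrivateKey, kid string, nonceManager *nonces.Manager) *JWS {
+return &JWS{
+privKey: privateKey,
+nonces: nonceManager,
+kid: kid,
+}
+}
+
+// SetKid Sets a key identifier.
+func (j *JWS) SetKid(kid string) {
+j.kid = kid
+}
+
+// SignContent Signs a content with the JWS.
+func (j *JWS) SignContent(url string, content []byte) (*jose.JSONWebSignature, error) {
+var alg jose.SignatureAlgorithm
+switch k := j.privKey.(type) {
+case *rsa.PrivateKey:
+alg = jose.RS256
+case *ecdsa.PrivateKey:
+if k.Curve == elliptic.P256() {
+alg = jose.ES256
+} else if k.Curve == elliptic.P384() {
+alg = jose.ES384
+}
+}
+
+signKey := jose.SigningKey{
+Algorithm: alg,
+Key: jose.JSONWebKey{Key: j.privKey, KeyID: j.kid},
+}
+
+options := jose.SignerOptions{
+NonceSource: j.nonces,
+ExtraHeaders: map[jose.HeaderKey]interface{}{
+"url": url,
+},
+}
+
+if j.kid == "" {
+options.EmbedJWK = true
+}
+
+signer, err := jose.NewSigner(signKey, &options)
+if err != nil {
+return nil, fmt.Errorf("failed to create jose signer: %w", err)
+}
+
+signed, err := signer.Sign(content)
+if err != nil {
+return nil, fmt.Errorf("failed to sign content: %w", err)
+}
+return signed, nil
+}
+
+// SignEABContent Signs an external account binding content with the JWS.
+func (j *JWS) SignEABContent(url, kid string, hmac []byte) (*jose.JSONWebSignature, error) {
+jwk := jose.JSONWebKey{Key: j.privKey}
+jwkJSON, err := jwk.Public().MarshalJSON()
+if err != nil {
+return nil, fmt.Errorf("acme: error encoding eab jwk key: %w", err)
+}
+
+signer, err := jose.NewSigner(
+jose.SigningKey{Algorithm: jose.HS256, Key: hmac},
+&jose.SignerOptions{
+EmbedJWK: false,
+ExtraHeaders: map[jose.HeaderKey]interface{}{
+"kid": kid,
+"url": url,
+},
+},
+)
+if err != nil {
+return nil, fmt.Errorf("failed to create External Account Binding jose signer: %w", err)
+}
+
+signed, err := signer.Sign(jwkJSON)
+if err != nil {
+return nil, fmt.Errorf("failed to External Account Binding sign content: %w", err)
+}
+
+return signed, nil
+}
+
+// GetKeyAuthorization Gets the key authorization for a token.
+func (j *JWS) GetKeyAuthorization(token string) (string, error) {
+var publicKey crypto.PublicKey
+switch k := j.privKey.(type) {
+case *ecdsa.PrivateKey:
+publicKey = k.Public()
+case *rsa.PrivateKey:
+publicKey = k.Public()
+}
+
+// Generate the Key Authorization for the challenge
+jwk := &jose.JSONWebKey{Key: publicKey}
+
+thumbBytes, err := jwk.Thumbprint(crypto.SHA256)
+if err != nil {
+return "", err
+}
+
+// unpad the base64URL
+keyThumb := base64.RawURLEncoding.EncodeToString(thumbBytes)
+
+return token + "." + keyThumb, nil
+}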
145
vendor/github.com/go-acme/lego/v4/acme/api/internal/sender/sender.go
generated
vendored
Normal file
145
vendor/github.com/go-acme/lego/v4/acme/api/internal/sender/sender.go
generated
vendored
Normal file
@ -0,0 +1,145 @@
|
|||||||
|
package sender
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"net/http"
|
||||||
|
"runtime"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/go-acme/lego/v4/acme"
|
||||||
|
)
|
||||||
|
|
||||||
|
type RequestOption func(*http.Request) error
|
||||||
|
|
||||||
|
func contentType(ct string) RequestOption {
|
||||||
|
return func(req *http.Request) error {
|
||||||
|
req.Header.Set("Content-Type", ct)
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
type Doer struct {
|
||||||
|
httpClient *http.Client
|
||||||
|
userAgent string
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewDoer Creates a new Doer.
|
||||||
|
func NewDoer(client *http.Client, userAgent string) *Doer {
|
||||||
|
return &Doer{
|
||||||
|
httpClient: client,
|
||||||
|
userAgent: userAgent,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Get performs a GET request with a proper User-Agent string.
|
||||||
|
// If "response" is not provided, callers should close resp.Body when done reading from it.
|
||||||
|
func (d *Doer) Get(url string, response interface{}) (*http.Response, error) {
|
||||||
|
req, err := d.newRequest(http.MethodGet, url, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return d.do(req, response)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Head performs a HEAD request with a proper User-Agent string.
|
||||||
|
// The response body (resp.Body) is already closed when this function returns.
|
||||||
|
func (d *Doer) Head(url string) (*http.Response, error) {
|
||||||
|
req, err := d.newRequest(http.MethodHead, url, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return d.do(req, nil)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Post performs a POST request with a proper User-Agent string.
|
||||||
|
// If "response" is not provided, callers should close resp.Body when done reading from it.
|
||||||
|
func (d *Doer) Post(url string, body io.Reader, bodyType string, response interface{}) (*http.Response, error) {
|
||||||
|
req, err := d.newRequest(http.MethodPost, url, body, contentType(bodyType))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return d.do(req, response)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (d *Doer) newRequest(method, uri string, body io.Reader, opts ...RequestOption) (*http.Request, error) {
|
||||||
|
req, err := http.NewRequest(method, uri, body)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to create request: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
req.Header.Set("User-Agent", d.formatUserAgent())
|
||||||
|
|
||||||
|
for _, opt := range opts {
|
||||||
|
err = opt(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to create request: %w", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return req, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (d *Doer) do(req *http.Request, response interface{}) (*http.Response, error) {
|
||||||
|
resp, err := d.httpClient.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = checkError(req, resp); err != nil {
|
||||||
|
return resp, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if response != nil {
|
||||||
|
raw, err := ioutil.ReadAll(resp.Body)
|
||||||
|
if err != nil {
|
||||||
|
return resp, err
|
||||||
|
}
|
||||||
|
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
err = json.Unmarshal(raw, response)
|
||||||
|
if err != nil {
|
||||||
|
return resp, fmt.Errorf("failed to unmarshal %q to type %T: %w", raw, response, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return resp, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// formatUserAgent builds and returns the User-Agent string to use in requests.
|
||||||
|
func (d *Doer) formatUserAgent() string {
|
||||||
|
ua := fmt.Sprintf("%s %s (%s; %s; %s)", d.userAgent, ourUserAgent, ourUserAgentComment, runtime.GOOS, runtime.GOARCH)
|
||||||
|
return strings.TrimSpace(ua)
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkError(req *http.Request, resp *http.Response) error {
|
||||||
|
if resp.StatusCode >= http.StatusBadRequest {
|
||||||
|
body, err := ioutil.ReadAll(resp.Body)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("%d :: %s :: %s :: %w", resp.StatusCode, req.Method, req.URL, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
var errorDetails *acme.ProblemDetails
|
||||||
|
err = json.Unmarshal(body, &errorDetails)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("%d ::%s :: %s :: %w :: %s", resp.StatusCode, req.Method, req.URL, err, string(body))
|
||||||
|
}
|
||||||
|
|
||||||
|
errorDetails.Method = req.Method
|
||||||
|
errorDetails.URL = req.URL.String()
|
||||||
|
|
||||||
|
// Check for errors we handle specifically
|
||||||
|
if errorDetails.HTTPStatus == http.StatusBadRequest && errorDetails.Type == acme.BadNonceErr {
|
||||||
|
return &acme.NonceError{ProblemDetails: errorDetails}
|
||||||
|
}
|
||||||
|
|
||||||
|
return errorDetails
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
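--- a/vendor/github.com/go-acme/lego/v4/acme/api/internal/sender/useragent.go
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/internal/sender/useragent.go
@@ -0,0 +1,14 @@
+package sender
+
+// CODE GENERATED AUTOMATICALLY
+// THIS FILE MUST NOT BE EDITED BY HAND
+
+const (
+// ourUserAgent is the User-Agent of this underlying library package.
+ourUserAgent = "xenolf-acme/4.1.0"
+
+// ourUserAgentComment is part of the UA comment linked to the version status of this underlying library package.
+// values: detach|release
+// NOTE: Update this with each tagged release.
+ourUserAgentComment = "release"
+)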
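--- a/vendor/github.com/go-acme/lego/v4/acme/api/order.go
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/order.go
@@ -0,0 +1,72 @@
+package api
+
+import (
+"encoding/base64"
+"errors"
+
+"github.com/go-acme/lego/v4/acme"
+)
+
+type OrderService service
+
+// New Creates a new order.
+func (o *OrderService) New(domains []string) (acme.ExtendedOrder, error) {
+var identifiers []acme.Identifier
+for _, domain := range domains {
+identifiers = append(identifiers, acme.Identifier{Type: "dns", Value: domain})
+}
+
+orderReq := acme.Order{Identifiers: identifiers}
+
+var order acme.Order
+resp, err := o.core.post(o.core.GetDirectory().NewOrderURL, orderReq, &order)
+if err != nil {
+return acme.ExtendedOrder{}, err
+}
+
+return acme.ExtendedOrder{
+Order: order,
+Location: resp.Header.Get("Location"),
+AlternateChainLinks: getLinks(resp.Header, "alternate"),
+}, nil
+}
+
+// Get Gets an order.
+func (o *OrderService) Get(orderURL string) (acme.ExtendedOrder, error) {
+if len(orderURL) == 0 {
+return acme.ExtendedOrder{}, errors.New("order[get]: empty URL")
+}
+
+var order acme.Order
+resp, err := o.core.postAsGet(orderURL, &order)
+if err != nil {
+return acme.ExtendedOrder{}, err
+}
+
+return acme.ExtendedOrder{
+Order: order,
+AlternateChainLinks: getLinks(resp.Header, "alternate"),
+}, nil
+}
+
+// UpdateForCSR Updates an order for a CSR.
+func (o *OrderService) UpdateForCSR(orderURL string, csr []byte) (acme.ExtendedOrder, error) {
+csrMsg := acme.CSRMessage{
+Csr: base64.RawURLEncoding.EncodeToString(csr),
+}
+
+var order acme.Order
+resp, err := o.core.post(orderURL, csrMsg, &order)
+if err != nil {
+return acme.ExtendedOrder{}, err
+}
+
+if order.Status == acme.StatusInvalid {
+return acme.ExtendedOrder{}, order.Error
+}
+
+return acme.ExtendedOrder{
+Order: order,
+AlternateChainLinks: getLinks(resp.Header, "alternate"),
+}, nil
+}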
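--- a/vendor/github.com/go-acme/lego/v4/acme/api/service.go
+++ b/vendor/github.com/go-acme/lego/v4/acme/api/service.go
@@ -0,0 +1,56 @@
+package api
+
+import (
+"net/http"
+"regexp"
+)
+
+type service struct {
+core *Core
+}
+
+// getLink get a rel into the Link header.
+func getLink(header http.Header, rel string) string {
+links := getLinks(header, rel)
+if len(links) < 1 {
+return ""
+}
+
+return links[0]
+}
+
+func getLinks(header http.Header, rel string) []string {
+linkExpr := regexp.MustCompile(`<(.+?)>(?:;[^;]+)*?;\s*rel="(.+?)"`)
+
+var links []string
+for _, link := range header["Link"] {
+for _, m := range linkExpr.FindAllStringSubmatch(link, -1) {
+if len(m) != 3 {
+continue
+}
+if m[2] == rel {
+links = append(links, m[1])
+}
+}
+}
+
+return links
+}
+
+// getLocation get the value of the header Location.
+func getLocation(resp *http.Response) string {
+if resp == nil {
+return ""
+}
+
+return resp.Header.Get("Location")
+}
+
+// getRetryAfter get the value of the header Retry-After.
+func getRetryAfter(resp *http.Response) string {
+if resp == nil {
+return ""
+}
+
+return resp.Header.Get("Retry-After")
+}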
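--- a/vendor/github.com/go-acme/lego/v4/acme/commons.go
+++ b/vendor/github.com/go-acme/lego/v4/acme/commons.go
@@ -0,0 +1,289 @@
+// Package acme contains all objects related the ACME endpoints.
+// https://tools.ietf.org/html/rfc8555
+package acme
+
+import (
+"encoding/json"
+"time"
+)
+
+// Challenge statuses
+// https://tools.ietf.org/html/rfc8555#section-7.1.6
+const (
+StatusPending = "pending"
+StatusInvalid = "invalid"
+StatusValid = "valid"
+StatusProcessing = "processing"
+StatusDeactivated = "deactivated"
+StatusExpired = "expired"
+StatusRevoked = "revoked"
+)
+
+// Directory the ACME directory object.
+// - https://tools.ietf.org/html/rfc8555#section-7.1.1
+type Directory struct {
+NewNonceURL string `json:"newNonce"`
+NewAccountURL string `json:"newAccount"`
+NewOrderURL string `json:"newOrder"`
+NewAuthzURL string `json:"newAuthz"`
+RevokeCertURL string `json:"revokeCert"`
+KeyChangeURL string `json:"keyChange"`
+Meta Meta `json:"meta"`
+}
+
+// Meta the ACME meta object (related to Directory).
+// - https://tools.ietf.org/html/rfc8555#section-7.1.1
+type Meta struct {
+// termsOfService (optional, string):
+// A URL identifying the current terms of service.
+TermsOfService string `json:"termsOfService"`
+
+// website (optional, string):
+// An HTTP or HTTPS URL locating a website providing more information about the ACME server.
+Website string `json:"website"`
+
+// caaIdentities (optional, array of string):
+// The hostnames that the ACME server recognizes as referring to itself
+// for the purposes of CAA record validation as defined in [RFC6844].
+// Each string MUST represent the same sequence of ASCII code points
+// that the server will expect to see as the "Issuer Domain Name" in a CAA issue or issuewild property tag.
+// This allows clients to determine the correct issuer domain name to use when configuring CAA records.
+CaaIdentities []string `json:"caaIdentities"`
+
+// externalAccountRequired (optional, boolean):
+// If this field is present and set to "true",
+// then the CA requires that all new- account requests include an "externalAccountBinding" field
+// associating the new account with an external account.
+ExternalAccountRequired bool `json:"externalAccountRequired"`
+}
+
+// ExtendedAccount a extended Account.
+type ExtendedAccount struct {
+Account
+// Contains the value of the response header `Location`
+Location string `json:"-"`
+}
+
+// Account the ACME account Object.
+// - https://tools.ietf.org/html/rfc8555#section-7.1.2
+// - https://tools.ietf.org/html/rfc8555#section-7.3
+type Account struct {
+// status (required, string):
+// The status of this account.
+// Possible values are: "valid", "deactivated", and "revoked".
+// The value "deactivated" should be used to indicate client-initiated deactivation
+// whereas "revoked" should be used to indicate server- initiated deactivation. (See Section 7.1.6)
+Status string `json:"status,omitempty"`
+
+// contact (optional, array of string):
+// An array of URLs that the server can use to contact the client for issues related to this account.
+// For example, the server may wish to notify the client about server-initiated revocation or certificate expiration.
+// For information on supported URL schemes, see Section 7.3
+Contact []string `json:"contact,omitempty"`
+
+// termsOfServiceAgreed (optional, boolean):
+// Including this field in a new-account request,
+// with a value of true, indicates the client's agreement with the terms of service.
+// This field is not updateable by the client.
+TermsOfServiceAgreed bool `json:"termsOfServiceAgreed,omitempty"`
+
+// orders (required, string):
+// A URL from which a list of orders submitted by this account can be fetched via a POST-as-GET request,
+// as described in Section 7.1.2.1.
+Orders string `json:"orders,omitempty"`
+
+// onlyReturnExisting (optional, boolean):
+// If this field is present with the value "true",
+// then the server MUST NOT create a new account if one does not already exist.
+// This allows a client to look up an account URL based on an account key (see Section 7.3.1).
+OnlyReturnExisting bool `json:"onlyReturnExisting,omitempty"`
+
+// externalAccountBinding (optional, object):
+// An optional field for binding the new account with an existing non-ACME account (see Section 7.3.4).
+ExternalAccountBinding json.RawMessage `json:"externalAccountBinding,omitempty"`
+}
+
+// ExtendedOrder a extended Order.
+type ExtendedOrder struct {
+Order
+// The order URL, contains the value of the response header `Location`
+Location string `json:"-"`
+
+// AlternateChainLinks (optional, array of string):
+// URLs of "alternate" link relation
+// - https://tools.ietf.org/html/rfc8555#section-7.4.2
+AlternateChainLinks []string `json:"-"`
+}
+
+// Order the ACME order Object.
+// - https://tools.ietf.org/html/rfc8555#section-7.1.3
+type Order struct {
+// status (required, string):
+// The status of this order.
+// Possible values are: "pending", "ready", "processing", "valid", and "invalid".
+Status string `json:"status,omitempty"`
+
+// expires (optional, string):
+// The timestamp after which the server will consider this order invalid,
+// encoded in the format specified in RFC 3339 [RFC3339].
+// This field is REQUIRED for objects with "pending" or "valid" in the status field.
+Expires string `json:"expires,omitempty"`
+
+// identifiers (required, array of object):
+// An array of identifier objects that the order pertains to.
+Identifiers []Identifier `json:"identifiers"`
+
+// notBefore (optional, string):
+// The requested value of the notBefore field in the certificate,
+// in the date format defined in [RFC3339].
+NotBefore string `json:"notBefore,omitempty"`
+
+// notAfter (optional, string):
+// The requested value of the notAfter field in the certificate,
+// in the date format defined in [RFC3339].
+NotAfter string `json:"notAfter,omitempty"`
+
+// error (optional, object):
+// The error that occurred while processing the order, if any.
+// This field is structured as a problem document [RFC7807].
+Error *ProblemDetails `json:"error,omitempty"`
+
+// authorizations (required, array of string):
+// For pending orders,
+// the authorizations that the client needs to complete before the requested certificate can be issued (see Section 7.5),
+// including unexpired authorizations that the client has completed in the past for identifiers specified in the order.
+// The authorizations required are dictated by server policy
+// and there may not be a 1:1 relationship between the order identifiers and the authorizations required.
+// For final orders (in the "valid" or "invalid" state), the authorizations that were completed.
+// Each entry is a URL from which an authorization can be fetched with a POST-as-GET request.
+Authorizations []string `json:"authorizations,omitempty"`
+
+// finalize (required, string):
+// A URL that a CSR must be POSTed to once all of the order's authorizations are satisfied to finalize the order.
+// The result of a successful finalization will be the population of the certificate URL for the order.
+Finalize string `json:"finalize,omitempty"`
+
+// certificate (optional, string):
+// A URL for the certificate that has been issued in response to this order
+Certificate string `json:"certificate,omitempty"`
+}
+
+// Authorization the ACME authorization object.
+// - https://tools.ietf.org/html/rfc8555#section-7.1.4
+type Authorization struct {
+// status (required, string):
+// The status of this authorization.
+// Possible values are: "pending", "valid", "invalid", "deactivated", "expired", and "revoked".
+Status string `json:"status"`
+
+// expires (optional, string):
+// The timestamp after which the server will consider this authorization invalid,
+// encoded in the format specified in RFC 3339 [RFC3339].
+// This field is REQUIRED for objects with "valid" in the "status" field.
+Expires time.Time `json:"expires,omitempty"`
+
+// identifier (required, object):
+// The identifier that the account is authorized to represent
+Identifier Identifier `json:"identifier,omitempty"`
+
+// challenges (required, array of objects):
+// For pending authorizations, the challenges that the client can fulfill in order to prove possession of the identifier.
+// For valid authorizations, the challenge that was validated.
+// For invalid authorizations, the challenge that was attempted and failed.
+// Each array entry is an object with parameters required to validate the challenge.
+// A client should attempt to fulfill one of these challenges,
+// and a server should consider any one of the challenges sufficient to make the authorization valid.
+Challenges []Challenge `json:"challenges,omitempty"`
+
+// wildcard (optional, boolean):
+// For authorizations created as a result of a newOrder request containing a DNS identifier
+// with a value that contained a wildcard prefix this field MUST be present, and true.
+Wildcard bool `json:"wildcard,omitempty"`
+}
+
+// ExtendedChallenge a extended Challenge.
+type ExtendedChallenge struct {
+Challenge
+// Contains the value of the response header `Retry-After`
+RetryAfter string `json:"-"`
+// Contains the value of the response header `Link` rel="up"
+AuthorizationURL string `json:"-"`
+}
+
+// Challenge the ACME challenge object.
+// - https://tools.ietf.org/html/rfc8555#section-7.1.5
+// - https://tools.ietf.org/html/rfc8555#section-8
+type Challenge struct {
+// type (required, string):
+// The type of challenge encoded in the object.
+Type string `json:"type"`
+
+// url (required, string):
+// The URL to which a response can be posted.
+URL string `json:"url"`
+
+// status (required, string):
+// The status of this challenge. Possible values are: "pending", "processing", "valid", and "invalid".
+Status string `json:"status"`
+
+// validated (optional, string):
+// The time at which the server validated this challenge,
+// encoded in the format specified in RFC 3339 [RFC3339].
+// This field is REQUIRED if the "status" field is "valid".
+Validated time.Time `json:"validated,omitempty"`
+
+// error (optional, object):
+// Error that occurred while the server was validating the challenge, if any,
+// structured as a problem document [RFC7807].
+// Multiple errors can be indicated by using subproblems Section 6.7.1.
+// A challenge object with an error MUST have status equal to "invalid".
+Error *ProblemDetails `json:"error,omitempty"`
+
+// token (required, string):
+// A random value that uniquely identifies the challenge.
+// This value MUST have at least 128 bits of entropy.
+// It MUST NOT contain any characters outside the base64url alphabet,
+// and MUST NOT include base64 padding characters ("=").
+// See [RFC4086] for additional information on randomness requirements.
+// https://tools.ietf.org/html/rfc8555#section-8.3
+// https://tools.ietf.org/html/rfc8555#section-8.4
+Token string `json:"token"`
+
+// https://tools.ietf.org/html/rfc8555#section-8.1
+KeyAuthorization string `json:"keyAuthorization"`
+}
+
+// Identifier the ACME identifier object.
+// - https://tools.ietf.org/html/rfc8555#section-9.7.7
+type Identifier struct {
+Type string `json:"type"`
+Value string `json:"value"`
+}
+
+// CSRMessage Certificate Signing Request
+// - https://tools.ietf.org/html/rfc8555#section-7.4
+type CSRMessage struct {
+// csr (required, string):
+// A CSR encoding the parameters for the certificate being requested [RFC2986].
+// The CSR is sent in the base64url-encoded version of the DER format.
+// (Note: Because this field uses base64url, and does not include headers, it is different from PEM.).
+Csr string `json:"csr"`
+}
+
+// RevokeCertMessage a certificate revocation message
+// - https://tools.ietf.org/html/rfc8555#section-7.6
+// - https://tools.ietf.org/html/rfc5280#section-5.3.1
+type RevokeCertMessage struct {
+// certificate (required, string):
+// The certificate to be revoked, in the base64url-encoded version of the DER format.
+// (Note: Because this field uses base64url, and does not include headers, it is different from PEM.)
+Certificate string `json:"certificate"`
+
+// reason (optional, int):
+// One of the revocation reasonCodes defined in Section 5.3.1 of [RFC5280] to be used when generating OCSP responses and CRLs.
+// If this field is not set the server SHOULD omit the reasonCode CRL entry extension when generating OCSP responses and CRLs.
+// The server MAY disallow a subset of reasonCodes from being used by the user.
+// If a request contains a disallowed reasonCode the server MUST reject it with the error type "urn:ietf:params:acme:error:badRevocationReason".
+// The problem document detail SHOULD indicate which reasonCodes are allowed.
+Reason *uint `json:"reason,omitempty"`
+}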
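--- a/vendor/github.com/go-acme/lego/v4/acme/errors.go
+++ b/vendor/github.com/go-acme/lego/v4/acme/errors.go
@@ -0,0 +1,58 @@
+package acme
+
+import (
+"fmt"
+)
+
+// Errors types.
+const (
+errNS = "urn:ietf:params:acme:error:"
+BadNonceErr = errNS + "badNonce"
+)
+
+// ProblemDetails the problem details object
+// - https://tools.ietf.org/html/rfc7807#section-3.1
+// - https://tools.ietf.org/html/rfc8555#section-7.3.3
+type ProblemDetails struct {
+Type string `json:"type,omitempty"`
+Detail string `json:"detail,omitempty"`
+HTTPStatus int `json:"status,omitempty"`
+Instance string `json:"instance,omitempty"`
+SubProblems []SubProblem `json:"subproblems,omitempty"`
+
+// additional values to have a better error message (Not defined by the RFC)
+Method string `json:"method,omitempty"`
+URL string `json:"url,omitempty"`
+}
+
+// SubProblem a "subproblems"
+// - https://tools.ietf.org/html/rfc8555#section-6.7.1
+type SubProblem struct {
+Type string `json:"type,omitempty"`
+Detail string `json:"detail,omitempty"`
+Identifier Identifier `json:"identifier,omitempty"`
+}
+
+func (p ProblemDetails) Error() string {
+msg := fmt.Sprintf("acme: error: %d", p.HTTPStatus)
+if len(p.Method) != 0 || len(p.URL) != 0 {
+msg += fmt.Sprintf(" :: %s :: %s", p.Method, p.URL)
+}
+msg += fmt.Sprintf(" :: %s :: %s", p.Type, p.Detail)
+
+for _, sub := range p.SubProblems {
+msg += fmt.Sprintf(", problem: %q :: %s", sub.Type, sub.Detail)
+}
+
+if len(p.Instance) == 0 {
+msg += ", url: " + p.Instance
+}
+
+return msg
+}
+
+// NonceError represents the error which is returned
+// if the nonce sent by the client was not accepted by the server.
+type NonceError struct {
+*ProblemDetails
+}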
282
vendor/github.com/go-acme/lego/v4/certcrypto/crypto.go
generated
vendored
Normal file
282
vendor/github.com/go-acme/lego/v4/certcrypto/crypto.go
generated
vendored
Normal file
@ -0,0 +1,282 @@
|
|||||||
|
package certcrypto
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/ed25519"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/rsa"
|
||||||
|
"crypto/x509"
|
||||||
|
"crypto/x509/pkix"
|
||||||
|
"encoding/asn1"
|
||||||
|
"encoding/pem"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"math/big"
|
||||||
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/ocsp"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Constants for all key types we support.
|
||||||
|
const (
|
||||||
|
EC256 = KeyType("P256")
|
||||||
|
EC384 = KeyType("P384")
|
||||||
|
RSA2048 = KeyType("2048")
|
||||||
|
RSA4096 = KeyType("4096")
|
||||||
|
RSA8192 = KeyType("8192")
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// OCSPGood means that the certificate is valid.
|
||||||
|
OCSPGood = ocsp.Good
|
||||||
|
// OCSPRevoked means that the certificate has been deliberately revoked.
|
||||||
|
OCSPRevoked = ocsp.Revoked
|
||||||
|
// OCSPUnknown means that the OCSP responder doesn't know about the certificate.
|
||||||
|
OCSPUnknown = ocsp.Unknown
|
||||||
|
// OCSPServerFailed means that the OCSP responder failed to process the request.
|
||||||
|
OCSPServerFailed = ocsp.ServerFailed
|
||||||
|
)
|
||||||
|
|
||||||
|
// Constants for OCSP must staple.
|
||||||
|
var (
|
||||||
|
tlsFeatureExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
|
||||||
|
ocspMustStapleFeature = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
|
||||||
|
)
|
||||||
|
|
||||||
|
// KeyType represents the key algo as well as the key size or curve to use.
|
||||||
|
type KeyType string
|
||||||
|
|
||||||
|
type DERCertificateBytes []byte
|
||||||
|
|
||||||
|
// ParsePEMBundle parses a certificate bundle from top to bottom and returns
|
||||||
|
// a slice of x509 certificates. This function will error if no certificates are found.
|
||||||
|
func ParsePEMBundle(bundle []byte) ([]*x509.Certificate, error) {
|
||||||
|
var certificates []*x509.Certificate
|
||||||
|
var certDERBlock *pem.Block
|
||||||
|
|
||||||
|
for {
|
||||||
|
certDERBlock, bundle = pem.Decode(bundle)
|
||||||
|
if certDERBlock == nil {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
|
||||||
|
if certDERBlock.Type == "CERTIFICATE" {
|
||||||
|
cert, err := x509.ParseCertificate(certDERBlock.Bytes)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
certificates = append(certificates, cert)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(certificates) == 0 {
|
||||||
|
return nil, errors.New("no certificates were found while parsing the bundle")
|
||||||
|
}
|
||||||
|
|
||||||
|
return certificates, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// ParsePEMPrivateKey parses a private key from key, which is a PEM block.
|
||||||
|
// Borrowed from Go standard library, to handle various private key and PEM block types.
|
||||||
|
// https://github.com/golang/go/blob/693748e9fa385f1e2c3b91ca9acbb6c0ad2d133d/src/crypto/tls/tls.go#L291-L308
|
||||||
|
// https://github.com/golang/go/blob/693748e9fa385f1e2c3b91ca9acbb6c0ad2d133d/src/crypto/tls/tls.go#L238)
|
||||||
|
func ParsePEMPrivateKey(key []byte) (crypto.PrivateKey, error) {
|
||||||
|
keyBlockDER, _ := pem.Decode(key)
|
||||||
|
|
||||||
|
if keyBlockDER.Type != "PRIVATE KEY" && !strings.HasSuffix(keyBlockDER.Type, " PRIVATE KEY") {
|
||||||
|
return nil, fmt.Errorf("unknown PEM header %q", keyBlockDER.Type)
|
||||||
|
}
|
||||||
|
|
||||||
|
if key, err := x509.ParsePKCS1PrivateKey(keyBlockDER.Bytes); err == nil {
|
||||||
|
return key, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if key, err := x509.ParsePKCS8PrivateKey(keyBlockDER.Bytes); err == nil {
|
||||||
|
switch key := key.(type) {
|
||||||
|
case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
|
||||||
|
return key, nil
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("found unknown private key type in PKCS#8 wrapping: %T", key)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if key, err := x509.ParseECPrivateKey(keyBlockDER.Bytes); err == nil {
|
||||||
|
return key, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, errors.New("failed to parse private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
func GeneratePrivateKey(keyType KeyType) (crypto.PrivateKey, error) {
|
||||||
|
switch keyType {
|
||||||
|
case EC256:
|
||||||
|
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||||
|
case EC384:
|
||||||
|
return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
||||||
|
case RSA2048:
|
||||||
|
return rsa.GenerateKey(rand.Reader, 2048)
|
||||||
|
case RSA4096:
|
||||||
|
return rsa.GenerateKey(rand.Reader, 4096)
|
||||||
|
case RSA8192:
|
||||||
|
return rsa.GenerateKey(rand.Reader, 8192)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, fmt.Errorf("invalid KeyType: %s", keyType)
|
||||||
|
}
|
||||||
|
|
||||||
|
func GenerateCSR(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) {
|
||||||
|
template := x509.CertificateRequest{
|
||||||
|
Subject: pkix.Name{CommonName: domain},
|
||||||
|
DNSNames: san,
|
||||||
|
}
|
||||||
|
|
||||||
|
if mustStaple {
|
||||||
|
template.ExtraExtensions = append(template.ExtraExtensions, pkix.Extension{
|
||||||
|
Id: tlsFeatureExtensionOID,
|
||||||
|
Value: ocspMustStapleFeature,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
return x509.CreateCertificateRequest(rand.Reader, &template, privateKey)
|
||||||
|
}
|
||||||
|
|
||||||
|
func PEMEncode(data interface{}) []byte {
|
||||||
|
return pem.EncodeToMemory(PEMBlock(data))
|
||||||
|
}
|
||||||
|
|
||||||
|
func PEMBlock(data interface{}) *pem.Block {
|
||||||
|
var pemBlock *pem.Block
|
||||||
|
switch key := data.(type) {
|
||||||
|
case *ecdsa.PrivateKey:
|
||||||
|
keyBytes, _ := x509.MarshalECPrivateKey(key)
|
||||||
|
pemBlock = &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}
|
||||||
|
case *rsa.PrivateKey:
|
||||||
|
pemBlock = &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
|
||||||
|
case *x509.CertificateRequest:
|
||||||
|
pemBlock = &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: key.Raw}
|
||||||
|
case DERCertificateBytes:
|
||||||
|
pemBlock = &pem.Block{Type: "CERTIFICATE", Bytes: []byte(data.(DERCertificateBytes))}
|
||||||
|
}
|
||||||
|
|
||||||
|
return pemBlock
|
||||||
|
}
|
||||||
|
|
||||||
|
func pemDecode(data []byte) (*pem.Block, error) {
|
||||||
|
pemBlock, _ := pem.Decode(data)
|
||||||
|
if pemBlock == nil {
|
||||||
|
return nil, errors.New("PEM decode did not yield a valid block. Is the certificate in the right format?")
|
||||||
|
}
|
||||||
|
|
||||||
|
return pemBlock, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func PemDecodeTox509CSR(pem []byte) (*x509.CertificateRequest, error) {
|
||||||
|
pemBlock, err := pemDecode(pem)
|
||||||
|
if pemBlock == nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if pemBlock.Type != "CERTIFICATE REQUEST" {
|
||||||
|
return nil, errors.New("PEM block is not a certificate request")
|
||||||
|
}
|
||||||
|
|
||||||
|
return x509.ParseCertificateRequest(pemBlock.Bytes)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ParsePEMCertificate returns Certificate from a PEM encoded certificate.
|
||||||
|
// The certificate has to be PEM encoded. Any other encodings like DER will fail.
|
||||||
|
func ParsePEMCertificate(cert []byte) (*x509.Certificate, error) {
|
||||||
|
pemBlock, err := pemDecode(cert)
|
||||||
|
if pemBlock == nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// from a DER encoded certificate
|
||||||
|
return x509.ParseCertificate(pemBlock.Bytes)
|
||||||
|
}
|
||||||
|
|
||||||
|
func ExtractDomains(cert *x509.Certificate) []string {
|
||||||
|
var domains []string
|
||||||
|
if cert.Subject.CommonName != "" {
|
||||||
|
domains = append(domains, cert.Subject.CommonName)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check for SAN certificate
|
||||||
|
for _, sanDomain := range cert.DNSNames {
|
||||||
|
if sanDomain == cert.Subject.CommonName {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
domains = append(domains, sanDomain)
|
||||||
|
}
|
||||||
|
|
||||||
|
return domains
|
||||||
|
}
|
||||||
|
|
||||||
|
func ExtractDomainsCSR(csr *x509.CertificateRequest) []string {
|
||||||
|
var domains []string
|
||||||
|
if csr.Subject.CommonName != "" {
|
||||||
|
domains = append(domains, csr.Subject.CommonName)
|
||||||
|
}
|
||||||
|
|
||||||
|
// loop over the SubjectAltName DNS names
|
||||||
|
for _, sanName := range csr.DNSNames {
|
||||||
|
if containsSAN(domains, sanName) {
|
||||||
|
// Duplicate; skip this name
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Name is unique
|
||||||
|
domains = append(domains, sanName)
|
||||||
|
}
|
||||||
|
|
||||||
|
return domains
|
||||||
|
}
|
||||||
|
|
||||||
|
func containsSAN(domains []string, sanName string) bool {
|
||||||
|
for _, existingName := range domains {
|
||||||
|
if existingName == sanName {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func GeneratePemCert(privateKey *rsa.PrivateKey, domain string, extensions []pkix.Extension) ([]byte, error) {
|
||||||
|
derBytes, err := generateDerCert(privateKey, time.Time{}, domain, extensions)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func generateDerCert(privateKey *rsa.PrivateKey, expiration time.Time, domain string, extensions []pkix.Extension) ([]byte, error) {
|
||||||
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||||
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if expiration.IsZero() {
|
||||||
|
expiration = time.Now().Add(365)
|
||||||
|
}
|
||||||
|
|
||||||
|
template := x509.Certificate{
|
||||||
|
SerialNumber: serialNumber,
|
||||||
|
Subject: pkix.Name{
|
||||||
|
CommonName: "ACME Challenge TEMP",
|
||||||
|
},
|
||||||
|
NotBefore: time.Now(),
|
||||||
|
NotAfter: expiration,
|
||||||
|
|
||||||
|
KeyUsage: x509.KeyUsageKeyEncipherment,
|
||||||
|
BasicConstraintsValid: true,
|
||||||
|
DNSNames: []string{domain},
|
||||||
|
ExtraExtensions: extensions,
|
||||||
|
}
|
||||||
|
|
||||||
|
return x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
|
||||||
|
}
|
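--- a/vendor/github.com/go-acme/lego/v4/certificate/authorization.go
+++ b/vendor/github.com/go-acme/lego/v4/certificate/authorization.go
@@ -0,0 +1,81 @@
+package certificate
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/acme"
+	"github.com/go-acme/lego/v4/log"
+)
+
+const (
+	// overallRequestLimit is the overall number of request per second
+	// limited on the "new-reg", "new-authz" and "new-cert" endpoints.
+	// From the documentation the limitation is 20 requests per second,
+	// but using 20 as value doesn't work but 18 do.
+	overallRequestLimit = 18
+)
+
+func (c *Certifier) getAuthorizations(order acme.ExtendedOrder) ([]acme.Authorization, error) {
+	resc, errc := make(chan acme.Authorization), make(chan domainError)
+
+	delay := time.Second / overallRequestLimit
+
+	for _, authzURL := range order.Authorizations {
+		time.Sleep(delay)
+
+		go func(authzURL string) {
+			authz, err := c.core.Authorizations.Get(authzURL)
+			if err != nil {
+				errc <- domainError{Domain: authz.Identifier.Value, Error: err}
+				return
+			}
+
+			resc <- authz
+		}(authzURL)
+	}
+
+	var responses []acme.Authorization
+	failures := make(obtainError)
+	for i := 0; i < len(order.Authorizations); i++ {
+		select {
+		case res := <-resc:
+			responses = append(responses, res)
+		case err := <-errc:
+			failures[err.Domain] = err.Error
+		}
+	}
+
+	for i, auth := range order.Authorizations {
+		log.Infof("[%s] AuthURL: %s", order.Identifiers[i].Value, auth)
+	}
+
+	close(resc)
+	close(errc)
+
+	// be careful to not return an empty failures map;
+	// even if empty, they become non-nil error values
+	if len(failures) > 0 {
+		return responses, failures
+	}
+	return responses, nil
+}
+
+func (c *Certifier) deactivateAuthorizations(order acme.ExtendedOrder) {
+	for _, authzURL := range order.Authorizations {
+		auth, err := c.core.Authorizations.Get(authzURL)
+		if err != nil {
+			log.Infof("Unable to get the authorization for: %s", authzURL)
+			continue
+		}
+
+		if auth.Status == acme.StatusValid {
+			log.Infof("Skipping deactivating of valid auth: %s", authzURL)
+			continue
+		}
+
+		log.Infof("Deactivating auth: %s", authzURL)
+		if c.core.Authorizations.Deactivate(authzURL) != nil {
+			log.Infof("Unable to deactivate the authorization: %s", authzURL)
+		}
+	}
+}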
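--- a/vendor/github.com/go-acme/lego/v4/certificate/certificates.go
+++ b/vendor/github.com/go-acme/lego/v4/certificate/certificates.go
@@ -0,0 +1,584 @@
+package certificate
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/go-acme/lego/v4/acme"
+	"github.com/go-acme/lego/v4/acme/api"
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/log"
+	"github.com/go-acme/lego/v4/platform/wait"
+	"golang.org/x/crypto/ocsp"
+	"golang.org/x/net/idna"
+)
+
+// maxBodySize is the maximum size of body that we will read.
+const maxBodySize = 1024 * 1024
+
+// Resource represents a CA issued certificate.
+// PrivateKey, Certificate and IssuerCertificate are all
+// already PEM encoded and can be directly written to disk.
+// Certificate may be a certificate bundle,
+// depending on the options supplied to create it.
+type Resource struct {
+	Domain string `json:"domain"`
+	CertURL string `json:"certUrl"`
+	CertStableURL string `json:"certStableUrl"`
+	PrivateKey []byte `json:"-"`
+	Certificate []byte `json:"-"`
+	IssuerCertificate []byte `json:"-"`
+	CSR []byte `json:"-"`
+}
+
+// ObtainRequest The request to obtain certificate.
+//
+// The first domain in domains is used for the CommonName field of the certificate,
+// all other domains are added using the Subject Alternate Names extension.
+//
+// A new private key is generated for every invocation of the function Obtain.
+// If you do not want that you can supply your own private key in the privateKey parameter.
+// If this parameter is non-nil it will be used instead of generating a new one.
+//
+// If bundle is true, the []byte contains both the issuer certificate and your issued certificate as a bundle.
+type ObtainRequest struct {
+	Domains []string
+	Bundle bool
+	PrivateKey crypto.PrivateKey
+	MustStaple bool
+	PreferredChain string
+}
+
+// ObtainForCSRRequest The request to obtain a certificate matching the CSR passed into it.
+//
+// If bundle is true, the []byte contains both the issuer certificate and your issued certificate as a bundle.
+type ObtainForCSRRequest struct {
+	CSR *x509.CertificateRequest
+	Bundle bool
+	PreferredChain string
+}
+
+type resolver interface {
+	Solve(authorizations []acme.Authorization) error
+}
+
+type CertifierOptions struct {
+	KeyType certcrypto.KeyType
+	Timeout time.Duration
+}
+
+// Certifier A service to obtain/renew/revoke certificates.
+type Certifier struct {
+	core *api.Core
+	resolver resolver
+	options CertifierOptions
+}
+
+// NewCertifier creates a Certifier.
+func NewCertifier(core *api.Core, resolver resolver, options CertifierOptions) *Certifier {
+	return &Certifier{
+		core: core,
+		resolver: resolver,
+		options: options,
+	}
+}
+
+// Obtain tries to obtain a single certificate using all domains passed into it.
+//
+// This function will never return a partial certificate.
+// If one domain in the list fails, the whole certificate will fail.
+func (c *Certifier) Obtain(request ObtainRequest) (*Resource, error) {
+	if len(request.Domains) == 0 {
+		return nil, errors.New("no domains to obtain a certificate for")
+	}
+
+	domains := sanitizeDomain(request.Domains)
+
+	if request.Bundle {
+		log.Infof("[%s] acme: Obtaining bundled SAN certificate", strings.Join(domains, ", "))
+	} else {
+		log.Infof("[%s] acme: Obtaining SAN certificate", strings.Join(domains, ", "))
+	}
+
+	order, err := c.core.Orders.New(domains)
+	if err != nil {
+		return nil, err
+	}
+
+	authz, err := c.getAuthorizations(order)
+	if err != nil {
+		// If any challenge fails, return. Do not generate partial SAN certificates.
+		c.deactivateAuthorizations(order)
+		return nil, err
+	}
+
+	err = c.resolver.Solve(authz)
+	if err != nil {
+		// If any challenge fails, return. Do not generate partial SAN certificates.
+		c.deactivateAuthorizations(order)
+		return nil, err
+	}
+
+	log.Infof("[%s] acme: Validations succeeded; requesting certificates", strings.Join(domains, ", "))
+
+	failures := make(obtainError)
+	cert, err := c.getForOrder(domains, order, request.Bundle, request.PrivateKey, request.MustStaple, request.PreferredChain)
+	if err != nil {
+		for _, auth := range authz {
+			failures[challenge.GetTargetedDomain(auth)] = err
+		}
+	}
+
+	// Do not return an empty failures map, because
+	// it would still be a non-nil error value
+	if len(failures) > 0 {
+		return cert, failures
+	}
+	return cert, nil
+}
+
+// ObtainForCSR tries to obtain a certificate matching the CSR passed into it.
+//
+// The domains are inferred from the CommonName and SubjectAltNames, if any.
+// The private key for this CSR is not required.
+//
+// If bundle is true, the []byte contains both the issuer certificate and your issued certificate as a bundle.
+//
+// This function will never return a partial certificate.
+// If one domain in the list fails, the whole certificate will fail.
+func (c *Certifier) ObtainForCSR(request ObtainForCSRRequest) (*Resource, error) {
+	if request.CSR == nil {
+		return nil, errors.New("cannot obtain resource for CSR: CSR is missing")
+	}
+
+	// figure out what domains it concerns
+	// start with the common name
+	domains := certcrypto.ExtractDomainsCSR(request.CSR)
+
+	if request.Bundle {
+		log.Infof("[%s] acme: Obtaining bundled SAN certificate given a CSR", strings.Join(domains, ", "))
+	} else {
+		log.Infof("[%s] acme: Obtaining SAN certificate given a CSR", strings.Join(domains, ", "))
+	}
+
+	order, err := c.core.Orders.New(domains)
+	if err != nil {
+		return nil, err
+	}
+
+	authz, err := c.getAuthorizations(order)
+	if err != nil {
+		// If any challenge fails, return. Do not generate partial SAN certificates.
+		c.deactivateAuthorizations(order)
+		return nil, err
+	}
+
+	err = c.resolver.Solve(authz)
+	if err != nil {
+		// If any challenge fails, return. Do not generate partial SAN certificates.
+		c.deactivateAuthorizations(order)
+		return nil, err
+	}
+
+	log.Infof("[%s] acme: Validations succeeded; requesting certificates", strings.Join(domains, ", "))
+
+	failures := make(obtainError)
+	cert, err := c.getForCSR(domains, order, request.Bundle, request.CSR.Raw, nil, request.PreferredChain)
+	if err != nil {
+		for _, auth := range authz {
+			failures[challenge.GetTargetedDomain(auth)] = err
+		}
+	}
+
+	if cert != nil {
+		// Add the CSR to the certificate so that it can be used for renewals.
+		cert.CSR = certcrypto.PEMEncode(request.CSR)
+	}
+
+	// Do not return an empty failures map,
+	// because it would still be a non-nil error value
+	if len(failures) > 0 {
+		return cert, failures
+	}
+	return cert, nil
+}
+
+func (c *Certifier) getForOrder(domains []string, order acme.ExtendedOrder, bundle bool, privateKey crypto.PrivateKey, mustStaple bool, preferredChain string) (*Resource, error) {
+	if privateKey == nil {
+		var err error
+		privateKey, err = certcrypto.GeneratePrivateKey(c.options.KeyType)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Determine certificate name(s) based on the authorization resources
+	commonName := domains[0]
+
+	// RFC8555 Section 7.4 "Applying for Certificate Issuance"
+	// https://tools.ietf.org/html/rfc8555#section-7.4
+	// says:
+	// Clients SHOULD NOT make any assumptions about the sort order of
+	// "identifiers" or "authorizations" elements in the returned order
+	// object.
+	san := []string{commonName}
+	for _, auth := range order.Identifiers {
+		if auth.Value != commonName {
+			san = append(san, auth.Value)
+		}
+	}
+
+	// TODO: should the CSR be customizable?
+	csr, err := certcrypto.GenerateCSR(privateKey, commonName, san, mustStaple)
+	if err != nil {
+		return nil, err
+	}
+
+	return c.getForCSR(domains, order, bundle, csr, certcrypto.PEMEncode(privateKey), preferredChain)
+}
+
+func (c *Certifier) getForCSR(domains []string, order acme.ExtendedOrder, bundle bool, csr, privateKeyPem []byte, preferredChain string) (*Resource, error) {
+	respOrder, err := c.core.Orders.UpdateForCSR(order.Finalize, csr)
+	if err != nil {
+		return nil, err
+	}
+
+	commonName := domains[0]
+	certRes := &Resource{
+		Domain: commonName,
+		CertURL: respOrder.Certificate,
+		PrivateKey: privateKeyPem,
+	}
+
+	if respOrder.Status == acme.StatusValid {
+		// if the certificate is available right away, short cut!
+		ok, errR := c.checkResponse(respOrder, certRes, bundle, preferredChain)
+		if errR != nil {
+			return nil, errR
+		}
+
+		if ok {
+			return certRes, nil
+		}
+	}
+
+	timeout := c.options.Timeout
+	if c.options.Timeout <= 0 {
+		timeout = 30 * time.Second
+	}
+
+	err = wait.For("certificate", timeout, timeout/60, func() (bool, error) {
+		ord, errW := c.core.Orders.Get(order.Location)
+		if errW != nil {
+			return false, errW
+		}
+
+		done, errW := c.checkResponse(ord, certRes, bundle, preferredChain)
+		if errW != nil {
+			return false, errW
+		}
+
+		return done, nil
+	})
+
+	return certRes, err
+}
+
+// checkResponse checks to see if the certificate is ready and a link is contained in the response.
+//
+// If so, loads it into certRes and returns true.
+// If the cert is not yet ready, it returns false.
+//
+// The certRes input should already have the Domain (common name) field populated.
+//
+// If bundle is true, the certificate will be bundled with the issuer's cert.
+func (c *Certifier) checkResponse(order acme.ExtendedOrder, certRes *Resource, bundle bool, preferredChain string) (bool, error) {
+	valid, err := checkOrderStatus(order)
+	if err != nil || !valid {
+		return valid, err
+	}
+
+	links := append([]string{order.Certificate}, order.AlternateChainLinks...)
+
+	for i, link := range links {
+		cert, issuer, err := c.core.Certificates.Get(link, bundle)
+		if err != nil {
+			return false, err
+		}
+
+		// Set the default certificate
+		if i == 0 {
+			certRes.IssuerCertificate = issuer
+			certRes.Certificate = cert
+			certRes.CertURL = link
+			certRes.CertStableURL = link
+		}
+
+		if preferredChain == "" {
+			log.Infof("[%s] Server responded with a certificate.", certRes.Domain)
+
+			return true, nil
+		}
+
+		ok, err := hasPreferredChain(issuer, preferredChain)
+		if err != nil {
+			return false, err
+		}
+
+		if ok {
+			log.Infof("[%s] Server responded with a certificate for the preferred certificate chains %q.", certRes.Domain, preferredChain)
+
+			certRes.IssuerCertificate = issuer
+			certRes.Certificate = cert
+			certRes.CertURL = link
+			certRes.CertStableURL = link
+
+			return true, nil
+		}
+	}
+
+	log.Infof("lego has been configured to prefer certificate chains with issuer %q, but no chain from the CA matched this issuer. Using the default certificate chain instead.", preferredChain)
+
+	return true, nil
+}
+
+// Revoke takes a PEM encoded certificate or bundle and tries to revoke it at the CA.
+func (c *Certifier) Revoke(cert []byte) error {
+	certificates, err := certcrypto.ParsePEMBundle(cert)
+	if err != nil {
+		return err
+	}
+
+	x509Cert := certificates[0]
+	if x509Cert.IsCA {
+		return errors.New("certificate bundle starts with a CA certificate")
+	}
+
+	revokeMsg := acme.RevokeCertMessage{
+		Certificate: base64.RawURLEncoding.EncodeToString(x509Cert.Raw),
+	}
+
+	return c.core.Certificates.Revoke(revokeMsg)
+}
+
+// Renew takes a Resource and tries to renew the certificate.
+//
+// If the renewal process succeeds, the new certificate will be returned in a new CertResource.
+// Please be aware that this function will return a new certificate in ANY case that is not an error.
+// If the server does not provide us with a new cert on a GET request to the CertURL
+// this function will start a new-cert flow where a new certificate gets generated.
+//
+// If bundle is true, the []byte contains both the issuer certificate and your issued certificate as a bundle.
+//
+// For private key reuse the PrivateKey property of the passed in Resource should be non-nil.
+func (c *Certifier) Renew(certRes Resource, bundle, mustStaple bool, preferredChain string) (*Resource, error) {
+	// Input certificate is PEM encoded.
+	// Decode it here as we may need the decoded cert later on in the renewal process.
+	// The input may be a bundle or a single certificate.
+	certificates, err := certcrypto.ParsePEMBundle(certRes.Certificate)
+	if err != nil {
+		return nil, err
+	}
+
+	x509Cert := certificates[0]
+	if x509Cert.IsCA {
+		return nil, fmt.Errorf("[%s] Certificate bundle starts with a CA certificate", certRes.Domain)
+	}
+
+	// This is just meant to be informal for the user.
+	timeLeft := x509Cert.NotAfter.Sub(time.Now().UTC())
+	log.Infof("[%s] acme: Trying renewal with %d hours remaining", certRes.Domain, int(timeLeft.Hours()))
+
+	// We always need to request a new certificate to renew.
+	// Start by checking to see if the certificate was based off a CSR,
+	// and use that if it's defined.
+	if len(certRes.CSR) > 0 {
+		csr, errP := certcrypto.PemDecodeTox509CSR(certRes.CSR)
+		if errP != nil {
+			return nil, errP
+		}
+
+		return c.ObtainForCSR(ObtainForCSRRequest{
+			CSR: csr,
+			Bundle: bundle,
+			PreferredChain: preferredChain,
+		})
+	}
+
+	var privateKey crypto.PrivateKey
+	if certRes.PrivateKey != nil {
+		privateKey, err = certcrypto.ParsePEMPrivateKey(certRes.PrivateKey)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	query := ObtainRequest{
+		Domains: certcrypto.ExtractDomains(x509Cert),
+		Bundle: bundle,
+		PrivateKey: privateKey,
+		MustStaple: mustStaple,
+	}
+	return c.Obtain(query)
+}
+
+// GetOCSP takes a PEM encoded cert or cert bundle returning the raw OCSP response,
+// the parsed response, and an error, if any.
+//
+// The returned []byte can be passed directly into the OCSPStaple property of a tls.Certificate.
+// If the bundle only contains the issued certificate,
+// this function will try to get the issuer certificate from the IssuingCertificateURL in the certificate.
+//
+// If the []byte and/or ocsp.Response return values are nil, the OCSP status may be assumed OCSPUnknown.
+func (c *Certifier) GetOCSP(bundle []byte) ([]byte, *ocsp.Response, error) {
+	certificates, err := certcrypto.ParsePEMBundle(bundle)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// We expect the certificate slice to be ordered downwards the chain.
+	// SRV CRT -> CA. We need to pull the leaf and issuer certs out of it,
+	// which should always be the first two certificates.
+	// If there's no OCSP server listed in the leaf cert, there's nothing to do.
+	// And if we have only one certificate so far, we need to get the issuer cert.
+
+	issuedCert := certificates[0]
+
+	if len(issuedCert.OCSPServer) == 0 {
+		return nil, nil, errors.New("no OCSP server specified in cert")
+	}
+
+	if len(certificates) == 1 {
+		// TODO: build fallback. If this fails, check the remaining array entries.
+		if len(issuedCert.IssuingCertificateURL) == 0 {
+			return nil, nil, errors.New("no issuing certificate URL")
+		}
+
+		resp, errC := c.core.HTTPClient.Get(issuedCert.IssuingCertificateURL[0])
+		if errC != nil {
+			return nil, nil, errC
+		}
+		defer resp.Body.Close()
+
+		issuerBytes, errC := ioutil.ReadAll(http.MaxBytesReader(nil, resp.Body, maxBodySize))
+		if errC != nil {
+			return nil, nil, errC
+		}
+
+		issuerCert, errC := x509.ParseCertificate(issuerBytes)
+		if errC != nil {
+			return nil, nil, errC
+		}
+
+		// Insert it into the slice on position 0
+		// We want it ordered right SRV CRT -> CA
+		certificates = append(certificates, issuerCert)
+	}
+
+	issuerCert := certificates[1]
+
+	// Finally kick off the OCSP request.
+	ocspReq, err := ocsp.CreateRequest(issuedCert, issuerCert, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	resp, err := c.core.HTTPClient.Post(issuedCert.OCSPServer[0], "application/ocsp-request", bytes.NewReader(ocspReq))
+	if err != nil {
+		return nil, nil, err
+	}
+	defer resp.Body.Close()
+
+	ocspResBytes, err := ioutil.ReadAll(http.MaxBytesReader(nil, resp.Body, maxBodySize))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return ocspResBytes, ocspRes, nil
+}
+
+// Get attempts to fetch the certificate at the supplied URL.
+// The URL is the same as what would normally be supplied at the Resource's CertURL.
+//
+// The returned Resource will not have the PrivateKey and CSR fields populated as these will not be available.
+//
+// If bundle is true, the Certificate field in the returned Resource includes the issuer certificate.
+func (c *Certifier) Get(url string, bundle bool) (*Resource, error) {
+	cert, issuer, err := c.core.Certificates.Get(url, bundle)
+	if err != nil {
+		return nil, err
+	}
+
+	// Parse the returned cert bundle so that we can grab the domain from the common name.
+	x509Certs, err := certcrypto.ParsePEMBundle(cert)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Resource{
+		Domain: x509Certs[0].Subject.CommonName,
+		Certificate: cert,
+		IssuerCertificate: issuer,
+		CertURL: url,
+		CertStableURL: url,
+	}, nil
+}
+
+func hasPreferredChain(issuer []byte, preferredChain string) (bool, error) {
+	certs, err := certcrypto.ParsePEMBundle(issuer)
+	if err != nil {
+		return false, err
+	}
+
+	for _, cert := range certs {
+		if cert.Issuer.CommonName == preferredChain {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func checkOrderStatus(order acme.ExtendedOrder) (bool, error) {
+	switch order.Status {
+	case acme.StatusValid:
+		return true, nil
+	case acme.StatusInvalid:
+		return false, order.Error
+	default:
+		return false, nil
+	}
+}
+
+// https://tools.ietf.org/html/rfc8555#section-7.1.4
+// The domain name MUST be encoded
+// in the form in which it would appear in a certificate. That is, it
+// MUST be encoded according to the rules in Section 7 of [RFC5280].
+//
+// https://tools.ietf.org/html/rfc5280#section-7
+func sanitizeDomain(domains []string) []string {
+	var sanitizedDomains []string
+	for _, domain := range domains {
+		sanitizedDomain, err := idna.ToASCII(domain)
+		if err != nil {
+			log.Infof("skip domain %q: unable to sanitize (punnycode): %v", domain, err)
+		} else {
+			sanitizedDomains = append(sanitizedDomains, sanitizedDomain)
+		}
+	}
+	return sanitizedDomains
+}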
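--- a/vendor/github.com/go-acme/lego/v4/certificate/errors.go
+++ b/vendor/github.com/go-acme/lego/v4/certificate/errors.go
@@ -0,0 +1,30 @@
+package certificate
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+)
+
+// obtainError is returned when there are specific errors available per domain.
+type obtainError map[string]error
+
+func (e obtainError) Error() string {
+	buffer := bytes.NewBufferString("error: one or more domains had a problem:\n")
+
+	var domains []string
+	for domain := range e {
+		domains = append(domains, domain)
+	}
+	sort.Strings(domains)
+
+	for _, domain := range domains {
+		buffer.WriteString(fmt.Sprintf("[%s] %s\n", domain, e[domain]))
+	}
+	return buffer.String()
+}
+
+type domainError struct {
+	Domain string
+	Error error
+}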
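--- a/vendor/github.com/go-acme/lego/v4/challenge/challenges.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/challenges.go
@@ -0,0 +1,44 @@
+package challenge
+
+import (
+	"fmt"
+
+	"github.com/go-acme/lego/v4/acme"
+)
+
+// Type is a string that identifies a particular challenge type and version of ACME challenge.
+type Type string
+
+const (
+	// HTTP01 is the "http-01" ACME challenge https://tools.ietf.org/html/rfc8555#section-8.3
+	// Note: ChallengePath returns the URL path to fulfill this challenge.
+	HTTP01 = Type("http-01")
+
+	// DNS01 is the "dns-01" ACME challenge https://tools.ietf.org/html/rfc8555#section-8.4
+	// Note: GetRecord returns a DNS record which will fulfill this challenge.
+	DNS01 = Type("dns-01")
+
+	// TLSALPN01 is the "tls-alpn-01" ACME challenge https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-07
+	TLSALPN01 = Type("tls-alpn-01")
+)
+
+func (t Type) String() string {
+	return string(t)
+}
+
+func FindChallenge(chlgType Type, authz acme.Authorization) (acme.Challenge, error) {
+	for _, chlg := range authz.Challenges {
+		if chlg.Type == string(chlgType) {
+			return chlg, nil
+		}
+	}
+
+	return acme.Challenge{}, fmt.Errorf("[%s] acme: unable to find challenge %s", GetTargetedDomain(authz), chlgType)
+}
+
+func GetTargetedDomain(authz acme.Authorization) string {
+	if authz.Wildcard {
+		return "*." + authz.Identifier.Value
+	}
+	return authz.Identifier.Value
+}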
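--- a/vendor/github.com/go-acme/lego/v4/challenge/dns01/cname.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/dns01/cname.go
@@ -0,0 +1,16 @@
+package dns01
+
+import "github.com/miekg/dns"
+
+// Update FQDN with CNAME if any.
+func updateDomainWithCName(r *dns.Msg, fqdn string) string {
+for _, rr := range r.Answer {
+if cn, ok := rr.(*dns.CNAME); ok {
+if cn.Hdr.Name == fqdn {
+return cn.Target
+}
+}
+}
+
+return fqdn
+}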
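--- a/vendor/github.com/go-acme/lego/v4/challenge/dns01/dns_challenge.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/dns01/dns_challenge.go
@@ -0,0 +1,190 @@
+package dns01
+
+import (
+"crypto/sha256"
+"encoding/base64"
+"fmt"
+"os"
+"strconv"
+"time"
+
+"github.com/go-acme/lego/v4/acme"
+"github.com/go-acme/lego/v4/acme/api"
+"github.com/go-acme/lego/v4/challenge"
+"github.com/go-acme/lego/v4/log"
+"github.com/go-acme/lego/v4/platform/wait"
+"github.com/miekg/dns"
+)
+
+const (
+// DefaultPropagationTimeout default propagation timeout.
+DefaultPropagationTimeout = 60 * time.Second
+
+// DefaultPollingInterval default polling interval.
+DefaultPollingInterval = 2 * time.Second
+
+// DefaultTTL default TTL.
+DefaultTTL = 120
+)
+
+type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error
+
+type ChallengeOption func(*Challenge) error
+
+// CondOption Conditional challenge option.
+func CondOption(condition bool, opt ChallengeOption) ChallengeOption {
+if !condition {
+// NoOp options
+return func(*Challenge) error {
+return nil
+}
+}
+return opt
+}
+
+// Challenge implements the dns-01 challenge.
+type Challenge struct {
+core *api.Core
+validate ValidateFunc
+provider challenge.Provider
+preCheck preCheck
+dnsTimeout time.Duration
+}
+
+func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider, opts ...ChallengeOption) *Challenge {
+chlg := &Challenge{
+core: core,
+validate: validate,
+provider: provider,
+preCheck: newPreCheck(),
+dnsTimeout: 10 * time.Second,
+}
+
+for _, opt := range opts {
+err := opt(chlg)
+if err != nil {
+log.Infof("challenge option error: %v", err)
+}
+}
+
+return chlg
+}
+
+// PreSolve just submits the txt record to the dns provider.
+// It does not validate record propagation, or do anything at all with the acme server.
+func (c *Challenge) PreSolve(authz acme.Authorization) error {
+domain := challenge.GetTargetedDomain(authz)
+log.Infof("[%s] acme: Preparing to solve DNS-01", domain)
+
+chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+if err != nil {
+return err
+}
+
+if c.provider == nil {
+return fmt.Errorf("[%s] acme: no DNS Provider configured", domain)
+}
+
+// Generate the Key Authorization for the challenge
+keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+if err != nil {
+return err
+}
+
+err = c.provider.Present(authz.Identifier.Value, chlng.Token, keyAuth)
+if err != nil {
+return fmt.Errorf("[%s] acme: error presenting token: %w", domain, err)
+}
+
+return nil
+}
+
+func (c *Challenge) Solve(authz acme.Authorization) error {
+domain := challenge.GetTargetedDomain(authz)
+log.Infof("[%s] acme: Trying to solve DNS-01", domain)
+
+chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+if err != nil {
+return err
+}
+
+// Generate the Key Authorization for the challenge
+keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+if err != nil {
+return err
+}
+
+fqdn, value := GetRecord(authz.Identifier.Value, keyAuth)
+
+var timeout, interval time.Duration
+switch provider := c.provider.(type) {
+case challenge.ProviderTimeout:
+timeout, interval = provider.Timeout()
+default:
+timeout, interval = DefaultPropagationTimeout, DefaultPollingInterval
+}
+
+log.Infof("[%s] acme: Checking DNS record propagation using %+v", domain, recursiveNameservers)
+
+time.Sleep(interval)
+
+err = wait.For("propagation", timeout, interval, func() (bool, error) {
+stop, errP := c.preCheck.call(domain, fqdn, value)
+if !stop || errP != nil {
+log.Infof("[%s] acme: Waiting for DNS record propagation.", domain)
+}
+return stop, errP
+})
+if err != nil {
+return err
+}
+
+chlng.KeyAuthorization = keyAuth
+return c.validate(c.core, domain, chlng)
+}
+
+// CleanUp cleans the challenge.
+func (c *Challenge) CleanUp(authz acme.Authorization) error {
+log.Infof("[%s] acme: Cleaning DNS-01 challenge", challenge.GetTargetedDomain(authz))
+
+chlng, err := challenge.FindChallenge(challenge.DNS01, authz)
+if err != nil {
+return err
+}
+
+keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+if err != nil {
+return err
+}
+
+return c.provider.CleanUp(authz.Identifier.Value, chlng.Token, keyAuth)
+}
+
+func (c *Challenge) Sequential() (bool, time.Duration) {
+if p, ok := c.provider.(sequential); ok {
+return ok, p.Sequential()
+}
+return false, 0
+}
+
+type sequential interface {
+Sequential() time.Duration
+}
+
+// GetRecord returns a DNS record which will fulfill the `dns-01` challenge.
+func GetRecord(domain, keyAuth string) (fqdn, value string) {
+keyAuthShaBytes := sha256.Sum256([]byte(keyAuth))
+// base64URL encoding without padding
+value = base64.RawURLEncoding.EncodeToString(keyAuthShaBytes[:sha256.Size])
+fqdn = fmt.Sprintf("_acme-challenge.%s.", domain)
+
+if ok, _ := strconv.ParseBool(os.Getenv("LEGO_EXPERIMENTAL_CNAME_SUPPORT")); ok {
+r, err := dnsQuery(fqdn, dns.TypeCNAME, recursiveNameservers, true)
+// Check if the domain has CNAME then return that
+if err == nil && r.Rcode == dns.RcodeSuccess {
+fqdn = updateDomainWithCName(r, fqdn)
+}
+}
+
+return
+}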
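--- a/vendor/github.com/go-acme/lego/v4/challenge/dns01/dns_challenge_manual.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/dns01/dns_challenge_manual.go
@@ -0,0 +1,59 @@
+package dns01
+
+import (
+"bufio"
+"fmt"
+"os"
+"time"
+)
+
+const (
+dnsTemplate = `%s %d IN TXT "%s"`
+)
+
+// DNSProviderManual is an implementation of the ChallengeProvider interface.
+type DNSProviderManual struct{}
+
+// NewDNSProviderManual returns a DNSProviderManual instance.
+func NewDNSProviderManual() (*DNSProviderManual, error) {
+return &DNSProviderManual{}, nil
+}
+
+// Present prints instructions for manually creating the TXT record.
+func (*DNSProviderManual) Present(domain, token, keyAuth string) error {
+fqdn, value := GetRecord(domain, keyAuth)
+
+authZone, err := FindZoneByFqdn(fqdn)
+if err != nil {
+return err
+}
+
+fmt.Printf("lego: Please create the following TXT record in your %s zone:\n", authZone)
+fmt.Printf(dnsTemplate+"\n", fqdn, DefaultTTL, value)
+fmt.Printf("lego: Press 'Enter' when you are done\n")
+
+_, err = bufio.NewReader(os.Stdin).ReadBytes('\n')
+
+return err
+}
+
+// CleanUp prints instructions for manually removing the TXT record.
+func (*DNSProviderManual) CleanUp(domain, token, keyAuth string) error {
+fqdn, _ := GetRecord(domain, keyAuth)
+
+authZone, err := FindZoneByFqdn(fqdn)
+if err != nil {
+return err
+}
+
+fmt.Printf("lego: You can now remove this TXT record from your %s zone:\n", authZone)
+fmt.Printf(dnsTemplate+"\n", fqdn, DefaultTTL, "...")
+
+return nil
+}
+
+// Sequential All DNS challenges for this provider will be resolved sequentially.
+// Returns the interval between each iteration.
+func (d *DNSProviderManual) Sequential() time.Duration {
+return DefaultPropagationTimeout
+}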
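--- a/vendor/github.com/go-acme/lego/v4/challenge/dns01/fqdn.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/dns01/fqdn.go
@@ -0,0 +1,19 @@
+package dns01
+
+// ToFqdn converts the name into a fqdn appending a trailing dot.
+func ToFqdn(name string) string {
+n := len(name)
+if n == 0 || name[n-1] == '.' {
+return name
+}
+return name + "."
+}
+
+// UnFqdn converts the fqdn into a name removing the trailing dot.
+func UnFqdn(name string) string {
+n := len(name)
+if n != 0 && name[n-1] == '.' {
+return name[:n-1]
+}
+return name
+}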
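--- a/vendor/github.com/go-acme/lego/v4/challenge/dns01/nameserver.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/dns01/nameserver.go
@@ -0,0 +1,284 @@
+package dns01
+
+import (
+"errors"
+"fmt"
+"net"
+"strings"
+"sync"
+"time"
+
+"github.com/miekg/dns"
+)
+
+const defaultResolvConf = "/etc/resolv.conf"
+
+// dnsTimeout is used to override the default DNS timeout of 10 seconds.
+var dnsTimeout = 10 * time.Second
+
+var (
+fqdnSoaCache = map[string]*soaCacheEntry{}
+muFqdnSoaCache sync.Mutex
+)
+
+var defaultNameservers = []string{
+"google-public-dns-a.google.com:53",
+"google-public-dns-b.google.com:53",
+}
+
+// recursiveNameservers are used to pre-check DNS propagation.
+var recursiveNameservers = getNameservers(defaultResolvConf, defaultNameservers)
+
+// soaCacheEntry holds a cached SOA record (only selected fields).
+type soaCacheEntry struct {
+zone string // zone apex (a domain name)
+primaryNs string // primary nameserver for the zone apex
+expires time.Time // time when this cache entry should be evicted
+}
+
+func newSoaCacheEntry(soa *dns.SOA) *soaCacheEntry {
+return &soaCacheEntry{
+zone: soa.Hdr.Name,
+primaryNs: soa.Ns,
+expires: time.Now().Add(time.Duration(soa.Refresh) * time.Second),
+}
+}
+
+// isExpired checks whether a cache entry should be considered expired.
+func (cache *soaCacheEntry) isExpired() bool {
+return time.Now().After(cache.expires)
+}
+
+// ClearFqdnCache clears the cache of fqdn to zone mappings. Primarily used in testing.
+func ClearFqdnCache() {
+muFqdnSoaCache.Lock()
+fqdnSoaCache = map[string]*soaCacheEntry{}
+muFqdnSoaCache.Unlock()
+}
+
+func AddDNSTimeout(timeout time.Duration) ChallengeOption {
+return func(_ *Challenge) error {
+dnsTimeout = timeout
+return nil
+}
+}
+
+func AddRecursiveNameservers(nameservers []string) ChallengeOption {
+return func(_ *Challenge) error {
+recursiveNameservers = ParseNameservers(nameservers)
+return nil
+}
+}
+
+// getNameservers attempts to get systems nameservers before falling back to the defaults.
+func getNameservers(path string, defaults []string) []string {
+config, err := dns.ClientConfigFromFile(path)
+if err != nil || len(config.Servers) == 0 {
+return defaults
+}
+
+return ParseNameservers(config.Servers)
+}
+
+func ParseNameservers(servers []string) []string {
+var resolvers []string
+for _, resolver := range servers {
+// ensure all servers have a port number
+if _, _, err := net.SplitHostPort(resolver); err != nil {
+resolvers = append(resolvers, net.JoinHostPort(resolver, "53"))
+} else {
+resolvers = append(resolvers, resolver)
+}
+}
+return resolvers
+}
+
+// lookupNameservers returns the authoritative nameservers for the given fqdn.
+func lookupNameservers(fqdn string) ([]string, error) {
+var authoritativeNss []string
+
+zone, err := FindZoneByFqdn(fqdn)
+if err != nil {
+return nil, fmt.Errorf("could not determine the zone: %w", err)
+}
+
+r, err := dnsQuery(zone, dns.TypeNS, recursiveNameservers, true)
+if err != nil {
+return nil, err
+}
+
+for _, rr := range r.Answer {
+if ns, ok := rr.(*dns.NS); ok {
+authoritativeNss = append(authoritativeNss, strings.ToLower(ns.Ns))
+}
+}
+
+if len(authoritativeNss) > 0 {
+return authoritativeNss, nil
+}
+return nil, errors.New("could not determine authoritative nameservers")
+}
+
+// FindPrimaryNsByFqdn determines the primary nameserver of the zone apex for the given fqdn
+// by recursing up the domain labels until the nameserver returns a SOA record in the answer section.
+func FindPrimaryNsByFqdn(fqdn string) (string, error) {
+return FindPrimaryNsByFqdnCustom(fqdn, recursiveNameservers)
+}
+
+// FindPrimaryNsByFqdnCustom determines the primary nameserver of the zone apex for the given fqdn
+// by recursing up the domain labels until the nameserver returns a SOA record in the answer section.
+func FindPrimaryNsByFqdnCustom(fqdn string, nameservers []string) (string, error) {
+soa, err := lookupSoaByFqdn(fqdn, nameservers)
+if err != nil {
+return "", err
+}
+return soa.primaryNs, nil
+}
+
+// FindZoneByFqdn determines the zone apex for the given fqdn
+// by recursing up the domain labels until the nameserver returns a SOA record in the answer section.
+func FindZoneByFqdn(fqdn string) (string, error) {
+return FindZoneByFqdnCustom(fqdn, recursiveNameservers)
+}
+
+// FindZoneByFqdnCustom determines the zone apex for the given fqdn
+// by recursing up the domain labels until the nameserver returns a SOA record in the answer section.
+func FindZoneByFqdnCustom(fqdn string, nameservers []string) (string, error) {
+soa, err := lookupSoaByFqdn(fqdn, nameservers)
+if err != nil {
+return "", err
+}
+return soa.zone, nil
+}
+
+func lookupSoaByFqdn(fqdn string, nameservers []string) (*soaCacheEntry, error) {
+muFqdnSoaCache.Lock()
+defer muFqdnSoaCache.Unlock()
+
+// Do we have it cached and is it still fresh?
+if ent := fqdnSoaCache[fqdn]; ent != nil && !ent.isExpired() {
+return ent, nil
+}
+
+ent, err := fetchSoaByFqdn(fqdn, nameservers)
+if err != nil {
+return nil, err
+}
+
+fqdnSoaCache[fqdn] = ent
+return ent, nil
+}
+
+func fetchSoaByFqdn(fqdn string, nameservers []string) (*soaCacheEntry, error) {
+var err error
+var in *dns.Msg
+
+labelIndexes := dns.Split(fqdn)
+for _, index := range labelIndexes {
+domain := fqdn[index:]
+
+in, err = dnsQuery(domain, dns.TypeSOA, nameservers, true)
+if err != nil {
+continue
+}
+
+if in == nil {
+continue
+}
+
+switch in.Rcode {
+case dns.RcodeSuccess:
+// Check if we got a SOA RR in the answer section
+if len(in.Answer) == 0 {
+continue
+}
+
+// CNAME records cannot/should not exist at the root of a zone.
+// So we skip a domain when a CNAME is found.
+if dnsMsgContainsCNAME(in) {
+continue
+}
+
+for _, ans := range in.Answer {
+if soa, ok := ans.(*dns.SOA); ok {
+return newSoaCacheEntry(soa), nil
+}
+}
+case dns.RcodeNameError:
+// NXDOMAIN
+default:
+// Any response code other than NOERROR and NXDOMAIN is treated as error
+return nil, fmt.Errorf("unexpected response code '%s' for %s", dns.RcodeToString[in.Rcode], domain)
+}
+}
+
+return nil, fmt.Errorf("could not find the start of authority for %s%s", fqdn, formatDNSError(in, err))
+}
+
+// dnsMsgContainsCNAME checks for a CNAME answer in msg.
+func dnsMsgContainsCNAME(msg *dns.Msg) bool {
+for _, ans := range msg.Answer {
+if _, ok := ans.(*dns.CNAME); ok {
+return true
+}
+}
+return false
+}
+
+func dnsQuery(fqdn string, rtype uint16, nameservers []string, recursive bool) (*dns.Msg, error) {
+m := createDNSMsg(fqdn, rtype, recursive)
+
+var in *dns.Msg
+var err error
+
+for _, ns := range nameservers {
+in, err = sendDNSQuery(m, ns)
+if err == nil && len(in.Answer) > 0 {
+break
+}
+}
+return in, err
+}
+
+func createDNSMsg(fqdn string, rtype uint16, recursive bool) *dns.Msg {
+m := new(dns.Msg)
+m.SetQuestion(fqdn, rtype)
+m.SetEdns0(4096, false)
+
+if !recursive {
+m.RecursionDesired = false
+}
+
+return m
+}
+
+func sendDNSQuery(m *dns.Msg, ns string) (*dns.Msg, error) {
+udp := &dns.Client{Net: "udp", Timeout: dnsTimeout}
+in, _, err := udp.Exchange(m, ns)
+
+if in != nil && in.Truncated {
+tcp := &dns.Client{Net: "tcp", Timeout: dnsTimeout}
+// If the TCP request succeeds, the err will reset to nil
+in, _, err = tcp.Exchange(m, ns)
+}
+
+return in, err
+}
+
+func formatDNSError(msg *dns.Msg, err error) string {
+var parts []string
+
+if msg != nil {
+parts = append(parts, dns.RcodeToString[msg.Rcode])
+}
+
+if err != nil {
+parts = append(parts, err.Error())
+}
+
+if len(parts) > 0 {
+return ": " + strings.Join(parts, " ")
+}
+
+return ""
+}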
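--- a/vendor/github.com/go-acme/lego/v4/challenge/dns01/precheck.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/dns01/precheck.go
@@ -0,0 +1,110 @@
+package dns01
+
+import (
+"fmt"
+"net"
+"strings"
+
+"github.com/miekg/dns"
+)
+
+// PreCheckFunc checks DNS propagation before notifying ACME that the DNS challenge is ready.
+type PreCheckFunc func(fqdn, value string) (bool, error)
+
+// WrapPreCheckFunc wraps a PreCheckFunc in order to do extra operations before or after
+// the main check, put it in a loop, etc.
+type WrapPreCheckFunc func(domain, fqdn, value string, check PreCheckFunc) (bool, error)
+
+// WrapPreCheck Allow to define checks before notifying ACME that the DNS challenge is ready.
+func WrapPreCheck(wrap WrapPreCheckFunc) ChallengeOption {
+return func(chlg *Challenge) error {
+chlg.preCheck.checkFunc = wrap
+return nil
+}
+}
+
+func DisableCompletePropagationRequirement() ChallengeOption {
+return func(chlg *Challenge) error {
+chlg.preCheck.requireCompletePropagation = false
+return nil
+}
+}
+
+type preCheck struct {
+// checks DNS propagation before notifying ACME that the DNS challenge is ready.
+checkFunc WrapPreCheckFunc
+// require the TXT record to be propagated to all authoritative name servers
+requireCompletePropagation bool
+}
+
+func newPreCheck() preCheck {
+return preCheck{
+requireCompletePropagation: true,
+}
+}
+
+func (p preCheck) call(domain, fqdn, value string) (bool, error) {
+if p.checkFunc == nil {
+return p.checkDNSPropagation(fqdn, value)
+}
+
+return p.checkFunc(domain, fqdn, value, p.checkDNSPropagation)
+}
+
+// checkDNSPropagation checks if the expected TXT record has been propagated to all authoritative nameservers.
+func (p preCheck) checkDNSPropagation(fqdn, value string) (bool, error) {
+// Initial attempt to resolve at the recursive NS
+r, err := dnsQuery(fqdn, dns.TypeTXT, recursiveNameservers, true)
+if err != nil {
+return false, err
+}
+
+if !p.requireCompletePropagation {
+return true, nil
+}
+
+if r.Rcode == dns.RcodeSuccess {
+fqdn = updateDomainWithCName(r, fqdn)
+}
+
+authoritativeNss, err := lookupNameservers(fqdn)
+if err != nil {
+return false, err
+}
+
+return checkAuthoritativeNss(fqdn, value, authoritativeNss)
+}
+
+// checkAuthoritativeNss queries each of the given nameservers for the expected TXT record.
+func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, error) {
+for _, ns := range nameservers {
+r, err := dnsQuery(fqdn, dns.TypeTXT, []string{net.JoinHostPort(ns, "53")}, false)
+if err != nil {
+return false, err
+}
+
+if r.Rcode != dns.RcodeSuccess {
+return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
+}
+
+var records []string
+
+var found bool
+for _, rr := range r.Answer {
+if txt, ok := rr.(*dns.TXT); ok {
+record := strings.Join(txt.Txt, "")
+records = append(records, record)
+if record == value {
+found = true
+break
+}
+}
+}
+
+if !found {
+return false, fmt.Errorf("NS %s did not return the expected TXT record [fqdn: %s, value: %s]: %s", ns, fqdn, value, strings.Join(records, " ,"))
+}
+}
+
+return true, nil
+}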
184
vendor/github.com/go-acme/lego/v4/challenge/http01/domain_matcher.go
generated
vendored
Normal file
184
vendor/github.com/go-acme/lego/v4/challenge/http01/domain_matcher.go
generated
vendored
Normal file
@ -0,0 +1,184 @@
|
|||||||
|
package http01
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"strings"
|
||||||
|
)
|
||||||
|
|
||||||
|
// A domainMatcher tries to match a domain (the one we're requesting a certificate for)
|
||||||
|
// in the HTTP request coming from the ACME validation servers.
|
||||||
|
// This step is part of DNS rebind attack prevention,
|
||||||
|
// where the webserver matches incoming requests to a list of domain the server acts authoritative for.
|
||||||
|
//
|
||||||
|
// The most simple check involves finding the domain in the HTTP Host header;
|
||||||
|
// this is what hostMatcher does.
|
||||||
|
// Use it, when the http01.ProviderServer is directly reachable from the internet,
|
||||||
|
// or when it operates behind a transparent proxy.
|
||||||
|
//
|
||||||
|
// In many (reverse) proxy setups, Apache and NGINX traditionally move the Host header to a new header named X-Forwarded-Host.
|
||||||
|
// Use arbitraryMatcher("X-Forwarded-Host") in this case,
|
||||||
|
// or the appropriate header name for other proxy servers.
|
||||||
|
//
|
||||||
|
// RFC7239 has standardized the different forwarding headers into a single header named Forwarded.
|
||||||
|
// The header value has a different format, so you should use forwardedMatcher
|
||||||
|
// when the http01.ProviderServer operates behind a RFC7239 compatible proxy.
|
||||||
|
// https://tools.ietf.org/html/rfc7239
|
||||||
|
//
|
||||||
|
// Note: RFC7239 also reminds us, "that an HTTP list [...] may be split over multiple header fields" (section 7.1),
|
||||||
|
// meaning that
|
||||||
|
// X-Header: a
|
||||||
|
// X-Header: b
|
||||||
|
// is equal to
|
||||||
|
// X-Header: a, b
|
||||||
|
//
|
||||||
|
// All matcher implementations (explicitly not excluding arbitraryMatcher!)
|
||||||
|
// have in common that they only match against the first value in such lists.
|
||||||
|
type domainMatcher interface {
|
||||||
|
// matches checks whether the request is valid for the given domain.
|
||||||
|
matches(request *http.Request, domain string) bool
|
||||||
|
|
||||||
|
// name returns the header name used in the check.
|
||||||
|
// This is primarily used to create meaningful error messages.
|
||||||
|
name() string
|
||||||
|
}
|
||||||
|
|
||||||
|
// hostMatcher checks whether (*net/http).Request.Host starts with a domain name.
|
||||||
|
type hostMatcher struct{}
|
||||||
|
|
||||||
|
func (m *hostMatcher) name() string {
|
||||||
|
return "Host"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *hostMatcher) matches(r *http.Request, domain string) bool {
|
||||||
|
return strings.HasPrefix(r.Host, domain)
|
||||||
|
}
|
||||||
|
|
||||||
|
// hostMatcher checks whether the specified (*net/http.Request).Header value starts with a domain name.
|
||||||
|
type arbitraryMatcher string
|
||||||
|
|
||||||
|
func (m arbitraryMatcher) name() string {
|
||||||
|
return string(m)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m arbitraryMatcher) matches(r *http.Request, domain string) bool {
|
||||||
|
return strings.HasPrefix(r.Header.Get(m.name()), domain)
|
||||||
|
}
|
||||||
|
|
||||||
|
// forwardedMatcher checks whether the Forwarded header contains a "host" element starting with a domain name.
|
||||||
|
// See https://tools.ietf.org/html/rfc7239 for details.
|
||||||
|
type forwardedMatcher struct{}
|
||||||
|
|
||||||
|
func (m *forwardedMatcher) name() string {
|
||||||
|
return "Forwarded"
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *forwardedMatcher) matches(r *http.Request, domain string) bool {
|
||||||
|
fwds, err := parseForwardedHeader(r.Header.Get(m.name()))
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(fwds) == 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
host := fwds[0]["host"]
|
||||||
|
return strings.HasPrefix(host, domain)
|
||||||
|
}
|
||||||
|
|
||||||
|
// parsing requires some form of state machine.
|
||||||
|
func parseForwardedHeader(s string) (elements []map[string]string, err error) {
|
||||||
|
cur := make(map[string]string)
|
||||||
|
key := ""
|
||||||
|
val := ""
|
||||||
|
inquote := false
|
||||||
|
|
||||||
|
pos := 0
|
||||||
|
l := len(s)
|
||||||
|
for i := 0; i < l; i++ {
|
||||||
|
r := rune(s[i])
|
||||||
|
|
||||||
|
if inquote {
|
||||||
|
if r == '"' {
|
||||||
|
cur[key] = s[pos:i]
|
||||||
|
key = ""
|
||||||
|
pos = i
|
||||||
|
inquote = false
|
||||||
|
}
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
switch {
|
||||||
|
case r == '"': // start of quoted-string
|
||||||
|
if key == "" {
|
||||||
|
return nil, fmt.Errorf("unexpected quoted string as pos %d", i)
|
||||||
|
}
|
||||||
|
inquote = true
|
||||||
|
pos = i + 1
|
||||||
|
|
||||||
|
case r == ';': // end of forwarded-pair
|
||||||
|
cur[key] = s[pos:i]
|
||||||
|
key = ""
|
||||||
|
i = skipWS(s, i)
|
||||||
|
pos = i + 1
|
||||||
|
|
||||||
|
case r == '=': // end of token
|
||||||
|
key = strings.ToLower(strings.TrimFunc(s[pos:i], isWS))
|
||||||
|
i = skipWS(s, i)
|
||||||
|
pos = i + 1
|
||||||
|
|
||||||
|
case r == ',': // end of forwarded-element
|
||||||
|
if key != "" {
|
||||||
|
if val == "" {
|
||||||
|
val = s[pos:i]
|
||||||
|
}
|
||||||
|
cur[key] = val
|
||||||
|
}
|
||||||
|
elements = append(elements, cur)
|
||||||
|
cur = make(map[string]string)
|
||||||
|
key = ""
|
||||||
|
val = ""
|
||||||
|
|
||||||
|
i = skipWS(s, i)
|
||||||
|
pos = i + 1
|
||||||
|
case tchar(r) || isWS(r): // valid token character or whitespace
|
||||||
|
continue
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("invalid token character at pos %d: %c", i, r)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if inquote {
|
||||||
|
return nil, fmt.Errorf("unterminated quoted-string at pos %d", len(s))
|
||||||
|
}
|
||||||
|
|
||||||
|
if key != "" {
|
||||||
|
if pos < len(s) {
|
||||||
|
val = s[pos:]
|
||||||
|
}
|
||||||
|
cur[key] = val
|
||||||
|
}
|
||||||
|
if len(cur) > 0 {
|
||||||
|
elements = append(elements, cur)
|
||||||
|
}
|
||||||
|
return elements, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func tchar(r rune) bool {
|
||||||
|
return strings.ContainsRune("!#$%&'*+-.^_`|~", r) ||
|
||||||
|
'0' <= r && r <= '9' ||
|
||||||
|
'a' <= r && r <= 'z' ||
|
||||||
|
'A' <= r && r <= 'Z'
|
||||||
|
}
|
||||||
|
|
||||||
|
func skipWS(s string, i int) int {
|
||||||
|
for isWS(rune(s[i+1])) {
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
return i
|
||||||
|
}
|
||||||
|
|
||||||
|
func isWS(r rune) bool {
|
||||||
|
return strings.ContainsRune(" \t\v\r\n", r)
|
||||||
|
}
|
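--- a/vendor/github.com/go-acme/lego/v4/challenge/http01/http_challenge.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/http01/http_challenge.go
@@ -0,0 +1,65 @@
+package http01
+
+import (
+"fmt"
+
+"github.com/go-acme/lego/v4/acme"
+"github.com/go-acme/lego/v4/acme/api"
+"github.com/go-acme/lego/v4/challenge"
+"github.com/go-acme/lego/v4/log"
+)
+
+type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error
+
+// ChallengePath returns the URL path for the `http-01` challenge.
+func ChallengePath(token string) string {
+return "/.well-known/acme-challenge/" + token
+}
+
+type Challenge struct {
+core *api.Core
+validate ValidateFunc
+provider challenge.Provider
+}
+
+func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider) *Challenge {
+return &Challenge{
+core: core,
+validate: validate,
+provider: provider,
+}
+}
+
+func (c *Challenge) SetProvider(provider challenge.Provider) {
+c.provider = provider
+}
+
+func (c *Challenge) Solve(authz acme.Authorization) error {
+domain := challenge.GetTargetedDomain(authz)
+log.Infof("[%s] acme: Trying to solve HTTP-01", domain)
+
+chlng, err := challenge.FindChallenge(challenge.HTTP01, authz)
+if err != nil {
+return err
+}
+
+// Generate the Key Authorization for the challenge
+keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+if err != nil {
+return err
+}
+
+err = c.provider.Present(authz.Identifier.Value, chlng.Token, keyAuth)
+if err != nil {
+return fmt.Errorf("[%s] acme: error presenting token: %w", domain, err)
+}
+defer func() {
+err := c.provider.CleanUp(authz.Identifier.Value, chlng.Token, keyAuth)
+if err != nil {
+log.Warnf("[%s] acme: cleaning up failed: %v", domain, err)
+}
+}()
+
+chlng.KeyAuthorization = keyAuth
+return c.validate(c.core, domain, chlng)
+}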
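--- a/vendor/github.com/go-acme/lego/v4/challenge/http01/http_challenge_server.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/http01/http_challenge_server.go
@@ -0,0 +1,122 @@
+package http01
+
+import (
+"fmt"
+"net"
+"net/http"
+"net/textproto"
+"strings"
+
+"github.com/go-acme/lego/v4/log"
+)
+
+// ProviderServer implements ChallengeProvider for `http-01` challenge.
+// It may be instantiated without using the NewProviderServer function if
+// you want only to use the default values.
+type ProviderServer struct {
+iface string
+port string
+matcher domainMatcher
+done chan bool
+listener net.Listener
+}
+
+// NewProviderServer creates a new ProviderServer on the selected interface and port.
+// Setting iface and / or port to an empty string will make the server fall back to
+// the "any" interface and port 80 respectively.
+func NewProviderServer(iface, port string) *ProviderServer {
+if port == "" {
+port = "80"
+}
+
+return &ProviderServer{iface: iface, port: port, matcher: &hostMatcher{}}
+}
+
+// Present starts a web server and makes the token available at `ChallengePath(token)` for web requests.
+func (s *ProviderServer) Present(domain, token, keyAuth string) error {
+var err error
+s.listener, err = net.Listen("tcp", s.GetAddress())
+if err != nil {
+return fmt.Errorf("could not start HTTP server for challenge: %w", err)
+}
+
+s.done = make(chan bool)
+go s.serve(domain, token, keyAuth)
+return nil
+}
+
+func (s *ProviderServer) GetAddress() string {
+return net.JoinHostPort(s.iface, s.port)
+}
+
+// CleanUp closes the HTTP server and removes the token from `ChallengePath(token)`.
+func (s *ProviderServer) CleanUp(domain, token, keyAuth string) error {
+if s.listener == nil {
+return nil
+}
+s.listener.Close()
+<-s.done
+return nil
+}
+
+// SetProxyHeader changes the validation of incoming requests.
+// By default, s matches the "Host" header value to the domain name.
+//
+// When the server runs behind a proxy server, this is not the correct place to look at;
+// Apache and NGINX have traditionally moved the original Host header into a new header named "X-Forwarded-Host".
+// Other webservers might use different names;
+// and RFC7239 has standardized a new header named "Forwarded" (with slightly different semantics).
+//
+// The exact behavior depends on the value of headerName:
+// - "" (the empty string) and "Host" will restore the default and only check the Host header
+// - "Forwarded" will look for a Forwarded header, and inspect it according to https://tools.ietf.org/html/rfc7239
+// - any other value will check the header value with the same name.
+func (s *ProviderServer) SetProxyHeader(headerName string) {
+switch h := textproto.CanonicalMIMEHeaderKey(headerName); h {
+case "", "Host":
+s.matcher = &hostMatcher{}
+case "Forwarded":
+s.matcher = &forwardedMatcher{}
+default:
+s.matcher = arbitraryMatcher(h)
+}
+}
+
+func (s *ProviderServer) serve(domain, token, keyAuth string) {
+path := ChallengePath(token)
+
+// The incoming request must will be validated to prevent DNS rebind attacks.
+// We only respond with the keyAuth, when we're receiving a GET requests with
+// the "Host" header matching the domain (the latter is configurable though SetProxyHeader).
+mux := http.NewServeMux()
+mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
+if r.Method == http.MethodGet && s.matcher.matches(r, domain) {
+w.Header().Set("Content-Type", "text/plain")
+_, err := w.Write([]byte(keyAuth))
+if err != nil {
+http.Error(w, err.Error(), http.StatusInternalServerError)
+return
+}
+log.Infof("[%s] Served key authentication", domain)
+} else {
+log.Warnf("Received request for domain %s with method %s but the domain did not match any challenge. Please ensure your are passing the %s header properly.", r.Host, r.Method, s.matcher.name())
+_, err := w.Write([]byte("TEST"))
+if err != nil {
+http.Error(w, err.Error(), http.StatusInternalServerError)
+return
+}
+}
+})
+
+httpServer := &http.Server{Handler: mux}
+
+// Once httpServer is shut down
+// we don't want any lingering connections, so disable KeepAlives.
+httpServer.SetKeepAlivesEnabled(false)
+
+err := httpServer.Serve(s.listener)
+if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
+log.Println(err)
+}
+s.done <- true
+}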
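--- a/vendor/github.com/go-acme/lego/v4/challenge/provider.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/provider.go
@@ -0,0 +1,28 @@
+package challenge
+
+import "time"
+
+// Provider enables implementing a custom challenge
+// provider. Present presents the solution to a challenge available to
+// be solved. CleanUp will be called by the challenge if Present ends
+// in a non-error state.
+type Provider interface {
+Present(domain, token, keyAuth string) error
+CleanUp(domain, token, keyAuth string) error
+}
+
+// ProviderTimeout allows for implementing a
+// Provider where an unusually long timeout is required when
+// waiting for an ACME challenge to be satisfied, such as when
+// checking for DNS record propagation. If an implementor of a
+// Provider provides a Timeout method, then the return values
+// of the Timeout method will be used when appropriate by the acme
+// package. The interval value is the time between checks.
+//
+// The default values used for timeout and interval are 60 seconds and
+// 2 seconds respectively. These are used when no Timeout method is
+// defined for the Provider.
+type ProviderTimeout interface {
+Provider
+Timeout() (timeout, interval time.Duration)
+}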
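--- a/vendor/github.com/go-acme/lego/v4/challenge/resolver/errors.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/resolver/errors.go
@@ -0,0 +1,25 @@
+package resolver
+
+import (
+"bytes"
+"fmt"
+"sort"
+)
+
+// obtainError is returned when there are specific errors available per domain.
+type obtainError map[string]error
+
+func (e obtainError) Error() string {
+buffer := bytes.NewBufferString("error: one or more domains had a problem:\n")
+
+var domains []string
+for domain := range e {
+domains = append(domains, domain)
+}
+sort.Strings(domains)
+
+for _, domain := range domains {
+buffer.WriteString(fmt.Sprintf("[%s] %s\n", domain, e[domain]))
+}
+return buffer.String()
+}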
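--- a/vendor/github.com/go-acme/lego/v4/challenge/resolver/prober.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/resolver/prober.go
@@ -0,0 +1,173 @@
+package resolver
+
+import (
+"fmt"
+"time"
+
+"github.com/go-acme/lego/v4/acme"
+"github.com/go-acme/lego/v4/challenge"
+"github.com/go-acme/lego/v4/log"
+)
+
+// Interface for all challenge solvers to implement.
+type solver interface {
+Solve(authorization acme.Authorization) error
+}
+
+// Interface for challenges like dns, where we can set a record in advance for ALL challenges.
+// This saves quite a bit of time vs creating the records and solving them serially.
+type preSolver interface {
+PreSolve(authorization acme.Authorization) error
+}
+
+// Interface for challenges like dns, where we can solve all the challenges before to delete them.
+type cleanup interface {
+CleanUp(authorization acme.Authorization) error
+}
+
+type sequential interface {
+Sequential() (bool, time.Duration)
+}
+
+// an authz with the solver we have chosen and the index of the challenge associated with it.
+type selectedAuthSolver struct {
+authz acme.Authorization
+solver solver
+}
+
+type Prober struct {
+solverManager *SolverManager
+}
+
+func NewProber(solverManager *SolverManager) *Prober {
+return &Prober{
+solverManager: solverManager,
+}
+}
+
+// Solve Looks through the challenge combinations to find a solvable match.
+// Then solves the challenges in series and returns.
+func (p *Prober) Solve(authorizations []acme.Authorization) error {
+failures := make(obtainError)
+
+var authSolvers []*selectedAuthSolver
+var authSolversSequential []*selectedAuthSolver
+
+// Loop through the resources, basically through the domains.
+// First pass just selects a solver for each authz.
+for _, authz := range authorizations {
+domain := challenge.GetTargetedDomain(authz)
+if authz.Status == acme.StatusValid {
+// Boulder might recycle recent validated authz (see issue #267)
+log.Infof("[%s] acme: authorization already valid; skipping challenge", domain)
+continue
+}
+
+if solvr := p.solverManager.chooseSolver(authz); solvr != nil {
+authSolver := &selectedAuthSolver{authz: authz, solver: solvr}
+
+switch s := solvr.(type) {
+case sequential:
+if ok, _ := s.Sequential(); ok {
+authSolversSequential = append(authSolversSequential, authSolver)
+} else {
+authSolvers = append(authSolvers, authSolver)
+}
+default:
+authSolvers = append(authSolvers, authSolver)
+}
+} else {
+failures[domain] = fmt.Errorf("[%s] acme: could not determine solvers", domain)
+}
+}
+
+parallelSolve(authSolvers, failures)
+
+sequentialSolve(authSolversSequential, failures)
+
+// Be careful not to return an empty failures map,
+// for even an empty obtainError is a non-nil error value
+if len(failures) > 0 {
+return failures
+}
+return nil
+}
+
+func sequentialSolve(authSolvers []*selectedAuthSolver, failures obtainError) {
+for i, authSolver := range authSolvers {
+// Submit the challenge
+domain := challenge.GetTargetedDomain(authSolver.authz)
+
+if solvr, ok := authSolver.solver.(preSolver); ok {
+err := solvr.PreSolve(authSolver.authz)
+if err != nil {
+failures[domain] = err
+cleanUp(authSolver.solver, authSolver.authz)
+continue
+}
+}
+
+// Solve challenge
+err := authSolver.solver.Solve(authSolver.authz)
+if err != nil {
+failures[domain] = err
+cleanUp(authSolver.solver, authSolver.authz)
+continue
+}
+
+// Clean challenge
+cleanUp(authSolver.solver, authSolver.authz)
+
+if len(authSolvers)-1 > i {
+solvr := authSolver.solver.(sequential)
+_, interval := solvr.Sequential()
+log.Infof("sequence: wait for %s", interval)
+time.Sleep(interval)
+}
+}
+}
+
+func parallelSolve(authSolvers []*selectedAuthSolver, failures obtainError) {
+// For all valid preSolvers, first submit the challenges so they have max time to propagate
+for _, authSolver := range authSolvers {
+authz := authSolver.authz
+if solvr, ok := authSolver.solver.(preSolver); ok {
+err := solvr.PreSolve(authz)
+if err != nil {
+failures[challenge.GetTargetedDomain(authz)] = err
+}
+}
+}
+
+defer func() {
+// Clean all created TXT records
+for _, authSolver := range authSolvers {
+cleanUp(authSolver.solver, authSolver.authz)
+}
+}()
+
+// Finally solve all challenges for real
+for _, authSolver := range authSolvers {
+authz := authSolver.authz
+domain := challenge.GetTargetedDomain(authz)
+if failures[domain] != nil {
+// already failed in previous loop
+continue
+}
+
+err := authSolver.solver.Solve(authz)
+if err != nil {
+failures[domain] = err
+}
+}
+}
+
+func cleanUp(solvr solver, authz acme.Authorization) {
+if solvr, ok := solvr.(cleanup); ok {
+domain := challenge.GetTargetedDomain(authz)
+err := solvr.CleanUp(authz)
+if err != nil {
+log.Warnf("[%s] acme: cleaning up failed: %v ", domain, err)
+}
+}
+}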
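--- a/vendor/github.com/go-acme/lego/v4/challenge/resolver/solver_manager.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/resolver/solver_manager.go
@@ -0,0 +1,169 @@
+package resolver
+
+import (
+"context"
+"errors"
+"fmt"
+"sort"
+"strconv"
+"time"
+
+"github.com/cenkalti/backoff/v4"
+"github.com/go-acme/lego/v4/acme"
+"github.com/go-acme/lego/v4/acme/api"
+"github.com/go-acme/lego/v4/challenge"
+"github.com/go-acme/lego/v4/challenge/dns01"
+"github.com/go-acme/lego/v4/challenge/http01"
+"github.com/go-acme/lego/v4/challenge/tlsalpn01"
+"github.com/go-acme/lego/v4/log"
+)
+
+type byType []acme.Challenge
+
+func (a byType) Len() int { return len(a) }
+func (a byType) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+func (a byType) Less(i, j int) bool { return a[i].Type > a[j].Type }
+
+type SolverManager struct {
+core *api.Core
+solvers map[challenge.Type]solver
+}
+
+func NewSolversManager(core *api.Core) *SolverManager {
+return &SolverManager{
+solvers: map[challenge.Type]solver{},
+core: core,
+}
+}
+
+// SetHTTP01Provider specifies a custom provider p that can solve the given HTTP-01 challenge.
+func (c *SolverManager) SetHTTP01Provider(p challenge.Provider) error {
+c.solvers[challenge.HTTP01] = http01.NewChallenge(c.core, validate, p)
+return nil
+}
+
+// SetTLSALPN01Provider specifies a custom provider p that can solve the given TLS-ALPN-01 challenge.
+func (c *SolverManager) SetTLSALPN01Provider(p challenge.Provider) error {
+c.solvers[challenge.TLSALPN01] = tlsalpn01.NewChallenge(c.core, validate, p)
+return nil
+}
+
+// SetDNS01Provider specifies a custom provider p that can solve the given DNS-01 challenge.
+func (c *SolverManager) SetDNS01Provider(p challenge.Provider, opts ...dns01.ChallengeOption) error {
+c.solvers[challenge.DNS01] = dns01.NewChallenge(c.core, validate, p, opts...)
+return nil
+}
+
+// Remove Remove a challenge type from the available solvers.
+func (c *SolverManager) Remove(chlgType challenge.Type) {
+delete(c.solvers, chlgType)
+}
+
+// Checks all challenges from the server in order and returns the first matching solver.
+func (c *SolverManager) chooseSolver(authz acme.Authorization) solver {
+// Allow to have a deterministic challenge order
+sort.Sort(byType(authz.Challenges))
+
+domain := challenge.GetTargetedDomain(authz)
+for _, chlg := range authz.Challenges {
+if solvr, ok := c.solvers[challenge.Type(chlg.Type)]; ok {
+log.Infof("[%s] acme: use %s solver", domain, chlg.Type)
+return solvr
+}
+log.Infof("[%s] acme: Could not find solver for: %s", domain, chlg.Type)
+}
+
+return nil
+}
+
+func validate(core *api.Core, domain string, chlg acme.Challenge) error {
+chlng, err := core.Challenges.New(chlg.URL)
+if err != nil {
+return fmt.Errorf("failed to initiate challenge: %w", err)
+}
+
+valid, err := checkChallengeStatus(chlng)
+if err != nil {
+return err
+}
+
+if valid {
+log.Infof("[%s] The server validated our request", domain)
+return nil
+}
+
+ra, err := strconv.Atoi(chlng.RetryAfter)
+if err != nil {
+// The ACME server MUST return a Retry-After.
+// If it doesn't, we'll just poll hard.
+// Boulder does not implement the ability to retry challenges or the Retry-After header.
+// https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md#section-82
+ra = 5
+}
+initialInterval := time.Duration(ra) * time.Second
+
+bo := backoff.NewExponentialBackOff()
+bo.InitialInterval = initialInterval
+bo.MaxInterval = 10 * initialInterval
+bo.MaxElapsedTime = 100 * initialInterval
+
+ctx, cancel := context.WithCancel(context.Background())
+
+// After the path is sent, the ACME server will access our server.
+// Repeatedly check the server for an updated status on our request.
+operation := func() error {
+authz, err := core.Authorizations.Get(chlng.AuthorizationURL)
+if err != nil {
+cancel()
+return err
+}
+
+valid, err := checkAuthorizationStatus(authz)
+if err != nil {
+cancel()
+return err
+}
+
+if valid {
+log.Infof("[%s] The server validated our request", domain)
+return nil
+}
+
+return errors.New("the server didn't respond to our request")
+}
+
+return backoff.Retry(operation, backoff.WithContext(bo, ctx))
+}
+
+func checkChallengeStatus(chlng acme.ExtendedChallenge) (bool, error) {
+switch chlng.Status {
+case acme.StatusValid:
+return true, nil
+case acme.StatusPending, acme.StatusProcessing:
+return false, nil
+case acme.StatusInvalid:
+return false, chlng.Error
+default:
+return false, errors.New("the server returned an unexpected state")
+}
+}
+
+func checkAuthorizationStatus(authz acme.Authorization) (bool, error) {
+switch authz.Status {
+case acme.StatusValid:
+return true, nil
+case acme.StatusPending, acme.StatusProcessing:
+return false, nil
+case acme.StatusDeactivated, acme.StatusExpired, acme.StatusRevoked:
+return false, fmt.Errorf("the authorization state %s", authz.Status)
+case acme.StatusInvalid:
+for _, chlg := range authz.Challenges {
+if chlg.Status == acme.StatusInvalid && chlg.Error != nil {
+return false, chlg.Error
+}
+}
+return false, fmt.Errorf("the authorization state %s", authz.Status)
+default:
+return false, errors.New("the server returned an unexpected state")
+}
+}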
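--- a/vendor/github.com/go-acme/lego/v4/challenge/tlsalpn01/tls_alpn_challenge.go
+++ b/vendor/github.com/go-acme/lego/v4/challenge/tlsalpn01/tls_alpn_challenge.go
@@ -0,0 +1,129 @@
+package tlsalpn01
+
+import (
+"crypto/rsa"
+"crypto/sha256"
+"crypto/tls"
+"crypto/x509/pkix"
+"encoding/asn1"
+"fmt"
+
+"github.com/go-acme/lego/v4/acme"
+"github.com/go-acme/lego/v4/acme/api"
+"github.com/go-acme/lego/v4/certcrypto"
+"github.com/go-acme/lego/v4/challenge"
+"github.com/go-acme/lego/v4/log"
+)
+
+// idPeAcmeIdentifierV1 is the SMI Security for PKIX Certification Extension OID referencing the ACME extension.
+// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-07#section-6.1
+var idPeAcmeIdentifierV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}
+
+type ValidateFunc func(core *api.Core, domain string, chlng acme.Challenge) error
+
+type Challenge struct {
+core *api.Core
+validate ValidateFunc
+provider challenge.Provider
+}
+
+func NewChallenge(core *api.Core, validate ValidateFunc, provider challenge.Provider) *Challenge {
+return &Challenge{
+core: core,
+validate: validate,
+provider: provider,
+}
+}
+
+func (c *Challenge) SetProvider(provider challenge.Provider) {
+c.provider = provider
+}
+
+// Solve manages the provider to validate and solve the challenge.
+func (c *Challenge) Solve(authz acme.Authorization) error {
+domain := authz.Identifier.Value
+log.Infof("[%s] acme: Trying to solve TLS-ALPN-01", challenge.GetTargetedDomain(authz))
+
+chlng, err := challenge.FindChallenge(challenge.TLSALPN01, authz)
+if err != nil {
+return err
+}
+
+// Generate the Key Authorization for the challenge
+keyAuth, err := c.core.GetKeyAuthorization(chlng.Token)
+if err != nil {
+return err
+}
+
+err = c.provider.Present(domain, chlng.Token, keyAuth)
+if err != nil {
+return fmt.Errorf("[%s] acme: error presenting token: %w", challenge.GetTargetedDomain(authz), err)
+}
+defer func() {
+err := c.provider.CleanUp(domain, chlng.Token, keyAuth)
+if err != nil {
+log.Warnf("[%s] acme: cleaning up failed: %v", challenge.GetTargetedDomain(authz), err)
+}
+}()
+
+chlng.KeyAuthorization = keyAuth
+return c.validate(c.core, domain, chlng)
+}
+
+// ChallengeBlocks returns PEM blocks (certPEMBlock, keyPEMBlock) with the acmeValidation-v1 extension
+// and domain name for the `tls-alpn-01` challenge.
+func ChallengeBlocks(domain, keyAuth string) ([]byte, []byte, error) {
+// Compute the SHA-256 digest of the key authorization.
+zBytes := sha256.Sum256([]byte(keyAuth))
+
+value, err := asn1.Marshal(zBytes[:sha256.Size])
+if err != nil {
+return nil, nil, err
+}
+
+// Add the keyAuth digest as the acmeValidation-v1 extension
+// (marked as critical such that it won't be used by non-ACME software).
+// Reference: https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-07#section-3
+extensions := []pkix.Extension{
+{
+Id: idPeAcmeIdentifierV1,
+Critical: true,
+Value: value,
+},
+}
+
+// Generate a new RSA key for the certificates.
+tempPrivateKey, err := certcrypto.GeneratePrivateKey(certcrypto.RSA2048)
+if err != nil {
+return nil, nil, err
+}
+
+rsaPrivateKey := tempPrivateKey.(*rsa.PrivateKey)
+
+// Generate the PEM certificate using the provided private key, domain, and extra extensions.
+tempCertPEM, err := certcrypto.GeneratePemCert(rsaPrivateKey, domain, extensions)
+if err != nil {
+return nil, nil, err
+}
+
+// Encode the private key into a PEM format. We'll need to use it to generate the x509 keypair.
+rsaPrivatePEM := certcrypto.PEMEncode(rsaPrivateKey)
+
+return tempCertPEM, rsaPrivatePEM, nil
+}
+
+// ChallengeCert returns a certificate with the acmeValidation-v1 extension
+// and domain name for the `tls-alpn-01` challenge.
+func ChallengeCert(domain, keyAuth string) (*tls.Certificate, error) {
+tempCertPEM, rsaPrivatePEM, err := ChallengeBlocks(domain, keyAuth)
+if err != nil {
+return nil, err
+}
+
+cert, err := tls.X509KeyPair(tempCertPEM, rsaPrivatePEM)
+if err != nil {
+return nil, err
+}
+
+return &cert, nil
+}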
96
vendor/github.com/go-acme/lego/v4/challenge/tlsalpn01/tls_alpn_challenge_server.go
generated
vendored
Normal file
@ -0,0 +1,96 @@
|
|||||||
|
package tlsalpn01
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"net"
|
||||||
|
"net/http"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/go-acme/lego/v4/log"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// ACMETLS1Protocol is the ALPN Protocol ID for the ACME-TLS/1 Protocol.
|
||||||
|
ACMETLS1Protocol = "acme-tls/1"
|
||||||
|
|
||||||
|
// defaultTLSPort is the port that the ProviderServer will default to
|
||||||
|
// when no other port is provided.
|
||||||
|
defaultTLSPort = "443"
|
||||||
|
)
|
||||||
|
|
||||||
|
// ProviderServer implements ChallengeProvider for `TLS-ALPN-01` challenge.
|
||||||
|
// It may be instantiated without using the NewProviderServer
|
||||||
|
// if you want only to use the default values.
|
||||||
|
type ProviderServer struct {
|
||||||
|
iface string
|
||||||
|
port string
|
||||||
|
listener net.Listener
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewProviderServer creates a new ProviderServer on the selected interface and port.
|
||||||
|
// Setting iface and / or port to an empty string will make the server fall back to
|
||||||
|
// the "any" interface and port 443 respectively.
|
||||||
|
func NewProviderServer(iface, port string) *ProviderServer {
|
||||||
|
return &ProviderServer{iface: iface, port: port}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *ProviderServer) GetAddress() string {
|
||||||
|
return net.JoinHostPort(s.iface, s.port)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Present generates a certificate with a SHA-256 digest of the keyAuth provided
|
||||||
|
// as the acmeValidation-v1 extension value to conform to the ACME-TLS-ALPN spec.
|
||||||
|
func (s *ProviderServer) Present(domain, token, keyAuth string) error {
|
||||||
|
if s.port == "" {
|
||||||
|
// Fallback to port 443 if the port was not provided.
|
||||||
|
s.port = defaultTLSPort
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate the challenge certificate using the provided keyAuth and domain.
|
||||||
|
cert, err := ChallengeCert(domain, keyAuth)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Place the generated certificate with the extension into the TLS config
|
||||||
|
// so that it can serve the correct details.
|
||||||
|
tlsConf := new(tls.Config)
|
||||||
|
tlsConf.Certificates = []tls.Certificate{*cert}
|
||||||
|
|
||||||
|
// We must set that the `acme-tls/1` application level protocol is supported
|
||||||
|
// so that the protocol negotiation can succeed. Reference:
|
||||||
|
// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-07#section-6.2
|
||||||
|
tlsConf.NextProtos = []string{ACMETLS1Protocol}
|
||||||
|
|
||||||
|
// Create the listener with the created tls.Config.
|
||||||
|
s.listener, err = tls.Listen("tcp", s.GetAddress(), tlsConf)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("could not start HTTPS server for challenge: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Shut the server down when we're finished.
|
||||||
|
go func() {
|
||||||
|
err := http.Serve(s.listener, nil)
|
||||||
|
if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
|
||||||
|
log.Println(err)
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CleanUp closes the HTTPS server.
|
||||||
|
func (s *ProviderServer) CleanUp(domain, token, keyAuth string) error {
|
||||||
|
if s.listener == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Server was created, close it.
|
||||||
|
if err := s.listener.Close(); err != nil && errors.Is(err, http.ErrServerClosed) {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
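--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/lego/client.go
@@ -0,0 +1,74 @@
+package lego
+
+import (
+"errors"
+"net/url"
+
+"github.com/go-acme/lego/v4/acme/api"
+"github.com/go-acme/lego/v4/certificate"
+"github.com/go-acme/lego/v4/challenge/resolver"
+"github.com/go-acme/lego/v4/registration"
+)
+
+// Client is the user-friendly way to ACME.
+type Client struct {
+Certificate *certificate.Certifier
+Challenge *resolver.SolverManager
+Registration *registration.Registrar
+core *api.Core
+}
+
+// NewClient creates a new ACME client on behalf of the user.
+// The client will depend on the ACME directory located at CADirURL for the rest of its actions.
+// A private key of type keyType (see KeyType constants) will be generated when requesting a new certificate if one isn't provided.
+func NewClient(config *Config) (*Client, error) {
+if config == nil {
+return nil, errors.New("a configuration must be provided")
+}
+
+_, err := url.Parse(config.CADirURL)
+if err != nil {
+return nil, err
+}
+
+if config.HTTPClient == nil {
+return nil, errors.New("the HTTP client cannot be nil")
+}
+
+privateKey := config.User.GetPrivateKey()
+if privateKey == nil {
+return nil, errors.New("private key was nil")
+}
+
+var kid string
+if reg := config.User.GetRegistration(); reg != nil {
+kid = reg.URI
+}
+
+core, err := api.New(config.HTTPClient, config.UserAgent, config.CADirURL, kid, privateKey)
+if err != nil {
+return nil, err
+}
+
+solversManager := resolver.NewSolversManager(core)
+
+prober := resolver.NewProber(solversManager)
+certifier := certificate.NewCertifier(core, prober, certificate.CertifierOptions{KeyType: config.Certificate.KeyType, Timeout: config.Certificate.Timeout})
+
+return &Client{
+Certificate: certifier,
+Challenge: solversManager,
+Registration: registration.NewRegistrar(core, config.User),
+core: core,
+}, nil
+}
+
+// GetToSURL returns the current ToS URL from the Directory.
+func (c *Client) GetToSURL() string {
+return c.core.GetDirectory().Meta.TermsOfService
+}
+
+// GetExternalAccountRequired returns the External Account Binding requirement of the Directory.
+func (c *Client) GetExternalAccountRequired() bool {
+return c.core.GetDirectory().Meta.ExternalAccountRequired
+}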
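--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/lego/client_config.go
@@ -0,0 +1,104 @@
+package lego
+
+import (
+"crypto/tls"
+"crypto/x509"
+"fmt"
+"io/ioutil"
+"net"
+"net/http"
+"os"
+"time"
+
+"github.com/go-acme/lego/v4/certcrypto"
+"github.com/go-acme/lego/v4/registration"
+)
+
+const (
+// caCertificatesEnvVar is the environment variable name that can be used to
+// specify the path to PEM encoded CA Certificates that can be used to
+// authenticate an ACME server with a HTTPS certificate not issued by a CA in
+// the system-wide trusted root list.
+caCertificatesEnvVar = "LEGO_CA_CERTIFICATES"
+
+// caServerNameEnvVar is the environment variable name that can be used to
+// specify the CA server name that can be used to
+// authenticate an ACME server with a HTTPS certificate not issued by a CA in
+// the system-wide trusted root list.
+caServerNameEnvVar = "LEGO_CA_SERVER_NAME"
+
+// LEDirectoryProduction URL to the Let's Encrypt production.
+LEDirectoryProduction = "https://acme-v02.api.letsencrypt.org/directory"
+
+// LEDirectoryStaging URL to the Let's Encrypt staging.
+LEDirectoryStaging = "https://acme-staging-v02.api.letsencrypt.org/directory"
+)
+
+type Config struct {
+CADirURL string
+User registration.User
+UserAgent string
+HTTPClient *http.Client
+Certificate CertificateConfig
+}
+
+func NewConfig(user registration.User) *Config {
+return &Config{
+CADirURL: LEDirectoryProduction,
+User: user,
+HTTPClient: createDefaultHTTPClient(),
+Certificate: CertificateConfig{
+KeyType: certcrypto.RSA2048,
+Timeout: 30 * time.Second,
+},
+}
+}
+
+type CertificateConfig struct {
+KeyType certcrypto.KeyType
+Timeout time.Duration
+}
+
+// createDefaultHTTPClient Creates an HTTP client with a reasonable timeout value
+// and potentially a custom *x509.CertPool
+// based on the caCertificatesEnvVar environment variable (see the `initCertPool` function).
+func createDefaultHTTPClient() *http.Client {
+return &http.Client{
+Transport: &http.Transport{
+Proxy: http.ProxyFromEnvironment,
+DialContext: (&net.Dialer{
+Timeout: 30 * time.Second,
+KeepAlive: 30 * time.Second,
+}).DialContext,
+TLSHandshakeTimeout: 15 * time.Second,
+ResponseHeaderTimeout: 15 * time.Second,
+ExpectContinueTimeout: 1 * time.Second,
+TLSClientConfig: &tls.Config{
+ServerName: os.Getenv(caServerNameEnvVar),
+RootCAs: initCertPool(),
+},
+},
+}
+}
+
+// initCertPool creates a *x509.CertPool populated with the PEM certificates
+// found in the filepath specified in the caCertificatesEnvVar OS environment
+// variable. If the caCertificatesEnvVar is not set then initCertPool will
+// return nil. If there is an error creating a *x509.CertPool from the provided
+// caCertificatesEnvVar value then initCertPool will panic.
+func initCertPool() *x509.CertPool {
+if customCACertsPath := os.Getenv(caCertificatesEnvVar); customCACertsPath != "" {
+customCAs, err := ioutil.ReadFile(customCACertsPath)
+if err != nil {
+panic(fmt.Sprintf("error reading %s=%q: %v",
+caCertificatesEnvVar, customCACertsPath, err))
+}
+certPool := x509.NewCertPool()
+if ok := certPool.AppendCertsFromPEM(customCAs); !ok {
+panic(fmt.Sprintf("error creating x509 cert pool from %s=%q: %v",
+caCertificatesEnvVar, customCACertsPath, err))
+}
+return certPool
+}
+return nil
+}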
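--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/log/logger.go
@@ -0,0 +1,59 @@
+package log
+
+import (
+"log"
+"os"
+)
+
+// Logger is an optional custom logger.
+var Logger StdLogger = log.New(os.Stdout, "", log.LstdFlags)
+
+// StdLogger interface for Standard Logger.
+type StdLogger interface {
+Fatal(args ...interface{})
+Fatalln(args ...interface{})
+Fatalf(format string, args ...interface{})
+Print(args ...interface{})
+Println(args ...interface{})
+Printf(format string, args ...interface{})
+}
+
+// Fatal writes a log entry.
+// It uses Logger if not nil, otherwise it uses the default log.Logger.
+func Fatal(args ...interface{}) {
+Logger.Fatal(args...)
+}
+
+// Fatalf writes a log entry.
+// It uses Logger if not nil, otherwise it uses the default log.Logger.
+func Fatalf(format string, args ...interface{}) {
+Logger.Fatalf(format, args...)
+}
+
+// Print writes a log entry.
+// It uses Logger if not nil, otherwise it uses the default log.Logger.
+func Print(args ...interface{}) {
+Logger.Print(args...)
+}
+
+// Println writes a log entry.
+// It uses Logger if not nil, otherwise it uses the default log.Logger.
+func Println(args ...interface{}) {
+Logger.Println(args...)
+}
+
+// Printf writes a log entry.
+// It uses Logger if not nil, otherwise it uses the default log.Logger.
+func Printf(format string, args ...interface{}) {
+Logger.Printf(format, args...)
+}
+
+// Warnf writes a log entry.
+func Warnf(format string, args ...interface{}) {
+Printf("[WARN] "+format, args...)
+}
+
+// Infof writes a log entry.
+func Infof(format string, args ...interface{}) {
+Printf("[INFO] "+format, args...)
+}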
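--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/platform/config/env/env.go
@@ -0,0 +1,163 @@
+package env
+
+import (
+"errors"
+"fmt"
+"io/ioutil"
+"os"
+"strconv"
+"strings"
+"time"
+
+"github.com/go-acme/lego/v4/log"
+)
+
+// Get environment variables.
+func Get(names ...string) (map[string]string, error) {
+values := map[string]string{}
+
+var missingEnvVars []string
+for _, envVar := range names {
+value := GetOrFile(envVar)
+if value == "" {
+missingEnvVars = append(missingEnvVars, envVar)
+}
+values[envVar] = value
+}
+
+if len(missingEnvVars) > 0 {
+return nil, fmt.Errorf("some credentials information are missing: %s", strings.Join(missingEnvVars, ","))
+}
+
+return values, nil
+}
+
+// GetWithFallback Get environment variable values
+// The first name in each group is use as key in the result map
+//
+// // LEGO_ONE="ONE"
+// // LEGO_TWO="TWO"
+// env.GetWithFallback([]string{"LEGO_ONE", "LEGO_TWO"})
+// // => "LEGO_ONE" = "ONE"
+//
+// ----
+//
+// // LEGO_ONE=""
+// // LEGO_TWO="TWO"
+// env.GetWithFallback([]string{"LEGO_ONE", "LEGO_TWO"})
+// // => "LEGO_ONE" = "TWO"
+//
+// ----
+//
+// // LEGO_ONE=""
+// // LEGO_TWO=""
+// env.GetWithFallback([]string{"LEGO_ONE", "LEGO_TWO"})
+// // => error
+//
+func GetWithFallback(groups ...[]string) (map[string]string, error) {
+values := map[string]string{}
+
+var missingEnvVars []string
+for _, names := range groups {
+if len(names) == 0 {
+return nil, errors.New("undefined environment variable names")
+}
+
+value, envVar := getOneWithFallback(names[0], names[1:]...)
+if len(value) == 0 {
+missingEnvVars = append(missingEnvVars, envVar)
+continue
+}
+values[envVar] = value
+}
+
+if len(missingEnvVars) > 0 {
+return nil, fmt.Errorf("some credentials information are missing: %s", strings.Join(missingEnvVars, ","))
+}
+
+return values, nil
+}
+
+func getOneWithFallback(main string, names ...string) (string, string) {
+value := GetOrFile(main)
+if len(value) > 0 {
+return value, main
+}
+
+for _, name := range names {
+value := GetOrFile(name)
+if len(value) > 0 {
+return value, main
+}
+}
+
+return "", main
+}
+
+// GetOrDefaultInt returns the given environment variable value as an integer.
+// Returns the default if the envvar cannot be coopered to an int, or is not found.
+func GetOrDefaultInt(envVar string, defaultValue int) int {
+v, err := strconv.Atoi(GetOrFile(envVar))
+if err != nil {
+return defaultValue
+}
+
+return v
+}
+
+// GetOrDefaultSecond returns the given environment variable value as an time.Duration (second).
+// Returns the default if the envvar cannot be coopered to an int, or is not found.
+func GetOrDefaultSecond(envVar string, defaultValue time.Duration) time.Duration {
+v := GetOrDefaultInt(envVar, -1)
+if v < 0 {
+return defaultValue
+}
+
+return time.Duration(v) * time.Second
+}
+
+// GetOrDefaultString returns the given environment variable value as a string.
+// Returns the default if the envvar cannot be find.
+func GetOrDefaultString(envVar, defaultValue string) string {
+v := GetOrFile(envVar)
+if len(v) == 0 {
+return defaultValue
+}
+
+return v
+}
+
+// GetOrDefaultBool returns the given environment variable value as a boolean.
+// Returns the default if the envvar cannot be coopered to a boolean, or is not found.
+func GetOrDefaultBool(envVar string, defaultValue bool) bool {
+v, err := strconv.ParseBool(GetOrFile(envVar))
+if err != nil {
+return defaultValue
+}
+
+return v
+}
+
+// GetOrFile Attempts to resolve 'key' as an environment variable.
+// Failing that, it will check to see if '<key>_FILE' exists.
+// If so, it will attempt to read from the referenced file to populate a value.
+func GetOrFile(envVar string) string {
+envVarValue := os.Getenv(envVar)
+if envVarValue != "" {
+return envVarValue
+}
+
+fileVar := envVar + "_FILE"
+fileVarValue := os.Getenv(fileVar)
+if fileVarValue == "" {
+return envVarValue
+}
+
+fileContents, err := ioutil.ReadFile(fileVarValue)
+if err != nil {
+log.Printf("Failed to read the file %s (defined by env var %s): %s", fileVarValue, fileVar, err)
+return ""
+}
+
+return strings.TrimSuffix(string(fileContents), "\n")
+}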
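--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/platform/wait/wait.go
@@ -0,0 +1,33 @@
+package wait
+
+import (
+"fmt"
+"time"
+
+"github.com/go-acme/lego/v4/log"
+)
+
+// For polls the given function 'f', once every 'interval', up to 'timeout'.
+func For(msg string, timeout, interval time.Duration, f func() (bool, error)) error {
+log.Infof("Wait for %s [timeout: %s, interval: %s]", msg, timeout, interval)
+
+var lastErr error
+timeUp := time.After(timeout)
+for {
+select {
+case <-timeUp:
+return fmt.Errorf("time limit exceeded: last error: %w", lastErr)
+default:
+}
+
+stop, err := f()
+if stop {
+return nil
+}
+if err != nil {
+lastErr = err
+}
+
+time.Sleep(interval)
+}
+}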
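--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/providers/dns/ovh/ovh.go
@@ -0,0 +1,214 @@
+// Package ovh implements a DNS provider for solving the DNS-01 challenge using OVH DNS.
+package ovh
+
+import (
+"errors"
+"fmt"
+"net/http"
+"strings"
+"sync"
+"time"
+
+"github.com/go-acme/lego/v4/challenge/dns01"
+"github.com/go-acme/lego/v4/platform/config/env"
+"github.com/ovh/go-ovh/ovh"
+)
+
+// OVH API reference: https://eu.api.ovh.com/
+// Create a Token: https://eu.api.ovh.com/createToken/
+
+// Environment variables names.
+const (
+envNamespace = "OVH_"
+
+EnvEndpoint = envNamespace + "ENDPOINT"
+EnvApplicationKey = envNamespace + "APPLICATION_KEY"
+EnvApplicationSecret = envNamespace + "APPLICATION_SECRET"
+EnvConsumerKey = envNamespace + "CONSUMER_KEY"
+
+EnvTTL = envNamespace + "TTL"
+EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
+EnvHTTPTimeout = envNamespace + "HTTP_TIMEOUT"
+)
+
+// Record a DNS record.
+type Record struct {
+ID int64 `json:"id,omitempty"`
+FieldType string `json:"fieldType,omitempty"`
+SubDomain string `json:"subDomain,omitempty"`
+Target string `json:"target,omitempty"`
+TTL int `json:"ttl,omitempty"`
+Zone string `json:"zone,omitempty"`
+}
+
+// Config is used to configure the creation of the DNSProvider.
+type Config struct {
+APIEndpoint string
+ApplicationKey string
+ApplicationSecret string
+ConsumerKey string
+PropagationTimeout time.Duration
+PollingInterval time.Duration
+TTL int
+HTTPClient *http.Client
+}
+
+// NewDefaultConfig returns a default configuration for the DNSProvider.
+func NewDefaultConfig() *Config {
+return &Config{
+TTL: env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
+PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, dns01.DefaultPropagationTimeout),
+PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+HTTPClient: &http.Client{
+Timeout: env.GetOrDefaultSecond(EnvHTTPTimeout, ovh.DefaultTimeout),
+},
+}
+}
+
+// DNSProvider implements the challenge.Provider interface.
+type DNSProvider struct {
+config *Config
+client *ovh.Client
+recordIDs map[string]int64
+recordIDsMu sync.Mutex
+}
+
+// NewDNSProvider returns a DNSProvider instance configured for OVH
+// Credentials must be passed in the environment variables:
+// OVH_ENDPOINT (must be either "ovh-eu" or "ovh-ca"), OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY.
+func NewDNSProvider() (*DNSProvider, error) {
+values, err := env.Get(EnvEndpoint, EnvApplicationKey, EnvApplicationSecret, EnvConsumerKey)
+if err != nil {
+return nil, fmt.Errorf("ovh: %w", err)
+}
+
+config := NewDefaultConfig()
+config.APIEndpoint = values[EnvEndpoint]
+config.ApplicationKey = values[EnvApplicationKey]
+config.ApplicationSecret = values[EnvApplicationSecret]
+config.ConsumerKey = values[EnvConsumerKey]
+
+return NewDNSProviderConfig(config)
+}
+
+// NewDNSProviderConfig return a DNSProvider instance configured for OVH.
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+if config == nil {
+return nil, errors.New("ovh: the configuration of the DNS provider is nil")
+}
+
+if config.APIEndpoint == "" || config.ApplicationKey == "" || config.ApplicationSecret == "" || config.ConsumerKey == "" {
+return nil, errors.New("ovh: credentials missing")
+}
+
+client, err := ovh.NewClient(
+config.APIEndpoint,
+config.ApplicationKey,
+config.ApplicationSecret,
+config.ConsumerKey,
+)
+if err != nil {
+return nil, fmt.Errorf("ovh: %w", err)
+}
+
+client.Client = config.HTTPClient
+
+return &DNSProvider{
+config: config,
+client: client,
+recordIDs: make(map[string]int64),
+}, nil
+}
+
+// Present creates a TXT record to fulfill the dns-01 challenge.
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+fqdn, value := dns01.GetRecord(domain, keyAuth)
+
+// Parse domain name
+authZone, err := dns01.FindZoneByFqdn(dns01.ToFqdn(domain))
+if err != nil {
+return fmt.Errorf("ovh: could not determine zone for domain %q: %w", domain, err)
+}
+
+authZone = dns01.UnFqdn(authZone)
+subDomain := extractRecordName(fqdn, authZone)
+
+reqURL := fmt.Sprintf("/domain/zone/%s/record", authZone)
+reqData := Record{FieldType: "TXT", SubDomain: subDomain, Target: value, TTL: d.config.TTL}
+
+// Create TXT record
+var respData Record
+err = d.client.Post(reqURL, reqData, &respData)
+if err != nil {
+return fmt.Errorf("ovh: error when call api to add record (%s): %w", reqURL, err)
+}
+
+// Apply the change
+reqURL = fmt.Sprintf("/domain/zone/%s/refresh", authZone)
+err = d.client.Post(reqURL, nil, nil)
+if err != nil {
+return fmt.Errorf("ovh: error when call api to refresh zone (%s): %w", reqURL, err)
+}
+
+d.recordIDsMu.Lock()
+d.recordIDs[token] = respData.ID
+d.recordIDsMu.Unlock()
+
+return nil
+}
+
+// CleanUp removes the TXT record matching the specified parameters.
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+fqdn, _ := dns01.GetRecord(domain, keyAuth)
+
+// get the record's unique ID from when we created it
+d.recordIDsMu.Lock()
+recordID, ok := d.recordIDs[token]
+d.recordIDsMu.Unlock()
+if !ok {
+return fmt.Errorf("ovh: unknown record ID for '%s'", fqdn)
+}
+
+authZone, err := dns01.FindZoneByFqdn(dns01.ToFqdn(domain))
+if err != nil {
+return fmt.Errorf("ovh: could not determine zone for domain %q: %w", domain, err)
+}
+
+authZone = dns01.UnFqdn(authZone)
+
+reqURL := fmt.Sprintf("/domain/zone/%s/record/%d", authZone, recordID)
+
+err = d.client.Delete(reqURL, nil)
+if err != nil {
+return fmt.Errorf("ovh: error when call OVH api to delete challenge record (%s): %w", reqURL, err)
+}
+
+// Apply the change
+reqURL = fmt.Sprintf("/domain/zone/%s/refresh", authZone)
+err = d.client.Post(reqURL, nil, nil)
+if err != nil {
+return fmt.Errorf("ovh: error when call api to refresh zone (%s): %w", reqURL, err)
+}
+
+// Delete record ID from map
+d.recordIDsMu.Lock()
+delete(d.recordIDs, token)
+d.recordIDsMu.Unlock()
+
+return nil
+}
+
+// Timeout returns the timeout and interval to use when checking for DNS propagation.
+// Adjusting here to cope with spikes in propagation times.
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+func extractRecordName(fqdn, zone string) string {
+name := dns01.UnFqdn(fqdn)
+if idx := strings.Index(name, "."+zone); idx != -1 {
+return name[:idx]
+}
+return name
+}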
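--- /dev/null
+++ b/vendor/github.com/go-acme/lego/v4/providers/dns/ovh/ovh.toml
@@ -0,0 +1,52 @@
+Name = "OVH"
+Description = ''''''
+URL = "https://www.ovh.com/"
+Code = "ovh"
+Since = "v0.4.0"
+
+Example = '''
+OVH_APPLICATION_KEY=1234567898765432 \
+OVH_APPLICATION_SECRET=b9841238feb177a84330febba8a832089 \
+OVH_CONSUMER_KEY=256vfsd347245sdfg \
+OVH_ENDPOINT=ovh-eu \
+lego --dns autodns --domains my.domain.com --email my@email.com run
+'''
+
+Additional = '''
+## Application Key and Secret
+
+Application key and secret can be created by following the [OVH guide](https://docs.ovh.com/gb/en/customer/first-steps-with-ovh-api/).
+
+When requesting the consumer key, the following configuration can be use to define access rights:
+
+```json
+{
+"accessRules": [
+{
+"method": "POST",
+"path": "/domain/zone/*"
+},
+{
+"method": "DELETE",
+"path": "/domain/zone/*"
+}
+]
+}
+```
+'''
+
+[Configuration]
+[Configuration.Credentials]
+OVH_ENDPOINT = "Endpoint URL (ovh-eu or ovh-ca)"
+OVH_APPLICATION_KEY = "Application key"
+OVH_APPLICATION_SECRET = "Application secret"
+OVH_CONSUMER_KEY = "Consumer key"
+[Configuration.Additional]
+OVH_POLLING_INTERVAL = "Time between DNS propagation check"
+OVH_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+OVH_TTL = "The TTL of the TXT record used for the DNS challenge"
+OVH_HTTP_TIMEOUT = "API request timeout"
+
+[Links]
+API = "https://eu.api.ovh.com/"
+GoClient = "https://github.com/ovh/go-ovh"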
167
vendor/github.com/go-acme/lego/v4/registration/registar.go
generated
vendored
Normal file
@ -0,0 +1,167 @@
|
|||||||
|
package registration
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"net/http"
|
||||||
|
|
||||||
|
"github.com/go-acme/lego/v4/acme"
|
||||||
|
"github.com/go-acme/lego/v4/acme/api"
|
||||||
|
"github.com/go-acme/lego/v4/log"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Resource represents all important information about a registration
|
||||||
|
// of which the client needs to keep track itself.
|
||||||
|
// WARNING: will be remove in the future (acme.ExtendedAccount), https://github.com/go-acme/lego/issues/855.
|
||||||
|
type Resource struct {
|
||||||
|
Body acme.Account `json:"body,omitempty"`
|
||||||
|
URI string `json:"uri,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type RegisterOptions struct {
|
||||||
|
TermsOfServiceAgreed bool
|
||||||
|
}
|
||||||
|
|
||||||
|
type RegisterEABOptions struct {
|
||||||
|
TermsOfServiceAgreed bool
|
||||||
|
Kid string
|
||||||
|
HmacEncoded string
|
||||||
|
}
|
||||||
|
|
||||||
|
type Registrar struct {
|
||||||
|
core *api.Core
|
||||||
|
user User
|
||||||
|
}
|
||||||
|
|
||||||
|
func NewRegistrar(core *api.Core, user User) *Registrar {
|
||||||
|
return &Registrar{
|
||||||
|
core: core,
|
||||||
|
user: user,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Register the current account to the ACME server.
|
||||||
|
func (r *Registrar) Register(options RegisterOptions) (*Resource, error) {
|
||||||
|
if r == nil || r.user == nil {
|
||||||
|
return nil, errors.New("acme: cannot register a nil client or user")
|
||||||
|
}
|
||||||
|
|
||||||
|
accMsg := acme.Account{
|
||||||
|
TermsOfServiceAgreed: options.TermsOfServiceAgreed,
|
||||||
|
Contact: []string{},
|
||||||
|
}
|
||||||
|
|
||||||
|
if r.user.GetEmail() != "" {
|
||||||
|
log.Infof("acme: Registering account for %s", r.user.GetEmail())
|
||||||
|
accMsg.Contact = []string{"mailto:" + r.user.GetEmail()}
|
||||||
|
}
|
||||||
|
|
||||||
|
account, err := r.core.Accounts.New(accMsg)
|
||||||
|
if err != nil {
|
||||||
|
// FIXME seems impossible
|
||||||
|
var errorDetails acme.ProblemDetails
|
||||||
|
if !errors.As(err, &errorDetails) || errorDetails.HTTPStatus != http.StatusConflict {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return &Resource{URI: account.Location, Body: account.Account}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// RegisterWithExternalAccountBinding Register the current account to the ACME server.
|
||||||
|
func (r *Registrar) RegisterWithExternalAccountBinding(options RegisterEABOptions) (*Resource, error) {
|
||||||
|
accMsg := acme.Account{
|
||||||
|
TermsOfServiceAgreed: options.TermsOfServiceAgreed,
|
||||||
|
Contact: []string{},
|
||||||
|
}
|
||||||
|
|
||||||
|
if r.user.GetEmail() != "" {
|
||||||
|
log.Infof("acme: Registering account for %s", r.user.GetEmail())
|
||||||
|
accMsg.Contact = []string{"mailto:" + r.user.GetEmail()}
|
||||||
|
}
|
||||||
|
|
||||||
|
account, err := r.core.Accounts.NewEAB(accMsg, options.Kid, options.HmacEncoded)
|
||||||
|
if err != nil {
|
||||||
|
// FIXME seems impossible
|
||||||
|
var errorDetails acme.ProblemDetails
|
||||||
|
if !errors.As(err, &errorDetails) || errorDetails.HTTPStatus != http.StatusConflict {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return &Resource{URI: account.Location, Body: account.Account}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// QueryRegistration runs a POST request on the client's registration and returns the result.
|
||||||
|
//
|
||||||
|
// This is similar to the Register function,
|
||||||
|
// but acting on an existing registration link and resource.
|
||||||
|
func (r *Registrar) QueryRegistration() (*Resource, error) {
|
||||||
|
if r == nil || r.user == nil || r.user.GetRegistration() == nil {
|
||||||
|
return nil, errors.New("acme: cannot query the registration of a nil client or user")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Log the URL here instead of the email as the email may not be set
|
||||||
|
log.Infof("acme: Querying account for %s", r.user.GetRegistration().URI)
|
||||||
|
|
||||||
|
account, err := r.core.Accounts.Get(r.user.GetRegistration().URI)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &Resource{
|
||||||
|
Body: account,
|
||||||
|
// Location: header is not returned so this needs to be populated off of existing URI
|
||||||
|
URI: r.user.GetRegistration().URI,
|
||||||
|
}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// UpdateRegistration update the user registration on the ACME server.
|
||||||
|
func (r *Registrar) UpdateRegistration(options RegisterOptions) (*Resource, error) {
|
||||||
|
if r == nil || r.user == nil {
|
||||||
|
return nil, errors.New("acme: cannot update a nil client or user")
|
||||||
|
}
|
||||||
|
|
||||||
|
accMsg := acme.Account{
|
||||||
|
TermsOfServiceAgreed: options.TermsOfServiceAgreed,
|
||||||
|
Contact: []string{},
|
||||||
|
}
|
||||||
|
|
||||||
|
if r.user.GetEmail() != "" {
|
||||||
|
log.Infof("acme: Registering account for %s", r.user.GetEmail())
|
||||||
|
accMsg.Contact = []string{"mailto:" + r.user.GetEmail()}
|
||||||
|
}
|
||||||
|
|
||||||
|
accountURL := r.user.GetRegistration().URI
|
||||||
|
|
||||||
|
account, err := r.core.Accounts.Update(accountURL, accMsg)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &Resource{URI: accountURL, Body: account}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteRegistration deletes the client's user registration from the ACME server.
|
||||||
|
func (r *Registrar) DeleteRegistration() error {
|
||||||
|
if r == nil || r.user == nil {
|
||||||
|
return errors.New("acme: cannot unregister a nil client or user")
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Infof("acme: Deleting account for %s", r.user.GetEmail())
|
||||||
|
|
||||||
|
return r.core.Accounts.Deactivate(r.user.GetRegistration().URI)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ResolveAccountByKey will attempt to look up an account using the given account key
|
||||||
|
// and return its registration resource.
|
||||||
|
func (r *Registrar) ResolveAccountByKey() (*Resource, error) {
|
||||||
|
log.Infof("acme: Trying to resolve account by key")
|
||||||
|
|
||||||
|
accMsg := acme.Account{OnlyReturnExisting: true}
|
||||||
|
account, err := r.core.Accounts.New(accMsg)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return &Resource{URI: account.Location, Body: account.Account}, nil
|
||||||
|
}
|
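--- a/vendor/github.com/go-acme/lego/v4/registration/user.go
+++ b/vendor/github.com/go-acme/lego/v4/registration/user.go
@@ -0,0 +1,13 @@
+package registration
+
+import (
+	"crypto"
+)
+
+// User interface is to be implemented by users of this library.
+// It is used by the client type to get user specific information.
+type User interface {
+	GetEmail() string
+	GetRegistration() *Resource
+	GetPrivateKey() crypto.PrivateKey
+}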
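--- a/vendor/github.com/golang/snappy/.gitignore
+++ b/vendor/github.com/golang/snappy/.gitignore
@@ -0,0 +1,16 @@
+cmd/snappytool/snappytool
+testdata/bench
+
+# These explicitly listed benchmark data files are for an obsolete version of
+# snappy_test.go.
+testdata/alice29.txt
+testdata/asyoulik.txt
+testdata/fireworks.jpeg
+testdata/geo.protodata
+testdata/html
+testdata/html_x_4
+testdata/kppkn.gtb
+testdata/lcet10.txt
+testdata/paper-100k.pdf
+testdata/plrabn12.txt
+testdata/urls.10K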
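--- a/vendor/github.com/golang/snappy/AUTHORS
+++ b/vendor/github.com/golang/snappy/AUTHORS
@@ -0,0 +1,15 @@
+# This is the official list of Snappy-Go authors for copyright purposes.
+# This file is distinct from the CONTRIBUTORS files.
+# See the latter for an explanation.
+
+# Names should be added to this file as
+#	Name or Organization <email address>
+# The email address is not required for organizations.
+
+# Please keep the list sorted.
+
+Damian Gryski <dgryski@gmail.com>
+Google Inc.
+Jan Mercl <0xjnml@gmail.com>
+Rodolfo Carvalho <rhcarvalho@gmail.com>
+Sebastien Binet <seb.binet@gmail.com>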
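--- a/vendor/github.com/golang/snappy/CONTRIBUTORS
+++ b/vendor/github.com/golang/snappy/CONTRIBUTORS
@@ -0,0 +1,37 @@
+# This is the official list of people who can contribute
+# (and typically have contributed) code to the Snappy-Go repository.
+# The AUTHORS file lists the copyright holders; this file
+# lists people.  For example, Google employees are listed here
+# but not in AUTHORS, because Google holds the copyright.
+#
+# The submission process automatically checks to make sure
+# that people submitting code are listed in this file (by email address).
+#
+# Names should be added to this file only after verifying that
+# the individual or the individual's organization has agreed to
+# the appropriate Contributor License Agreement, found here:
+#
+#     http://code.google.com/legal/individual-cla-v1.0.html
+#     http://code.google.com/legal/corporate-cla-v1.0.html
+#
+# The agreement for individuals can be filled out on the web.
+#
+# When adding J Random Contributor's name to this file,
+# either J's name or J's organization's name should be
+# added to the AUTHORS file, depending on whether the
+# individual or corporate CLA was used.
+
+# Names should be added to this file like so:
+#     Name <email address>
+
+# Please keep the list sorted.
+
+Damian Gryski <dgryski@gmail.com>
+Jan Mercl <0xjnml@gmail.com>
+Kai Backman <kaib@golang.org>
+Marc-Antoine Ruel <maruel@chromium.org>
+Nigel Tao <nigeltao@golang.org>
+Rob Pike <r@golang.org>
+Rodolfo Carvalho <rhcarvalho@gmail.com>
+Russ Cox <rsc@golang.org>
+Sebastien Binet <seb.binet@gmail.com>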
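--- a/vendor/github.com/golang/snappy/LICENSE
+++ b/vendor/github.com/golang/snappy/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2011 The Snappy-Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.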
107
vendor/github.com/golang/snappy/README
generated
vendored
Normal file
107
vendor/github.com/golang/snappy/README
generated
vendored
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
The Snappy compression format in the Go programming language.
|
||||||
|
|
||||||
|
To download and install from source:
|
||||||
|
$ go get github.com/golang/snappy
|
||||||
|
|
||||||
|
Unless otherwise noted, the Snappy-Go source files are distributed
|
||||||
|
under the BSD-style license found in the LICENSE file.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Benchmarks.
|
||||||
|
|
||||||
|
The golang/snappy benchmarks include compressing (Z) and decompressing (U) ten
|
||||||
|
or so files, the same set used by the C++ Snappy code (github.com/google/snappy
|
||||||
|
and note the "google", not "golang"). On an "Intel(R) Core(TM) i7-3770 CPU @
|
||||||
|
3.40GHz", Go's GOARCH=amd64 numbers as of 2016-05-29:
|
||||||
|
|
||||||
|
"go test -test.bench=."
|
||||||
|
|
||||||
|
_UFlat0-8 2.19GB/s ± 0% html
|
||||||
|
_UFlat1-8 1.41GB/s ± 0% urls
|
||||||
|
_UFlat2-8 23.5GB/s ± 2% jpg
|
||||||
|
_UFlat3-8 1.91GB/s ± 0% jpg_200
|
||||||
|
_UFlat4-8 14.0GB/s ± 1% pdf
|
||||||
|
_UFlat5-8 1.97GB/s ± 0% html4
|
||||||
|
_UFlat6-8 814MB/s ± 0% txt1
|
||||||
|
_UFlat7-8 785MB/s ± 0% txt2
|
||||||
|
_UFlat8-8 857MB/s ± 0% txt3
|
||||||
|
_UFlat9-8 719MB/s ± 1% txt4
|
||||||
|
_UFlat10-8 2.84GB/s ± 0% pb
|
||||||
|
_UFlat11-8 1.05GB/s ± 0% gaviota
|
||||||
|
|
||||||
|
_ZFlat0-8 1.04GB/s ± 0% html
|
||||||
|
_ZFlat1-8 534MB/s ± 0% urls
|
||||||
|
_ZFlat2-8 15.7GB/s ± 1% jpg
|
||||||
|
_ZFlat3-8 740MB/s ± 3% jpg_200
|
||||||
|
_ZFlat4-8 9.20GB/s ± 1% pdf
|
||||||
|
_ZFlat5-8 991MB/s ± 0% html4
|
||||||
|
_ZFlat6-8 379MB/s ± 0% txt1
|
||||||
|
_ZFlat7-8 352MB/s ± 0% txt2
|
||||||
|
_ZFlat8-8 396MB/s ± 1% txt3
|
||||||
|
_ZFlat9-8 327MB/s ± 1% txt4
|
||||||
|
_ZFlat10-8 1.33GB/s ± 1% pb
|
||||||
|
_ZFlat11-8 605MB/s ± 1% gaviota
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
"go test -test.bench=. -tags=noasm"
|
||||||
|
|
||||||
|
_UFlat0-8 621MB/s ± 2% html
|
||||||
|
_UFlat1-8 494MB/s ± 1% urls
|
||||||
|
_UFlat2-8 23.2GB/s ± 1% jpg
|
||||||
|
_UFlat3-8 1.12GB/s ± 1% jpg_200
|
||||||
|
_UFlat4-8 4.35GB/s ± 1% pdf
|
||||||
|
_UFlat5-8 609MB/s ± 0% html4
|
||||||
|
_UFlat6-8 296MB/s ± 0% txt1
|
||||||
|
_UFlat7-8 288MB/s ± 0% txt2
|
||||||
|
_UFlat8-8 309MB/s ± 1% txt3
|
||||||
|
_UFlat9-8 280MB/s ± 1% txt4
|
||||||
|
_UFlat10-8 753MB/s ± 0% pb
|
||||||
|
_UFlat11-8 400MB/s ± 0% gaviota
|
||||||
|
|
||||||
|
_ZFlat0-8 409MB/s ± 1% html
|
||||||
|
_ZFlat1-8 250MB/s ± 1% urls
|
||||||
|
_ZFlat2-8 12.3GB/s ± 1% jpg
|
||||||
|
_ZFlat3-8 132MB/s ± 0% jpg_200
|
||||||
|
_ZFlat4-8 2.92GB/s ± 0% pdf
|
||||||
|
_ZFlat5-8 405MB/s ± 1% html4
|
||||||
|
_ZFlat6-8 179MB/s ± 1% txt1
|
||||||
|
_ZFlat7-8 170MB/s ± 1% txt2
|
||||||
|
_ZFlat8-8 189MB/s ± 1% txt3
|
||||||
|
_ZFlat9-8 164MB/s ± 1% txt4
|
||||||
|
_ZFlat10-8 479MB/s ± 1% pb
|
||||||
|
_ZFlat11-8 270MB/s ± 1% gaviota
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
For comparison (Go's encoded output is byte-for-byte identical to C++'s), here
|
||||||
|
are the numbers from C++ Snappy's
|
||||||
|
|
||||||
|
make CXXFLAGS="-O2 -DNDEBUG -g" clean snappy_unittest.log && cat snappy_unittest.log
|
||||||
|
|
||||||
|
BM_UFlat/0 2.4GB/s html
|
||||||
|
BM_UFlat/1 1.4GB/s urls
|
||||||
|
BM_UFlat/2 21.8GB/s jpg
|
||||||
|
BM_UFlat/3 1.5GB/s jpg_200
|
||||||
|
BM_UFlat/4 13.3GB/s pdf
|
||||||
|
BM_UFlat/5 2.1GB/s html4
|
||||||
|
BM_UFlat/6 1.0GB/s txt1
|
||||||
|
BM_UFlat/7 959.4MB/s txt2
|
||||||
|
BM_UFlat/8 1.0GB/s txt3
|
||||||
|
BM_UFlat/9 864.5MB/s txt4
|
||||||
|
BM_UFlat/10 2.9GB/s pb
|
||||||
|
BM_UFlat/11 1.2GB/s gaviota
|
||||||
|
|
||||||
|
BM_ZFlat/0 944.3MB/s html (22.31 %)
|
||||||
|
BM_ZFlat/1 501.6MB/s urls (47.78 %)
|
||||||
|
BM_ZFlat/2 14.3GB/s jpg (99.95 %)
|
||||||
|
BM_ZFlat/3 538.3MB/s jpg_200 (73.00 %)
|
||||||
|
BM_ZFlat/4 8.3GB/s pdf (83.30 %)
|
||||||
|
BM_ZFlat/5 903.5MB/s html4 (22.52 %)
|
||||||
|
BM_ZFlat/6 336.0MB/s txt1 (57.88 %)
|
||||||
|
BM_ZFlat/7 312.3MB/s txt2 (61.91 %)
|
||||||
|
BM_ZFlat/8 353.1MB/s txt3 (54.99 %)
|
||||||
|
BM_ZFlat/9 289.9MB/s txt4 (66.26 %)
|
||||||
|
BM_ZFlat/10 1.2GB/s pb (19.68 %)
|
||||||
|
BM_ZFlat/11 527.4MB/s gaviota (37.72 %)
|
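--- a/vendor/github.com/golang/snappy/decode.go
+++ b/vendor/github.com/golang/snappy/decode.go
@@ -0,0 +1,237 @@
+// Copyright 2011 The Snappy-Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package snappy
+
+import (
+	"encoding/binary"
+	"errors"
+	"io"
+)
+
+var (
+	// ErrCorrupt reports that the input is invalid.
+	ErrCorrupt = errors.New("snappy: corrupt input")
+	// ErrTooLarge reports that the uncompressed length is too large.
+	ErrTooLarge = errors.New("snappy: decoded block is too large")
+	// ErrUnsupported reports that the input isn't supported.
+	ErrUnsupported = errors.New("snappy: unsupported input")
+
+	errUnsupportedLiteralLength = errors.New("snappy: unsupported literal length")
+)
+
+// DecodedLen returns the length of the decoded block.
+func DecodedLen(src []byte) (int, error) {
+	v, _, err := decodedLen(src)
+	return v, err
+}
+
+// decodedLen returns the length of the decoded block and the number of bytes
+// that the length header occupied.
+func decodedLen(src []byte) (blockLen, headerLen int, err error) {
+	v, n := binary.Uvarint(src)
+	if n <= 0 || v > 0xffffffff {
+		return 0, 0, ErrCorrupt
+	}
+
+	const wordSize = 32 << (^uint(0) >> 32 & 1)
+	if wordSize == 32 && v > 0x7fffffff {
+		return 0, 0, ErrTooLarge
+	}
+	return int(v), n, nil
+}
+
+const (
+	decodeErrCodeCorrupt                  = 1
+	decodeErrCodeUnsupportedLiteralLength = 2
+)
+
+// Decode returns the decoded form of src. The returned slice may be a sub-
+// slice of dst if dst was large enough to hold the entire decoded block.
+// Otherwise, a newly allocated slice will be returned.
+//
+// The dst and src must not overlap. It is valid to pass a nil dst.
+func Decode(dst, src []byte) ([]byte, error) {
+	dLen, s, err := decodedLen(src)
+	if err != nil {
+		return nil, err
+	}
+	if dLen <= len(dst) {
+		dst = dst[:dLen]
+	} else {
+		dst = make([]byte, dLen)
+	}
+	switch decode(dst, src[s:]) {
+	case 0:
+		return dst, nil
+	case decodeErrCodeUnsupportedLiteralLength:
+		return nil, errUnsupportedLiteralLength
+	}
+	return nil, ErrCorrupt
+}
+
+// NewReader returns a new Reader that decompresses from r, using the framing
+// format described at
+// https://github.com/google/snappy/blob/master/framing_format.txt
+func NewReader(r io.Reader) *Reader {
+	return &Reader{
+		r:       r,
+		decoded: make([]byte, maxBlockSize),
+		buf:     make([]byte, maxEncodedLenOfMaxBlockSize+checksumSize),
+	}
+}
+
+// Reader is an io.Reader that can read Snappy-compressed bytes.
+type Reader struct {
+	r       io.Reader
+	err     error
+	decoded []byte
+	buf     []byte
+	// decoded[i:j] contains decoded bytes that have not yet been passed on.
+	i, j       int
+	readHeader bool
+}
+
+// Reset discards any buffered data, resets all state, and switches the Snappy
+// reader to read from r. This permits reusing a Reader rather than allocating
+// a new one.
+func (r *Reader) Reset(reader io.Reader) {
+	r.r = reader
+	r.err = nil
+	r.i = 0
+	r.j = 0
+	r.readHeader = false
+}
+
+func (r *Reader) readFull(p []byte, allowEOF bool) (ok bool) {
+	if _, r.err = io.ReadFull(r.r, p); r.err != nil {
+		if r.err == io.ErrUnexpectedEOF || (r.err == io.EOF && !allowEOF) {
+			r.err = ErrCorrupt
+		}
+		return false
+	}
+	return true
+}
+
+// Read satisfies the io.Reader interface.
+func (r *Reader) Read(p []byte) (int, error) {
+	if r.err != nil {
+		return 0, r.err
+	}
+	for {
+		if r.i < r.j {
+			n := copy(p, r.decoded[r.i:r.j])
+			r.i += n
+			return n, nil
+		}
+		if !r.readFull(r.buf[:4], true) {
+			return 0, r.err
+		}
+		chunkType := r.buf[0]
+		if !r.readHeader {
+			if chunkType != chunkTypeStreamIdentifier {
+				r.err = ErrCorrupt
+				return 0, r.err
+			}
+			r.readHeader = true
+		}
+		chunkLen := int(r.buf[1]) | int(r.buf[2])<<8 | int(r.buf[3])<<16
+		if chunkLen > len(r.buf) {
+			r.err = ErrUnsupported
+			return 0, r.err
+		}
+
+		// The chunk types are specified at
+		// https://github.com/google/snappy/blob/master/framing_format.txt
+		switch chunkType {
+		case chunkTypeCompressedData:
+			// Section 4.2. Compressed data (chunk type 0x00).
+			if chunkLen < checksumSize {
+				r.err = ErrCorrupt
+				return 0, r.err
+			}
+			buf := r.buf[:chunkLen]
+			if !r.readFull(buf, false) {
+				return 0, r.err
+			}
+			checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24
+			buf = buf[checksumSize:]
+
+			n, err := DecodedLen(buf)
+			if err != nil {
+				r.err = err
+				return 0, r.err
+			}
+			if n > len(r.decoded) {
+				r.err = ErrCorrupt
+				return 0, r.err
+			}
+			if _, err := Decode(r.decoded, buf); err != nil {
+				r.err = err
+				return 0, r.err
+			}
+			if crc(r.decoded[:n]) != checksum {
+				r.err = ErrCorrupt
+				return 0, r.err
+			}
+			r.i, r.j = 0, n
+			continue
+
+		case chunkTypeUncompressedData:
+			// Section 4.3. Uncompressed data (chunk type 0x01).
+			if chunkLen < checksumSize {
+				r.err = ErrCorrupt
+				return 0, r.err
+			}
+			buf := r.buf[:checksumSize]
+			if !r.readFull(buf, false) {
+				return 0, r.err
+			}
+			checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24
+			// Read directly into r.decoded instead of via r.buf.
+			n := chunkLen - checksumSize
+			if n > len(r.decoded) {
+				r.err = ErrCorrupt
+				return 0, r.err
+			}
+			if !r.readFull(r.decoded[:n], false) {
+				return 0, r.err
+			}
+			if crc(r.decoded[:n]) != checksum {
+				r.err = ErrCorrupt
+				return 0, r.err
+			}
+			r.i, r.j = 0, n
+			continue
+
+		case chunkTypeStreamIdentifier:
+			// Section 4.1. Stream identifier (chunk type 0xff).
+			if chunkLen != len(magicBody) {
+				r.err = ErrCorrupt
+				return 0, r.err
+			}
+			if !r.readFull(r.buf[:len(magicBody)], false) {
+				return 0, r.err
+			}
+			for i := 0; i < len(magicBody); i++ {
+				if r.buf[i] != magicBody[i] {
+					r.err = ErrCorrupt
+					return 0, r.err
+				}
+			}
+			continue
+		}
+
+		if chunkType <= 0x7f {
+			// Section 4.5. Reserved unskippable chunks (chunk types 0x02-0x7f).
+			r.err = ErrUnsupported
+			return 0, r.err
+		}
+		// Section 4.4 Padding (chunk type 0xfe).
+		// Section 4.6. Reserved skippable chunks (chunk types 0x80-0xfd).
+		if !r.readFull(r.buf[:chunkLen], false) {
+			return 0, r.err
+		}
+	}
+}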