diff --git a/central/localscanner/certificates.go b/central/localscanner/certificates.go index 4971aa77f9d8e..398037cb85942 100644 --- a/central/localscanner/certificates.go +++ b/central/localscanner/certificates.go @@ -1,15 +1,64 @@ package localscanner import ( + "github.com/hashicorp/go-multierror" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/certgen" + "github.com/stackrox/rox/pkg/features" "github.com/stackrox/rox/pkg/mtls" ) // secretDataMap represents data stored as part of a secret. type secretDataMap = map[string][]byte +// IssueLocalScannerCerts issue certificates for a local scanner running in secured clusters. +func IssueLocalScannerCerts(namespace string, clusterID string) (*storage.TypedServiceCertificateSet, error) { + if !features.LocalImageScanning.Enabled() { + return nil, errors.Errorf("feature '%s' is disabled", features.LocalImageScanning.Name()) + } + if namespace == "" { + return nil, errors.New("namespace is required to issue the certificates for the local scanner") + } + + var certIssueError error + caPem, scannerCertificate, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_SERVICE, namespace, clusterID) + if err != nil { + certIssueError = multierror.Append(certIssueError, err) + } + _, scannerDBCertificate, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_DB_SERVICE, namespace, clusterID) + if err != nil { + certIssueError = multierror.Append(certIssueError, err) + } + if certIssueError != nil { + return nil, certIssueError + } + + return &storage.TypedServiceCertificateSet{ + CaPem: caPem, + ServiceCerts: []*storage.TypedServiceCertificate{ + scannerCertificate, + scannerDBCertificate, + }, + }, nil +} + +func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (caPem []byte, cert *storage.TypedServiceCertificate, err error) { + certificates, err := generateServiceCertMap(serviceType, namespace, clusterID) + if err != nil { + return nil, nil, errors.Wrapf(err, "generating certificate for service %s", serviceType) + } + caPem = certificates[mtls.CACertFileName] + cert = &storage.TypedServiceCertificate{ + ServiceType: serviceType, + Cert: &storage.ServiceCertificate{ + CertPem: certificates[mtls.ServiceCertFileName], + KeyPem: certificates[mtls.ServiceKeyFileName], + }, + } + return +} + func generateServiceCertMap(serviceType storage.ServiceType, namespace string, clusterID string) (secretDataMap, error) { if serviceType != storage.ServiceType_SCANNER_SERVICE && serviceType != storage.ServiceType_SCANNER_DB_SERVICE { return nil, errors.Errorf("can only generate certificates for Scanner services, service type %s is not supported", diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 69088fbddec8f..c9027c8381d54 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -9,6 +9,7 @@ import ( testutilsMTLS "github.com/stackrox/rox/central/testutils/mtls" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/certgen" + "github.com/stackrox/rox/pkg/features" "github.com/stackrox/rox/pkg/mtls" "github.com/stackrox/rox/pkg/testutils/envisolator" "github.com/stretchr/testify/suite" @@ -52,18 +53,19 @@ func (s *localScannerSuite) TestCertMapContainsExpectedFiles() { } for _, tc := range testCases { - certMap, err := generateServiceCertMap(tc.service, namespace, clusterID) - if tc.expectError { - s.Require().Error(err, tc.service) - continue - } else { - s.Require().NoError(err, tc.service) - } - expectedFiles := []string{"ca.pem", "cert.pem", "key.pem"} - s.Assert().Equal(len(expectedFiles), len(certMap)) - for _, key := range expectedFiles { - s.Assert().Contains(certMap, key, tc.service) - } + s.Run(tc.service.String(), func() { + certMap, err := generateServiceCertMap(tc.service, namespace, clusterID) + if tc.expectError { + s.Require().Error(err) + return + } + s.Require().NoError(err) + expectedFiles := []string{"ca.pem", "cert.pem", "key.pem"} + s.Len(certMap, len(expectedFiles)) + for _, key := range expectedFiles { + s.Contains(certMap, key) + } + }) } } @@ -74,11 +76,13 @@ func (s *localScannerSuite) TestValidateServiceCertificate() { } for _, serviceType := range testCases { - certMap, err := generateServiceCertMap(serviceType, namespace, clusterID) - s.Require().NoError(err, serviceType) - validatingCA, err := mtls.LoadCAForValidation(certMap["ca.pem"]) - s.Require().NoError(err, serviceType) - s.Assert().NoError(certgen.VerifyServiceCert(certMap, validatingCA, serviceType, ""), serviceType) + s.Run(serviceType.String(), func() { + certMap, err := generateServiceCertMap(serviceType, namespace, clusterID) + s.Require().NoError(err) + validatingCA, err := mtls.LoadCAForValidation(certMap["ca.pem"]) + s.Require().NoError(err) + s.NoError(certgen.VerifyServiceCert(certMap, validatingCA, serviceType, "")) + }) } } @@ -95,23 +99,67 @@ func (s *localScannerSuite) TestCertificateGeneration() { } for _, tc := range testCases { - certMap, err := generateServiceCertMap(tc.service, namespace, clusterID) - s.Require().NoError(err, tc.service) - cert, err := helpers.ParseCertificatePEM(certMap["cert.pem"]) - s.Require().NoError(err, tc.service) - - subject := cert.Subject - certOUs := subject.OrganizationalUnit - s.Assert().Equal(1, len(certOUs), tc.service) - s.Assert().Equal(tc.expectOU, certOUs[0], tc.service) - - s.Assert().Equal(fmt.Sprintf("%s: %s", tc.expectOU, clusterID), subject.CommonName, tc.service) - - certAlternativeNames := cert.DNSNames - s.Assert().Equal(len(tc.expectedAlternativeNames), len(certAlternativeNames), tc.service) - for _, name := range tc.expectedAlternativeNames { - s.Assert().Contains(certAlternativeNames, name, tc.service) - } - s.Assert().Equal(cert.NotBefore.Add(2*24*time.Hour), cert.NotAfter, tc.service) + s.Run(tc.service.String(), func() { + certMap, err := generateServiceCertMap(tc.service, namespace, clusterID) + s.Require().NoError(err) + cert, err := helpers.ParseCertificatePEM(certMap["cert.pem"]) + s.Require().NoError(err) + + subject := cert.Subject + certOUs := subject.OrganizationalUnit + s.Require().Len(certOUs, 1) + s.Equal(tc.expectOU, certOUs[0]) + + s.Equal(fmt.Sprintf("%s: %s", tc.expectOU, clusterID), subject.CommonName) + + certAlternativeNames := cert.DNSNames + s.ElementsMatch(tc.expectedAlternativeNames, certAlternativeNames) + s.Equal(cert.NotBefore.Add(2*24*time.Hour), cert.NotAfter) + }) + } +} + +func (s *localScannerSuite) TestServiceIssueLocalScannerCertsFeatureFlagDisabled() { + s.envIsolator.Setenv(features.LocalImageScanning.EnvVar(), "false") + if features.LocalImageScanning.Enabled() { + s.T().Skip() + } + + _, err := IssueLocalScannerCerts(namespace, clusterID) + + s.Error(err) +} + +func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { + s.envIsolator.Setenv(features.LocalImageScanning.EnvVar(), "true") + if !features.LocalImageScanning.Enabled() { + s.T().Skip() + } + testCases := map[string]struct { + namespace string + clusterID string + shouldFail bool + }{ + "no parameter missing": {namespace: namespace, clusterID: clusterID, shouldFail: false}, + "namespace missing": {namespace: "", clusterID: clusterID, shouldFail: true}, + "clusterID missing": {namespace: namespace, clusterID: "", shouldFail: true}, + } + for tcName, tc := range testCases { + s.Run(tcName, func() { + certs, err := IssueLocalScannerCerts(tc.namespace, tc.clusterID) + if tc.shouldFail { + s.Require().Error(err) + return + } + s.Require().NoError(err) + s.Require().NotNil(certs.GetCaPem()) + s.Require().NotEmpty(certs.GetServiceCerts()) + for _, cert := range certs.ServiceCerts { + s.Contains([]storage.ServiceType{storage.ServiceType_SCANNER_SERVICE, + storage.ServiceType_SCANNER_DB_SERVICE}, cert.GetServiceType()) + s.NotEmpty(cert.GetCert().GetCertPem()) + s.NotEmpty(cert.GetCert().GetKeyPem()) + } + }) } } diff --git a/central/sensor/service/connection/connection_impl.go b/central/sensor/service/connection/connection_impl.go index 7d5e1a8d51f33..0bc2cb29c5716 100644 --- a/central/sensor/service/connection/connection_impl.go +++ b/central/sensor/service/connection/connection_impl.go @@ -2,8 +2,10 @@ package connection import ( "context" + "fmt" "github.com/pkg/errors" + "github.com/stackrox/rox/central/localscanner" "github.com/stackrox/rox/central/networkpolicies/graph" "github.com/stackrox/rox/central/scrape" "github.com/stackrox/rox/central/sensor/networkentities" @@ -215,6 +217,8 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr return c.networkPoliciesCtrl.ProcessNetworkPoliciesResponse(m.NetworkPoliciesResponse) case *central.MsgFromSensor_TelemetryDataResponse: return c.telemetryCtrl.ProcessTelemetryDataResponse(m.TelemetryDataResponse) + case *central.MsgFromSensor_IssueLocalScannerCertsRequest: + return c.processIssueLocalScannerCertsRequest(ctx, m.IssueLocalScannerCertsRequest) case *central.MsgFromSensor_Event: // Special case the reprocess deployment because its fields are already set if msg.GetEvent().GetReprocessDeployment() != nil { @@ -234,6 +238,47 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr return c.eventPipeline.Run(ctx, msg, c) } +func (c *sensorConnection) processIssueLocalScannerCertsRequest(ctx context.Context, request *central.IssueLocalScannerCertsRequest) error { + requestID := request.GetRequestId() + clusterID := c.clusterID + namespace := c.sensorHello.GetDeploymentIdentification().GetAppNamespace() + errMsg := fmt.Sprintf("issuing local Scanner certificates for request ID %q, cluster ID %q and namespace %q", + requestID, clusterID, namespace) + var ( + err error + response *central.IssueLocalScannerCertsResponse + ) + if requestID == "" { + err = errors.New("requestID is required to issue the certificates for the local scanner") + } else { + certificates, issueErr := localscanner.IssueLocalScannerCerts(namespace, clusterID) + err = issueErr + response = ¢ral.IssueLocalScannerCertsResponse{ + RequestId: requestID, + Response: ¢ral.IssueLocalScannerCertsResponse_Certificates{ + Certificates: certificates, + }, + } + } + if err != nil { + response = ¢ral.IssueLocalScannerCertsResponse{ + RequestId: requestID, + Response: ¢ral.IssueLocalScannerCertsResponse_Error{ + Error: ¢ral.LocalScannerCertsIssueError{ + Message: fmt.Sprintf("%s: %s", errMsg, err.Error()), + }, + }, + } + } + err = c.InjectMessage(ctx, ¢ral.MsgToSensor{ + Msg: ¢ral.MsgToSensor_IssueLocalScannerCertsResponse{IssueLocalScannerCertsResponse: response}, + }) + if err != nil { + return errors.Wrap(err, errMsg) + } + return nil +} + // getPolicySyncMsg fetches stored policies and prepares them for delivery to sensor. func (c *sensorConnection) getPolicySyncMsg(ctx context.Context) (*central.MsgToSensor, error) { policies, err := c.policyMgr.GetAllPolicies(ctx) diff --git a/central/sensor/service/connection/connection_test.go b/central/sensor/service/connection/connection_test.go index fceb9fc5526e1..c8177ac72a1cc 100644 --- a/central/sensor/service/connection/connection_test.go +++ b/central/sensor/service/connection/connection_test.go @@ -3,19 +3,45 @@ package connection import ( "context" "testing" + "time" "github.com/gogo/protobuf/types" "github.com/golang/mock/gomock" clusterMgrMock "github.com/stackrox/rox/central/sensor/service/common/mocks" + testutilsMTLS "github.com/stackrox/rox/central/testutils/mtls" "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/booleanpolicy/policyversion" "github.com/stackrox/rox/pkg/centralsensor" + "github.com/stackrox/rox/pkg/concurrency" + "github.com/stackrox/rox/pkg/features" "github.com/stackrox/rox/pkg/testutils/envisolator" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/suite" "google.golang.org/grpc" ) +func TestHandler(t *testing.T) { + suite.Run(t, new(testSuite)) +} + +type testSuite struct { + suite.Suite + envIsolator *envisolator.EnvIsolator +} + +func (s *testSuite) SetupSuite() { + s.envIsolator = envisolator.NewEnvIsolator(s.T()) +} + +func (s *testSuite) TearDownTest() { + s.envIsolator.RestoreAll() +} + +func (s *testSuite) SetupTest() { + err := testutilsMTLS.LoadTestMTLSCerts(s.envIsolator) + s.Require().NoError(err) +} + type mockServer struct { grpc.ServerStream sentList []*central.MsgToSensor @@ -33,7 +59,7 @@ func (c *mockServer) Recv() (*central.MsgFromSensor, error) { // TestGetPolicySyncMsgFromPolicies verifies that the sensor connection is // capable of downgrading policies to the version known of the underlying // sensor. The test uses specific policy versions and not a general approach. -func TestGetPolicySyncMsgFromPolicies(t *testing.T) { +func (s *testSuite) TestGetPolicySyncMsgFromPolicies() { centralVersion := policyversion.CurrentVersion() sensorVersion := policyversion.Version1() sensorHello := ¢ral.SensorHello{ @@ -47,18 +73,15 @@ func TestGetPolicySyncMsgFromPolicies(t *testing.T) { } msg, err := sensorMockConn.getPolicySyncMsgFromPolicies([]*storage.Policy{policy}) - assert.NoError(t, err) + s.NoError(err) policySync := msg.GetPolicySync() - assert.NotNil(t, policySync) - assert.NotEmpty(t, policySync.Policies) - assert.Equal(t, sensorVersion.String(), policySync.Policies[0].GetPolicyVersion()) + s.Require().NotNil(policySync) + s.NotEmpty(policySync.Policies) + s.Equal(sensorVersion.String(), policySync.Policies[0].GetPolicyVersion()) } -func TestSendsAuditLogSyncMessageIfEnabledOnRun(t *testing.T) { - envIsolator := envisolator.NewEnvIsolator(t) - defer envIsolator.RestoreAll() - +func (s *testSuite) TestSendsAuditLogSyncMessageIfEnabledOnRun() { ctx := context.Background() clusterID := "this-cluster" auditLogState := map[string]*storage.AuditLogFileState{ @@ -73,7 +96,7 @@ func TestSendsAuditLogSyncMessageIfEnabledOnRun(t *testing.T) { AuditLogState: auditLogState, } - ctrl := gomock.NewController(t) + ctrl := gomock.NewController(s.T()) mgrMock := clusterMgrMock.NewMockClusterManager(ctrl) sensorMockConn := &sensorConnection{ @@ -87,15 +110,80 @@ func TestSendsAuditLogSyncMessageIfEnabledOnRun(t *testing.T) { mgrMock.EXPECT().GetCluster(ctx, clusterID).Return(cluster, true, nil).AnyTimes() - assert.NoError(t, sensorMockConn.Run(ctx, server, caps)) + s.NoError(sensorMockConn.Run(ctx, server, caps)) for _, msg := range server.sentList { if syncMsg := msg.GetAuditLogSync(); syncMsg != nil { - assert.Equal(t, auditLogState, syncMsg.GetNodeAuditLogFileStates()) + s.Equal(auditLogState, syncMsg.GetNodeAuditLogFileStates()) return } } - assert.FailNow(t, "Audit log sync message was not sent") + s.FailNow("Audit log sync message was not sent") +} +func (s *testSuite) TestIssueLocalScannerCerts() { + s.envIsolator.Setenv(features.LocalImageScanning.EnvVar(), "true") + if !features.LocalImageScanning.Enabled() { + s.T().Skip() + } + namespace, clusterID, requestID := "namespace", "clusterID", "requestID" + testCases := map[string]struct { + requestID string + namespace string + clusterID string + shouldFail bool + }{ + "no parameter missing": {requestID: requestID, namespace: namespace, clusterID: clusterID, shouldFail: false}, + "requestID missing": {requestID: "", namespace: namespace, clusterID: clusterID, shouldFail: true}, + "namespace missing": {requestID: requestID, namespace: "", clusterID: clusterID, shouldFail: true}, + "clusterID missing": {requestID: requestID, namespace: namespace, clusterID: "", shouldFail: true}, + } + for tcName, tc := range testCases { + s.Run(tcName, func() { + sendC := make(chan *central.MsgToSensor) + sensorMockConn := &sensorConnection{ + clusterID: tc.clusterID, + sendC: sendC, + stopSig: concurrency.NewErrorSignal(), + sensorHello: ¢ral.SensorHello{ + DeploymentIdentification: &storage.SensorDeploymentIdentification{ + AppNamespace: tc.namespace, + }, + }, + } + ctx := context.Background() + ctx, cancel := context.WithTimeout(ctx, 1*time.Second) + defer cancel() + request := ¢ral.MsgFromSensor{ + Msg: ¢ral.MsgFromSensor_IssueLocalScannerCertsRequest{ + IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{ + RequestId: tc.requestID, + }, + }, + } + + handleDoneErrSig := concurrency.NewErrorSignal() + go func() { + handleDoneErrSig.SignalWithError(sensorMockConn.handleMessage(ctx, request)) + }() + + select { + case msgToSensor := <-sendC: + response := msgToSensor.GetIssueLocalScannerCertsResponse() + s.Equal(tc.requestID, response.GetRequestId()) + if tc.shouldFail { + s.NotNil(response.GetError()) + } else { + s.NotNil(response.GetCertificates()) + } + case <-ctx.Done(): + s.Fail(ctx.Err().Error()) + } + + handleErr, ok := handleDoneErrSig.WaitUntil(ctx) + s.Require().True(ok) + s.NoError(handleErr) + }) + } } diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go new file mode 100644 index 0000000000000..d9ee4a3695c03 --- /dev/null +++ b/generated/internalapi/central/local_scanner.pb.go @@ -0,0 +1,960 @@ +// Code generated by protoc-gen-gogo. DO NOT EDIT. +// source: internalapi/central/local_scanner.proto + +package central + +import ( + fmt "fmt" + proto "github.com/golang/protobuf/proto" + storage "github.com/stackrox/rox/generated/storage" + io "io" + math "math" + math_bits "math/bits" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +type LocalScannerCertsIssueError struct { + Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *LocalScannerCertsIssueError) Reset() { *m = LocalScannerCertsIssueError{} } +func (m *LocalScannerCertsIssueError) String() string { return proto.CompactTextString(m) } +func (*LocalScannerCertsIssueError) ProtoMessage() {} +func (*LocalScannerCertsIssueError) Descriptor() ([]byte, []int) { + return fileDescriptor_856923c76f63cf0a, []int{0} +} +func (m *LocalScannerCertsIssueError) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *LocalScannerCertsIssueError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_LocalScannerCertsIssueError.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *LocalScannerCertsIssueError) XXX_Merge(src proto.Message) { + xxx_messageInfo_LocalScannerCertsIssueError.Merge(m, src) +} +func (m *LocalScannerCertsIssueError) XXX_Size() int { + return m.Size() +} +func (m *LocalScannerCertsIssueError) XXX_DiscardUnknown() { + xxx_messageInfo_LocalScannerCertsIssueError.DiscardUnknown(m) +} + +var xxx_messageInfo_LocalScannerCertsIssueError proto.InternalMessageInfo + +func (m *LocalScannerCertsIssueError) GetMessage() string { + if m != nil { + return m.Message + } + return "" +} + +func (m *LocalScannerCertsIssueError) MessageClone() proto.Message { + return m.Clone() +} +func (m *LocalScannerCertsIssueError) Clone() *LocalScannerCertsIssueError { + if m == nil { + return nil + } + cloned := new(LocalScannerCertsIssueError) + *cloned = *m + + return cloned +} + +type IssueLocalScannerCertsRequest struct { + RequestId string `protobuf:"bytes,1,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *IssueLocalScannerCertsRequest) Reset() { *m = IssueLocalScannerCertsRequest{} } +func (m *IssueLocalScannerCertsRequest) String() string { return proto.CompactTextString(m) } +func (*IssueLocalScannerCertsRequest) ProtoMessage() {} +func (*IssueLocalScannerCertsRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_856923c76f63cf0a, []int{1} +} +func (m *IssueLocalScannerCertsRequest) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *IssueLocalScannerCertsRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_IssueLocalScannerCertsRequest.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *IssueLocalScannerCertsRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_IssueLocalScannerCertsRequest.Merge(m, src) +} +func (m *IssueLocalScannerCertsRequest) XXX_Size() int { + return m.Size() +} +func (m *IssueLocalScannerCertsRequest) XXX_DiscardUnknown() { + xxx_messageInfo_IssueLocalScannerCertsRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_IssueLocalScannerCertsRequest proto.InternalMessageInfo + +func (m *IssueLocalScannerCertsRequest) GetRequestId() string { + if m != nil { + return m.RequestId + } + return "" +} + +func (m *IssueLocalScannerCertsRequest) MessageClone() proto.Message { + return m.Clone() +} +func (m *IssueLocalScannerCertsRequest) Clone() *IssueLocalScannerCertsRequest { + if m == nil { + return nil + } + cloned := new(IssueLocalScannerCertsRequest) + *cloned = *m + + return cloned +} + +type IssueLocalScannerCertsResponse struct { + RequestId string `protobuf:"bytes,1,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"` + // Types that are valid to be assigned to Response: + // *IssueLocalScannerCertsResponse_Certificates + // *IssueLocalScannerCertsResponse_Error + Response isIssueLocalScannerCertsResponse_Response `protobuf_oneof:"response"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *IssueLocalScannerCertsResponse) Reset() { *m = IssueLocalScannerCertsResponse{} } +func (m *IssueLocalScannerCertsResponse) String() string { return proto.CompactTextString(m) } +func (*IssueLocalScannerCertsResponse) ProtoMessage() {} +func (*IssueLocalScannerCertsResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_856923c76f63cf0a, []int{2} +} +func (m *IssueLocalScannerCertsResponse) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *IssueLocalScannerCertsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_IssueLocalScannerCertsResponse.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *IssueLocalScannerCertsResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_IssueLocalScannerCertsResponse.Merge(m, src) +} +func (m *IssueLocalScannerCertsResponse) XXX_Size() int { + return m.Size() +} +func (m *IssueLocalScannerCertsResponse) XXX_DiscardUnknown() { + xxx_messageInfo_IssueLocalScannerCertsResponse.DiscardUnknown(m) +} + +var xxx_messageInfo_IssueLocalScannerCertsResponse proto.InternalMessageInfo + +type isIssueLocalScannerCertsResponse_Response interface { + isIssueLocalScannerCertsResponse_Response() + MarshalTo([]byte) (int, error) + Size() int + Clone() isIssueLocalScannerCertsResponse_Response +} + +type IssueLocalScannerCertsResponse_Certificates struct { + Certificates *storage.TypedServiceCertificateSet `protobuf:"bytes,2,opt,name=certificates,proto3,oneof" json:"certificates,omitempty"` +} +type IssueLocalScannerCertsResponse_Error struct { + Error *LocalScannerCertsIssueError `protobuf:"bytes,3,opt,name=error,proto3,oneof" json:"error,omitempty"` +} + +func (*IssueLocalScannerCertsResponse_Certificates) isIssueLocalScannerCertsResponse_Response() {} +func (m *IssueLocalScannerCertsResponse_Certificates) Clone() isIssueLocalScannerCertsResponse_Response { + if m == nil { + return nil + } + cloned := new(IssueLocalScannerCertsResponse_Certificates) + *cloned = *m + + cloned.Certificates = m.Certificates.Clone() + return cloned +} +func (*IssueLocalScannerCertsResponse_Error) isIssueLocalScannerCertsResponse_Response() {} +func (m *IssueLocalScannerCertsResponse_Error) Clone() isIssueLocalScannerCertsResponse_Response { + if m == nil { + return nil + } + cloned := new(IssueLocalScannerCertsResponse_Error) + *cloned = *m + + cloned.Error = m.Error.Clone() + return cloned +} + +func (m *IssueLocalScannerCertsResponse) GetResponse() isIssueLocalScannerCertsResponse_Response { + if m != nil { + return m.Response + } + return nil +} + +func (m *IssueLocalScannerCertsResponse) GetRequestId() string { + if m != nil { + return m.RequestId + } + return "" +} + +func (m *IssueLocalScannerCertsResponse) GetCertificates() *storage.TypedServiceCertificateSet { + if x, ok := m.GetResponse().(*IssueLocalScannerCertsResponse_Certificates); ok { + return x.Certificates + } + return nil +} + +func (m *IssueLocalScannerCertsResponse) GetError() *LocalScannerCertsIssueError { + if x, ok := m.GetResponse().(*IssueLocalScannerCertsResponse_Error); ok { + return x.Error + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*IssueLocalScannerCertsResponse) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*IssueLocalScannerCertsResponse_Certificates)(nil), + (*IssueLocalScannerCertsResponse_Error)(nil), + } +} + +func (m *IssueLocalScannerCertsResponse) MessageClone() proto.Message { + return m.Clone() +} +func (m *IssueLocalScannerCertsResponse) Clone() *IssueLocalScannerCertsResponse { + if m == nil { + return nil + } + cloned := new(IssueLocalScannerCertsResponse) + *cloned = *m + + if m.Response != nil { + cloned.Response = m.Response.Clone() + } + return cloned +} + +func init() { + proto.RegisterType((*LocalScannerCertsIssueError)(nil), "central.LocalScannerCertsIssueError") + proto.RegisterType((*IssueLocalScannerCertsRequest)(nil), "central.IssueLocalScannerCertsRequest") + proto.RegisterType((*IssueLocalScannerCertsResponse)(nil), "central.IssueLocalScannerCertsResponse") +} + +func init() { + proto.RegisterFile("internalapi/central/local_scanner.proto", fileDescriptor_856923c76f63cf0a) +} + +var fileDescriptor_856923c76f63cf0a = []byte{ + // 289 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x91, 0xcd, 0x4a, 0xc3, 0x40, + 0x14, 0x85, 0x3b, 0x8a, 0xd6, 0x8e, 0xae, 0xb2, 0x8a, 0x4a, 0x87, 0x12, 0x05, 0xbb, 0x4a, 0x40, + 0x17, 0x6e, 0xc4, 0x45, 0x8b, 0xd0, 0x80, 0xab, 0xc4, 0x95, 0x9b, 0x30, 0x4e, 0xae, 0x65, 0x20, + 0xce, 0xc4, 0x7b, 0xa7, 0x42, 0xdf, 0xc4, 0x47, 0x72, 0xe9, 0xc2, 0x07, 0x90, 0xf8, 0x22, 0xd2, + 0x64, 0x8a, 0x88, 0xa8, 0xbb, 0xf9, 0x39, 0xdf, 0xe1, 0x9e, 0x73, 0xf9, 0x89, 0x36, 0x0e, 0xd0, + 0xc8, 0x4a, 0xd6, 0x3a, 0x51, 0x60, 0x1c, 0xca, 0x2a, 0xa9, 0xac, 0x92, 0x55, 0x41, 0x4a, 0x1a, + 0x03, 0x18, 0xd7, 0x68, 0x9d, 0x0d, 0xfa, 0xfe, 0xf3, 0x40, 0x90, 0xb3, 0x28, 0xe7, 0x90, 0x10, + 0xe0, 0x93, 0x56, 0x50, 0xe8, 0x12, 0x8c, 0xd3, 0x6e, 0xd9, 0x09, 0xa3, 0x73, 0x7e, 0x78, 0xbd, + 0xe2, 0xf3, 0x0e, 0x9f, 0x02, 0x3a, 0x4a, 0x89, 0x16, 0x70, 0x85, 0x68, 0x31, 0x08, 0x79, 0xff, + 0x01, 0x88, 0xe4, 0x1c, 0x42, 0x36, 0x62, 0xe3, 0x41, 0xb6, 0xbe, 0x46, 0x97, 0x7c, 0xd8, 0xea, + 0x7e, 0xd0, 0x19, 0x3c, 0x2e, 0x80, 0x5c, 0x30, 0xe4, 0x1c, 0xbb, 0x63, 0xa1, 0x4b, 0x4f, 0x0f, + 0xfc, 0x4b, 0x5a, 0x46, 0x6f, 0x8c, 0x8b, 0xdf, 0x0c, 0xa8, 0xb6, 0x86, 0xe0, 0x1f, 0x87, 0x20, + 0xe5, 0x7b, 0x0a, 0xd0, 0xe9, 0x7b, 0xad, 0xa4, 0x03, 0x0a, 0x37, 0x46, 0x6c, 0xbc, 0x7b, 0x7a, + 0x14, 0xfb, 0xc4, 0xf1, 0xcd, 0xb2, 0x86, 0x32, 0xef, 0x62, 0x4f, 0xbf, 0x84, 0x39, 0xb8, 0x59, + 0x2f, 0xfb, 0x86, 0x06, 0x17, 0x7c, 0x0b, 0x56, 0x79, 0xc3, 0xcd, 0xd6, 0xe3, 0x38, 0xf6, 0xf5, + 0xc5, 0x7f, 0x74, 0x33, 0xeb, 0x65, 0x1d, 0x34, 0xe1, 0x7c, 0x07, 0xfd, 0xcc, 0x93, 0xfd, 0x97, + 0x46, 0xb0, 0xd7, 0x46, 0xb0, 0xf7, 0x46, 0xb0, 0xe7, 0x0f, 0xd1, 0xbb, 0x5d, 0xaf, 0xe2, 0x6e, + 0xbb, 0x6d, 0xfc, 0xec, 0x33, 0x00, 0x00, 0xff, 0xff, 0xbd, 0x93, 0x4a, 0x05, 0xc5, 0x01, 0x00, + 0x00, +} + +func (m *LocalScannerCertsIssueError) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *LocalScannerCertsIssueError) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *LocalScannerCertsIssueError) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.Message) > 0 { + i -= len(m.Message) + copy(dAtA[i:], m.Message) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Message))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func (m *IssueLocalScannerCertsRequest) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *IssueLocalScannerCertsRequest) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IssueLocalScannerCertsRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.RequestId) > 0 { + i -= len(m.RequestId) + copy(dAtA[i:], m.RequestId) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.RequestId))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func (m *IssueLocalScannerCertsResponse) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *IssueLocalScannerCertsResponse) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IssueLocalScannerCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.Response != nil { + { + size := m.Response.Size() + i -= size + if _, err := m.Response.MarshalTo(dAtA[i:]); err != nil { + return 0, err + } + } + } + if len(m.RequestId) > 0 { + i -= len(m.RequestId) + copy(dAtA[i:], m.RequestId) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.RequestId))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func (m *IssueLocalScannerCertsResponse_Certificates) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IssueLocalScannerCertsResponse_Certificates) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + if m.Certificates != nil { + { + size, err := m.Certificates.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintLocalScanner(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + return len(dAtA) - i, nil +} +func (m *IssueLocalScannerCertsResponse_Error) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IssueLocalScannerCertsResponse_Error) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + if m.Error != nil { + { + size, err := m.Error.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintLocalScanner(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1a + } + return len(dAtA) - i, nil +} +func encodeVarintLocalScanner(dAtA []byte, offset int, v uint64) int { + offset -= sovLocalScanner(v) + base := offset + for v >= 1<<7 { + dAtA[offset] = uint8(v&0x7f | 0x80) + v >>= 7 + offset++ + } + dAtA[offset] = uint8(v) + return base +} +func (m *LocalScannerCertsIssueError) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Message) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func (m *IssueLocalScannerCertsRequest) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.RequestId) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func (m *IssueLocalScannerCertsResponse) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.RequestId) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.Response != nil { + n += m.Response.Size() + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func (m *IssueLocalScannerCertsResponse_Certificates) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Certificates != nil { + l = m.Certificates.Size() + n += 1 + l + sovLocalScanner(uint64(l)) + } + return n +} +func (m *IssueLocalScannerCertsResponse_Error) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Error != nil { + l = m.Error.Size() + n += 1 + l + sovLocalScanner(uint64(l)) + } + return n +} + +func sovLocalScanner(x uint64) (n int) { + return (math_bits.Len64(x|1) + 6) / 7 +} +func sozLocalScanner(x uint64) (n int) { + return sovLocalScanner(uint64((x << 1) ^ uint64((int64(x) >> 63)))) +} +func (m *LocalScannerCertsIssueError) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: LocalScannerCertsIssueError: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: LocalScannerCertsIssueError: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Message = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipLocalScanner(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthLocalScanner + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *IssueLocalScannerCertsRequest) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: IssueLocalScannerCertsRequest: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: IssueLocalScannerCertsRequest: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RequestId", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.RequestId = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipLocalScanner(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthLocalScanner + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *IssueLocalScannerCertsResponse) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: IssueLocalScannerCertsResponse: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: IssueLocalScannerCertsResponse: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RequestId", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.RequestId = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Certificates", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + v := &storage.TypedServiceCertificateSet{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + m.Response = &IssueLocalScannerCertsResponse_Certificates{v} + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + v := &LocalScannerCertsIssueError{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + m.Response = &IssueLocalScannerCertsResponse_Error{v} + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipLocalScanner(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthLocalScanner + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func skipLocalScanner(dAtA []byte) (n int, err error) { + l := len(dAtA) + iNdEx := 0 + depth := 0 + for iNdEx < l { + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + wireType := int(wire & 0x7) + switch wireType { + case 0: + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + iNdEx++ + if dAtA[iNdEx-1] < 0x80 { + break + } + } + case 1: + iNdEx += 8 + case 2: + var length int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + length |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if length < 0 { + return 0, ErrInvalidLengthLocalScanner + } + iNdEx += length + case 3: + depth++ + case 4: + if depth == 0 { + return 0, ErrUnexpectedEndOfGroupLocalScanner + } + depth-- + case 5: + iNdEx += 4 + default: + return 0, fmt.Errorf("proto: illegal wireType %d", wireType) + } + if iNdEx < 0 { + return 0, ErrInvalidLengthLocalScanner + } + if depth == 0 { + return iNdEx, nil + } + } + return 0, io.ErrUnexpectedEOF +} + +var ( + ErrInvalidLengthLocalScanner = fmt.Errorf("proto: negative length found during unmarshaling") + ErrIntOverflowLocalScanner = fmt.Errorf("proto: integer overflow") + ErrUnexpectedEndOfGroupLocalScanner = fmt.Errorf("proto: unexpected end of group") +) diff --git a/generated/internalapi/central/sensor_iservice.pb.go b/generated/internalapi/central/sensor_iservice.pb.go index 62421f690467b..b48e16d56bca3 100644 --- a/generated/internalapi/central/sensor_iservice.pb.go +++ b/generated/internalapi/central/sensor_iservice.pb.go @@ -40,6 +40,7 @@ type MsgFromSensor struct { // *MsgFromSensor_ClusterHealthInfo // *MsgFromSensor_Hello // *MsgFromSensor_AuditLogStatusInfo + // *MsgFromSensor_IssueLocalScannerCertsRequest Msg isMsgFromSensor_Msg `protobuf_oneof:"msg"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -113,6 +114,9 @@ type MsgFromSensor_Hello struct { type MsgFromSensor_AuditLogStatusInfo struct { AuditLogStatusInfo *AuditLogStatusInfo `protobuf:"bytes,11,opt,name=audit_log_status_info,json=auditLogStatusInfo,proto3,oneof" json:"audit_log_status_info,omitempty"` } +type MsgFromSensor_IssueLocalScannerCertsRequest struct { + IssueLocalScannerCertsRequest *IssueLocalScannerCertsRequest `protobuf:"bytes,12,opt,name=issue_local_scanner_certs_request,json=issueLocalScannerCertsRequest,proto3,oneof" json:"issue_local_scanner_certs_request,omitempty"` +} func (*MsgFromSensor_Event) isMsgFromSensor_Msg() {} func (m *MsgFromSensor_Event) Clone() isMsgFromSensor_Msg { @@ -213,6 +217,17 @@ func (m *MsgFromSensor_AuditLogStatusInfo) Clone() isMsgFromSensor_Msg { cloned.AuditLogStatusInfo = m.AuditLogStatusInfo.Clone() return cloned } +func (*MsgFromSensor_IssueLocalScannerCertsRequest) isMsgFromSensor_Msg() {} +func (m *MsgFromSensor_IssueLocalScannerCertsRequest) Clone() isMsgFromSensor_Msg { + if m == nil { + return nil + } + cloned := new(MsgFromSensor_IssueLocalScannerCertsRequest) + *cloned = *m + + cloned.IssueLocalScannerCertsRequest = m.IssueLocalScannerCertsRequest.Clone() + return cloned +} func (m *MsgFromSensor) GetMsg() isMsgFromSensor_Msg { if m != nil { @@ -298,6 +313,13 @@ func (m *MsgFromSensor) GetAuditLogStatusInfo() *AuditLogStatusInfo { return nil } +func (m *MsgFromSensor) GetIssueLocalScannerCertsRequest() *IssueLocalScannerCertsRequest { + if x, ok := m.GetMsg().(*MsgFromSensor_IssueLocalScannerCertsRequest); ok { + return x.IssueLocalScannerCertsRequest + } + return nil +} + // XXX_OneofWrappers is for the internal use of the proto package. func (*MsgFromSensor) XXX_OneofWrappers() []interface{} { return []interface{}{ @@ -310,6 +332,7 @@ func (*MsgFromSensor) XXX_OneofWrappers() []interface{} { (*MsgFromSensor_ClusterHealthInfo)(nil), (*MsgFromSensor_Hello)(nil), (*MsgFromSensor_AuditLogStatusInfo)(nil), + (*MsgFromSensor_IssueLocalScannerCertsRequest)(nil), } } @@ -399,6 +422,7 @@ type MsgToSensor struct { // *MsgToSensor_AuditLogSync // *MsgToSensor_ReprocessDeployment // *MsgToSensor_InvalidateImageCache + // *MsgToSensor_IssueLocalScannerCertsResponse Msg isMsgToSensor_Msg `protobuf_oneof:"msg"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -493,6 +517,9 @@ type MsgToSensor_ReprocessDeployment struct { type MsgToSensor_InvalidateImageCache struct { InvalidateImageCache *InvalidateImageCache `protobuf:"bytes,16,opt,name=invalidate_image_cache,json=invalidateImageCache,proto3,oneof" json:"invalidate_image_cache,omitempty"` } +type MsgToSensor_IssueLocalScannerCertsResponse struct { + IssueLocalScannerCertsResponse *IssueLocalScannerCertsResponse `protobuf:"bytes,17,opt,name=issue_local_scanner_certs_response,json=issueLocalScannerCertsResponse,proto3,oneof" json:"issue_local_scanner_certs_response,omitempty"` +} func (*MsgToSensor_Enforcement) isMsgToSensor_Msg() {} func (m *MsgToSensor_Enforcement) Clone() isMsgToSensor_Msg { @@ -670,6 +697,17 @@ func (m *MsgToSensor_InvalidateImageCache) Clone() isMsgToSensor_Msg { cloned.InvalidateImageCache = m.InvalidateImageCache.Clone() return cloned } +func (*MsgToSensor_IssueLocalScannerCertsResponse) isMsgToSensor_Msg() {} +func (m *MsgToSensor_IssueLocalScannerCertsResponse) Clone() isMsgToSensor_Msg { + if m == nil { + return nil + } + cloned := new(MsgToSensor_IssueLocalScannerCertsResponse) + *cloned = *m + + cloned.IssueLocalScannerCertsResponse = m.IssueLocalScannerCertsResponse.Clone() + return cloned +} func (m *MsgToSensor) GetMsg() isMsgToSensor_Msg { if m != nil { @@ -790,6 +828,13 @@ func (m *MsgToSensor) GetInvalidateImageCache() *InvalidateImageCache { return nil } +func (m *MsgToSensor) GetIssueLocalScannerCertsResponse() *IssueLocalScannerCertsResponse { + if x, ok := m.GetMsg().(*MsgToSensor_IssueLocalScannerCertsResponse); ok { + return x.IssueLocalScannerCertsResponse + } + return nil +} + // XXX_OneofWrappers is for the internal use of the proto package. func (*MsgToSensor) XXX_OneofWrappers() []interface{} { return []interface{}{ @@ -809,6 +854,7 @@ func (*MsgToSensor) XXX_OneofWrappers() []interface{} { (*MsgToSensor_AuditLogSync)(nil), (*MsgToSensor_ReprocessDeployment)(nil), (*MsgToSensor_InvalidateImageCache)(nil), + (*MsgToSensor_IssueLocalScannerCertsResponse)(nil), } } @@ -1176,82 +1222,87 @@ func init() { } var fileDescriptor_9d0a66b7b73dbb5d = []byte{ - // 1198 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x57, 0xdd, 0x4e, 0x1b, 0x47, - 0x14, 0xf6, 0x86, 0x12, 0xf0, 0x18, 0x13, 0x32, 0x60, 0xc7, 0x38, 0x85, 0x50, 0x47, 0x21, 0x54, - 0x6a, 0x4d, 0x4a, 0xa5, 0xb6, 0xaa, 0xd2, 0x46, 0x85, 0x80, 0x8c, 0x12, 0x28, 0x5d, 0xe0, 0xa2, - 0x3f, 0xea, 0x6a, 0xd8, 0x3d, 0xb6, 0x57, 0x8c, 0x67, 0xb7, 0x3b, 0xb3, 0x20, 0xbf, 0x49, 0x1f, - 0xa2, 0x0f, 0xd2, 0xcb, 0x3e, 0x42, 0x45, 0x7b, 0x5b, 0xa9, 0xea, 0x13, 0x54, 0xf3, 0xb3, 0x3f, - 0xac, 0x17, 0xab, 0x97, 0xbd, 0xf2, 0xce, 0x39, 0xdf, 0xf9, 0xe6, 0xcc, 0x99, 0x6f, 0xce, 0x8c, - 0xd1, 0xfb, 0x3e, 0x13, 0x10, 0x31, 0x42, 0x49, 0xe8, 0x6f, 0xbb, 0xc0, 0x44, 0x44, 0xe8, 0x36, - 0x07, 0xc6, 0x83, 0xc8, 0xf1, 0x39, 0x44, 0x57, 0xbe, 0x0b, 0xdd, 0x30, 0x0a, 0x44, 0x80, 0xe7, - 0x8c, 0xbb, 0xbd, 0x55, 0x16, 0xe3, 0xd2, 0x98, 0x0b, 0x88, 0x1c, 0x37, 0x60, 0x7d, 0x7f, 0xa0, - 0x43, 0xa6, 0x23, 0xb9, 0x20, 0x22, 0xe6, 0x06, 0xb9, 0x59, 0x86, 0x64, 0x20, 0xae, 0x83, 0xe8, - 0xd2, 0xe9, 0xd3, 0xe0, 0xda, 0xe0, 0x9e, 0x95, 0xe1, 0xc2, 0x80, 0xfa, 0xee, 0xd8, 0xe1, 0x63, - 0xe6, 0x1a, 0xd8, 0xf3, 0x29, 0xcb, 0x82, 0x2b, 0x60, 0x82, 0x4f, 0xcb, 0xd0, 0x00, 0xe3, 0x70, - 0x10, 0x11, 0xcf, 0x2c, 0xbf, 0xfd, 0xb4, 0x0c, 0x29, 0x80, 0xc2, 0x08, 0x44, 0x34, 0x9e, 0x36, - 0xef, 0x05, 0xe1, 0x40, 0x7d, 0x06, 0xf9, 0x04, 0x9f, 0x94, 0x01, 0x87, 0x40, 0x69, 0x60, 0x00, - 0xdb, 0xd3, 0x0a, 0x52, 0xc6, 0xd8, 0xe0, 0x22, 0x88, 0xc8, 0x00, 0x92, 0xfa, 0x6a, 0x73, 0xe7, - 0xaf, 0x59, 0x54, 0x3f, 0xe2, 0x83, 0x83, 0x28, 0x18, 0x9d, 0xaa, 0x65, 0xe1, 0x55, 0x34, 0x3f, - 0x24, 0x7c, 0xe8, 0x5c, 0xc2, 0xb8, 0x35, 0xb7, 0x61, 0x6d, 0x55, 0xed, 0x39, 0x39, 0x7e, 0x03, - 0x63, 0xbc, 0x86, 0x90, 0x07, 0x5e, 0x1c, 0x82, 0x72, 0xce, 0x2b, 0x67, 0x55, 0x5b, 0xa4, 0xfb, - 0x03, 0x34, 0xab, 0x8a, 0xd7, 0xb2, 0x36, 0xac, 0xad, 0xda, 0xce, 0x4a, 0xd7, 0xe4, 0xd5, 0xd5, - 0xcc, 0xfb, 0xd2, 0xd7, 0xab, 0xd8, 0x1a, 0x84, 0xdf, 0xa2, 0xe5, 0xfc, 0x06, 0x3a, 0x71, 0xe8, - 0x11, 0x01, 0xad, 0x7b, 0x2a, 0xb6, 0x9d, 0xc6, 0x1e, 0x6b, 0xcc, 0x01, 0x0d, 0xae, 0xcf, 0x15, - 0xa2, 0x57, 0xb1, 0x1f, 0xb2, 0xa2, 0x11, 0xbf, 0x44, 0x75, 0xee, 0x46, 0x24, 0x84, 0x84, 0x67, - 0x46, 0xf1, 0x34, 0xb2, 0x1c, 0x94, 0x37, 0xa5, 0x58, 0xe0, 0xb9, 0x31, 0xfe, 0x11, 0xad, 0x26, - 0xb9, 0x28, 0xb1, 0xf8, 0xc0, 0x9d, 0x08, 0x78, 0x18, 0x30, 0x0e, 0xad, 0x77, 0x14, 0xd3, 0x46, - 0x31, 0xa3, 0x13, 0x03, 0xb4, 0x0d, 0xae, 0x57, 0xb1, 0x1f, 0xb1, 0x72, 0x17, 0xb6, 0x51, 0xe3, - 0xb6, 0xac, 0x93, 0x2c, 0x67, 0x15, 0xf7, 0xbb, 0x29, 0xf7, 0x9e, 0x46, 0x9d, 0x2a, 0x50, 0x9a, - 0xec, 0xb2, 0x3b, 0x69, 0xc6, 0x3f, 0xa0, 0x47, 0xa9, 0xbc, 0x1c, 0x8f, 0x08, 0x92, 0x65, 0x7c, - 0x5f, 0xb1, 0x76, 0x52, 0xd6, 0x93, 0x98, 0xd2, 0xb3, 0x04, 0xfb, 0x9a, 0x08, 0x92, 0xcb, 0xb9, - 0x21, 0xca, 0x1c, 0xf8, 0x6b, 0x94, 0x4c, 0xea, 0x0c, 0x81, 0x50, 0x31, 0x74, 0x7c, 0xd6, 0x0f, - 0x5a, 0x55, 0xc5, 0xbc, 0x96, 0x32, 0xdb, 0xe4, 0xda, 0xa4, 0xdc, 0x53, 0xa8, 0x43, 0xd6, 0x0f, - 0xe4, 0x06, 0xb9, 0x45, 0xa3, 0x14, 0x87, 0xd2, 0x6f, 0x0b, 0x95, 0x8a, 0xa3, 0x27, 0x7d, 0x52, - 0x1c, 0x0a, 0x84, 0x4f, 0x50, 0x83, 0xc4, 0x9e, 0x2f, 0x1c, 0x1a, 0x0c, 0x92, 0x92, 0xa9, 0x04, - 0x6a, 0x2a, 0xfa, 0x71, 0x1a, 0xfd, 0x95, 0x44, 0xbd, 0x0d, 0x06, 0xba, 0x34, 0x66, 0x7a, 0x4c, - 0x26, 0xac, 0xbb, 0xb3, 0x68, 0x66, 0xc4, 0x07, 0x1d, 0x8c, 0x96, 0x6c, 0x20, 0x9c, 0x03, 0xe7, - 0xc9, 0x2e, 0x75, 0xfe, 0xa9, 0xa2, 0xda, 0x11, 0x1f, 0x9c, 0x05, 0xe6, 0x04, 0x7c, 0x89, 0x6a, - 0xc0, 0xfa, 0x41, 0xe4, 0xc2, 0x28, 0x53, 0x73, 0xbb, 0xa8, 0xe6, 0x0c, 0xd1, 0xab, 0xd8, 0xf9, - 0x00, 0xfc, 0x0a, 0x2d, 0x1a, 0x2d, 0xba, 0xc1, 0x68, 0x44, 0x98, 0x67, 0x44, 0xdd, 0x2c, 0x88, - 0x71, 0x4f, 0x7b, 0x7b, 0x15, 0xdb, 0x68, 0xd7, 0x18, 0xf0, 0xf7, 0xa8, 0x35, 0x21, 0xc7, 0x84, - 0x4a, 0xeb, 0xfa, 0xc9, 0x5d, 0x6a, 0xcc, 0x38, 0x9b, 0xac, 0xd4, 0x23, 0xb3, 0xbb, 0xdd, 0x8c, - 0x8d, 0xc0, 0x9b, 0x45, 0x11, 0xee, 0x29, 0xaf, 0xcc, 0xce, 0xcd, 0x1b, 0xf0, 0x39, 0x6a, 0xde, - 0xee, 0x80, 0x8e, 0x88, 0xfc, 0xc1, 0x00, 0x22, 0xa3, 0xe6, 0xb5, 0x42, 0xa5, 0xce, 0x35, 0xea, - 0x4c, 0x83, 0x7a, 0x15, 0x7b, 0x85, 0x97, 0xd8, 0xf1, 0xb7, 0xa8, 0x39, 0xa1, 0xe7, 0x9f, 0x62, - 0xe0, 0xc2, 0xc8, 0xf9, 0xbd, 0x69, 0x72, 0x56, 0x40, 0x49, 0x2d, 0x4a, 0xec, 0xf8, 0x13, 0x54, - 0xcb, 0xdd, 0x01, 0xaa, 0xab, 0xd5, 0x76, 0x96, 0x33, 0x3e, 0xe5, 0x3b, 0x1d, 0x33, 0xb7, 0x57, - 0xb1, 0x51, 0x98, 0x8e, 0x70, 0x0f, 0x3d, 0x8c, 0x8c, 0x58, 0xd2, 0x8d, 0x50, 0x6d, 0xaf, 0xb6, - 0xb3, 0x9a, 0x1d, 0x81, 0x82, 0x9c, 0x7a, 0x15, 0x7b, 0x29, 0x2a, 0xd8, 0x64, 0x7b, 0xba, 0xd5, - 0x94, 0xcd, 0x41, 0xca, 0xda, 0xd3, 0xae, 0xf1, 0x9a, 0x2c, 0x16, 0x2e, 0x72, 0x63, 0x1c, 0xa3, - 0x8e, 0x4b, 0x98, 0x0b, 0xd4, 0x09, 0x63, 0x4a, 0x9d, 0x3b, 0xca, 0xa4, 0x0f, 0xd6, 0xf3, 0x6c, - 0x1b, 0x55, 0xc8, 0x94, 0x62, 0xad, 0xbb, 0x53, 0x11, 0x78, 0x88, 0xd6, 0xc2, 0x98, 0x0f, 0x9d, - 0x44, 0x8b, 0xc0, 0x84, 0x2f, 0x74, 0x6b, 0xd4, 0x33, 0xea, 0xc3, 0xf8, 0x34, 0xb7, 0x31, 0x7c, - 0x68, 0xf4, 0xb8, 0x6f, 0xb0, 0xd9, 0x6c, 0xed, 0xf0, 0x4e, 0x2f, 0xfe, 0x30, 0x69, 0x0e, 0x0b, - 0x85, 0xb2, 0xec, 0xe9, 0xdf, 0x42, 0x77, 0xb0, 0x51, 0xa3, 0xf4, 0xaa, 0x6b, 0xd5, 0x0b, 0xed, - 0xd4, 0x4c, 0x57, 0x28, 0x6e, 0x72, 0xef, 0xe4, 0xcd, 0xf8, 0x0b, 0xb4, 0x98, 0xeb, 0x38, 0x92, - 0x6c, 0xb1, 0x90, 0x4b, 0xda, 0x6a, 0xcc, 0x16, 0x91, 0xdc, 0x18, 0x7f, 0x83, 0x56, 0x22, 0x08, - 0xa3, 0xc0, 0x95, 0x5a, 0xf1, 0x20, 0xa4, 0xc1, 0x58, 0x35, 0x8f, 0x07, 0x85, 0x8c, 0xec, 0x04, - 0xf4, 0x3a, 0xc5, 0xc8, 0x8c, 0xa2, 0x49, 0xb3, 0x3c, 0x67, 0x3e, 0xbb, 0x22, 0xd4, 0x97, 0xed, - 0xde, 0xf1, 0x47, 0x64, 0x00, 0x8e, 0x4b, 0xdc, 0x21, 0xb4, 0x96, 0x0a, 0xe7, 0xec, 0x30, 0x85, - 0x1d, 0x4a, 0xd4, 0x9e, 0x04, 0xc9, 0xc3, 0xe0, 0x97, 0xd8, 0x93, 0x46, 0xf8, 0xa7, 0x85, 0x16, - 0xf2, 0x2b, 0xc2, 0x23, 0xd4, 0x66, 0x81, 0x07, 0x4e, 0x56, 0x85, 0xbe, 0x4f, 0x41, 0x35, 0x5f, - 0xe0, 0x2d, 0x6b, 0x63, 0x66, 0xab, 0xb6, 0xf3, 0x51, 0x69, 0x31, 0xba, 0xc7, 0x81, 0x07, 0x89, - 0xe1, 0xc0, 0xa7, 0x70, 0xaa, 0x62, 0xf6, 0x99, 0x88, 0xc6, 0x76, 0x93, 0x95, 0x3a, 0xdb, 0x80, - 0x1e, 0x4f, 0x09, 0xc3, 0x4b, 0x68, 0x46, 0xbe, 0x31, 0x2c, 0xf5, 0xc6, 0x90, 0x9f, 0xf8, 0x05, - 0x9a, 0xbd, 0x22, 0x34, 0xce, 0x5e, 0x08, 0xe6, 0x41, 0xd3, 0x9d, 0xa0, 0xb0, 0x35, 0xf0, 0xf3, - 0x7b, 0x9f, 0x59, 0x9d, 0xbf, 0x2d, 0x84, 0x27, 0xef, 0x08, 0xcc, 0xff, 0xc3, 0x62, 0x3f, 0x9d, - 0x72, 0xc9, 0xfc, 0x9f, 0x97, 0xfc, 0x12, 0x2d, 0x97, 0xa8, 0x0c, 0x3f, 0x43, 0x8b, 0x99, 0x2e, - 0x1d, 0xdf, 0xd3, 0xcb, 0xac, 0xda, 0xf5, 0xcc, 0x7a, 0xe8, 0xf1, 0xce, 0x2f, 0x16, 0x5a, 0x29, - 0xd3, 0x13, 0xde, 0x47, 0x48, 0x6b, 0xf0, 0x12, 0xc6, 0x49, 0x89, 0x36, 0xa7, 0x4a, 0xb0, 0xab, - 0x3e, 0xdf, 0xc0, 0xd8, 0xae, 0xfa, 0xe6, 0x8b, 0xb7, 0x8f, 0xd0, 0x7c, 0x62, 0x96, 0x4f, 0x4d, - 0x4d, 0xe9, 0x7b, 0x66, 0xd9, 0x73, 0x6a, 0x7c, 0xe8, 0xe1, 0x4d, 0xf4, 0x40, 0xbb, 0xfa, 0xb2, - 0xe3, 0x31, 0x32, 0xd2, 0x45, 0xa8, 0xda, 0x75, 0x65, 0x3e, 0x88, 0x29, 0x3d, 0x26, 0x23, 0xd8, - 0x39, 0x41, 0x75, 0x7d, 0xcb, 0x9c, 0xea, 0x3f, 0x23, 0xf8, 0x15, 0xaa, 0xc9, 0x9b, 0x2e, 0x66, - 0xbe, 0x2b, 0x5f, 0x49, 0xd9, 0xad, 0x76, 0xeb, 0x95, 0xdb, 0x5e, 0xc9, 0xdb, 0x93, 0x9b, 0x7f, - 0xcb, 0x7a, 0x61, 0xed, 0xae, 0xfe, 0x7a, 0xb3, 0x6e, 0xfd, 0x76, 0xb3, 0x6e, 0xfd, 0x7e, 0xb3, - 0x6e, 0xfd, 0xfc, 0xc7, 0x7a, 0xe5, 0xbb, 0xe4, 0x9f, 0xcd, 0xc5, 0x7d, 0xf5, 0x66, 0xfe, 0xf8, - 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x7f, 0x93, 0x65, 0xd7, 0x16, 0x0d, 0x00, 0x00, + // 1275 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x57, 0xdb, 0x6e, 0x1c, 0x45, + 0x13, 0xde, 0x89, 0x7f, 0xc7, 0x71, 0xaf, 0xed, 0x38, 0xed, 0x43, 0xd6, 0x9b, 0xdf, 0x8e, 0xb3, + 0x51, 0x1c, 0x23, 0x81, 0x13, 0x8c, 0x04, 0x08, 0x05, 0x22, 0xe2, 0xd8, 0x5a, 0x2b, 0x07, 0xcc, + 0x38, 0xb9, 0xe0, 0x20, 0x46, 0x9d, 0x99, 0xda, 0xdd, 0x56, 0x7a, 0x7b, 0x86, 0xee, 0x1e, 0x5b, + 0xfb, 0x26, 0x3c, 0x04, 0x0f, 0xc2, 0x25, 0x8f, 0x00, 0x81, 0x1b, 0xee, 0x78, 0x04, 0xd4, 0x87, + 0x39, 0x78, 0x76, 0x3c, 0xe2, 0x92, 0xab, 0xdd, 0xae, 0xfa, 0xaa, 0xba, 0xba, 0xfa, 0xab, 0xaa, + 0x1e, 0xf4, 0x1e, 0xe5, 0x0a, 0x04, 0x27, 0x8c, 0x24, 0xf4, 0x41, 0x08, 0x5c, 0x09, 0xc2, 0x1e, + 0x48, 0xe0, 0x32, 0x16, 0x01, 0x95, 0x20, 0xce, 0x68, 0x08, 0x7b, 0x89, 0x88, 0x55, 0x8c, 0xe7, + 0x9c, 0xba, 0xbb, 0x5b, 0x67, 0x13, 0xb2, 0x54, 0x2a, 0x10, 0x41, 0x18, 0xf3, 0x01, 0x1d, 0x5a, + 0x93, 0x66, 0xa4, 0x54, 0x44, 0xa5, 0xd2, 0x21, 0x77, 0xea, 0x90, 0x1c, 0xd4, 0x79, 0x2c, 0xde, + 0x06, 0x03, 0x16, 0x9f, 0x3b, 0xdc, 0xbd, 0x3a, 0x5c, 0x12, 0x33, 0x1a, 0x4e, 0x02, 0x39, 0xe1, + 0xa1, 0x83, 0xdd, 0x6f, 0x38, 0x16, 0x9c, 0x01, 0x57, 0xb2, 0x29, 0x42, 0x07, 0x4c, 0x93, 0xa1, + 0x20, 0x91, 0x3b, 0x7e, 0xf7, 0x6e, 0x1d, 0x52, 0x01, 0x83, 0x31, 0x28, 0x31, 0x69, 0xda, 0xf7, + 0x0d, 0x91, 0xc0, 0x28, 0x87, 0x72, 0x80, 0xb7, 0xeb, 0x80, 0x23, 0x60, 0x2c, 0x76, 0x80, 0x07, + 0x4d, 0x09, 0xa9, 0xf3, 0x58, 0xbb, 0x35, 0x8b, 0x43, 0xc2, 0x02, 0x19, 0x12, 0xce, 0x41, 0x38, + 0xe0, 0x9a, 0x54, 0xb1, 0x20, 0x43, 0xc8, 0x2e, 0xc2, 0x8a, 0x7b, 0xbf, 0x5f, 0x45, 0x8b, 0x2f, + 0xe4, 0xf0, 0x48, 0xc4, 0xe3, 0x53, 0x73, 0x7e, 0xbc, 0x81, 0xae, 0x8d, 0x88, 0x1c, 0x05, 0x6f, + 0x61, 0xd2, 0x99, 0xdb, 0xf6, 0x76, 0xe7, 0xfd, 0x39, 0xbd, 0x7e, 0x06, 0x13, 0xbc, 0x89, 0x50, + 0x04, 0x51, 0x9a, 0x80, 0x51, 0x5e, 0x33, 0xca, 0x79, 0x2b, 0xd1, 0xea, 0xf7, 0xd1, 0xac, 0xc9, + 0x72, 0xc7, 0xdb, 0xf6, 0x76, 0xdb, 0xfb, 0xab, 0x7b, 0x2e, 0x9e, 0x3d, 0xeb, 0xf9, 0x50, 0xeb, + 0xfa, 0x2d, 0xdf, 0x82, 0xf0, 0x73, 0xb4, 0x52, 0xbe, 0xe9, 0x20, 0x4d, 0x22, 0xa2, 0xa0, 0x73, + 0xc5, 0xd8, 0x76, 0x73, 0xdb, 0x97, 0x16, 0x73, 0xc4, 0xe2, 0xf3, 0xd7, 0x06, 0xd1, 0x6f, 0xf9, + 0x37, 0x78, 0x55, 0x88, 0x1f, 0xa1, 0x45, 0x19, 0x0a, 0x92, 0x40, 0xe6, 0x67, 0xc6, 0xf8, 0x59, + 0x2b, 0x62, 0x30, 0xda, 0xdc, 0xc5, 0x82, 0x2c, 0xad, 0xf1, 0x0f, 0x68, 0x23, 0x8b, 0xc5, 0xb0, + 0x8a, 0x82, 0x0c, 0x04, 0xc8, 0x24, 0xe6, 0x12, 0x3a, 0xff, 0x33, 0x9e, 0xb6, 0xab, 0x11, 0x9d, + 0x38, 0xa0, 0xef, 0x70, 0xfd, 0x96, 0x7f, 0x93, 0xd7, 0xab, 0xb0, 0x8f, 0xd6, 0x2e, 0xf2, 0x3f, + 0x8b, 0x72, 0xd6, 0xf8, 0xfe, 0x7f, 0xee, 0xfb, 0xc0, 0xa2, 0x4e, 0x0d, 0x28, 0x0f, 0x76, 0x25, + 0x9c, 0x16, 0xe3, 0xef, 0xd1, 0xcd, 0x9c, 0x87, 0x41, 0x44, 0x14, 0x29, 0x22, 0xbe, 0x6a, 0xbc, + 0xf6, 0x72, 0xaf, 0x27, 0x29, 0x63, 0xaf, 0x32, 0xec, 0x53, 0xa2, 0x48, 0x29, 0xe6, 0x35, 0x55, + 0xa7, 0xc0, 0x5f, 0xa1, 0x6c, 0xd3, 0x60, 0x04, 0x84, 0xa9, 0x51, 0x40, 0xf9, 0x20, 0xee, 0xcc, + 0x1b, 0xcf, 0x9b, 0xb9, 0x67, 0x9f, 0x9c, 0xbb, 0x90, 0xfb, 0x06, 0x75, 0xcc, 0x07, 0xb1, 0xbe, + 0xa0, 0xb0, 0x2a, 0xd4, 0xe4, 0x30, 0x44, 0xef, 0xa0, 0x5a, 0x72, 0xf4, 0xb5, 0x4e, 0x93, 0xc3, + 0x80, 0xf0, 0x09, 0x5a, 0x23, 0x69, 0x44, 0x55, 0xc0, 0xe2, 0x61, 0x96, 0x32, 0x13, 0x40, 0xdb, + 0x58, 0xdf, 0xca, 0xad, 0xbf, 0xd4, 0xa8, 0xe7, 0xf1, 0xd0, 0xa6, 0xc6, 0x6d, 0x8f, 0xc9, 0x94, + 0x14, 0x0b, 0x74, 0x87, 0x4a, 0x99, 0x42, 0x70, 0xa1, 0x38, 0x82, 0x10, 0x84, 0xd2, 0x77, 0xfd, + 0x63, 0x0a, 0x52, 0x75, 0x16, 0x8c, 0xf7, 0x9d, 0xdc, 0xfb, 0xb1, 0xb6, 0x78, 0xae, 0x0d, 0x4e, + 0x2d, 0xfe, 0x40, 0xc3, 0x7d, 0x8b, 0xee, 0xb7, 0xfc, 0x4d, 0xda, 0x04, 0x78, 0x32, 0x8b, 0x66, + 0xc6, 0x72, 0xd8, 0xc3, 0x68, 0xd9, 0x07, 0x22, 0x25, 0x48, 0x99, 0x31, 0xa3, 0xf7, 0x17, 0x42, + 0xed, 0x17, 0x72, 0xf8, 0x2a, 0x76, 0x55, 0xf7, 0x05, 0x6a, 0x03, 0x1f, 0xc4, 0x22, 0x84, 0x71, + 0x51, 0x41, 0xdd, 0x6a, 0x05, 0x15, 0x88, 0x7e, 0xcb, 0x2f, 0x1b, 0xe0, 0xc7, 0x68, 0xc9, 0xf1, + 0x3f, 0x8c, 0xc7, 0x63, 0xc2, 0x23, 0x57, 0x48, 0xeb, 0x95, 0x02, 0x38, 0xb0, 0xda, 0x7e, 0xcb, + 0x77, 0xf5, 0xe2, 0x04, 0xf8, 0x3b, 0xd4, 0x99, 0x2a, 0x81, 0xcc, 0x95, 0xad, 0xa5, 0xdb, 0x97, + 0x55, 0x40, 0xe1, 0x73, 0x9d, 0xd7, 0x6a, 0x74, 0x74, 0x17, 0x27, 0x85, 0x2b, 0xaa, 0xf5, 0x2a, + 0xf1, 0x0f, 0x8c, 0x56, 0x47, 0x17, 0x96, 0x05, 0xf8, 0x35, 0x5a, 0xbf, 0xd8, 0x9e, 0x03, 0x25, + 0xe8, 0x70, 0x08, 0xc2, 0x55, 0xd0, 0x66, 0x25, 0x53, 0xaf, 0x2d, 0xea, 0x95, 0x05, 0xf5, 0x5b, + 0xfe, 0xaa, 0xac, 0x91, 0xe3, 0x6f, 0xd0, 0xfa, 0x54, 0x0d, 0x59, 0x26, 0xd8, 0x12, 0xba, 0xd3, + 0x54, 0x42, 0x19, 0x09, 0x56, 0x55, 0x8d, 0x1c, 0x7f, 0x8c, 0xda, 0xa5, 0x01, 0x65, 0x3a, 0x69, + 0x7b, 0x7f, 0xa5, 0xf0, 0x67, 0x74, 0xa7, 0x13, 0x1e, 0xf6, 0x5b, 0x3e, 0x4a, 0xf2, 0x15, 0xee, + 0xa3, 0x1b, 0xc2, 0x91, 0x25, 0xbf, 0x08, 0xd3, 0x6a, 0xdb, 0xfb, 0x1b, 0x45, 0xd9, 0x55, 0xe8, + 0xd4, 0x6f, 0xf9, 0xcb, 0xa2, 0x22, 0xd3, 0x2d, 0xf1, 0xc2, 0xc4, 0x70, 0xc5, 0x5b, 0xb4, 0xc4, + 0x27, 0x4e, 0xeb, 0xa2, 0x58, 0x78, 0x53, 0x5a, 0xe3, 0x14, 0xf5, 0x42, 0xc2, 0x43, 0x60, 0x41, + 0x92, 0x32, 0x16, 0x5c, 0x92, 0x26, 0x5b, 0xcc, 0xf7, 0x8b, 0x6b, 0x34, 0x26, 0x0d, 0xc9, 0xda, + 0x0a, 0x1b, 0x11, 0x78, 0x84, 0x36, 0x93, 0x54, 0x8e, 0x82, 0x8c, 0x8b, 0xc0, 0x15, 0x55, 0xb6, + 0x1d, 0xdb, 0x1d, 0x6d, 0x03, 0xb8, 0x5b, 0xba, 0x18, 0x39, 0x72, 0x7c, 0x3c, 0x74, 0xd8, 0x62, + 0xb7, 0x6e, 0x72, 0xa9, 0x16, 0x7f, 0x90, 0x35, 0xa4, 0x85, 0x4a, 0x5a, 0x0e, 0xec, 0x6f, 0xa5, + 0x23, 0xf9, 0x68, 0xad, 0x76, 0x0e, 0x77, 0x16, 0x2b, 0x2d, 0xdc, 0x6d, 0x57, 0x49, 0x6e, 0x36, + 0xeb, 0xca, 0x62, 0xfc, 0x39, 0x5a, 0x2a, 0x75, 0x39, 0xed, 0x6c, 0xa9, 0x12, 0x4b, 0xde, 0xde, + 0xdc, 0x15, 0x91, 0xd2, 0x1a, 0x7f, 0x8d, 0x56, 0x05, 0x24, 0x22, 0x0e, 0x35, 0x57, 0x22, 0x48, + 0x58, 0x3c, 0x31, 0xcd, 0xe3, 0x7a, 0x25, 0x22, 0x3f, 0x03, 0x3d, 0xcd, 0x31, 0x3a, 0x22, 0x31, + 0x2d, 0xd6, 0x75, 0x46, 0xf9, 0x19, 0x61, 0x54, 0x8f, 0x98, 0x80, 0x8e, 0xc9, 0x10, 0x82, 0x90, + 0x84, 0x23, 0xe8, 0x2c, 0x57, 0xea, 0xec, 0x38, 0x87, 0x1d, 0x6b, 0xd4, 0x81, 0x06, 0xe9, 0x62, + 0xa0, 0x35, 0x72, 0x4d, 0xa6, 0xa6, 0xe6, 0xeb, 0xc6, 0xd6, 0x8d, 0x0a, 0x99, 0x2e, 0xeb, 0xbe, + 0xf9, 0xec, 0xda, 0xa2, 0x8d, 0x88, 0xac, 0xff, 0xfe, 0xe9, 0xa1, 0x85, 0x72, 0x22, 0xf1, 0x18, + 0x75, 0x79, 0x1c, 0x41, 0x50, 0x24, 0x7f, 0x40, 0x19, 0x98, 0x39, 0x03, 0xb2, 0xe3, 0x6d, 0xcf, + 0xec, 0xb6, 0xf7, 0x3f, 0xac, 0xbd, 0x83, 0xbd, 0x97, 0x71, 0x04, 0x99, 0xe0, 0x88, 0x32, 0x38, + 0x35, 0x36, 0x87, 0x5c, 0x89, 0x89, 0xbf, 0xce, 0x6b, 0x95, 0x5d, 0x40, 0xb7, 0x1a, 0xcc, 0xf0, + 0x32, 0x9a, 0xd1, 0xcf, 0x29, 0xcf, 0x3c, 0xa7, 0xf4, 0x5f, 0xfc, 0x10, 0xcd, 0x9e, 0x11, 0x96, + 0x16, 0x8f, 0x21, 0xf7, 0x76, 0xdb, 0x9b, 0x72, 0xe1, 0x5b, 0xe0, 0x67, 0x57, 0x3e, 0xf5, 0x7a, + 0x7f, 0x7b, 0x08, 0x4f, 0x8f, 0x43, 0x2c, 0xff, 0xc5, 0x61, 0x3f, 0x69, 0x98, 0xa7, 0xff, 0xe5, + 0x23, 0x3f, 0x42, 0x2b, 0x35, 0xe4, 0xc6, 0xf7, 0xd0, 0x52, 0x51, 0x0e, 0x01, 0x8d, 0xec, 0x31, + 0xe7, 0xfd, 0xc5, 0x42, 0x7a, 0x1c, 0xc9, 0xde, 0xcf, 0x1e, 0x5a, 0xad, 0xa3, 0x31, 0x3e, 0x44, + 0xc8, 0x52, 0xff, 0x2d, 0x4c, 0xb2, 0x14, 0xed, 0x34, 0x32, 0x7f, 0xcf, 0xfc, 0x7d, 0x06, 0x13, + 0x7f, 0x9e, 0xba, 0x7f, 0xb2, 0xfb, 0x02, 0x5d, 0xcb, 0xc4, 0xfa, 0x55, 0x6d, 0x5d, 0xd2, 0xc8, + 0x1d, 0x7b, 0xce, 0xac, 0x8f, 0x23, 0xbc, 0x83, 0xae, 0x5b, 0xd5, 0x40, 0x37, 0x5a, 0x4e, 0xc6, + 0x36, 0x09, 0xf3, 0xfe, 0xa2, 0x11, 0x1f, 0xa5, 0x8c, 0xbd, 0x24, 0x63, 0xd8, 0x3f, 0x41, 0x8b, + 0x76, 0xb8, 0x9d, 0xda, 0x0f, 0x34, 0xfc, 0x18, 0xb5, 0xf5, 0x80, 0x4d, 0x39, 0x0d, 0xf5, 0x83, + 0xb0, 0x18, 0xa6, 0x17, 0x1e, 0xf4, 0xdd, 0xd5, 0xb2, 0x3c, 0x7b, 0x70, 0xec, 0x7a, 0x0f, 0xbd, + 0x27, 0x1b, 0xbf, 0xbc, 0xdb, 0xf2, 0x7e, 0x7d, 0xb7, 0xe5, 0xfd, 0xf6, 0x6e, 0xcb, 0xfb, 0xe9, + 0x8f, 0xad, 0xd6, 0xb7, 0xd9, 0xd7, 0xde, 0x9b, 0xab, 0xe6, 0xf3, 0xe0, 0xa3, 0x7f, 0x02, 0x00, + 0x00, 0xff, 0xff, 0xad, 0x38, 0xed, 0x01, 0x2a, 0x0e, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -1605,6 +1656,27 @@ func (m *MsgFromSensor_AuditLogStatusInfo) MarshalToSizedBuffer(dAtA []byte) (in } return len(dAtA) - i, nil } +func (m *MsgFromSensor_IssueLocalScannerCertsRequest) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *MsgFromSensor_IssueLocalScannerCertsRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + if m.IssueLocalScannerCertsRequest != nil { + { + size, err := m.IssueLocalScannerCertsRequest.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintSensorIservice(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x62 + } + return len(dAtA) - i, nil +} func (m *ReassessPolicies) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -2006,6 +2078,29 @@ func (m *MsgToSensor_InvalidateImageCache) MarshalToSizedBuffer(dAtA []byte) (in } return len(dAtA) - i, nil } +func (m *MsgToSensor_IssueLocalScannerCertsResponse) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *MsgToSensor_IssueLocalScannerCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + if m.IssueLocalScannerCertsResponse != nil { + { + size, err := m.IssueLocalScannerCertsResponse.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintSensorIservice(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x8a + } + return len(dAtA) - i, nil +} func (m *AuditLogSync) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -2372,6 +2467,18 @@ func (m *MsgFromSensor_AuditLogStatusInfo) Size() (n int) { } return n } +func (m *MsgFromSensor_IssueLocalScannerCertsRequest) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.IssueLocalScannerCertsRequest != nil { + l = m.IssueLocalScannerCertsRequest.Size() + n += 1 + l + sovSensorIservice(uint64(l)) + } + return n +} func (m *ReassessPolicies) Size() (n int) { if m == nil { return 0 @@ -2591,6 +2698,18 @@ func (m *MsgToSensor_InvalidateImageCache) Size() (n int) { } return n } +func (m *MsgToSensor_IssueLocalScannerCertsResponse) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.IssueLocalScannerCertsResponse != nil { + l = m.IssueLocalScannerCertsResponse.Size() + n += 2 + l + sovSensorIservice(uint64(l)) + } + return n +} func (m *AuditLogSync) Size() (n int) { if m == nil { return 0 @@ -3111,6 +3230,41 @@ func (m *MsgFromSensor) Unmarshal(dAtA []byte) error { } m.Msg = &MsgFromSensor_AuditLogStatusInfo{v} iNdEx = postIndex + case 12: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IssueLocalScannerCertsRequest", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowSensorIservice + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthSensorIservice + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthSensorIservice + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + v := &IssueLocalScannerCertsRequest{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + m.Msg = &MsgFromSensor_IssueLocalScannerCertsRequest{v} + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipSensorIservice(dAtA[iNdEx:]) @@ -3773,6 +3927,41 @@ func (m *MsgToSensor) Unmarshal(dAtA []byte) error { } m.Msg = &MsgToSensor_InvalidateImageCache{v} iNdEx = postIndex + case 17: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IssueLocalScannerCertsResponse", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowSensorIservice + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthSensorIservice + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthSensorIservice + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + v := &IssueLocalScannerCertsResponse{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + m.Msg = &MsgToSensor_IssueLocalScannerCertsResponse{v} + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipSensorIservice(dAtA[iNdEx:]) diff --git a/generated/storage/service_identity.pb.go b/generated/storage/service_identity.pb.go index 48fdce7f4ce08..11ae6163c4f8e 100644 --- a/generated/storage/service_identity.pb.go +++ b/generated/storage/service_identity.pb.go @@ -225,41 +225,275 @@ func (m *ServiceIdentity) Clone() *ServiceIdentity { return cloned } +type ServiceCertificate struct { + CertPem []byte `protobuf:"bytes,1,opt,name=cert_pem,json=certPem,proto3" json:"cert_pem,omitempty"` + KeyPem []byte `protobuf:"bytes,2,opt,name=key_pem,json=keyPem,proto3" json:"key_pem,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *ServiceCertificate) Reset() { *m = ServiceCertificate{} } +func (m *ServiceCertificate) String() string { return proto.CompactTextString(m) } +func (*ServiceCertificate) ProtoMessage() {} +func (*ServiceCertificate) Descriptor() ([]byte, []int) { + return fileDescriptor_a988b93c2073ff63, []int{1} +} +func (m *ServiceCertificate) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *ServiceCertificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_ServiceCertificate.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *ServiceCertificate) XXX_Merge(src proto.Message) { + xxx_messageInfo_ServiceCertificate.Merge(m, src) +} +func (m *ServiceCertificate) XXX_Size() int { + return m.Size() +} +func (m *ServiceCertificate) XXX_DiscardUnknown() { + xxx_messageInfo_ServiceCertificate.DiscardUnknown(m) +} + +var xxx_messageInfo_ServiceCertificate proto.InternalMessageInfo + +func (m *ServiceCertificate) GetCertPem() []byte { + if m != nil { + return m.CertPem + } + return nil +} + +func (m *ServiceCertificate) GetKeyPem() []byte { + if m != nil { + return m.KeyPem + } + return nil +} + +func (m *ServiceCertificate) MessageClone() proto.Message { + return m.Clone() +} +func (m *ServiceCertificate) Clone() *ServiceCertificate { + if m == nil { + return nil + } + cloned := new(ServiceCertificate) + *cloned = *m + + if m.CertPem != nil { + cloned.CertPem = make([]byte, len(m.CertPem)) + copy(cloned.CertPem, m.CertPem) + } + if m.KeyPem != nil { + cloned.KeyPem = make([]byte, len(m.KeyPem)) + copy(cloned.KeyPem, m.KeyPem) + } + return cloned +} + +type TypedServiceCertificate struct { + ServiceType ServiceType `protobuf:"varint,1,opt,name=service_type,json=serviceType,proto3,enum=storage.ServiceType" json:"service_type,omitempty"` + Cert *ServiceCertificate `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *TypedServiceCertificate) Reset() { *m = TypedServiceCertificate{} } +func (m *TypedServiceCertificate) String() string { return proto.CompactTextString(m) } +func (*TypedServiceCertificate) ProtoMessage() {} +func (*TypedServiceCertificate) Descriptor() ([]byte, []int) { + return fileDescriptor_a988b93c2073ff63, []int{2} +} +func (m *TypedServiceCertificate) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *TypedServiceCertificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_TypedServiceCertificate.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *TypedServiceCertificate) XXX_Merge(src proto.Message) { + xxx_messageInfo_TypedServiceCertificate.Merge(m, src) +} +func (m *TypedServiceCertificate) XXX_Size() int { + return m.Size() +} +func (m *TypedServiceCertificate) XXX_DiscardUnknown() { + xxx_messageInfo_TypedServiceCertificate.DiscardUnknown(m) +} + +var xxx_messageInfo_TypedServiceCertificate proto.InternalMessageInfo + +func (m *TypedServiceCertificate) GetServiceType() ServiceType { + if m != nil { + return m.ServiceType + } + return ServiceType_UNKNOWN_SERVICE +} + +func (m *TypedServiceCertificate) GetCert() *ServiceCertificate { + if m != nil { + return m.Cert + } + return nil +} + +func (m *TypedServiceCertificate) MessageClone() proto.Message { + return m.Clone() +} +func (m *TypedServiceCertificate) Clone() *TypedServiceCertificate { + if m == nil { + return nil + } + cloned := new(TypedServiceCertificate) + *cloned = *m + + cloned.Cert = m.Cert.Clone() + return cloned +} + +type TypedServiceCertificateSet struct { + CaPem []byte `protobuf:"bytes,1,opt,name=ca_pem,json=caPem,proto3" json:"ca_pem,omitempty"` + ServiceCerts []*TypedServiceCertificate `protobuf:"bytes,2,rep,name=service_certs,json=serviceCerts,proto3" json:"service_certs,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *TypedServiceCertificateSet) Reset() { *m = TypedServiceCertificateSet{} } +func (m *TypedServiceCertificateSet) String() string { return proto.CompactTextString(m) } +func (*TypedServiceCertificateSet) ProtoMessage() {} +func (*TypedServiceCertificateSet) Descriptor() ([]byte, []int) { + return fileDescriptor_a988b93c2073ff63, []int{3} +} +func (m *TypedServiceCertificateSet) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *TypedServiceCertificateSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_TypedServiceCertificateSet.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *TypedServiceCertificateSet) XXX_Merge(src proto.Message) { + xxx_messageInfo_TypedServiceCertificateSet.Merge(m, src) +} +func (m *TypedServiceCertificateSet) XXX_Size() int { + return m.Size() +} +func (m *TypedServiceCertificateSet) XXX_DiscardUnknown() { + xxx_messageInfo_TypedServiceCertificateSet.DiscardUnknown(m) +} + +var xxx_messageInfo_TypedServiceCertificateSet proto.InternalMessageInfo + +func (m *TypedServiceCertificateSet) GetCaPem() []byte { + if m != nil { + return m.CaPem + } + return nil +} + +func (m *TypedServiceCertificateSet) GetServiceCerts() []*TypedServiceCertificate { + if m != nil { + return m.ServiceCerts + } + return nil +} + +func (m *TypedServiceCertificateSet) MessageClone() proto.Message { + return m.Clone() +} +func (m *TypedServiceCertificateSet) Clone() *TypedServiceCertificateSet { + if m == nil { + return nil + } + cloned := new(TypedServiceCertificateSet) + *cloned = *m + + if m.CaPem != nil { + cloned.CaPem = make([]byte, len(m.CaPem)) + copy(cloned.CaPem, m.CaPem) + } + if m.ServiceCerts != nil { + cloned.ServiceCerts = make([]*TypedServiceCertificate, len(m.ServiceCerts)) + for idx, v := range m.ServiceCerts { + cloned.ServiceCerts[idx] = v.Clone() + } + } + return cloned +} + func init() { proto.RegisterEnum("storage.ServiceType", ServiceType_name, ServiceType_value) proto.RegisterType((*ServiceIdentity)(nil), "storage.ServiceIdentity") + proto.RegisterType((*ServiceCertificate)(nil), "storage.ServiceCertificate") + proto.RegisterType((*TypedServiceCertificate)(nil), "storage.TypedServiceCertificate") + proto.RegisterType((*TypedServiceCertificateSet)(nil), "storage.TypedServiceCertificateSet") } func init() { proto.RegisterFile("storage/service_identity.proto", fileDescriptor_a988b93c2073ff63) } var fileDescriptor_a988b93c2073ff63 = []byte{ - // 402 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x5c, 0x92, 0xdf, 0x8a, 0xd3, 0x40, - 0x14, 0xc6, 0x3b, 0xe9, 0x9f, 0xb5, 0x67, 0xa5, 0xab, 0xa3, 0x2b, 0x29, 0x68, 0x2c, 0xe2, 0x45, - 0xf1, 0xa2, 0x82, 0xfa, 0x02, 0xcd, 0xec, 0x60, 0x87, 0x4d, 0x66, 0x60, 0x26, 0xab, 0xe0, 0x4d, - 0xe8, 0x6e, 0x82, 0x0c, 0x96, 0xa6, 0x4c, 0x46, 0xb1, 0x6f, 0xe2, 0x53, 0x78, 0xeb, 0x2b, 0x78, - 0xe9, 0x23, 0x48, 0x7d, 0x11, 0x99, 0x24, 0xcd, 0x86, 0xbd, 0x0b, 0xbf, 0xdf, 0x97, 0xf3, 0x9d, - 0x90, 0x03, 0x41, 0x69, 0x0b, 0xb3, 0xfe, 0x9c, 0xbf, 0x2e, 0x73, 0xf3, 0x4d, 0xdf, 0xe4, 0xa9, - 0xce, 0xf2, 0xad, 0xd5, 0x76, 0xbf, 0xd8, 0x99, 0xc2, 0x16, 0xf8, 0xa4, 0xf1, 0x2f, 0x7e, 0x21, - 0x38, 0x53, 0x75, 0x86, 0x35, 0x11, 0xfc, 0x14, 0x46, 0x65, 0x6e, 0xf4, 0x7a, 0xe3, 0xa3, 0x19, - 0x9a, 0xf7, 0x43, 0xcf, 0x47, 0xab, 0x9e, 0x6c, 0x18, 0x7e, 0x0e, 0x50, 0x3f, 0xa5, 0xa5, 0x35, - 0xfe, 0x60, 0x86, 0xe6, 0xe3, 0x55, 0x4f, 0x8e, 0x6b, 0xa6, 0xac, 0xc1, 0x13, 0xf0, 0x74, 0xe6, - 0x7b, 0x4e, 0x48, 0x4f, 0x67, 0x78, 0x0e, 0x03, 0xbb, 0xdf, 0xe5, 0x7e, 0x7f, 0x86, 0xe6, 0x93, - 0x37, 0x8f, 0x17, 0x4d, 0xf5, 0xa2, 0xa9, 0x4d, 0xf6, 0xbb, 0x5c, 0x56, 0x09, 0xfc, 0x12, 0x26, - 0x7a, 0xab, 0x6d, 0x7a, 0xfd, 0x75, 0x9b, 0x6d, 0xdc, 0xce, 0xfe, 0xb0, 0x9a, 0x72, 0xdf, 0xd1, - 0xb0, 0x82, 0x2c, 0x0b, 0x87, 0xd0, 0x2f, 0xcd, 0xe6, 0xd5, 0x4f, 0x0f, 0x4e, 0x3b, 0x23, 0xf0, - 0x23, 0x38, 0xbb, 0xe2, 0x97, 0x5c, 0x7c, 0xe4, 0xa9, 0xa2, 0xf2, 0x03, 0x23, 0xf4, 0x41, 0x0f, - 0x63, 0x98, 0x28, 0xca, 0x95, 0x90, 0x2d, 0x43, 0x2e, 0x48, 0x28, 0x4f, 0xe4, 0x32, 0x6a, 0xa1, - 0xe7, 0x82, 0x92, 0xc6, 0x22, 0xa1, 0x2d, 0xeb, 0xe3, 0x73, 0x78, 0x48, 0x44, 0x14, 0x51, 0x92, - 0x74, 0xde, 0x1f, 0xe0, 0x29, 0x9c, 0xc7, 0x82, 0xb3, 0x44, 0x48, 0xc6, 0xdf, 0xa7, 0x57, 0xac, - 0x55, 0xc3, 0x3b, 0xea, 0x22, 0x6c, 0xd5, 0x08, 0x3f, 0x83, 0x69, 0x47, 0x91, 0x88, 0x51, 0x9e, - 0xb4, 0xfa, 0xc4, 0x75, 0x85, 0x94, 0x93, 0x55, 0xbc, 0x94, 0x97, 0x2d, 0xbe, 0xe7, 0x76, 0x55, - 0x64, 0xc9, 0x39, 0xbd, 0x5d, 0x60, 0x8c, 0x9f, 0x00, 0x3e, 0xc2, 0x4e, 0x05, 0xb8, 0x8a, 0xe5, - 0x45, 0xcc, 0x94, 0x62, 0x82, 0xa7, 0x44, 0xf0, 0x44, 0x8a, 0xdb, 0x4f, 0x3c, 0x0d, 0xdf, 0xfd, - 0x3e, 0x04, 0xe8, 0xcf, 0x21, 0x40, 0x7f, 0x0f, 0x01, 0xfa, 0xf1, 0x2f, 0xe8, 0xc1, 0x54, 0x17, - 0x8b, 0xd2, 0xae, 0x6f, 0xbe, 0x98, 0xe2, 0x7b, 0x7d, 0x18, 0xc7, 0x9f, 0xf3, 0xe9, 0x78, 0x20, - 0xd7, 0xa3, 0x8a, 0xbf, 0xfd, 0x1f, 0x00, 0x00, 0xff, 0xff, 0xf0, 0xd4, 0xa1, 0x53, 0x52, 0x02, - 0x00, 0x00, + // 535 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x93, 0xcb, 0x6e, 0xd3, 0x4e, + 0x18, 0xc5, 0x33, 0xce, 0xad, 0xfd, 0x92, 0x7f, 0xfa, 0x67, 0x20, 0xd4, 0xe1, 0x12, 0xa2, 0x88, + 0x45, 0xc4, 0x22, 0x95, 0x02, 0x12, 0xeb, 0xd8, 0x1d, 0x11, 0xab, 0xc9, 0xb8, 0x1a, 0xbb, 0x20, + 0xb1, 0xb1, 0x5c, 0x7b, 0x40, 0xa3, 0x5c, 0x65, 0x0f, 0x88, 0xb0, 0xe5, 0x25, 0x78, 0x0a, 0xb6, + 0xbc, 0x02, 0x4b, 0x1e, 0x01, 0x85, 0x17, 0x41, 0xe3, 0xd8, 0x8e, 0x55, 0x51, 0x76, 0x99, 0xdf, + 0xf9, 0xe6, 0x3b, 0xe7, 0xc4, 0x1a, 0xe8, 0xc6, 0x72, 0x1d, 0xf9, 0xef, 0xf9, 0x59, 0xcc, 0xa3, + 0x8f, 0x22, 0xe0, 0x9e, 0x08, 0xf9, 0x4a, 0x0a, 0xb9, 0x1d, 0x6e, 0xa2, 0xb5, 0x5c, 0xe3, 0x7a, + 0xaa, 0xf7, 0xbf, 0x23, 0x38, 0x71, 0xf6, 0x33, 0x56, 0x3a, 0x82, 0x1f, 0x41, 0x2d, 0xe6, 0x91, + 0xf0, 0x17, 0x3a, 0xea, 0xa1, 0x41, 0xd9, 0xd0, 0x74, 0x34, 0x29, 0xb1, 0x94, 0xe1, 0x27, 0x00, + 0xfb, 0x5f, 0x5e, 0x2c, 0x23, 0xbd, 0xd2, 0x43, 0x83, 0xe3, 0x49, 0x89, 0x1d, 0xef, 0x99, 0x23, + 0x23, 0xdc, 0x02, 0x4d, 0x84, 0xba, 0xa6, 0x04, 0xa6, 0x89, 0x10, 0x0f, 0xa0, 0x22, 0xb7, 0x1b, + 0xae, 0x97, 0x7b, 0x68, 0xd0, 0x1a, 0xdd, 0x1b, 0xa6, 0xd6, 0xc3, 0xd4, 0xd6, 0xdd, 0x6e, 0x38, + 0x4b, 0x26, 0xf0, 0x53, 0x68, 0x89, 0x95, 0x90, 0xde, 0xf5, 0x87, 0x55, 0xb8, 0x50, 0x99, 0xf5, + 0x6a, 0xb2, 0xa5, 0xa9, 0xa8, 0x91, 0x40, 0x2b, 0x34, 0xaa, 0x50, 0x8e, 0xa3, 0x45, 0x7f, 0x02, + 0x38, 0xdd, 0x60, 0xf2, 0x48, 0x8a, 0x77, 0x22, 0xf0, 0x25, 0xc7, 0x1d, 0x38, 0x0a, 0x78, 0x24, + 0xbd, 0x0d, 0x5f, 0x26, 0xe9, 0x9b, 0xac, 0xae, 0xce, 0x97, 0x7c, 0x89, 0x4f, 0xa1, 0x3e, 0xe7, + 0xdb, 0x44, 0xd1, 0x12, 0xa5, 0x36, 0xe7, 0xdb, 0x4b, 0xbe, 0xec, 0x7f, 0x41, 0x70, 0xaa, 0x52, + 0x84, 0x7f, 0xd9, 0xf7, 0x12, 0x9a, 0xd9, 0x5f, 0x98, 0x94, 0x40, 0xff, 0x28, 0xd1, 0x88, 0x0f, + 0x07, 0x7c, 0x06, 0x15, 0x65, 0x9c, 0x58, 0x35, 0x46, 0x0f, 0x6f, 0x5e, 0x28, 0x78, 0xb0, 0x64, + 0xb0, 0xff, 0x19, 0x1e, 0xdc, 0x12, 0xc2, 0xe1, 0x12, 0xb7, 0xa1, 0x16, 0xf8, 0x85, 0x56, 0xd5, + 0xc0, 0x57, 0x9d, 0x08, 0xfc, 0x97, 0xc5, 0x53, 0x4b, 0x62, 0x5d, 0xeb, 0x95, 0x07, 0x8d, 0x51, + 0x2f, 0xb7, 0xbb, 0x65, 0x25, 0xcb, 0x5a, 0x29, 0x16, 0x3f, 0xfb, 0xa6, 0x41, 0xa3, 0xd0, 0x04, + 0xdf, 0x85, 0x93, 0x2b, 0x7a, 0x41, 0xed, 0x37, 0xd4, 0x73, 0x08, 0x7b, 0x6d, 0x99, 0xe4, 0xff, + 0x12, 0xc6, 0xd0, 0x72, 0x08, 0x75, 0x6c, 0x96, 0x33, 0xa4, 0x06, 0x4d, 0x42, 0x5d, 0x36, 0x9e, + 0xe6, 0x50, 0x53, 0x83, 0x8c, 0xcc, 0x6c, 0x97, 0xe4, 0xac, 0x8c, 0xdb, 0x70, 0xc7, 0xb4, 0xa7, + 0x53, 0x62, 0xba, 0x85, 0xfb, 0x15, 0xdc, 0x81, 0xf6, 0xcc, 0xa6, 0x96, 0x6b, 0x33, 0x8b, 0xbe, + 0xf2, 0xae, 0xac, 0x5c, 0xaa, 0xde, 0x90, 0xce, 0x8d, 0x5c, 0xaa, 0xe1, 0xc7, 0xd0, 0x29, 0x48, + 0xe6, 0xd4, 0x22, 0xd4, 0xcd, 0xe5, 0xba, 0xf2, 0x32, 0x08, 0x35, 0x27, 0xb3, 0x31, 0xbb, 0xc8, + 0xf1, 0x91, 0xca, 0xea, 0x98, 0x63, 0x4a, 0xc9, 0x21, 0xc0, 0x31, 0xbe, 0x0f, 0x38, 0x83, 0x05, + 0x0b, 0x50, 0x16, 0xe3, 0xf3, 0x99, 0xe5, 0x38, 0x96, 0x4d, 0x3d, 0xd3, 0xa6, 0x2e, 0xb3, 0x0f, + 0x15, 0x1b, 0xc6, 0x8b, 0x1f, 0xbb, 0x2e, 0xfa, 0xb9, 0xeb, 0xa2, 0x5f, 0xbb, 0x2e, 0xfa, 0xfa, + 0xbb, 0x5b, 0x82, 0x8e, 0x58, 0x0f, 0x63, 0xe9, 0x07, 0xf3, 0x68, 0xfd, 0x69, 0xff, 0xc8, 0xb2, + 0x6f, 0xf0, 0x36, 0x7b, 0x6c, 0xd7, 0xb5, 0x84, 0x3f, 0xff, 0x13, 0x00, 0x00, 0xff, 0xff, 0x44, + 0xd1, 0x58, 0x4a, 0x9e, 0x03, 0x00, 0x00, } func (m *ServiceIdentity) Marshal() (dAtA []byte, err error) { @@ -343,6 +577,139 @@ func (m *ServiceIdentity_SerialStr) MarshalToSizedBuffer(dAtA []byte) (int, erro dAtA[i] = 0x22 return len(dAtA) - i, nil } +func (m *ServiceCertificate) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *ServiceCertificate) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *ServiceCertificate) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.KeyPem) > 0 { + i -= len(m.KeyPem) + copy(dAtA[i:], m.KeyPem) + i = encodeVarintServiceIdentity(dAtA, i, uint64(len(m.KeyPem))) + i-- + dAtA[i] = 0x12 + } + if len(m.CertPem) > 0 { + i -= len(m.CertPem) + copy(dAtA[i:], m.CertPem) + i = encodeVarintServiceIdentity(dAtA, i, uint64(len(m.CertPem))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func (m *TypedServiceCertificate) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *TypedServiceCertificate) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *TypedServiceCertificate) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.Cert != nil { + { + size, err := m.Cert.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintServiceIdentity(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + if m.ServiceType != 0 { + i = encodeVarintServiceIdentity(dAtA, i, uint64(m.ServiceType)) + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + +func (m *TypedServiceCertificateSet) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *TypedServiceCertificateSet) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *TypedServiceCertificateSet) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.ServiceCerts) > 0 { + for iNdEx := len(m.ServiceCerts) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.ServiceCerts[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintServiceIdentity(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + } + if len(m.CaPem) > 0 { + i -= len(m.CaPem) + copy(dAtA[i:], m.CaPem) + i = encodeVarintServiceIdentity(dAtA, i, uint64(len(m.CaPem))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + func encodeVarintServiceIdentity(dAtA []byte, offset int, v uint64) int { offset -= sovServiceIdentity(v) base := offset @@ -399,14 +766,74 @@ func (m *ServiceIdentity_SerialStr) Size() (n int) { n += 1 + l + sovServiceIdentity(uint64(l)) return n } - -func sovServiceIdentity(x uint64) (n int) { - return (math_bits.Len64(x|1) + 6) / 7 +func (m *ServiceCertificate) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.CertPem) + if l > 0 { + n += 1 + l + sovServiceIdentity(uint64(l)) + } + l = len(m.KeyPem) + if l > 0 { + n += 1 + l + sovServiceIdentity(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n } -func sozServiceIdentity(x uint64) (n int) { - return sovServiceIdentity(uint64((x << 1) ^ uint64((int64(x) >> 63)))) + +func (m *TypedServiceCertificate) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.ServiceType != 0 { + n += 1 + sovServiceIdentity(uint64(m.ServiceType)) + } + if m.Cert != nil { + l = m.Cert.Size() + n += 1 + l + sovServiceIdentity(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n } -func (m *ServiceIdentity) Unmarshal(dAtA []byte) error { + +func (m *TypedServiceCertificateSet) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.CaPem) + if l > 0 { + n += 1 + l + sovServiceIdentity(uint64(l)) + } + if len(m.ServiceCerts) > 0 { + for _, e := range m.ServiceCerts { + l = e.Size() + n += 1 + l + sovServiceIdentity(uint64(l)) + } + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func sovServiceIdentity(x uint64) (n int) { + return (math_bits.Len64(x|1) + 6) / 7 +} +func sozServiceIdentity(x uint64) (n int) { + return sovServiceIdentity(uint64((x << 1) ^ uint64((int64(x) >> 63)))) +} +func (m *ServiceIdentity) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { @@ -592,6 +1019,350 @@ func (m *ServiceIdentity) Unmarshal(dAtA []byte) error { } return nil } +func (m *ServiceCertificate) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: ServiceCertificate: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: ServiceCertificate: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field CertPem", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.CertPem = append(m.CertPem[:0], dAtA[iNdEx:postIndex]...) + if m.CertPem == nil { + m.CertPem = []byte{} + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field KeyPem", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.KeyPem = append(m.KeyPem[:0], dAtA[iNdEx:postIndex]...) + if m.KeyPem == nil { + m.KeyPem = []byte{} + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipServiceIdentity(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthServiceIdentity + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *TypedServiceCertificate) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: TypedServiceCertificate: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: TypedServiceCertificate: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field ServiceType", wireType) + } + m.ServiceType = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.ServiceType |= ServiceType(b&0x7F) << shift + if b < 0x80 { + break + } + } + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Cert", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Cert == nil { + m.Cert = &ServiceCertificate{} + } + if err := m.Cert.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipServiceIdentity(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthServiceIdentity + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *TypedServiceCertificateSet) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: TypedServiceCertificateSet: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: TypedServiceCertificateSet: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field CaPem", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.CaPem = append(m.CaPem[:0], dAtA[iNdEx:postIndex]...) + if m.CaPem == nil { + m.CaPem = []byte{} + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ServiceCerts", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ServiceCerts = append(m.ServiceCerts, &TypedServiceCertificate{}) + if err := m.ServiceCerts[len(m.ServiceCerts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipServiceIdentity(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthServiceIdentity + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func skipServiceIdentity(dAtA []byte) (n int, err error) { l := len(dAtA) iNdEx := 0 diff --git a/pkg/centralsensor/caps_list.go b/pkg/centralsensor/caps_list.go index e31cd51e8a556..e0b85406eee2b 100644 --- a/pkg/centralsensor/caps_list.go +++ b/pkg/centralsensor/caps_list.go @@ -24,4 +24,7 @@ const ( // AuditLogEventsCap identifies the capability to handle audit log event detection. AuditLogEventsCap SensorCapability = "AuditLogEvents" + + // LocalScannerCredentialsRefresh identifies the capability to maintain the Local scanner TLS credentials refreshed. + LocalScannerCredentialsRefresh SensorCapability = "LocalScannerCredentialsRefresh" ) diff --git a/pkg/mtls/crypto.go b/pkg/mtls/crypto.go index 03ff11ba901aa..13db9b333100c 100644 --- a/pkg/mtls/crypto.go +++ b/pkg/mtls/crypto.go @@ -105,6 +105,10 @@ var ( readCAKeyOnce sync.Once caKeyFileContents []byte caKeyErr error + + caForSigningOnce sync.Once + caForSigning CA + caForSigningErr error ) // IssuedCert is a representation of an issued certificate @@ -183,16 +187,22 @@ func CACert() (*x509.Certificate, []byte, error) { // CAForSigning reads the cert and key from the local file system and returns // a corresponding CA instance that can be used for signing. func CAForSigning() (CA, error) { - _, certPEM, _, err := readCA() - if err != nil { - return nil, errors.Wrap(err, "could not read CA cert file") - } - keyPEM, err := readCAKey() - if err != nil { - return nil, errors.Wrap(err, "could not read CA key file") - } + caForSigningOnce.Do(func() { + _, certPEM, _, err := readCA() + if err != nil { + caForSigningErr = errors.Wrap(err, "could not read CA cert file") + return + } + keyPEM, err := readCAKey() + if err != nil { + caForSigningErr = errors.Wrap(err, "could not read CA key file") + return + } + + caForSigning, caForSigningErr = LoadCAForSigning(certPEM, keyPEM) + }) - return LoadCAForSigning(certPEM, keyPEM) + return caForSigning, caForSigningErr } func signer() (cfsigner.Signer, error) { diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto new file mode 100644 index 0000000000000..2a05dab413401 --- /dev/null +++ b/proto/internalapi/central/local_scanner.proto @@ -0,0 +1,23 @@ +syntax = "proto3"; + +option go_package = "central"; + +import "storage/service_identity.proto"; + +package central; + +message LocalScannerCertsIssueError { + string message = 1; +} + +message IssueLocalScannerCertsRequest { + string request_id = 1; +} + +message IssueLocalScannerCertsResponse { + string request_id = 1; + oneof response { + storage.TypedServiceCertificateSet certificates = 2; + LocalScannerCertsIssueError error = 3; + } +} diff --git a/proto/internalapi/central/sensor_iservice.proto b/proto/internalapi/central/sensor_iservice.proto index 2dd96176af088..fe9d2a2c53410 100644 --- a/proto/internalapi/central/sensor_iservice.proto +++ b/proto/internalapi/central/sensor_iservice.proto @@ -12,6 +12,7 @@ import "internalapi/central/telemetry.proto"; import "internalapi/central/baseline_sync.proto"; import "internalapi/central/hello.proto"; import "internalapi/central/network_baseline_sync.proto"; +import "internalapi/central/local_scanner.proto"; import "storage/cluster.proto"; package central; @@ -29,6 +30,7 @@ message MsgFromSensor { RawClusterHealthInfo cluster_health_info = 9; SensorHello hello = 10; AuditLogStatusInfo audit_log_status_info = 11; + IssueLocalScannerCertsRequest issue_local_scanner_certs_request = 12; } } @@ -52,6 +54,7 @@ message MsgToSensor { AuditLogSync audit_log_sync = 14; ReprocessDeployment reprocess_deployment = 15; InvalidateImageCache invalidate_image_cache = 16; + IssueLocalScannerCertsResponse issue_local_scanner_certs_response = 17; } } diff --git a/proto/storage/service_identity.proto b/proto/storage/service_identity.proto index 9ca023fd37c20..ef9d60ea242c9 100644 --- a/proto/storage/service_identity.proto +++ b/proto/storage/service_identity.proto @@ -29,3 +29,18 @@ enum ServiceType { SCANNER_DB_SERVICE = 10; ADMISSION_CONTROL_SERVICE = 11; } + +message ServiceCertificate { + bytes cert_pem = 1; + bytes key_pem = 2; +} + +message TypedServiceCertificate { + ServiceType service_type = 1; + ServiceCertificate cert = 2; +} + +message TypedServiceCertificateSet { + bytes ca_pem = 1; + repeated TypedServiceCertificate service_certs = 2; +} diff --git a/sensor/kubernetes/localscanner/tls_issuer.go b/sensor/kubernetes/localscanner/tls_issuer.go new file mode 100644 index 0000000000000..7d91212ff320a --- /dev/null +++ b/sensor/kubernetes/localscanner/tls_issuer.go @@ -0,0 +1,287 @@ +package localscanner + +import ( + "context" + "crypto/x509" + "math/rand" + "time" + + "github.com/cloudflare/cfssl/helpers" + "github.com/pkg/errors" + "github.com/stackrox/rox/generated/internalapi/central" + "github.com/stackrox/rox/generated/storage" + "github.com/stackrox/rox/pkg/centralsensor" + "github.com/stackrox/rox/pkg/logging" + "github.com/stackrox/rox/pkg/mtls" + "github.com/stackrox/rox/pkg/uuid" + "github.com/stackrox/rox/sensor/common" + v1 "k8s.io/api/core/v1" + k8sErrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes" + corev1 "k8s.io/client-go/kubernetes/typed/core/v1" +) + +const ( + issueCertificatesTimeout = 2 * time.Minute + fetchSecretsTimeout = 2 * time.Minute + updateSecretsTimeout = 2 * time.Minute + refreshSecretsMaxNumAttempts = uint(5) + refreshSecretAttemptWaitTime = 5 * time.Minute + refreshSecretAllAttemptsFailedWaitTime = 2 * time.Hour + localScannerCredentialsSecretName = "scanner-local-tls" + localScannerDBCredentialsSecretName = "scanner-db-local-tls" +) + +var ( + log = logging.LoggerForModule() + _ common.SensorComponent = (*localScannerTLSIssuerImpl)(nil) +) + +// NewLocalScannerTLSIssuer creates a Sensor component that maintains the local Scanner TLS certificates +func NewLocalScannerTLSIssuer(k8sClient kubernetes.Interface, sensorNamespace string) common.SensorComponent { + return &localScannerTLSIssuerImpl{ + sensorNamespace: sensorNamespace, + secretsClient: k8sClient.CoreV1().Secrets(sensorNamespace), + ctx: context.Background(), + responsesC: make(chan *central.MsgFromSensor), + } +} + +type localScannerTLSIssuerImpl struct { + sensorNamespace string + secretsClient corev1.SecretInterface + numLocalScannerSecretRefreshAttempts uint + refreshTimer *time.Timer + ctx context.Context + responsesC chan *central.MsgFromSensor +} + +func (i *localScannerTLSIssuerImpl) Start() error { + log.Info("starting local scanner TLS issuer.") + + if err := i.scheduleLocalScannerSecretsRefresh(); err != nil { + return errors.Wrap(err, "failure scheduling local scanner secrets refresh") + } + + log.Info("local scanner TLS issuer started.") + + return nil +} + +func (i *localScannerTLSIssuerImpl) Stop(err error) { + if i.refreshTimer != nil { + i.refreshTimer.Stop() + } + log.Info("local scanner TLS issuer stopped.") +} + +func (i *localScannerTLSIssuerImpl) Capabilities() []centralsensor.SensorCapability { + return []centralsensor.SensorCapability{centralsensor.LocalScannerCredentialsRefresh} +} + +func (i *localScannerTLSIssuerImpl) ProcessMessage(msg *central.MsgToSensor) error { + switch m := msg.GetMsg().(type) { + case *central.MsgToSensor_IssueLocalScannerCertsResponse: + nextTimeToRefresh, refreshErr := i.refreshLocalScannerSecrets(m.IssueLocalScannerCertsResponse) + if refreshErr == nil { + log.Infof("successfully refreshed local Scanner credential secrets %s and %s", + localScannerCredentialsSecretName, localScannerDBCredentialsSecretName) + i.numLocalScannerSecretRefreshAttempts = 0 + i.doScheduleLocalScannerSecretsRefresh(nextTimeToRefresh) + return nil + } + // note centralReceiverImpl just logs the error + err := errors.Wrapf(refreshErr, "attempt %d to refresh local Scanner credential secrets, will retry in %s", + i.numLocalScannerSecretRefreshAttempts, refreshSecretAttemptWaitTime) + i.numLocalScannerSecretRefreshAttempts++ + if i.numLocalScannerSecretRefreshAttempts <= refreshSecretsMaxNumAttempts { + i.doScheduleLocalScannerSecretsRefresh(refreshSecretAttemptWaitTime) + } else { + err = errors.Wrapf(refreshErr, "Failed to refresh local Scanner credential secrets after %d attempts, "+ + "will wait %s and restart the retry cycle", + refreshSecretsMaxNumAttempts, refreshSecretAllAttemptsFailedWaitTime) + i.numLocalScannerSecretRefreshAttempts = 0 + i.doScheduleLocalScannerSecretsRefresh(refreshSecretAllAttemptsFailedWaitTime) + } + return err + + default: + // FIXME return err + return nil + } +} + +func (i *localScannerTLSIssuerImpl) ResponsesC() <-chan *central.MsgFromSensor { + return i.responsesC +} + +func (i *localScannerTLSIssuerImpl) scheduleLocalScannerSecretsRefresh() error { + localScannerCredsSecret, localScannerDBCredsSecret, fetchErr := i.fetchLocalScannerSecrets() + if k8sErrors.IsNotFound(fetchErr) { + log.Warnf("some local scanner secret is missing, "+ + "TLS issuer will not maintain any local scanner secret fresh : %v", fetchErr) + return nil + } + if fetchErr != nil { + // FIXME wrap + return fetchErr + } + + // if certificates are already expired this refreshes immediately. + i.doScheduleLocalScannerSecretsRefresh(getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret)) + return nil +} + +func (i *localScannerTLSIssuerImpl) doScheduleLocalScannerSecretsRefresh(timeToRefresh time.Duration) { + log.Infof("local scanner certificates scheduled to be refreshed in %s", timeToRefresh) + i.refreshTimer = time.AfterFunc(timeToRefresh, func() { + if err := i.issueScannerCertificates(); err != nil { + // FIXME log and treat as o.numLocalScannerSecretRefreshAttempts >= refreshSecretsMaxNumAttempts + log.Error("FIXME") + } + }) +} + +func getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret *v1.Secret) time.Duration { + scannerDuration := getScannerSecretDuration(localScannerCredsSecret) + scannerDBDuration := getScannerSecretDuration(localScannerDBCredsSecret) + if scannerDuration > scannerDBDuration { + return scannerDBDuration + } + return scannerDuration +} + +func getScannerSecretDurationFromCertificate(scannerCert *x509.Certificate) time.Duration { + certValidityDurationSecs := scannerCert.NotAfter.Sub(scannerCert.NotBefore).Seconds() + durationBeforeRenewalAttempt := time.Second * + (time.Duration(certValidityDurationSecs/2) - time.Duration(rand.Intn(int(certValidityDurationSecs/10)))) + certRenewalTime := scannerCert.NotBefore.Add(durationBeforeRenewalAttempt) + timeToRefresh := time.Until(certRenewalTime) + if timeToRefresh.Seconds() <= 0 { + // Certificate is already expired. + return 0 + } + return timeToRefresh +} + +func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { + scannerCertBytes := scannerSecret.Data[mtls.ServiceCertFileName] + var ( + scannerCert *x509.Certificate + err error + ) + if len(scannerCertBytes) == 0 { + err = errors.Errorf("empty certificate for secret %s, will refresh secret immediately", + scannerSecret.GetName()) + } else { + scannerCert, err = helpers.ParseCertificatePEM(scannerCertBytes) + } + if err != nil { + // Note this also covers a secret with no certificates stored, which should be refreshed immediately. + log.Warnf("failure parsing certificate for secret %s, will refresh secret immediately %v", + scannerSecret.GetName(), err) + return 0 + } + + return getScannerSecretDurationFromCertificate(scannerCert) +} + +func (i *localScannerTLSIssuerImpl) issueScannerCertificates() error { + ctx, cancel := context.WithTimeout(i.ctx, issueCertificatesTimeout) + defer cancel() + requestID := uuid.NewV4().String() // FIXME validate response has the same request ID + msg := ¢ral.MsgFromSensor{ + Msg: ¢ral.MsgFromSensor_IssueLocalScannerCertsRequest{ + IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{ + RequestId: requestID, + }, + }, + } + select { + case i.responsesC <- msg: + log.Debugf("Request to issue local Scanner certificates sent to Central succesfully: %v", msg) + return nil + case <-ctx.Done(): + return ctx.Err() + } +} + +func (i *localScannerTLSIssuerImpl) fetchLocalScannerSecrets() (*v1.Secret, *v1.Secret, error) { + ctx, cancel := context.WithTimeout(i.ctx, fetchSecretsTimeout) + defer cancel() + + // FIXME multierror + localScannerCredsSecret, err := i.secretsClient.Get(ctx, localScannerCredentialsSecretName, metav1.GetOptions{}) + if err != nil { + return nil, nil, errors.Wrapf(err, "for secret %s", localScannerCredentialsSecretName) + } + localScannerDBCredsSecret, err := i.secretsClient.Get(ctx, localScannerDBCredentialsSecretName, metav1.GetOptions{}) + if err != nil { + return nil, nil, errors.Wrapf(err, "for secret %s", localScannerDBCredentialsSecretName) + } + + return localScannerCredsSecret, localScannerDBCredsSecret, nil +} + +func setScannerCerts(scannerSecret, scannerDBSecert *v1.Secret, certificates *storage.TypedServiceCertificateSet) error { + // FIXME: validate all fields present + for _, cert := range certificates.GetServiceCerts() { + switch cert.GetServiceType() { + case storage.ServiceType_SCANNER_SERVICE: + scannerSecret.Data = map[string][]byte{ + mtls.ServiceCertFileName: cert.GetCert().GetCertPem(), + mtls.CACertFileName: certificates.GetCaPem(), + mtls.ServiceKeyFileName: cert.GetCert().GetKeyPem(), + } + case storage.ServiceType_SCANNER_DB_SERVICE: + scannerDBSecert.Data = map[string][]byte{ + mtls.ServiceCertFileName: cert.GetCert().GetCertPem(), + mtls.CACertFileName: certificates.GetCaPem(), + mtls.ServiceKeyFileName: cert.GetCert().GetKeyPem(), + } + + default: + return errors.New("FIXME") + } + } + + return nil +} + +// When any of the secrets is missing this returns an err such that k8sErrors.IsNotFound(err) is true +// On success it returns the duration after which the secrets should be refreshed +func (i *localScannerTLSIssuerImpl) refreshLocalScannerSecrets(issueCertsResponse *central.IssueLocalScannerCertsResponse) (time.Duration, error) { + localScannerCredsSecret, localScannerDBCredsSecret, err := i.fetchLocalScannerSecrets() + if err != nil { + // FIXME wrap + return 0, err + } + + if issueCertsResponse.GetError() != nil { + // FIXME Wrap + return 0, errors.New(issueCertsResponse.GetError().GetMessage()) + } + + if err := setScannerCerts(localScannerCredsSecret, localScannerDBCredsSecret, issueCertsResponse.GetCertificates()); err != nil { + // FIXME wrap + return 0, err + } + + ctx, cancel := context.WithTimeout(i.ctx, updateSecretsTimeout) + defer cancel() + // FIXME do a loop, and apply pattern elsewhere + localScannerCredsSecret, err = i.secretsClient.Update(ctx, localScannerCredsSecret, metav1.UpdateOptions{}) + if err != nil { + // FIXME wrap + return 0, err + } + localScannerDBCredsSecret, err = i.secretsClient.Update(ctx, localScannerDBCredsSecret, metav1.UpdateOptions{}) + if err != nil { + // FIXME wrap + return 0, err + } + + timeToRefresh := getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret) + return timeToRefresh, nil +} diff --git a/sensor/kubernetes/localscanner/tls_issuer_test.go b/sensor/kubernetes/localscanner/tls_issuer_test.go new file mode 100644 index 0000000000000..01848e2c7e3e0 --- /dev/null +++ b/sensor/kubernetes/localscanner/tls_issuer_test.go @@ -0,0 +1,28 @@ +package localscanner + +import ( + "crypto/x509" + "testing" + "time" + + "github.com/stretchr/testify/suite" +) + +func TestHandler(t *testing.T) { + suite.Run(t, new(tlsIssuerSuite)) +} + +type tlsIssuerSuite struct { + suite.Suite +} + +func (s *tlsIssuerSuite) TestGetScannerSecretDurationFromCertificate() { + now := time.Now() + afterOffset := 2 * 24 * time.Hour + scannerCert := &x509.Certificate{ + NotBefore: now, + NotAfter: now.Add(afterOffset), + } + certDuration := getScannerSecretDurationFromCertificate(scannerCert) + s.LessOrEqual(certDuration, afterOffset/2) +} diff --git a/sensor/kubernetes/sensor/sensor.go b/sensor/kubernetes/sensor/sensor.go index c54609364aee3..7b1213130f4d9 100644 --- a/sensor/kubernetes/sensor/sensor.go +++ b/sensor/kubernetes/sensor/sensor.go @@ -45,6 +45,7 @@ import ( "github.com/stackrox/rox/sensor/kubernetes/fake" "github.com/stackrox/rox/sensor/kubernetes/listener" "github.com/stackrox/rox/sensor/kubernetes/listener/resources" + "github.com/stackrox/rox/sensor/kubernetes/localscanner" "github.com/stackrox/rox/sensor/kubernetes/networkpolicies" "github.com/stackrox/rox/sensor/kubernetes/orchestrator" "github.com/stackrox/rox/sensor/kubernetes/telemetry" @@ -115,6 +116,18 @@ func CreateSensor(client client.Interface, workloadHandler *fake.WorkloadManager imageService := image.NewService(imageCache) complianceCommandHandler := compliance.NewCommandHandler(complianceService) + sensorNamespace, err := satoken.LoadNamespaceFromFile() + if err != nil { + log.Errorf("Failed to determine namespace from service account token file: %s", err) + } + if sensorNamespace == "" { + sensorNamespace = os.Getenv("POD_NAMESPACE") + } + if sensorNamespace == "" { + sensorNamespace = namespaces.StackRox + log.Warnf("Unable to determine Sensor namespace, defaulting to %s", sensorNamespace) + } + // Create Process Pipeline indicators := make(chan *central.MsgFromSensor) processPipeline := processsignal.NewProcessPipeline(indicators, clusterentities.StoreInstance(), processfilter.Singleton(), policyDetector) @@ -141,16 +154,8 @@ func CreateSensor(client client.Interface, workloadHandler *fake.WorkloadManager components = append(components, reprocessor.NewHandler(admCtrlSettingsMgr, policyDetector, imageCache)) } - sensorNamespace, err := satoken.LoadNamespaceFromFile() - if err != nil { - log.Errorf("Failed to determine namespace from service account token file: %s", err) - } - if sensorNamespace == "" { - sensorNamespace = os.Getenv("POD_NAMESPACE") - } - if sensorNamespace == "" { - sensorNamespace = namespaces.StackRox - log.Warnf("Unable to determine Sensor namespace, defaulting to %s", sensorNamespace) + if !features.LocalImageScanning.Enabled() { + components = append(components, localscanner.NewLocalScannerTLSIssuer(client.Kubernetes(), sensorNamespace)) } if admCtrlSettingsMgr != nil {