From f9dbf7b61964e32af8c34e8af50a354b00b0a406 Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Tue, 28 Dec 2021 19:05:46 +0100
Subject: [PATCH 01/45] Initial code for central service to generate local scanner certificates
---
 central/localscanner/service.go | 66 +
 central/main.go | 2 +
 .../internalapi/central/local_scanner.pb.go | 1103 +++++++++++++++++
 proto/internalapi/central/local_scanner.proto | 28 +
 4 files changed, 1199 insertions(+)
 create mode 100644 central/localscanner/service.go
 create mode 100644 generated/internalapi/central/local_scanner.pb.go
 create mode 100644 proto/internalapi/central/local_scanner.proto
diff --git a/central/localscanner/service.go b/central/localscanner/service.go
new file mode 100644
index 0000000000000..167dc73440355
--- /dev/null
+++ b/central/localscanner/service.go
@@ -0,0 +1,66 @@
+package localscanner
+
+import (
+ "context"
+
+ "github.com/grpc-ecosystem/grpc-gateway/runtime"
+ "github.com/pkg/errors"
+ "github.com/stackrox/rox/generated/storage"
+ pkgGRPC "github.com/stackrox/rox/pkg/grpc"
+ "github.com/stackrox/rox/pkg/mtls"
+ "google.golang.org/grpc"
+
+ "github.com/stackrox/rox/generated/internalapi/central"
+)
+
+type Service interface {
+ pkgGRPC.APIService
+ central.LocalScannerServiceServer
+}
+
+func New() Service {
+ return &serviceImpl{}
+}
+
+type serviceImpl struct {}
+
+func (s *serviceImpl) RegisterServiceServer(server *grpc.Server) {
+ central.RegisterLocalScannerServiceServer(server, s)
+}
+
+func (s *serviceImpl) RegisterServiceHandler(context.Context, *runtime.ServeMux, *grpc.ClientConn) error {
+ return nil
+}
+
+func localCertificatesForCertMap(serviceType storage.ServiceType, certificates secretDataMap) *central.LocalScannerCertificates {
+ // FIXME replace secretDataMap in central/localscanner/certificates.go by typed struct
+ return ¢ral.LocalScannerCertificates {
+ ServiceType: serviceType,
+ Ca: certificates[mtls.CACertFileName],
+ Cert: certificates[mtls.ServiceCertFileName],
+ Key: certificates[mtls.ServiceKeyFileName],
+ }
+}
+
+func (s *serviceImpl) IssueLocalScannerCerts(_ context.Context, request *central.IssueLocalScannerCertsRequest) (*central.IssueLocalScannerCertsResponse, error) {
+ if request.GetNamespace() == "" {
+ return nil, errors.New("namespace is required to issue the certificates for the local scanner")
+ }
+ if request.GetClusterId() == "" {
+ return nil, errors.New("cluster id is required to issue the certificates for the local scanner")
+ }
+
+ scannerCertificates, err := generateServiceCertMap(storage.ServiceType_SCANNER_SERVICE, request.GetNamespace(), request.GetClusterId())
+ if err != nil {
+ return nil, errors.Wrapf(err, "error generating certificate for service %s", storage.ServiceType_SCANNER_SERVICE)
+ }
+ scannerDBCertificates, err := generateServiceCertMap(storage.ServiceType_SCANNER_DB_SERVICE, request.GetNamespace(), request.GetClusterId())
+ if err != nil {
+ return nil, errors.Wrapf(err, "error generating certificate for service %s", storage.ServiceType_SCANNER_DB_SERVICE)
+ }
+
+ return ¢ral.IssueLocalScannerCertsResponse{
+ ScannerCerts: localCertificatesForCertMap(storage.ServiceType_SCANNER_SERVICE, scannerCertificates),
+ ScannerDbCerts: localCertificatesForCertMap(storage.ServiceType_SCANNER_DB_SERVICE, scannerDBCertificates),
+ }, nil
+}
diff --git a/central/main.go b/central/main.go
index aaebf0246b1c0..e8d8bad090a76 100644
--- a/central/main.go
+++ b/central/main.go
@@ -67,6 +67,7 @@ import (
 "github.com/stackrox/rox/central/jwt"
 licenseService "github.com/stackrox/rox/central/license/service"
 licenseSingletons "github.com/stackrox/rox/central/license/singleton"
+ "github.com/stackrox/rox/central/localscanner"
 logimbueHandler "github.com/stackrox/rox/central/logimbue/handler"
 logimbueStore "github.com/stackrox/rox/central/logimbue/store"
 metadataService "github.com/stackrox/rox/central/metadata/service"
@@ -312,6 +313,7 @@ func servicesToRegister(registry authproviders.Registry, authzTraceSink observe.
 imageService.Singleton(),
 iiService.Singleton(),
 licenseService.New(false, licenseSingletons.ManagerSingleton()),
+ localscanner.New(),
 integrationHealthService.Singleton(),
 metadataService.New(),
 mitreService.Singleton(),
diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go
new file mode 100644
index 0000000000000..09bd4880b2d0c
--- /dev/null
+++ b/generated/internalapi/central/local_scanner.pb.go
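Review bot: `IssueLocalScannerCerts` mints scanner and scanner-db certificates, private keys included (`Key: certificates[mtls.ServiceKeyFileName]`), for whatever `cluster_id` and `namespace` the request body carries, and nothing in the hunk ties that cluster ID to the caller: the context is discarded as `_ context.Context`, so no identity-derived check can exist, and `serviceImpl` declares no per-method authorization hook. If sensors can reach this internal API, the sensor of one cluster can obtain valid service certificates for another cluster just by supplying its ID; the cluster ID should be taken from, or compared against, the caller's mTLS identity and a mismatch rejected with `codes.PermissionDenied`, with the method limited to sensor callers — the identity accessor is not visible here, so confirm what `pkg/mtls`/`authn` expose before wiring it. The two validation failures are also plain `errors.New`, which gRPC reports to the client as `Unknown`; `status.Error(codes.InvalidArgument, "namespace is required to issue the certificates for the local scanner")` is the accurate code. `generateServiceCertMap` and `secretDataMap` are defined outside this hunk, so whether they constrain the cluster ID further cannot be checked from here.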
@@ -0,0 +1,1103 @@ +// Code generated by protoc-gen-gogo. DO NOT EDIT. +// source: internalapi/central/local_scanner.proto + +package central + +import ( + context "context" + fmt "fmt" + proto "github.com/golang/protobuf/proto" + storage "github.com/stackrox/rox/generated/storage" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" + io "io" + math "math" + math_bits "math/bits" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +type LocalScannerCertificates struct { + ServiceType storage.ServiceType `protobuf:"varint,1,opt,name=service_type,json=serviceType,proto3,enum=storage.ServiceType" json:"service_type,omitempty"` + Ca []byte `protobuf:"bytes,2,opt,name=ca,proto3" json:"ca,omitempty"` + Cert []byte `protobuf:"bytes,3,opt,name=cert,proto3" json:"cert,omitempty"` + Key []byte `protobuf:"bytes,4,opt,name=key,proto3" json:"key,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *LocalScannerCertificates) Reset() { *m = LocalScannerCertificates{} } +func (m *LocalScannerCertificates) String() string { return proto.CompactTextString(m) } +func (*LocalScannerCertificates) ProtoMessage() {} +func (*LocalScannerCertificates) Descriptor() ([]byte, []int) { + return fileDescriptor_856923c76f63cf0a, []int{0} +} +func (m *LocalScannerCertificates) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *LocalScannerCertificates) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if 
deterministic { + return xxx_messageInfo_LocalScannerCertificates.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *LocalScannerCertificates) XXX_Merge(src proto.Message) { + xxx_messageInfo_LocalScannerCertificates.Merge(m, src) +} +func (m *LocalScannerCertificates) XXX_Size() int { + return m.Size() +} +func (m *LocalScannerCertificates) XXX_DiscardUnknown() { + xxx_messageInfo_LocalScannerCertificates.DiscardUnknown(m) +} + +var xxx_messageInfo_LocalScannerCertificates proto.InternalMessageInfo + +func (m *LocalScannerCertificates) GetServiceType() storage.ServiceType { + if m != nil { + return m.ServiceType + } + return storage.ServiceType_UNKNOWN_SERVICE +} + +func (m *LocalScannerCertificates) GetCa() []byte { + if m != nil { + return m.Ca + } + return nil +} + +func (m *LocalScannerCertificates) GetCert() []byte { + if m != nil { + return m.Cert + } + return nil +} + +func (m *LocalScannerCertificates) GetKey() []byte { + if m != nil { + return m.Key + } + return nil +} + +func (m *LocalScannerCertificates) MessageClone() proto.Message { + return m.Clone() +} +func (m *LocalScannerCertificates) Clone() *LocalScannerCertificates { + if m == nil { + return nil + } + cloned := new(LocalScannerCertificates) + *cloned = *m + + if m.Ca != nil { + cloned.Ca = make([]byte, len(m.Ca)) + copy(cloned.Ca, m.Ca) + } + if m.Cert != nil { + cloned.Cert = make([]byte, len(m.Cert)) + copy(cloned.Cert, m.Cert) + } + if m.Key != nil { + cloned.Key = make([]byte, len(m.Key)) + copy(cloned.Key, m.Key) + } + return cloned +} + +type IssueLocalScannerCertsRequest struct { + ClusterId string `protobuf:"bytes,1,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` + Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + 
XXX_sizecache int32 `json:"-"` +} + +func (m *IssueLocalScannerCertsRequest) Reset() { *m = IssueLocalScannerCertsRequest{} } +func (m *IssueLocalScannerCertsRequest) String() string { return proto.CompactTextString(m) } +func (*IssueLocalScannerCertsRequest) ProtoMessage() {} +func (*IssueLocalScannerCertsRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_856923c76f63cf0a, []int{1} +} +func (m *IssueLocalScannerCertsRequest) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *IssueLocalScannerCertsRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_IssueLocalScannerCertsRequest.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *IssueLocalScannerCertsRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_IssueLocalScannerCertsRequest.Merge(m, src) +} +func (m *IssueLocalScannerCertsRequest) XXX_Size() int { + return m.Size() +} +func (m *IssueLocalScannerCertsRequest) XXX_DiscardUnknown() { + xxx_messageInfo_IssueLocalScannerCertsRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_IssueLocalScannerCertsRequest proto.InternalMessageInfo + +func (m *IssueLocalScannerCertsRequest) GetClusterId() string { + if m != nil { + return m.ClusterId + } + return "" +} + +func (m *IssueLocalScannerCertsRequest) GetNamespace() string { + if m != nil { + return m.Namespace + } + return "" +} + +func (m *IssueLocalScannerCertsRequest) MessageClone() proto.Message { + return m.Clone() +} +func (m *IssueLocalScannerCertsRequest) Clone() *IssueLocalScannerCertsRequest { + if m == nil { + return nil + } + cloned := new(IssueLocalScannerCertsRequest) + *cloned = *m + + return cloned +} + +type IssueLocalScannerCertsResponse struct { + ScannerCerts *LocalScannerCertificates `protobuf:"bytes,1,opt,name=scanner_certs,json=scannerCerts,proto3" json:"scanner_certs,omitempty"` + 
ScannerDbCerts *LocalScannerCertificates `protobuf:"bytes,2,opt,name=scanner_db_certs,json=scannerDbCerts,proto3" json:"scanner_db_certs,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *IssueLocalScannerCertsResponse) Reset() { *m = IssueLocalScannerCertsResponse{} } +func (m *IssueLocalScannerCertsResponse) String() string { return proto.CompactTextString(m) } +func (*IssueLocalScannerCertsResponse) ProtoMessage() {} +func (*IssueLocalScannerCertsResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_856923c76f63cf0a, []int{2} +} +func (m *IssueLocalScannerCertsResponse) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *IssueLocalScannerCertsResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_IssueLocalScannerCertsResponse.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *IssueLocalScannerCertsResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_IssueLocalScannerCertsResponse.Merge(m, src) +} +func (m *IssueLocalScannerCertsResponse) XXX_Size() int { + return m.Size() +} +func (m *IssueLocalScannerCertsResponse) XXX_DiscardUnknown() { + xxx_messageInfo_IssueLocalScannerCertsResponse.DiscardUnknown(m) +} + +var xxx_messageInfo_IssueLocalScannerCertsResponse proto.InternalMessageInfo + +func (m *IssueLocalScannerCertsResponse) GetScannerCerts() *LocalScannerCertificates { + if m != nil { + return m.ScannerCerts + } + return nil +} + +func (m *IssueLocalScannerCertsResponse) GetScannerDbCerts() *LocalScannerCertificates { + if m != nil { + return m.ScannerDbCerts + } + return nil +} + +func (m *IssueLocalScannerCertsResponse) MessageClone() proto.Message { + return m.Clone() +} +func (m *IssueLocalScannerCertsResponse) Clone() *IssueLocalScannerCertsResponse { 
+ if m == nil { + return nil + } + cloned := new(IssueLocalScannerCertsResponse) + *cloned = *m + + cloned.ScannerCerts = m.ScannerCerts.Clone() + cloned.ScannerDbCerts = m.ScannerDbCerts.Clone() + return cloned +} + +func init() { + proto.RegisterType((*LocalScannerCertificates)(nil), "central.LocalScannerCertificates") + proto.RegisterType((*IssueLocalScannerCertsRequest)(nil), "central.IssueLocalScannerCertsRequest") + proto.RegisterType((*IssueLocalScannerCertsResponse)(nil), "central.IssueLocalScannerCertsResponse") +} + +func init() { + proto.RegisterFile("internalapi/central/local_scanner.proto", fileDescriptor_856923c76f63cf0a) +} + +var fileDescriptor_856923c76f63cf0a = []byte{ + // 367 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xc1, 0x4a, 0x23, 0x41, + 0x10, 0x86, 0xb7, 0x27, 0x61, 0x97, 0xe9, 0x64, 0x43, 0xe8, 0x5d, 0x96, 0xd9, 0xb0, 0x19, 0xb2, + 0x39, 0x6c, 0x72, 0x9a, 0x40, 0xf6, 0xb0, 0xf7, 0x55, 0x84, 0xa0, 0xa7, 0x89, 0x27, 0x11, 0x86, + 0x4e, 0x4f, 0x29, 0x8d, 0x63, 0xcf, 0xd8, 0xd5, 0x11, 0xe6, 0xe6, 0xd5, 0x37, 0xf0, 0x45, 0x7c, + 0x07, 0x8f, 0x3e, 0x82, 0xc4, 0x17, 0x91, 0xf4, 0x74, 0x4c, 0x10, 0xa3, 0xde, 0xaa, 0xff, 0xaa, + 0xfa, 0xaa, 0xfa, 0xa7, 0xe8, 0x40, 0x2a, 0x03, 0x5a, 0xf1, 0x8c, 0x17, 0x72, 0x24, 0x40, 0x19, + 0xcd, 0xb3, 0x51, 0x96, 0x0b, 0x9e, 0x25, 0x28, 0xb8, 0x52, 0xa0, 0xa3, 0x42, 0xe7, 0x26, 0x67, + 0x5f, 0x5c, 0xb2, 0x13, 0xa2, 0xc9, 0x35, 0x3f, 0x85, 0x11, 0x82, 0xbe, 0x94, 0x02, 0x12, 0x99, + 0x82, 0x32, 0xd2, 0x94, 0x55, 0x61, 0xff, 0x9a, 0xd0, 0xe0, 0x60, 0x09, 0x98, 0x56, 0xfd, 0x3b, + 0xa0, 0x8d, 0x3c, 0x91, 0x82, 0x1b, 0x40, 0xf6, 0x8f, 0x36, 0x57, 0x6d, 0xa6, 0x2c, 0x20, 0x20, + 0x3d, 0x32, 0x6c, 0x8d, 0xbf, 0x47, 0x8e, 0x19, 0x4d, 0xab, 0xe4, 0x61, 0x59, 0x40, 0xdc, 0xc0, + 0xf5, 0x83, 0xb5, 0xa8, 0x27, 0x78, 0xe0, 0xf5, 0xc8, 0xb0, 0x19, 0x7b, 0x82, 0x33, 0x46, 0xeb, + 0x02, 0xb4, 0x09, 0x6a, 0x56, 0xb1, 0x31, 0x6b, 0xd3, 0xda, 0x19, 0x94, 0x41, 
0xdd, 0x4a, 0xcb, + 0xb0, 0x7f, 0x4c, 0xbb, 0x13, 0xc4, 0x39, 0xbc, 0xdc, 0x07, 0x63, 0xb8, 0x98, 0x03, 0x1a, 0xd6, + 0xa5, 0x54, 0x64, 0x73, 0x34, 0xa0, 0x13, 0x99, 0xda, 0x6d, 0xfc, 0xd8, 0x77, 0xca, 0x24, 0x65, + 0xbf, 0xa8, 0xaf, 0xf8, 0x39, 0x60, 0xc1, 0x05, 0xd8, 0xe1, 0x7e, 0xbc, 0x16, 0xfa, 0xb7, 0x84, + 0x86, 0xdb, 0xf0, 0x58, 0xe4, 0x0a, 0x81, 0xed, 0xd1, 0xaf, 0xce, 0xc6, 0x64, 0xb9, 0x22, 0xda, + 0x11, 0x8d, 0xf1, 0xef, 0xc8, 0xb9, 0x19, 0x6d, 0x73, 0x2a, 0x6e, 0xe2, 0x06, 0x8f, 0xed, 0xd3, + 0xf6, 0x8a, 0x93, 0xce, 0x1c, 0xca, 0xfb, 0x28, 0xaa, 0xe5, 0x5a, 0x77, 0x67, 0x16, 0x36, 0xbe, + 0x22, 0xf4, 0xdb, 0x66, 0xb1, 0x33, 0x9d, 0x49, 0xfa, 0xe3, 0xf5, 0xef, 0xb0, 0x3f, 0xcf, 0x43, + 0xde, 0xb4, 0xb3, 0x33, 0x78, 0xb7, 0xae, 0xf2, 0xe5, 0xff, 0xcf, 0xbb, 0x45, 0x48, 0xee, 0x17, + 0x21, 0x79, 0x58, 0x84, 0xe4, 0xe6, 0x31, 0xfc, 0x74, 0xb4, 0xba, 0xaf, 0xd9, 0x67, 0x7b, 0x46, + 0x7f, 0x9f, 0x02, 0x00, 0x00, 0xff, 0xff, 0x0d, 0xbf, 0x2d, 0x64, 0x9a, 0x02, 0x00, 0x00, +} + +// Reference imports to suppress errors if they are not otherwise used. +var _ context.Context +var _ grpc.ClientConnInterface + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion6 + +// LocalScannerServiceClient is the client API for LocalScannerService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConnInterface.NewStream. 
+type LocalScannerServiceClient interface { + IssueLocalScannerCerts(ctx context.Context, in *IssueLocalScannerCertsRequest, opts ...grpc.CallOption) (*IssueLocalScannerCertsResponse, error) +} + +type localScannerServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewLocalScannerServiceClient(cc grpc.ClientConnInterface) LocalScannerServiceClient { + return &localScannerServiceClient{cc} +} + +func (c *localScannerServiceClient) IssueLocalScannerCerts(ctx context.Context, in *IssueLocalScannerCertsRequest, opts ...grpc.CallOption) (*IssueLocalScannerCertsResponse, error) { + out := new(IssueLocalScannerCertsResponse) + err := c.cc.Invoke(ctx, "/central.LocalScannerService/IssueLocalScannerCerts", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// LocalScannerServiceServer is the server API for LocalScannerService service. +type LocalScannerServiceServer interface { + IssueLocalScannerCerts(context.Context, *IssueLocalScannerCertsRequest) (*IssueLocalScannerCertsResponse, error) +} + +// UnimplementedLocalScannerServiceServer can be embedded to have forward compatible implementations. 
+type UnimplementedLocalScannerServiceServer struct { +} + +func (*UnimplementedLocalScannerServiceServer) IssueLocalScannerCerts(ctx context.Context, req *IssueLocalScannerCertsRequest) (*IssueLocalScannerCertsResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method IssueLocalScannerCerts not implemented") +} + +func RegisterLocalScannerServiceServer(s *grpc.Server, srv LocalScannerServiceServer) { + s.RegisterService(&_LocalScannerService_serviceDesc, srv) +} + +func _LocalScannerService_IssueLocalScannerCerts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(IssueLocalScannerCertsRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(LocalScannerServiceServer).IssueLocalScannerCerts(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/central.LocalScannerService/IssueLocalScannerCerts", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(LocalScannerServiceServer).IssueLocalScannerCerts(ctx, req.(*IssueLocalScannerCertsRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _LocalScannerService_serviceDesc = grpc.ServiceDesc{ + ServiceName: "central.LocalScannerService", + HandlerType: (*LocalScannerServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "IssueLocalScannerCerts", + Handler: _LocalScannerService_IssueLocalScannerCerts_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "internalapi/central/local_scanner.proto", +} + +func (m *LocalScannerCertificates) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *LocalScannerCertificates) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return 
m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *LocalScannerCertificates) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.Key) > 0 { + i -= len(m.Key) + copy(dAtA[i:], m.Key) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Key))) + i-- + dAtA[i] = 0x22 + } + if len(m.Cert) > 0 { + i -= len(m.Cert) + copy(dAtA[i:], m.Cert) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Cert))) + i-- + dAtA[i] = 0x1a + } + if len(m.Ca) > 0 { + i -= len(m.Ca) + copy(dAtA[i:], m.Ca) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Ca))) + i-- + dAtA[i] = 0x12 + } + if m.ServiceType != 0 { + i = encodeVarintLocalScanner(dAtA, i, uint64(m.ServiceType)) + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + +func (m *IssueLocalScannerCertsRequest) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *IssueLocalScannerCertsRequest) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IssueLocalScannerCertsRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.Namespace) > 0 { + i -= len(m.Namespace) + copy(dAtA[i:], m.Namespace) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Namespace))) + i-- + dAtA[i] = 0x12 + } + if len(m.ClusterId) > 0 { + i -= len(m.ClusterId) + copy(dAtA[i:], m.ClusterId) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.ClusterId))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func (m *IssueLocalScannerCertsResponse) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = 
make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *IssueLocalScannerCertsResponse) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IssueLocalScannerCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.ScannerDbCerts != nil { + { + size, err := m.ScannerDbCerts.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintLocalScanner(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + if m.ScannerCerts != nil { + { + size, err := m.ScannerCerts.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintLocalScanner(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func encodeVarintLocalScanner(dAtA []byte, offset int, v uint64) int { + offset -= sovLocalScanner(v) + base := offset + for v >= 1<<7 { + dAtA[offset] = uint8(v&0x7f | 0x80) + v >>= 7 + offset++ + } + dAtA[offset] = uint8(v) + return base +} +func (m *LocalScannerCertificates) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.ServiceType != 0 { + n += 1 + sovLocalScanner(uint64(m.ServiceType)) + } + l = len(m.Ca) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } + l = len(m.Cert) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } + l = len(m.Key) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func (m *IssueLocalScannerCertsRequest) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.ClusterId) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } + l = len(m.Namespace) + if l > 0 { + n += 1 + l 
+ sovLocalScanner(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func (m *IssueLocalScannerCertsResponse) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.ScannerCerts != nil { + l = m.ScannerCerts.Size() + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.ScannerDbCerts != nil { + l = m.ScannerDbCerts.Size() + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func sovLocalScanner(x uint64) (n int) { + return (math_bits.Len64(x|1) + 6) / 7 +} +func sozLocalScanner(x uint64) (n int) { + return sovLocalScanner(uint64((x << 1) ^ uint64((int64(x) >> 63)))) +} +func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: LocalScannerCertificates: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: LocalScannerCertificates: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field ServiceType", wireType) + } + m.ServiceType = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.ServiceType |= storage.ServiceType(b&0x7F) << shift + if b < 0x80 { + break + } + } + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Ca", wireType) + } + var byteLen int + for shift := uint(0); ; 
shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Ca = append(m.Ca[:0], dAtA[iNdEx:postIndex]...) + if m.Ca == nil { + m.Ca = []byte{} + } + iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Cert", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Cert = append(m.Cert[:0], dAtA[iNdEx:postIndex]...) + if m.Cert == nil { + m.Cert = []byte{} + } + iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Key = append(m.Key[:0], dAtA[iNdEx:postIndex]...) 
+ if m.Key == nil { + m.Key = []byte{} + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipLocalScanner(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthLocalScanner + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *IssueLocalScannerCertsRequest) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: IssueLocalScannerCertsRequest: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: IssueLocalScannerCertsRequest: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ClusterId", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ClusterId = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong 
wireType = %d for field Namespace", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Namespace = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipLocalScanner(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthLocalScanner + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *IssueLocalScannerCertsResponse) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: IssueLocalScannerCertsResponse: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: IssueLocalScannerCertsResponse: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ScannerCerts", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 
{ + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.ScannerCerts == nil { + m.ScannerCerts = &LocalScannerCertificates{} + } + if err := m.ScannerCerts.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ScannerDbCerts", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.ScannerDbCerts == nil { + m.ScannerDbCerts = &LocalScannerCertificates{} + } + if err := m.ScannerDbCerts.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipLocalScanner(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthLocalScanner + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) 
+ iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func skipLocalScanner(dAtA []byte) (n int, err error) { + l := len(dAtA) + iNdEx := 0 + depth := 0 + for iNdEx < l { + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + wireType := int(wire & 0x7) + switch wireType { + case 0: + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + iNdEx++ + if dAtA[iNdEx-1] < 0x80 { + break + } + } + case 1: + iNdEx += 8 + case 2: + var length int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return 0, ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return 0, io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + length |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if length < 0 { + return 0, ErrInvalidLengthLocalScanner + } + iNdEx += length + case 3: + depth++ + case 4: + if depth == 0 { + return 0, ErrUnexpectedEndOfGroupLocalScanner + } + depth-- + case 5: + iNdEx += 4 + default: + return 0, fmt.Errorf("proto: illegal wireType %d", wireType) + } + if iNdEx < 0 { + return 0, ErrInvalidLengthLocalScanner + } + if depth == 0 { + return iNdEx, nil + } + } + return 0, io.ErrUnexpectedEOF +} + +var ( + ErrInvalidLengthLocalScanner = fmt.Errorf("proto: negative length found during unmarshaling") + ErrIntOverflowLocalScanner = fmt.Errorf("proto: integer overflow") + ErrUnexpectedEndOfGroupLocalScanner = fmt.Errorf("proto: unexpected end of group") +) diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto new file mode 100644 index 0000000000000..08351605c8c1b --- /dev/null +++ b/proto/internalapi/central/local_scanner.proto 
@@ -0,0 +1,28 @@ +syntax = "proto3"; + +option go_package = "central"; + +import "storage/service_identity.proto"; + +package central; + +message LocalScannerCertificates { + storage.ServiceType service_type = 1; + bytes ca = 2; + bytes cert = 3; + bytes key = 4; +} + +message IssueLocalScannerCertsRequest { + string cluster_id = 1; + string namespace = 2; +} + +message IssueLocalScannerCertsResponse { + LocalScannerCertificates scanner_certs = 1; + LocalScannerCertificates scanner_db_certs = 2; +} + +service LocalScannerService { + rpc IssueLocalScannerCerts(IssueLocalScannerCertsRequest) returns (IssueLocalScannerCertsResponse); +} \ No newline at end of file From e19fc2e1e23b7da73a41c47b741a79a5b9a0c60e Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 28 Dec 2021 19:08:56 +0100 Subject: [PATCH 02/45] fix style issues --- central/localscanner/service.go | 17 +++++++++-------- proto/internalapi/central/local_scanner.proto | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/central/localscanner/service.go b/central/localscanner/service.go index 167dc73440355..52ced7036b728 100644 --- a/central/localscanner/service.go +++ b/central/localscanner/service.go @@ -5,24 +5,25 @@ import ( "github.com/grpc-ecosystem/grpc-gateway/runtime" "github.com/pkg/errors" + "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" pkgGRPC "github.com/stackrox/rox/pkg/grpc" "github.com/stackrox/rox/pkg/mtls" "google.golang.org/grpc" - - "github.com/stackrox/rox/generated/internalapi/central" ) +// Service is the interface for the local scanner service. type Service interface { pkgGRPC.APIService central.LocalScannerServiceServer } +// New creates a new local scanner service. func New() Service { return &serviceImpl{} } -type serviceImpl struct {} +type serviceImpl struct{} func (s *serviceImpl) RegisterServiceServer(server *grpc.Server) { central.RegisterLocalScannerServiceServer(server, s) 
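Review bot: None of the messages or fields in the new local_scanner.proto carry a comment, and `bytes key = 4` in `LocalScannerCertificates` is, as far as service.go shows, the service private key (it is filled from `certificates[mtls.ServiceKeyFileName]`), which a reader of the API should not have to discover from the implementation. Add a leading comment per message and per field, for example `// key is the private key that pairs with cert; treat the whole message as secret material.` on the key field and `// cluster_id identifies the secured cluster the scanner runs in.` on the request. The encoding of ca, cert and key (PEM or DER) is not visible in this series; state it in the field comments once confirmed against the generator in certificates.go.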
@@ -34,11 +35,11 @@ func (s *serviceImpl) RegisterServiceHandler(context.Context, *runtime.ServeMux, func localCertificatesForCertMap(serviceType storage.ServiceType, certificates secretDataMap) *central.LocalScannerCertificates { // FIXME replace secretDataMap in central/localscanner/certificates.go by typed struct - return ¢ral.LocalScannerCertificates { + return ¢ral.LocalScannerCertificates{ ServiceType: serviceType, - Ca: certificates[mtls.CACertFileName], - Cert: certificates[mtls.ServiceCertFileName], - Key: certificates[mtls.ServiceKeyFileName], + Ca: certificates[mtls.CACertFileName], + Cert: certificates[mtls.ServiceCertFileName], + Key: certificates[mtls.ServiceKeyFileName], } } @@ -60,7 +61,7 @@ func (s *serviceImpl) IssueLocalScannerCerts(_ context.Context, request *central } return ¢ral.IssueLocalScannerCertsResponse{ - ScannerCerts: localCertificatesForCertMap(storage.ServiceType_SCANNER_SERVICE, scannerCertificates), + ScannerCerts: localCertificatesForCertMap(storage.ServiceType_SCANNER_SERVICE, scannerCertificates), ScannerDbCerts: localCertificatesForCertMap(storage.ServiceType_SCANNER_DB_SERVICE, scannerDBCertificates), }, nil } diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index 08351605c8c1b..df044e5854c99 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto @@ -25,4 +25,4 @@ message IssueLocalScannerCertsResponse { service LocalScannerService { rpc IssueLocalScannerCerts(IssueLocalScannerCertsRequest) returns (IssueLocalScannerCertsResponse); -} \ No newline at end of file +} From 1d5fda9c27a7191494c5f65ded35ef66c5a19b29 Mon Sep 17 00:00:00 2001 
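Review bot: The two doc comments added in the first hunk of this commit, `// Service is the interface for the local scanner service.` and `// New creates a new local scanner service.`, restate the identifiers without saying what the service does. Describe the contract instead, e.g. `// Service issues mTLS certificates for the scanner and scanner-db services of a given cluster and namespace.`, and give `New` one sentence on what the returned value must be registered with. `serviceImpl` and its two `Register*` methods stay uncommented; a one-liner on `RegisterServiceHandler` noting that returning nil means no REST gateway mapping is exposed would help the next reader.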
From: Juan Rodriguez Hortala Date: Mon, 3 Jan 2022 12:21:50 +0100 Subject: [PATCH 03/45] Add unit test for LocalScannerService --- central/localscanner/certificates_test.go | 39 +++++++++++++++++++++++ central/localscanner/service.go | 5 +-- 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 69088fbddec8f..79062cd0be53b 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -1,12 +1,14 @@ package localscanner import ( + "context" "fmt" "testing" "time" "github.com/cloudflare/cfssl/helpers" testutilsMTLS "github.com/stackrox/rox/central/testutils/mtls" + "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/certgen" "github.com/stackrox/rox/pkg/mtls" 
@@ -115,3 +117,40 @@ func (s *localScannerSuite) TestCertificateGeneration() { s.Assert().Equal(cert.NotBefore.Add(2*24*time.Hour), cert.NotAfter, tc.service) } } + +func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { + service := New() + ctx := context.Background() + testCases := []struct { + description string + clusterID string + namespace string + shouldFail bool + }{ + {"no parameter missing", clusterID, namespace, false}, + {"namespace missing", clusterID, "", true}, + {"cluster id missing", "", namespace, true}, + {"all parameters missing", "", "", true}, + } + for _, tc := range testCases { + req := central.IssueLocalScannerCertsRequest{ + ClusterId: tc.clusterID, + Namespace: tc.namespace, + } + resp, err := service.IssueLocalScannerCerts(ctx, &req) + if tc.shouldFail { + s.Require().Error(err, tc.description) + continue + } + s.Require().NoError(err, tc.description) + for _, certs := range []*central.LocalScannerCertificates{ + resp.GetScannerCerts(), + resp.GetScannerDbCerts(), + } { + s.Require().NotNil(certs, tc.description) + s.Assert().NotEmpty(certs.GetCa(), tc.description) + s.Assert().NotEmpty(certs.GetCert(), tc.description) + s.Assert().NotEmpty(certs.GetKey(), tc.description) + } + } +} diff --git a/central/localscanner/service.go b/central/localscanner/service.go index 52ced7036b728..e6f3d8e8894e2 100644 --- a/central/localscanner/service.go +++ b/central/localscanner/service.go 
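Review bot: `TestServiceIssueLocalScannerCerts` only asserts that the `Ca`, `Cert` and `Key` byte slices are non-empty, so a response carrying mismatched or unsigned material would still pass. The surrounding suite already parses certificates in `TestCertificateGeneration` (the cfssl `helpers` import and the `cert.NotBefore`/`cert.NotAfter` assertions just above this hunk), so the same parsing can check that `certs.GetCert()` verifies against `certs.GetCa()` and that the scanner and scanner-db responses are not the same certificate. The description `"no parameter missing"` also reads as a double negative; `"all parameters present"` says the same thing directly.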
@@ -52,12 +52,13 @@ func (s *serviceImpl) IssueLocalScannerCerts(_ context.Context, request *central } scannerCertificates, err := generateServiceCertMap(storage.ServiceType_SCANNER_SERVICE, request.GetNamespace(), request.GetClusterId()) + errorFormat := "error generating certificate for service %s" if err != nil { - return nil, errors.Wrapf(err, "error generating certificate for service %s", storage.ServiceType_SCANNER_SERVICE) + return nil, errors.Wrapf(err, errorFormat, storage.ServiceType_SCANNER_SERVICE) } scannerDBCertificates, err := generateServiceCertMap(storage.ServiceType_SCANNER_DB_SERVICE, request.GetNamespace(), request.GetClusterId()) if err != nil { - return nil, errors.Wrapf(err, "error generating certificate for service %s", storage.ServiceType_SCANNER_DB_SERVICE) + return nil, errors.Wrapf(err, errorFormat, storage.ServiceType_SCANNER_DB_SERVICE) } return ¢ral.IssueLocalScannerCertsResponse{ From c3b095935eb7c7f13ebba298bc3be594edc9ebbe Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 4 Jan 2022 16:24:30 +0100 Subject: [PATCH 04/45] Simplify IssueLocalScannerCerts --- central/localscanner/service.go | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/central/localscanner/service.go b/central/localscanner/service.go index e6f3d8e8894e2..d7437b46367a6 100644 --- a/central/localscanner/service.go +++ b/central/localscanner/service.go @@ -4,6 +4,7 @@ import ( "context" "github.com/grpc-ecosystem/grpc-gateway/runtime" + "github.com/hashicorp/go-multierror" "github.com/pkg/errors" "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" 
@@ -33,14 +34,18 @@ func (s *serviceImpl) RegisterServiceHandler(context.Context, *runtime.ServeMux, return nil } -func localCertificatesForCertMap(serviceType storage.ServiceType, certificates secretDataMap) *central.LocalScannerCertificates { - // FIXME replace secretDataMap in central/localscanner/certificates.go by typed struct +func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (*central.LocalScannerCertificates, error) { + certificates, err := generateServiceCertMap(serviceType, namespace, clusterID) + if err != nil { + return nil, errors.Wrapf(err, "error generating certificate for service %s", serviceType) + } + return ¢ral.LocalScannerCertificates{ ServiceType: serviceType, Ca: certificates[mtls.CACertFileName], Cert: certificates[mtls.ServiceCertFileName], Key: certificates[mtls.ServiceKeyFileName], - } + }, nil } func (s *serviceImpl) IssueLocalScannerCerts(_ context.Context, request *central.IssueLocalScannerCertsRequest) (*central.IssueLocalScannerCertsResponse, error) { 
@@ -51,18 +56,21 @@ func (s *serviceImpl) IssueLocalScannerCerts(_ context.Context, request *central return nil, errors.New("cluster id is required to issue the certificates for the local scanner") } - scannerCertificates, err := generateServiceCertMap(storage.ServiceType_SCANNER_SERVICE, request.GetNamespace(), request.GetClusterId()) - errorFormat := "error generating certificate for service %s" + var certIssueError error + scannerCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_SERVICE, request.GetNamespace(), request.GetClusterId()) if err != nil { - return nil, errors.Wrapf(err, errorFormat, storage.ServiceType_SCANNER_SERVICE) + certIssueError = multierror.Append(certIssueError, err) } - scannerDBCertificates, err := generateServiceCertMap(storage.ServiceType_SCANNER_DB_SERVICE, request.GetNamespace(), request.GetClusterId()) + scannerDBCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_DB_SERVICE, request.GetNamespace(), request.GetClusterId()) if err != nil { - return nil, errors.Wrapf(err, errorFormat, storage.ServiceType_SCANNER_DB_SERVICE) + certIssueError = multierror.Append(certIssueError, err) + } + if certIssueError != nil { + return nil, certIssueError } return ¢ral.IssueLocalScannerCertsResponse{ - ScannerCerts: localCertificatesForCertMap(storage.ServiceType_SCANNER_SERVICE, scannerCertificates), - ScannerDbCerts: localCertificatesForCertMap(storage.ServiceType_SCANNER_DB_SERVICE, scannerDBCertificates), + ScannerCerts: scannerCertificates, + ScannerDbCerts: scannerDBCertificates, }, nil } From 71d7f13eadd383a34bb5ac33ad31d53d0f4853a8 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 4 Jan 2022 16:27:59 +0100 Subject: [PATCH 05/45] remove redundant field --- central/localscanner/service.go | 1 - .../internalapi/central/local_scanner.pb.go | 96 ++++++------------- proto/internalapi/central/local_scanner.proto | 1 - 3 files changed, 30 insertions(+), 68 deletions(-) 
diff --git a/central/localscanner/service.go b/central/localscanner/service.go index d7437b46367a6..cce78c1c3f104 100644 --- a/central/localscanner/service.go +++ b/central/localscanner/service.go @@ -41,7 +41,6 @@ func localScannerCertificatesFor(serviceType storage.ServiceType, namespace stri } return ¢ral.LocalScannerCertificates{ - ServiceType: serviceType, Ca: certificates[mtls.CACertFileName], Cert: certificates[mtls.ServiceCertFileName], Key: certificates[mtls.ServiceKeyFileName], diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go index 09bd4880b2d0c..0953e7b76ccb2 100644 --- a/generated/internalapi/central/local_scanner.pb.go +++ b/generated/internalapi/central/local_scanner.pb.go @@ -7,7 +7,7 @@ import ( context "context" fmt "fmt" proto "github.com/golang/protobuf/proto" - storage "github.com/stackrox/rox/generated/storage" + _ "github.com/stackrox/rox/generated/storage" grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" 
@@ -28,13 +28,12 @@ var _ = math.Inf const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package type LocalScannerCertificates struct { - ServiceType storage.ServiceType `protobuf:"varint,1,opt,name=service_type,json=serviceType,proto3,enum=storage.ServiceType" json:"service_type,omitempty"` - Ca []byte `protobuf:"bytes,2,opt,name=ca,proto3" json:"ca,omitempty"` - Cert []byte `protobuf:"bytes,3,opt,name=cert,proto3" json:"cert,omitempty"` - Key []byte `protobuf:"bytes,4,opt,name=key,proto3" json:"key,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + Ca []byte `protobuf:"bytes,2,opt,name=ca,proto3" json:"ca,omitempty"` + Cert []byte `protobuf:"bytes,3,opt,name=cert,proto3" json:"cert,omitempty"` + Key []byte `protobuf:"bytes,4,opt,name=key,proto3" json:"key,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *LocalScannerCertificates) Reset() { *m = LocalScannerCertificates{} } @@ -70,13 +69,6 @@ func (m *LocalScannerCertificates) XXX_DiscardUnknown() { var xxx_messageInfo_LocalScannerCertificates proto.InternalMessageInfo -func (m *LocalScannerCertificates) GetServiceType() storage.ServiceType { - if m != nil { - return m.ServiceType - } - return storage.ServiceType_UNKNOWN_SERVICE -} - func (m *LocalScannerCertificates) GetCa() []byte { if m != nil { return m.Ca 
@@ -272,30 +264,29 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 367 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xc1, 0x4a, 0x23, 0x41, - 0x10, 0x86, 0xb7, 0x27, 0x61, 0x97, 0xe9, 0x64, 0x43, 0xe8, 0x5d, 0x96, 0xd9, 0xb0, 0x19, 0xb2, - 0x39, 0x6c, 0x72, 0x9a, 0x40, 0xf6, 0xb0, 0xf7, 0x55, 0x84, 0xa0, 0xa7, 0x89, 0x27, 0x11, 0x86, - 0x4e, 0x4f, 0x29, 0x8d, 0x63, 0xcf, 0xd8, 0xd5, 0x11, 0xe6, 0xe6, 0xd5, 0x37, 0xf0, 0x45, 0x7c, - 0x07, 0x8f, 0x3e, 0x82, 0xc4, 0x17, 0x91, 0xf4, 0x74, 0x4c, 0x10, 0xa3, 0xde, 0xaa, 0xff, 0xaa, - 0xfa, 0xaa, 0xfa, 0xa7, 0xe8, 0x40, 0x2a, 0x03, 0x5a, 0xf1, 0x8c, 0x17, 0x72, 0x24, 0x40, 0x19, - 0xcd, 0xb3, 0x51, 0x96, 0x0b, 0x9e, 0x25, 0x28, 0xb8, 0x52, 0xa0, 0xa3, 0x42, 0xe7, 0x26, 0x67, - 0x5f, 0x5c, 0xb2, 0x13, 0xa2, 0xc9, 0x35, 0x3f, 0x85, 0x11, 0x82, 0xbe, 0x94, 0x02, 0x12, 0x99, - 0x82, 0x32, 0xd2, 0x94, 0x55, 0x61, 0xff, 0x9a, 0xd0, 0xe0, 0x60, 0x09, 0x98, 0x56, 0xfd, 0x3b, - 0xa0, 0x8d, 0x3c, 0x91, 0x82, 0x1b, 0x40, 0xf6, 0x8f, 0x36, 0x57, 0x6d, 0xa6, 0x2c, 0x20, 0x20, - 0x3d, 0x32, 0x6c, 0x8d, 0xbf, 0x47, 0x8e, 0x19, 0x4d, 0xab, 0xe4, 0x61, 0x59, 0x40, 0xdc, 0xc0, - 0xf5, 0x83, 0xb5, 0xa8, 0x27, 0x78, 0xe0, 0xf5, 0xc8, 0xb0, 0x19, 0x7b, 0x82, 0x33, 0x46, 0xeb, - 0x02, 0xb4, 0x09, 0x6a, 0x56, 0xb1, 0x31, 0x6b, 0xd3, 0xda, 0x19, 0x94, 0x41, 0xdd, 0x4a, 0xcb, - 0xb0, 0x7f, 0x4c, 0xbb, 0x13, 0xc4, 0x39, 0xbc, 0xdc, 0x07, 0x63, 0xb8, 0x98, 0x03, 0x1a, 0xd6, - 0xa5, 0x54, 0x64, 0x73, 0x34, 0xa0, 0x13, 0x99, 0xda, 0x6d, 0xfc, 0xd8, 0x77, 0xca, 0x24, 0x65, - 0xbf, 0xa8, 0xaf, 0xf8, 0x39, 0x60, 0xc1, 0x05, 0xd8, 0xe1, 0x7e, 0xbc, 0x16, 0xfa, 0xb7, 0x84, - 0x86, 0xdb, 0xf0, 0x58, 0xe4, 0x0a, 0x81, 0xed, 0xd1, 0xaf, 0xce, 0xc6, 0x64, 0xb9, 0x22, 0xda, - 0x11, 0x8d, 0xf1, 0xef, 0xc8, 0xb9, 0x19, 0x6d, 0x73, 0x2a, 0x6e, 0xe2, 0x06, 0x8f, 0xed, 0xd3, - 0xf6, 0x8a, 0x93, 0xce, 0x1c, 0xca, 0xfb, 0x28, 0xaa, 0xe5, 0x5a, 0x77, 0x67, 0x16, 0x36, 0xbe, - 
0x22, 0xf4, 0xdb, 0x66, 0xb1, 0x33, 0x9d, 0x49, 0xfa, 0xe3, 0xf5, 0xef, 0xb0, 0x3f, 0xcf, 0x43, - 0xde, 0xb4, 0xb3, 0x33, 0x78, 0xb7, 0xae, 0xf2, 0xe5, 0xff, 0xcf, 0xbb, 0x45, 0x48, 0xee, 0x17, - 0x21, 0x79, 0x58, 0x84, 0xe4, 0xe6, 0x31, 0xfc, 0x74, 0xb4, 0xba, 0xaf, 0xd9, 0x67, 0x7b, 0x46, - 0x7f, 0x9f, 0x02, 0x00, 0x00, 0xff, 0xff, 0x0d, 0xbf, 0x2d, 0x64, 0x9a, 0x02, 0x00, 0x00, + // 337 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xd1, 0x4a, 0xeb, 0x40, + 0x10, 0x86, 0xcf, 0xa6, 0xe5, 0x1c, 0x32, 0xa7, 0x96, 0xb2, 0x82, 0xc4, 0x62, 0x43, 0xed, 0x85, + 0xed, 0x55, 0x0b, 0xf5, 0x0d, 0x54, 0x84, 0xa2, 0x17, 0x92, 0xde, 0x89, 0x10, 0xb6, 0x9b, 0x51, + 0x16, 0xe3, 0x26, 0xee, 0x6c, 0x85, 0xde, 0xf9, 0x18, 0xbe, 0x88, 0xef, 0xe0, 0xa5, 0x8f, 0x20, + 0xf5, 0x45, 0xa4, 0x9b, 0x54, 0x8b, 0x58, 0xf5, 0x6e, 0xf8, 0x33, 0xf3, 0xfd, 0x99, 0x7f, 0x07, + 0xba, 0x4a, 0x5b, 0x34, 0x5a, 0xa4, 0x22, 0x57, 0x03, 0x89, 0xda, 0x1a, 0x91, 0x0e, 0xd2, 0x4c, + 0x8a, 0x34, 0x26, 0x29, 0xb4, 0x46, 0xd3, 0xcf, 0x4d, 0x66, 0x33, 0xfe, 0xaf, 0xfc, 0xd8, 0x0c, + 0xc9, 0x66, 0x46, 0x5c, 0xe1, 0x80, 0xd0, 0xdc, 0x29, 0x89, 0xb1, 0x4a, 0x50, 0x5b, 0x65, 0x67, + 0x45, 0x63, 0xe7, 0x0c, 0x82, 0xd3, 0xc5, 0xfc, 0xb8, 0x18, 0x3f, 0x44, 0x63, 0xd5, 0xa5, 0x92, + 0xc2, 0x22, 0xf1, 0x3a, 0x78, 0x52, 0x04, 0x5e, 0x9b, 0xf5, 0x6a, 0x91, 0x27, 0x05, 0xe7, 0x50, + 0x95, 0x68, 0x6c, 0x50, 0x71, 0x8a, 0xab, 0x79, 0x03, 0x2a, 0xd7, 0x38, 0x0b, 0xaa, 0x4e, 0x5a, + 0x94, 0x9d, 0x0b, 0x68, 0x8d, 0x88, 0xa6, 0xf8, 0x19, 0x4b, 0x11, 0xde, 0x4e, 0x91, 0x2c, 0x6f, + 0x01, 0xc8, 0x74, 0x4a, 0x16, 0x4d, 0xac, 0x92, 0x80, 0xb5, 0x59, 0xcf, 0x8f, 0xfc, 0x52, 0x19, + 0x25, 0x7c, 0x07, 0x7c, 0x2d, 0x6e, 0x90, 0x72, 0x21, 0xd1, 0x99, 0xfb, 0xd1, 0x87, 0xd0, 0x79, + 0x64, 0x10, 0xae, 0xc3, 0x53, 0x9e, 0x69, 0x42, 0x7e, 0x0c, 0x1b, 0x65, 0x18, 0xf1, 0xe2, 0x17, + 0xc9, 0x59, 0xfc, 0x1f, 0xee, 0xf6, 0xcb, 0x4c, 0xfa, 0xeb, 0x16, 0x8e, 0x6a, 0xb4, 0xc2, 0xe3, 
+ 0x27, 0xd0, 0x58, 0x72, 0x92, 0x49, 0x89, 0xf2, 0x7e, 0x8b, 0xaa, 0x97, 0xa3, 0x47, 0x13, 0x07, + 0x1b, 0xde, 0x33, 0xd8, 0x5c, 0x6d, 0x1e, 0x17, 0xcf, 0xc1, 0x15, 0x6c, 0x7d, 0xbd, 0x0e, 0xdf, + 0x7b, 0x37, 0xf9, 0x36, 0xce, 0x66, 0xf7, 0xc7, 0xbe, 0x22, 0x97, 0x83, 0xed, 0xa7, 0x79, 0xc8, + 0x9e, 0xe7, 0x21, 0x7b, 0x99, 0x87, 0xec, 0xe1, 0x35, 0xfc, 0x73, 0xbe, 0xbc, 0x92, 0xc9, 0x5f, + 0x77, 0x0c, 0xfb, 0x6f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xe3, 0xe2, 0xd8, 0x2e, 0x60, 0x02, 0x00, + 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -423,11 +414,6 @@ func (m *LocalScannerCertificates) MarshalToSizedBuffer(dAtA []byte) (int, error i-- dAtA[i] = 0x12 } - if m.ServiceType != 0 { - i = encodeVarintLocalScanner(dAtA, i, uint64(m.ServiceType)) - i-- - dAtA[i] = 0x8 - } return len(dAtA) - i, nil } @@ -540,9 +526,6 @@ func (m *LocalScannerCertificates) Size() (n int) { } var l int _ = l - if m.ServiceType != 0 { - n += 1 + sovLocalScanner(uint64(m.ServiceType)) - } l = len(m.Ca) if l > 0 { n += 1 + l + sovLocalScanner(uint64(l)) @@ -636,25 +619,6 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { return fmt.Errorf("proto: LocalScannerCertificates: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { - case 1: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field ServiceType", wireType) - } - m.ServiceType = 0 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - m.ServiceType |= storage.ServiceType(b&0x7F) << shift - if b < 0x80 { - break - } - } case 2: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field Ca", wireType) diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index df044e5854c99..03322383f6d48 100644 --- a/proto/internalapi/central/local_scanner.proto 
+++ b/proto/internalapi/central/local_scanner.proto @@ -7,7 +7,6 @@ import "storage/service_identity.proto"; package central; message LocalScannerCertificates { - storage.ServiceType service_type = 1; bytes ca = 2; bytes cert = 3; bytes key = 4; From 2a087bd00e6c7462b1456803e386915cac6a1457 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 4 Jan 2022 17:28:35 +0100 Subject: [PATCH 06/45] Infer cluster id from request context --- central/localscanner/certificates_test.go | 16 +-- central/localscanner/service.go | 36 +++++-- .../internalapi/central/local_scanner.pb.go | 97 +++++-------------- proto/internalapi/central/local_scanner.proto | 3 +- 4 files changed, 55 insertions(+), 97 deletions(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 79062cd0be53b..3b462f4e3a0e2 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -1,7 +1,6 @@ package localscanner import ( - "context" "fmt" "testing" "time" @@ -119,25 +118,16 @@ func (s *localScannerSuite) TestCertificateGeneration() { } func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { - service := New() - ctx := context.Background() testCases := []struct { description string - clusterID string namespace string shouldFail bool }{ - {"no parameter missing", clusterID, namespace, false}, - {"namespace missing", clusterID, "", true}, - {"cluster id missing", "", namespace, true}, - {"all parameters missing", "", "", true}, + {"no parameter missing", namespace, false}, + {"namespace missing", "", true}, } for _, tc := range testCases { - req := central.IssueLocalScannerCertsRequest{ - ClusterId: tc.clusterID, - Namespace: tc.namespace, - } - resp, err := service.IssueLocalScannerCerts(ctx, &req) + resp, err := issueLocalScannerCerts(tc.namespace, clusterID) if tc.shouldFail { s.Require().Error(err, tc.description) continue 
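Review bot: Replacing the `service.IssueLocalScannerCerts(ctx, &req)` call with a direct call to `issueLocalScannerCerts(tc.namespace, clusterID)` leaves the gRPC entry point and the new `getClusterID` path without any test, and the dropped `"cluster id missing"` case has no successor for what replaces it, a request context without a service identity. Keep one case that goes through `New().IssueLocalScannerCerts(context.Background(), &central.IssueLocalScannerCertsRequest{Namespace: namespace})` and asserts the error expected for an unauthenticated context, once it is confirmed what `centralsensor.GetClusterID` returns for an empty identity id. That case would also keep the `context` import this commit removes from the top of the file.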
diff --git a/central/localscanner/service.go b/central/localscanner/service.go index cce78c1c3f104..839ac8426524e 100644 --- a/central/localscanner/service.go +++ b/central/localscanner/service.go @@ -8,8 +8,11 @@ import ( "github.com/pkg/errors" "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" + "github.com/stackrox/rox/pkg/centralsensor" pkgGRPC "github.com/stackrox/rox/pkg/grpc" + "github.com/stackrox/rox/pkg/grpc/authn" "github.com/stackrox/rox/pkg/mtls" + "github.com/stackrox/rox/sensor/common/clusterid" "google.golang.org/grpc" ) @@ -47,20 +50,17 @@ func localScannerCertificatesFor(serviceType storage.ServiceType, namespace stri }, nil } -func (s *serviceImpl) IssueLocalScannerCerts(_ context.Context, request *central.IssueLocalScannerCertsRequest) (*central.IssueLocalScannerCertsResponse, error) { - if request.GetNamespace() == "" { +func issueLocalScannerCerts(namespace string, clusterID string) (*central.IssueLocalScannerCertsResponse, error) { + if namespace == "" { return nil, errors.New("namespace is required to issue the certificates for the local scanner") } - if request.GetClusterId() == "" { - return nil, errors.New("cluster id is required to issue the certificates for the local scanner") - } var certIssueError error - scannerCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_SERVICE, request.GetNamespace(), request.GetClusterId()) + scannerCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_SERVICE, namespace, clusterID) if err != nil { certIssueError = multierror.Append(certIssueError, err) } - scannerDBCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_DB_SERVICE, request.GetNamespace(), request.GetClusterId()) + scannerDBCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_DB_SERVICE, namespace, clusterID) if err != nil { certIssueError = multierror.Append(certIssueError, err) } 
@@ -73,3 +73,25 @@ func (s *serviceImpl) IssueLocalScannerCerts(_ context.Context, request *central ScannerDbCerts: scannerDBCertificates, }, nil } + +func getClusterID(ctx context.Context) (string, error) { + var requestingServiceIdentity *storage.ServiceIdentity + if id := authn.IdentityFromContextOrNil(ctx); id != nil { + requestingServiceIdentity = id.Service() + } + clusterID, err := centralsensor.GetClusterID(clusterid.Get(), requestingServiceIdentity.GetId()) + if err != nil { + return "", err + } + + return clusterID, nil +} + +func (s *serviceImpl) IssueLocalScannerCerts(ctx context.Context, request *central.IssueLocalScannerCertsRequest) (*central.IssueLocalScannerCertsResponse, error) { + clusterID, err := getClusterID(ctx) + if err != nil { + return nil, errors.Wrap(err, "could not determine cluster ID") + } + + return issueLocalScannerCerts(request.GetNamespace(), clusterID) +} diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go index 0953e7b76ccb2..120072ae456c0 100644 --- a/generated/internalapi/central/local_scanner.pb.go +++ b/generated/internalapi/central/local_scanner.pb.go @@ -116,8 +116,7 @@ func (m *LocalScannerCertificates) Clone() *LocalScannerCertificates { } type IssueLocalScannerCertsRequest struct { - ClusterId string `protobuf:"bytes,1,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` - Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"` + Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
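Review bot: `getClusterID` derives the cluster ID from whatever identity happens to be in the context, but nothing in the hunk rejects a request with no service identity or one of the wrong kind, so authorization for `IssueLocalScannerCerts` rests entirely on an authorizer that is not visible here; please confirm one is attached to this service. When `authn.IdentityFromContextOrNil` returns nil, `requestingServiceIdentity.GetId()` yields `""` (the generated getters in this series are nil-safe) and the outcome then depends on what `centralsensor.GetClusterID` does with an empty id; make the failure explicit with `if requestingServiceIdentity == nil { return "", errors.New("no service identity in request context") }` and wrap the remaining error with context instead of returning it bare. `clusterid.Get()` comes from `sensor/common/clusterid`, i.e. sensor-side state, and it is unclear from this diff how that is populated inside central, so the dependency deserves a comment or a central-side source. The same code is moved unchanged by patch 07 below.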
@@ -156,13 +155,6 @@ func (m *IssueLocalScannerCertsRequest) XXX_DiscardUnknown() { var xxx_messageInfo_IssueLocalScannerCertsRequest proto.InternalMessageInfo -func (m *IssueLocalScannerCertsRequest) GetClusterId() string { - if m != nil { - return m.ClusterId - } - return "" -} - func (m *IssueLocalScannerCertsRequest) GetNamespace() string { if m != nil { return m.Namespace 
@@ -264,29 +256,27 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 337 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xd1, 0x4a, 0xeb, 0x40, - 0x10, 0x86, 0xcf, 0xa6, 0xe5, 0x1c, 0x32, 0xa7, 0x96, 0xb2, 0x82, 0xc4, 0x62, 0x43, 0xed, 0x85, - 0xed, 0x55, 0x0b, 0xf5, 0x0d, 0x54, 0x84, 0xa2, 0x17, 0x92, 0xde, 0x89, 0x10, 0xb6, 0x9b, 0x51, - 0x16, 0xe3, 0x26, 0xee, 0x6c, 0x85, 0xde, 0xf9, 0x18, 0xbe, 0x88, 0xef, 0xe0, 0xa5, 0x8f, 0x20, - 0xf5, 0x45, 0xa4, 0x9b, 0x54, 0x8b, 0x58, 0xf5, 0x6e, 0xf8, 0x33, 0xf3, 0xfd, 0x99, 0x7f, 0x07, - 0xba, 0x4a, 0x5b, 0x34, 0x5a, 0xa4, 0x22, 0x57, 0x03, 0x89, 0xda, 0x1a, 0x91, 0x0e, 0xd2, 0x4c, - 0x8a, 0x34, 0x26, 0x29, 0xb4, 0x46, 0xd3, 0xcf, 0x4d, 0x66, 0x33, 0xfe, 0xaf, 0xfc, 0xd8, 0x0c, - 0xc9, 0x66, 0x46, 0x5c, 0xe1, 0x80, 0xd0, 0xdc, 0x29, 0x89, 0xb1, 0x4a, 0x50, 0x5b, 0x65, 0x67, - 0x45, 0x63, 0xe7, 0x0c, 0x82, 0xd3, 0xc5, 0xfc, 0xb8, 0x18, 0x3f, 0x44, 0x63, 0xd5, 0xa5, 0x92, - 0xc2, 0x22, 0xf1, 0x3a, 0x78, 0x52, 0x04, 0x5e, 0x9b, 0xf5, 0x6a, 0x91, 0x27, 0x05, 0xe7, 0x50, - 0x95, 0x68, 0x6c, 0x50, 0x71, 0x8a, 0xab, 0x79, 0x03, 0x2a, 0xd7, 0x38, 0x0b, 0xaa, 0x4e, 0x5a, - 0x94, 0x9d, 0x0b, 0x68, 0x8d, 0x88, 0xa6, 0xf8, 0x19, 0x4b, 0x11, 0xde, 0x4e, 0x91, 0x2c, 0x6f, - 0x01, 0xc8, 0x74, 0x4a, 0x16, 0x4d, 0xac, 0x92, 0x80, 0xb5, 0x59, 0xcf, 0x8f, 0xfc, 0x52, 0x19, - 0x25, 0x7c, 0x07, 0x7c, 0x2d, 0x6e, 0x90, 0x72, 0x21, 0xd1, 0x99, 0xfb, 0xd1, 0x87, 0xd0, 0x79, - 0x64, 0x10, 0xae, 0xc3, 0x53, 0x9e, 0x69, 0x42, 0x7e, 0x0c, 0x1b, 0x65, 0x18, 0xf1, 0xe2, 0x17, - 0xc9, 0x59, 0xfc, 0x1f, 0xee, 0xf6, 0xcb, 0x4c, 0xfa, 0xeb, 0x16, 0x8e, 0x6a, 0xb4, 0xc2, 0xe3, - 0x27, 0xd0, 0x58, 0x72, 0x92, 0x49, 0x89, 0xf2, 0x7e, 0x8b, 0xaa, 0x97, 0xa3, 0x47, 0x13, 0x07, - 0x1b, 0xde, 0x33, 0xd8, 0x5c, 0x6d, 0x1e, 0x17, 0xcf, 0xc1, 0x15, 0x6c, 0x7d, 0xbd, 0x0e, 0xdf, - 0x7b, 0x37, 0xf9, 0x36, 0xce, 0x66, 0xf7, 0xc7, 0xbe, 0x22, 0x97, 0x83, 0xed, 0xa7, 0x79, 0xc8, - 
0x9e, 0xe7, 0x21, 0x7b, 0x99, 0x87, 0xec, 0xe1, 0x35, 0xfc, 0x73, 0xbe, 0xbc, 0x92, 0xc9, 0x5f, - 0x77, 0x0c, 0xfb, 0x6f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xe3, 0xe2, 0xd8, 0x2e, 0x60, 0x02, 0x00, - 0x00, + // 317 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0x41, 0x4a, 0x03, 0x31, + 0x14, 0x86, 0xcd, 0xb4, 0x28, 0x7d, 0xd6, 0x52, 0x22, 0xc8, 0x58, 0x34, 0xd4, 0x2e, 0x6c, 0x57, + 0x2d, 0xd4, 0xb5, 0x1b, 0x15, 0x41, 0x74, 0x21, 0xd3, 0x9d, 0x9b, 0x92, 0xa6, 0x4f, 0x09, 0x8e, + 0x99, 0x31, 0x2f, 0x15, 0xba, 0xf3, 0x18, 0x5e, 0xc4, 0x3b, 0xb8, 0xf4, 0x08, 0x52, 0x2f, 0x22, + 0x93, 0x99, 0x6a, 0x11, 0xab, 0xee, 0x1e, 0x6f, 0xfe, 0xff, 0x9b, 0xfc, 0x7f, 0x02, 0x6d, 0x6d, + 0x1c, 0x5a, 0x23, 0x63, 0x99, 0xea, 0x9e, 0x42, 0xe3, 0xac, 0x8c, 0x7b, 0x71, 0xa2, 0x64, 0x3c, + 0x24, 0x25, 0x8d, 0x41, 0xdb, 0x4d, 0x6d, 0xe2, 0x12, 0xbe, 0x56, 0x7c, 0x6c, 0x08, 0x72, 0x89, + 0x95, 0x37, 0xd8, 0x23, 0xb4, 0x0f, 0x5a, 0xe1, 0x50, 0x8f, 0xd1, 0x38, 0xed, 0xa6, 0xb9, 0xb0, + 0x75, 0x09, 0xe1, 0x45, 0xe6, 0x1f, 0xe4, 0xf6, 0x63, 0xb4, 0x4e, 0x5f, 0x6b, 0x25, 0x1d, 0x12, + 0xaf, 0x41, 0xa0, 0x64, 0x18, 0x34, 0x59, 0xa7, 0x1a, 0x05, 0x4a, 0x72, 0x0e, 0x65, 0x85, 0xd6, + 0x85, 0x25, 0xbf, 0xf1, 0x33, 0xaf, 0x43, 0xe9, 0x16, 0xa7, 0x61, 0xd9, 0xaf, 0xb2, 0xb1, 0x75, + 0x08, 0xbb, 0x67, 0x44, 0x13, 0xfc, 0x8e, 0xa5, 0x08, 0xef, 0x27, 0x48, 0x8e, 0xef, 0x40, 0xc5, + 0xc8, 0x3b, 0xa4, 0x54, 0x2a, 0x0c, 0x59, 0x93, 0x75, 0x2a, 0xd1, 0xd7, 0xa2, 0xf5, 0xcc, 0x40, + 0x2c, 0xf3, 0x53, 0x9a, 0x18, 0x42, 0x7e, 0x0a, 0x1b, 0x45, 0xda, 0x61, 0x76, 0x06, 0xf2, 0x90, + 0xf5, 0xfe, 0x5e, 0xb7, 0x08, 0xdd, 0x5d, 0x96, 0x28, 0xaa, 0xd2, 0x02, 0x8f, 0x9f, 0x43, 0x7d, + 0xce, 0x19, 0x8f, 0x0a, 0x54, 0xf0, 0x5f, 0x54, 0xad, 0xb0, 0x9e, 0x8c, 0x3c, 0xac, 0xff, 0xc8, + 0x60, 0x73, 0x51, 0x3c, 0xc8, 0xfb, 0xe6, 0x1a, 0xb6, 0x7e, 0x8e, 0xc3, 0xf7, 0x3f, 0x7f, 0xf2, + 0x6b, 0x5f, 0x8d, 0xf6, 0x9f, 0xba, 0xbc, 0x97, 0xa3, 0xed, 0x97, 0x99, 0x60, 
0xaf, 0x33, 0xc1, + 0xde, 0x66, 0x82, 0x3d, 0xbd, 0x8b, 0x95, 0xab, 0xf9, 0x33, 0x18, 0xad, 0xfa, 0xdb, 0x3e, 0xf8, + 0x08, 0x00, 0x00, 0xff, 0xff, 0xde, 0xd8, 0x2e, 0x78, 0x41, 0x02, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -446,13 +436,6 @@ func (m *IssueLocalScannerCertsRequest) MarshalToSizedBuffer(dAtA []byte) (int, copy(dAtA[i:], m.Namespace) i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Namespace))) i-- - dAtA[i] = 0x12 - } - if len(m.ClusterId) > 0 { - i -= len(m.ClusterId) - copy(dAtA[i:], m.ClusterId) - i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.ClusterId))) - i-- dAtA[i] = 0xa } return len(dAtA) - i, nil @@ -550,10 +533,6 @@ func (m *IssueLocalScannerCertsRequest) Size() (n int) { } var l int _ = l - l = len(m.ClusterId) - if l > 0 { - n += 1 + l + sovLocalScanner(uint64(l)) - } l = len(m.Namespace) if l > 0 { n += 1 + l + sovLocalScanner(uint64(l)) @@ -773,38 +752,6 @@ func (m *IssueLocalScannerCertsRequest) Unmarshal(dAtA []byte) error { } switch fieldNum { case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ClusterId", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthLocalScanner - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthLocalScanner - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.ClusterId = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - case 2: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType) } 
diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index 03322383f6d48..789267c222bf0 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto @@ -13,8 +13,7 @@ message LocalScannerCertificates { } message IssueLocalScannerCertsRequest { - string cluster_id = 1; - string namespace = 2; + string namespace = 1; } message IssueLocalScannerCertsResponse { From 7a35476011a2a2fd96b8e327c9ad6600e27ecb7c Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Wed, 5 Jan 2022 12:56:56 +0100 Subject: [PATCH 07/45] Reorder func to have entry point on top, and aux funcs dowmn --- central/localscanner/service.go | 50 ++++++++++++++++----------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/central/localscanner/service.go b/central/localscanner/service.go index 839ac8426524e..09cd63b043be3 100644 --- a/central/localscanner/service.go +++ b/central/localscanner/service.go 
@@ -37,17 +37,26 @@ func (s *serviceImpl) RegisterServiceHandler(context.Context, *runtime.ServeMux, return nil } -func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (*central.LocalScannerCertificates, error) { - certificates, err := generateServiceCertMap(serviceType, namespace, clusterID) +func (s *serviceImpl) IssueLocalScannerCerts(ctx context.Context, request *central.IssueLocalScannerCertsRequest) (*central.IssueLocalScannerCertsResponse, error) { + clusterID, err := getClusterID(ctx) if err != nil { - return nil, errors.Wrapf(err, "error generating certificate for service %s", serviceType) + return nil, errors.Wrap(err, "could not determine cluster ID") } - return ¢ral.LocalScannerCertificates{ - Ca: certificates[mtls.CACertFileName], - Cert: certificates[mtls.ServiceCertFileName], - Key: certificates[mtls.ServiceKeyFileName], - }, nil + return issueLocalScannerCerts(request.GetNamespace(), clusterID) +} + +func getClusterID(ctx context.Context) (string, error) { + var requestingServiceIdentity *storage.ServiceIdentity + if id := authn.IdentityFromContextOrNil(ctx); id != nil { + requestingServiceIdentity = id.Service() + } + clusterID, err := centralsensor.GetClusterID(clusterid.Get(), requestingServiceIdentity.GetId()) + if err != nil { + return "", err + } + + return clusterID, nil } func issueLocalScannerCerts(namespace string, clusterID string) (*central.IssueLocalScannerCertsResponse, error) { 
@@ -74,24 +83,15 @@ func issueLocalScannerCerts(namespace string, clusterID string) (*central.IssueL }, nil } -func getClusterID(ctx context.Context) (string, error) { - var requestingServiceIdentity *storage.ServiceIdentity - if id := authn.IdentityFromContextOrNil(ctx); id != nil { - requestingServiceIdentity = id.Service() - } - clusterID, err := centralsensor.GetClusterID(clusterid.Get(), requestingServiceIdentity.GetId()) - if err != nil { - return "", err - } - - return clusterID, nil -} - -func (s *serviceImpl) IssueLocalScannerCerts(ctx context.Context, request *central.IssueLocalScannerCertsRequest) (*central.IssueLocalScannerCertsResponse, error) { - clusterID, err := getClusterID(ctx) +func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (*central.LocalScannerCertificates, error) { + certificates, err := generateServiceCertMap(serviceType, namespace, clusterID) if err != nil { - return nil, errors.Wrap(err, "could not determine cluster ID") + return nil, errors.Wrapf(err, "error generating certificate for service %s", serviceType) } - return issueLocalScannerCerts(request.GetNamespace(), clusterID) + return ¢ral.LocalScannerCertificates{ + Ca: certificates[mtls.CACertFileName], + Cert: certificates[mtls.ServiceCertFileName], + Key: certificates[mtls.ServiceKeyFileName], + }, nil } From ff0aee40b15f592b531bb4f1764c2cf7f75a053b Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Wed, 5 Jan 2022 14:29:08 +0100 Subject: [PATCH 08/45] Memoize CAForSigning --- pkg/mtls/crypto.go | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/pkg/mtls/crypto.go b/pkg/mtls/crypto.go index 03ff11ba901aa..e5516a414e8f4 100644 --- a/pkg/mtls/crypto.go +++ b/pkg/mtls/crypto.go 
@@ -105,6 +105,10 @@ var ( readCAKeyOnce sync.Once caKeyFileContents []byte caKeyErr error + + caForSigningOnce sync.Once + caForSigning CA + caForSigningErr error ) // IssuedCert is a representation of an issued certificate @@ -183,16 +187,22 @@ func CACert() (*x509.Certificate, []byte, error) { // CAForSigning reads the cert and key from the local file system and returns // a corresponding CA instance that can be used for signing. func CAForSigning() (CA, error) { - _, certPEM, _, err := readCA() - if err != nil { - return nil, errors.Wrap(err, "could not read CA cert file") - } - keyPEM, err := readCAKey() - if err != nil { - return nil, errors.Wrap(err, "could not read CA key file") - } + caForSigningOnce.Do(func() { + _, certPEM, _, err := readCA() + if err != nil { + caForSigningErr = errors.Wrap(err, "could not read CA cert file") + return + } + keyPEM, err := readCAKey() + if err != nil { + caForSigningErr = errors.Wrap(err, "could not read CA key file") + return + } + + caForSigning, caForSigningErr = LoadCAForSigning(certPEM, keyPEM) + }) - return LoadCAForSigning(certPEM, keyPEM) + return caForSigning, caForSigningErr } func signer() (cfsigner.Signer, error) { From d1b7d623f02e434e115bf4be5f73c6276da9e642 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Wed, 5 Jan 2022 14:30:13 +0100 Subject: [PATCH 09/45] fix code style --- pkg/mtls/crypto.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/mtls/crypto.go b/pkg/mtls/crypto.go index e5516a414e8f4..13db9b333100c 100644 --- a/pkg/mtls/crypto.go +++ b/pkg/mtls/crypto.go @@ -106,9 +106,9 @@ var ( caKeyFileContents []byte caKeyErr error - caForSigningOnce sync.Once - caForSigning CA - caForSigningErr error + caForSigningOnce sync.Once + caForSigning CA + caForSigningErr error ) // IssuedCert is a representation of an issued certificate From 3e23314bc5d711c42dffc962ce561312544129ab Mon Sep 17 00:00:00 2001 
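Review bot: The doc comment above `func CAForSigning() (CA, error)` still says it reads the cert and key from the file system, but with `caForSigningOnce` the read and `LoadCAForSigning` now run once and both the CA and any error are cached for the process lifetime, which matches how `readCAKeyOnce`/`caKeyErr` already behave in the var block above. Suggest `// CAForSigning returns a CA instance that can be used for signing. The cert and key are read from the local file system once; the result, including any error, is cached for the lifetime of the process.` Because every caller now shares the single `caForSigning` value, it is worth confirming that the CA type carries no mutable state one caller could alter for the others; its definition is not visible from this hunk.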
From: Juan Rodriguez Hortala Date: Wed, 5 Jan 2022 14:34:50 +0100 Subject: [PATCH 10/45] Number proto message fields starting in 1 --- .../internalapi/central/local_scanner.pb.go | 60 +++++++++---------- proto/internalapi/central/local_scanner.proto | 6 +- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go index 120072ae456c0..61cc81c5f59b8 100644 --- a/generated/internalapi/central/local_scanner.pb.go +++ b/generated/internalapi/central/local_scanner.pb.go @@ -28,9 +28,9 @@ var _ = math.Inf const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package type LocalScannerCertificates struct { - Ca []byte `protobuf:"bytes,2,opt,name=ca,proto3" json:"ca,omitempty"` - Cert []byte `protobuf:"bytes,3,opt,name=cert,proto3" json:"cert,omitempty"` - Key []byte `protobuf:"bytes,4,opt,name=key,proto3" json:"key,omitempty"` + Ca []byte `protobuf:"bytes,1,opt,name=ca,proto3" json:"ca,omitempty"` + Cert []byte `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"` + Key []byte `protobuf:"bytes,3,opt,name=key,proto3" json:"key,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -256,27 +256,27 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 317 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0x41, 0x4a, 0x03, 0x31, - 0x14, 0x86, 0xcd, 0xb4, 0x28, 0x7d, 0xd6, 0x52, 0x22, 0xc8, 0x58, 0x34, 0xd4, 0x2e, 0x6c, 0x57, - 0x2d, 0xd4, 0xb5, 0x1b, 0x15, 0x41, 0x74, 0x21, 0xd3, 0x9d, 0x9b, 0x92, 0xa6, 0x4f, 0x09, 0x8e, - 0x99, 0x31, 0x2f, 0x15, 0xba, 0xf3, 0x18, 0x5e, 0xc4, 0x3b, 0xb8, 0xf4, 0x08, 0x52, 0x2f, 0x22, - 0x93, 0x99, 0x6a, 0x11, 0xab, 0xee, 0x1e, 0x6f, 0xfe, 0xff, 0x9b, 0xfc, 0x7f, 0x02, 0x6d, 0x6d, - 0x1c, 0x5a, 0x23, 0x63, 0x99, 0xea, 0x9e, 0x42, 0xe3, 0xac, 0x8c, 0x7b, 0x71, 0xa2, 0x64, 0x3c, - 0x24, 0x25, 0x8d, 0x41, 0xdb, 0x4d, 0x6d, 0xe2, 0x12, 0xbe, 0x56, 0x7c, 0x6c, 0x08, 0x72, 0x89, - 0x95, 0x37, 0xd8, 0x23, 0xb4, 0x0f, 0x5a, 0xe1, 0x50, 0x8f, 0xd1, 0x38, 0xed, 0xa6, 0xb9, 0xb0, - 0x75, 0x09, 0xe1, 0x45, 0xe6, 0x1f, 0xe4, 0xf6, 0x63, 0xb4, 0x4e, 0x5f, 0x6b, 0x25, 0x1d, 0x12, - 0xaf, 0x41, 0xa0, 0x64, 0x18, 0x34, 0x59, 0xa7, 0x1a, 0x05, 0x4a, 0x72, 0x0e, 0x65, 0x85, 0xd6, - 0x85, 0x25, 0xbf, 0xf1, 0x33, 0xaf, 0x43, 0xe9, 0x16, 0xa7, 0x61, 0xd9, 0xaf, 0xb2, 0xb1, 0x75, - 0x08, 0xbb, 0x67, 0x44, 0x13, 0xfc, 0x8e, 0xa5, 0x08, 0xef, 0x27, 0x48, 0x8e, 0xef, 0x40, 0xc5, - 0xc8, 0x3b, 0xa4, 0x54, 0x2a, 0x0c, 0x59, 0x93, 0x75, 0x2a, 0xd1, 0xd7, 0xa2, 0xf5, 0xcc, 0x40, - 0x2c, 0xf3, 0x53, 0x9a, 0x18, 0x42, 0x7e, 0x0a, 0x1b, 0x45, 0xda, 0x61, 0x76, 0x06, 0xf2, 0x90, - 0xf5, 0xfe, 0x5e, 0xb7, 0x08, 0xdd, 0x5d, 0x96, 0x28, 0xaa, 0xd2, 0x02, 0x8f, 0x9f, 0x43, 0x7d, - 0xce, 0x19, 0x8f, 0x0a, 0x54, 0xf0, 0x5f, 0x54, 0xad, 0xb0, 0x9e, 0x8c, 0x3c, 0xac, 0xff, 0xc8, - 0x60, 0x73, 0x51, 0x3c, 0xc8, 0xfb, 0xe6, 0x1a, 0xb6, 0x7e, 0x8e, 0xc3, 0xf7, 0x3f, 0x7f, 0xf2, - 0x6b, 0x5f, 0x8d, 0xf6, 0x9f, 0xba, 0xbc, 0x97, 0xa3, 0xed, 0x97, 0x99, 0x60, 0xaf, 0x33, 0xc1, - 0xde, 0x66, 0x82, 0x3d, 0xbd, 0x8b, 0x95, 0xab, 0xf9, 0x33, 0x18, 0xad, 0xfa, 0xdb, 0x3e, 0xf8, - 
0x08, 0x00, 0x00, 0xff, 0xff, 0xde, 0xd8, 0x2e, 0x78, 0x41, 0x02, 0x00, 0x00, + // 316 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xc1, 0x4a, 0xf3, 0x40, + 0x14, 0x85, 0xff, 0x49, 0x7f, 0x94, 0x5e, 0x6b, 0x29, 0x23, 0x48, 0x2c, 0x3a, 0x68, 0x17, 0xd6, + 0x55, 0x0b, 0x75, 0xed, 0x46, 0x45, 0x10, 0x5d, 0x48, 0xba, 0x73, 0x53, 0x26, 0xd3, 0xab, 0x0c, + 0xc6, 0x49, 0x9c, 0x3b, 0x15, 0xba, 0xf3, 0x31, 0x7c, 0x11, 0xdf, 0xc1, 0xa5, 0x8f, 0x20, 0xf1, + 0x45, 0x24, 0x93, 0x54, 0x8b, 0x58, 0x75, 0x77, 0xb9, 0x39, 0xe7, 0xcb, 0x9c, 0x33, 0x03, 0x5d, + 0x6d, 0x1c, 0x5a, 0x23, 0x13, 0x99, 0xe9, 0xbe, 0x42, 0xe3, 0xac, 0x4c, 0xfa, 0x49, 0xaa, 0x64, + 0x32, 0x22, 0x25, 0x8d, 0x41, 0xdb, 0xcb, 0x6c, 0xea, 0x52, 0xbe, 0x5c, 0x7d, 0x6c, 0x0b, 0x72, + 0xa9, 0x95, 0xd7, 0xd8, 0x27, 0xb4, 0xf7, 0x5a, 0xe1, 0x48, 0x8f, 0xd1, 0x38, 0xed, 0xa6, 0xa5, + 0xb0, 0x73, 0x01, 0xe1, 0x79, 0xe1, 0x1f, 0x96, 0xf6, 0x23, 0xb4, 0x4e, 0x5f, 0x69, 0x25, 0x1d, + 0x12, 0x6f, 0x42, 0xa0, 0x64, 0xc8, 0xb6, 0xd9, 0x5e, 0x23, 0x0a, 0x94, 0xe4, 0x1c, 0xfe, 0x2b, + 0xb4, 0x2e, 0x0c, 0xfc, 0xc6, 0xcf, 0xbc, 0x05, 0xb5, 0x1b, 0x9c, 0x86, 0x35, 0xbf, 0x2a, 0xc6, + 0xce, 0x01, 0x6c, 0x9d, 0x12, 0x4d, 0xf0, 0x2b, 0x96, 0x22, 0xbc, 0x9b, 0x20, 0x39, 0xbe, 0x09, + 0x75, 0x23, 0x6f, 0x91, 0x32, 0xa9, 0xd0, 0xd3, 0xeb, 0xd1, 0xe7, 0xa2, 0xf3, 0xc4, 0x40, 0x2c, + 0xf2, 0x53, 0x96, 0x1a, 0x42, 0x7e, 0x02, 0xab, 0x55, 0xda, 0x51, 0x71, 0x06, 0xf2, 0x90, 0x95, + 0xc1, 0x4e, 0xaf, 0x0a, 0xdd, 0x5b, 0x94, 0x28, 0x6a, 0xd0, 0x1c, 0x8f, 0x9f, 0x41, 0x6b, 0xc6, + 0x19, 0xc7, 0x15, 0x2a, 0xf8, 0x2b, 0xaa, 0x59, 0x59, 0x8f, 0x63, 0x0f, 0x1b, 0x3c, 0x30, 0x58, + 0x9b, 0x17, 0x0f, 0xcb, 0xbe, 0xb9, 0x86, 0xf5, 0xef, 0xe3, 0xf0, 0xdd, 0x8f, 0x9f, 0xfc, 0xd8, + 0x57, 0xbb, 0xfb, 0xab, 0xae, 0xec, 0xe5, 0x70, 0xe3, 0x39, 0x17, 0xec, 0x25, 0x17, 0xec, 0x35, + 0x17, 0xec, 0xf1, 0x4d, 0xfc, 0xbb, 0x9c, 0x3d, 0x83, 0x78, 0xc9, 0xdf, 0xf6, 0xfe, 0x7b, 0x00, + 0x00, 
0x00, 0xff, 0xff, 0x16, 0xc6, 0x41, 0xdf, 0x41, 0x02, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -388,21 +388,21 @@ func (m *LocalScannerCertificates) MarshalToSizedBuffer(dAtA []byte) (int, error copy(dAtA[i:], m.Key) i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Key))) i-- - dAtA[i] = 0x22 + dAtA[i] = 0x1a } if len(m.Cert) > 0 { i -= len(m.Cert) copy(dAtA[i:], m.Cert) i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Cert))) i-- - dAtA[i] = 0x1a + dAtA[i] = 0x12 } if len(m.Ca) > 0 { i -= len(m.Ca) copy(dAtA[i:], m.Ca) i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Ca))) i-- - dAtA[i] = 0x12 + dAtA[i] = 0xa } return len(dAtA) - i, nil } @@ -598,7 +598,7 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { return fmt.Errorf("proto: LocalScannerCertificates: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { - case 2: + case 1: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field Ca", wireType) } @@ -632,7 +632,7 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { m.Ca = []byte{} } iNdEx = postIndex - case 3: + case 2: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field Cert", wireType) } @@ -666,7 +666,7 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { m.Cert = []byte{} } iNdEx = postIndex - case 4: + case 3: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType) } diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index 789267c222bf0..3663cc608c8e7 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto @@ -7,9 +7,9 @@ import "storage/service_identity.proto"; package central; message LocalScannerCertificates { - bytes ca = 2; - bytes cert = 3; - bytes key = 4; + bytes ca = 1; + bytes cert = 2; + bytes key = 3; } message IssueLocalScannerCertsRequest { 
From b1d908e4eb780fa29c042261ed36a706957e64b3 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Wed, 5 Jan 2022 17:08:17 +0100 Subject: [PATCH 11/45] Properly infer cluster id from request context Also add validations on caller identity --- central/localscanner/service.go | 46 ++++++++++++++++++++++++--------- central/main.go | 2 +- 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/central/localscanner/service.go b/central/localscanner/service.go index 09cd63b043be3..0bd6d89150131 100644 --- a/central/localscanner/service.go +++ b/central/localscanner/service.go @@ -6,13 +6,14 @@ import ( "github.com/grpc-ecosystem/grpc-gateway/runtime" "github.com/hashicorp/go-multierror" "github.com/pkg/errors" + clusterDataStore "github.com/stackrox/rox/central/cluster/datastore" "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/centralsensor" + "github.com/stackrox/rox/pkg/errorhelpers" pkgGRPC "github.com/stackrox/rox/pkg/grpc" "github.com/stackrox/rox/pkg/grpc/authn" "github.com/stackrox/rox/pkg/mtls" - "github.com/stackrox/rox/sensor/common/clusterid" "google.golang.org/grpc" ) @@ -23,11 +24,15 @@ type Service interface { } // New creates a new local scanner service. -func New() Service { - return &serviceImpl{} +func New(clusters clusterDataStore.DataStore) Service { + return &serviceImpl{ + clusters: clusters, + } } -type serviceImpl struct{} +type serviceImpl struct { + clusters clusterDataStore.DataStore +} func (s *serviceImpl) RegisterServiceServer(server *grpc.Server) { central.RegisterLocalScannerServiceServer(server, s) 
@@ -38,22 +43,39 @@ func (s *serviceImpl) RegisterServiceHandler(context.Context, *runtime.ServeMux, } func (s *serviceImpl) IssueLocalScannerCerts(ctx context.Context, request *central.IssueLocalScannerCertsRequest) (*central.IssueLocalScannerCertsResponse, error) { - clusterID, err := getClusterID(ctx) + clusterID, err := s.authorizeAndGetClusterID(ctx) if err != nil { - return nil, errors.Wrap(err, "could not determine cluster ID") + return nil, errors.Wrap(err, "failure fetching cluster ID") } return issueLocalScannerCerts(request.GetNamespace(), clusterID) } -func getClusterID(ctx context.Context) (string, error) { - var requestingServiceIdentity *storage.ServiceIdentity - if id := authn.IdentityFromContextOrNil(ctx); id != nil { - requestingServiceIdentity = id.Service() +func (s *serviceImpl) authorizeAndGetClusterID(ctx context.Context) (string, error) { + identity, err := authn.IdentityFromContext(ctx) + if err != nil { + return "", errors.Wrap(err, "could not determine identity from request context") + } + if identity == nil { + return "", errors.New("could not determine identity from request context") + } + + svc := identity.Service() + if svc == nil || svc.GetType() != storage.ServiceType_SENSOR_SERVICE { + return "", errorhelpers.NewErrNotAuthorized("only sensor may access this API") + } + + clusterID := svc.GetId() + if centralsensor.IsInitCertClusterID(clusterID) { + return "", errors.Errorf("cannot issue local Scanner credentials for a cluster that has not yet been assigned an ID: found id %q", clusterID) } - clusterID, err := centralsensor.GetClusterID(clusterid.Get(), requestingServiceIdentity.GetId()) + + _, clusterExists, err := s.clusters.GetCluster(ctx, clusterID) if err != nil { - return "", err + return "", errors.Wrapf(err, "error fetching cluster with ID %q", clusterID) + } + if !clusterExists { + return "", errors.Errorf("cluster with ID %q does not exist", clusterID) } return clusterID, nil 
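Review bot: `authorizeAndGetClusterID` makes the central trust decision of this API without saying so: the cluster ID is taken from the caller's authenticated sensor identity (`svc.GetId()`) and never from the request, so a sensor can only obtain certificates for its own cluster, and that deserves a comment such as `// authorizeAndGetClusterID verifies that the caller is a sensor and returns the cluster ID from its service identity; the ID is deliberately never taken from the request so a sensor cannot obtain certificates for another cluster.` The `errorhelpers.NewErrNotAuthorized` result is then wrapped by `errors.Wrap(err, "failure fetching cluster ID")` in `IssueLocalScannerCerts`, which is fine if the gRPC status mapping unwraps through pkg/errors causes but would turn the intended permission-denied into a generic failure if it compares the outer error directly; worth checking. The init-cert-cluster-ID branch returns a plain `errors.Errorf`, so the caller cannot tell that case from an internal error either. `s.clusters.GetCluster(ctx, clusterID)` runs under the sensor's request context, and I cannot tell from here whether the datastore's access scoping grants a sensor identity read access to its own cluster record.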
diff --git a/central/main.go b/central/main.go index e8d8bad090a76..ba3c72a1ada8b 100644 --- a/central/main.go +++ b/central/main.go @@ -313,7 +313,7 @@ func servicesToRegister(registry authproviders.Registry, authzTraceSink observe. imageService.Singleton(), iiService.Singleton(), licenseService.New(false, licenseSingletons.ManagerSingleton()), - localscanner.New(), + localscanner.New(clusterDataStore.Singleton()), integrationHealthService.Singleton(), metadataService.New(), mitreService.Singleton(), From 225f4dbb91798b2cfe49b82dd22d90485af9ef24 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 11 Jan 2022 15:21:11 +0100 Subject: [PATCH 12/45] Replace new gRPC service with new messages in SensorService.Communicate --- central/localscanner/certificates.go | 40 ++ central/localscanner/certificates_test.go | 45 +-- central/localscanner/service.go | 119 ------ .../service/connection/connection_impl.go | 17 + .../internalapi/central/local_scanner.pb.go | 124 +------ .../internalapi/central/sensor_iservice.pb.go | 341 ++++++++++++++---- proto/internalapi/central/local_scanner.proto | 11 +- .../internalapi/central/sensor_iservice.proto | 3 + 8 files changed, 371 insertions(+), 329 deletions(-) delete mode 100644 central/localscanner/service.go diff --git a/central/localscanner/certificates.go b/central/localscanner/certificates.go index 4971aa77f9d8e..2b6a62a10d6b9 100644 --- a/central/localscanner/certificates.go +++ b/central/localscanner/certificates.go @@ -1,7 +1,9 @@ package localscanner import ( + "github.com/hashicorp/go-multierror" "github.com/pkg/errors" + "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/certgen" "github.com/stackrox/rox/pkg/mtls" 
@@ -10,6 +12,44 @@ import ( // secretDataMap represents data stored as part of a secret. type secretDataMap = map[string][]byte +// IssueLocalScannerCerts issue certificates for Local scaner. +func IssueLocalScannerCerts(namespace string, clusterID string) (*central.IssueLocalScannerCertsResponse, error) { + if namespace == "" { + return nil, errors.New("namespace is required to issue the certificates for the local scanner") + } + + var certIssueError error + scannerCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_SERVICE, namespace, clusterID) + if err != nil { + certIssueError = multierror.Append(certIssueError, err) + } + scannerDBCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_DB_SERVICE, namespace, clusterID) + if err != nil { + certIssueError = multierror.Append(certIssueError, err) + } + if certIssueError != nil { + return nil, certIssueError + } + + return ¢ral.IssueLocalScannerCertsResponse{ + ScannerCerts: scannerCertificates, + ScannerDbCerts: scannerDBCertificates, + }, nil +} + +func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (*central.LocalScannerCertificates, error) { + certificates, err := generateServiceCertMap(serviceType, namespace, clusterID) + if err != nil { + return nil, errors.Wrapf(err, "error generating certificate for service %s", serviceType) + } + + return ¢ral.LocalScannerCertificates{ + Ca: certificates[mtls.CACertFileName], + Cert: certificates[mtls.ServiceCertFileName], + Key: certificates[mtls.ServiceKeyFileName], + }, nil +} + func generateServiceCertMap(serviceType storage.ServiceType, namespace string, clusterID string) (secretDataMap, error) { if serviceType != storage.ServiceType_SCANNER_SERVICE && serviceType != storage.ServiceType_SCANNER_DB_SERVICE { return nil, errors.Errorf("can only generate certificates for Scanner services, service type %s is not supported", 
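Review bot: `IssueLocalScannerCerts` is now exported and reachable from the sensor connection handler, but it validates only `namespace` and still accepts an empty `clusterID`, which presumably ends up in the identity of the issued certificates via `generateServiceCertMap`; add `if clusterID == "" { return nil, errors.New("cluster ID is required to issue the certificates for the local scanner") }` next to the namespace check so a bad caller value fails early with a clear message. The doc comment also has a typo ("scaner") and should read `// IssueLocalScannerCerts issues certificates for the local Scanner and Scanner DB services in the given namespace and cluster.`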
diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 3b462f4e3a0e2..db49481cfa0d6 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -118,29 +118,30 @@ func (s *localScannerSuite) TestCertificateGeneration() { } func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { - testCases := []struct { - description string - namespace string - shouldFail bool + testCases := map[string]struct { + namespace string + shouldFail bool }{ - {"no parameter missing", namespace, false}, - {"namespace missing", "", true}, + "no parameter missing": {namespace, false}, + "namespace missing": {"", true}, } - for _, tc := range testCases { - resp, err := issueLocalScannerCerts(tc.namespace, clusterID) - if tc.shouldFail { - s.Require().Error(err, tc.description) - continue - } - s.Require().NoError(err, tc.description) - for _, certs := range []*central.LocalScannerCertificates{ - resp.GetScannerCerts(), - resp.GetScannerDbCerts(), - } { - s.Require().NotNil(certs, tc.description) - s.Assert().NotEmpty(certs.GetCa(), tc.description) - s.Assert().NotEmpty(certs.GetCert(), tc.description) - s.Assert().NotEmpty(certs.GetKey(), tc.description) - } + for tcName, tc := range testCases { + s.Run(tcName, func() { + resp, err := IssueLocalScannerCerts(tc.namespace, clusterID) + if tc.shouldFail { + s.Require().Error(err) + return + } + s.Require().NoError(err) + for _, certs := range []*central.LocalScannerCertificates{ + resp.GetScannerCerts(), + resp.GetScannerDbCerts(), + } { + s.Require().NotNil(certs) + s.Assert().NotEmpty(certs.GetCa()) + s.Assert().NotEmpty(certs.GetCert()) + s.Assert().NotEmpty(certs.GetKey()) + } + }) } } diff --git a/central/localscanner/service.go b/central/localscanner/service.go deleted file mode 100644 index 0bd6d89150131..0000000000000 --- a/central/localscanner/service.go +++ /dev/null 
@@ -1,119 +0,0 @@ -package localscanner - -import ( - "context" - - "github.com/grpc-ecosystem/grpc-gateway/runtime" - "github.com/hashicorp/go-multierror" - "github.com/pkg/errors" - clusterDataStore "github.com/stackrox/rox/central/cluster/datastore" - "github.com/stackrox/rox/generated/internalapi/central" - "github.com/stackrox/rox/generated/storage" - "github.com/stackrox/rox/pkg/centralsensor" - "github.com/stackrox/rox/pkg/errorhelpers" - pkgGRPC "github.com/stackrox/rox/pkg/grpc" - "github.com/stackrox/rox/pkg/grpc/authn" - "github.com/stackrox/rox/pkg/mtls" - "google.golang.org/grpc" -) - -// Service is the interface for the local scanner service. -type Service interface { - pkgGRPC.APIService - central.LocalScannerServiceServer -} - -// New creates a new local scanner service. -func New(clusters clusterDataStore.DataStore) Service { - return &serviceImpl{ - clusters: clusters, - } -} - -type serviceImpl struct { - clusters clusterDataStore.DataStore -} - -func (s *serviceImpl) RegisterServiceServer(server *grpc.Server) { - central.RegisterLocalScannerServiceServer(server, s) -} - -func (s *serviceImpl) RegisterServiceHandler(context.Context, *runtime.ServeMux, *grpc.ClientConn) error { - return nil -} - -func (s *serviceImpl) IssueLocalScannerCerts(ctx context.Context, request *central.IssueLocalScannerCertsRequest) (*central.IssueLocalScannerCertsResponse, error) { - clusterID, err := s.authorizeAndGetClusterID(ctx) - if err != nil { - return nil, errors.Wrap(err, "failure fetching cluster ID") - } - - return issueLocalScannerCerts(request.GetNamespace(), clusterID) -} - -func (s *serviceImpl) authorizeAndGetClusterID(ctx context.Context) (string, error) { - identity, err := authn.IdentityFromContext(ctx) - if err != nil { - return "", errors.Wrap(err, "could not determine identity from request context") - } - if identity == nil { - return "", errors.New("could not determine identity from request context") - } - - svc := identity.Service() - if svc == 
nil || svc.GetType() != storage.ServiceType_SENSOR_SERVICE { - return "", errorhelpers.NewErrNotAuthorized("only sensor may access this API") - } - - clusterID := svc.GetId() - if centralsensor.IsInitCertClusterID(clusterID) { - return "", errors.Errorf("cannot issue local Scanner credentials for a cluster that has not yet been assigned an ID: found id %q", clusterID) - } - - _, clusterExists, err := s.clusters.GetCluster(ctx, clusterID) - if err != nil { - return "", errors.Wrapf(err, "error fetching cluster with ID %q", clusterID) - } - if !clusterExists { - return "", errors.Errorf("cluster with ID %q does not exist", clusterID) - } - - return clusterID, nil -} - -func issueLocalScannerCerts(namespace string, clusterID string) (*central.IssueLocalScannerCertsResponse, error) { - if namespace == "" { - return nil, errors.New("namespace is required to issue the certificates for the local scanner") - } - - var certIssueError error - scannerCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_SERVICE, namespace, clusterID) - if err != nil { - certIssueError = multierror.Append(certIssueError, err) - } - scannerDBCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_DB_SERVICE, namespace, clusterID) - if err != nil { - certIssueError = multierror.Append(certIssueError, err) - } - if certIssueError != nil { - return nil, certIssueError - } - - return ¢ral.IssueLocalScannerCertsResponse{ - ScannerCerts: scannerCertificates, - ScannerDbCerts: scannerDBCertificates, - }, nil -} - -func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (*central.LocalScannerCertificates, error) { - certificates, err := generateServiceCertMap(serviceType, namespace, clusterID) - if err != nil { - return nil, errors.Wrapf(err, "error generating certificate for service %s", serviceType) - } - - return ¢ral.LocalScannerCertificates{ - Ca: certificates[mtls.CACertFileName], - Cert: 
certificates[mtls.ServiceCertFileName], - Key: certificates[mtls.ServiceKeyFileName], - }, nil -} diff --git a/central/sensor/service/connection/connection_impl.go b/central/sensor/service/connection/connection_impl.go index 7d5e1a8d51f33..9c24e30d0922a 100644 --- a/central/sensor/service/connection/connection_impl.go +++ b/central/sensor/service/connection/connection_impl.go @@ -4,6 +4,7 @@ import ( "context" "github.com/pkg/errors" + "github.com/stackrox/rox/central/localscanner" "github.com/stackrox/rox/central/networkpolicies/graph" "github.com/stackrox/rox/central/scrape" "github.com/stackrox/rox/central/sensor/networkentities" @@ -215,6 +216,8 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr return c.networkPoliciesCtrl.ProcessNetworkPoliciesResponse(m.NetworkPoliciesResponse) case *central.MsgFromSensor_TelemetryDataResponse: return c.telemetryCtrl.ProcessTelemetryDataResponse(m.TelemetryDataResponse) + case *central.MsgFromSensor_IssueLocalScannerCertsRequest: + return c.processIssueLocalScannerCertsRequest(ctx, m.IssueLocalScannerCertsRequest) case *central.MsgFromSensor_Event: // Special case the reprocess deployment because its fields are already set if msg.GetEvent().GetReprocessDeployment() != nil { 
@@ -234,6 +237,20 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr return c.eventPipeline.Run(ctx, msg, c) } +func (c *sensorConnection) processIssueLocalScannerCertsRequest(ctx context.Context, request *central.IssueLocalScannerCertsRequest) error { + namespace := request.GetNamespace() + certs, err := localscanner.IssueLocalScannerCerts(namespace, c.clusterID) + errMsgTemplate := "Error issuing local Scanner certificates for cluster with ID %s and namespace %s" + if err != nil { + return errors.Wrapf(err, errMsgTemplate, c.clusterID, namespace) + } + err = c.InjectMessage(ctx, ¢ral.MsgToSensor{Msg: ¢ral.MsgToSensor_IssueLocalScannerCertsResponse{IssueLocalScannerCertsResponse: certs}}) + if err != nil { + return errors.Wrapf(err, errMsgTemplate, c.clusterID, namespace) + } + return nil +} + // getPolicySyncMsg fetches stored policies and prepares them for delivery to sensor. func (c *sensorConnection) getPolicySyncMsg(ctx context.Context) (*central.MsgToSensor, error) { policies, err := c.policyMgr.GetAllPolicies(ctx) diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go index 61cc81c5f59b8..995314c2a3ec8 100644 --- a/generated/internalapi/central/local_scanner.pb.go +++ b/generated/internalapi/central/local_scanner.pb.go @@ -4,13 +4,9 @@ package central import ( - context "context" fmt "fmt" proto "github.com/golang/protobuf/proto" _ "github.com/stackrox/rox/generated/storage" - grpc "google.golang.org/grpc" - codes "google.golang.org/grpc/codes" - status "google.golang.org/grpc/status" io "io" math "math" math_bits "math/bits" 
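Review bot: When `localscanner.IssueLocalScannerCerts` or `InjectMessage` fails, `processIssueLocalScannerCertsRequest` only returns the error up through `handleMessage` and nothing is sent back to sensor, so the requesting side cannot distinguish a rejected request from one still in flight and is left to time out. I cannot see from this hunk what the caller of `handleMessage` does with a returned error, so it is worth confirming that a single bad certificate request does not tear down the whole sensor connection. `errMsgTemplate` starts with a capital and the word "Error", which stacks badly under further wrapping; the conventional form is `errMsgTemplate := "issuing local Scanner certificates for cluster with ID %s and namespace %s"`. The response embeds the issued private keys (`Key` in `LocalScannerCertificates`), so any logging of `MsgToSensor` payloads would need to exclude this message type.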
@@ -256,107 +252,25 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 316 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xc1, 0x4a, 0xf3, 0x40, - 0x14, 0x85, 0xff, 0x49, 0x7f, 0x94, 0x5e, 0x6b, 0x29, 0x23, 0x48, 0x2c, 0x3a, 0x68, 0x17, 0xd6, - 0x55, 0x0b, 0x75, 0xed, 0x46, 0x45, 0x10, 0x5d, 0x48, 0xba, 0x73, 0x53, 0x26, 0xd3, 0xab, 0x0c, - 0xc6, 0x49, 0x9c, 0x3b, 0x15, 0xba, 0xf3, 0x31, 0x7c, 0x11, 0xdf, 0xc1, 0xa5, 0x8f, 0x20, 0xf1, - 0x45, 0x24, 0x93, 0x54, 0x8b, 0x58, 0x75, 0x77, 0xb9, 0x39, 0xe7, 0xcb, 0x9c, 0x33, 0x03, 0x5d, - 0x6d, 0x1c, 0x5a, 0x23, 0x13, 0x99, 0xe9, 0xbe, 0x42, 0xe3, 0xac, 0x4c, 0xfa, 0x49, 0xaa, 0x64, - 0x32, 0x22, 0x25, 0x8d, 0x41, 0xdb, 0xcb, 0x6c, 0xea, 0x52, 0xbe, 0x5c, 0x7d, 0x6c, 0x0b, 0x72, - 0xa9, 0x95, 0xd7, 0xd8, 0x27, 0xb4, 0xf7, 0x5a, 0xe1, 0x48, 0x8f, 0xd1, 0x38, 0xed, 0xa6, 0xa5, - 0xb0, 0x73, 0x01, 0xe1, 0x79, 0xe1, 0x1f, 0x96, 0xf6, 0x23, 0xb4, 0x4e, 0x5f, 0x69, 0x25, 0x1d, - 0x12, 0x6f, 0x42, 0xa0, 0x64, 0xc8, 0xb6, 0xd9, 0x5e, 0x23, 0x0a, 0x94, 0xe4, 0x1c, 0xfe, 0x2b, - 0xb4, 0x2e, 0x0c, 0xfc, 0xc6, 0xcf, 0xbc, 0x05, 0xb5, 0x1b, 0x9c, 0x86, 0x35, 0xbf, 0x2a, 0xc6, - 0xce, 0x01, 0x6c, 0x9d, 0x12, 0x4d, 0xf0, 0x2b, 0x96, 0x22, 0xbc, 0x9b, 0x20, 0x39, 0xbe, 0x09, - 0x75, 0x23, 0x6f, 0x91, 0x32, 0xa9, 0xd0, 0xd3, 0xeb, 0xd1, 0xe7, 0xa2, 0xf3, 0xc4, 0x40, 0x2c, - 0xf2, 0x53, 0x96, 0x1a, 0x42, 0x7e, 0x02, 0xab, 0x55, 0xda, 0x51, 0x71, 0x06, 0xf2, 0x90, 0x95, - 0xc1, 0x4e, 0xaf, 0x0a, 0xdd, 0x5b, 0x94, 0x28, 0x6a, 0xd0, 0x1c, 0x8f, 0x9f, 0x41, 0x6b, 0xc6, - 0x19, 0xc7, 0x15, 0x2a, 0xf8, 0x2b, 0xaa, 0x59, 0x59, 0x8f, 0x63, 0x0f, 0x1b, 0x3c, 0x30, 0x58, - 0x9b, 0x17, 0x0f, 0xcb, 0xbe, 0xb9, 0x86, 0xf5, 0xef, 0xe3, 0xf0, 0xdd, 0x8f, 0x9f, 0xfc, 0xd8, - 0x57, 0xbb, 0xfb, 0xab, 0xae, 0xec, 0xe5, 0x70, 0xe3, 0x39, 0x17, 0xec, 0x25, 0x17, 0xec, 0x35, - 0x17, 0xec, 0xf1, 0x4d, 0xfc, 0xbb, 0x9c, 0x3d, 0x83, 0x78, 0xc9, 0xdf, 0xf6, 0xfe, 0x7b, 0x00, - 
0x00, 0x00, 0xff, 0xff, 0x16, 0xc6, 0x41, 0xdf, 0x41, 0x02, 0x00, 0x00, -} - -// Reference imports to suppress errors if they are not otherwise used. -var _ context.Context -var _ grpc.ClientConnInterface - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -const _ = grpc.SupportPackageIsVersion6 - -// LocalScannerServiceClient is the client API for LocalScannerService service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConnInterface.NewStream. -type LocalScannerServiceClient interface { - IssueLocalScannerCerts(ctx context.Context, in *IssueLocalScannerCertsRequest, opts ...grpc.CallOption) (*IssueLocalScannerCertsResponse, error) -} - -type localScannerServiceClient struct { - cc grpc.ClientConnInterface -} - -func NewLocalScannerServiceClient(cc grpc.ClientConnInterface) LocalScannerServiceClient { - return &localScannerServiceClient{cc} -} - -func (c *localScannerServiceClient) IssueLocalScannerCerts(ctx context.Context, in *IssueLocalScannerCertsRequest, opts ...grpc.CallOption) (*IssueLocalScannerCertsResponse, error) { - out := new(IssueLocalScannerCertsResponse) - err := c.cc.Invoke(ctx, "/central.LocalScannerService/IssueLocalScannerCerts", in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -// LocalScannerServiceServer is the server API for LocalScannerService service. -type LocalScannerServiceServer interface { - IssueLocalScannerCerts(context.Context, *IssueLocalScannerCertsRequest) (*IssueLocalScannerCertsResponse, error) -} - -// UnimplementedLocalScannerServiceServer can be embedded to have forward compatible implementations. 
-type UnimplementedLocalScannerServiceServer struct { -} - -func (*UnimplementedLocalScannerServiceServer) IssueLocalScannerCerts(ctx context.Context, req *IssueLocalScannerCertsRequest) (*IssueLocalScannerCertsResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method IssueLocalScannerCerts not implemented") -} - -func RegisterLocalScannerServiceServer(s *grpc.Server, srv LocalScannerServiceServer) { - s.RegisterService(&_LocalScannerService_serviceDesc, srv) -} - -func _LocalScannerService_IssueLocalScannerCerts_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(IssueLocalScannerCertsRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(LocalScannerServiceServer).IssueLocalScannerCerts(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/central.LocalScannerService/IssueLocalScannerCerts", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(LocalScannerServiceServer).IssueLocalScannerCerts(ctx, req.(*IssueLocalScannerCertsRequest)) - } - return interceptor(ctx, in, info, handler) -} - -var _LocalScannerService_serviceDesc = grpc.ServiceDesc{ - ServiceName: "central.LocalScannerService", - HandlerType: (*LocalScannerServiceServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "IssueLocalScannerCerts", - Handler: _LocalScannerService_IssueLocalScannerCerts_Handler, - }, - }, - Streams: []grpc.StreamDesc{}, - Metadata: "internalapi/central/local_scanner.proto", + // 282 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x91, 0xc1, 0x4a, 0xc4, 0x30, + 0x10, 0x86, 0x4d, 0x57, 0x94, 0x8d, 0xeb, 0xb2, 0xe4, 0x54, 0x45, 0x83, 0xee, 0x45, 0x4f, 0x2d, + 0xe8, 0xd9, 0x8b, 0x8a, 0x20, 0x7a, 0x90, 0x7a, 0xf3, 0x52, 0xa6, 0xd9, 0x51, 0x82, 0x35, 0xad, + 0x99, 0x59, 0x61, 0xdf, 
0xc4, 0x17, 0xf1, 0x1d, 0x3c, 0xfa, 0x08, 0x52, 0x5f, 0x44, 0x9a, 0xed, + 0xa2, 0x08, 0x0b, 0xde, 0x86, 0x3f, 0xf9, 0x3e, 0xf2, 0x67, 0xe4, 0x81, 0x75, 0x8c, 0xde, 0x41, + 0x09, 0xb5, 0x4d, 0x0d, 0x3a, 0xf6, 0x50, 0xa6, 0x65, 0x65, 0xa0, 0xcc, 0xc9, 0x80, 0x73, 0xe8, + 0x93, 0xda, 0x57, 0x5c, 0xa9, 0xf5, 0xee, 0x70, 0x5b, 0x13, 0x57, 0x1e, 0x1e, 0x30, 0x25, 0xf4, + 0x2f, 0xd6, 0x60, 0x6e, 0x27, 0xe8, 0xd8, 0xf2, 0x6c, 0x7e, 0x71, 0x7c, 0x23, 0xe3, 0xeb, 0x96, + 0xbf, 0x9d, 0xe3, 0x67, 0xe8, 0xd9, 0xde, 0x5b, 0x03, 0x8c, 0xa4, 0x86, 0x32, 0x32, 0x10, 0x8b, + 0x3d, 0x71, 0x38, 0xc8, 0x22, 0x03, 0x4a, 0xc9, 0x55, 0x83, 0x9e, 0xe3, 0x28, 0x24, 0x61, 0x56, + 0x23, 0xd9, 0x7b, 0xc4, 0x59, 0xdc, 0x0b, 0x51, 0x3b, 0x8e, 0x4f, 0xe4, 0xee, 0x25, 0xd1, 0x14, + 0xff, 0x6a, 0x29, 0xc3, 0xe7, 0x29, 0x12, 0xab, 0x1d, 0xd9, 0x77, 0xf0, 0x84, 0x54, 0x83, 0xc1, + 0x60, 0xef, 0x67, 0x3f, 0xc1, 0xf8, 0x4d, 0x48, 0xbd, 0x8c, 0xa7, 0xba, 0x72, 0x84, 0xea, 0x42, + 0x6e, 0x76, 0x6d, 0xf3, 0xf6, 0x0d, 0x14, 0x24, 0x1b, 0x47, 0xfb, 0x49, 0x57, 0x3a, 0x59, 0xd6, + 0x28, 0x1b, 0xd0, 0x2f, 0x9f, 0xba, 0x92, 0xa3, 0x85, 0x67, 0x52, 0x74, 0xaa, 0xe8, 0xbf, 0xaa, + 0x61, 0x87, 0x9e, 0x17, 0x41, 0x76, 0xba, 0xf5, 0xde, 0x68, 0xf1, 0xd1, 0x68, 0xf1, 0xd9, 0x68, + 0xf1, 0xfa, 0xa5, 0x57, 0xee, 0x16, 0x3b, 0x28, 0xd6, 0xc2, 0x57, 0x1f, 0x7f, 0x07, 0x00, 0x00, + 0xff, 0xff, 0xf1, 0xa2, 0x6a, 0x5a, 0xbe, 0x01, 0x00, 0x00, } func (m *LocalScannerCertificates) Marshal() (dAtA []byte, err error) { diff --git a/generated/internalapi/central/sensor_iservice.pb.go b/generated/internalapi/central/sensor_iservice.pb.go index 62421f690467b..b48e16d56bca3 100644 --- a/generated/internalapi/central/sensor_iservice.pb.go +++ b/generated/internalapi/central/sensor_iservice.pb.go 
@@ -40,6 +40,7 @@ type MsgFromSensor struct { // *MsgFromSensor_ClusterHealthInfo // *MsgFromSensor_Hello // *MsgFromSensor_AuditLogStatusInfo + // *MsgFromSensor_IssueLocalScannerCertsRequest Msg isMsgFromSensor_Msg `protobuf_oneof:"msg"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -113,6 +114,9 @@ type MsgFromSensor_Hello struct { type MsgFromSensor_AuditLogStatusInfo struct { AuditLogStatusInfo *AuditLogStatusInfo `protobuf:"bytes,11,opt,name=audit_log_status_info,json=auditLogStatusInfo,proto3,oneof" json:"audit_log_status_info,omitempty"` } +type MsgFromSensor_IssueLocalScannerCertsRequest struct { + IssueLocalScannerCertsRequest *IssueLocalScannerCertsRequest `protobuf:"bytes,12,opt,name=issue_local_scanner_certs_request,json=issueLocalScannerCertsRequest,proto3,oneof" json:"issue_local_scanner_certs_request,omitempty"` +} func (*MsgFromSensor_Event) isMsgFromSensor_Msg() {} func (m *MsgFromSensor_Event) Clone() isMsgFromSensor_Msg { @@ -213,6 +217,17 @@ func (m *MsgFromSensor_AuditLogStatusInfo) Clone() isMsgFromSensor_Msg { cloned.AuditLogStatusInfo = m.AuditLogStatusInfo.Clone() return cloned } +func (*MsgFromSensor_IssueLocalScannerCertsRequest) isMsgFromSensor_Msg() {} +func (m *MsgFromSensor_IssueLocalScannerCertsRequest) Clone() isMsgFromSensor_Msg { + if m == nil { + return nil + } + cloned := new(MsgFromSensor_IssueLocalScannerCertsRequest) + *cloned = *m + + cloned.IssueLocalScannerCertsRequest = m.IssueLocalScannerCertsRequest.Clone() + return cloned +} func (m *MsgFromSensor) GetMsg() isMsgFromSensor_Msg { if m != nil { 
@@ -298,6 +313,13 @@ func (m *MsgFromSensor) GetAuditLogStatusInfo() *AuditLogStatusInfo { return nil } +func (m *MsgFromSensor) GetIssueLocalScannerCertsRequest() *IssueLocalScannerCertsRequest { + if x, ok := m.GetMsg().(*MsgFromSensor_IssueLocalScannerCertsRequest); ok { + return x.IssueLocalScannerCertsRequest + } + return nil +} + // XXX_OneofWrappers is for the internal use of the proto package. func (*MsgFromSensor) XXX_OneofWrappers() []interface{} { return []interface{}{ @@ -310,6 +332,7 @@ func (*MsgFromSensor) XXX_OneofWrappers() []interface{} { (*MsgFromSensor_ClusterHealthInfo)(nil), (*MsgFromSensor_Hello)(nil), (*MsgFromSensor_AuditLogStatusInfo)(nil), + (*MsgFromSensor_IssueLocalScannerCertsRequest)(nil), } } @@ -399,6 +422,7 @@ type MsgToSensor struct { // *MsgToSensor_AuditLogSync // *MsgToSensor_ReprocessDeployment // *MsgToSensor_InvalidateImageCache + // *MsgToSensor_IssueLocalScannerCertsResponse Msg isMsgToSensor_Msg `protobuf_oneof:"msg"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -493,6 +517,9 @@ type MsgToSensor_ReprocessDeployment struct { type MsgToSensor_InvalidateImageCache struct { InvalidateImageCache *InvalidateImageCache `protobuf:"bytes,16,opt,name=invalidate_image_cache,json=invalidateImageCache,proto3,oneof" json:"invalidate_image_cache,omitempty"` } +type MsgToSensor_IssueLocalScannerCertsResponse struct { + IssueLocalScannerCertsResponse *IssueLocalScannerCertsResponse `protobuf:"bytes,17,opt,name=issue_local_scanner_certs_response,json=issueLocalScannerCertsResponse,proto3,oneof" json:"issue_local_scanner_certs_response,omitempty"` +} func (*MsgToSensor_Enforcement) isMsgToSensor_Msg() {} func (m *MsgToSensor_Enforcement) Clone() isMsgToSensor_Msg { 
@@ -670,6 +697,17 @@ func (m *MsgToSensor_InvalidateImageCache) Clone() isMsgToSensor_Msg { cloned.InvalidateImageCache = m.InvalidateImageCache.Clone() return cloned } +func (*MsgToSensor_IssueLocalScannerCertsResponse) isMsgToSensor_Msg() {} +func (m *MsgToSensor_IssueLocalScannerCertsResponse) Clone() isMsgToSensor_Msg { + if m == nil { + return nil + } + cloned := new(MsgToSensor_IssueLocalScannerCertsResponse) + *cloned = *m + + cloned.IssueLocalScannerCertsResponse = m.IssueLocalScannerCertsResponse.Clone() + return cloned +} func (m *MsgToSensor) GetMsg() isMsgToSensor_Msg { if m != nil { @@ -790,6 +828,13 @@ func (m *MsgToSensor) GetInvalidateImageCache() *InvalidateImageCache { return nil } +func (m *MsgToSensor) GetIssueLocalScannerCertsResponse() *IssueLocalScannerCertsResponse { + if x, ok := m.GetMsg().(*MsgToSensor_IssueLocalScannerCertsResponse); ok { + return x.IssueLocalScannerCertsResponse + } + return nil +} + // XXX_OneofWrappers is for the internal use of the proto package. func (*MsgToSensor) XXX_OneofWrappers() []interface{} { return []interface{}{ @@ -809,6 +854,7 @@ func (*MsgToSensor) XXX_OneofWrappers() []interface{} { (*MsgToSensor_AuditLogSync)(nil), (*MsgToSensor_ReprocessDeployment)(nil), (*MsgToSensor_InvalidateImageCache)(nil), + (*MsgToSensor_IssueLocalScannerCertsResponse)(nil), } } 
@@ -1176,82 +1222,87 @@ func init() { } var fileDescriptor_9d0a66b7b73dbb5d = []byte{ - // 1198 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x57, 0xdd, 0x4e, 0x1b, 0x47, - 0x14, 0xf6, 0x86, 0x12, 0xf0, 0x18, 0x13, 0x32, 0x60, 0xc7, 0x38, 0x85, 0x50, 0x47, 0x21, 0x54, - 0x6a, 0x4d, 0x4a, 0xa5, 0xb6, 0xaa, 0xd2, 0x46, 0x85, 0x80, 0x8c, 0x12, 0x28, 0x5d, 0xe0, 0xa2, - 0x3f, 0xea, 0x6a, 0xd8, 0x3d, 0xb6, 0x57, 0x8c, 0x67, 0xb7, 0x3b, 0xb3, 0x20, 0xbf, 0x49, 0x1f, - 0xa2, 0x0f, 0xd2, 0xcb, 0x3e, 0x42, 0x45, 0x7b, 0x5b, 0xa9, 0xea, 0x13, 0x54, 0xf3, 0xb3, 0x3f, - 0xac, 0x17, 0xab, 0x97, 0xbd, 0xf2, 0xce, 0x39, 0xdf, 0xf9, 0xe6, 0xcc, 0x99, 0x6f, 0xce, 0x8c, - 0xd1, 0xfb, 0x3e, 0x13, 0x10, 0x31, 0x42, 0x49, 0xe8, 0x6f, 0xbb, 0xc0, 0x44, 0x44, 0xe8, 0x36, - 0x07, 0xc6, 0x83, 0xc8, 0xf1, 0x39, 0x44, 0x57, 0xbe, 0x0b, 0xdd, 0x30, 0x0a, 0x44, 0x80, 0xe7, - 0x8c, 0xbb, 0xbd, 0x55, 0x16, 0xe3, 0xd2, 0x98, 0x0b, 0x88, 0x1c, 0x37, 0x60, 0x7d, 0x7f, 0xa0, - 0x43, 0xa6, 0x23, 0xb9, 0x20, 0x22, 0xe6, 0x06, 0xb9, 0x59, 0x86, 0x64, 0x20, 0xae, 0x83, 0xe8, - 0xd2, 0xe9, 0xd3, 0xe0, 0xda, 0xe0, 0x9e, 0x95, 0xe1, 0xc2, 0x80, 0xfa, 0xee, 0xd8, 0xe1, 0x63, - 0xe6, 0x1a, 0xd8, 0xf3, 0x29, 0xcb, 0x82, 0x2b, 0x60, 0x82, 0x4f, 0xcb, 0xd0, 0x00, 0xe3, 0x70, - 0x10, 0x11, 0xcf, 0x2c, 0xbf, 0xfd, 0xb4, 0x0c, 0x29, 0x80, 0xc2, 0x08, 0x44, 0x34, 0x9e, 0x36, - 0xef, 0x05, 0xe1, 0x40, 0x7d, 0x06, 0xf9, 0x04, 0x9f, 0x94, 0x01, 0x87, 0x40, 0x69, 0x60, 0x00, - 0xdb, 0xd3, 0x0a, 0x52, 0xc6, 0xd8, 0xe0, 0x22, 0x88, 0xc8, 0x00, 0x92, 0xfa, 0x6a, 0x73, 0xe7, - 0xaf, 0x59, 0x54, 0x3f, 0xe2, 0x83, 0x83, 0x28, 0x18, 0x9d, 0xaa, 0x65, 0xe1, 0x55, 0x34, 0x3f, - 0x24, 0x7c, 0xe8, 0x5c, 0xc2, 0xb8, 0x35, 0xb7, 0x61, 0x6d, 0x55, 0xed, 0x39, 0x39, 0x7e, 0x03, - 0x63, 0xbc, 0x86, 0x90, 0x07, 0x5e, 0x1c, 0x82, 0x72, 0xce, 0x2b, 0x67, 0x55, 0x5b, 0xa4, 0xfb, - 0x03, 0x34, 0xab, 0x8a, 0xd7, 0xb2, 0x36, 0xac, 0xad, 0xda, 0xce, 0x4a, 0xd7, 0xe4, 0xd5, 0xd5, - 
0xcc, 0xfb, 0xd2, 0xd7, 0xab, 0xd8, 0x1a, 0x84, 0xdf, 0xa2, 0xe5, 0xfc, 0x06, 0x3a, 0x71, 0xe8, - 0x11, 0x01, 0xad, 0x7b, 0x2a, 0xb6, 0x9d, 0xc6, 0x1e, 0x6b, 0xcc, 0x01, 0x0d, 0xae, 0xcf, 0x15, - 0xa2, 0x57, 0xb1, 0x1f, 0xb2, 0xa2, 0x11, 0xbf, 0x44, 0x75, 0xee, 0x46, 0x24, 0x84, 0x84, 0x67, - 0x46, 0xf1, 0x34, 0xb2, 0x1c, 0x94, 0x37, 0xa5, 0x58, 0xe0, 0xb9, 0x31, 0xfe, 0x11, 0xad, 0x26, - 0xb9, 0x28, 0xb1, 0xf8, 0xc0, 0x9d, 0x08, 0x78, 0x18, 0x30, 0x0e, 0xad, 0x77, 0x14, 0xd3, 0x46, - 0x31, 0xa3, 0x13, 0x03, 0xb4, 0x0d, 0xae, 0x57, 0xb1, 0x1f, 0xb1, 0x72, 0x17, 0xb6, 0x51, 0xe3, - 0xb6, 0xac, 0x93, 0x2c, 0x67, 0x15, 0xf7, 0xbb, 0x29, 0xf7, 0x9e, 0x46, 0x9d, 0x2a, 0x50, 0x9a, - 0xec, 0xb2, 0x3b, 0x69, 0xc6, 0x3f, 0xa0, 0x47, 0xa9, 0xbc, 0x1c, 0x8f, 0x08, 0x92, 0x65, 0x7c, - 0x5f, 0xb1, 0x76, 0x52, 0xd6, 0x93, 0x98, 0xd2, 0xb3, 0x04, 0xfb, 0x9a, 0x08, 0x92, 0xcb, 0xb9, - 0x21, 0xca, 0x1c, 0xf8, 0x6b, 0x94, 0x4c, 0xea, 0x0c, 0x81, 0x50, 0x31, 0x74, 0x7c, 0xd6, 0x0f, - 0x5a, 0x55, 0xc5, 0xbc, 0x96, 0x32, 0xdb, 0xe4, 0xda, 0xa4, 0xdc, 0x53, 0xa8, 0x43, 0xd6, 0x0f, - 0xe4, 0x06, 0xb9, 0x45, 0xa3, 0x14, 0x87, 0xd2, 0x6f, 0x0b, 0x95, 0x8a, 0xa3, 0x27, 0x7d, 0x52, - 0x1c, 0x0a, 0x84, 0x4f, 0x50, 0x83, 0xc4, 0x9e, 0x2f, 0x1c, 0x1a, 0x0c, 0x92, 0x92, 0xa9, 0x04, - 0x6a, 0x2a, 0xfa, 0x71, 0x1a, 0xfd, 0x95, 0x44, 0xbd, 0x0d, 0x06, 0xba, 0x34, 0x66, 0x7a, 0x4c, - 0x26, 0xac, 0xbb, 0xb3, 0x68, 0x66, 0xc4, 0x07, 0x1d, 0x8c, 0x96, 0x6c, 0x20, 0x9c, 0x03, 0xe7, - 0xc9, 0x2e, 0x75, 0xfe, 0xa9, 0xa2, 0xda, 0x11, 0x1f, 0x9c, 0x05, 0xe6, 0x04, 0x7c, 0x89, 0x6a, - 0xc0, 0xfa, 0x41, 0xe4, 0xc2, 0x28, 0x53, 0x73, 0xbb, 0xa8, 0xe6, 0x0c, 0xd1, 0xab, 0xd8, 0xf9, - 0x00, 0xfc, 0x0a, 0x2d, 0x1a, 0x2d, 0xba, 0xc1, 0x68, 0x44, 0x98, 0x67, 0x44, 0xdd, 0x2c, 0x88, - 0x71, 0x4f, 0x7b, 0x7b, 0x15, 0xdb, 0x68, 0xd7, 0x18, 0xf0, 0xf7, 0xa8, 0x35, 0x21, 0xc7, 0x84, - 0x4a, 0xeb, 0xfa, 0xc9, 0x5d, 0x6a, 0xcc, 0x38, 0x9b, 0xac, 0xd4, 0x23, 0xb3, 0xbb, 0xdd, 0x8c, - 0x8d, 0xc0, 0x9b, 0x45, 0x11, 0xee, 
0x29, 0xaf, 0xcc, 0xce, 0xcd, 0x1b, 0xf0, 0x39, 0x6a, 0xde, - 0xee, 0x80, 0x8e, 0x88, 0xfc, 0xc1, 0x00, 0x22, 0xa3, 0xe6, 0xb5, 0x42, 0xa5, 0xce, 0x35, 0xea, - 0x4c, 0x83, 0x7a, 0x15, 0x7b, 0x85, 0x97, 0xd8, 0xf1, 0xb7, 0xa8, 0x39, 0xa1, 0xe7, 0x9f, 0x62, - 0xe0, 0xc2, 0xc8, 0xf9, 0xbd, 0x69, 0x72, 0x56, 0x40, 0x49, 0x2d, 0x4a, 0xec, 0xf8, 0x13, 0x54, - 0xcb, 0xdd, 0x01, 0xaa, 0xab, 0xd5, 0x76, 0x96, 0x33, 0x3e, 0xe5, 0x3b, 0x1d, 0x33, 0xb7, 0x57, - 0xb1, 0x51, 0x98, 0x8e, 0x70, 0x0f, 0x3d, 0x8c, 0x8c, 0x58, 0xd2, 0x8d, 0x50, 0x6d, 0xaf, 0xb6, - 0xb3, 0x9a, 0x1d, 0x81, 0x82, 0x9c, 0x7a, 0x15, 0x7b, 0x29, 0x2a, 0xd8, 0x64, 0x7b, 0xba, 0xd5, - 0x94, 0xcd, 0x41, 0xca, 0xda, 0xd3, 0xae, 0xf1, 0x9a, 0x2c, 0x16, 0x2e, 0x72, 0x63, 0x1c, 0xa3, - 0x8e, 0x4b, 0x98, 0x0b, 0xd4, 0x09, 0x63, 0x4a, 0x9d, 0x3b, 0xca, 0xa4, 0x0f, 0xd6, 0xf3, 0x6c, - 0x1b, 0x55, 0xc8, 0x94, 0x62, 0xad, 0xbb, 0x53, 0x11, 0x78, 0x88, 0xd6, 0xc2, 0x98, 0x0f, 0x9d, - 0x44, 0x8b, 0xc0, 0x84, 0x2f, 0x74, 0x6b, 0xd4, 0x33, 0xea, 0xc3, 0xf8, 0x34, 0xb7, 0x31, 0x7c, - 0x68, 0xf4, 0xb8, 0x6f, 0xb0, 0xd9, 0x6c, 0xed, 0xf0, 0x4e, 0x2f, 0xfe, 0x30, 0x69, 0x0e, 0x0b, - 0x85, 0xb2, 0xec, 0xe9, 0xdf, 0x42, 0x77, 0xb0, 0x51, 0xa3, 0xf4, 0xaa, 0x6b, 0xd5, 0x0b, 0xed, - 0xd4, 0x4c, 0x57, 0x28, 0x6e, 0x72, 0xef, 0xe4, 0xcd, 0xf8, 0x0b, 0xb4, 0x98, 0xeb, 0x38, 0x92, - 0x6c, 0xb1, 0x90, 0x4b, 0xda, 0x6a, 0xcc, 0x16, 0x91, 0xdc, 0x18, 0x7f, 0x83, 0x56, 0x22, 0x08, - 0xa3, 0xc0, 0x95, 0x5a, 0xf1, 0x20, 0xa4, 0xc1, 0x58, 0x35, 0x8f, 0x07, 0x85, 0x8c, 0xec, 0x04, - 0xf4, 0x3a, 0xc5, 0xc8, 0x8c, 0xa2, 0x49, 0xb3, 0x3c, 0x67, 0x3e, 0xbb, 0x22, 0xd4, 0x97, 0xed, - 0xde, 0xf1, 0x47, 0x64, 0x00, 0x8e, 0x4b, 0xdc, 0x21, 0xb4, 0x96, 0x0a, 0xe7, 0xec, 0x30, 0x85, - 0x1d, 0x4a, 0xd4, 0x9e, 0x04, 0xc9, 0xc3, 0xe0, 0x97, 0xd8, 0x93, 0x46, 0xf8, 0xa7, 0x85, 0x16, - 0xf2, 0x2b, 0xc2, 0x23, 0xd4, 0x66, 0x81, 0x07, 0x4e, 0x56, 0x85, 0xbe, 0x4f, 0x41, 0x35, 0x5f, - 0xe0, 0x2d, 0x6b, 0x63, 0x66, 0xab, 0xb6, 0xf3, 0x51, 0x69, 0x31, 0xba, 
0xc7, 0x81, 0x07, 0x89, - 0xe1, 0xc0, 0xa7, 0x70, 0xaa, 0x62, 0xf6, 0x99, 0x88, 0xc6, 0x76, 0x93, 0x95, 0x3a, 0xdb, 0x80, - 0x1e, 0x4f, 0x09, 0xc3, 0x4b, 0x68, 0x46, 0xbe, 0x31, 0x2c, 0xf5, 0xc6, 0x90, 0x9f, 0xf8, 0x05, - 0x9a, 0xbd, 0x22, 0x34, 0xce, 0x5e, 0x08, 0xe6, 0x41, 0xd3, 0x9d, 0xa0, 0xb0, 0x35, 0xf0, 0xf3, - 0x7b, 0x9f, 0x59, 0x9d, 0xbf, 0x2d, 0x84, 0x27, 0xef, 0x08, 0xcc, 0xff, 0xc3, 0x62, 0x3f, 0x9d, - 0x72, 0xc9, 0xfc, 0x9f, 0x97, 0xfc, 0x12, 0x2d, 0x97, 0xa8, 0x0c, 0x3f, 0x43, 0x8b, 0x99, 0x2e, - 0x1d, 0xdf, 0xd3, 0xcb, 0xac, 0xda, 0xf5, 0xcc, 0x7a, 0xe8, 0xf1, 0xce, 0x2f, 0x16, 0x5a, 0x29, - 0xd3, 0x13, 0xde, 0x47, 0x48, 0x6b, 0xf0, 0x12, 0xc6, 0x49, 0x89, 0x36, 0xa7, 0x4a, 0xb0, 0xab, - 0x3e, 0xdf, 0xc0, 0xd8, 0xae, 0xfa, 0xe6, 0x8b, 0xb7, 0x8f, 0xd0, 0x7c, 0x62, 0x96, 0x4f, 0x4d, - 0x4d, 0xe9, 0x7b, 0x66, 0xd9, 0x73, 0x6a, 0x7c, 0xe8, 0xe1, 0x4d, 0xf4, 0x40, 0xbb, 0xfa, 0xb2, - 0xe3, 0x31, 0x32, 0xd2, 0x45, 0xa8, 0xda, 0x75, 0x65, 0x3e, 0x88, 0x29, 0x3d, 0x26, 0x23, 0xd8, - 0x39, 0x41, 0x75, 0x7d, 0xcb, 0x9c, 0xea, 0x3f, 0x23, 0xf8, 0x15, 0xaa, 0xc9, 0x9b, 0x2e, 0x66, - 0xbe, 0x2b, 0x5f, 0x49, 0xd9, 0xad, 0x76, 0xeb, 0x95, 0xdb, 0x5e, 0xc9, 0xdb, 0x93, 0x9b, 0x7f, - 0xcb, 0x7a, 0x61, 0xed, 0xae, 0xfe, 0x7a, 0xb3, 0x6e, 0xfd, 0x76, 0xb3, 0x6e, 0xfd, 0x7e, 0xb3, - 0x6e, 0xfd, 0xfc, 0xc7, 0x7a, 0xe5, 0xbb, 0xe4, 0x9f, 0xcd, 0xc5, 0x7d, 0xf5, 0x66, 0xfe, 0xf8, - 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0x7f, 0x93, 0x65, 0xd7, 0x16, 0x0d, 0x00, 0x00, + // 1275 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x57, 0xdb, 0x6e, 0x1c, 0x45, + 0x13, 0xde, 0x89, 0x7f, 0xc7, 0x71, 0xaf, 0xed, 0x38, 0xed, 0x43, 0xd6, 0x9b, 0xdf, 0x8e, 0xb3, + 0x51, 0x1c, 0x23, 0x81, 0x13, 0x8c, 0x04, 0x08, 0x05, 0x22, 0xe2, 0xd8, 0x5a, 0x2b, 0x07, 0xcc, + 0x38, 0xb9, 0xe0, 0x20, 0x46, 0x9d, 0x99, 0xda, 0xdd, 0x56, 0x7a, 0x7b, 0x86, 0xee, 0x1e, 0x5b, + 0xfb, 0x26, 0x3c, 0x04, 0x0f, 0xc2, 0x25, 0x8f, 0x00, 0x81, 0x1b, 0xee, 
0x78, 0x04, 0xd4, 0x87, + 0x39, 0x78, 0x76, 0x3c, 0xe2, 0x92, 0xab, 0xdd, 0xae, 0xfa, 0xaa, 0xba, 0xba, 0xfa, 0xab, 0xaa, + 0x1e, 0xf4, 0x1e, 0xe5, 0x0a, 0x04, 0x27, 0x8c, 0x24, 0xf4, 0x41, 0x08, 0x5c, 0x09, 0xc2, 0x1e, + 0x48, 0xe0, 0x32, 0x16, 0x01, 0x95, 0x20, 0xce, 0x68, 0x08, 0x7b, 0x89, 0x88, 0x55, 0x8c, 0xe7, + 0x9c, 0xba, 0xbb, 0x5b, 0x67, 0x13, 0xb2, 0x54, 0x2a, 0x10, 0x41, 0x18, 0xf3, 0x01, 0x1d, 0x5a, + 0x93, 0x66, 0xa4, 0x54, 0x44, 0xa5, 0xd2, 0x21, 0x77, 0xea, 0x90, 0x1c, 0xd4, 0x79, 0x2c, 0xde, + 0x06, 0x03, 0x16, 0x9f, 0x3b, 0xdc, 0xbd, 0x3a, 0x5c, 0x12, 0x33, 0x1a, 0x4e, 0x02, 0x39, 0xe1, + 0xa1, 0x83, 0xdd, 0x6f, 0x38, 0x16, 0x9c, 0x01, 0x57, 0xb2, 0x29, 0x42, 0x07, 0x4c, 0x93, 0xa1, + 0x20, 0x91, 0x3b, 0x7e, 0xf7, 0x6e, 0x1d, 0x52, 0x01, 0x83, 0x31, 0x28, 0x31, 0x69, 0xda, 0xf7, + 0x0d, 0x91, 0xc0, 0x28, 0x87, 0x72, 0x80, 0xb7, 0xeb, 0x80, 0x23, 0x60, 0x2c, 0x76, 0x80, 0x07, + 0x4d, 0x09, 0xa9, 0xf3, 0x58, 0xbb, 0x35, 0x8b, 0x43, 0xc2, 0x02, 0x19, 0x12, 0xce, 0x41, 0x38, + 0xe0, 0x9a, 0x54, 0xb1, 0x20, 0x43, 0xc8, 0x2e, 0xc2, 0x8a, 0x7b, 0xbf, 0x5f, 0x45, 0x8b, 0x2f, + 0xe4, 0xf0, 0x48, 0xc4, 0xe3, 0x53, 0x73, 0x7e, 0xbc, 0x81, 0xae, 0x8d, 0x88, 0x1c, 0x05, 0x6f, + 0x61, 0xd2, 0x99, 0xdb, 0xf6, 0x76, 0xe7, 0xfd, 0x39, 0xbd, 0x7e, 0x06, 0x13, 0xbc, 0x89, 0x50, + 0x04, 0x51, 0x9a, 0x80, 0x51, 0x5e, 0x33, 0xca, 0x79, 0x2b, 0xd1, 0xea, 0xf7, 0xd1, 0xac, 0xc9, + 0x72, 0xc7, 0xdb, 0xf6, 0x76, 0xdb, 0xfb, 0xab, 0x7b, 0x2e, 0x9e, 0x3d, 0xeb, 0xf9, 0x50, 0xeb, + 0xfa, 0x2d, 0xdf, 0x82, 0xf0, 0x73, 0xb4, 0x52, 0xbe, 0xe9, 0x20, 0x4d, 0x22, 0xa2, 0xa0, 0x73, + 0xc5, 0xd8, 0x76, 0x73, 0xdb, 0x97, 0x16, 0x73, 0xc4, 0xe2, 0xf3, 0xd7, 0x06, 0xd1, 0x6f, 0xf9, + 0x37, 0x78, 0x55, 0x88, 0x1f, 0xa1, 0x45, 0x19, 0x0a, 0x92, 0x40, 0xe6, 0x67, 0xc6, 0xf8, 0x59, + 0x2b, 0x62, 0x30, 0xda, 0xdc, 0xc5, 0x82, 0x2c, 0xad, 0xf1, 0x0f, 0x68, 0x23, 0x8b, 0xc5, 0xb0, + 0x8a, 0x82, 0x0c, 0x04, 0xc8, 0x24, 0xe6, 0x12, 0x3a, 0xff, 0x33, 0x9e, 0xb6, 0xab, 0x11, 0x9d, + 0x38, 0xa0, 
0xef, 0x70, 0xfd, 0x96, 0x7f, 0x93, 0xd7, 0xab, 0xb0, 0x8f, 0xd6, 0x2e, 0xf2, 0x3f, + 0x8b, 0x72, 0xd6, 0xf8, 0xfe, 0x7f, 0xee, 0xfb, 0xc0, 0xa2, 0x4e, 0x0d, 0x28, 0x0f, 0x76, 0x25, + 0x9c, 0x16, 0xe3, 0xef, 0xd1, 0xcd, 0x9c, 0x87, 0x41, 0x44, 0x14, 0x29, 0x22, 0xbe, 0x6a, 0xbc, + 0xf6, 0x72, 0xaf, 0x27, 0x29, 0x63, 0xaf, 0x32, 0xec, 0x53, 0xa2, 0x48, 0x29, 0xe6, 0x35, 0x55, + 0xa7, 0xc0, 0x5f, 0xa1, 0x6c, 0xd3, 0x60, 0x04, 0x84, 0xa9, 0x51, 0x40, 0xf9, 0x20, 0xee, 0xcc, + 0x1b, 0xcf, 0x9b, 0xb9, 0x67, 0x9f, 0x9c, 0xbb, 0x90, 0xfb, 0x06, 0x75, 0xcc, 0x07, 0xb1, 0xbe, + 0xa0, 0xb0, 0x2a, 0xd4, 0xe4, 0x30, 0x44, 0xef, 0xa0, 0x5a, 0x72, 0xf4, 0xb5, 0x4e, 0x93, 0xc3, + 0x80, 0xf0, 0x09, 0x5a, 0x23, 0x69, 0x44, 0x55, 0xc0, 0xe2, 0x61, 0x96, 0x32, 0x13, 0x40, 0xdb, + 0x58, 0xdf, 0xca, 0xad, 0xbf, 0xd4, 0xa8, 0xe7, 0xf1, 0xd0, 0xa6, 0xc6, 0x6d, 0x8f, 0xc9, 0x94, + 0x14, 0x0b, 0x74, 0x87, 0x4a, 0x99, 0x42, 0x70, 0xa1, 0x38, 0x82, 0x10, 0x84, 0xd2, 0x77, 0xfd, + 0x63, 0x0a, 0x52, 0x75, 0x16, 0x8c, 0xf7, 0x9d, 0xdc, 0xfb, 0xb1, 0xb6, 0x78, 0xae, 0x0d, 0x4e, + 0x2d, 0xfe, 0x40, 0xc3, 0x7d, 0x8b, 0xee, 0xb7, 0xfc, 0x4d, 0xda, 0x04, 0x78, 0x32, 0x8b, 0x66, + 0xc6, 0x72, 0xd8, 0xc3, 0x68, 0xd9, 0x07, 0x22, 0x25, 0x48, 0x99, 0x31, 0xa3, 0xf7, 0x17, 0x42, + 0xed, 0x17, 0x72, 0xf8, 0x2a, 0x76, 0x55, 0xf7, 0x05, 0x6a, 0x03, 0x1f, 0xc4, 0x22, 0x84, 0x71, + 0x51, 0x41, 0xdd, 0x6a, 0x05, 0x15, 0x88, 0x7e, 0xcb, 0x2f, 0x1b, 0xe0, 0xc7, 0x68, 0xc9, 0xf1, + 0x3f, 0x8c, 0xc7, 0x63, 0xc2, 0x23, 0x57, 0x48, 0xeb, 0x95, 0x02, 0x38, 0xb0, 0xda, 0x7e, 0xcb, + 0x77, 0xf5, 0xe2, 0x04, 0xf8, 0x3b, 0xd4, 0x99, 0x2a, 0x81, 0xcc, 0x95, 0xad, 0xa5, 0xdb, 0x97, + 0x55, 0x40, 0xe1, 0x73, 0x9d, 0xd7, 0x6a, 0x74, 0x74, 0x17, 0x27, 0x85, 0x2b, 0xaa, 0xf5, 0x2a, + 0xf1, 0x0f, 0x8c, 0x56, 0x47, 0x17, 0x96, 0x05, 0xf8, 0x35, 0x5a, 0xbf, 0xd8, 0x9e, 0x03, 0x25, + 0xe8, 0x70, 0x08, 0xc2, 0x55, 0xd0, 0x66, 0x25, 0x53, 0xaf, 0x2d, 0xea, 0x95, 0x05, 0xf5, 0x5b, + 0xfe, 0xaa, 0xac, 0x91, 0xe3, 0x6f, 0xd0, 0xfa, 
0x54, 0x0d, 0x59, 0x26, 0xd8, 0x12, 0xba, 0xd3, + 0x54, 0x42, 0x19, 0x09, 0x56, 0x55, 0x8d, 0x1c, 0x7f, 0x8c, 0xda, 0xa5, 0x01, 0x65, 0x3a, 0x69, + 0x7b, 0x7f, 0xa5, 0xf0, 0x67, 0x74, 0xa7, 0x13, 0x1e, 0xf6, 0x5b, 0x3e, 0x4a, 0xf2, 0x15, 0xee, + 0xa3, 0x1b, 0xc2, 0x91, 0x25, 0xbf, 0x08, 0xd3, 0x6a, 0xdb, 0xfb, 0x1b, 0x45, 0xd9, 0x55, 0xe8, + 0xd4, 0x6f, 0xf9, 0xcb, 0xa2, 0x22, 0xd3, 0x2d, 0xf1, 0xc2, 0xc4, 0x70, 0xc5, 0x5b, 0xb4, 0xc4, + 0x27, 0x4e, 0xeb, 0xa2, 0x58, 0x78, 0x53, 0x5a, 0xe3, 0x14, 0xf5, 0x42, 0xc2, 0x43, 0x60, 0x41, + 0x92, 0x32, 0x16, 0x5c, 0x92, 0x26, 0x5b, 0xcc, 0xf7, 0x8b, 0x6b, 0x34, 0x26, 0x0d, 0xc9, 0xda, + 0x0a, 0x1b, 0x11, 0x78, 0x84, 0x36, 0x93, 0x54, 0x8e, 0x82, 0x8c, 0x8b, 0xc0, 0x15, 0x55, 0xb6, + 0x1d, 0xdb, 0x1d, 0x6d, 0x03, 0xb8, 0x5b, 0xba, 0x18, 0x39, 0x72, 0x7c, 0x3c, 0x74, 0xd8, 0x62, + 0xb7, 0x6e, 0x72, 0xa9, 0x16, 0x7f, 0x90, 0x35, 0xa4, 0x85, 0x4a, 0x5a, 0x0e, 0xec, 0x6f, 0xa5, + 0x23, 0xf9, 0x68, 0xad, 0x76, 0x0e, 0x77, 0x16, 0x2b, 0x2d, 0xdc, 0x6d, 0x57, 0x49, 0x6e, 0x36, + 0xeb, 0xca, 0x62, 0xfc, 0x39, 0x5a, 0x2a, 0x75, 0x39, 0xed, 0x6c, 0xa9, 0x12, 0x4b, 0xde, 0xde, + 0xdc, 0x15, 0x91, 0xd2, 0x1a, 0x7f, 0x8d, 0x56, 0x05, 0x24, 0x22, 0x0e, 0x35, 0x57, 0x22, 0x48, + 0x58, 0x3c, 0x31, 0xcd, 0xe3, 0x7a, 0x25, 0x22, 0x3f, 0x03, 0x3d, 0xcd, 0x31, 0x3a, 0x22, 0x31, + 0x2d, 0xd6, 0x75, 0x46, 0xf9, 0x19, 0x61, 0x54, 0x8f, 0x98, 0x80, 0x8e, 0xc9, 0x10, 0x82, 0x90, + 0x84, 0x23, 0xe8, 0x2c, 0x57, 0xea, 0xec, 0x38, 0x87, 0x1d, 0x6b, 0xd4, 0x81, 0x06, 0xe9, 0x62, + 0xa0, 0x35, 0x72, 0x4d, 0xa6, 0xa6, 0xe6, 0xeb, 0xc6, 0xd6, 0x8d, 0x0a, 0x99, 0x2e, 0xeb, 0xbe, + 0xf9, 0xec, 0xda, 0xa2, 0x8d, 0x88, 0xac, 0xff, 0xfe, 0xe9, 0xa1, 0x85, 0x72, 0x22, 0xf1, 0x18, + 0x75, 0x79, 0x1c, 0x41, 0x50, 0x24, 0x7f, 0x40, 0x19, 0x98, 0x39, 0x03, 0xb2, 0xe3, 0x6d, 0xcf, + 0xec, 0xb6, 0xf7, 0x3f, 0xac, 0xbd, 0x83, 0xbd, 0x97, 0x71, 0x04, 0x99, 0xe0, 0x88, 0x32, 0x38, + 0x35, 0x36, 0x87, 0x5c, 0x89, 0x89, 0xbf, 0xce, 0x6b, 0x95, 0x5d, 0x40, 0xb7, 0x1a, 
0xcc, 0xf0, + 0x32, 0x9a, 0xd1, 0xcf, 0x29, 0xcf, 0x3c, 0xa7, 0xf4, 0x5f, 0xfc, 0x10, 0xcd, 0x9e, 0x11, 0x96, + 0x16, 0x8f, 0x21, 0xf7, 0x76, 0xdb, 0x9b, 0x72, 0xe1, 0x5b, 0xe0, 0x67, 0x57, 0x3e, 0xf5, 0x7a, + 0x7f, 0x7b, 0x08, 0x4f, 0x8f, 0x43, 0x2c, 0xff, 0xc5, 0x61, 0x3f, 0x69, 0x98, 0xa7, 0xff, 0xe5, + 0x23, 0x3f, 0x42, 0x2b, 0x35, 0xe4, 0xc6, 0xf7, 0xd0, 0x52, 0x51, 0x0e, 0x01, 0x8d, 0xec, 0x31, + 0xe7, 0xfd, 0xc5, 0x42, 0x7a, 0x1c, 0xc9, 0xde, 0xcf, 0x1e, 0x5a, 0xad, 0xa3, 0x31, 0x3e, 0x44, + 0xc8, 0x52, 0xff, 0x2d, 0x4c, 0xb2, 0x14, 0xed, 0x34, 0x32, 0x7f, 0xcf, 0xfc, 0x7d, 0x06, 0x13, + 0x7f, 0x9e, 0xba, 0x7f, 0xb2, 0xfb, 0x02, 0x5d, 0xcb, 0xc4, 0xfa, 0x55, 0x6d, 0x5d, 0xd2, 0xc8, + 0x1d, 0x7b, 0xce, 0xac, 0x8f, 0x23, 0xbc, 0x83, 0xae, 0x5b, 0xd5, 0x40, 0x37, 0x5a, 0x4e, 0xc6, + 0x36, 0x09, 0xf3, 0xfe, 0xa2, 0x11, 0x1f, 0xa5, 0x8c, 0xbd, 0x24, 0x63, 0xd8, 0x3f, 0x41, 0x8b, + 0x76, 0xb8, 0x9d, 0xda, 0x0f, 0x34, 0xfc, 0x18, 0xb5, 0xf5, 0x80, 0x4d, 0x39, 0x0d, 0xf5, 0x83, + 0xb0, 0x18, 0xa6, 0x17, 0x1e, 0xf4, 0xdd, 0xd5, 0xb2, 0x3c, 0x7b, 0x70, 0xec, 0x7a, 0x0f, 0xbd, + 0x27, 0x1b, 0xbf, 0xbc, 0xdb, 0xf2, 0x7e, 0x7d, 0xb7, 0xe5, 0xfd, 0xf6, 0x6e, 0xcb, 0xfb, 0xe9, + 0x8f, 0xad, 0xd6, 0xb7, 0xd9, 0xd7, 0xde, 0x9b, 0xab, 0xe6, 0xf3, 0xe0, 0xa3, 0x7f, 0x02, 0x00, + 0x00, 0xff, 0xff, 0xad, 0x38, 0xed, 0x01, 0x2a, 0x0e, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. 
@@ -1605,6 +1656,27 @@ func (m *MsgFromSensor_AuditLogStatusInfo) MarshalToSizedBuffer(dAtA []byte) (in } return len(dAtA) - i, nil } +func (m *MsgFromSensor_IssueLocalScannerCertsRequest) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *MsgFromSensor_IssueLocalScannerCertsRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + if m.IssueLocalScannerCertsRequest != nil { + { + size, err := m.IssueLocalScannerCertsRequest.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintSensorIservice(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x62 + } + return len(dAtA) - i, nil +} func (m *ReassessPolicies) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -2006,6 +2078,29 @@ func (m *MsgToSensor_InvalidateImageCache) MarshalToSizedBuffer(dAtA []byte) (in } return len(dAtA) - i, nil } +func (m *MsgToSensor_IssueLocalScannerCertsResponse) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *MsgToSensor_IssueLocalScannerCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + if m.IssueLocalScannerCertsResponse != nil { + { + size, err := m.IssueLocalScannerCertsResponse.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintSensorIservice(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x8a + } + return len(dAtA) - i, nil +} func (m *AuditLogSync) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) 
@@ -2372,6 +2467,18 @@ func (m *MsgFromSensor_AuditLogStatusInfo) Size() (n int) { } return n } +func (m *MsgFromSensor_IssueLocalScannerCertsRequest) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.IssueLocalScannerCertsRequest != nil { + l = m.IssueLocalScannerCertsRequest.Size() + n += 1 + l + sovSensorIservice(uint64(l)) + } + return n +} func (m *ReassessPolicies) Size() (n int) { if m == nil { return 0 @@ -2591,6 +2698,18 @@ func (m *MsgToSensor_InvalidateImageCache) Size() (n int) { } return n } +func (m *MsgToSensor_IssueLocalScannerCertsResponse) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.IssueLocalScannerCertsResponse != nil { + l = m.IssueLocalScannerCertsResponse.Size() + n += 2 + l + sovSensorIservice(uint64(l)) + } + return n +} func (m *AuditLogSync) Size() (n int) { if m == nil { return 0 @@ -3111,6 +3230,41 @@ func (m *MsgFromSensor) Unmarshal(dAtA []byte) error { } m.Msg = &MsgFromSensor_AuditLogStatusInfo{v} iNdEx = postIndex + case 12: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IssueLocalScannerCertsRequest", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowSensorIservice + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthSensorIservice + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthSensorIservice + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + v := &IssueLocalScannerCertsRequest{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + m.Msg = &MsgFromSensor_IssueLocalScannerCertsRequest{v} + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipSensorIservice(dAtA[iNdEx:]) 
@@ -3773,6 +3927,41 @@ func (m *MsgToSensor) Unmarshal(dAtA []byte) error { } m.Msg = &MsgToSensor_InvalidateImageCache{v} iNdEx = postIndex + case 17: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field IssueLocalScannerCertsResponse", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowSensorIservice + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthSensorIservice + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthSensorIservice + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + v := &IssueLocalScannerCertsResponse{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + m.Msg = &MsgToSensor_IssueLocalScannerCertsResponse{v} + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipSensorIservice(dAtA[iNdEx:]) diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index 3663cc608c8e7..37bad2a335ab0 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto @@ -7,13 +7,13 @@ import "storage/service_identity.proto"; package central; message LocalScannerCertificates { - bytes ca = 1; - bytes cert = 2; - bytes key = 3; + bytes ca = 1; + bytes cert = 2; + bytes key = 3; } message IssueLocalScannerCertsRequest { - string namespace = 1; + string namespace = 1; } message IssueLocalScannerCertsResponse { @@ -21,6 +21,3 @@ message IssueLocalScannerCertsResponse { LocalScannerCertificates scanner_db_certs = 2; } -service LocalScannerService { - rpc IssueLocalScannerCerts(IssueLocalScannerCertsRequest) returns (IssueLocalScannerCertsResponse); -} 
diff --git a/proto/internalapi/central/sensor_iservice.proto b/proto/internalapi/central/sensor_iservice.proto
index 2dd96176af088..fe9d2a2c53410 100644
--- a/proto/internalapi/central/sensor_iservice.proto
+++ b/proto/internalapi/central/sensor_iservice.proto
@@ -12,6 +12,7 @@ import "internalapi/central/telemetry.proto";
 import "internalapi/central/baseline_sync.proto";
 import "internalapi/central/hello.proto";
 import "internalapi/central/network_baseline_sync.proto";
+import "internalapi/central/local_scanner.proto";
 import "storage/cluster.proto";

 package central;
@@ -29,6 +30,7 @@ message MsgFromSensor {
 RawClusterHealthInfo cluster_health_info = 9;
 SensorHello hello = 10;
 AuditLogStatusInfo audit_log_status_info = 11;
+ IssueLocalScannerCertsRequest issue_local_scanner_certs_request = 12;
 }
 }

@@ -52,6 +54,7 @@ message MsgToSensor {
 AuditLogSync audit_log_sync = 14;
 ReprocessDeployment reprocess_deployment = 15;
 InvalidateImageCache invalidate_image_cache = 16;
+ IssueLocalScannerCertsResponse issue_local_scanner_certs_response = 17;
 }
 }

From 2057450cdfa8d7bfd140f4006dbb7010f4901956 Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Wed, 12 Jan 2022 09:28:41 +0100
Subject: [PATCH 13/45] fix checkstyle
---
central/main.go | 2 --
1 file changed, 2 deletions(-)
diff --git a/central/main.go b/central/main.go
index ba3c72a1ada8b..aaebf0246b1c0 100644
--- a/central/main.go
+++ b/central/main.go
@@ -67,7 +67,6 @@ import (
 "github.com/stackrox/rox/central/jwt"
 licenseService "github.com/stackrox/rox/central/license/service"
 licenseSingletons "github.com/stackrox/rox/central/license/singleton"
- "github.com/stackrox/rox/central/localscanner"
 logimbueHandler "github.com/stackrox/rox/central/logimbue/handler"
 logimbueStore "github.com/stackrox/rox/central/logimbue/store"
 metadataService "github.com/stackrox/rox/central/metadata/service"
@@ -313,7 +312,6 @@ func servicesToRegister(registry authproviders.Registry, authzTraceSink observe.
 imageService.Singleton(),
 iiService.Singleton(),
 licenseService.New(false, licenseSingletons.ManagerSingleton()),
- localscanner.New(clusterDataStore.Singleton()),
 integrationHealthService.Singleton(),
 metadataService.New(),
 mitreService.Singleton(),
From 1e09c1fa6cbffce5ec45e37d428286923f747740 Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Thu, 13 Jan 2022 10:31:19 +0100
Subject: [PATCH 14/45] fix typo and error message
---
central/localscanner/certificates.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/central/localscanner/certificates.go b/central/localscanner/certificates.go
index 2b6a62a10d6b9..a7f613d66619d 100644
--- a/central/localscanner/certificates.go
+++ b/central/localscanner/certificates.go
@@ -12,7 +12,7 @@ import (
 // secretDataMap represents data stored as part of a secret.
 type secretDataMap = map[string][]byte

-// IssueLocalScannerCerts issue certificates for Local scaner.
+// IssueLocalScannerCerts issue certificates for a local scanner running in secured clusters.
 func IssueLocalScannerCerts(namespace string, clusterID string) (*central.IssueLocalScannerCertsResponse, error) {
 if namespace == "" {
 return nil, errors.New("namespace is required to issue the certificates for the local scanner")
@@ -40,7 +40,7 @@ func IssueLocalScannerCerts(namespace string, clusterID string) (*central.IssueL
 func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (*central.LocalScannerCertificates, error) {
 certificates, err := generateServiceCertMap(serviceType, namespace, clusterID)
 if err != nil {
- return nil, errors.Wrapf(err, "error generating certificate for service %s", serviceType)
+ return nil, errors.Wrapf(err, "generating certificate for service %s", serviceType)
 }

 return ¢ral.LocalScannerCertificates{
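Review bot: The rewritten doc comment in the first hunk of this patch still has a number-agreement slip, `// IssueLocalScannerCerts issue certificates ...` should read `issues`, and since the function's error cases are the part of its contract a caller most needs, it is worth naming them: `// IssueLocalScannerCerts issues the certificates for a local scanner running in a secured cluster; it returns an error when namespace is empty.` The same comment line is touched again by the certificates.go hunk of PATCH 17 later in this series, so the wording fix belongs there as well. IssueLocalScannerCerts continues past the end of the hunk, so any further validation it performs is not visible here and the comment should only claim what the function actually checks.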
From bbde9a351add5e71b94af3462027074ff6fadcfa Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Thu, 13 Jan 2022 10:32:25 +0100
Subject: [PATCH 15/45] protect IssueLocalScannerCerts with feature flag LocalImageScanning
---
central/localscanner/certificates.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/central/localscanner/certificates.go b/central/localscanner/certificates.go
index a7f613d66619d..eddb7f1838f27 100644
--- a/central/localscanner/certificates.go
+++ b/central/localscanner/certificates.go
@@ -6,14 +6,22 @@ import (
 "github.com/stackrox/rox/generated/internalapi/central"
 "github.com/stackrox/rox/generated/storage"
 "github.com/stackrox/rox/pkg/certgen"
+ "github.com/stackrox/rox/pkg/features"
 "github.com/stackrox/rox/pkg/mtls"
 )

+var (
+ featureFlag = features.LocalImageScanning
+)
+
 // secretDataMap represents data stored as part of a secret.
 type secretDataMap = map[string][]byte

 // IssueLocalScannerCerts issue certificates for a local scanner running in secured clusters.
 func IssueLocalScannerCerts(namespace string, clusterID string) (*central.IssueLocalScannerCertsResponse, error) {
+ if !featureFlag.Enabled() {
+ return nil, errors.Errorf("feature '%s' is disabled", featureFlag.Name())
+ }
 if namespace == "" {
 return nil, errors.New("namespace is required to issue the certificates for the local scanner")
 }
From c3c97b3cefdc4db263abf117c5b7aba59a696832 Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Thu, 13 Jan 2022 11:48:58 +0100
Subject: [PATCH 16/45] enable IssueLocalScannerCerts feature flag for tests
---
central/localscanner/certificates_test.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go
index db49481cfa0d6..5668e410f6b00 100644
--- a/central/localscanner/certificates_test.go
+++ b/central/localscanner/certificates_test.go
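Review bot: The package-level `featureFlag` added in the new `var` block is named for what it is rather than for what it gates, so the guard at the top of IssueLocalScannerCerts reads as if any flag could be involved; `localImageScanningFlag = features.LocalImageScanning`, or simply `features.LocalImageScanning.Enabled()` at the call site, would make the intent visible where it is checked. The error produced when the flag is off is a plain formatted error, indistinguishable to callers from the validation failures that follow it, so the sensor-facing code presumably cannot treat "feature disabled" differently from "bad request"; a sentinel such as `var errLocalImageScanningDisabled = errors.New("local image scanning is disabled")` that callers can compare against would keep that distinction available without changing the message. IssueLocalScannerCerts continues past the end of the hunk.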
@@ -40,6 +40,7 @@ func (s *localScannerSuite) TearDownTest() {
 func (s *localScannerSuite) SetupTest() {
 err := testutilsMTLS.LoadTestMTLSCerts(s.envIsolator)
 s.Require().NoError(err)
+ s.envIsolator.Setenv(featureFlag.EnvVar(), "true")
 }

 func (s *localScannerSuite) TestCertMapContainsExpectedFiles() {
From 6951eb8a2a1b72b272864e2189d851a3fe5035e3 Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Thu, 13 Jan 2022 15:43:05 +0100
Subject: [PATCH 17/45] Return a failure message on local certificate issue error
---
central/localscanner/certificates.go | 4 +-
central/localscanner/certificates_test.go | 6 +-
.../service/connection/connection_impl.go | 25 +-
.../internalapi/central/local_scanner.pb.go | 678 ++++++++++++++++--
proto/internalapi/central/local_scanner.proto | 15 +-
5 files changed, 659 insertions(+), 69 deletions(-)
diff --git a/central/localscanner/certificates.go b/central/localscanner/certificates.go
index eddb7f1838f27..531e3692743ef 100644
--- a/central/localscanner/certificates.go
+++ b/central/localscanner/certificates.go
@@ -18,7 +18,7 @@ var (
 type secretDataMap = map[string][]byte

 // IssueLocalScannerCerts issue certificates for a local scanner running in secured clusters.
-func IssueLocalScannerCerts(namespace string, clusterID string) (*central.IssueLocalScannerCertsResponse, error) {
+func IssueLocalScannerCerts(namespace string, clusterID string) (*central.LocalScannerCertificateSet, error) {
 if !featureFlag.Enabled() {
 return nil, errors.Errorf("feature '%s' is disabled", featureFlag.Name())
 }
@@ -39,7 +39,7 @@ func IssueLocalScannerCerts(namespace string, clusterID string) (*central.IssueL
 return nil, certIssueError
 }

- return ¢ral.IssueLocalScannerCertsResponse{
+ return ¢ral.LocalScannerCertificateSet{
 ScannerCerts: scannerCertificates,
 ScannerDbCerts: scannerDBCertificates,
 }, nil
diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go
index 5668e410f6b00..f4ab5b0bee10b 100644
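Review bot: SetupTest now switches the feature flag on for every test in the suite, but nothing in this hunk exercises the disabled path that PATCH 15 introduced, so the guard itself is never pinned by a test; a case that leaves the variable unset (or sets it to `"false"`) for one sub-test and asserts `s.Require().Error(err)` from IssueLocalScannerCerts would cover it. Whether `Enabled()` re-reads the environment on each call or caches the value at init time is not visible here; if it caches, `s.envIsolator.Setenv(featureFlag.EnvVar(), "true")` in SetupTest would have no effect and the suite would pass only because the default happens to be on, which is worth confirming against the features package. A short comment on the new line saying why the flag is set here, e.g. `// IssueLocalScannerCerts refuses to issue certificates unless the feature is enabled`, would save the next reader a trip to certificates.go.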
--- a/central/localscanner/certificates_test.go
+++ b/central/localscanner/certificates_test.go
@@ -128,15 +128,15 @@ func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() {
 }
 for tcName, tc := range testCases {
 s.Run(tcName, func() {
- resp, err := IssueLocalScannerCerts(tc.namespace, clusterID)
+ certs, err := IssueLocalScannerCerts(tc.namespace, clusterID)
 if tc.shouldFail {
 s.Require().Error(err)
 return
 }
 s.Require().NoError(err)
 for _, certs := range []*central.LocalScannerCertificates{
- resp.GetScannerCerts(),
- resp.GetScannerDbCerts(),
+ certs.GetScannerCerts(),
+ certs.GetScannerDbCerts(),
 } {
 s.Require().NotNil(certs)
 s.Assert().NotEmpty(certs.GetCa())
diff --git a/central/sensor/service/connection/connection_impl.go b/central/sensor/service/connection/connection_impl.go
index 9c24e30d0922a..1865e05fc57a3 100644
--- a/central/sensor/service/connection/connection_impl.go
+++ b/central/sensor/service/connection/connection_impl.go
@@ -2,6 +2,7 @@ package connection

 import (
 "context"
+ "fmt"

 "github.com/pkg/errors"
 "github.com/stackrox/rox/central/localscanner"
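Review bot: Renaming the result of IssueLocalScannerCerts to `certs` makes the range clause a few lines below shadow it — `for _, certs := range []*central.LocalScannerCertificates{ certs.GetScannerCerts(), ... }` reads the outer `certs` in the range expression and the inner one in the loop body, which compiles but is easy to misread when the assertions on `certs.GetCa()` are scanned. Naming the outer value for what the new return type is, `certSet, err := IssueLocalScannerCerts(tc.namespace, clusterID)` with `certSet.GetScannerCerts(), certSet.GetScannerDbCerts(),` in the slice literal, keeps the two variables distinct. TestServiceIssueLocalScannerCerts starts before the hunk and ends after it.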
@@ -239,14 +240,28 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr

 func (c *sensorConnection) processIssueLocalScannerCertsRequest(ctx context.Context, request *central.IssueLocalScannerCertsRequest) error {
 namespace := request.GetNamespace()
- certs, err := localscanner.IssueLocalScannerCerts(namespace, c.clusterID)
- errMsgTemplate := "Error issuing local Scanner certificates for cluster with ID %s and namespace %s"
+ certificates, err := localscanner.IssueLocalScannerCerts(namespace, c.clusterID)
+ errMsg := fmt.Sprintf("issuing local Scanner certificates for cluster with ID %s and namespace %s",
+ c.clusterID, namespace)
+ response := ¢ral.IssueLocalScannerCertsResponse{
+ Response: ¢ral.IssueLocalScannerCertsResponse_Certificates{
+ Certificates: certificates,
+ },
+ }
 if err != nil {
- return errors.Wrapf(err, errMsgTemplate, c.clusterID, namespace)
+ response = ¢ral.IssueLocalScannerCertsResponse{
+ Response: ¢ral.IssueLocalScannerCertsResponse_Error{
+ Error: ¢ral.LocalScannerCertsIssueError{
+ Message: fmt.Sprintf("%s: %s", errMsg, err.Error()),
+ },
+ },
+ }
 }
- err = c.InjectMessage(ctx, ¢ral.MsgToSensor{Msg: ¢ral.MsgToSensor_IssueLocalScannerCertsResponse{IssueLocalScannerCertsResponse: certs}})
+ err = c.InjectMessage(ctx, ¢ral.MsgToSensor{
+ Msg: ¢ral.MsgToSensor_IssueLocalScannerCertsResponse{IssueLocalScannerCertsResponse: response},
+ })
 if err != nil {
- return errors.Wrapf(err, errMsgTemplate, c.clusterID, namespace)
+ return errors.Wrap(err, errMsg)
 }
 return nil
 }
diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go
index 995314c2a3ec8..aeff0122461a0 100644
--- a/generated/internalapi/central/local_scanner.pb.go
+++ b/generated/internalapi/central/local_scanner.pb.go
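Review bot: The wrap on the InjectMessage failure, `return errors.Wrap(err, errMsg)`, reuses the certificate-issuance message, so a failure to deliver the response will surface as an issuance problem; `return errors.Wrapf(err, "sending local Scanner certificates response to cluster with ID %s", c.clusterID)` says what this layer was actually doing. A failure from IssueLocalScannerCerts is now folded into the response and the function returns nil, so unless something further along the path records it, Central's own logs will not show that issuance for this cluster failed — a log line where the error response is built keeps the event visible on the Central side, and `err.Error()` being forwarded verbatim to the sensor deserves a short comment since it carries Central-internal detail (acceptable for a mutually authenticated peer, but a deliberate choice). `response` is also built eagerly with `certificates` and then replaced in the error branch; constructing it in an if/else makes the two outcomes explicit and drops the throwaway allocation. processIssueLocalScannerCertsRequest is complete within the hunk.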
@@ -111,6 +111,136 @@ func (m *LocalScannerCertificates) Clone() *LocalScannerCertificates { return cloned } +type LocalScannerCertificateSet struct { + ScannerCerts *LocalScannerCertificates `protobuf:"bytes,1,opt,name=scanner_certs,json=scannerCerts,proto3" json:"scanner_certs,omitempty"` + ScannerDbCerts *LocalScannerCertificates `protobuf:"bytes,2,opt,name=scanner_db_certs,json=scannerDbCerts,proto3" json:"scanner_db_certs,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *LocalScannerCertificateSet) Reset() { *m = LocalScannerCertificateSet{} } +func (m *LocalScannerCertificateSet) String() string { return proto.CompactTextString(m) } +func (*LocalScannerCertificateSet) ProtoMessage() {} +func (*LocalScannerCertificateSet) Descriptor() ([]byte, []int) { + return fileDescriptor_856923c76f63cf0a, []int{1} +} +func (m *LocalScannerCertificateSet) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *LocalScannerCertificateSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_LocalScannerCertificateSet.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *LocalScannerCertificateSet) XXX_Merge(src proto.Message) { + xxx_messageInfo_LocalScannerCertificateSet.Merge(m, src) +} +func (m *LocalScannerCertificateSet) XXX_Size() int { + return m.Size() +} +func (m *LocalScannerCertificateSet) XXX_DiscardUnknown() { + xxx_messageInfo_LocalScannerCertificateSet.DiscardUnknown(m) +} + +var xxx_messageInfo_LocalScannerCertificateSet proto.InternalMessageInfo + +func (m *LocalScannerCertificateSet) GetScannerCerts() *LocalScannerCertificates { + if m != nil { + return m.ScannerCerts + } + return nil +} + +func (m *LocalScannerCertificateSet) GetScannerDbCerts() *LocalScannerCertificates { + if m != nil 
{ + return m.ScannerDbCerts + } + return nil +} + +func (m *LocalScannerCertificateSet) MessageClone() proto.Message { + return m.Clone() +} +func (m *LocalScannerCertificateSet) Clone() *LocalScannerCertificateSet { + if m == nil { + return nil + } + cloned := new(LocalScannerCertificateSet) + *cloned = *m + + cloned.ScannerCerts = m.ScannerCerts.Clone() + cloned.ScannerDbCerts = m.ScannerDbCerts.Clone() + return cloned +} + +type LocalScannerCertsIssueError struct { + Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *LocalScannerCertsIssueError) Reset() { *m = LocalScannerCertsIssueError{} } +func (m *LocalScannerCertsIssueError) String() string { return proto.CompactTextString(m) } +func (*LocalScannerCertsIssueError) ProtoMessage() {} +func (*LocalScannerCertsIssueError) Descriptor() ([]byte, []int) { + return fileDescriptor_856923c76f63cf0a, []int{2} +} +func (m *LocalScannerCertsIssueError) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *LocalScannerCertsIssueError) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_LocalScannerCertsIssueError.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *LocalScannerCertsIssueError) XXX_Merge(src proto.Message) { + xxx_messageInfo_LocalScannerCertsIssueError.Merge(m, src) +} +func (m *LocalScannerCertsIssueError) XXX_Size() int { + return m.Size() +} +func (m *LocalScannerCertsIssueError) XXX_DiscardUnknown() { + xxx_messageInfo_LocalScannerCertsIssueError.DiscardUnknown(m) +} + +var xxx_messageInfo_LocalScannerCertsIssueError proto.InternalMessageInfo + +func (m *LocalScannerCertsIssueError) GetMessage() string { + if m != nil { + return m.Message + } + return "" +} 
+ +func (m *LocalScannerCertsIssueError) MessageClone() proto.Message { + return m.Clone() +} +func (m *LocalScannerCertsIssueError) Clone() *LocalScannerCertsIssueError { + if m == nil { + return nil + } + cloned := new(LocalScannerCertsIssueError) + *cloned = *m + + return cloned +} + type IssueLocalScannerCertsRequest struct { Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -122,7 +252,7 @@ func (m *IssueLocalScannerCertsRequest) Reset() { *m = IssueLocalScanner func (m *IssueLocalScannerCertsRequest) String() string { return proto.CompactTextString(m) } func (*IssueLocalScannerCertsRequest) ProtoMessage() {} func (*IssueLocalScannerCertsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_856923c76f63cf0a, []int{1} + return fileDescriptor_856923c76f63cf0a, []int{3} } func (m *IssueLocalScannerCertsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -172,18 +302,20 @@ func (m *IssueLocalScannerCertsRequest) Clone() *IssueLocalScannerCertsRequest { } type IssueLocalScannerCertsResponse struct { - ScannerCerts *LocalScannerCertificates `protobuf:"bytes,1,opt,name=scanner_certs,json=scannerCerts,proto3" json:"scanner_certs,omitempty"` - ScannerDbCerts *LocalScannerCertificates `protobuf:"bytes,2,opt,name=scanner_db_certs,json=scannerDbCerts,proto3" json:"scanner_db_certs,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` + // Types that are valid to be assigned to Response: + // *IssueLocalScannerCertsResponse_Certificates + // *IssueLocalScannerCertsResponse_Error + Response isIssueLocalScannerCertsResponse_Response `protobuf_oneof:"response"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` } func (m *IssueLocalScannerCertsResponse) Reset() { *m = IssueLocalScannerCertsResponse{} } func (m *IssueLocalScannerCertsResponse) String() string { return proto.CompactTextString(m) } func (*IssueLocalScannerCertsResponse) ProtoMessage() {} func (*IssueLocalScannerCertsResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_856923c76f63cf0a, []int{2} + return fileDescriptor_856923c76f63cf0a, []int{4} } func (m *IssueLocalScannerCertsResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -212,20 +344,72 @@ func (m *IssueLocalScannerCertsResponse) XXX_DiscardUnknown() { var xxx_messageInfo_IssueLocalScannerCertsResponse proto.InternalMessageInfo -func (m *IssueLocalScannerCertsResponse) GetScannerCerts() *LocalScannerCertificates { +type isIssueLocalScannerCertsResponse_Response interface { + isIssueLocalScannerCertsResponse_Response() + MarshalTo([]byte) (int, error) + Size() int + Clone() isIssueLocalScannerCertsResponse_Response +} + +type IssueLocalScannerCertsResponse_Certificates struct { + Certificates *LocalScannerCertificateSet `protobuf:"bytes,1,opt,name=certificates,proto3,oneof" json:"certificates,omitempty"` +} +type IssueLocalScannerCertsResponse_Error struct { + Error *LocalScannerCertsIssueError `protobuf:"bytes,2,opt,name=error,proto3,oneof" json:"error,omitempty"` +} + +func (*IssueLocalScannerCertsResponse_Certificates) isIssueLocalScannerCertsResponse_Response() {} +func (m *IssueLocalScannerCertsResponse_Certificates) Clone() isIssueLocalScannerCertsResponse_Response { + if m == nil { + return nil + } + cloned := new(IssueLocalScannerCertsResponse_Certificates) + *cloned = *m + + cloned.Certificates = m.Certificates.Clone() + return cloned +} +func (*IssueLocalScannerCertsResponse_Error) isIssueLocalScannerCertsResponse_Response() {} +func (m *IssueLocalScannerCertsResponse_Error) Clone() isIssueLocalScannerCertsResponse_Response { + if m == nil { + return nil + } + cloned := new(IssueLocalScannerCertsResponse_Error) + *cloned = *m + + cloned.Error = m.Error.Clone() + return cloned +} + +func (m *IssueLocalScannerCertsResponse) GetResponse() isIssueLocalScannerCertsResponse_Response { if m != nil { - return m.ScannerCerts + return m.Response } return nil } -func (m *IssueLocalScannerCertsResponse) GetScannerDbCerts() *LocalScannerCertificates { - if m != nil { - return m.ScannerDbCerts +func (m *IssueLocalScannerCertsResponse) GetCertificates() *LocalScannerCertificateSet { + if x, ok := 
m.GetResponse().(*IssueLocalScannerCertsResponse_Certificates); ok { + return x.Certificates } return nil } +func (m *IssueLocalScannerCertsResponse) GetError() *LocalScannerCertsIssueError { + if x, ok := m.GetResponse().(*IssueLocalScannerCertsResponse_Error); ok { + return x.Error + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*IssueLocalScannerCertsResponse) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*IssueLocalScannerCertsResponse_Certificates)(nil), + (*IssueLocalScannerCertsResponse_Error)(nil), + } +} + func (m *IssueLocalScannerCertsResponse) MessageClone() proto.Message { return m.Clone() } @@ -236,13 +420,16 @@ func (m *IssueLocalScannerCertsResponse) Clone() *IssueLocalScannerCertsResponse cloned := new(IssueLocalScannerCertsResponse) *cloned = *m - cloned.ScannerCerts = m.ScannerCerts.Clone() - cloned.ScannerDbCerts = m.ScannerDbCerts.Clone() + if m.Response != nil { + cloned.Response = m.Response.Clone() + } return cloned } func init() { proto.RegisterType((*LocalScannerCertificates)(nil), "central.LocalScannerCertificates") + proto.RegisterType((*LocalScannerCertificateSet)(nil), "central.LocalScannerCertificateSet") + proto.RegisterType((*LocalScannerCertsIssueError)(nil), "central.LocalScannerCertsIssueError") proto.RegisterType((*IssueLocalScannerCertsRequest)(nil), "central.IssueLocalScannerCertsRequest") proto.RegisterType((*IssueLocalScannerCertsResponse)(nil), "central.IssueLocalScannerCertsResponse") } 
@@ -252,25 +439,30 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 282 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x91, 0xc1, 0x4a, 0xc4, 0x30, - 0x10, 0x86, 0x4d, 0x57, 0x94, 0x8d, 0xeb, 0xb2, 0xe4, 0x54, 0x45, 0x83, 0xee, 0x45, 0x4f, 0x2d, - 0xe8, 0xd9, 0x8b, 0x8a, 0x20, 0x7a, 0x90, 0x7a, 0xf3, 0x52, 0xa6, 0xd9, 0x51, 0x82, 0x35, 0xad, - 0x99, 0x59, 0x61, 0xdf, 0xc4, 0x17, 0xf1, 0x1d, 0x3c, 0xfa, 0x08, 0x52, 0x5f, 0x44, 0x9a, 0xed, - 0xa2, 0x08, 0x0b, 0xde, 0x86, 0x3f, 0xf9, 0x3e, 0xf2, 0x67, 0xe4, 0x81, 0x75, 0x8c, 0xde, 0x41, - 0x09, 0xb5, 0x4d, 0x0d, 0x3a, 0xf6, 0x50, 0xa6, 0x65, 0x65, 0xa0, 0xcc, 0xc9, 0x80, 0x73, 0xe8, - 0x93, 0xda, 0x57, 0x5c, 0xa9, 0xf5, 0xee, 0x70, 0x5b, 0x13, 0x57, 0x1e, 0x1e, 0x30, 0x25, 0xf4, - 0x2f, 0xd6, 0x60, 0x6e, 0x27, 0xe8, 0xd8, 0xf2, 0x6c, 0x7e, 0x71, 0x7c, 0x23, 0xe3, 0xeb, 0x96, - 0xbf, 0x9d, 0xe3, 0x67, 0xe8, 0xd9, 0xde, 0x5b, 0x03, 0x8c, 0xa4, 0x86, 0x32, 0x32, 0x10, 0x8b, - 0x3d, 0x71, 0x38, 0xc8, 0x22, 0x03, 0x4a, 0xc9, 0x55, 0x83, 0x9e, 0xe3, 0x28, 0x24, 0x61, 0x56, - 0x23, 0xd9, 0x7b, 0xc4, 0x59, 0xdc, 0x0b, 0x51, 0x3b, 0x8e, 0x4f, 0xe4, 0xee, 0x25, 0xd1, 0x14, - 0xff, 0x6a, 0x29, 0xc3, 0xe7, 0x29, 0x12, 0xab, 0x1d, 0xd9, 0x77, 0xf0, 0x84, 0x54, 0x83, 0xc1, - 0x60, 0xef, 0x67, 0x3f, 0xc1, 0xf8, 0x4d, 0x48, 0xbd, 0x8c, 0xa7, 0xba, 0x72, 0x84, 0xea, 0x42, - 0x6e, 0x76, 0x6d, 0xf3, 0xf6, 0x0d, 0x14, 0x24, 0x1b, 0x47, 0xfb, 0x49, 0x57, 0x3a, 0x59, 0xd6, - 0x28, 0x1b, 0xd0, 0x2f, 0x9f, 0xba, 0x92, 0xa3, 0x85, 0x67, 0x52, 0x74, 0xaa, 0xe8, 0xbf, 0xaa, - 0x61, 0x87, 0x9e, 0x17, 0x41, 0x76, 0xba, 0xf5, 0xde, 0x68, 0xf1, 0xd1, 0x68, 0xf1, 0xd9, 0x68, - 0xf1, 0xfa, 0xa5, 0x57, 0xee, 0x16, 0x3b, 0x28, 0xd6, 0xc2, 0x57, 0x1f, 0x7f, 0x07, 0x00, 0x00, - 0xff, 0xff, 0xf1, 0xa2, 0x6a, 0x5a, 0xbe, 0x01, 0x00, 0x00, + // 363 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xcf, 0x4e, 0xea, 
0x40, + 0x14, 0xc6, 0x69, 0xb9, 0xf7, 0x72, 0x39, 0x97, 0x4b, 0xc8, 0xac, 0x7a, 0xb9, 0xda, 0x68, 0x35, + 0xd1, 0x15, 0x24, 0xba, 0x70, 0xa3, 0x1b, 0xfc, 0x13, 0x88, 0x2e, 0x4c, 0xd9, 0xb9, 0x21, 0xc3, + 0x70, 0x24, 0x8d, 0x65, 0x5a, 0xe7, 0x0c, 0x26, 0xbc, 0x89, 0xaf, 0xe1, 0xc2, 0x77, 0x70, 0xe9, + 0x23, 0x18, 0x7c, 0x11, 0xd3, 0x61, 0x1a, 0x50, 0xd3, 0xe8, 0x6e, 0xfa, 0xf5, 0xfc, 0x7e, 0xf9, + 0xce, 0x64, 0x60, 0x27, 0x92, 0x1a, 0x95, 0xe4, 0x31, 0x4f, 0xa3, 0xb6, 0x40, 0xa9, 0x15, 0x8f, + 0xdb, 0x71, 0x22, 0x78, 0x3c, 0x20, 0xc1, 0xa5, 0x44, 0xd5, 0x4a, 0x55, 0xa2, 0x13, 0x56, 0xb1, + 0x3f, 0x9b, 0x3e, 0xe9, 0x44, 0xf1, 0x31, 0xb6, 0x09, 0xd5, 0x5d, 0x24, 0x70, 0x10, 0x8d, 0x50, + 0xea, 0x48, 0xcf, 0x16, 0x83, 0xc1, 0x25, 0x78, 0x17, 0x19, 0xdf, 0x5f, 0xe0, 0xc7, 0xa8, 0x74, + 0x74, 0x1d, 0x09, 0xae, 0x91, 0x58, 0x1d, 0x5c, 0xc1, 0x3d, 0x67, 0xc3, 0xd9, 0xad, 0x85, 0xae, + 0xe0, 0x8c, 0xc1, 0x0f, 0x81, 0x4a, 0x7b, 0xae, 0x49, 0xcc, 0x99, 0x35, 0xa0, 0x7c, 0x83, 0x33, + 0xaf, 0x6c, 0xa2, 0xec, 0x18, 0x3c, 0x38, 0xd0, 0x2c, 0x50, 0xf6, 0x51, 0xb3, 0x33, 0xf8, 0x6b, + 0xab, 0x0e, 0x32, 0x01, 0x19, 0xff, 0x9f, 0xbd, 0xcd, 0x96, 0x6d, 0xdc, 0x2a, 0xaa, 0x13, 0xd6, + 0x68, 0x19, 0x12, 0x3b, 0x87, 0x46, 0xee, 0x19, 0x0d, 0xad, 0xca, 0xfd, 0xae, 0xaa, 0x6e, 0xd1, + 0x93, 0xa1, 0x91, 0x05, 0x07, 0xf0, 0xff, 0xe3, 0x2c, 0xf5, 0x88, 0xa6, 0x78, 0xaa, 0x54, 0xa2, + 0x98, 0x07, 0x95, 0x09, 0x12, 0xf1, 0x31, 0x9a, 0xb6, 0xd5, 0x30, 0xff, 0x0c, 0x8e, 0x60, 0xdd, + 0xcc, 0x7d, 0xa2, 0x43, 0xbc, 0x9d, 0x22, 0x69, 0xb6, 0x06, 0x55, 0xc9, 0x27, 0x48, 0x29, 0x17, + 0x39, 0xbc, 0x0c, 0x82, 0x47, 0x07, 0xfc, 0x22, 0x9e, 0xd2, 0x44, 0x12, 0xb2, 0x1e, 0xd4, 0xc4, + 0x4a, 0x75, 0x7b, 0x5d, 0x5b, 0x5f, 0xed, 0xd8, 0x47, 0xdd, 0x2d, 0x85, 0xef, 0x50, 0x76, 0x08, + 0x3f, 0x31, 0xdb, 0xc7, 0xde, 0xd3, 0x76, 0xa1, 0x63, 0x65, 0xf7, 0x6e, 0x29, 0x5c, 0x40, 0x1d, + 0x80, 0xdf, 0xca, 0x96, 0xea, 0xfc, 0x7b, 0x9a, 0xfb, 0xce, 0xf3, 0xdc, 0x77, 0x5e, 0xe6, 0xbe, + 0x73, 0xff, 0xea, 0x97, 0xae, 
0xf2, 0x07, 0x37, 0xfc, 0x65, 0xde, 0xd5, 0xfe, 0x5b, 0x00, 0x00, + 0x00, 0xff, 0xff, 0xb8, 0x4a, 0x6b, 0x5d, 0xab, 0x02, 0x00, 0x00, } func (m *LocalScannerCertificates) Marshal() (dAtA []byte, err error) { 
@@ -321,6 +513,91 @@ func (m *LocalScannerCertificates) MarshalToSizedBuffer(dAtA []byte) (int, error return len(dAtA) - i, nil } +func (m *LocalScannerCertificateSet) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *LocalScannerCertificateSet) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *LocalScannerCertificateSet) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.ScannerDbCerts != nil { + { + size, err := m.ScannerDbCerts.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintLocalScanner(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + if m.ScannerCerts != nil { + { + size, err := m.ScannerCerts.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintLocalScanner(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func (m *LocalScannerCertsIssueError) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *LocalScannerCertsIssueError) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *LocalScannerCertsIssueError) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.Message) > 0 { + i -= len(m.Message) + copy(dAtA[i:], m.Message) + i = encodeVarintLocalScanner(dAtA, i, 
uint64(len(m.Message))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + func (m *IssueLocalScannerCertsRequest) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -379,9 +656,28 @@ func (m *IssueLocalScannerCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if m.ScannerDbCerts != nil { + if m.Response != nil { { - size, err := m.ScannerDbCerts.MarshalToSizedBuffer(dAtA[:i]) + size := m.Response.Size() + i -= size + if _, err := m.Response.MarshalTo(dAtA[i:]); err != nil { + return 0, err + } + } + } + return len(dAtA) - i, nil +} + +func (m *IssueLocalScannerCertsResponse_Certificates) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IssueLocalScannerCertsResponse_Certificates) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + if m.Certificates != nil { + { + size, err := m.Certificates.MarshalToSizedBuffer(dAtA[:i]) if err != nil { return 0, err } @@ -389,11 +685,20 @@ func (m *IssueLocalScannerCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, i = encodeVarintLocalScanner(dAtA, i, uint64(size)) } i-- - dAtA[i] = 0x12 + dAtA[i] = 0xa } - if m.ScannerCerts != nil { + return len(dAtA) - i, nil +} +func (m *IssueLocalScannerCertsResponse_Error) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *IssueLocalScannerCertsResponse_Error) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + if m.Error != nil { { - size, err := m.ScannerCerts.MarshalToSizedBuffer(dAtA[:i]) + size, err := m.Error.MarshalToSizedBuffer(dAtA[:i]) if err != nil { return 0, err } 
@@ -401,11 +706,10 @@ func (m *IssueLocalScannerCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, i = encodeVarintLocalScanner(dAtA, i, uint64(size)) } i-- - dAtA[i] = 0xa + dAtA[i] = 0x12 } return len(dAtA) - i, nil } - func encodeVarintLocalScanner(dAtA []byte, offset int, v uint64) int { offset -= sovLocalScanner(v) base := offset @@ -441,6 +745,42 @@ func (m *LocalScannerCertificates) Size() (n int) { return n } +func (m *LocalScannerCertificateSet) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.ScannerCerts != nil { + l = m.ScannerCerts.Size() + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.ScannerDbCerts != nil { + l = m.ScannerDbCerts.Size() + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func (m *LocalScannerCertsIssueError) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Message) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + func (m *IssueLocalScannerCertsRequest) Size() (n int) { if m == nil { return 0 @@ -463,13 +803,8 @@ func (m *IssueLocalScannerCertsResponse) Size() (n int) { } var l int _ = l - if m.ScannerCerts != nil { - l = m.ScannerCerts.Size() - n += 1 + l + sovLocalScanner(uint64(l)) - } - if m.ScannerDbCerts != nil { - l = m.ScannerDbCerts.Size() - n += 1 + l + sovLocalScanner(uint64(l)) + if m.Response != nil { + n += m.Response.Size() } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) 
@@ -477,6 +812,31 @@ func (m *IssueLocalScannerCertsResponse) Size() (n int) { return n } +func (m *IssueLocalScannerCertsResponse_Certificates) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Certificates != nil { + l = m.Certificates.Size() + n += 1 + l + sovLocalScanner(uint64(l)) + } + return n +} +func (m *IssueLocalScannerCertsResponse_Error) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.Error != nil { + l = m.Error.Size() + n += 1 + l + sovLocalScanner(uint64(l)) + } + return n +} + func sovLocalScanner(x uint64) (n int) { return (math_bits.Len64(x|1) + 6) / 7 } 
@@ -636,6 +996,212 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { } return nil } +func (m *LocalScannerCertificateSet) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: LocalScannerCertificateSet: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: LocalScannerCertificateSet: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ScannerCerts", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.ScannerCerts == nil { + m.ScannerCerts = &LocalScannerCertificates{} + } + if err := m.ScannerCerts.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ScannerDbCerts", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 
{ + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.ScannerDbCerts == nil { + m.ScannerDbCerts = &LocalScannerCertificates{} + } + if err := m.ScannerDbCerts.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipLocalScanner(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthLocalScanner + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *LocalScannerCertsIssueError) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: LocalScannerCertsIssueError: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: LocalScannerCertsIssueError: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return 
ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Message = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipLocalScanner(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthLocalScanner + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *IssueLocalScannerCertsRequest) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 @@ -750,7 +1316,7 @@ func (m *IssueLocalScannerCertsResponse) Unmarshal(dAtA []byte) error { switch fieldNum { case 1: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ScannerCerts", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Certificates", wireType) } var msglen int for shift := uint(0); ; shift += 7 { @@ -777,16 +1343,15 @@ func (m *IssueLocalScannerCertsResponse) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - if m.ScannerCerts == nil { - m.ScannerCerts = &LocalScannerCertificates{} - } - if err := m.ScannerCerts.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + v := &LocalScannerCertificateSet{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } + m.Response = &IssueLocalScannerCertsResponse_Certificates{v} iNdEx = postIndex case 2: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ScannerDbCerts", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType) } var msglen int for shift := uint(0); ; shift += 7 { 
@@ -813,12 +1378,11 @@ func (m *IssueLocalScannerCertsResponse) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - if m.ScannerDbCerts == nil { - m.ScannerDbCerts = &LocalScannerCertificates{} - } - if err := m.ScannerDbCerts.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + v := &LocalScannerCertsIssueError{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } + m.Response = &IssueLocalScannerCertsResponse_Error{v} iNdEx = postIndex default: iNdEx = preIndex diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index 37bad2a335ab0..e9d938f5a511f 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto @@ -12,12 +12,23 @@ message LocalScannerCertificates { bytes key = 3; } +message LocalScannerCertificateSet { + LocalScannerCertificates scanner_certs = 1; + LocalScannerCertificates scanner_db_certs = 2; +} + +message LocalScannerCertsIssueError { + string message = 1; +} + message IssueLocalScannerCertsRequest { string namespace = 1; } message IssueLocalScannerCertsResponse { - LocalScannerCertificates scanner_certs = 1; - LocalScannerCertificates scanner_db_certs = 2; + oneof response { + LocalScannerCertificateSet certificates = 1; + LocalScannerCertsIssueError error = 2; + } } From b88111d96f4fd9c22534011f2203755327de792d Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Thu, 13 Jan 2022 17:33:29 +0100 Subject: [PATCH 18/45] Add test for processIssueLocalScannerCertsRequest --- .../service/connection/connection_test.go | 95 ++++++++++++++++--- 1 file changed, 81 insertions(+), 14 deletions(-) diff --git a/central/sensor/service/connection/connection_test.go b/central/sensor/service/connection/connection_test.go index fceb9fc5526e1..25c490b505608 100644 --- a/central/sensor/service/connection/connection_test.go +++ b/central/sensor/service/connection/connection_test.go 
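Review bot: The three new messages carry no comments, and nothing warns that `LocalScannerCertificateSet` wraps `LocalScannerCertificates`, whose `key` field (context at the top of this hunk) is a private key, so a reader has no cue that dumping an `IssueLocalScannerCertsResponse` into a log prints key material. I would add above `message LocalScannerCertificateSet`: `// Certificates and private keys for the local scanner and its DB; treat as secret material and never log a populated instance.`, and above `message LocalScannerCertsIssueError`: `// Error reported back to sensor when issuance failed; the message is surfaced to the secured cluster, so keep it free of central-internal details.` The second comment assumes the error branch is what the sensor connection handler sends back, which is outside this file.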
@@ -3,19 +3,46 @@ package connection import ( "context" "testing" + "time" "github.com/gogo/protobuf/types" "github.com/golang/mock/gomock" clusterMgrMock "github.com/stackrox/rox/central/sensor/service/common/mocks" + testutilsMTLS "github.com/stackrox/rox/central/testutils/mtls" "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/booleanpolicy/policyversion" "github.com/stackrox/rox/pkg/centralsensor" + "github.com/stackrox/rox/pkg/concurrency" + "github.com/stackrox/rox/pkg/features" "github.com/stackrox/rox/pkg/testutils/envisolator" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/suite" "google.golang.org/grpc" ) +func TestHandler(t *testing.T) { + suite.Run(t, new(testSuite)) +} + +type testSuite struct { + suite.Suite + envIsolator *envisolator.EnvIsolator +} + +func (s *testSuite) SetupSuite() { + s.envIsolator = envisolator.NewEnvIsolator(s.T()) +} + +func (s *testSuite) TearDownTest() { + s.envIsolator.RestoreAll() +} + +func (s *testSuite) SetupTest() { + err := testutilsMTLS.LoadTestMTLSCerts(s.envIsolator) + s.Require().NoError(err) + s.envIsolator.Setenv(features.LocalImageScanning.EnvVar(), "true") +} + type mockServer struct { grpc.ServerStream sentList []*central.MsgToSensor @@ -33,7 +60,7 @@ func (c *mockServer) Recv() (*central.MsgFromSensor, error) { // TestGetPolicySyncMsgFromPolicies verifies that the sensor connection is // capable of downgrading policies to the version known of the underlying // sensor. The test uses specific policy versions and not a general approach. -func TestGetPolicySyncMsgFromPolicies(t *testing.T) { +func (s *testSuite) TestGetPolicySyncMsgFromPolicies() { centralVersion := policyversion.CurrentVersion() sensorVersion := policyversion.Version1() sensorHello := ¢ral.SensorHello{ 
@@ -47,18 +74,15 @@ func TestGetPolicySyncMsgFromPolicies(t *testing.T) { } msg, err := sensorMockConn.getPolicySyncMsgFromPolicies([]*storage.Policy{policy}) - assert.NoError(t, err) + s.Assert().NoError(err) policySync := msg.GetPolicySync() - assert.NotNil(t, policySync) - assert.NotEmpty(t, policySync.Policies) - assert.Equal(t, sensorVersion.String(), policySync.Policies[0].GetPolicyVersion()) + s.Assert().NotNil(policySync) + s.Assert().NotEmpty(policySync.Policies) + s.Assert().Equal(sensorVersion.String(), policySync.Policies[0].GetPolicyVersion()) } -func TestSendsAuditLogSyncMessageIfEnabledOnRun(t *testing.T) { - envIsolator := envisolator.NewEnvIsolator(t) - defer envIsolator.RestoreAll() - +func (s *testSuite) TestSendsAuditLogSyncMessageIfEnabledOnRun() { ctx := context.Background() clusterID := "this-cluster" auditLogState := map[string]*storage.AuditLogFileState{ @@ -73,7 +97,7 @@ func TestSendsAuditLogSyncMessageIfEnabledOnRun(t *testing.T) { AuditLogState: auditLogState, } - ctrl := gomock.NewController(t) + ctrl := gomock.NewController(s.T()) mgrMock := clusterMgrMock.NewMockClusterManager(ctrl) sensorMockConn := &sensorConnection{ 
@@ -87,15 +111,58 @@ func TestSendsAuditLogSyncMessageIfEnabledOnRun(t *testing.T) { mgrMock.EXPECT().GetCluster(ctx, clusterID).Return(cluster, true, nil).AnyTimes() - assert.NoError(t, sensorMockConn.Run(ctx, server, caps)) + s.Assert().NoError(sensorMockConn.Run(ctx, server, caps)) for _, msg := range server.sentList { if syncMsg := msg.GetAuditLogSync(); syncMsg != nil { - assert.Equal(t, auditLogState, syncMsg.GetNodeAuditLogFileStates()) + s.Assert().Equal(auditLogState, syncMsg.GetNodeAuditLogFileStates()) return } } - assert.FailNow(t, "Audit log sync message was not sent") + s.Assert().FailNow("Audit log sync message was not sent") +} +func (s *testSuite) TestIssueLocalScannerCerts() { + testCases := map[string]struct { + clusterID string + shouldFail bool + }{ + "empty cluster id": {"", true}, + "non empty cluster id": {"clusterID", false}, + } + for tcName, tc := range testCases { + s.Run(tcName, func() { + sendC := make(chan *central.MsgToSensor) + sensorMockConn := &sensorConnection{ + clusterID: tc.clusterID, + sendC: sendC, + stopSig: concurrency.NewErrorSignal(), + } + ctx := context.Background() + ctx, cancel := context.WithTimeout(ctx, 1*time.Second) + defer cancel() + namespace := "namespace" + request := ¢ral.MsgFromSensor{ + Msg: ¢ral.MsgFromSensor_IssueLocalScannerCertsRequest{ + IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{Namespace: namespace}, + }, + } + + go func() { + s.Assert().NoError(sensorMockConn.handleMessage(ctx, request)) + }() + + select { + case msgToSensor := <-sendC: + if tc.shouldFail { + s.Assert().NotNil(msgToSensor.GetIssueLocalScannerCertsResponse().GetError()) + } else { + s.Assert().NotNil(msgToSensor.GetIssueLocalScannerCertsResponse().GetCertificates()) + } + case <-ctx.Done(): + s.Fail(ctx.Err().Error()) + } + }) + } } From 83e208cda0b992e451e8a0a11b6e8dc778424013 Mon Sep 17 00:00:00 2001 
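Review bot: The success branch asserts only that the `certificates` oneof is set, so a response carrying an empty `LocalScannerCertificateSet` would pass; since issuance is expected to yield both a scanner and a scanner-db certificate, check both here, e.g. `certs := msgToSensor.GetIssueLocalScannerCertsResponse().GetCertificates()`, `s.Require().NotNil(certs.GetScannerCerts())`, `s.Require().NotNil(certs.GetScannerDbCerts())`. The `s.Assert().NoError(...)` inside the `go func()` is never joined, so a non-nil return from `handleMessage` is reported after the subtest finished, or not at all when the `select` returns first (a later patch in this series addresses the join). The handler under test lives in connection_impl.go, outside this hunk.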
From: Juan Rodriguez Hortala Date: Thu, 13 Jan 2022 18:44:44 +0100 Subject: [PATCH 19/45] Skip tests when feature flag dependency is disabled `envisolator` doesn't enable env vars in release builds --- central/localscanner/certificates_test.go | 5 ++++- central/sensor/service/connection/connection_test.go | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index f4ab5b0bee10b..a30a939b4ce3e 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -40,7 +40,6 @@ func (s *localScannerSuite) TearDownTest() { func (s *localScannerSuite) SetupTest() { err := testutilsMTLS.LoadTestMTLSCerts(s.envIsolator) s.Require().NoError(err) - s.envIsolator.Setenv(featureFlag.EnvVar(), "true") } func (s *localScannerSuite) TestCertMapContainsExpectedFiles() { @@ -119,6 +118,10 @@ func (s *localScannerSuite) TestCertificateGeneration() { } func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { + s.envIsolator.Setenv(featureFlag.EnvVar(), "true") + if !featureFlag.Enabled() { + s.T().Skip() + } testCases := map[string]struct { namespace string shouldFail bool diff --git a/central/sensor/service/connection/connection_test.go b/central/sensor/service/connection/connection_test.go index 25c490b505608..64976d40e40ec 100644 --- a/central/sensor/service/connection/connection_test.go +++ b/central/sensor/service/connection/connection_test.go @@ -40,7 +40,6 @@ func (s *testSuite) TearDownTest() { func (s *testSuite) SetupTest() { err := testutilsMTLS.LoadTestMTLSCerts(s.envIsolator) s.Require().NoError(err) - s.envIsolator.Setenv(features.LocalImageScanning.EnvVar(), "true") } type mockServer struct { 
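Review bot: `s.T().Skip()` in `TestServiceIssueLocalScannerCerts` is called with no reason, so in a release build the only end-to-end issuance test shows up as skipped with nothing explaining why; the commit message already has the reason, put it in the call: `s.T().Skip("feature LocalImageScanning cannot be enabled through the environment in release builds")`. The same applies to the skip this patch adds to `TestIssueLocalScannerCerts` in connection_test.go. Since the env var is now set only inside this test, the other tests of the suite run with the flag unset, which is fine only if the helper they call does not consult the flag; that helper is outside the hunk, so worth a quick check.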
@@ -124,6 +123,10 @@ func (s *testSuite) TestSendsAuditLogSyncMessageIfEnabledOnRun() { } func (s *testSuite) TestIssueLocalScannerCerts() { + s.envIsolator.Setenv(features.LocalImageScanning.EnvVar(), "true") + if !features.LocalImageScanning.Enabled() { + s.T().Skip() + } testCases := map[string]struct { clusterID string shouldFail bool From 8921d8588406f9effd63b8dc7c9d7de505148d73 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 09:22:48 +0100 Subject: [PATCH 20/45] Use features.LocalImageScanning always directly Also add test to check the right feature flag is being used. --- central/localscanner/certificates.go | 8 ++------ central/localscanner/certificates_test.go | 16 ++++++++++++++-- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/central/localscanner/certificates.go b/central/localscanner/certificates.go index 531e3692743ef..ae4edf33c10db 100644 --- a/central/localscanner/certificates.go +++ b/central/localscanner/certificates.go @@ -10,17 +10,13 @@ import ( "github.com/stackrox/rox/pkg/mtls" ) -var ( - featureFlag = features.LocalImageScanning -) - // secretDataMap represents data stored as part of a secret. type secretDataMap = map[string][]byte // IssueLocalScannerCerts issue certificates for a local scanner running in secured clusters. func IssueLocalScannerCerts(namespace string, clusterID string) (*central.LocalScannerCertificateSet, error) { - if !featureFlag.Enabled() { - return nil, errors.Errorf("feature '%s' is disabled", featureFlag.Name()) + if !features.LocalImageScanning.Enabled() { + return nil, errors.Errorf("feature '%s' is disabled", features.LocalImageScanning.Name()) } if namespace == "" { return nil, errors.New("namespace is required to issue the certificates for the local scanner") diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index a30a939b4ce3e..d4eccd7f6d4ce 100644 --- a/central/localscanner/certificates_test.go 
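Review bot: In `IssueLocalScannerCerts`, `namespace` is only checked for emptiness, yet it originates on the sensor side of the connection (the handler in connection_impl.go passes `request.GetNamespace()` straight through) and, judging by the generation test's `cert.DNSNames` checks, ends up in the issued certificate's SANs, so a malformed or oversized value gets signed by central's CA without further validation. Rejecting anything that is not a valid Kubernetes namespace name (a lowercase DNS-1123 label of at most 63 characters) before issuing closes that: `if len(namespace) > 63 || !k8sNamespaceRegex.MatchString(namespace) { return nil, errors.Errorf("invalid namespace %q", namespace) }` with a package-level `k8sNamespaceRegex = regexp.MustCompile("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")`. The rest of the function, including where the SANs are built, is outside the hunk.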
+++ b/central/localscanner/certificates_test.go @@ -10,6 +10,7 @@ import ( "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/certgen" + "github.com/stackrox/rox/pkg/features" "github.com/stackrox/rox/pkg/mtls" "github.com/stackrox/rox/pkg/testutils/envisolator" "github.com/stretchr/testify/suite" @@ -117,9 +118,20 @@ func (s *localScannerSuite) TestCertificateGeneration() { } } +func (s *localScannerSuite) TestServiceIssueLocalScannerCertsFeatureFlagDisabled() { + s.envIsolator.Setenv(features.LocalImageScanning.EnvVar(), "false") + if features.LocalImageScanning.Enabled() { + s.T().Skip() + } + + _, err := IssueLocalScannerCerts(namespace, clusterID) + + s.Assert().Error(err) +} + func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { - s.envIsolator.Setenv(featureFlag.EnvVar(), "true") - if !featureFlag.Enabled() { + s.envIsolator.Setenv(features.LocalImageScanning.EnvVar(), "true") + if !features.LocalImageScanning.Enabled() { s.T().Skip() } testCases := map[string]struct { From 4fe13ce2a50eefa70075e5998f84298ecedb4f63 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 09:24:49 +0100 Subject: [PATCH 21/45] Quote namespace in error log --- central/sensor/service/connection/connection_impl.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/central/sensor/service/connection/connection_impl.go b/central/sensor/service/connection/connection_impl.go index 1865e05fc57a3..d6ed763155c87 100644 --- a/central/sensor/service/connection/connection_impl.go +++ b/central/sensor/service/connection/connection_impl.go 
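Review bot: `s.Error(err)` in `TestServiceIssueLocalScannerCertsFeatureFlagDisabled` is also satisfied by an unrelated failure such as missing test certificates, so the test does not prove that the feature-flag gate is what rejected the call; pin the message, e.g. `s.Contains(err.Error(), features.LocalImageScanning.Name())`. The skip guard assumes setting the variable to "false" can actually turn the flag off; where a build pins it on, the test silently skips, so a skip reason such as `s.T().Skip("feature flag cannot be disabled in this build")` would make that visible in CI output.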
@@ -241,7 +241,7 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr func (c *sensorConnection) processIssueLocalScannerCertsRequest(ctx context.Context, request *central.IssueLocalScannerCertsRequest) error { namespace := request.GetNamespace() certificates, err := localscanner.IssueLocalScannerCerts(namespace, c.clusterID) - errMsg := fmt.Sprintf("issuing local Scanner certificates for cluster with ID %s and namespace %s", + errMsg := fmt.Sprintf("issuing local Scanner certificates for cluster with ID %s and namespace %q", c.clusterID, namespace) response := ¢ral.IssueLocalScannerCertsResponse{ Response: ¢ral.IssueLocalScannerCertsResponse_Certificates{ From 1f5bd757631e4b52764cdfb0f5faa5452f87ae96 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 09:34:59 +0100 Subject: [PATCH 22/45] Use assertion methods directly insted of through s.Assert() --- central/localscanner/certificates_test.go | 26 +++++++++---------- .../service/connection/connection_test.go | 20 +++++++------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index d4eccd7f6d4ce..6ef5291099540 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -62,9 +62,9 @@ func (s *localScannerSuite) TestCertMapContainsExpectedFiles() { s.Require().NoError(err, tc.service) } expectedFiles := []string{"ca.pem", "cert.pem", "key.pem"} - s.Assert().Equal(len(expectedFiles), len(certMap)) + s.Equal(len(expectedFiles), len(certMap)) for _, key := range expectedFiles { - s.Assert().Contains(certMap, key, tc.service) + s.Contains(certMap, key, tc.service) } } } 
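Review bot: Only the namespace got `%q`; the cluster ID on the same line stays `%s`, so the one case this handler is tested to reject, an empty `clusterID` ("empty cluster id" in connection_test.go), still renders as `cluster with ID  and namespace ""` with nothing marking the blank. Use `%q` for both: `errMsg := fmt.Sprintf("issuing local Scanner certificates for cluster with ID %q and namespace %q",`. How `errMsg` is consumed (a central log line versus the `LocalScannerCertsIssueError` sent back to sensor) is outside the hunk; if it reaches sensor, it should not carry the wrapped internal error's details.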
@@ -80,7 +80,7 @@ func (s *localScannerSuite) TestValidateServiceCertificate() { s.Require().NoError(err, serviceType) validatingCA, err := mtls.LoadCAForValidation(certMap["ca.pem"]) s.Require().NoError(err, serviceType) - s.Assert().NoError(certgen.VerifyServiceCert(certMap, validatingCA, serviceType, ""), serviceType) + s.NoError(certgen.VerifyServiceCert(certMap, validatingCA, serviceType, ""), serviceType) } } @@ -104,17 +104,17 @@ func (s *localScannerSuite) TestCertificateGeneration() { subject := cert.Subject certOUs := subject.OrganizationalUnit - s.Assert().Equal(1, len(certOUs), tc.service) - s.Assert().Equal(tc.expectOU, certOUs[0], tc.service) + s.Equal(1, len(certOUs), tc.service) + s.Equal(tc.expectOU, certOUs[0], tc.service) - s.Assert().Equal(fmt.Sprintf("%s: %s", tc.expectOU, clusterID), subject.CommonName, tc.service) + s.Equal(fmt.Sprintf("%s: %s", tc.expectOU, clusterID), subject.CommonName, tc.service) certAlternativeNames := cert.DNSNames - s.Assert().Equal(len(tc.expectedAlternativeNames), len(certAlternativeNames), tc.service) + s.Equal(len(tc.expectedAlternativeNames), len(certAlternativeNames), tc.service) for _, name := range tc.expectedAlternativeNames { - s.Assert().Contains(certAlternativeNames, name, tc.service) + s.Contains(certAlternativeNames, name, tc.service) } - s.Assert().Equal(cert.NotBefore.Add(2*24*time.Hour), cert.NotAfter, tc.service) + s.Equal(cert.NotBefore.Add(2*24*time.Hour), cert.NotAfter, tc.service) } } @@ -126,7 +126,7 @@ func (s *localScannerSuite) TestServiceIssueLocalScannerCertsFeatureFlagDisabled _, err := IssueLocalScannerCerts(namespace, clusterID) - s.Assert().Error(err) + s.Error(err) } func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { 
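Review bot: In the `TestCertificateGeneration` hunk, `s.Equal(1, len(certOUs), tc.service)` and `s.Equal(len(tc.expectedAlternativeNames), len(certAlternativeNames), tc.service)` print only two integers on failure, which hides which OU or SAN was unexpected; since this commit is already reshaping the assertions, `s.Len(certOUs, 1, tc.service)` and `s.Len(certAlternativeNames, len(tc.expectedAlternativeNames), tc.service)` print the slice contents. The `2*24*time.Hour` validity window is asserted as a bare literal; a named constant shared with the issuing code would keep the test from silently agreeing with a changed lifetime, but the issuing code is outside this hunk.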
@@ -154,9 +154,9 @@ func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { certs.GetScannerDbCerts(), } { s.Require().NotNil(certs) - s.Assert().NotEmpty(certs.GetCa()) - s.Assert().NotEmpty(certs.GetCert()) - s.Assert().NotEmpty(certs.GetKey()) + s.NotEmpty(certs.GetCa()) + s.NotEmpty(certs.GetCert()) + s.NotEmpty(certs.GetKey()) } }) } diff --git a/central/sensor/service/connection/connection_test.go b/central/sensor/service/connection/connection_test.go index 64976d40e40ec..b044497fcf689 100644 --- a/central/sensor/service/connection/connection_test.go +++ b/central/sensor/service/connection/connection_test.go @@ -73,12 +73,12 @@ func (s *testSuite) TestGetPolicySyncMsgFromPolicies() { } msg, err := sensorMockConn.getPolicySyncMsgFromPolicies([]*storage.Policy{policy}) - s.Assert().NoError(err) + s.NoError(err) policySync := msg.GetPolicySync() - s.Assert().NotNil(policySync) - s.Assert().NotEmpty(policySync.Policies) - s.Assert().Equal(sensorVersion.String(), policySync.Policies[0].GetPolicyVersion()) + s.NotNil(policySync) + s.NotEmpty(policySync.Policies) + s.Equal(sensorVersion.String(), policySync.Policies[0].GetPolicyVersion()) } func (s *testSuite) TestSendsAuditLogSyncMessageIfEnabledOnRun() { @@ -110,16 +110,16 @@ func (s *testSuite) TestSendsAuditLogSyncMessageIfEnabledOnRun() { mgrMock.EXPECT().GetCluster(ctx, clusterID).Return(cluster, true, nil).AnyTimes() - s.Assert().NoError(sensorMockConn.Run(ctx, server, caps)) + s.NoError(sensorMockConn.Run(ctx, server, caps)) for _, msg := range server.sentList { if syncMsg := msg.GetAuditLogSync(); syncMsg != nil { - s.Assert().Equal(auditLogState, syncMsg.GetNodeAuditLogFileStates()) + s.Equal(auditLogState, syncMsg.GetNodeAuditLogFileStates()) return } } - s.Assert().FailNow("Audit log sync message was not sent") + s.FailNow("Audit log sync message was not sent") } func (s *testSuite) TestIssueLocalScannerCerts() { 
@@ -153,15 +153,15 @@ func (s *testSuite) TestIssueLocalScannerCerts() { } go func() { - s.Assert().NoError(sensorMockConn.handleMessage(ctx, request)) + s.NoError(sensorMockConn.handleMessage(ctx, request)) }() select { case msgToSensor := <-sendC: if tc.shouldFail { - s.Assert().NotNil(msgToSensor.GetIssueLocalScannerCertsResponse().GetError()) + s.NotNil(msgToSensor.GetIssueLocalScannerCertsResponse().GetError()) } else { - s.Assert().NotNil(msgToSensor.GetIssueLocalScannerCertsResponse().GetCertificates()) + s.NotNil(msgToSensor.GetIssueLocalScannerCertsResponse().GetCertificates()) } case <-ctx.Done(): s.Fail(ctx.Err().Error()) From 1a1b1fd0a393c227429216e88ccc67c7bb1239f7 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 09:43:12 +0100 Subject: [PATCH 23/45] Make sure the result of handleMessage is always checked --- central/sensor/service/connection/connection_test.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/central/sensor/service/connection/connection_test.go b/central/sensor/service/connection/connection_test.go index b044497fcf689..b9b38ee2c04ab 100644 --- a/central/sensor/service/connection/connection_test.go +++ b/central/sensor/service/connection/connection_test.go @@ -152,8 +152,9 @@ func (s *testSuite) TestIssueLocalScannerCerts() { }, } + handleDoneErrSig := concurrency.NewErrorSignal() go func() { - s.NoError(sensorMockConn.handleMessage(ctx, request)) + handleDoneErrSig.SignalWithError(sensorMockConn.handleMessage(ctx, request)) }() select { @@ -166,6 +167,10 @@ func (s *testSuite) TestIssueLocalScannerCerts() { case <-ctx.Done(): s.Fail(ctx.Err().Error()) } + + handleErr, ok := handleDoneErrSig.WaitUntil(ctx) + s.Require().True(ok) + s.NoError(handleErr) }) } } From 7bfbd6ccd2f92586fa5fc7abfa1f5994353a6605 Mon Sep 17 00:00:00 2001 
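Review bot: In the `<-ctx.Done()` branch of `TestIssueLocalScannerCerts`, `s.Fail(ctx.Err().Error())` does not stop the subtest, so the newly added `handleDoneErrSig.WaitUntil(ctx)` then runs on an already-expired context, returns `ok == false`, and `s.Require().True(ok)` adds a second failure that only says false was not true. Make the timeout terminal, `s.FailNow(ctx.Err().Error())`, and give the wait a message, `s.Require().True(ok, "handleMessage did not return before the deadline")`. In that branch `handleMessage` may still be blocked sending on the unbuffered `sendC`, so the goroutine outlives the subtest; a buffered channel of size 1 would let it finish.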
From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 10:17:16 +0100 Subject: [PATCH 24/45] Add format to proto field names for certs and keys --- central/localscanner/certificates.go | 6 +- central/localscanner/certificates_test.go | 6 +- .../internalapi/central/local_scanner.pb.go | 139 +++++++++--------- proto/internalapi/central/local_scanner.proto | 6 +- 4 files changed, 79 insertions(+), 78 deletions(-) diff --git a/central/localscanner/certificates.go b/central/localscanner/certificates.go index ae4edf33c10db..81c43117af724 100644 --- a/central/localscanner/certificates.go +++ b/central/localscanner/certificates.go @@ -48,9 +48,9 @@ func localScannerCertificatesFor(serviceType storage.ServiceType, namespace stri } return ¢ral.LocalScannerCertificates{ - Ca: certificates[mtls.CACertFileName], - Cert: certificates[mtls.ServiceCertFileName], - Key: certificates[mtls.ServiceKeyFileName], + CaPem: certificates[mtls.CACertFileName], + CertPem: certificates[mtls.ServiceCertFileName], + KeyPem: certificates[mtls.ServiceKeyFileName], }, nil } diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 6ef5291099540..c3e1d2f310f70 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -154,9 +154,9 @@ func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { certs.GetScannerDbCerts(), } { s.Require().NotNil(certs) - s.NotEmpty(certs.GetCa()) - s.NotEmpty(certs.GetCert()) - s.NotEmpty(certs.GetKey()) + s.NotEmpty(certs.GetCaPem()) + s.NotEmpty(certs.GetCertPem()) + s.NotEmpty(certs.GetKeyPem()) } }) } diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go index aeff0122461a0..fa7a72d7493d1 100644 --- a/generated/internalapi/central/local_scanner.pb.go +++ b/generated/internalapi/central/local_scanner.pb.go 
@@ -24,9 +24,9 @@ var _ = math.Inf const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package type LocalScannerCertificates struct { - Ca []byte `protobuf:"bytes,1,opt,name=ca,proto3" json:"ca,omitempty"` - Cert []byte `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"` - Key []byte `protobuf:"bytes,3,opt,name=key,proto3" json:"key,omitempty"` + CaPem []byte `protobuf:"bytes,1,opt,name=ca_pem,json=caPem,proto3" json:"ca_pem,omitempty"` + CertPem []byte `protobuf:"bytes,2,opt,name=cert_pem,json=certPem,proto3" json:"cert_pem,omitempty"` + KeyPem []byte `protobuf:"bytes,3,opt,name=key_pem,json=keyPem,proto3" json:"key_pem,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -65,23 +65,23 @@ func (m *LocalScannerCertificates) XXX_DiscardUnknown() { var xxx_messageInfo_LocalScannerCertificates proto.InternalMessageInfo -func (m *LocalScannerCertificates) GetCa() []byte { +func (m *LocalScannerCertificates) GetCaPem() []byte { if m != nil { - return m.Ca + return m.CaPem } return nil } -func (m *LocalScannerCertificates) GetCert() []byte { +func (m *LocalScannerCertificates) GetCertPem() []byte { if m != nil { - return m.Cert + return m.CertPem } return nil } -func (m *LocalScannerCertificates) GetKey() []byte { +func (m *LocalScannerCertificates) GetKeyPem() []byte { if m != nil { - return m.Key + return m.KeyPem } return nil } 
@@ -96,17 +96,17 @@ func (m *LocalScannerCertificates) Clone() *LocalScannerCertificates { cloned := new(LocalScannerCertificates) *cloned = *m - if m.Ca != nil { - cloned.Ca = make([]byte, len(m.Ca)) - copy(cloned.Ca, m.Ca) + if m.CaPem != nil { + cloned.CaPem = make([]byte, len(m.CaPem)) + copy(cloned.CaPem, m.CaPem) } - if m.Cert != nil { - cloned.Cert = make([]byte, len(m.Cert)) - copy(cloned.Cert, m.Cert) + if m.CertPem != nil { + cloned.CertPem = make([]byte, len(m.CertPem)) + copy(cloned.CertPem, m.CertPem) } - if m.Key != nil { - cloned.Key = make([]byte, len(m.Key)) - copy(cloned.Key, m.Key) + if m.KeyPem != nil { + cloned.KeyPem = make([]byte, len(m.KeyPem)) + copy(cloned.KeyPem, m.KeyPem) } return cloned } 
@@ -439,30 +439,31 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 363 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xcf, 0x4e, 0xea, 0x40, - 0x14, 0xc6, 0x69, 0xb9, 0xf7, 0x72, 0x39, 0x97, 0x4b, 0xc8, 0xac, 0x7a, 0xb9, 0xda, 0x68, 0x35, - 0xd1, 0x15, 0x24, 0xba, 0x70, 0xa3, 0x1b, 0xfc, 0x13, 0x88, 0x2e, 0x4c, 0xd9, 0xb9, 0x21, 0xc3, - 0x70, 0x24, 0x8d, 0x65, 0x5a, 0xe7, 0x0c, 0x26, 0xbc, 0x89, 0xaf, 0xe1, 0xc2, 0x77, 0x70, 0xe9, - 0x23, 0x18, 0x7c, 0x11, 0xd3, 0x61, 0x1a, 0x50, 0xd3, 0xe8, 0x6e, 0xfa, 0xf5, 0xfc, 0x7e, 0xf9, - 0xce, 0x64, 0x60, 0x27, 0x92, 0x1a, 0x95, 0xe4, 0x31, 0x4f, 0xa3, 0xb6, 0x40, 0xa9, 0x15, 0x8f, - 0xdb, 0x71, 0x22, 0x78, 0x3c, 0x20, 0xc1, 0xa5, 0x44, 0xd5, 0x4a, 0x55, 0xa2, 0x13, 0x56, 0xb1, - 0x3f, 0x9b, 0x3e, 0xe9, 0x44, 0xf1, 0x31, 0xb6, 0x09, 0xd5, 0x5d, 0x24, 0x70, 0x10, 0x8d, 0x50, - 0xea, 0x48, 0xcf, 0x16, 0x83, 0xc1, 0x25, 0x78, 0x17, 0x19, 0xdf, 0x5f, 0xe0, 0xc7, 0xa8, 0x74, - 0x74, 0x1d, 0x09, 0xae, 0x91, 0x58, 0x1d, 0x5c, 0xc1, 0x3d, 0x67, 0xc3, 0xd9, 0xad, 0x85, 0xae, - 0xe0, 0x8c, 0xc1, 0x0f, 0x81, 0x4a, 0x7b, 0xae, 0x49, 0xcc, 0x99, 0x35, 0xa0, 0x7c, 0x83, 0x33, - 0xaf, 0x6c, 0xa2, 0xec, 0x18, 0x3c, 0x38, 0xd0, 0x2c, 0x50, 0xf6, 0x51, 0xb3, 0x33, 0xf8, 0x6b, - 0xab, 0x0e, 0x32, 0x01, 0x19, 0xff, 0x9f, 0xbd, 0xcd, 0x96, 0x6d, 0xdc, 0x2a, 0xaa, 0x13, 0xd6, - 0x68, 0x19, 0x12, 0x3b, 0x87, 0x46, 0xee, 0x19, 0x0d, 0xad, 0xca, 0xfd, 0xae, 0xaa, 0x6e, 0xd1, - 0x93, 0xa1, 0x91, 0x05, 0x07, 0xf0, 0xff, 0xe3, 0x2c, 0xf5, 0x88, 0xa6, 0x78, 0xaa, 0x54, 0xa2, - 0x98, 0x07, 0x95, 0x09, 0x12, 0xf1, 0x31, 0x9a, 0xb6, 0xd5, 0x30, 0xff, 0x0c, 0x8e, 0x60, 0xdd, - 0xcc, 0x7d, 0xa2, 0x43, 0xbc, 0x9d, 0x22, 0x69, 0xb6, 0x06, 0x55, 0xc9, 0x27, 0x48, 0x29, 0x17, - 0x39, 0xbc, 0x0c, 0x82, 0x47, 0x07, 0xfc, 0x22, 0x9e, 0xd2, 0x44, 0x12, 0xb2, 0x1e, 0xd4, 0xc4, - 0x4a, 0x75, 0x7b, 0x5d, 0x5b, 0x5f, 0xed, 0xd8, 0x47, 0xdd, 0x2d, 0x85, 0xef, 0x50, 0x76, 0x08, - 
0x3f, 0x31, 0xdb, 0xc7, 0xde, 0xd3, 0x76, 0xa1, 0x63, 0x65, 0xf7, 0x6e, 0x29, 0x5c, 0x40, 0x1d, - 0x80, 0xdf, 0xca, 0x96, 0xea, 0xfc, 0x7b, 0x9a, 0xfb, 0xce, 0xf3, 0xdc, 0x77, 0x5e, 0xe6, 0xbe, - 0x73, 0xff, 0xea, 0x97, 0xae, 0xf2, 0x07, 0x37, 0xfc, 0x65, 0xde, 0xd5, 0xfe, 0x5b, 0x00, 0x00, - 0x00, 0xff, 0xff, 0xb8, 0x4a, 0x6b, 0x5d, 0xab, 0x02, 0x00, 0x00, + // 378 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xcd, 0x6e, 0xda, 0x40, + 0x14, 0x85, 0x31, 0x15, 0x18, 0x6e, 0x69, 0x55, 0x8d, 0x54, 0x15, 0x68, 0x6b, 0xb5, 0x6e, 0xa5, + 0x76, 0x05, 0x52, 0xbb, 0xe8, 0xa6, 0xd9, 0x90, 0x1f, 0x81, 0x92, 0x05, 0x32, 0xbb, 0x6c, 0xac, + 0x61, 0xb8, 0x41, 0x16, 0xf6, 0xd8, 0x99, 0x3b, 0x44, 0xe2, 0x4d, 0xf2, 0x1a, 0x59, 0xe4, 0x1d, + 0xb2, 0xcc, 0x23, 0x44, 0xe4, 0x45, 0x22, 0x0f, 0x63, 0x41, 0x12, 0x59, 0xc9, 0x72, 0xe6, 0xdc, + 0xef, 0xcc, 0x39, 0xa3, 0x0b, 0xbf, 0x22, 0xa9, 0x51, 0x49, 0x1e, 0xf3, 0x2c, 0xea, 0x0b, 0x94, + 0x5a, 0xf1, 0xb8, 0x1f, 0xa7, 0x82, 0xc7, 0x21, 0x09, 0x2e, 0x25, 0xaa, 0x5e, 0xa6, 0x52, 0x9d, + 0x32, 0xd7, 0x8a, 0x5d, 0x8f, 0x74, 0xaa, 0xf8, 0x1c, 0xfb, 0x84, 0xea, 0x22, 0x12, 0x18, 0x46, + 0x33, 0x94, 0x3a, 0xd2, 0xab, 0xcd, 0xa0, 0x8f, 0xd0, 0x3e, 0xc9, 0xf9, 0xc9, 0x06, 0xdf, 0x47, + 0xa5, 0xa3, 0xb3, 0x48, 0x70, 0x8d, 0xc4, 0x3e, 0x42, 0x5d, 0xf0, 0x30, 0xc3, 0xa4, 0xed, 0x7c, + 0x73, 0x7e, 0xb7, 0x82, 0x9a, 0xe0, 0x63, 0x4c, 0x58, 0x07, 0x1a, 0x02, 0x95, 0x36, 0x42, 0xd5, + 0x08, 0x6e, 0x7e, 0xce, 0xa5, 0x4f, 0xe0, 0x2e, 0x70, 0x65, 0x94, 0x37, 0x46, 0xa9, 0x2f, 0x70, + 0x35, 0xc6, 0xc4, 0xbf, 0x72, 0xa0, 0x5b, 0xf2, 0xce, 0x04, 0x35, 0x3b, 0x82, 0x77, 0x36, 0x7f, + 0x98, 0x5b, 0x91, 0x79, 0xf0, 0xed, 0x9f, 0xef, 0x3d, 0x5b, 0xa3, 0x57, 0x96, 0x31, 0x68, 0xd1, + 0xf6, 0x92, 0xd8, 0x31, 0x7c, 0x28, 0x7c, 0x66, 0x53, 0x6b, 0x55, 0x7d, 0xad, 0xd5, 0x7b, 0x8b, + 0x1e, 0x4c, 0x8d, 0x99, 0xff, 0x0f, 0x3e, 0x3f, 0x9d, 0xa5, 0x11, 0xd1, 0x12, 0x0f, 0x95, 0x4a, + 0x15, 0x6b, 0x83, 
0x9b, 0x20, 0x11, 0x9f, 0xa3, 0x49, 0xdb, 0x0c, 0x8a, 0xa3, 0xbf, 0x07, 0x5f, + 0xcd, 0xdc, 0x33, 0x3a, 0xc0, 0xf3, 0x25, 0x92, 0x66, 0x5f, 0xa0, 0x29, 0x79, 0x82, 0x94, 0x71, + 0x51, 0xc0, 0xdb, 0x0b, 0xff, 0xda, 0x01, 0xaf, 0x8c, 0xa7, 0x2c, 0x95, 0x84, 0x6c, 0x04, 0x2d, + 0xb1, 0x13, 0xdd, 0x7e, 0xd7, 0x8f, 0x97, 0x3a, 0x4e, 0x50, 0x0f, 0x2b, 0xc1, 0x23, 0x94, 0xfd, + 0x87, 0x1a, 0xe6, 0x7d, 0xec, 0x3f, 0xfd, 0x2c, 0xf5, 0xd8, 0xe9, 0x3e, 0xac, 0x04, 0x1b, 0x68, + 0x00, 0xd0, 0x50, 0x36, 0xd4, 0xa0, 0x73, 0xb3, 0xf6, 0x9c, 0xdb, 0xb5, 0xe7, 0xdc, 0xad, 0x3d, + 0xe7, 0xf2, 0xde, 0xab, 0x9c, 0x16, 0x5b, 0x38, 0xad, 0x9b, 0x65, 0xfb, 0xfb, 0x10, 0x00, 0x00, + 0xff, 0xff, 0x85, 0x77, 0x5b, 0xb9, 0xc0, 0x02, 0x00, 0x00, } func (m *LocalScannerCertificates) Marshal() (dAtA []byte, err error) { @@ -489,24 +490,24 @@ func (m *LocalScannerCertificates) MarshalToSizedBuffer(dAtA []byte) (int, error i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if len(m.Key) > 0 { - i -= len(m.Key) - copy(dAtA[i:], m.Key) - i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Key))) + if len(m.KeyPem) > 0 { + i -= len(m.KeyPem) + copy(dAtA[i:], m.KeyPem) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.KeyPem))) i-- dAtA[i] = 0x1a } - if len(m.Cert) > 0 { - i -= len(m.Cert) - copy(dAtA[i:], m.Cert) - i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Cert))) + if len(m.CertPem) > 0 { + i -= len(m.CertPem) + copy(dAtA[i:], m.CertPem) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.CertPem))) i-- dAtA[i] = 0x12 } - if len(m.Ca) > 0 { - i -= len(m.Ca) - copy(dAtA[i:], m.Ca) - i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Ca))) + if len(m.CaPem) > 0 { + i -= len(m.CaPem) + copy(dAtA[i:], m.CaPem) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.CaPem))) i-- dAtA[i] = 0xa } 
@@ -727,15 +728,15 @@ func (m *LocalScannerCertificates) Size() (n int) { } var l int _ = l - l = len(m.Ca) + l = len(m.CaPem) if l > 0 { n += 1 + l + sovLocalScanner(uint64(l)) } - l = len(m.Cert) + l = len(m.CertPem) if l > 0 { n += 1 + l + sovLocalScanner(uint64(l)) } - l = len(m.Key) + l = len(m.KeyPem) if l > 0 { n += 1 + l + sovLocalScanner(uint64(l)) } @@ -874,7 +875,7 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { switch fieldNum { case 1: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Ca", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field CaPem", wireType) } var byteLen int for shift := uint(0); ; shift += 7 { @@ -901,14 +902,14 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Ca = append(m.Ca[:0], dAtA[iNdEx:postIndex]...) - if m.Ca == nil { - m.Ca = []byte{} + m.CaPem = append(m.CaPem[:0], dAtA[iNdEx:postIndex]...) + if m.CaPem == nil { + m.CaPem = []byte{} } iNdEx = postIndex case 2: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Cert", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field CertPem", wireType) } var byteLen int for shift := uint(0); ; shift += 7 { @@ -935,14 +936,14 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Cert = append(m.Cert[:0], dAtA[iNdEx:postIndex]...) - if m.Cert == nil { - m.Cert = []byte{} + m.CertPem = append(m.CertPem[:0], dAtA[iNdEx:postIndex]...) + if m.CertPem == nil { + m.CertPem = []byte{} } iNdEx = postIndex case 3: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field KeyPem", wireType) } var byteLen int for shift := uint(0); ; shift += 7 { 
@@ -969,9 +970,9 @@ func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Key = append(m.Key[:0], dAtA[iNdEx:postIndex]...) - if m.Key == nil { - m.Key = []byte{} + m.KeyPem = append(m.KeyPem[:0], dAtA[iNdEx:postIndex]...) + if m.KeyPem == nil { + m.KeyPem = []byte{} } iNdEx = postIndex default: diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index e9d938f5a511f..9eaa678f45665 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto @@ -7,9 +7,9 @@ import "storage/service_identity.proto"; package central; message LocalScannerCertificates { - bytes ca = 1; - bytes cert = 2; - bytes key = 3; + bytes ca_pem = 1; + bytes cert_pem = 2; + bytes key_pem = 3; } message LocalScannerCertificateSet { From a2b5ceff479dac2a706873d130dcfd4f6f0589ec Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 10:56:03 +0100 Subject: [PATCH 25/45] get namespace from sensor hello insteadof request parameter Also extend test cases to cover more missing parameters combinations --- central/localscanner/certificates_test.go | 8 +- .../service/connection/connection_impl.go | 6 +- .../service/connection/connection_test.go | 15 ++- .../internalapi/central/local_scanner.pb.go | 100 +++++------------- proto/internalapi/central/local_scanner.proto | 4 +- 5 files changed, 44 insertions(+), 89 deletions(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index c3e1d2f310f70..1fdaf179f9f57 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go 
@@ -136,14 +136,16 @@ func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { } testCases := map[string]struct { namespace string + clusterID string shouldFail bool }{ - "no parameter missing": {namespace, false}, - "namespace missing": {"", true}, + "no parameter missing": {namespace: namespace, clusterID: clusterID, shouldFail: false}, + "namespace missing": {namespace: "", clusterID: clusterID, shouldFail: true}, + "clusterID missing": {namespace: namespace, clusterID: "", shouldFail: true}, } for tcName, tc := range testCases { s.Run(tcName, func() { - certs, err := IssueLocalScannerCerts(tc.namespace, clusterID) + certs, err := IssueLocalScannerCerts(tc.namespace, tc.clusterID) if tc.shouldFail { s.Require().Error(err) return diff --git a/central/sensor/service/connection/connection_impl.go b/central/sensor/service/connection/connection_impl.go index d6ed763155c87..faad823567600 100644 --- a/central/sensor/service/connection/connection_impl.go +++ b/central/sensor/service/connection/connection_impl.go @@ -218,7 +218,7 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr case *central.MsgFromSensor_TelemetryDataResponse: return c.telemetryCtrl.ProcessTelemetryDataResponse(m.TelemetryDataResponse) case *central.MsgFromSensor_IssueLocalScannerCertsRequest: - return c.processIssueLocalScannerCertsRequest(ctx, m.IssueLocalScannerCertsRequest) + return c.processIssueLocalScannerCertsRequest(ctx) case *central.MsgFromSensor_Event: // Special case the reprocess deployment because its fields are already set if msg.GetEvent().GetReprocessDeployment() != nil { 
@@ -238,8 +238,8 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr return c.eventPipeline.Run(ctx, msg, c) } -func (c *sensorConnection) processIssueLocalScannerCertsRequest(ctx context.Context, request *central.IssueLocalScannerCertsRequest) error { - namespace := request.GetNamespace() +func (c *sensorConnection) processIssueLocalScannerCertsRequest(ctx context.Context) error { + namespace := c.sensorHello.GetDeploymentIdentification().GetAppNamespace() certificates, err := localscanner.IssueLocalScannerCerts(namespace, c.clusterID) errMsg := fmt.Sprintf("issuing local Scanner certificates for cluster with ID %s and namespace %q", c.clusterID, namespace) diff --git a/central/sensor/service/connection/connection_test.go b/central/sensor/service/connection/connection_test.go index b9b38ee2c04ab..1db1d0b816419 100644 --- a/central/sensor/service/connection/connection_test.go +++ b/central/sensor/service/connection/connection_test.go @@ -127,12 +127,15 @@ func (s *testSuite) TestIssueLocalScannerCerts() { if !features.LocalImageScanning.Enabled() { s.T().Skip() } + namespace, clusterID := "namespace", "clusterID" testCases := map[string]struct { + namespace string clusterID string shouldFail bool }{ - "empty cluster id": {"", true}, - "non empty cluster id": {"clusterID", false}, + "no parameter missing": {namespace: namespace, clusterID: clusterID, shouldFail: false}, + "namespace missing": {namespace: "", clusterID: clusterID, shouldFail: true}, + "clusterID missing": {namespace: namespace, clusterID: "", shouldFail: true}, } for tcName, tc := range testCases { s.Run(tcName, func() { 
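Review bot: The new `namespace := c.sensorHello.GetDeploymentIdentification().GetAppNamespace()` line drops the request parameter without saying why, so the next maintainer may add it back; a one-line comment would pin the intent: `// Take the namespace from the hello sensor sent on connect rather than from the request, so the certificates are bound to the namespace recorded for this connection.` If `c.sensorHello` can still be unset when this message arrives, the nil-safe getters yield an empty namespace and the call falls into the "namespace missing" failure path that connection_test.go now exercises; that seems acceptable, but it is worth stating next to the line. processIssueLocalScannerCertsRequest continues past the end of the hunk.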
@@ -141,14 +144,18 @@ func (s *testSuite) TestIssueLocalScannerCerts() { clusterID: tc.clusterID, sendC: sendC, stopSig: concurrency.NewErrorSignal(), + sensorHello: ¢ral.SensorHello{ + DeploymentIdentification: &storage.SensorDeploymentIdentification{ + AppNamespace: tc.namespace, + }, + }, } ctx := context.Background() ctx, cancel := context.WithTimeout(ctx, 1*time.Second) defer cancel() - namespace := "namespace" request := ¢ral.MsgFromSensor{ Msg: ¢ral.MsgFromSensor_IssueLocalScannerCertsRequest{ - IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{Namespace: namespace}, + IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{}, }, } diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go index fa7a72d7493d1..195d5dcdf6aec 100644 --- a/generated/internalapi/central/local_scanner.pb.go +++ b/generated/internalapi/central/local_scanner.pb.go @@ -242,7 +242,6 @@ func (m *LocalScannerCertsIssueError) Clone() *LocalScannerCertsIssueError { } type IssueLocalScannerCertsRequest struct { - Namespace string `protobuf:"bytes,1,opt,name=namespace,proto3" json:"namespace,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -281,13 +280,6 @@ func (m *IssueLocalScannerCertsRequest) XXX_DiscardUnknown() { var xxx_messageInfo_IssueLocalScannerCertsRequest proto.InternalMessageInfo -func (m *IssueLocalScannerCertsRequest) GetNamespace() string { - if m != nil { - return m.Namespace - } - return "" -} - func (m *IssueLocalScannerCertsRequest) MessageClone() proto.Message { return m.Clone() } 
@@ -439,31 +431,30 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 378 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xcd, 0x6e, 0xda, 0x40, - 0x14, 0x85, 0x31, 0x15, 0x18, 0x6e, 0x69, 0x55, 0x8d, 0x54, 0x15, 0x68, 0x6b, 0xb5, 0x6e, 0xa5, - 0x76, 0x05, 0x52, 0xbb, 0xe8, 0xa6, 0xd9, 0x90, 0x1f, 0x81, 0x92, 0x05, 0x32, 0xbb, 0x6c, 0xac, - 0x61, 0xb8, 0x41, 0x16, 0xf6, 0xd8, 0x99, 0x3b, 0x44, 0xe2, 0x4d, 0xf2, 0x1a, 0x59, 0xe4, 0x1d, - 0xb2, 0xcc, 0x23, 0x44, 0xe4, 0x45, 0x22, 0x0f, 0x63, 0x41, 0x12, 0x59, 0xc9, 0x72, 0xe6, 0xdc, - 0xef, 0xcc, 0x39, 0xa3, 0x0b, 0xbf, 0x22, 0xa9, 0x51, 0x49, 0x1e, 0xf3, 0x2c, 0xea, 0x0b, 0x94, - 0x5a, 0xf1, 0xb8, 0x1f, 0xa7, 0x82, 0xc7, 0x21, 0x09, 0x2e, 0x25, 0xaa, 0x5e, 0xa6, 0x52, 0x9d, - 0x32, 0xd7, 0x8a, 0x5d, 0x8f, 0x74, 0xaa, 0xf8, 0x1c, 0xfb, 0x84, 0xea, 0x22, 0x12, 0x18, 0x46, - 0x33, 0x94, 0x3a, 0xd2, 0xab, 0xcd, 0xa0, 0x8f, 0xd0, 0x3e, 0xc9, 0xf9, 0xc9, 0x06, 0xdf, 0x47, - 0xa5, 0xa3, 0xb3, 0x48, 0x70, 0x8d, 0xc4, 0x3e, 0x42, 0x5d, 0xf0, 0x30, 0xc3, 0xa4, 0xed, 0x7c, - 0x73, 0x7e, 0xb7, 0x82, 0x9a, 0xe0, 0x63, 0x4c, 0x58, 0x07, 0x1a, 0x02, 0x95, 0x36, 0x42, 0xd5, - 0x08, 0x6e, 0x7e, 0xce, 0xa5, 0x4f, 0xe0, 0x2e, 0x70, 0x65, 0x94, 0x37, 0x46, 0xa9, 0x2f, 0x70, - 0x35, 0xc6, 0xc4, 0xbf, 0x72, 0xa0, 0x5b, 0xf2, 0xce, 0x04, 0x35, 0x3b, 0x82, 0x77, 0x36, 0x7f, - 0x98, 0x5b, 0x91, 0x79, 0xf0, 0xed, 0x9f, 0xef, 0x3d, 0x5b, 0xa3, 0x57, 0x96, 0x31, 0x68, 0xd1, - 0xf6, 0x92, 0xd8, 0x31, 0x7c, 0x28, 0x7c, 0x66, 0x53, 0x6b, 0x55, 0x7d, 0xad, 0xd5, 0x7b, 0x8b, - 0x1e, 0x4c, 0x8d, 0x99, 0xff, 0x0f, 0x3e, 0x3f, 0x9d, 0xa5, 0x11, 0xd1, 0x12, 0x0f, 0x95, 0x4a, - 0x15, 0x6b, 0x83, 0x9b, 0x20, 0x11, 0x9f, 0xa3, 0x49, 0xdb, 0x0c, 0x8a, 0xa3, 0xbf, 0x07, 0x5f, - 0xcd, 0xdc, 0x33, 0x3a, 0xc0, 0xf3, 0x25, 0x92, 0x66, 0x5f, 0xa0, 0x29, 0x79, 0x82, 0x94, 0x71, - 0x51, 0xc0, 0xdb, 0x0b, 0xff, 0xda, 0x01, 0xaf, 0x8c, 0xa7, 0x2c, 0x95, 0x84, 0x6c, 0x04, 0x2d, - 
0xb1, 0x13, 0xdd, 0x7e, 0xd7, 0x8f, 0x97, 0x3a, 0x4e, 0x50, 0x0f, 0x2b, 0xc1, 0x23, 0x94, 0xfd, - 0x87, 0x1a, 0xe6, 0x7d, 0xec, 0x3f, 0xfd, 0x2c, 0xf5, 0xd8, 0xe9, 0x3e, 0xac, 0x04, 0x1b, 0x68, - 0x00, 0xd0, 0x50, 0x36, 0xd4, 0xa0, 0x73, 0xb3, 0xf6, 0x9c, 0xdb, 0xb5, 0xe7, 0xdc, 0xad, 0x3d, - 0xe7, 0xf2, 0xde, 0xab, 0x9c, 0x16, 0x5b, 0x38, 0xad, 0x9b, 0x65, 0xfb, 0xfb, 0x10, 0x00, 0x00, - 0xff, 0xff, 0x85, 0x77, 0x5b, 0xb9, 0xc0, 0x02, 0x00, 0x00, + // 359 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x52, 0x4b, 0x4e, 0x32, 0x41, + 0x10, 0x66, 0xf8, 0x03, 0xc3, 0x5f, 0xa2, 0x31, 0x9d, 0x18, 0x01, 0xe3, 0xa8, 0xa3, 0x89, 0xae, + 0x20, 0xd1, 0x85, 0x1b, 0x57, 0xf8, 0x08, 0x44, 0x17, 0x64, 0xd8, 0xb9, 0x99, 0x34, 0x4d, 0x49, + 0x26, 0xcc, 0xcb, 0xae, 0xc6, 0x84, 0x9b, 0x78, 0x0d, 0x17, 0xde, 0xc1, 0xa5, 0x47, 0x30, 0x78, + 0x11, 0x33, 0x4d, 0x13, 0x51, 0x33, 0xd1, 0x65, 0xf7, 0xf7, 0xa8, 0xef, 0xab, 0x14, 0x1c, 0x06, + 0xb1, 0x42, 0x19, 0xf3, 0x90, 0xa7, 0x41, 0x4b, 0x60, 0xac, 0x24, 0x0f, 0x5b, 0x61, 0x22, 0x78, + 0xe8, 0x93, 0xe0, 0x71, 0x8c, 0xb2, 0x99, 0xca, 0x44, 0x25, 0xcc, 0x36, 0x60, 0xc3, 0x21, 0x95, + 0x48, 0x3e, 0xc2, 0x16, 0xa1, 0x7c, 0x08, 0x04, 0xfa, 0xc1, 0x10, 0x63, 0x15, 0xa8, 0xe9, 0x9c, + 0xe8, 0x22, 0xd4, 0x6e, 0x32, 0x7d, 0x7f, 0x2e, 0x3f, 0x47, 0xa9, 0x82, 0xbb, 0x40, 0x70, 0x85, + 0xc4, 0x36, 0xa0, 0x2c, 0xb8, 0x9f, 0x62, 0x54, 0xb3, 0x76, 0xad, 0xa3, 0xaa, 0x57, 0x12, 0xbc, + 0x87, 0x11, 0xab, 0x43, 0x45, 0xa0, 0x54, 0x1a, 0x28, 0x6a, 0xc0, 0xce, 0xde, 0x19, 0xb4, 0x09, + 0xf6, 0x18, 0xa7, 0x1a, 0xf9, 0xa7, 0x91, 0xf2, 0x18, 0xa7, 0x3d, 0x8c, 0xdc, 0x27, 0x0b, 0x1a, + 0x39, 0x73, 0xfa, 0xa8, 0xd8, 0x15, 0xac, 0x9a, 0xfc, 0x7e, 0x66, 0x45, 0x7a, 0xe0, 0xca, 0xf1, + 0x5e, 0xd3, 0xd4, 0x68, 0xe6, 0x65, 0xf4, 0xaa, 0xf4, 0xf9, 0x49, 0xec, 0x1a, 0xd6, 0x17, 0x3e, + 0xc3, 0x81, 0xb1, 0x2a, 0xfe, 0xd5, 0x6a, 0xcd, 0x48, 0x2f, 0x06, 0xda, 0xcc, 0x3d, 0x85, 0xad, + 0xef, 0x5c, 0xea, 0x12, 
0x4d, 0xf0, 0x52, 0xca, 0x44, 0xb2, 0x1a, 0xd8, 0x11, 0x12, 0xf1, 0x11, + 0xea, 0xb4, 0xff, 0xbd, 0xc5, 0xd3, 0xdd, 0x81, 0x6d, 0xcd, 0xfb, 0xa1, 0xf6, 0xf0, 0x7e, 0x82, + 0xa4, 0xdc, 0x67, 0x0b, 0x9c, 0x3c, 0x06, 0xa5, 0x49, 0x4c, 0xc8, 0xba, 0x50, 0x15, 0x4b, 0xe1, + 0xcc, 0x42, 0xf6, 0x7f, 0x6b, 0xd1, 0x47, 0xd5, 0x29, 0x78, 0x5f, 0xa4, 0xec, 0x0c, 0x4a, 0x98, + 0x25, 0x36, 0x9b, 0x38, 0xc8, 0xf5, 0x58, 0x6a, 0xd7, 0x29, 0x78, 0x73, 0x51, 0x1b, 0xa0, 0x22, + 0x4d, 0xa8, 0x76, 0xfd, 0x65, 0xe6, 0x58, 0xaf, 0x33, 0xc7, 0x7a, 0x9b, 0x39, 0xd6, 0xe3, 0xbb, + 0x53, 0xb8, 0x5d, 0xdc, 0xd9, 0xa0, 0xac, 0xcf, 0xe9, 0xe4, 0x23, 0x00, 0x00, 0xff, 0xff, 0x94, + 0x88, 0x70, 0x56, 0xa2, 0x02, 0x00, 0x00, } func (m *LocalScannerCertificates) Marshal() (dAtA []byte, err error) { @@ -623,13 +614,6 @@ func (m *IssueLocalScannerCertsRequest) MarshalToSizedBuffer(dAtA []byte) (int, i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } - if len(m.Namespace) > 0 { - i -= len(m.Namespace) - copy(dAtA[i:], m.Namespace) - i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.Namespace))) - i-- - dAtA[i] = 0xa - } return len(dAtA) - i, nil } @@ -788,10 +772,6 @@ func (m *IssueLocalScannerCertsRequest) Size() (n int) { } var l int _ = l - l = len(m.Namespace) - if l > 0 { - n += 1 + l + sovLocalScanner(uint64(l)) - } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } 
@@ -1232,38 +1212,6 @@ func (m *IssueLocalScannerCertsRequest) Unmarshal(dAtA []byte) error { return fmt.Errorf("proto: IssueLocalScannerCertsRequest: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthLocalScanner - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthLocalScanner - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Namespace = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipLocalScanner(dAtA[iNdEx:]) diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index 9eaa678f45665..b121e3a233def 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto @@ -21,9 +21,7 @@ message LocalScannerCertsIssueError { string message = 1; } -message IssueLocalScannerCertsRequest { - string namespace = 1; -} +message IssueLocalScannerCertsRequest {} message IssueLocalScannerCertsResponse { oneof response { From a771af3733035caa58db3675649da24070a96ddf Mon Sep 17 00:00:00 2001 
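Review bot: `message IssueLocalScannerCertsRequest {}` in local_scanner.proto is now an empty message with no comment explaining where the namespace comes from, which is the main thing a reader of this API will ask. A leading comment such as `// Carries no parameters: Central derives the namespace from the SensorHello (SensorDeploymentIdentification.app_namespace) of the requesting connection.` documents the contract that connection_impl.go now implements. This applies only to the proto hunk; the generated pb.go hunks on this line mirror it.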
From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 12:18:06 +0100 Subject: [PATCH 26/45] Avoid redundancies and generalize proto messages --- central/localscanner/certificates.go | 35 +- central/localscanner/certificates_test.go | 16 +- .../internalapi/central/local_scanner.pb.go | 635 +------------ generated/storage/service_identity.pb.go | 837 +++++++++++++++++- proto/internalapi/central/local_scanner.proto | 14 +- proto/storage/service_identity.proto | 15 + 6 files changed, 872 insertions(+), 680 deletions(-) diff --git a/central/localscanner/certificates.go b/central/localscanner/certificates.go index 81c43117af724..398037cb85942 100644 --- a/central/localscanner/certificates.go +++ b/central/localscanner/certificates.go @@ -3,7 +3,6 @@ package localscanner import ( "github.com/hashicorp/go-multierror" "github.com/pkg/errors" - "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/certgen" "github.com/stackrox/rox/pkg/features" @@ -14,7 +13,7 @@ import ( type secretDataMap = map[string][]byte // IssueLocalScannerCerts issue certificates for a local scanner running in secured clusters. -func IssueLocalScannerCerts(namespace string, clusterID string) (*central.LocalScannerCertificateSet, error) { +func IssueLocalScannerCerts(namespace string, clusterID string) (*storage.TypedServiceCertificateSet, error) { if !features.LocalImageScanning.Enabled() { return nil, errors.Errorf("feature '%s' is disabled", features.LocalImageScanning.Name()) } 
@@ -23,11 +22,11 @@ func IssueLocalScannerCerts(namespace string, clusterID string) (*central.LocalS } var certIssueError error - scannerCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_SERVICE, namespace, clusterID) + caPem, scannerCertificate, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_SERVICE, namespace, clusterID) if err != nil { certIssueError = multierror.Append(certIssueError, err) } - scannerDBCertificates, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_DB_SERVICE, namespace, clusterID) + _, scannerDBCertificate, err := localScannerCertificatesFor(storage.ServiceType_SCANNER_DB_SERVICE, namespace, clusterID) if err != nil { certIssueError = multierror.Append(certIssueError, err) } 
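Review bot: The second call discards its CA with `_, scannerDBCertificate, err := …`, so the returned set carries only the CA from the scanner certificate and silently assumes the scanner-db certificate was issued by the same CA. Nothing in the hunk shows that guarantee, so either state it, `// both services are issued by the same CA, so one copy of the CA PEM is enough`, or keep the second value and reject the set with an error when the two CA PEMs differ (a bytes.Equal comparison). IssueLocalScannerCerts begins and ends outside the hunk.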
@@ -35,23 +34,29 @@ func IssueLocalScannerCerts(namespace string, clusterID string) (*central.LocalS return nil, certIssueError } - return ¢ral.LocalScannerCertificateSet{ - ScannerCerts: scannerCertificates, - ScannerDbCerts: scannerDBCertificates, + return &storage.TypedServiceCertificateSet{ + CaPem: caPem, + ServiceCerts: []*storage.TypedServiceCertificate{ + scannerCertificate, + scannerDBCertificate, + }, }, nil } -func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (*central.LocalScannerCertificates, error) { +func localScannerCertificatesFor(serviceType storage.ServiceType, namespace string, clusterID string) (caPem []byte, cert *storage.TypedServiceCertificate, err error) { certificates, err := generateServiceCertMap(serviceType, namespace, clusterID) if err != nil { - return nil, errors.Wrapf(err, "generating certificate for service %s", serviceType) + return nil, nil, errors.Wrapf(err, "generating certificate for service %s", serviceType) } - - return ¢ral.LocalScannerCertificates{ - CaPem: certificates[mtls.CACertFileName], - CertPem: certificates[mtls.ServiceCertFileName], - KeyPem: certificates[mtls.ServiceKeyFileName], - }, nil + caPem = certificates[mtls.CACertFileName] + cert = &storage.TypedServiceCertificate{ + ServiceType: serviceType, + Cert: &storage.ServiceCertificate{ + CertPem: certificates[mtls.ServiceCertFileName], + KeyPem: certificates[mtls.ServiceKeyFileName], + }, + } + return } func generateServiceCertMap(serviceType storage.ServiceType, namespace string, clusterID string) (secretDataMap, error) { diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 1fdaf179f9f57..341f860b1170d 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go 
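Review bot: localScannerCertificatesFor ends with a naked `return` after assigning three named results, which hides what the success path hands back; `return caPem, cert, nil` reads the same as the error branch above it and avoids a future assignment to `err` leaking out unnoticed. The map lookups `certificates[mtls.CACertFileName]` and friends yield nil when a key is absent, and whether generateServiceCertMap guarantees all three keys is not visible here; if it does not, a nil check before building the TypedServiceCertificate would turn an empty CA or key PEM into an error instead of shipping it to the sensor. generateServiceCertMap starts on the hunk's last line and continues outside it.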
@@ -7,7 +7,6 @@ import ( "github.com/cloudflare/cfssl/helpers" testutilsMTLS "github.com/stackrox/rox/central/testutils/mtls" - "github.com/stackrox/rox/generated/internalapi/central" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/certgen" "github.com/stackrox/rox/pkg/features" @@ -151,14 +150,13 @@ func (s *localScannerSuite) TestServiceIssueLocalScannerCerts() { return } s.Require().NoError(err) - for _, certs := range []*central.LocalScannerCertificates{ - certs.GetScannerCerts(), - certs.GetScannerDbCerts(), - } { - s.Require().NotNil(certs) - s.NotEmpty(certs.GetCaPem()) - s.NotEmpty(certs.GetCertPem()) - s.NotEmpty(certs.GetKeyPem()) + s.Require().NotNil(certs.GetCaPem()) + s.Require().NotEmpty(certs.GetServiceCerts()) + for _, cert := range certs.ServiceCerts { + s.Contains([]storage.ServiceType{storage.ServiceType_SCANNER_SERVICE, + storage.ServiceType_SCANNER_DB_SERVICE}, cert.GetServiceType()) + s.NotEmpty(cert.GetCert().GetCertPem()) + s.NotEmpty(cert.GetCert().GetKeyPem()) } }) } diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go index 195d5dcdf6aec..d4a6b0fa567ab 100644 --- a/generated/internalapi/central/local_scanner.pb.go +++ b/generated/internalapi/central/local_scanner.pb.go @@ -6,7 +6,7 @@ package central import ( fmt "fmt" proto "github.com/golang/protobuf/proto" - _ "github.com/stackrox/rox/generated/storage" + storage "github.com/stackrox/rox/generated/storage" io "io" math "math" math_bits "math/bits" 
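Review bot: In the `@@ -151,14 +150,13 @@` hunk the rewritten assertions only require ServiceCerts to be non-empty and each entry to be one of the two scanner types, so a result containing a single scanner certificate, or the same type twice, would still pass; the old loop checked both certificates explicitly. Pinning the count restores that coverage: `s.Require().Len(certs.GetServiceCerts(), 2)`, optionally followed by collecting the service types into a slice and asserting it contains both SCANNER_SERVICE and SCANNER_DB_SERVICE. The enclosing s.Run closure starts before the hunk.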
@@ -23,164 +23,6 @@ var _ = math.Inf // proto package needs to be updated. const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package -type LocalScannerCertificates struct { - CaPem []byte `protobuf:"bytes,1,opt,name=ca_pem,json=caPem,proto3" json:"ca_pem,omitempty"` - CertPem []byte `protobuf:"bytes,2,opt,name=cert_pem,json=certPem,proto3" json:"cert_pem,omitempty"` - KeyPem []byte `protobuf:"bytes,3,opt,name=key_pem,json=keyPem,proto3" json:"key_pem,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *LocalScannerCertificates) Reset() { *m = LocalScannerCertificates{} } -func (m *LocalScannerCertificates) String() string { return proto.CompactTextString(m) } -func (*LocalScannerCertificates) ProtoMessage() {} -func (*LocalScannerCertificates) Descriptor() ([]byte, []int) { - return fileDescriptor_856923c76f63cf0a, []int{0} -} -func (m *LocalScannerCertificates) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *LocalScannerCertificates) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_LocalScannerCertificates.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *LocalScannerCertificates) XXX_Merge(src proto.Message) { - xxx_messageInfo_LocalScannerCertificates.Merge(m, src) -} -func (m *LocalScannerCertificates) XXX_Size() int { - return m.Size() -} -func (m *LocalScannerCertificates) XXX_DiscardUnknown() { - xxx_messageInfo_LocalScannerCertificates.DiscardUnknown(m) -} - -var xxx_messageInfo_LocalScannerCertificates proto.InternalMessageInfo - -func (m *LocalScannerCertificates) GetCaPem() []byte { - if m != nil { - return m.CaPem - } - return nil -} - -func (m *LocalScannerCertificates) GetCertPem() []byte { - if m != nil { - return m.CertPem - } - return nil -} - -func 
(m *LocalScannerCertificates) GetKeyPem() []byte { - if m != nil { - return m.KeyPem - } - return nil -} - -func (m *LocalScannerCertificates) MessageClone() proto.Message { - return m.Clone() -} -func (m *LocalScannerCertificates) Clone() *LocalScannerCertificates { - if m == nil { - return nil - } - cloned := new(LocalScannerCertificates) - *cloned = *m - - if m.CaPem != nil { - cloned.CaPem = make([]byte, len(m.CaPem)) - copy(cloned.CaPem, m.CaPem) - } - if m.CertPem != nil { - cloned.CertPem = make([]byte, len(m.CertPem)) - copy(cloned.CertPem, m.CertPem) - } - if m.KeyPem != nil { - cloned.KeyPem = make([]byte, len(m.KeyPem)) - copy(cloned.KeyPem, m.KeyPem) - } - return cloned -} - -type LocalScannerCertificateSet struct { - ScannerCerts *LocalScannerCertificates `protobuf:"bytes,1,opt,name=scanner_certs,json=scannerCerts,proto3" json:"scanner_certs,omitempty"` - ScannerDbCerts *LocalScannerCertificates `protobuf:"bytes,2,opt,name=scanner_db_certs,json=scannerDbCerts,proto3" json:"scanner_db_certs,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *LocalScannerCertificateSet) Reset() { *m = LocalScannerCertificateSet{} } -func (m *LocalScannerCertificateSet) String() string { return proto.CompactTextString(m) } -func (*LocalScannerCertificateSet) ProtoMessage() {} -func (*LocalScannerCertificateSet) Descriptor() ([]byte, []int) { - return fileDescriptor_856923c76f63cf0a, []int{1} -} -func (m *LocalScannerCertificateSet) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *LocalScannerCertificateSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_LocalScannerCertificateSet.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *LocalScannerCertificateSet) XXX_Merge(src proto.Message) { - 
xxx_messageInfo_LocalScannerCertificateSet.Merge(m, src) -} -func (m *LocalScannerCertificateSet) XXX_Size() int { - return m.Size() -} -func (m *LocalScannerCertificateSet) XXX_DiscardUnknown() { - xxx_messageInfo_LocalScannerCertificateSet.DiscardUnknown(m) -} - -var xxx_messageInfo_LocalScannerCertificateSet proto.InternalMessageInfo - -func (m *LocalScannerCertificateSet) GetScannerCerts() *LocalScannerCertificates { - if m != nil { - return m.ScannerCerts - } - return nil -} - -func (m *LocalScannerCertificateSet) GetScannerDbCerts() *LocalScannerCertificates { - if m != nil { - return m.ScannerDbCerts - } - return nil -} - -func (m *LocalScannerCertificateSet) MessageClone() proto.Message { - return m.Clone() -} -func (m *LocalScannerCertificateSet) Clone() *LocalScannerCertificateSet { - if m == nil { - return nil - } - cloned := new(LocalScannerCertificateSet) - *cloned = *m - - cloned.ScannerCerts = m.ScannerCerts.Clone() - cloned.ScannerDbCerts = m.ScannerDbCerts.Clone() - return cloned -} - type LocalScannerCertsIssueError struct { Message string `protobuf:"bytes,1,opt,name=message,proto3" json:"message,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` @@ -192,7 +34,7 @@ func (m *LocalScannerCertsIssueError) Reset() { *m = LocalScannerCertsIs func (m *LocalScannerCertsIssueError) String() string { return proto.CompactTextString(m) } func (*LocalScannerCertsIssueError) ProtoMessage() {} func (*LocalScannerCertsIssueError) Descriptor() ([]byte, []int) { - return fileDescriptor_856923c76f63cf0a, []int{2} + return fileDescriptor_856923c76f63cf0a, []int{0} } func (m *LocalScannerCertsIssueError) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) 
@@ -251,7 +93,7 @@ func (m *IssueLocalScannerCertsRequest) Reset() { *m = IssueLocalScanner func (m *IssueLocalScannerCertsRequest) String() string { return proto.CompactTextString(m) } func (*IssueLocalScannerCertsRequest) ProtoMessage() {} func (*IssueLocalScannerCertsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_856923c76f63cf0a, []int{3} + return fileDescriptor_856923c76f63cf0a, []int{1} } func (m *IssueLocalScannerCertsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -307,7 +149,7 @@ func (m *IssueLocalScannerCertsResponse) Reset() { *m = IssueLocalScanne func (m *IssueLocalScannerCertsResponse) String() string { return proto.CompactTextString(m) } func (*IssueLocalScannerCertsResponse) ProtoMessage() {} func (*IssueLocalScannerCertsResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_856923c76f63cf0a, []int{4} + return fileDescriptor_856923c76f63cf0a, []int{2} } func (m *IssueLocalScannerCertsResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -344,7 +186,7 @@ type isIssueLocalScannerCertsResponse_Response interface { } type IssueLocalScannerCertsResponse_Certificates struct { - Certificates *LocalScannerCertificateSet `protobuf:"bytes,1,opt,name=certificates,proto3,oneof" json:"certificates,omitempty"` + Certificates *storage.TypedServiceCertificateSet `protobuf:"bytes,1,opt,name=certificates,proto3,oneof" json:"certificates,omitempty"` } type IssueLocalScannerCertsResponse_Error struct { Error *LocalScannerCertsIssueError `protobuf:"bytes,2,opt,name=error,proto3,oneof" json:"error,omitempty"` @@ -380,7 +222,7 @@ func (m *IssueLocalScannerCertsResponse) GetResponse() isIssueLocalScannerCertsR return nil } -func (m *IssueLocalScannerCertsResponse) GetCertificates() *LocalScannerCertificateSet { +func (m *IssueLocalScannerCertsResponse) GetCertificates() *storage.TypedServiceCertificateSet { if x, ok := m.GetResponse().(*IssueLocalScannerCertsResponse_Certificates); ok { return x.Certificates } 
@@ -419,8 +261,6 @@ func (m *IssueLocalScannerCertsResponse) Clone() *IssueLocalScannerCertsResponse } func init() { - proto.RegisterType((*LocalScannerCertificates)(nil), "central.LocalScannerCertificates") - proto.RegisterType((*LocalScannerCertificateSet)(nil), "central.LocalScannerCertificateSet") proto.RegisterType((*LocalScannerCertsIssueError)(nil), "central.LocalScannerCertsIssueError") proto.RegisterType((*IssueLocalScannerCertsRequest)(nil), "central.IssueLocalScannerCertsRequest") proto.RegisterType((*IssueLocalScannerCertsResponse)(nil), "central.IssueLocalScannerCertsResponse") 
@@ -431,129 +271,24 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 359 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x52, 0x4b, 0x4e, 0x32, 0x41, - 0x10, 0x66, 0xf8, 0x03, 0xc3, 0x5f, 0xa2, 0x31, 0x9d, 0x18, 0x01, 0xe3, 0xa8, 0xa3, 0x89, 0xae, - 0x20, 0xd1, 0x85, 0x1b, 0x57, 0xf8, 0x08, 0x44, 0x17, 0x64, 0xd8, 0xb9, 0x99, 0x34, 0x4d, 0x49, - 0x26, 0xcc, 0xcb, 0xae, 0xc6, 0x84, 0x9b, 0x78, 0x0d, 0x17, 0xde, 0xc1, 0xa5, 0x47, 0x30, 0x78, - 0x11, 0x33, 0x4d, 0x13, 0x51, 0x33, 0xd1, 0x65, 0xf7, 0xf7, 0xa8, 0xef, 0xab, 0x14, 0x1c, 0x06, - 0xb1, 0x42, 0x19, 0xf3, 0x90, 0xa7, 0x41, 0x4b, 0x60, 0xac, 0x24, 0x0f, 0x5b, 0x61, 0x22, 0x78, - 0xe8, 0x93, 0xe0, 0x71, 0x8c, 0xb2, 0x99, 0xca, 0x44, 0x25, 0xcc, 0x36, 0x60, 0xc3, 0x21, 0x95, - 0x48, 0x3e, 0xc2, 0x16, 0xa1, 0x7c, 0x08, 0x04, 0xfa, 0xc1, 0x10, 0x63, 0x15, 0xa8, 0xe9, 0x9c, - 0xe8, 0x22, 0xd4, 0x6e, 0x32, 0x7d, 0x7f, 0x2e, 0x3f, 0x47, 0xa9, 0x82, 0xbb, 0x40, 0x70, 0x85, - 0xc4, 0x36, 0xa0, 0x2c, 0xb8, 0x9f, 0x62, 0x54, 0xb3, 0x76, 0xad, 0xa3, 0xaa, 0x57, 0x12, 0xbc, - 0x87, 0x11, 0xab, 0x43, 0x45, 0xa0, 0x54, 0x1a, 0x28, 0x6a, 0xc0, 0xce, 0xde, 0x19, 0xb4, 0x09, - 0xf6, 0x18, 0xa7, 0x1a, 0xf9, 0xa7, 0x91, 0xf2, 0x18, 0xa7, 0x3d, 0x8c, 0xdc, 0x27, 0x0b, 0x1a, - 0x39, 0x73, 0xfa, 0xa8, 0xd8, 0x15, 0xac, 0x9a, 0xfc, 0x7e, 0x66, 0x45, 0x7a, 0xe0, 0xca, 0xf1, - 0x5e, 0xd3, 0xd4, 0x68, 0xe6, 0x65, 0xf4, 0xaa, 0xf4, 0xf9, 0x49, 0xec, 0x1a, 0xd6, 0x17, 0x3e, - 0xc3, 0x81, 0xb1, 0x2a, 0xfe, 0xd5, 0x6a, 0xcd, 0x48, 0x2f, 0x06, 0xda, 0xcc, 0x3d, 0x85, 0xad, - 0xef, 0x5c, 0xea, 0x12, 0x4d, 0xf0, 0x52, 0xca, 0x44, 0xb2, 0x1a, 0xd8, 0x11, 0x12, 0xf1, 0x11, - 0xea, 0xb4, 0xff, 0xbd, 0xc5, 0xd3, 0xdd, 0x81, 0x6d, 0xcd, 0xfb, 0xa1, 0xf6, 0xf0, 0x7e, 0x82, - 0xa4, 0xdc, 0x67, 0x0b, 0x9c, 0x3c, 0x06, 0xa5, 0x49, 0x4c, 0xc8, 0xba, 0x50, 0x15, 0x4b, 0xe1, - 0xcc, 0x42, 0xf6, 0x7f, 0x6b, 0xd1, 0x47, 0xd5, 0x29, 0x78, 0x5f, 0xa4, 0xec, 0x0c, 0x4a, 0x98, - 
0x25, 0x36, 0x9b, 0x38, 0xc8, 0xf5, 0x58, 0x6a, 0xd7, 0x29, 0x78, 0x73, 0x51, 0x1b, 0xa0, 0x22, - 0x4d, 0xa8, 0x76, 0xfd, 0x65, 0xe6, 0x58, 0xaf, 0x33, 0xc7, 0x7a, 0x9b, 0x39, 0xd6, 0xe3, 0xbb, - 0x53, 0xb8, 0x5d, 0xdc, 0xd9, 0xa0, 0xac, 0xcf, 0xe9, 0xe4, 0x23, 0x00, 0x00, 0xff, 0xff, 0x94, - 0x88, 0x70, 0x56, 0xa2, 0x02, 0x00, 0x00, -} - -func (m *LocalScannerCertificates) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *LocalScannerCertificates) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *LocalScannerCertificates) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.KeyPem) > 0 { - i -= len(m.KeyPem) - copy(dAtA[i:], m.KeyPem) - i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.KeyPem))) - i-- - dAtA[i] = 0x1a - } - if len(m.CertPem) > 0 { - i -= len(m.CertPem) - copy(dAtA[i:], m.CertPem) - i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.CertPem))) - i-- - dAtA[i] = 0x12 - } - if len(m.CaPem) > 0 { - i -= len(m.CaPem) - copy(dAtA[i:], m.CaPem) - i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.CaPem))) - i-- - dAtA[i] = 0xa - } - return len(dAtA) - i, nil -} - -func (m *LocalScannerCertificateSet) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *LocalScannerCertificateSet) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *LocalScannerCertificateSet) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if 
m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if m.ScannerDbCerts != nil { - { - size, err := m.ScannerDbCerts.MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintLocalScanner(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0x12 - } - if m.ScannerCerts != nil { - { - size, err := m.ScannerCerts.MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintLocalScanner(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0xa - } - return len(dAtA) - i, nil + // 270 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x90, 0xbf, 0x4a, 0x03, 0x41, + 0x10, 0xc6, 0x6f, 0x05, 0x8d, 0xae, 0x56, 0x57, 0x9d, 0x8a, 0xab, 0x9c, 0x82, 0x56, 0x7b, 0xa0, + 0x85, 0x8d, 0x55, 0x82, 0x90, 0x80, 0xd5, 0x9d, 0x95, 0x4d, 0x58, 0x37, 0x63, 0x58, 0x38, 0x77, + 0xcf, 0x99, 0x89, 0x90, 0x37, 0xf1, 0x45, 0x7c, 0x07, 0x4b, 0x1f, 0x41, 0xce, 0x17, 0x91, 0xdc, + 0x1f, 0x44, 0x44, 0xcb, 0x65, 0xbf, 0xdf, 0xcc, 0x6f, 0x3e, 0x79, 0xea, 0x3c, 0x03, 0x7a, 0x53, + 0x9a, 0xca, 0x65, 0x16, 0x3c, 0xa3, 0x29, 0xb3, 0x32, 0x58, 0x53, 0x4e, 0xc9, 0x1a, 0xef, 0x01, + 0x75, 0x85, 0x81, 0x43, 0x3c, 0xe8, 0x3e, 0xf7, 0x14, 0x71, 0x40, 0x33, 0x87, 0x8c, 0x00, 0x9f, + 0x9d, 0x85, 0xa9, 0x9b, 0x81, 0x67, 0xc7, 0xcb, 0x36, 0x98, 0x5e, 0xca, 0xfd, 0x9b, 0x15, 0x5f, + 0xb4, 0xf8, 0x08, 0x90, 0x69, 0x42, 0xb4, 0x80, 0x6b, 0xc4, 0x80, 0x71, 0x22, 0x07, 0x8f, 0x40, + 0x64, 0xe6, 0x90, 0x88, 0x23, 0x71, 0xb6, 0x95, 0xf7, 0xcf, 0xf4, 0x50, 0x1e, 0x34, 0xb9, 0x5f, + 0x74, 0x0e, 0x4f, 0x0b, 0x20, 0x4e, 0x5f, 0x85, 0x54, 0x7f, 0x25, 0xa8, 0x0a, 0x9e, 0x20, 0x9e, + 0xc8, 0x1d, 0x0b, 0xc8, 0xee, 0xc1, 0x59, 0xc3, 0x40, 0xcd, 0x8a, 0xed, 0xf3, 0x63, 0xdd, 0x39, + 0xeb, 0xdb, 0x65, 0x05, 0xb3, 0xa2, 0x15, 0x1f, 0x7d, 0x07, 0x0b, 0xe0, 0x71, 0x94, 0xff, 0x40, + 0xe3, 0x2b, 0xb9, 0x0e, 0x2b, 0xe3, 0x64, 0xad, 0x99, 0x71, 0xa2, 0xbb, 0x02, 0xf4, 
0x3f, 0xd7, + 0x8d, 0xa3, 0xbc, 0x85, 0x86, 0x52, 0x6e, 0x62, 0x27, 0x35, 0xdc, 0x7d, 0xab, 0x95, 0x78, 0xaf, + 0x95, 0xf8, 0xa8, 0x95, 0x78, 0xf9, 0x54, 0xd1, 0x5d, 0x5f, 0xe6, 0xfd, 0x46, 0xd3, 0xd9, 0xc5, + 0x57, 0x00, 0x00, 0x00, 0xff, 0xff, 0xb5, 0x7f, 0xfb, 0xc4, 0x87, 0x01, 0x00, 0x00, } func (m *LocalScannerCertsIssueError) Marshal() (dAtA []byte, err error) { @@ -706,50 +441,6 @@ func encodeVarintLocalScanner(dAtA []byte, offset int, v uint64) int { dAtA[offset] = uint8(v) return base } -func (m *LocalScannerCertificates) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - l = len(m.CaPem) - if l > 0 { - n += 1 + l + sovLocalScanner(uint64(l)) - } - l = len(m.CertPem) - if l > 0 { - n += 1 + l + sovLocalScanner(uint64(l)) - } - l = len(m.KeyPem) - if l > 0 { - n += 1 + l + sovLocalScanner(uint64(l)) - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - -func (m *LocalScannerCertificateSet) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - if m.ScannerCerts != nil { - l = m.ScannerCerts.Size() - n += 1 + l + sovLocalScanner(uint64(l)) - } - if m.ScannerDbCerts != nil { - l = m.ScannerDbCerts.Size() - n += 1 + l + sovLocalScanner(uint64(l)) - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - func (m *LocalScannerCertsIssueError) Size() (n int) { if m == nil { return 0 
@@ -824,282 +515,6 @@ func sovLocalScanner(x uint64) (n int) { func sozLocalScanner(x uint64) (n int) { return sovLocalScanner(uint64((x << 1) ^ uint64((int64(x) >> 63)))) } -func (m *LocalScannerCertificates) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: LocalScannerCertificates: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: LocalScannerCertificates: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field CaPem", wireType) - } - var byteLen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - byteLen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if byteLen < 0 { - return ErrInvalidLengthLocalScanner - } - postIndex := iNdEx + byteLen - if postIndex < 0 { - return ErrInvalidLengthLocalScanner - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.CaPem = append(m.CaPem[:0], dAtA[iNdEx:postIndex]...) 
- if m.CaPem == nil { - m.CaPem = []byte{} - } - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field CertPem", wireType) - } - var byteLen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - byteLen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if byteLen < 0 { - return ErrInvalidLengthLocalScanner - } - postIndex := iNdEx + byteLen - if postIndex < 0 { - return ErrInvalidLengthLocalScanner - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.CertPem = append(m.CertPem[:0], dAtA[iNdEx:postIndex]...) - if m.CertPem == nil { - m.CertPem = []byte{} - } - iNdEx = postIndex - case 3: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field KeyPem", wireType) - } - var byteLen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - byteLen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if byteLen < 0 { - return ErrInvalidLengthLocalScanner - } - postIndex := iNdEx + byteLen - if postIndex < 0 { - return ErrInvalidLengthLocalScanner - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.KeyPem = append(m.KeyPem[:0], dAtA[iNdEx:postIndex]...) - if m.KeyPem == nil { - m.KeyPem = []byte{} - } - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipLocalScanner(dAtA[iNdEx:]) - if err != nil { - return err - } - if (skippy < 0) || (iNdEx+skippy) < 0 { - return ErrInvalidLengthLocalScanner - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) 
- iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *LocalScannerCertificateSet) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: LocalScannerCertificateSet: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: LocalScannerCertificateSet: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ScannerCerts", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthLocalScanner - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthLocalScanner - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - if m.ScannerCerts == nil { - m.ScannerCerts = &LocalScannerCertificates{} - } - if err := m.ScannerCerts.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ScannerDbCerts", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowLocalScanner - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - 
return ErrInvalidLengthLocalScanner - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthLocalScanner - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - if m.ScannerDbCerts == nil { - m.ScannerDbCerts = &LocalScannerCertificates{} - } - if err := m.ScannerDbCerts.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipLocalScanner(dAtA[iNdEx:]) - if err != nil { - return err - } - if (skippy < 0) || (iNdEx+skippy) < 0 { - return ErrInvalidLengthLocalScanner - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} func (m *LocalScannerCertsIssueError) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 @@ -1292,7 +707,7 @@ func (m *IssueLocalScannerCertsResponse) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - v := &LocalScannerCertificateSet{} + v := &storage.TypedServiceCertificateSet{} if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { return err } diff --git a/generated/storage/service_identity.pb.go b/generated/storage/service_identity.pb.go index 48fdce7f4ce08..11ae6163c4f8e 100644 --- a/generated/storage/service_identity.pb.go +++ b/generated/storage/service_identity.pb.go 
@@ -225,41 +225,275 @@ func (m *ServiceIdentity) Clone() *ServiceIdentity { return cloned } +type ServiceCertificate struct { + CertPem []byte `protobuf:"bytes,1,opt,name=cert_pem,json=certPem,proto3" json:"cert_pem,omitempty"` + KeyPem []byte `protobuf:"bytes,2,opt,name=key_pem,json=keyPem,proto3" json:"key_pem,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *ServiceCertificate) Reset() { *m = ServiceCertificate{} } +func (m *ServiceCertificate) String() string { return proto.CompactTextString(m) } +func (*ServiceCertificate) ProtoMessage() {} +func (*ServiceCertificate) Descriptor() ([]byte, []int) { + return fileDescriptor_a988b93c2073ff63, []int{1} +} +func (m *ServiceCertificate) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *ServiceCertificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_ServiceCertificate.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *ServiceCertificate) XXX_Merge(src proto.Message) { + xxx_messageInfo_ServiceCertificate.Merge(m, src) +} +func (m *ServiceCertificate) XXX_Size() int { + return m.Size() +} +func (m *ServiceCertificate) XXX_DiscardUnknown() { + xxx_messageInfo_ServiceCertificate.DiscardUnknown(m) +} + +var xxx_messageInfo_ServiceCertificate proto.InternalMessageInfo + +func (m *ServiceCertificate) GetCertPem() []byte { + if m != nil { + return m.CertPem + } + return nil +} + +func (m *ServiceCertificate) GetKeyPem() []byte { + if m != nil { + return m.KeyPem + } + return nil +} + +func (m *ServiceCertificate) MessageClone() proto.Message { + return m.Clone() +} +func (m *ServiceCertificate) Clone() *ServiceCertificate { + if m == nil { + return nil + } + cloned := new(ServiceCertificate) + *cloned = *m + + if m.CertPem != nil { + 
cloned.CertPem = make([]byte, len(m.CertPem)) + copy(cloned.CertPem, m.CertPem) + } + if m.KeyPem != nil { + cloned.KeyPem = make([]byte, len(m.KeyPem)) + copy(cloned.KeyPem, m.KeyPem) + } + return cloned +} + +type TypedServiceCertificate struct { + ServiceType ServiceType `protobuf:"varint,1,opt,name=service_type,json=serviceType,proto3,enum=storage.ServiceType" json:"service_type,omitempty"` + Cert *ServiceCertificate `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *TypedServiceCertificate) Reset() { *m = TypedServiceCertificate{} } +func (m *TypedServiceCertificate) String() string { return proto.CompactTextString(m) } +func (*TypedServiceCertificate) ProtoMessage() {} +func (*TypedServiceCertificate) Descriptor() ([]byte, []int) { + return fileDescriptor_a988b93c2073ff63, []int{2} +} +func (m *TypedServiceCertificate) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *TypedServiceCertificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_TypedServiceCertificate.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *TypedServiceCertificate) XXX_Merge(src proto.Message) { + xxx_messageInfo_TypedServiceCertificate.Merge(m, src) +} +func (m *TypedServiceCertificate) XXX_Size() int { + return m.Size() +} +func (m *TypedServiceCertificate) XXX_DiscardUnknown() { + xxx_messageInfo_TypedServiceCertificate.DiscardUnknown(m) +} + +var xxx_messageInfo_TypedServiceCertificate proto.InternalMessageInfo + +func (m *TypedServiceCertificate) GetServiceType() ServiceType { + if m != nil { + return m.ServiceType + } + return ServiceType_UNKNOWN_SERVICE +} + +func (m *TypedServiceCertificate) GetCert() *ServiceCertificate { + if m != nil { + 
return m.Cert + } + return nil +} + +func (m *TypedServiceCertificate) MessageClone() proto.Message { + return m.Clone() +} +func (m *TypedServiceCertificate) Clone() *TypedServiceCertificate { + if m == nil { + return nil + } + cloned := new(TypedServiceCertificate) + *cloned = *m + + cloned.Cert = m.Cert.Clone() + return cloned +} + +type TypedServiceCertificateSet struct { + CaPem []byte `protobuf:"bytes,1,opt,name=ca_pem,json=caPem,proto3" json:"ca_pem,omitempty"` + ServiceCerts []*TypedServiceCertificate `protobuf:"bytes,2,rep,name=service_certs,json=serviceCerts,proto3" json:"service_certs,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *TypedServiceCertificateSet) Reset() { *m = TypedServiceCertificateSet{} } +func (m *TypedServiceCertificateSet) String() string { return proto.CompactTextString(m) } +func (*TypedServiceCertificateSet) ProtoMessage() {} +func (*TypedServiceCertificateSet) Descriptor() ([]byte, []int) { + return fileDescriptor_a988b93c2073ff63, []int{3} +} +func (m *TypedServiceCertificateSet) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *TypedServiceCertificateSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_TypedServiceCertificateSet.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *TypedServiceCertificateSet) XXX_Merge(src proto.Message) { + xxx_messageInfo_TypedServiceCertificateSet.Merge(m, src) +} +func (m *TypedServiceCertificateSet) XXX_Size() int { + return m.Size() +} +func (m *TypedServiceCertificateSet) XXX_DiscardUnknown() { + xxx_messageInfo_TypedServiceCertificateSet.DiscardUnknown(m) +} + +var xxx_messageInfo_TypedServiceCertificateSet proto.InternalMessageInfo + +func (m *TypedServiceCertificateSet) GetCaPem() []byte { + if m != nil { 
+ return m.CaPem + } + return nil +} + +func (m *TypedServiceCertificateSet) GetServiceCerts() []*TypedServiceCertificate { + if m != nil { + return m.ServiceCerts + } + return nil +} + +func (m *TypedServiceCertificateSet) MessageClone() proto.Message { + return m.Clone() +} +func (m *TypedServiceCertificateSet) Clone() *TypedServiceCertificateSet { + if m == nil { + return nil + } + cloned := new(TypedServiceCertificateSet) + *cloned = *m + + if m.CaPem != nil { + cloned.CaPem = make([]byte, len(m.CaPem)) + copy(cloned.CaPem, m.CaPem) + } + if m.ServiceCerts != nil { + cloned.ServiceCerts = make([]*TypedServiceCertificate, len(m.ServiceCerts)) + for idx, v := range m.ServiceCerts { + cloned.ServiceCerts[idx] = v.Clone() + } + } + return cloned +} + func init() { proto.RegisterEnum("storage.ServiceType", ServiceType_name, ServiceType_value) proto.RegisterType((*ServiceIdentity)(nil), "storage.ServiceIdentity") + proto.RegisterType((*ServiceCertificate)(nil), "storage.ServiceCertificate") + proto.RegisterType((*TypedServiceCertificate)(nil), "storage.TypedServiceCertificate") + proto.RegisterType((*TypedServiceCertificateSet)(nil), "storage.TypedServiceCertificateSet") } func init() { proto.RegisterFile("storage/service_identity.proto", fileDescriptor_a988b93c2073ff63) } var fileDescriptor_a988b93c2073ff63 = []byte{ - // 402 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x5c, 0x92, 0xdf, 0x8a, 0xd3, 0x40, - 0x14, 0xc6, 0x3b, 0xe9, 0x9f, 0xb5, 0x67, 0xa5, 0xab, 0xa3, 0x2b, 0x29, 0x68, 0x2c, 0xe2, 0x45, - 0xf1, 0xa2, 0x82, 0xfa, 0x02, 0xcd, 0xec, 0x60, 0x87, 0x4d, 0x66, 0x60, 0x26, 0xab, 0xe0, 0x4d, - 0xe8, 0x6e, 0x82, 0x0c, 0x96, 0xa6, 0x4c, 0x46, 0xb1, 0x6f, 0xe2, 0x53, 0x78, 0xeb, 0x2b, 0x78, - 0xe9, 0x23, 0x48, 0x7d, 0x11, 0x99, 0x24, 0xcd, 0x86, 0xbd, 0x0b, 0xbf, 0xdf, 0x97, 0xf3, 0x9d, - 0x90, 0x03, 0x41, 0x69, 0x0b, 0xb3, 0xfe, 0x9c, 0xbf, 0x2e, 0x73, 0xf3, 0x4d, 0xdf, 0xe4, 0xa9, - 0xce, 0xf2, 0xad, 0xd5, 
0x76, 0xbf, 0xd8, 0x99, 0xc2, 0x16, 0xf8, 0xa4, 0xf1, 0x2f, 0x7e, 0x21, - 0x38, 0x53, 0x75, 0x86, 0x35, 0x11, 0xfc, 0x14, 0x46, 0x65, 0x6e, 0xf4, 0x7a, 0xe3, 0xa3, 0x19, - 0x9a, 0xf7, 0x43, 0xcf, 0x47, 0xab, 0x9e, 0x6c, 0x18, 0x7e, 0x0e, 0x50, 0x3f, 0xa5, 0xa5, 0x35, - 0xfe, 0x60, 0x86, 0xe6, 0xe3, 0x55, 0x4f, 0x8e, 0x6b, 0xa6, 0xac, 0xc1, 0x13, 0xf0, 0x74, 0xe6, - 0x7b, 0x4e, 0x48, 0x4f, 0x67, 0x78, 0x0e, 0x03, 0xbb, 0xdf, 0xe5, 0x7e, 0x7f, 0x86, 0xe6, 0x93, - 0x37, 0x8f, 0x17, 0x4d, 0xf5, 0xa2, 0xa9, 0x4d, 0xf6, 0xbb, 0x5c, 0x56, 0x09, 0xfc, 0x12, 0x26, - 0x7a, 0xab, 0x6d, 0x7a, 0xfd, 0x75, 0x9b, 0x6d, 0xdc, 0xce, 0xfe, 0xb0, 0x9a, 0x72, 0xdf, 0xd1, - 0xb0, 0x82, 0x2c, 0x0b, 0x87, 0xd0, 0x2f, 0xcd, 0xe6, 0xd5, 0x4f, 0x0f, 0x4e, 0x3b, 0x23, 0xf0, - 0x23, 0x38, 0xbb, 0xe2, 0x97, 0x5c, 0x7c, 0xe4, 0xa9, 0xa2, 0xf2, 0x03, 0x23, 0xf4, 0x41, 0x0f, - 0x63, 0x98, 0x28, 0xca, 0x95, 0x90, 0x2d, 0x43, 0x2e, 0x48, 0x28, 0x4f, 0xe4, 0x32, 0x6a, 0xa1, - 0xe7, 0x82, 0x92, 0xc6, 0x22, 0xa1, 0x2d, 0xeb, 0xe3, 0x73, 0x78, 0x48, 0x44, 0x14, 0x51, 0x92, - 0x74, 0xde, 0x1f, 0xe0, 0x29, 0x9c, 0xc7, 0x82, 0xb3, 0x44, 0x48, 0xc6, 0xdf, 0xa7, 0x57, 0xac, - 0x55, 0xc3, 0x3b, 0xea, 0x22, 0x6c, 0xd5, 0x08, 0x3f, 0x83, 0x69, 0x47, 0x91, 0x88, 0x51, 0x9e, - 0xb4, 0xfa, 0xc4, 0x75, 0x85, 0x94, 0x93, 0x55, 0xbc, 0x94, 0x97, 0x2d, 0xbe, 0xe7, 0x76, 0x55, - 0x64, 0xc9, 0x39, 0xbd, 0x5d, 0x60, 0x8c, 0x9f, 0x00, 0x3e, 0xc2, 0x4e, 0x05, 0xb8, 0x8a, 0xe5, - 0x45, 0xcc, 0x94, 0x62, 0x82, 0xa7, 0x44, 0xf0, 0x44, 0x8a, 0xdb, 0x4f, 0x3c, 0x0d, 0xdf, 0xfd, - 0x3e, 0x04, 0xe8, 0xcf, 0x21, 0x40, 0x7f, 0x0f, 0x01, 0xfa, 0xf1, 0x2f, 0xe8, 0xc1, 0x54, 0x17, - 0x8b, 0xd2, 0xae, 0x6f, 0xbe, 0x98, 0xe2, 0x7b, 0x7d, 0x18, 0xc7, 0x9f, 0xf3, 0xe9, 0x78, 0x20, - 0xd7, 0xa3, 0x8a, 0xbf, 0xfd, 0x1f, 0x00, 0x00, 0xff, 0xff, 0xf0, 0xd4, 0xa1, 0x53, 0x52, 0x02, - 0x00, 0x00, + // 535 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x93, 0xcb, 0x6e, 0xd3, 0x4e, + 
0x18, 0xc5, 0x33, 0xce, 0xad, 0xfd, 0x92, 0x7f, 0xfa, 0x67, 0x20, 0xd4, 0xe1, 0x12, 0xa2, 0x88, + 0x45, 0xc4, 0x22, 0x95, 0x02, 0x12, 0xeb, 0xd8, 0x1d, 0x11, 0xab, 0xc9, 0xb8, 0x1a, 0xbb, 0x20, + 0xb1, 0xb1, 0x5c, 0x7b, 0x40, 0xa3, 0x5c, 0x65, 0x0f, 0x88, 0xb0, 0xe5, 0x25, 0x78, 0x0a, 0xb6, + 0xbc, 0x02, 0x4b, 0x1e, 0x01, 0x85, 0x17, 0x41, 0xe3, 0xd8, 0x8e, 0x55, 0x51, 0x76, 0x99, 0xdf, + 0xf9, 0xe6, 0x3b, 0xe7, 0xc4, 0x1a, 0xe8, 0xc6, 0x72, 0x1d, 0xf9, 0xef, 0xf9, 0x59, 0xcc, 0xa3, + 0x8f, 0x22, 0xe0, 0x9e, 0x08, 0xf9, 0x4a, 0x0a, 0xb9, 0x1d, 0x6e, 0xa2, 0xb5, 0x5c, 0xe3, 0x7a, + 0xaa, 0xf7, 0xbf, 0x23, 0x38, 0x71, 0xf6, 0x33, 0x56, 0x3a, 0x82, 0x1f, 0x41, 0x2d, 0xe6, 0x91, + 0xf0, 0x17, 0x3a, 0xea, 0xa1, 0x41, 0xd9, 0xd0, 0x74, 0x34, 0x29, 0xb1, 0x94, 0xe1, 0x27, 0x00, + 0xfb, 0x5f, 0x5e, 0x2c, 0x23, 0xbd, 0xd2, 0x43, 0x83, 0xe3, 0x49, 0x89, 0x1d, 0xef, 0x99, 0x23, + 0x23, 0xdc, 0x02, 0x4d, 0x84, 0xba, 0xa6, 0x04, 0xa6, 0x89, 0x10, 0x0f, 0xa0, 0x22, 0xb7, 0x1b, + 0xae, 0x97, 0x7b, 0x68, 0xd0, 0x1a, 0xdd, 0x1b, 0xa6, 0xd6, 0xc3, 0xd4, 0xd6, 0xdd, 0x6e, 0x38, + 0x4b, 0x26, 0xf0, 0x53, 0x68, 0x89, 0x95, 0x90, 0xde, 0xf5, 0x87, 0x55, 0xb8, 0x50, 0x99, 0xf5, + 0x6a, 0xb2, 0xa5, 0xa9, 0xa8, 0x91, 0x40, 0x2b, 0x34, 0xaa, 0x50, 0x8e, 0xa3, 0x45, 0x7f, 0x02, + 0x38, 0xdd, 0x60, 0xf2, 0x48, 0x8a, 0x77, 0x22, 0xf0, 0x25, 0xc7, 0x1d, 0x38, 0x0a, 0x78, 0x24, + 0xbd, 0x0d, 0x5f, 0x26, 0xe9, 0x9b, 0xac, 0xae, 0xce, 0x97, 0x7c, 0x89, 0x4f, 0xa1, 0x3e, 0xe7, + 0xdb, 0x44, 0xd1, 0x12, 0xa5, 0x36, 0xe7, 0xdb, 0x4b, 0xbe, 0xec, 0x7f, 0x41, 0x70, 0xaa, 0x52, + 0x84, 0x7f, 0xd9, 0xf7, 0x12, 0x9a, 0xd9, 0x5f, 0x98, 0x94, 0x40, 0xff, 0x28, 0xd1, 0x88, 0x0f, + 0x07, 0x7c, 0x06, 0x15, 0x65, 0x9c, 0x58, 0x35, 0x46, 0x0f, 0x6f, 0x5e, 0x28, 0x78, 0xb0, 0x64, + 0xb0, 0xff, 0x19, 0x1e, 0xdc, 0x12, 0xc2, 0xe1, 0x12, 0xb7, 0xa1, 0x16, 0xf8, 0x85, 0x56, 0xd5, + 0xc0, 0x57, 0x9d, 0x08, 0xfc, 0x97, 0xc5, 0x53, 0x4b, 0x62, 0x5d, 0xeb, 0x95, 0x07, 0x8d, 0x51, + 0x2f, 0xb7, 0xbb, 0x65, 0x25, 0xcb, 
0x5a, 0x29, 0x16, 0x3f, 0xfb, 0xa6, 0x41, 0xa3, 0xd0, 0x04, + 0xdf, 0x85, 0x93, 0x2b, 0x7a, 0x41, 0xed, 0x37, 0xd4, 0x73, 0x08, 0x7b, 0x6d, 0x99, 0xe4, 0xff, + 0x12, 0xc6, 0xd0, 0x72, 0x08, 0x75, 0x6c, 0x96, 0x33, 0xa4, 0x06, 0x4d, 0x42, 0x5d, 0x36, 0x9e, + 0xe6, 0x50, 0x53, 0x83, 0x8c, 0xcc, 0x6c, 0x97, 0xe4, 0xac, 0x8c, 0xdb, 0x70, 0xc7, 0xb4, 0xa7, + 0x53, 0x62, 0xba, 0x85, 0xfb, 0x15, 0xdc, 0x81, 0xf6, 0xcc, 0xa6, 0x96, 0x6b, 0x33, 0x8b, 0xbe, + 0xf2, 0xae, 0xac, 0x5c, 0xaa, 0xde, 0x90, 0xce, 0x8d, 0x5c, 0xaa, 0xe1, 0xc7, 0xd0, 0x29, 0x48, + 0xe6, 0xd4, 0x22, 0xd4, 0xcd, 0xe5, 0xba, 0xf2, 0x32, 0x08, 0x35, 0x27, 0xb3, 0x31, 0xbb, 0xc8, + 0xf1, 0x91, 0xca, 0xea, 0x98, 0x63, 0x4a, 0xc9, 0x21, 0xc0, 0x31, 0xbe, 0x0f, 0x38, 0x83, 0x05, + 0x0b, 0x50, 0x16, 0xe3, 0xf3, 0x99, 0xe5, 0x38, 0x96, 0x4d, 0x3d, 0xd3, 0xa6, 0x2e, 0xb3, 0x0f, + 0x15, 0x1b, 0xc6, 0x8b, 0x1f, 0xbb, 0x2e, 0xfa, 0xb9, 0xeb, 0xa2, 0x5f, 0xbb, 0x2e, 0xfa, 0xfa, + 0xbb, 0x5b, 0x82, 0x8e, 0x58, 0x0f, 0x63, 0xe9, 0x07, 0xf3, 0x68, 0xfd, 0x69, 0xff, 0xc8, 0xb2, + 0x6f, 0xf0, 0x36, 0x7b, 0x6c, 0xd7, 0xb5, 0x84, 0x3f, 0xff, 0x13, 0x00, 0x00, 0xff, 0xff, 0x44, + 0xd1, 0x58, 0x4a, 0x9e, 0x03, 0x00, 0x00, } func (m *ServiceIdentity) Marshal() (dAtA []byte, err error) { 
@@ -343,6 +577,139 @@ func (m *ServiceIdentity_SerialStr) MarshalToSizedBuffer(dAtA []byte) (int, erro dAtA[i] = 0x22 return len(dAtA) - i, nil } +func (m *ServiceCertificate) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *ServiceCertificate) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *ServiceCertificate) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.KeyPem) > 0 { + i -= len(m.KeyPem) + copy(dAtA[i:], m.KeyPem) + i = encodeVarintServiceIdentity(dAtA, i, uint64(len(m.KeyPem))) + i-- + dAtA[i] = 0x12 + } + if len(m.CertPem) > 0 { + i -= len(m.CertPem) + copy(dAtA[i:], m.CertPem) + i = encodeVarintServiceIdentity(dAtA, i, uint64(len(m.CertPem))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + +func (m *TypedServiceCertificate) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *TypedServiceCertificate) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *TypedServiceCertificate) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if m.Cert != nil { + { + size, err := m.Cert.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintServiceIdentity(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + if m.ServiceType != 0 { + i = 
encodeVarintServiceIdentity(dAtA, i, uint64(m.ServiceType)) + i-- + dAtA[i] = 0x8 + } + return len(dAtA) - i, nil +} + +func (m *TypedServiceCertificateSet) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *TypedServiceCertificateSet) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *TypedServiceCertificateSet) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.ServiceCerts) > 0 { + for iNdEx := len(m.ServiceCerts) - 1; iNdEx >= 0; iNdEx-- { + { + size, err := m.ServiceCerts[iNdEx].MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintServiceIdentity(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + } + if len(m.CaPem) > 0 { + i -= len(m.CaPem) + copy(dAtA[i:], m.CaPem) + i = encodeVarintServiceIdentity(dAtA, i, uint64(len(m.CaPem))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + func encodeVarintServiceIdentity(dAtA []byte, offset int, v uint64) int { offset -= sovServiceIdentity(v) base := offset 
@@ -399,14 +766,74 @@ func (m *ServiceIdentity_SerialStr) Size() (n int) { n += 1 + l + sovServiceIdentity(uint64(l)) return n } - -func sovServiceIdentity(x uint64) (n int) { - return (math_bits.Len64(x|1) + 6) / 7 +func (m *ServiceCertificate) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.CertPem) + if l > 0 { + n += 1 + l + sovServiceIdentity(uint64(l)) + } + l = len(m.KeyPem) + if l > 0 { + n += 1 + l + sovServiceIdentity(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n } -func sozServiceIdentity(x uint64) (n int) { - return sovServiceIdentity(uint64((x << 1) ^ uint64((int64(x) >> 63)))) + +func (m *TypedServiceCertificate) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + if m.ServiceType != 0 { + n += 1 + sovServiceIdentity(uint64(m.ServiceType)) + } + if m.Cert != nil { + l = m.Cert.Size() + n += 1 + l + sovServiceIdentity(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n } -func (m *ServiceIdentity) Unmarshal(dAtA []byte) error { + +func (m *TypedServiceCertificateSet) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.CaPem) + if l > 0 { + n += 1 + l + sovServiceIdentity(uint64(l)) + } + if len(m.ServiceCerts) > 0 { + for _, e := range m.ServiceCerts { + l = e.Size() + n += 1 + l + sovServiceIdentity(uint64(l)) + } + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + +func sovServiceIdentity(x uint64) (n int) { + return (math_bits.Len64(x|1) + 6) / 7 +} +func sozServiceIdentity(x uint64) (n int) { + return sovServiceIdentity(uint64((x << 1) ^ uint64((int64(x) >> 63)))) +} +func (m *ServiceIdentity) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 for iNdEx < l { 
@@ -592,6 +1019,350 @@ func (m *ServiceIdentity) Unmarshal(dAtA []byte) error { } return nil } +func (m *ServiceCertificate) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: ServiceCertificate: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: ServiceCertificate: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field CertPem", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.CertPem = append(m.CertPem[:0], dAtA[iNdEx:postIndex]...) 
+ if m.CertPem == nil { + m.CertPem = []byte{} + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field KeyPem", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.KeyPem = append(m.KeyPem[:0], dAtA[iNdEx:postIndex]...) + if m.KeyPem == nil { + m.KeyPem = []byte{} + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipServiceIdentity(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthServiceIdentity + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) 
+ iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *TypedServiceCertificate) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: TypedServiceCertificate: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: TypedServiceCertificate: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field ServiceType", wireType) + } + m.ServiceType = 0 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + m.ServiceType |= ServiceType(b&0x7F) << shift + if b < 0x80 { + break + } + } + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Cert", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Cert == nil { + m.Cert = &ServiceCertificate{} + } + if err := m.Cert.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, 
err := skipServiceIdentity(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthServiceIdentity + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *TypedServiceCertificateSet) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: TypedServiceCertificateSet: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: TypedServiceCertificateSet: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field CaPem", wireType) + } + var byteLen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + byteLen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if byteLen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + byteLen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.CaPem = append(m.CaPem[:0], dAtA[iNdEx:postIndex]...) 
+ if m.CaPem == nil { + m.CaPem = []byte{} + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ServiceCerts", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowServiceIdentity + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthServiceIdentity + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthServiceIdentity + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ServiceCerts = append(m.ServiceCerts, &TypedServiceCertificate{}) + if err := m.ServiceCerts[len(m.ServiceCerts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipServiceIdentity(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthServiceIdentity + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func skipServiceIdentity(dAtA []byte) (n int, err error) { l := len(dAtA) iNdEx := 0 diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index b121e3a233def..79af1ba87a5e2 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto 
@@ -6,17 +6,6 @@ import "storage/service_identity.proto"; package central; -message LocalScannerCertificates { - bytes ca_pem = 1; - bytes cert_pem = 2; - bytes key_pem = 3; -} - -message LocalScannerCertificateSet { - LocalScannerCertificates scanner_certs = 1; - LocalScannerCertificates scanner_db_certs = 2; -} - message LocalScannerCertsIssueError { string message = 1; } @@ -25,8 +14,7 @@ message IssueLocalScannerCertsRequest {} message IssueLocalScannerCertsResponse { oneof response { - LocalScannerCertificateSet certificates = 1; + storage.TypedServiceCertificateSet certificates = 1; LocalScannerCertsIssueError error = 2; } } - diff --git a/proto/storage/service_identity.proto b/proto/storage/service_identity.proto index 9ca023fd37c20..ef9d60ea242c9 100644 --- a/proto/storage/service_identity.proto +++ b/proto/storage/service_identity.proto @@ -29,3 +29,18 @@ enum ServiceType { SCANNER_DB_SERVICE = 10; ADMISSION_CONTROL_SERVICE = 11; } + +message ServiceCertificate { + bytes cert_pem = 1; + bytes key_pem = 2; +} + +message TypedServiceCertificate { + ServiceType service_type = 1; + ServiceCertificate cert = 2; +} + +message TypedServiceCertificateSet { + bytes ca_pem = 1; + repeated TypedServiceCertificate service_certs = 2; +} From 40a6fa0ce74e357ec6b99d2f8156f972f2231b51 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 12:44:46 +0100 Subject: [PATCH 27/45] Add request id for pairing responses with their requests --- .../service/connection/connection_impl.go | 31 ++-- .../service/connection/connection_test.go | 20 ++- .../internalapi/central/local_scanner.pb.go | 150 +++++++++++++++--- proto/internalapi/central/local_scanner.proto | 9 +- 4 files changed, 168 insertions(+), 42 deletions(-) diff --git a/central/sensor/service/connection/connection_impl.go b/central/sensor/service/connection/connection_impl.go index faad823567600..0bc2cb29c5716 100644 --- a/central/sensor/service/connection/connection_impl.go 
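Review bot: `ServiceCertificate.key_pem` in the new service_identity.proto hunk carries a PEM private key, but nothing on the message marks it as secret, and it now lives in the `storage` package next to types that are (presumably) persisted. Document the sensitivity on the field so callers do not `%v`-log or store it: `// key_pem is the PEM-encoded private key for cert_pem. Secret: never log this message and never persist it outside the Secret it is delivered to.` If `storage` protos are written to the database by convention in this repo, confirm `TypedServiceCertificateSet` is only ever used on the wire; its only visible use is inside `IssueLocalScannerCertsResponse`.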
+++ b/central/sensor/service/connection/connection_impl.go @@ -218,7 +218,7 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr case *central.MsgFromSensor_TelemetryDataResponse: return c.telemetryCtrl.ProcessTelemetryDataResponse(m.TelemetryDataResponse) case *central.MsgFromSensor_IssueLocalScannerCertsRequest: - return c.processIssueLocalScannerCertsRequest(ctx) + return c.processIssueLocalScannerCertsRequest(ctx, m.IssueLocalScannerCertsRequest) case *central.MsgFromSensor_Event: // Special case the reprocess deployment because its fields are already set if msg.GetEvent().GetReprocessDeployment() != nil { 
@@ -238,18 +238,31 @@ func (c *sensorConnection) handleMessage(ctx context.Context, msg *central.MsgFr return c.eventPipeline.Run(ctx, msg, c) } -func (c *sensorConnection) processIssueLocalScannerCertsRequest(ctx context.Context) error { +func (c *sensorConnection) processIssueLocalScannerCertsRequest(ctx context.Context, request *central.IssueLocalScannerCertsRequest) error { + requestID := request.GetRequestId() + clusterID := c.clusterID namespace := c.sensorHello.GetDeploymentIdentification().GetAppNamespace() - certificates, err := localscanner.IssueLocalScannerCerts(namespace, c.clusterID) - errMsg := fmt.Sprintf("issuing local Scanner certificates for cluster with ID %s and namespace %q", - c.clusterID, namespace) - response := ¢ral.IssueLocalScannerCertsResponse{ - Response: ¢ral.IssueLocalScannerCertsResponse_Certificates{ - Certificates: certificates, - }, + errMsg := fmt.Sprintf("issuing local Scanner certificates for request ID %q, cluster ID %q and namespace %q", + requestID, clusterID, namespace) + var ( + err error + response *central.IssueLocalScannerCertsResponse + ) + if requestID == "" { + err = errors.New("requestID is required to issue the certificates for the local scanner") + } else { + certificates, issueErr := localscanner.IssueLocalScannerCerts(namespace, clusterID) + err = issueErr + response = ¢ral.IssueLocalScannerCertsResponse{ + RequestId: requestID, + Response: ¢ral.IssueLocalScannerCertsResponse_Certificates{ + Certificates: certificates, + }, + } } if err != nil { response = ¢ral.IssueLocalScannerCertsResponse{ + RequestId: requestID, Response: ¢ral.IssueLocalScannerCertsResponse_Error{ Error: ¢ral.LocalScannerCertsIssueError{ Message: fmt.Sprintf("%s: %s", errMsg, err.Error()), diff --git a/central/sensor/service/connection/connection_test.go b/central/sensor/service/connection/connection_test.go index 1db1d0b816419..c1b2a12554bea 100644 --- a/central/sensor/service/connection/connection_test.go 
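Review bot: In `processIssueLocalScannerCertsRequest` the success response is built unconditionally in the `else` branch and then overwritten when `issueErr != nil`, which obscures the one property that matters here: the identity inputs (`clusterID` from `c.clusterID`, `namespace` from `c.sensorHello`) come from the authenticated connection, and the only request-supplied value, `request_id`, is an opaque token that is merely echoed back. Say that explicitly so a later change does not start reading namespace or cluster ID from the request: `// Identity inputs come from the authenticated connection, never from the request; request_id is an opaque correlation token that is only echoed back to Sensor.` Then build `response := &central.IssueLocalScannerCertsResponse{RequestId: requestID}` once and set `response.Response` to either the certificates or the error, so the error path no longer relies on overwriting a half-built success response. The missing-requestID error is sent back with an empty `RequestId`, which Sensor cannot pair; that is acceptable only if Sensor logs unpaired responses, and deserves a sentence in the comment. The function's tail, where `response` is sent, is outside this hunk.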
+++ b/central/sensor/service/connection/connection_test.go @@ -127,15 +127,17 @@ func (s *testSuite) TestIssueLocalScannerCerts() { if !features.LocalImageScanning.Enabled() { s.T().Skip() } - namespace, clusterID := "namespace", "clusterID" + namespace, clusterID, requestID := "namespace", "clusterID", "requestID" testCases := map[string]struct { + requestID string namespace string clusterID string shouldFail bool }{ - "no parameter missing": {namespace: namespace, clusterID: clusterID, shouldFail: false}, - "namespace missing": {namespace: "", clusterID: clusterID, shouldFail: true}, - "clusterID missing": {namespace: namespace, clusterID: "", shouldFail: true}, + "no parameter missing": {requestID: requestID, namespace: namespace, clusterID: clusterID, shouldFail: false}, + "requestID missing": {requestID: "", namespace: namespace, clusterID: clusterID, shouldFail: true}, + "namespace missing": {requestID: requestID, namespace: "", clusterID: clusterID, shouldFail: true}, + "clusterID missing": {requestID: requestID, namespace: namespace, clusterID: "", shouldFail: true}, } for tcName, tc := range testCases { s.Run(tcName, func() { @@ -155,7 +157,9 @@ func (s *testSuite) TestIssueLocalScannerCerts() { defer cancel() request := ¢ral.MsgFromSensor{ Msg: ¢ral.MsgFromSensor_IssueLocalScannerCertsRequest{ - IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{}, + IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{ + RequestId: tc.requestID, + }, }, } 
@@ -166,10 +170,12 @@ func (s *testSuite) TestIssueLocalScannerCerts() { select { case msgToSensor := <-sendC: + response := msgToSensor.GetIssueLocalScannerCertsResponse() + s.Equal(tc.requestID, response.GetRequestId()) if tc.shouldFail { - s.NotNil(msgToSensor.GetIssueLocalScannerCertsResponse().GetError()) + s.NotNil(response.GetError()) } else { - s.NotNil(msgToSensor.GetIssueLocalScannerCertsResponse().GetCertificates()) + s.NotNil(response.GetCertificates()) } case <-ctx.Done(): s.Fail(ctx.Err().Error()) diff --git a/generated/internalapi/central/local_scanner.pb.go b/generated/internalapi/central/local_scanner.pb.go index d4a6b0fa567ab..d9ee4a3695c03 100644 --- a/generated/internalapi/central/local_scanner.pb.go +++ b/generated/internalapi/central/local_scanner.pb.go @@ -84,6 +84,7 @@ func (m *LocalScannerCertsIssueError) Clone() *LocalScannerCertsIssueError { } type IssueLocalScannerCertsRequest struct { + RequestId string `protobuf:"bytes,1,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -122,6 +123,13 @@ func (m *IssueLocalScannerCertsRequest) XXX_DiscardUnknown() { var xxx_messageInfo_IssueLocalScannerCertsRequest proto.InternalMessageInfo +func (m *IssueLocalScannerCertsRequest) GetRequestId() string { + if m != nil { + return m.RequestId + } + return "" +} + func (m *IssueLocalScannerCertsRequest) MessageClone() proto.Message { return m.Clone() } @@ -136,6 +144,7 @@ func (m *IssueLocalScannerCertsRequest) Clone() *IssueLocalScannerCertsRequest { } type IssueLocalScannerCertsResponse struct { + RequestId string `protobuf:"bytes,1,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"` // Types that are valid to be assigned to Response: // *IssueLocalScannerCertsResponse_Certificates // *IssueLocalScannerCertsResponse_Error 
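Review bot: The three failure cases in `TestIssueLocalScannerCerts` all collapse into `s.NotNil(response.GetError())`, so the new "requestID missing" case would still pass if a different validation (namespace or cluster ID) fired first. Pin the cause by also checking the message for that case, e.g. `s.Contains(response.GetError().GetMessage(), "requestID is required")`, and do the equivalent for the other two. How `tc.namespace` and `tc.clusterID` reach the connection is outside this hunk, so I cannot confirm what the other failure cases actually exercise.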
@@ -186,10 +195,10 @@ type isIssueLocalScannerCertsResponse_Response interface { } type IssueLocalScannerCertsResponse_Certificates struct { - Certificates *storage.TypedServiceCertificateSet `protobuf:"bytes,1,opt,name=certificates,proto3,oneof" json:"certificates,omitempty"` + Certificates *storage.TypedServiceCertificateSet `protobuf:"bytes,2,opt,name=certificates,proto3,oneof" json:"certificates,omitempty"` } type IssueLocalScannerCertsResponse_Error struct { - Error *LocalScannerCertsIssueError `protobuf:"bytes,2,opt,name=error,proto3,oneof" json:"error,omitempty"` + Error *LocalScannerCertsIssueError `protobuf:"bytes,3,opt,name=error,proto3,oneof" json:"error,omitempty"` } func (*IssueLocalScannerCertsResponse_Certificates) isIssueLocalScannerCertsResponse_Response() {} @@ -222,6 +231,13 @@ func (m *IssueLocalScannerCertsResponse) GetResponse() isIssueLocalScannerCertsR return nil } +func (m *IssueLocalScannerCertsResponse) GetRequestId() string { + if m != nil { + return m.RequestId + } + return "" +} + func (m *IssueLocalScannerCertsResponse) GetCertificates() *storage.TypedServiceCertificateSet { if x, ok := m.GetResponse().(*IssueLocalScannerCertsResponse_Certificates); ok { return x.Certificates 
@@ -271,24 +287,26 @@ func init() { } var fileDescriptor_856923c76f63cf0a = []byte{ - // 270 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x90, 0xbf, 0x4a, 0x03, 0x41, - 0x10, 0xc6, 0x6f, 0x05, 0x8d, 0xae, 0x56, 0x57, 0x9d, 0x8a, 0xab, 0x9c, 0x82, 0x56, 0x7b, 0xa0, - 0x85, 0x8d, 0x55, 0x82, 0x90, 0x80, 0xd5, 0x9d, 0x95, 0x4d, 0x58, 0x37, 0x63, 0x58, 0x38, 0x77, - 0xcf, 0x99, 0x89, 0x90, 0x37, 0xf1, 0x45, 0x7c, 0x07, 0x4b, 0x1f, 0x41, 0xce, 0x17, 0x91, 0xdc, - 0x1f, 0x44, 0x44, 0xcb, 0x65, 0xbf, 0xdf, 0xcc, 0x6f, 0x3e, 0x79, 0xea, 0x3c, 0x03, 0x7a, 0x53, - 0x9a, 0xca, 0x65, 0x16, 0x3c, 0xa3, 0x29, 0xb3, 0x32, 0x58, 0x53, 0x4e, 0xc9, 0x1a, 0xef, 0x01, - 0x75, 0x85, 0x81, 0x43, 0x3c, 0xe8, 0x3e, 0xf7, 0x14, 0x71, 0x40, 0x33, 0x87, 0x8c, 0x00, 0x9f, - 0x9d, 0x85, 0xa9, 0x9b, 0x81, 0x67, 0xc7, 0xcb, 0x36, 0x98, 0x5e, 0xca, 0xfd, 0x9b, 0x15, 0x5f, - 0xb4, 0xf8, 0x08, 0x90, 0x69, 0x42, 0xb4, 0x80, 0x6b, 0xc4, 0x80, 0x71, 0x22, 0x07, 0x8f, 0x40, - 0x64, 0xe6, 0x90, 0x88, 0x23, 0x71, 0xb6, 0x95, 0xf7, 0xcf, 0xf4, 0x50, 0x1e, 0x34, 0xb9, 0x5f, - 0x74, 0x0e, 0x4f, 0x0b, 0x20, 0x4e, 0x5f, 0x85, 0x54, 0x7f, 0x25, 0xa8, 0x0a, 0x9e, 0x20, 0x9e, - 0xc8, 0x1d, 0x0b, 0xc8, 0xee, 0xc1, 0x59, 0xc3, 0x40, 0xcd, 0x8a, 0xed, 0xf3, 0x63, 0xdd, 0x39, - 0xeb, 0xdb, 0x65, 0x05, 0xb3, 0xa2, 0x15, 0x1f, 0x7d, 0x07, 0x0b, 0xe0, 0x71, 0x94, 0xff, 0x40, - 0xe3, 0x2b, 0xb9, 0x0e, 0x2b, 0xe3, 0x64, 0xad, 0x99, 0x71, 0xa2, 0xbb, 0x02, 0xf4, 0x3f, 0xd7, - 0x8d, 0xa3, 0xbc, 0x85, 0x86, 0x52, 0x6e, 0x62, 0x27, 0x35, 0xdc, 0x7d, 0xab, 0x95, 0x78, 0xaf, - 0x95, 0xf8, 0xa8, 0x95, 0x78, 0xf9, 0x54, 0xd1, 0x5d, 0x5f, 0xe6, 0xfd, 0x46, 0xd3, 0xd9, 0xc5, - 0x57, 0x00, 0x00, 0x00, 0xff, 0xff, 0xb5, 0x7f, 0xfb, 0xc4, 0x87, 0x01, 0x00, 0x00, + // 289 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x91, 0xcd, 0x4a, 0xc3, 0x40, + 0x14, 0x85, 0x3b, 0x8a, 0xd6, 0x8e, 0xae, 0xb2, 0x8a, 0x4a, 0x87, 
0x12, 0x05, 0xbb, 0x4a, 0x40, + 0x17, 0x6e, 0xc4, 0x45, 0x8b, 0xd0, 0x80, 0xab, 0xc4, 0x95, 0x9b, 0x30, 0x4e, 0xae, 0x65, 0x20, + 0xce, 0xc4, 0x7b, 0xa7, 0x42, 0xdf, 0xc4, 0x47, 0x72, 0xe9, 0xc2, 0x07, 0x90, 0xf8, 0x22, 0xd2, + 0x64, 0x8a, 0x88, 0xa8, 0xbb, 0xf9, 0x39, 0xdf, 0xe1, 0x9e, 0x73, 0xf9, 0x89, 0x36, 0x0e, 0xd0, + 0xc8, 0x4a, 0xd6, 0x3a, 0x51, 0x60, 0x1c, 0xca, 0x2a, 0xa9, 0xac, 0x92, 0x55, 0x41, 0x4a, 0x1a, + 0x03, 0x18, 0xd7, 0x68, 0x9d, 0x0d, 0xfa, 0xfe, 0xf3, 0x40, 0x90, 0xb3, 0x28, 0xe7, 0x90, 0x10, + 0xe0, 0x93, 0x56, 0x50, 0xe8, 0x12, 0x8c, 0xd3, 0x6e, 0xd9, 0x09, 0xa3, 0x73, 0x7e, 0x78, 0xbd, + 0xe2, 0xf3, 0x0e, 0x9f, 0x02, 0x3a, 0x4a, 0x89, 0x16, 0x70, 0x85, 0x68, 0x31, 0x08, 0x79, 0xff, + 0x01, 0x88, 0xe4, 0x1c, 0x42, 0x36, 0x62, 0xe3, 0x41, 0xb6, 0xbe, 0x46, 0x97, 0x7c, 0xd8, 0xea, + 0x7e, 0xd0, 0x19, 0x3c, 0x2e, 0x80, 0x5c, 0x30, 0xe4, 0x1c, 0xbb, 0x63, 0xa1, 0x4b, 0x4f, 0x0f, + 0xfc, 0x4b, 0x5a, 0x46, 0x6f, 0x8c, 0x8b, 0xdf, 0x0c, 0xa8, 0xb6, 0x86, 0xe0, 0x1f, 0x87, 0x20, + 0xe5, 0x7b, 0x0a, 0xd0, 0xe9, 0x7b, 0xad, 0xa4, 0x03, 0x0a, 0x37, 0x46, 0x6c, 0xbc, 0x7b, 0x7a, + 0x14, 0xfb, 0xc4, 0xf1, 0xcd, 0xb2, 0x86, 0x32, 0xef, 0x62, 0x4f, 0xbf, 0x84, 0x39, 0xb8, 0x59, + 0x2f, 0xfb, 0x86, 0x06, 0x17, 0x7c, 0x0b, 0x56, 0x79, 0xc3, 0xcd, 0xd6, 0xe3, 0x38, 0xf6, 0xf5, + 0xc5, 0x7f, 0x74, 0x33, 0xeb, 0x65, 0x1d, 0x34, 0xe1, 0x7c, 0x07, 0xfd, 0xcc, 0x93, 0xfd, 0x97, + 0x46, 0xb0, 0xd7, 0x46, 0xb0, 0xf7, 0x46, 0xb0, 0xe7, 0x0f, 0xd1, 0xbb, 0x5d, 0xaf, 0xe2, 0x6e, + 0xbb, 0x6d, 0xfc, 0xec, 0x33, 0x00, 0x00, 0xff, 0xff, 0xbd, 0x93, 0x4a, 0x05, 0xc5, 0x01, 0x00, + 0x00, } func (m *LocalScannerCertsIssueError) Marshal() (dAtA []byte, err error) { 
@@ -349,6 +367,13 @@ func (m *IssueLocalScannerCertsRequest) MarshalToSizedBuffer(dAtA []byte) (int, i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if len(m.RequestId) > 0 { + i -= len(m.RequestId) + copy(dAtA[i:], m.RequestId) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.RequestId))) + i-- + dAtA[i] = 0xa + } return len(dAtA) - i, nil } @@ -385,6 +410,13 @@ func (m *IssueLocalScannerCertsResponse) MarshalToSizedBuffer(dAtA []byte) (int, } } } + if len(m.RequestId) > 0 { + i -= len(m.RequestId) + copy(dAtA[i:], m.RequestId) + i = encodeVarintLocalScanner(dAtA, i, uint64(len(m.RequestId))) + i-- + dAtA[i] = 0xa + } return len(dAtA) - i, nil } @@ -405,7 +437,7 @@ func (m *IssueLocalScannerCertsResponse_Certificates) MarshalToSizedBuffer(dAtA i = encodeVarintLocalScanner(dAtA, i, uint64(size)) } i-- - dAtA[i] = 0xa + dAtA[i] = 0x12 } return len(dAtA) - i, nil } @@ -426,7 +458,7 @@ func (m *IssueLocalScannerCertsResponse_Error) MarshalToSizedBuffer(dAtA []byte) i = encodeVarintLocalScanner(dAtA, i, uint64(size)) } i-- - dAtA[i] = 0x12 + dAtA[i] = 0x1a } return len(dAtA) - i, nil } @@ -463,6 +495,10 @@ func (m *IssueLocalScannerCertsRequest) Size() (n int) { } var l int _ = l + l = len(m.RequestId) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } @@ -475,6 +511,10 @@ func (m *IssueLocalScannerCertsResponse) Size() (n int) { } var l int _ = l + l = len(m.RequestId) + if l > 0 { + n += 1 + l + sovLocalScanner(uint64(l)) + } if m.Response != nil { n += m.Response.Size() } 
@@ -627,6 +667,38 @@ func (m *IssueLocalScannerCertsRequest) Unmarshal(dAtA []byte) error { return fmt.Errorf("proto: IssueLocalScannerCertsRequest: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RequestId", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.RequestId = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipLocalScanner(dAtA[iNdEx:]) @@ -679,6 +751,38 @@ func (m *IssueLocalScannerCertsResponse) Unmarshal(dAtA []byte) error { } switch fieldNum { case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field RequestId", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowLocalScanner + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthLocalScanner + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthLocalScanner + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.RequestId = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field Certificates", wireType) } 
@@ -713,7 +817,7 @@ func (m *IssueLocalScannerCertsResponse) Unmarshal(dAtA []byte) error { } m.Response = &IssueLocalScannerCertsResponse_Certificates{v} iNdEx = postIndex - case 2: + case 3: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType) } diff --git a/proto/internalapi/central/local_scanner.proto b/proto/internalapi/central/local_scanner.proto index 79af1ba87a5e2..2a05dab413401 100644 --- a/proto/internalapi/central/local_scanner.proto +++ b/proto/internalapi/central/local_scanner.proto @@ -10,11 +10,14 @@ message LocalScannerCertsIssueError { string message = 1; } -message IssueLocalScannerCertsRequest {} +message IssueLocalScannerCertsRequest { + string request_id = 1; +} message IssueLocalScannerCertsResponse { + string request_id = 1; oneof response { - storage.TypedServiceCertificateSet certificates = 1; - LocalScannerCertsIssueError error = 2; + storage.TypedServiceCertificateSet certificates = 2; + LocalScannerCertsIssueError error = 3; } } From b1703fe12467b5ae8bfd9f25754a9895278d9641 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 14:09:37 +0100 Subject: [PATCH 28/45] Use Len assertion instead of Equal of `len` Co-authored-by: Malte Isberner <2822367+misberner@users.noreply.github.com> --- central/localscanner/certificates_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 341f860b1170d..d8c18779f6b51 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -61,7 +61,7 @@ func (s *localScannerSuite) TestCertMapContainsExpectedFiles() { s.Require().NoError(err, tc.service) } expectedFiles := []string{"ca.pem", "cert.pem", "key.pem"} - s.Equal(len(expectedFiles), len(certMap)) + s.Len(certMap, len(expectedFiles)) for _, key := range expectedFiles { s.Contains(certMap, key, tc.service) } 
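Review bot: The local_scanner.proto hunk renumbers the existing oneof members (`certificates` 1→2, `error` 2→3) to make room for `request_id = 1`, which is a wire-incompatible change: a Central and a Sensor built from either side of this commit would decode each other's response into the wrong field. Keeping the existing numbers and appending the new field, `string request_id = 3;` with `certificates = 1;` and `error = 2;` unchanged, avoids that. If the message is genuinely unreleased (it appears to be introduced earlier in this same patch series, PATCH 01/45) the renumbering is harmless today, but a one-line comment stating that the field numbers are frozen once released would prevent the next reshuffle.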
From 2e3b639c79d06b961c6bc4046cc67370cbe7d085 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 14:10:56 +0100 Subject: [PATCH 29/45] Use require to avoid panic later on in test Co-authored-by: Malte Isberner <2822367+misberner@users.noreply.github.com> --- central/localscanner/certificates_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index d8c18779f6b51..4da8057413b18 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go @@ -103,7 +103,7 @@ func (s *localScannerSuite) TestCertificateGeneration() { subject := cert.Subject certOUs := subject.OrganizationalUnit - s.Equal(1, len(certOUs), tc.service) + s.Require().Len(certOUs, 1, tc.service) s.Equal(tc.expectOU, certOUs[0], tc.service) s.Equal(fmt.Sprintf("%s: %s", tc.expectOU, clusterID), subject.CommonName, tc.service) From 06e8eaa7717188fcbcf49e5a4b81aaf670fe43a0 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 14:15:21 +0100 Subject: [PATCH 30/45] use proper list comparison instead of a loop and len check --- central/localscanner/certificates_test.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 4da8057413b18..52794f4e415a3 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go 
@@ -109,10 +109,7 @@ func (s *localScannerSuite) TestCertificateGeneration() { s.Equal(fmt.Sprintf("%s: %s", tc.expectOU, clusterID), subject.CommonName, tc.service) certAlternativeNames := cert.DNSNames - s.Equal(len(tc.expectedAlternativeNames), len(certAlternativeNames), tc.service) - for _, name := range tc.expectedAlternativeNames { - s.Contains(certAlternativeNames, name, tc.service) - } + s.ElementsMatch(tc.expectedAlternativeNames, certAlternativeNames, tc.service) s.Equal(cert.NotBefore.Add(2*24*time.Hour), cert.NotAfter, tc.service) } } From 98bb61b0690a4aff20f8bfdacbd73c265867f3d8 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 14:23:47 +0100 Subject: [PATCH 31/45] use subtest for all test tables instead of assertions with info --- central/localscanner/certificates_test.go | 63 ++++++++++++----------- 1 file changed, 34 insertions(+), 29 deletions(-) diff --git a/central/localscanner/certificates_test.go b/central/localscanner/certificates_test.go index 52794f4e415a3..c9027c8381d54 100644 --- a/central/localscanner/certificates_test.go +++ b/central/localscanner/certificates_test.go 
@@ -53,18 +53,19 @@ func (s *localScannerSuite) TestCertMapContainsExpectedFiles() { } for _, tc := range testCases { - certMap, err := generateServiceCertMap(tc.service, namespace, clusterID) - if tc.expectError { - s.Require().Error(err, tc.service) - continue - } else { - s.Require().NoError(err, tc.service) - } - expectedFiles := []string{"ca.pem", "cert.pem", "key.pem"} - s.Len(certMap, len(expectedFiles)) - for _, key := range expectedFiles { - s.Contains(certMap, key, tc.service) - } + s.Run(tc.service.String(), func() { + certMap, err := generateServiceCertMap(tc.service, namespace, clusterID) + if tc.expectError { + s.Require().Error(err) + return + } + s.Require().NoError(err) + expectedFiles := []string{"ca.pem", "cert.pem", "key.pem"} + s.Len(certMap, len(expectedFiles)) + for _, key := range expectedFiles { + s.Contains(certMap, key) + } + }) } } @@ -75,11 +76,13 @@ func (s *localScannerSuite) TestValidateServiceCertificate() { } for _, serviceType := range testCases { - certMap, err := generateServiceCertMap(serviceType, namespace, clusterID) - s.Require().NoError(err, serviceType) - validatingCA, err := mtls.LoadCAForValidation(certMap["ca.pem"]) - s.Require().NoError(err, serviceType) - s.NoError(certgen.VerifyServiceCert(certMap, validatingCA, serviceType, ""), serviceType) + s.Run(serviceType.String(), func() { + certMap, err := generateServiceCertMap(serviceType, namespace, clusterID) + s.Require().NoError(err) + validatingCA, err := mtls.LoadCAForValidation(certMap["ca.pem"]) + s.Require().NoError(err) + s.NoError(certgen.VerifyServiceCert(certMap, validatingCA, serviceType, "")) + }) } } 
@@ -96,21 +99,23 @@ func (s *localScannerSuite) TestCertificateGeneration() { } for _, tc := range testCases { - certMap, err := generateServiceCertMap(tc.service, namespace, clusterID) - s.Require().NoError(err, tc.service) - cert, err := helpers.ParseCertificatePEM(certMap["cert.pem"]) - s.Require().NoError(err, tc.service) + s.Run(tc.service.String(), func() { + certMap, err := generateServiceCertMap(tc.service, namespace, clusterID) + s.Require().NoError(err) + cert, err := helpers.ParseCertificatePEM(certMap["cert.pem"]) + s.Require().NoError(err) - subject := cert.Subject - certOUs := subject.OrganizationalUnit - s.Require().Len(certOUs, 1, tc.service) - s.Equal(tc.expectOU, certOUs[0], tc.service) + subject := cert.Subject + certOUs := subject.OrganizationalUnit + s.Require().Len(certOUs, 1) + s.Equal(tc.expectOU, certOUs[0]) - s.Equal(fmt.Sprintf("%s: %s", tc.expectOU, clusterID), subject.CommonName, tc.service) + s.Equal(fmt.Sprintf("%s: %s", tc.expectOU, clusterID), subject.CommonName) - certAlternativeNames := cert.DNSNames - s.ElementsMatch(tc.expectedAlternativeNames, certAlternativeNames, tc.service) - s.Equal(cert.NotBefore.Add(2*24*time.Hour), cert.NotAfter, tc.service) + certAlternativeNames := cert.DNSNames + s.ElementsMatch(tc.expectedAlternativeNames, certAlternativeNames) + s.Equal(cert.NotBefore.Add(2*24*time.Hour), cert.NotAfter) + }) } } From 7356d0e3250003747d88b1380cd0e36ae1e37020 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 14:26:10 +0100 Subject: [PATCH 32/45] use require instead of assert to prevent potential test panic --- central/sensor/service/connection/connection_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/central/sensor/service/connection/connection_test.go b/central/sensor/service/connection/connection_test.go index c1b2a12554bea..c8177ac72a1cc 100644 --- a/central/sensor/service/connection/connection_test.go +++ b/central/sensor/service/connection/connection_test.go 
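Review bot: `TestCertificateGeneration` pins OU, CN, DNS SANs and the 2-day validity window but not the constraints that make an issued leaf safe to hand out: add `s.False(cert.IsCA)` and, if certgen sets them, assert the expected `cert.KeyUsage`/`cert.ExtKeyUsage`, so a future change that issues a CA-capable or unrestricted certificate is caught. Separately, the closures passed to `s.Run` capture the loop variable `tc`; that is fine while `s.Run` executes synchronously, but shadowing it with `tc := tc` at the top of the loop body costs nothing and keeps the subtests correct if anyone adds `s.T().Parallel()`. The test-case table is outside this hunk.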
@@ -76,7 +76,7 @@ func (s *testSuite) TestGetPolicySyncMsgFromPolicies() {
 s.NoError(err)
 policySync := msg.GetPolicySync()
- s.NotNil(policySync)
+ s.Require().NotNil(policySync)
 s.NotEmpty(policySync.Policies)
 s.Equal(sensorVersion.String(), policySync.Policies[0].GetPolicyVersion())
 }
From d578d40d469beb0ca5fbae2b7e930f61f0c9b3ad Mon Sep 17 00:00:00 2001
From: Juan Rodriguez Hortala
Date: Tue, 11 Jan 2022 18:01:41 +0100
Subject: [PATCH 33/45] Draft of local scanner certificate refresh
---
 pkg/centralsensor/caps_list.go | 3 +
 sensor/kubernetes/localscanner/operator.go | 250 +++++++++++++++++++++
 sensor/kubernetes/sensor/sensor.go | 26 ++-
 3 files changed, 267 insertions(+), 12 deletions(-)
 create mode 100644 sensor/kubernetes/localscanner/operator.go
diff --git a/pkg/centralsensor/caps_list.go b/pkg/centralsensor/caps_list.go
index e31cd51e8a556..e0b85406eee2b 100644
--- a/pkg/centralsensor/caps_list.go
+++ b/pkg/centralsensor/caps_list.go
@@ -24,4 +24,7 @@ const (
 // AuditLogEventsCap identifies the capability to handle audit log event detection.
 AuditLogEventsCap SensorCapability = "AuditLogEvents"
+
+ // LocalScannerCredentialsRefresh identifies the capability to maintain the Local scanner TLS credentials refreshed.
+ LocalScannerCredentialsRefresh SensorCapability = "LocalScannerCredentialsRefresh"
 )
diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/operator.go
new file mode 100644
index 0000000000000..0d8b343a69a7d
--- /dev/null
+++ b/sensor/kubernetes/localscanner/operator.go
@@ -0,0 +1,250 @@ +package localscanner + +import ( + "context" + "math/rand" + "time" + + "github.com/cloudflare/cfssl/helpers" + "github.com/pkg/errors" + "github.com/stackrox/rox/generated/internalapi/central" + "github.com/stackrox/rox/pkg/centralsensor" + "github.com/stackrox/rox/pkg/logging" + "github.com/stackrox/rox/pkg/mtls" + "github.com/stackrox/rox/sensor/common" + v1 "k8s.io/api/core/v1" + k8sErrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes" + corev1 "k8s.io/client-go/kubernetes/typed/core/v1" +) + +const ( + issueCertificatesTimeout = 2 * time.Minute + fetchSecretsTimeout = 2 * time.Minute + updateSecretsTimeout = 2 * time.Minute + refreshSecretsMaxNumAttempts = uint(5) + refreshSecretAttemptWaitTime = 5 * time.Minute + refreshSecretAllAttemptsFailedWaitTime = 2 * time.Hour + localScannerCredentialsSecretName = "scanner-local-tls" + localScannerDBCredentialsSecretName = "scanner-db-local-tls" +) + +var ( + log = logging.LoggerForModule() +) + +// NewLocalScannerOperator creates a Sensor component that maintains the local Scanner TLS certificates +// up to date. FIXME rename? 
+func NewLocalScannerOperator (k8sClient kubernetes.Interface, sensorNamespace string) common.SensorComponent { + return &localscannerOperatorImpl{ + sensorNamespace: sensorNamespace, + secretsClient: k8sClient.CoreV1().Secrets(sensorNamespace), + ctx: context.Background(), + responsesC: make(chan *central.MsgFromSensor), + } +} + +type localscannerOperatorImpl struct { + sensorNamespace string + secretsClient corev1.SecretInterface + numLocalScannerSecretRefreshAttempts uint + refreshTimer *time.Timer + ctx context.Context + responsesC chan *central.MsgFromSensor +} + +func (o localscannerOperatorImpl) Start() error { + log.Info("starting local scanner operator.") + + if err := o.scheduleLocalScannerSecretsRefresh(); err != nil { + return errors.Wrapf(err, "failure scheduling local scanner secrets refresh") + } + + log.Info("local scanner operator started.") + + return nil +} + +func (o localscannerOperatorImpl) Stop(err error) { + if o.refreshTimer != nil { + o.refreshTimer.Stop() + } + log.Info("local scanner operator stopped.") +} + +func (o localscannerOperatorImpl) Capabilities() []centralsensor.SensorCapability { + return []centralsensor.SensorCapability{centralsensor.LocalScannerCredentialsRefresh} +} + +func (o localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) error { + switch m := msg.GetMsg().(type) { + case *central.MsgToSensor_IssueLocalScannerCertsResponse: + certs := m.IssueLocalScannerCertsResponse + nextTimeToRefresh, err := o.refreshLocalScannerSecrets(certs) + if err == nil { + log.Infof("successfully refreshed local Scanner credential secrets %s and %s, " + + "will refresh again in %s", + localScannerCredentialsSecretName, localScannerDBCredentialsSecretName, nextTimeToRefresh) + o.numLocalScannerSecretRefreshAttempts = 0 + o.doScheduleLocalScannerSecretsRefresh(nextTimeToRefresh) + return nil + } + // note centralReceiverImpl just logs the error + err = errors.Wrapf(err, "Attempt %d to refresh local Scanner credential secrets, 
will retry in %s", + o.numLocalScannerSecretRefreshAttempts, refreshSecretAttemptWaitTime) + o.numLocalScannerSecretRefreshAttempts++ + if o.numLocalScannerSecretRefreshAttempts < refreshSecretsMaxNumAttempts { + o.doScheduleLocalScannerSecretsRefresh(refreshSecretAttemptWaitTime) + } else { + err = errors.Wrapf(err, "Failed to refresh local Scanner credential secrets after %d attempts, " + + "will wait %s and restart the retry cycle", + refreshSecretsMaxNumAttempts, refreshSecretAllAttemptsFailedWaitTime) + o.numLocalScannerSecretRefreshAttempts = 0 + o.doScheduleLocalScannerSecretsRefresh(refreshSecretAllAttemptsFailedWaitTime) + } + return err + + default: + return nil + } +} + +func (o localscannerOperatorImpl) ResponsesC() <-chan *central.MsgFromSensor { + return o.responsesC +} + +func (o *localscannerOperatorImpl) scheduleLocalScannerSecretsRefresh() error { + localScannerCredsSecret, localScannerDBCredsSecret, fetchErr := o.fetchLocalScannerSecrets() + if k8sErrors.IsNotFound(fetchErr) { + log.Warnf("some local scanner secret is missing, "+ + "operator will not maintain any local scanner secret fresh : %v", fetchErr) + return nil + } + if fetchErr != nil { + // FIXME wrap + return fetchErr + } + + // if certificates are already expired this refreshes immediately. 
+ o.doScheduleLocalScannerSecretsRefresh(getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret)) + return nil +} + +func (o *localscannerOperatorImpl) doScheduleLocalScannerSecretsRefresh(timeToRefresh time.Duration) { + o.refreshTimer = time.AfterFunc(timeToRefresh, func() { + if err := o.issueScannerCertificates(); err != nil { + // FIXME log and treat as o.numLocalScannerSecretRefreshAttempts >= refreshSecretsMaxNumAttempts + } + }) +} + +func getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret *v1.Secret) time.Duration { + scannerDuration := getScannerSecretDuration(localScannerCredsSecret) + scannerDBDuration := getScannerSecretDuration(localScannerDBCredsSecret) + if scannerDuration > scannerDBDuration { + return scannerDBDuration + } + return scannerDuration +} + +func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { + scannerCertsData := scannerSecret.Data + scannerCertBytes := scannerCertsData[mtls.ServiceCertFileName] + scannerCert, err := helpers.ParseCertificatePEM(scannerCertBytes) + if err != nil { + // Note this also covers a secret with no certificates stored, which should be refreshed immediately. + return 0 + } + + certValidityDurationSecs := scannerCert.NotAfter.Sub(scannerCert.NotBefore).Seconds() + durationBeforeRenewalAttempt := + time.Duration(certValidityDurationSecs/2) - time.Duration(rand.Intn(int(certValidityDurationSecs/10))) + certRenewalTime := scannerCert.NotBefore.Add(durationBeforeRenewalAttempt) + timeToRefresh := time.Until(certRenewalTime) + if timeToRefresh.Seconds() <= 0 { + // Certificate is already expired. + return 0 + } + return timeToRefresh +} + +func (o *localscannerOperatorImpl) issueScannerCertificates() error { + // We only support local Scanner running on the same namespace as Sensor. 
+ localScannerNamespace := o.sensorNamespace + + ctx, cancel := context.WithTimeout(o.ctx, issueCertificatesTimeout) + defer cancel() + msg := ¢ral.MsgFromSensor{ + Msg: ¢ral.MsgFromSensor_IssueLocalScannerCertsRequest{ + IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{ + Namespace: localScannerNamespace, + }, + }, + } + select { + case o.responsesC <- msg: + return nil + case <-ctx.Done(): + return ctx.Err() + } +} + +func (o *localscannerOperatorImpl) fetchLocalScannerSecrets() (*v1.Secret, *v1.Secret, error) { + ctx, cancel := context.WithTimeout(o.ctx, fetchSecretsTimeout) + defer cancel() + + // FIXME multierror + localScannerCredsSecret, err := o.secretsClient.Get(ctx, localScannerCredentialsSecretName, metav1.GetOptions{}) + if err != nil { + return nil, nil, errors.Wrapf(err, "for secret %s", localScannerCredentialsSecretName) + } + localScannerDBCredsSecret, err := o.secretsClient.Get(ctx, localScannerDBCredentialsSecretName, metav1.GetOptions{}) + if err != nil { + return nil, nil, errors.Wrapf(err, "for secret %s", localScannerDBCredentialsSecretName) + } + + return localScannerCredsSecret, localScannerDBCredsSecret, nil +} + +func updateLocalScannerSecret(secret *v1.Secret, certificates *central.LocalScannerCertificates) { + secret.Data = map[string][]byte{ + mtls.ServiceCertFileName: certificates.Cert, + mtls.CACertFileName: certificates.Ca, + mtls.ServiceKeyFileName: certificates.Key, + } +} + +// When any of the secrets is missing this returns and err such that k8sErrors.IsNotFound(err) is true +// On success it returns the duration after which the secrets should be refreshed +func (o *localscannerOperatorImpl) refreshLocalScannerSecrets(certificates *central.IssueLocalScannerCertsResponse) (time.Duration, error) { + localScannerCredsSecret, localScannerDBCredsSecret, err := o.fetchLocalScannerSecrets() + if err != nil { + // FIXME wrap + return 0, err + } + + if err != nil { + // FIXME wrap + return 0, err + } + 
updateLocalScannerSecret(localScannerCredsSecret, certificates.ScannerCerts) + updateLocalScannerSecret(localScannerDBCredsSecret, certificates.ScannerDbCerts) + + ctx, cancel := context.WithTimeout(o.ctx, updateSecretsTimeout) + defer cancel() + // FIXME do a loop, and apply pattern elsewhere + localScannerCredsSecret, err = o.secretsClient.Update(ctx, localScannerCredsSecret, metav1.UpdateOptions{}) + if err != nil { + // FIXME wrap + return 0, err + } + localScannerDBCredsSecret, err = o.secretsClient.Update(ctx, localScannerDBCredsSecret, metav1.UpdateOptions{}) + if err != nil { + // FIXME wrap + return 0, err + } + + timeToRefresh := getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret) + return timeToRefresh, nil +} \ No newline at end of file diff --git a/sensor/kubernetes/sensor/sensor.go b/sensor/kubernetes/sensor/sensor.go index c54609364aee3..f84a761bd67e8 100644 --- a/sensor/kubernetes/sensor/sensor.go +++ b/sensor/kubernetes/sensor/sensor.go @@ -45,6 +45,7 @@ import ( "github.com/stackrox/rox/sensor/kubernetes/fake" "github.com/stackrox/rox/sensor/kubernetes/listener" "github.com/stackrox/rox/sensor/kubernetes/listener/resources" + "github.com/stackrox/rox/sensor/kubernetes/localscanner" "github.com/stackrox/rox/sensor/kubernetes/networkpolicies" "github.com/stackrox/rox/sensor/kubernetes/orchestrator" "github.com/stackrox/rox/sensor/kubernetes/telemetry" 
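Review bot: `rand.Intn(int(certValidityDurationSecs/10))` in getScannerSecretDuration panics when its argument is 0 or negative, which any certificate with under ten seconds of validity, or with NotAfter before NotBefore, produces; since this runs from Start and from the ProcessMessage path, a single malformed secret or response becomes an unrecovered panic instead of an immediate refresh. A guard before the jitter draw avoids it, e.g. `if certValidityDurationSecs < 10 { return 0 }`; the same expression is moved unchanged into getScannerSecretDurationFromCertificate in the PATCH 35 hunk. Separately, the callback in doScheduleLocalScannerSecretsRefresh discards the error from issueScannerCertificates and arms no new timer, so one send on responsesC that hits issueCertificatesTimeout ends the refresh cycle permanently and the credentials are left to expire; the PATCH 34 hunk only adds `log.Error("FIXME")` there. Logging the error with `%v` and re-arming with `o.doScheduleLocalScannerSecretsRefresh(refreshSecretAttemptWaitTime)` keeps the loop alive.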
@@ -115,6 +116,18 @@ func CreateSensor(client client.Interface, workloadHandler *fake.WorkloadManager imageService := image.NewService(imageCache) complianceCommandHandler := compliance.NewCommandHandler(complianceService) + sensorNamespace, err := satoken.LoadNamespaceFromFile() + if err != nil { + log.Errorf("Failed to determine namespace from service account token file: %s", err) + } + if sensorNamespace == "" { + sensorNamespace = os.Getenv("POD_NAMESPACE") + } + if sensorNamespace == "" { + sensorNamespace = namespaces.StackRox + log.Warnf("Unable to determine Sensor namespace, defaulting to %s", sensorNamespace) + } + // Create Process Pipeline indicators := make(chan *central.MsgFromSensor) processPipeline := processsignal.NewProcessPipeline(indicators, clusterentities.StoreInstance(), processfilter.Singleton(), policyDetector) @@ -135,24 +148,13 @@ func CreateSensor(client client.Interface, workloadHandler *fake.WorkloadManager externalsrcs.Singleton(), admissioncontroller.AlertHandlerSingleton(), auditLogCollectionManager, + localscanner.NewLocalScannerOperator(client.Kubernetes(), sensorNamespace), } if features.VulnRiskManagement.Enabled() { components = append(components, reprocessor.NewHandler(admCtrlSettingsMgr, policyDetector, imageCache)) } - sensorNamespace, err := satoken.LoadNamespaceFromFile() - if err != nil { - log.Errorf("Failed to determine namespace from service account token file: %s", err) - } - if sensorNamespace == "" { - sensorNamespace = os.Getenv("POD_NAMESPACE") - } - if sensorNamespace == "" { - sensorNamespace = namespaces.StackRox - log.Warnf("Unable to determine Sensor namespace, defaulting to %s", sensorNamespace) - } - if admCtrlSettingsMgr != nil { components = append(components, k8sadmctrl.NewConfigMapSettingsPersister(client.Kubernetes(), admCtrlSettingsMgr, sensorNamespace)) } From 62efeb63b6c8ff638417f1ec32b26d2977109ecd Mon Sep 17 00:00:00 2001 
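Review bot: NewLocalScannerOperator is added to the component list unconditionally, and its Start returns every non-NotFound error from the secrets Get, so a Forbidden response — a cluster whose Sensor service account was never granted get/update on secrets in its namespace — would surface as a component start failure for an optional feature; how the caller treats Start errors is not visible in this hunk, so the blast radius is inferred. Either treat non-NotFound fetch errors like the NotFound case (log and run without refresh), or gate the component the way the reprocessor is gated a few lines below with `features.VulnRiskManagement.Enabled()`. The relocated namespace block is otherwise unchanged.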
From: Juan Rodriguez Hortala
Date: Wed, 12 Jan 2022 09:25:08 +0100
Subject: [PATCH 34/45] fix style
---
 sensor/kubernetes/localscanner/operator.go | 41 ++++++++++------------
 1 file changed, 19 insertions(+), 22 deletions(-)
diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/operator.go
index 0d8b343a69a7d..d96e789d3fcdc 100644
--- a/sensor/kubernetes/localscanner/operator.go
+++ b/sensor/kubernetes/localscanner/operator.go
@@ -20,45 +20,45 @@ import ( ) const ( - issueCertificatesTimeout = 2 * time.Minute - fetchSecretsTimeout = 2 * time.Minute - updateSecretsTimeout = 2 * time.Minute - refreshSecretsMaxNumAttempts = uint(5) - refreshSecretAttemptWaitTime = 5 * time.Minute + issueCertificatesTimeout = 2 * time.Minute + fetchSecretsTimeout = 2 * time.Minute + updateSecretsTimeout = 2 * time.Minute + refreshSecretsMaxNumAttempts = uint(5) + refreshSecretAttemptWaitTime = 5 * time.Minute refreshSecretAllAttemptsFailedWaitTime = 2 * time.Hour - localScannerCredentialsSecretName = "scanner-local-tls" - localScannerDBCredentialsSecretName = "scanner-db-local-tls" + localScannerCredentialsSecretName = "scanner-local-tls" + localScannerDBCredentialsSecretName = "scanner-db-local-tls" ) var ( - log = logging.LoggerForModule() + log = logging.LoggerForModule() ) // NewLocalScannerOperator creates a Sensor component that maintains the local Scanner TLS certificates // up to date. FIXME rename? -func NewLocalScannerOperator (k8sClient kubernetes.Interface, sensorNamespace string) common.SensorComponent { +func NewLocalScannerOperator(k8sClient kubernetes.Interface, sensorNamespace string) common.SensorComponent { return &localscannerOperatorImpl{ sensorNamespace: sensorNamespace, - secretsClient: k8sClient.CoreV1().Secrets(sensorNamespace), - ctx: context.Background(), - responsesC: make(chan *central.MsgFromSensor), + secretsClient: k8sClient.CoreV1().Secrets(sensorNamespace), + ctx: context.Background(), + responsesC: make(chan *central.MsgFromSensor), } } type localscannerOperatorImpl struct { - sensorNamespace string + sensorNamespace string secretsClient corev1.SecretInterface numLocalScannerSecretRefreshAttempts uint refreshTimer *time.Timer ctx context.Context - responsesC chan *central.MsgFromSensor + responsesC chan *central.MsgFromSensor } func (o localscannerOperatorImpl) Start() error { log.Info("starting local scanner operator.") if err := o.scheduleLocalScannerSecretsRefresh(); err 
!= nil { - return errors.Wrapf(err, "failure scheduling local scanner secrets refresh") + return errors.Wrap(err, "failure scheduling local scanner secrets refresh") } log.Info("local scanner operator started.") @@ -83,7 +83,7 @@ func (o localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) error certs := m.IssueLocalScannerCertsResponse nextTimeToRefresh, err := o.refreshLocalScannerSecrets(certs) if err == nil { - log.Infof("successfully refreshed local Scanner credential secrets %s and %s, " + + log.Infof("successfully refreshed local Scanner credential secrets %s and %s, "+ "will refresh again in %s", localScannerCredentialsSecretName, localScannerDBCredentialsSecretName, nextTimeToRefresh) o.numLocalScannerSecretRefreshAttempts = 0 @@ -97,7 +97,7 @@ func (o localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) error if o.numLocalScannerSecretRefreshAttempts < refreshSecretsMaxNumAttempts { o.doScheduleLocalScannerSecretsRefresh(refreshSecretAttemptWaitTime) } else { - err = errors.Wrapf(err, "Failed to refresh local Scanner credential secrets after %d attempts, " + + err = errors.Wrapf(err, "Failed to refresh local Scanner credential secrets after %d attempts, "+ "will wait %s and restart the retry cycle", refreshSecretsMaxNumAttempts, refreshSecretAllAttemptsFailedWaitTime) o.numLocalScannerSecretRefreshAttempts = 0 @@ -135,6 +135,7 @@ func (o *localscannerOperatorImpl) doScheduleLocalScannerSecretsRefresh(timeToRe o.refreshTimer = time.AfterFunc(timeToRefresh, func() { if err := o.issueScannerCertificates(); err != nil { // FIXME log and treat as o.numLocalScannerSecretRefreshAttempts >= refreshSecretsMaxNumAttempts + log.Error("FIXME") } }) } 
@@ -224,10 +225,6 @@ func (o *localscannerOperatorImpl) refreshLocalScannerSecrets(certificates *cent return 0, err } - if err != nil { - // FIXME wrap - return 0, err - } updateLocalScannerSecret(localScannerCredsSecret, certificates.ScannerCerts) updateLocalScannerSecret(localScannerDBCredsSecret, certificates.ScannerDbCerts) @@ -247,4 +244,4 @@ func (o *localscannerOperatorImpl) refreshLocalScannerSecrets(certificates *cent timeToRefresh := getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret) return timeToRefresh, nil -} \ No newline at end of file +} From e243eaca903754efb7f58f320cb6fafb7339efc3 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Wed, 12 Jan 2022 15:39:26 +0100 Subject: [PATCH 35/45] Bug fixes - Add missing `time.Second *` to computation of certs duration - Use pointer receiver in ProcessMessage to keep retry count --- sensor/kubernetes/localscanner/operator.go | 54 +++++++++++-------- .../kubernetes/localscanner/operators_test.go | 28 ++++++++++ 2 files changed, 59 insertions(+), 23 deletions(-) create mode 100644 sensor/kubernetes/localscanner/operators_test.go diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/operator.go index d96e789d3fcdc..8d762c2d57f47 100644 --- a/sensor/kubernetes/localscanner/operator.go +++ b/sensor/kubernetes/localscanner/operator.go @@ -2,6 +2,7 @@ package localscanner import ( "context" + "crypto/x509" "math/rand" "time" @@ -54,7 +55,7 @@ type localscannerOperatorImpl struct { responsesC chan *central.MsgFromSensor } -func (o localscannerOperatorImpl) Start() error { +func (o *localscannerOperatorImpl) Start() error { log.Info("starting local scanner operator.") if err := o.scheduleLocalScannerSecretsRefresh(); err != nil { 
@@ -66,38 +67,37 @@ func (o localscannerOperatorImpl) Start() error { return nil } -func (o localscannerOperatorImpl) Stop(err error) { +func (o *localscannerOperatorImpl) Stop(err error) { if o.refreshTimer != nil { o.refreshTimer.Stop() } log.Info("local scanner operator stopped.") } -func (o localscannerOperatorImpl) Capabilities() []centralsensor.SensorCapability { +func (o *localscannerOperatorImpl) Capabilities() []centralsensor.SensorCapability { return []centralsensor.SensorCapability{centralsensor.LocalScannerCredentialsRefresh} } -func (o localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) error { +func (o *localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) error { switch m := msg.GetMsg().(type) { case *central.MsgToSensor_IssueLocalScannerCertsResponse: certs := m.IssueLocalScannerCertsResponse - nextTimeToRefresh, err := o.refreshLocalScannerSecrets(certs) - if err == nil { - log.Infof("successfully refreshed local Scanner credential secrets %s and %s, "+ - "will refresh again in %s", - localScannerCredentialsSecretName, localScannerDBCredentialsSecretName, nextTimeToRefresh) + nextTimeToRefresh, refreshErr := o.refreshLocalScannerSecrets(certs) + if refreshErr == nil { + log.Infof("successfully refreshed local Scanner credential secrets %s and %s", + localScannerCredentialsSecretName, localScannerDBCredentialsSecretName) o.numLocalScannerSecretRefreshAttempts = 0 o.doScheduleLocalScannerSecretsRefresh(nextTimeToRefresh) return nil } // note centralReceiverImpl just logs the error - err = errors.Wrapf(err, "Attempt %d to refresh local Scanner credential secrets, will retry in %s", + err := errors.Wrapf(refreshErr, "attempt %d to refresh local Scanner credential secrets, will retry in %s", o.numLocalScannerSecretRefreshAttempts, refreshSecretAttemptWaitTime) o.numLocalScannerSecretRefreshAttempts++ - if o.numLocalScannerSecretRefreshAttempts < refreshSecretsMaxNumAttempts { + if o.numLocalScannerSecretRefreshAttempts <= 
refreshSecretsMaxNumAttempts { o.doScheduleLocalScannerSecretsRefresh(refreshSecretAttemptWaitTime) } else { - err = errors.Wrapf(err, "Failed to refresh local Scanner credential secrets after %d attempts, "+ + err = errors.Wrapf(refreshErr, "Failed to refresh local Scanner credential secrets after %d attempts, "+ "will wait %s and restart the retry cycle", refreshSecretsMaxNumAttempts, refreshSecretAllAttemptsFailedWaitTime) o.numLocalScannerSecretRefreshAttempts = 0 @@ -110,7 +110,7 @@ func (o localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) error } } -func (o localscannerOperatorImpl) ResponsesC() <-chan *central.MsgFromSensor { +func (o *localscannerOperatorImpl) ResponsesC() <-chan *central.MsgFromSensor { return o.responsesC } @@ -132,6 +132,7 @@ func (o *localscannerOperatorImpl) scheduleLocalScannerSecretsRefresh() error { } func (o *localscannerOperatorImpl) doScheduleLocalScannerSecretsRefresh(timeToRefresh time.Duration) { + log.Infof("local scanner certificates scheduled to be refreshed in %s", timeToRefresh) o.refreshTimer = time.AfterFunc(timeToRefresh, func() { if err := o.issueScannerCertificates(); err != nil { // FIXME log and treat as o.numLocalScannerSecretRefreshAttempts >= refreshSecretsMaxNumAttempts 
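Review bot: The attempt counter is logged before it is incremented, so the first failure is reported as `attempt 0` and, with the new `<=` comparison, six consecutive failures are retried at refreshSecretAttemptWaitTime before the branch that reports giving up `after 5 attempts`; the log text and refreshSecretsMaxNumAttempts no longer agree. Incrementing first and keeping the strict comparison lines them up: move `o.numLocalScannerSecretRefreshAttempts++` above the `errors.Wrapf(refreshErr, "attempt %d …")` call and compare with `if o.numLocalScannerSecretRefreshAttempts < refreshSecretsMaxNumAttempts {`. Note also that doScheduleLocalScannerSecretsRefresh overwrites refreshTimer without stopping a previously armed one, so a duplicate response from Central leaves two refresh cycles running; stopping the old timer before replacing it closes that. The enclosing switch continues past the hunk.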
@@ -149,25 +150,31 @@ func getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecre return scannerDuration } +func getScannerSecretDurationFromCertificate(scannerCert *x509.Certificate) time.Duration { + certValidityDurationSecs := scannerCert.NotAfter.Sub(scannerCert.NotBefore).Seconds() + durationBeforeRenewalAttempt := time.Second * + (time.Duration(certValidityDurationSecs/2) - time.Duration(rand.Intn(int(certValidityDurationSecs/10)))) + certRenewalTime := scannerCert.NotBefore.Add(durationBeforeRenewalAttempt) + timeToRefresh := time.Until(certRenewalTime) + if timeToRefresh.Seconds() <= 0 { + // Certificate is already expired. + return 0 + } + return timeToRefresh +} + func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { scannerCertsData := scannerSecret.Data scannerCertBytes := scannerCertsData[mtls.ServiceCertFileName] scannerCert, err := helpers.ParseCertificatePEM(scannerCertBytes) if err != nil { // Note this also covers a secret with no certificates stored, which should be refreshed immediately. + log.Warnf("failure parsing certificate for secret %s, will refresh secret immediately %v", + scannerSecret.GetName(), err) return 0 } - certValidityDurationSecs := scannerCert.NotAfter.Sub(scannerCert.NotBefore).Seconds() - durationBeforeRenewalAttempt := - time.Duration(certValidityDurationSecs/2) - time.Duration(rand.Intn(int(certValidityDurationSecs/10))) - certRenewalTime := scannerCert.NotBefore.Add(durationBeforeRenewalAttempt) - timeToRefresh := time.Until(certRenewalTime) - if timeToRefresh.Seconds() <= 0 { - // Certificate is already expired. - return 0 - } - return timeToRefresh + return getScannerSecretDurationFromCertificate(scannerCert) } func (o *localscannerOperatorImpl) issueScannerCertificates() error { 
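Review bot: The comment `// Certificate is already expired.` in getScannerSecretDurationFromCertificate describes the wrong condition: timeToRefresh is measured against the jittered renewal point, which lies between 40 % and 50 % of the validity period after NotBefore, so a non-positive value only means that point has passed and the certificate may still be valid for most of its lifetime. Suggest `// Renewal point already passed; refresh immediately.` The `rand.Intn` argument can still be 0 here for certificates with under ten seconds of validity, which panics; see the note on the original operator.go hunk.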
@@ -185,6 +192,7 @@ func (o *localscannerOperatorImpl) issueScannerCertificates() error { } select { case o.responsesC <- msg: + log.Infof("Request to issue local Scanner certificates sent to Central succesfully: %v", msg) return nil case <-ctx.Done(): return ctx.Err() diff --git a/sensor/kubernetes/localscanner/operators_test.go b/sensor/kubernetes/localscanner/operators_test.go new file mode 100644 index 0000000000000..25a0dc38be1ce --- /dev/null +++ b/sensor/kubernetes/localscanner/operators_test.go @@ -0,0 +1,28 @@ +package localscanner + +import ( + "crypto/x509" + "testing" + "time" + + "github.com/stretchr/testify/suite" +) + +func TestHandler(t *testing.T) { + suite.Run(t, new(operatorSuite)) +} + +type operatorSuite struct { + suite.Suite +} + +func (s *operatorSuite) TestGetScannerSecretDurationFromCertificate() { + now := time.Now() + afterOffset := 2 * 24 * time.Hour + scannerCert := &x509.Certificate{ + NotBefore: now, + NotAfter: now.Add(afterOffset), + } + certDuration := getScannerSecretDurationFromCertificate(scannerCert) + s.Assert().LessOrEqual(certDuration, afterOffset/2) +} \ No newline at end of file From 41488800668842ffdb72d9a159dff1d6b0d154b4 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Wed, 12 Jan 2022 15:41:16 +0100 Subject: [PATCH 36/45] checkstyle --- sensor/kubernetes/localscanner/operators_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sensor/kubernetes/localscanner/operators_test.go b/sensor/kubernetes/localscanner/operators_test.go index 25a0dc38be1ce..49b9476f43755 100644 --- a/sensor/kubernetes/localscanner/operators_test.go +++ b/sensor/kubernetes/localscanner/operators_test.go @@ -25,4 +25,4 @@ func (s *operatorSuite) TestGetScannerSecretDurationFromCertificate() { } certDuration := getScannerSecretDurationFromCertificate(scannerCert) s.Assert().LessOrEqual(certDuration, afterOffset/2) -} \ No newline at end of file +} 
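Review bot: TestGetScannerSecretDurationFromCertificate only bounds the result from above, so a regression that returns 0 or a negative duration still passes; the function's own arithmetic gives a lower bound of half the validity minus a tenth of it, less the time elapsed since `now`. Adding `s.Assert().Greater(certDuration, time.Duration(0))` and `s.Assert().GreaterOrEqual(certDuration, afterOffset/2-afterOffset/10-time.Second)` pins the jitter window. Logging the whole request with `%v` in the first hunk is acceptable for this message, which carries only a request id, but the same pattern must not be copied to the response handler, whose message carries key material.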
From 1d5355fa50368dd77f463f76141c7e28a1d51a61 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 16:24:08 +0100 Subject: [PATCH 37/45] adapt client to proto changes --- sensor/kubernetes/localscanner/operator.go | 48 ++++++++++++++++------ 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/operator.go index 8d762c2d57f47..0eb076c3b7038 100644 --- a/sensor/kubernetes/localscanner/operator.go +++ b/sensor/kubernetes/localscanner/operator.go @@ -9,9 +9,11 @@ import ( "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/internalapi/central" + "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/centralsensor" "github.com/stackrox/rox/pkg/logging" "github.com/stackrox/rox/pkg/mtls" + "github.com/stackrox/rox/pkg/uuid" "github.com/stackrox/rox/sensor/common" v1 "k8s.io/api/core/v1" k8sErrors "k8s.io/apimachinery/pkg/api/errors" @@ -106,6 +108,7 @@ func (o *localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) erro return err default: + // FIXME return err return nil } } @@ -178,15 +181,12 @@ func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { } func (o *localscannerOperatorImpl) issueScannerCertificates() error { - // We only support local Scanner running on the same namespace as Sensor. - localScannerNamespace := o.sensorNamespace - ctx, cancel := context.WithTimeout(o.ctx, issueCertificatesTimeout) defer cancel() msg := ¢ral.MsgFromSensor{ Msg: ¢ral.MsgFromSensor_IssueLocalScannerCertsRequest{ IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{ - Namespace: localScannerNamespace, + RequestId: uuid.NewV4().String(), }, }, } 
@@ -216,25 +216,49 @@ func (o *localscannerOperatorImpl) fetchLocalScannerSecrets() (*v1.Secret, *v1.S return localScannerCredsSecret, localScannerDBCredsSecret, nil } -func updateLocalScannerSecret(secret *v1.Secret, certificates *central.LocalScannerCertificates) { - secret.Data = map[string][]byte{ - mtls.ServiceCertFileName: certificates.Cert, - mtls.CACertFileName: certificates.Ca, - mtls.ServiceKeyFileName: certificates.Key, +func updateLocalScannerSecret(scannerSecret, scannerDBSecert *v1.Secret, certificates *storage.TypedServiceCertificateSet) error { + // FIXME: validate all fields present + for _, cert := range certificates.GetServiceCerts() { + switch cert.GetServiceType() { + case storage.ServiceType_SCANNER_SERVICE: + scannerSecret.Data = map[string][]byte{ + mtls.ServiceCertFileName: cert.GetCert().GetCertPem(), + mtls.CACertFileName: certificates.GetCaPem(), + mtls.ServiceKeyFileName: cert.GetCert().GetKeyPem(), + } + case storage.ServiceType_SCANNER_DB_SERVICE: + scannerDBSecert.Data = map[string][]byte{ + mtls.ServiceCertFileName: cert.GetCert().GetCertPem(), + mtls.CACertFileName: certificates.GetCaPem(), + mtls.ServiceKeyFileName: cert.GetCert().GetKeyPem(), + } + + default: + return errors.New("FIXME") + } } + + return nil } // When any of the secrets is missing this returns and err such that k8sErrors.IsNotFound(err) is true // On success it returns the duration after which the secrets should be refreshed -func (o *localscannerOperatorImpl) refreshLocalScannerSecrets(certificates *central.IssueLocalScannerCertsResponse) (time.Duration, error) { +func (o *localscannerOperatorImpl) refreshLocalScannerSecrets(issueCertsResponse *central.IssueLocalScannerCertsResponse) (time.Duration, error) { localScannerCredsSecret, localScannerDBCredsSecret, err := o.fetchLocalScannerSecrets() if err != nil { // FIXME wrap return 0, err } - updateLocalScannerSecret(localScannerCredsSecret, certificates.ScannerCerts) - 
updateLocalScannerSecret(localScannerDBCredsSecret, certificates.ScannerDbCerts) + if issueCertsResponse.GetError() != nil { + // FIXME Wrap + return 0, errors.New(issueCertsResponse.GetError().GetMessage()) + } + + if err := updateLocalScannerSecret(localScannerCredsSecret, localScannerDBCredsSecret, issueCertsResponse.GetCertificates()); err != nil { + // FIXME wrap + return 0, err + } ctx, cancel := context.WithTimeout(o.ctx, updateSecretsTimeout) defer cancel() From b60b336b1b0f116f303c7fdcdb0bb8d7c005609b Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 16:56:00 +0100 Subject: [PATCH 38/45] add FIXME for handling request id --- sensor/kubernetes/localscanner/operator.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/operator.go index 0eb076c3b7038..9435eec20770a 100644 --- a/sensor/kubernetes/localscanner/operator.go +++ b/sensor/kubernetes/localscanner/operator.go @@ -83,8 +83,8 @@ func (o *localscannerOperatorImpl) Capabilities() []centralsensor.SensorCapabili func (o *localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) error { switch m := msg.GetMsg().(type) { case *central.MsgToSensor_IssueLocalScannerCertsResponse: - certs := m.IssueLocalScannerCertsResponse - nextTimeToRefresh, refreshErr := o.refreshLocalScannerSecrets(certs) + issueCertsResponse := m.IssueLocalScannerCertsResponse + nextTimeToRefresh, refreshErr := o.refreshLocalScannerSecrets(issueCertsResponse) if refreshErr == nil { log.Infof("successfully refreshed local Scanner credential secrets %s and %s", localScannerCredentialsSecretName, localScannerDBCredentialsSecretName) 
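Review bot: updateLocalScannerSecret writes each secret as soon as its entry appears in the loop, so a set that carries only one of the two service types, an empty CA, or an empty cert or key PEM leaves one secret rewritten and the other untouched — after the Update calls in refreshLocalScannerSecrets the two scanner components then hold credentials from different CAs, which is what the open FIXME `validate all fields present` is about. Validating the whole set first and assigning both `Data` maps only afterwards keeps the two secrets consistent, and the `default: return errors.New("FIXME")` branch should name the unexpected service type. The typo `scannerDBSecert` is also in the new signature.
```go
func updateLocalScannerSecret(scannerSecret, scannerDBSecert *v1.Secret, certificates *storage.TypedServiceCertificateSet) error {
	if len(certificates.GetCaPem()) == 0 {
		return errors.New("certificate set has no CA PEM")
	}
	dataByType := make(map[storage.ServiceType]map[string][]byte, 2)
	for _, cert := range certificates.GetServiceCerts() {
		serviceType := cert.GetServiceType()
		switch serviceType {
		case storage.ServiceType_SCANNER_SERVICE, storage.ServiceType_SCANNER_DB_SERVICE:
		default:
			return errors.Errorf("unexpected service type %s in certificate set", serviceType)
		}
		certPEM, keyPEM := cert.GetCert().GetCertPem(), cert.GetCert().GetKeyPem()
		if len(certPEM) == 0 || len(keyPEM) == 0 {
			return errors.Errorf("missing certificate or key for service type %s", serviceType)
		}
		dataByType[serviceType] = map[string][]byte{
			mtls.ServiceCertFileName: certPEM,
			mtls.CACertFileName:      certificates.GetCaPem(),
			mtls.ServiceKeyFileName:  keyPEM,
		}
	}
	scannerData, ok := dataByType[storage.ServiceType_SCANNER_SERVICE]
	if !ok {
		return errors.New("certificate set has no scanner certificate")
	}
	scannerDBData, ok := dataByType[storage.ServiceType_SCANNER_DB_SERVICE]
	if !ok {
		return errors.New("certificate set has no scanner-db certificate")
	}
	// Only mutate the secrets once the whole set has been validated, so both
	// always end up signed by the same CA.
	scannerSecret.Data = scannerData
	scannerDBSecert.Data = scannerDBData
	return nil
}
```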
@@ -183,10 +183,11 @@ func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { func (o *localscannerOperatorImpl) issueScannerCertificates() error { ctx, cancel := context.WithTimeout(o.ctx, issueCertificatesTimeout) defer cancel() + requestID := uuid.NewV4().String() // FIXME validate response has the same request ID msg := ¢ral.MsgFromSensor{ Msg: ¢ral.MsgFromSensor_IssueLocalScannerCertsRequest{ IssueLocalScannerCertsRequest: ¢ral.IssueLocalScannerCertsRequest{ - RequestId: uuid.NewV4().String(), + RequestId: requestID, }, }, } From a34c51507a28906c0472cd27a3a398823c4fbbb0 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 16:56:55 +0100 Subject: [PATCH 39/45] Remove unnecessary intermediate variable --- sensor/kubernetes/localscanner/operator.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/operator.go index 9435eec20770a..2bc9e638b2887 100644 --- a/sensor/kubernetes/localscanner/operator.go +++ b/sensor/kubernetes/localscanner/operator.go @@ -167,8 +167,7 @@ func getScannerSecretDurationFromCertificate(scannerCert *x509.Certificate) time } func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { - scannerCertsData := scannerSecret.Data - scannerCertBytes := scannerCertsData[mtls.ServiceCertFileName] + scannerCertBytes := scannerSecret.Data[mtls.ServiceCertFileName] scannerCert, err := helpers.ParseCertificatePEM(scannerCertBytes) if err != nil { // Note this also covers a secret with no certificates stored, which should be refreshed immediately. From 1a721db7241f8619617f5492b1dde001f8663d0e Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 17:01:14 +0100 Subject: [PATCH 40/45] check cert bytes are not empty before parsing them --- sensor/kubernetes/localscanner/operator.go | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
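Review bot: The requestID hoisted into a local here is discarded as soon as the message is built, so the FIXME on the same line cannot be resolved without keeping state: ProcessMessage hands every IssueLocalScannerCertsResponse straight to refreshLocalScannerSecrets, which means a late, duplicated or otherwise unexpected response would still be written into the secrets. Store the id on the struct when the request is sent (for example `o.pendingRequestID = requestID` next to the `msg :=` line) and have refreshLocalScannerSecrets reject a response whose request id differs, assuming the response proto carries the id the FIXME refers to. Because issueScannerCertificates runs from a timer callback while ProcessMessage runs on the receiver side, that field will need a mutex or atomic rather than a plain assignment.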
diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/operator.go index 2bc9e638b2887..65c6f9ac3ac61 100644 --- a/sensor/kubernetes/localscanner/operator.go +++ b/sensor/kubernetes/localscanner/operator.go @@ -168,7 +168,16 @@ func getScannerSecretDurationFromCertificate(scannerCert *x509.Certificate) time func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { scannerCertBytes := scannerSecret.Data[mtls.ServiceCertFileName] - scannerCert, err := helpers.ParseCertificatePEM(scannerCertBytes) + var ( + scannerCert *x509.Certificate + err error + ) + if len(scannerCertBytes) == 0 { + err = errors.Errorf("empty certificate for secret %s, will refresh secret immediately", + scannerSecret.GetName()) + } else { + scannerCert, err = helpers.ParseCertificatePEM(scannerCertBytes) + } if err != nil { // Note this also covers a secret with no certificates stored, which should be refreshed immediately. log.Warnf("failure parsing certificate for secret %s, will refresh secret immediately %v", From 58941a138ccfef009d30295eb513d0d58e6d0a72 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 17:06:44 +0100 Subject: [PATCH 41/45] rename aux func, and lower log level --- sensor/kubernetes/localscanner/operator.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/operator.go index 65c6f9ac3ac61..af18fed120429 100644 --- a/sensor/kubernetes/localscanner/operator.go +++ b/sensor/kubernetes/localscanner/operator.go @@ -201,7 +201,7 @@ func (o *localscannerOperatorImpl) issueScannerCertificates() error { } select { case o.responsesC <- msg: - log.Infof("Request to issue local Scanner certificates sent to Central succesfully: %v", msg) + log.Debugf("Request to issue local Scanner certificates sent to Central succesfully: %v", msg) return nil case <-ctx.Done(): return ctx.Err() 
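Review bot: The new empty-bytes branch constructs an error whose text ("will refresh secret immediately") is then logged inside a message that says the same thing, so the warning reads twice, and the var block plus if/else exists only to carry that message into the shared error path. A guard that logs and returns directly keeps the parse call untouched: `if len(scannerCertBytes) == 0 { log.Warnf("empty certificate for secret %s, will refresh secret immediately", scannerSecret.GetName()); return 0 }` followed by the original `scannerCert, err := helpers.ParseCertificatePEM(scannerCertBytes)`, where the return value should match whatever the existing error branch returns (that branch continues outside the hunk).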
@@ -225,7 +225,7 @@ func (o *localscannerOperatorImpl) fetchLocalScannerSecrets() (*v1.Secret, *v1.S return localScannerCredsSecret, localScannerDBCredsSecret, nil } -func updateLocalScannerSecret(scannerSecret, scannerDBSecert *v1.Secret, certificates *storage.TypedServiceCertificateSet) error { +func setScannerCerts(scannerSecret, scannerDBSecert *v1.Secret, certificates *storage.TypedServiceCertificateSet) error { // FIXME: validate all fields present for _, cert := range certificates.GetServiceCerts() { switch cert.GetServiceType() { @@ -264,7 +264,7 @@ func (o *localscannerOperatorImpl) refreshLocalScannerSecrets(issueCertsResponse return 0, errors.New(issueCertsResponse.GetError().GetMessage()) } - if err := updateLocalScannerSecret(localScannerCredsSecret, localScannerDBCredsSecret, issueCertsResponse.GetCertificates()); err != nil { + if err := setScannerCerts(localScannerCredsSecret, localScannerDBCredsSecret, issueCertsResponse.GetCertificates()); err != nil { // FIXME wrap return 0, err } From f07bcba43ff3cc461a1ddf17c4ac275e69399743 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 17:22:20 +0100 Subject: [PATCH 42/45] Use "TLSIssuer" instead of "operator" --- .../{operator.go => tls_issuer.go} | 92 +++++++++---------- .../{operators_test.go => tls_issuer_test.go} | 8 +- sensor/kubernetes/sensor/sensor.go | 2 +- 3 files changed, 50 insertions(+), 52 deletions(-) rename sensor/kubernetes/localscanner/{operator.go => tls_issuer.go} (72%) rename sensor/kubernetes/localscanner/{operators_test.go => tls_issuer_test.go} (66%) diff --git a/sensor/kubernetes/localscanner/operator.go b/sensor/kubernetes/localscanner/tls_issuer.go similarity index 72% rename from sensor/kubernetes/localscanner/operator.go rename to sensor/kubernetes/localscanner/tls_issuer.go index af18fed120429..6a8f9ced21ef3 100644 --- a/sensor/kubernetes/localscanner/operator.go +++ b/sensor/kubernetes/localscanner/tls_issuer.go 
@@ -37,10 +37,9 @@ var ( log = logging.LoggerForModule() ) -// NewLocalScannerOperator creates a Sensor component that maintains the local Scanner TLS certificates -// up to date. FIXME rename? -func NewLocalScannerOperator(k8sClient kubernetes.Interface, sensorNamespace string) common.SensorComponent { - return &localscannerOperatorImpl{ +// NewLocalScannerTLSIssuer creates a Sensor component that maintains the local Scanner TLS certificates +func NewLocalScannerTLSIssuer(k8sClient kubernetes.Interface, sensorNamespace string) common.SensorComponent { + return &localScannerTLSIssuerImpl{ sensorNamespace: sensorNamespace, secretsClient: k8sClient.CoreV1().Secrets(sensorNamespace), ctx: context.Background(), @@ -48,7 +47,7 @@ func NewLocalScannerOperator(k8sClient kubernetes.Interface, sensorNamespace str } } -type localscannerOperatorImpl struct { +type localScannerTLSIssuerImpl struct { sensorNamespace string secretsClient corev1.SecretInterface numLocalScannerSecretRefreshAttempts uint 
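Review bot: The rewritten doc comment on NewLocalScannerTLSIssuer is now an unfinished sentence — "maintains the local Scanner TLS certificates" lost both "up to date" and its full stop when the FIXME was removed. Suggest `// NewLocalScannerTLSIssuer creates a Sensor component that keeps the local Scanner TLS certificates up to date.`. The constructor also still stores `context.Background()` in the struct, so Stop (which only stops the timer) cannot cancel an in-flight secret Get or Update; if that is intended it is worth a sentence in the same comment.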
@@ -57,53 +56,52 @@ type localscannerOperatorImpl struct { responsesC chan *central.MsgFromSensor } -func (o *localscannerOperatorImpl) Start() error { - log.Info("starting local scanner operator.") +func (i *localScannerTLSIssuerImpl) Start() error { + log.Info("starting local scanner TLS issuer.") - if err := o.scheduleLocalScannerSecretsRefresh(); err != nil { + if err := i.scheduleLocalScannerSecretsRefresh(); err != nil { return errors.Wrap(err, "failure scheduling local scanner secrets refresh") } - log.Info("local scanner operator started.") + log.Info("local scanner TLS issuer started.") return nil } -func (o *localscannerOperatorImpl) Stop(err error) { - if o.refreshTimer != nil { - o.refreshTimer.Stop() +func (i *localScannerTLSIssuerImpl) Stop(err error) { + if i.refreshTimer != nil { + i.refreshTimer.Stop() } - log.Info("local scanner operator stopped.") + log.Info("local scanner TLS issuer stopped.") } -func (o *localscannerOperatorImpl) Capabilities() []centralsensor.SensorCapability { +func (i *localScannerTLSIssuerImpl) Capabilities() []centralsensor.SensorCapability { return []centralsensor.SensorCapability{centralsensor.LocalScannerCredentialsRefresh} } -func (o *localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) error { +func (i *localScannerTLSIssuerImpl) ProcessMessage(msg *central.MsgToSensor) error { switch m := msg.GetMsg().(type) { case *central.MsgToSensor_IssueLocalScannerCertsResponse: - issueCertsResponse := m.IssueLocalScannerCertsResponse - nextTimeToRefresh, refreshErr := o.refreshLocalScannerSecrets(issueCertsResponse) + nextTimeToRefresh, refreshErr := i.refreshLocalScannerSecrets(m.IssueLocalScannerCertsResponse) if refreshErr == nil { log.Infof("successfully refreshed local Scanner credential secrets %s and %s", localScannerCredentialsSecretName, localScannerDBCredentialsSecretName) - o.numLocalScannerSecretRefreshAttempts = 0 - o.doScheduleLocalScannerSecretsRefresh(nextTimeToRefresh) + 
i.numLocalScannerSecretRefreshAttempts = 0 + i.doScheduleLocalScannerSecretsRefresh(nextTimeToRefresh) return nil } // note centralReceiverImpl just logs the error err := errors.Wrapf(refreshErr, "attempt %d to refresh local Scanner credential secrets, will retry in %s", - o.numLocalScannerSecretRefreshAttempts, refreshSecretAttemptWaitTime) - o.numLocalScannerSecretRefreshAttempts++ - if o.numLocalScannerSecretRefreshAttempts <= refreshSecretsMaxNumAttempts { - o.doScheduleLocalScannerSecretsRefresh(refreshSecretAttemptWaitTime) + i.numLocalScannerSecretRefreshAttempts, refreshSecretAttemptWaitTime) + i.numLocalScannerSecretRefreshAttempts++ + if i.numLocalScannerSecretRefreshAttempts <= refreshSecretsMaxNumAttempts { + i.doScheduleLocalScannerSecretsRefresh(refreshSecretAttemptWaitTime) } else { err = errors.Wrapf(refreshErr, "Failed to refresh local Scanner credential secrets after %d attempts, "+ "will wait %s and restart the retry cycle", refreshSecretsMaxNumAttempts, refreshSecretAllAttemptsFailedWaitTime) - o.numLocalScannerSecretRefreshAttempts = 0 - o.doScheduleLocalScannerSecretsRefresh(refreshSecretAllAttemptsFailedWaitTime) + i.numLocalScannerSecretRefreshAttempts = 0 + i.doScheduleLocalScannerSecretsRefresh(refreshSecretAllAttemptsFailedWaitTime) } return err 
@@ -113,15 +111,15 @@ func (o *localscannerOperatorImpl) ProcessMessage(msg *central.MsgToSensor) erro } } -func (o *localscannerOperatorImpl) ResponsesC() <-chan *central.MsgFromSensor { - return o.responsesC +func (i *localScannerTLSIssuerImpl) ResponsesC() <-chan *central.MsgFromSensor { + return i.responsesC } -func (o *localscannerOperatorImpl) scheduleLocalScannerSecretsRefresh() error { - localScannerCredsSecret, localScannerDBCredsSecret, fetchErr := o.fetchLocalScannerSecrets() +func (i *localScannerTLSIssuerImpl) scheduleLocalScannerSecretsRefresh() error { + localScannerCredsSecret, localScannerDBCredsSecret, fetchErr := i.fetchLocalScannerSecrets() if k8sErrors.IsNotFound(fetchErr) { log.Warnf("some local scanner secret is missing, "+ - "operator will not maintain any local scanner secret fresh : %v", fetchErr) + "TLS issuer will not maintain any local scanner secret fresh : %v", fetchErr) return nil } if fetchErr != nil { 
@@ -130,14 +128,14 @@ func (o *localscannerOperatorImpl) scheduleLocalScannerSecretsRefresh() error { } // if certificates are already expired this refreshes immediately. - o.doScheduleLocalScannerSecretsRefresh(getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret)) + i.doScheduleLocalScannerSecretsRefresh(getScannerSecretsDuration(localScannerCredsSecret, localScannerDBCredsSecret)) return nil } -func (o *localscannerOperatorImpl) doScheduleLocalScannerSecretsRefresh(timeToRefresh time.Duration) { +func (i *localScannerTLSIssuerImpl) doScheduleLocalScannerSecretsRefresh(timeToRefresh time.Duration) { log.Infof("local scanner certificates scheduled to be refreshed in %s", timeToRefresh) - o.refreshTimer = time.AfterFunc(timeToRefresh, func() { - if err := o.issueScannerCertificates(); err != nil { + i.refreshTimer = time.AfterFunc(timeToRefresh, func() { + if err := i.issueScannerCertificates(); err != nil { // FIXME log and treat as o.numLocalScannerSecretRefreshAttempts >= refreshSecretsMaxNumAttempts log.Error("FIXME") } @@ -170,7 +168,7 @@ func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { scannerCertBytes := scannerSecret.Data[mtls.ServiceCertFileName] var ( scannerCert *x509.Certificate - err error + err error ) if len(scannerCertBytes) == 0 { err = errors.Errorf("empty certificate for secret %s, will refresh secret immediately", @@ -188,8 +186,8 @@ func getScannerSecretDuration(scannerSecret *v1.Secret) time.Duration { return getScannerSecretDurationFromCertificate(scannerCert) } -func (o *localscannerOperatorImpl) issueScannerCertificates() error { - ctx, cancel := context.WithTimeout(o.ctx, issueCertificatesTimeout) +func (i *localScannerTLSIssuerImpl) issueScannerCertificates() error { + ctx, cancel := context.WithTimeout(i.ctx, issueCertificatesTimeout) defer cancel() requestID := uuid.NewV4().String() // FIXME validate response has the same request ID msg := ¢ral.MsgFromSensor{ 
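Review bot: In doScheduleLocalScannerSecretsRefresh the timer callback only logs `log.Error("FIXME")` when issueScannerCertificates fails and schedules nothing afterwards, so a single failed send (for instance the `ctx.Done()` branch of issueScannerCertificates visible in the @@ -188 hunk) silently ends the refresh cycle and the certificates will expire without renewal; the receiver rename carries this over unchanged. Suggest logging the real error and re-entering the retry ladder that ProcessMessage already implements, e.g. `log.Errorf("issuing local scanner certificates: %v", err)` followed by `i.doScheduleLocalScannerSecretsRefresh(refreshSecretAttemptWaitTime)`, and if numLocalScannerSecretRefreshAttempts is bumped from here it needs a mutex or atomic since ProcessMessage updates it from another goroutine. The closing `})` and `}` of the function lie outside the hunk.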
@@ -200,7 +198,7 @@ func (o *localscannerOperatorImpl) issueScannerCertificates() error { }, } select { - case o.responsesC <- msg: + case i.responsesC <- msg: log.Debugf("Request to issue local Scanner certificates sent to Central succesfully: %v", msg) return nil case <-ctx.Done(): @@ -208,16 +206,16 @@ func (o *localscannerOperatorImpl) issueScannerCertificates() error { } } -func (o *localscannerOperatorImpl) fetchLocalScannerSecrets() (*v1.Secret, *v1.Secret, error) { - ctx, cancel := context.WithTimeout(o.ctx, fetchSecretsTimeout) +func (i *localScannerTLSIssuerImpl) fetchLocalScannerSecrets() (*v1.Secret, *v1.Secret, error) { + ctx, cancel := context.WithTimeout(i.ctx, fetchSecretsTimeout) defer cancel() // FIXME multierror - localScannerCredsSecret, err := o.secretsClient.Get(ctx, localScannerCredentialsSecretName, metav1.GetOptions{}) + localScannerCredsSecret, err := i.secretsClient.Get(ctx, localScannerCredentialsSecretName, metav1.GetOptions{}) if err != nil { return nil, nil, errors.Wrapf(err, "for secret %s", localScannerCredentialsSecretName) } - localScannerDBCredsSecret, err := o.secretsClient.Get(ctx, localScannerDBCredentialsSecretName, metav1.GetOptions{}) + localScannerDBCredsSecret, err := i.secretsClient.Get(ctx, localScannerDBCredentialsSecretName, metav1.GetOptions{}) if err != nil { return nil, nil, errors.Wrapf(err, "for secret %s", localScannerDBCredentialsSecretName) } 
@@ -252,8 +250,8 @@ func setScannerCerts(scannerSecret, scannerDBSecert *v1.Secret, certificates *st // When any of the secrets is missing this returns and err such that k8sErrors.IsNotFound(err) is true // On success it returns the duration after which the secrets should be refreshed -func (o *localscannerOperatorImpl) refreshLocalScannerSecrets(issueCertsResponse *central.IssueLocalScannerCertsResponse) (time.Duration, error) { - localScannerCredsSecret, localScannerDBCredsSecret, err := o.fetchLocalScannerSecrets() +func (i *localScannerTLSIssuerImpl) refreshLocalScannerSecrets(issueCertsResponse *central.IssueLocalScannerCertsResponse) (time.Duration, error) { + localScannerCredsSecret, localScannerDBCredsSecret, err := i.fetchLocalScannerSecrets() if err != nil { // FIXME wrap return 0, err @@ -269,15 +267,15 @@ func (o *localscannerOperatorImpl) refreshLocalScannerSecrets(issueCertsResponse return 0, err } - ctx, cancel := context.WithTimeout(o.ctx, updateSecretsTimeout) + ctx, cancel := context.WithTimeout(i.ctx, updateSecretsTimeout) defer cancel() // FIXME do a loop, and apply pattern elsewhere - localScannerCredsSecret, err = o.secretsClient.Update(ctx, localScannerCredsSecret, metav1.UpdateOptions{}) + localScannerCredsSecret, err = i.secretsClient.Update(ctx, localScannerCredsSecret, metav1.UpdateOptions{}) if err != nil { // FIXME wrap return 0, err } - localScannerDBCredsSecret, err = o.secretsClient.Update(ctx, localScannerDBCredsSecret, metav1.UpdateOptions{}) + localScannerDBCredsSecret, err = i.secretsClient.Update(ctx, localScannerDBCredsSecret, metav1.UpdateOptions{}) if err != nil { // FIXME wrap return 0, err diff --git a/sensor/kubernetes/localscanner/operators_test.go b/sensor/kubernetes/localscanner/tls_issuer_test.go similarity index 66% rename from sensor/kubernetes/localscanner/operators_test.go rename to sensor/kubernetes/localscanner/tls_issuer_test.go index 49b9476f43755..01848e2c7e3e0 100644 
--- a/sensor/kubernetes/localscanner/operators_test.go +++ b/sensor/kubernetes/localscanner/tls_issuer_test.go @@ -9,14 +9,14 @@ import ( ) func TestHandler(t *testing.T) { - suite.Run(t, new(operatorSuite)) + suite.Run(t, new(tlsIssuerSuite)) } -type operatorSuite struct { +type tlsIssuerSuite struct { suite.Suite } -func (s *operatorSuite) TestGetScannerSecretDurationFromCertificate() { +func (s *tlsIssuerSuite) TestGetScannerSecretDurationFromCertificate() { now := time.Now() afterOffset := 2 * 24 * time.Hour scannerCert := &x509.Certificate{ @@ -24,5 +24,5 @@ func (s *operatorSuite) TestGetScannerSecretDurationFromCertificate() { NotAfter: now.Add(afterOffset), } certDuration := getScannerSecretDurationFromCertificate(scannerCert) - s.Assert().LessOrEqual(certDuration, afterOffset/2) + s.LessOrEqual(certDuration, afterOffset/2) } diff --git a/sensor/kubernetes/sensor/sensor.go b/sensor/kubernetes/sensor/sensor.go index f84a761bd67e8..b76617c94d582 100644 --- a/sensor/kubernetes/sensor/sensor.go +++ b/sensor/kubernetes/sensor/sensor.go @@ -148,7 +148,7 @@ func CreateSensor(client client.Interface, workloadHandler *fake.WorkloadManager externalsrcs.Singleton(), admissioncontroller.AlertHandlerSingleton(), auditLogCollectionManager, - localscanner.NewLocalScannerOperator(client.Kubernetes(), sensorNamespace), + localscanner.NewLocalScannerTLSIssuer(client.Kubernetes(), sensorNamespace), } if features.VulnRiskManagement.Enabled() { From b298a2d18a7c8baf6fd31bc6ea6d7c3768e9843d Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 17:28:57 +0100 Subject: [PATCH 43/45] fix typo in comment --- sensor/kubernetes/localscanner/tls_issuer.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sensor/kubernetes/localscanner/tls_issuer.go b/sensor/kubernetes/localscanner/tls_issuer.go index 6a8f9ced21ef3..cf06d1317cad4 100644 --- a/sensor/kubernetes/localscanner/tls_issuer.go +++ b/sensor/kubernetes/localscanner/tls_issuer.go 
@@ -248,7 +248,7 @@ func setScannerCerts(scannerSecret, scannerDBSecert *v1.Secret, certificates *st return nil } -// When any of the secrets is missing this returns and err such that k8sErrors.IsNotFound(err) is true +// When any of the secrets is missing this returns an err such that k8sErrors.IsNotFound(err) is true // On success it returns the duration after which the secrets should be refreshed func (i *localScannerTLSIssuerImpl) refreshLocalScannerSecrets(issueCertsResponse *central.IssueLocalScannerCertsResponse) (time.Duration, error) { localScannerCredsSecret, localScannerDBCredsSecret, err := i.fetchLocalScannerSecrets() From 0985ef8e3f9ffed2f4ac0513309258c7a850f376 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 14 Jan 2022 17:29:14 +0100 Subject: [PATCH 44/45] launch local scanner TLS issue only if feature flag activated --- sensor/kubernetes/sensor/sensor.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sensor/kubernetes/sensor/sensor.go b/sensor/kubernetes/sensor/sensor.go index b76617c94d582..7b1213130f4d9 100644 --- a/sensor/kubernetes/sensor/sensor.go +++ b/sensor/kubernetes/sensor/sensor.go @@ -148,13 +148,16 @@ func CreateSensor(client client.Interface, workloadHandler *fake.WorkloadManager externalsrcs.Singleton(), admissioncontroller.AlertHandlerSingleton(), auditLogCollectionManager, - localscanner.NewLocalScannerTLSIssuer(client.Kubernetes(), sensorNamespace), } if features.VulnRiskManagement.Enabled() { components = append(components, reprocessor.NewHandler(admCtrlSettingsMgr, policyDetector, imageCache)) } + if !features.LocalImageScanning.Enabled() { + components = append(components, localscanner.NewLocalScannerTLSIssuer(client.Kubernetes(), sensorNamespace)) + } + if admCtrlSettingsMgr != nil { components = append(components, k8sadmctrl.NewConfigMapSettingsPersister(client.Kubernetes(), admCtrlSettingsMgr, sensorNamespace)) } From abefd5cf18b538e979522d8dea1a8328c71282d1 Mon Sep 17 00:00:00 2001 
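Review bot: The feature-flag condition in CreateSensor looks inverted: the commit subject says the TLS issuer is launched only when the flag is activated, but `if !features.LocalImageScanning.Enabled()` appends the component when the flag is off, so clusters running local image scanning would never get their scanner certificates renewed while clusters without the feature would run the issuer against secrets they may not have. Unless the flag's polarity is deliberately reversed, the line should read `if features.LocalImageScanning.Enabled() {`. A short comment on the condition naming which deployments are expected to carry the local scanner secrets would make the intent checkable next time.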
From: Juan Rodriguez Hortala Date: Mon, 17 Jan 2022 10:25:40 +0100 Subject: [PATCH 45/45] Use nil casting trick to typecheck SensorComponent implementation --- sensor/kubernetes/localscanner/tls_issuer.go | 1 + 1 file changed, 1 insertion(+) diff --git a/sensor/kubernetes/localscanner/tls_issuer.go b/sensor/kubernetes/localscanner/tls_issuer.go index cf06d1317cad4..7d91212ff320a 100644 --- a/sensor/kubernetes/localscanner/tls_issuer.go +++ b/sensor/kubernetes/localscanner/tls_issuer.go @@ -35,6 +35,7 @@ const ( var ( log = logging.LoggerForModule() + _ common.SensorComponent = (*localScannerTLSIssuerImpl)(nil) ) // NewLocalScannerTLSIssuer creates a Sensor component that maintains the local Scanner TLS certificates