AUTH-2596 added new logger package and replaced logrus
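--- a/vendor/github.com/cloudflare/cfssl/LICENSE
+++ b/vendor/github.com/cloudflare/cfssl/LICENSE
@@ -1,24 +0,0 @@
-Copyright (c) 2014 CloudFlare Inc.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.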
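--- a/vendor/github.com/cloudflare/cfssl/log/log.go
+++ b/vendor/github.com/cloudflare/cfssl/log/log.go
@@ -1,98 +0,0 @@
-// Package log implements a wrapper around the Go standard library's
-// logging package. Clients should set the current log level; only
-// messages below that level will actually be logged. For example, if
-// Level is set to LevelWarning, only log messages at the Warning,
-// Error, and Critical levels will be logged.
-package log
-
-import (
-"fmt"
-golog "log"
-)
-
-// The following constants represent logging levels in increasing levels of seriousness.
-const (
-LevelDebug = iota
-LevelInfo
-LevelWarning
-LevelError
-LevelCritical
-)
-
-var levelPrefix = [...]string{
-LevelDebug: "[DEBUG] ",
-LevelInfo: "[INFO] ",
-LevelWarning: "[WARNING] ",
-LevelError: "[ERROR] ",
-LevelCritical: "[CRITICAL] ",
-}
-
-// Level stores the current logging level.
-var Level = LevelDebug
-
-func outputf(l int, format string, v []interface{}) {
-if l >= Level {
-golog.Printf(fmt.Sprint(levelPrefix[l], format), v...)
-}
-}
-
-func output(l int, v []interface{}) {
-if l >= Level {
-golog.Print(levelPrefix[l], fmt.Sprint(v...))
-}
-}
-
-// Criticalf logs a formatted message at the "critical" level. The
-// arguments are handled in the same manner as fmt.Printf.
-func Criticalf(format string, v ...interface{}) {
-outputf(LevelCritical, format, v)
-}
-
-// Critical logs its arguments at the "critical" level.
-func Critical(v ...interface{}) {
-output(LevelCritical, v)
-}
-
-// Errorf logs a formatted message at the "error" level. The arguments
-// are handled in the same manner as fmt.Printf.
-func Errorf(format string, v ...interface{}) {
-outputf(LevelError, format, v)
-}
-
-// Error logs its arguments at the "error" level.
-func Error(v ...interface{}) {
-output(LevelError, v)
-}
-
-// Warningf logs a formatted message at the "warning" level. The
-// arguments are handled in the same manner as fmt.Printf.
-func Warningf(format string, v ...interface{}) {
-outputf(LevelWarning, format, v)
-}
-
-// Warning logs its arguments at the "warning" level.
-func Warning(v ...interface{}) {
-output(LevelWarning, v)
-}
-
-// Infof logs a formatted message at the "info" level. The arguments
-// are handled in the same manner as fmt.Printf.
-func Infof(format string, v ...interface{}) {
-outputf(LevelInfo, format, v)
-}
-
-// Info logs its arguments at the "info" level.
-func Info(v ...interface{}) {
-output(LevelInfo, v)
-}
-
-// Debugf logs a formatted message at the "debug" level. The arguments
-// are handled in the same manner as fmt.Printf.
-func Debugf(format string, v ...interface{}) {
-outputf(LevelDebug, format, v)
-}
-
-// Debug logs its arguments at the "debug" level.
-func Debug(v ...interface{}) {
-output(LevelDebug, v)
-}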
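--- a/vendor/github.com/cloudflare/cfssl/revoke/revoke.go
+++ b/vendor/github.com/cloudflare/cfssl/revoke/revoke.go
@@ -1,146 +0,0 @@
-// Package revoke provides functionality for checking the validity of
-// a cert. Specifically, the temporal validity of the certificate is
-// checked first, then any CRL in the cert is checked. OCSP is not
-// supported at this time.
-package revoke
-
-import (
-"crypto/x509"
-"crypto/x509/pkix"
-"errors"
-"io/ioutil"
-"net/http"
-neturl "net/url"
-"time"
-
-"github.com/cloudflare/cfssl/log"
-)
-
-// HardFail determines whether the failure to check the revocation
-// status of a certificate (i.e. due to network failure) causes
-// verification to fail (a hard failure).
-var HardFail = false
-
-// TODO (kyle): figure out a good mechanism for OCSP; this requires
-// presenting both the certificate and the issuer, and we don't have a
-// good way at this time of getting the issuer.
-
-// CRLSet associates a PKIX certificate list with the URL the CRL is
-// fetched from.
-var CRLSet = map[string]*pkix.CertificateList{}
-
-// We can't handle LDAP certificates, so this checks to see if the
-// URL string points to an LDAP resource so that we can ignore it.
-func ldapURL(url string) bool {
-u, err := neturl.Parse(url)
-if err != nil {
-log.Warningf("invalid url %s: %v", url, err)
-return false
-}
-if u.Scheme == "ldap" {
-return true
-}
-return false
-}
-
-// revCheck should check the certificate for any revocations. It
-// returns a pair of booleans: the first indicates whether the certificate
-// is revoked, the second indicates whether the revocations were
-// successfully checked.. This leads to the following combinations:
-//
-// false, false: an error was encountered while checking revocations.
-//
-// false, true: the certificate was checked successfully and
-// it is not revoked.
-//
-// true, true: the certificate was checked successfully and
-// it is revoked.
-func revCheck(cert *x509.Certificate) (revoked, ok bool) {
-for _, url := range cert.CRLDistributionPoints {
-if ldapURL(url) {
-log.Infof("skipping LDAP CRL: %s", url)
-continue
-}
-
-if revoked, ok := certIsRevokedCRL(cert, url); !ok {
-log.Warning("error checking revocation via CRL")
-if HardFail {
-return true, false
-}
-return false, false
-} else if revoked {
-log.Info("certificate is revoked via CRL")
-return true, true
-}
-}
-
-return false, true
-}
-
-// fetchCRL fetches and parses a CRL.
-func fetchCRL(url string) (*pkix.CertificateList, error) {
-resp, err := http.Get(url)
-if err != nil {
-return nil, err
-} else if resp.StatusCode >= 300 {
-return nil, errors.New("failed to retrieve CRL")
-}
-
-body, err := ioutil.ReadAll(resp.Body)
-if err != nil {
-return nil, err
-}
-resp.Body.Close()
-
-return x509.ParseCRL(body)
-}
-
-// check a cert against a specific CRL. Returns the same bool pair
-// as revCheck.
-func certIsRevokedCRL(cert *x509.Certificate, url string) (revoked, ok bool) {
-crl, ok := CRLSet[url]
-if ok && crl == nil {
-ok = false
-delete(CRLSet, url)
-}
-
-var shouldFetchCRL = true
-if ok {
-if !crl.HasExpired(time.Now()) {
-shouldFetchCRL = false
-}
-}
-
-if shouldFetchCRL {
-var err error
-crl, err = fetchCRL(url)
-if err != nil {
-log.Warningf("failed to fetch CRL: %v", err)
-return false, false
-}
-CRLSet[url] = crl
-}
-
-for _, revoked := range crl.TBSCertList.RevokedCertificates {
-if cert.SerialNumber.Cmp(revoked.SerialNumber) == 0 {
-log.Info("Serial number match: intermediate is revoked.")
-return true, true
-}
-}
-
-return false, true
-}
-
-// VerifyCertificate ensures that the certificate passed in hasn't
-// expired and checks the CRL for the server.
-func VerifyCertificate(cert *x509.Certificate) (revoked, ok bool) {
-if !time.Now().Before(cert.NotAfter) {
-log.Infof("Certificate expired %s\n", cert.NotAfter)
-return true, true
-} else if !time.Now().After(cert.NotBefore) {
-log.Infof("Certificate isn't valid until %s\n", cert.NotBefore)
-return true, true
-}
-
-return revCheck(cert)
-}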