feat: remove security proto (#403)

Signed-off-by: Gaius <gaius.qi@gmail.com>
Gaius 2024-10-10 17:54:09 +08:00 committed by GitHub
parent b246448e87
commit 50b7abc20e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 8 additions and 1071 deletions

Cargo.lock generated

@ -190,7 +190,7 @@ dependencies = [
[[package]]
name = "dragonfly-api"
version = "2.0.166"
version = "2.0.167"
dependencies = [
"prost",
"prost-types",


@ -1,6 +1,6 @@
[package]
name = "dragonfly-api"
version = "2.0.166"
version = "2.0.167"
authors = ["Gaius <gaius.qi@gmail.com>"]
edition = "2021"
license = "Apache-2.0"
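Review bot: The version only moves from 2.0.166 to 2.0.167, a patch increment, while the `src/lib.rs` hunk in this commit drops `pub mod security;` and the `build.rs` hunk stops compiling `proto/security.proto`, which removes the public `CertificateRequest`, `CertificateResponse` and `certificate_client`/`certificate_server` items from the crate. Downstream crates on a caret requirement will pick up that build break on their next `cargo update` without any signal from the version. A removal of public API is a breaking change under semver and warrants at least `version = "2.1.0"` (or a major bump, given the crate is already at 2.x), or a deprecation cycle before the removal. The same concern presumably applies to the Go module, whose generated `pkg/apis/security/v1` package is deleted in the same commit, though its versioning is not visible here.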


@ -2,8 +2,11 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
tonic_build::configure()
.file_descriptor_set_path("src/descriptor.bin")
.protoc_arg("--experimental_allow_proto3_optional")
.type_attribute(".", "#[derive(serde::Serialize, serde::Deserialize)]", )
.type_attribute("scheduler.v2.AnnouncePeerRequest.request", "#[allow(clippy::large_enum_variant)]", )
.type_attribute(".", "#[derive(serde::Serialize, serde::Deserialize)]")
.type_attribute(
"scheduler.v2.AnnouncePeerRequest.request",
"#[allow(clippy::large_enum_variant)]",
)
.extern_path(".google.protobuf.Timestamp", "::prost_wkt_types::Timestamp")
.extern_path(".google.protobuf.Duration", "::prost_wkt_types::Duration")
.out_dir("src")
@ -11,7 +14,6 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
&[
"proto/common.proto",
"proto/errordetails.proto",
"proto/security.proto",
"proto/dfdaemon.proto",
"proto/manager.proto",
"proto/scheduler.proto",
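Review bot: The first hunk, which only re-wraps the two `.type_attribute(...)` calls and drops their trailing commas, is a formatting-only rewrite bundled into a functional commit, so the real change — removing `"proto/security.proto"` from the compile list in the second hunk — is harder to pick out in blame. Keep rustfmt-only churn in its own commit or name it in the description. The body of `main` starts before the first hunk and continues past the second, so whether the rest of the `compile` call or the `file_descriptor_set_path` output (`src/descriptor.bin`, which this commit also replaces) needs further adjustment is not visible from these hunks.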


@ -5,8 +5,7 @@ PROTO_PATH=pkg/apis
LANGUAGE=go
proto_modules="common/v1 common/v2 cdnsystem/v1 dfdaemon/v1 dfdaemon/v2
errordetails/v1 errordetails/v2 manager/v1 manager/v2 scheduler/v1 scheduler/v2
security/v1"
errordetails/v1 errordetails/v2 manager/v1 manager/v2 scheduler/v1 scheduler/v2"
echo "generate protos..."


@ -1,264 +0,0 @@
//
// Copyright 2022 The Dragonfly Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.28.1
// protoc v3.21.6
// source: pkg/apis/security/v1/security.proto
package security
import (
_ "github.com/envoyproxy/protoc-gen-validate/validate"
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
durationpb "google.golang.org/protobuf/types/known/durationpb"
reflect "reflect"
sync "sync"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
// Certificate request type.
// Dragonfly supports peers authentication with Mutual TLS(mTLS)
// For mTLS, all peers need to request TLS certificates for communicating
// The server side may overwrite ant requested certificate filed based on its policies.
type CertificateRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// ASN.1 DER form certificate request.
// The public key in the CSR is used to generate the certificate,
// and other fields in the generated certificate may be overwritten by the CA.
Csr []byte `protobuf:"bytes,1,opt,name=csr,proto3" json:"csr,omitempty"`
// Optional: requested certificate validity period.
ValidityPeriod *durationpb.Duration `protobuf:"bytes,2,opt,name=validity_period,json=validityPeriod,proto3" json:"validity_period,omitempty"`
}
func (x *CertificateRequest) Reset() {
*x = CertificateRequest{}
if protoimpl.UnsafeEnabled {
mi := &file_pkg_apis_security_v1_security_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *CertificateRequest) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*CertificateRequest) ProtoMessage() {}
func (x *CertificateRequest) ProtoReflect() protoreflect.Message {
mi := &file_pkg_apis_security_v1_security_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use CertificateRequest.ProtoReflect.Descriptor instead.
func (*CertificateRequest) Descriptor() ([]byte, []int) {
return file_pkg_apis_security_v1_security_proto_rawDescGZIP(), []int{0}
}
func (x *CertificateRequest) GetCsr() []byte {
if x != nil {
return x.Csr
}
return nil
}
func (x *CertificateRequest) GetValidityPeriod() *durationpb.Duration {
if x != nil {
return x.ValidityPeriod
}
return nil
}
// Certificate response type.
type CertificateResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// ASN.1 DER form certificate chain.
CertificateChain [][]byte `protobuf:"bytes,1,rep,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"`
}
func (x *CertificateResponse) Reset() {
*x = CertificateResponse{}
if protoimpl.UnsafeEnabled {
mi := &file_pkg_apis_security_v1_security_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *CertificateResponse) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*CertificateResponse) ProtoMessage() {}
func (x *CertificateResponse) ProtoReflect() protoreflect.Message {
mi := &file_pkg_apis_security_v1_security_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use CertificateResponse.ProtoReflect.Descriptor instead.
func (*CertificateResponse) Descriptor() ([]byte, []int) {
return file_pkg_apis_security_v1_security_proto_rawDescGZIP(), []int{1}
}
func (x *CertificateResponse) GetCertificateChain() [][]byte {
if x != nil {
return x.CertificateChain
}
return nil
}
var File_pkg_apis_security_v1_security_proto protoreflect.FileDescriptor
var file_pkg_apis_security_v1_security_proto_rawDesc = []byte{
0x0a, 0x23, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72,
0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x1a,
0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
0x17, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61,
0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x7d, 0x0a, 0x12, 0x43, 0x65, 0x72, 0x74,
0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19,
0x0a, 0x03, 0x63, 0x73, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x42, 0x07, 0xfa, 0x42, 0x04,
0x7a, 0x02, 0x10, 0x01, 0x52, 0x03, 0x63, 0x73, 0x72, 0x12, 0x4c, 0x0a, 0x0f, 0x76, 0x61, 0x6c,
0x69, 0x64, 0x69, 0x74, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x08, 0xfa,
0x42, 0x05, 0xaa, 0x01, 0x02, 0x08, 0x01, 0x52, 0x0e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x69, 0x74,
0x79, 0x50, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x22, 0x4c, 0x0a, 0x13, 0x43, 0x65, 0x72, 0x74, 0x69,
0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x35,
0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68,
0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0c, 0x42, 0x08, 0xfa, 0x42, 0x05, 0x92, 0x01,
0x02, 0x08, 0x01, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
0x43, 0x68, 0x61, 0x69, 0x6e, 0x32, 0x60, 0x0a, 0x0b, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
0x63, 0x61, 0x74, 0x65, 0x12, 0x51, 0x0a, 0x10, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72,
0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1c, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72,
0x69, 0x74, 0x79, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52,
0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74,
0x79, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73,
0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x2d, 0x5a, 0x2b, 0x64, 0x37, 0x79, 0x2e, 0x69,
0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x32, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69,
0x73, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x73, 0x65,
0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
file_pkg_apis_security_v1_security_proto_rawDescOnce sync.Once
file_pkg_apis_security_v1_security_proto_rawDescData = file_pkg_apis_security_v1_security_proto_rawDesc
)
func file_pkg_apis_security_v1_security_proto_rawDescGZIP() []byte {
file_pkg_apis_security_v1_security_proto_rawDescOnce.Do(func() {
file_pkg_apis_security_v1_security_proto_rawDescData = protoimpl.X.CompressGZIP(file_pkg_apis_security_v1_security_proto_rawDescData)
})
return file_pkg_apis_security_v1_security_proto_rawDescData
}
var file_pkg_apis_security_v1_security_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_pkg_apis_security_v1_security_proto_goTypes = []interface{}{
(*CertificateRequest)(nil), // 0: security.CertificateRequest
(*CertificateResponse)(nil), // 1: security.CertificateResponse
(*durationpb.Duration)(nil), // 2: google.protobuf.Duration
}
var file_pkg_apis_security_v1_security_proto_depIdxs = []int32{
2, // 0: security.CertificateRequest.validity_period:type_name -> google.protobuf.Duration
0, // 1: security.Certificate.IssueCertificate:input_type -> security.CertificateRequest
1, // 2: security.Certificate.IssueCertificate:output_type -> security.CertificateResponse
2, // [2:3] is the sub-list for method output_type
1, // [1:2] is the sub-list for method input_type
1, // [1:1] is the sub-list for extension type_name
1, // [1:1] is the sub-list for extension extendee
0, // [0:1] is the sub-list for field type_name
}
func init() { file_pkg_apis_security_v1_security_proto_init() }
func file_pkg_apis_security_v1_security_proto_init() {
if File_pkg_apis_security_v1_security_proto != nil {
return
}
if !protoimpl.UnsafeEnabled {
file_pkg_apis_security_v1_security_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*CertificateRequest); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_pkg_apis_security_v1_security_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*CertificateResponse); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_pkg_apis_security_v1_security_proto_rawDesc,
NumEnums: 0,
NumMessages: 2,
NumExtensions: 0,
NumServices: 1,
},
GoTypes: file_pkg_apis_security_v1_security_proto_goTypes,
DependencyIndexes: file_pkg_apis_security_v1_security_proto_depIdxs,
MessageInfos: file_pkg_apis_security_v1_security_proto_msgTypes,
}.Build()
File_pkg_apis_security_v1_security_proto = out.File
file_pkg_apis_security_v1_security_proto_rawDesc = nil
file_pkg_apis_security_v1_security_proto_goTypes = nil
file_pkg_apis_security_v1_security_proto_depIdxs = nil
}


@ -1,273 +0,0 @@
// Code generated by protoc-gen-validate. DO NOT EDIT.
// source: pkg/apis/security/v1/security.proto
package security
import (
"bytes"
"errors"
"fmt"
"net"
"net/mail"
"net/url"
"regexp"
"sort"
"strings"
"time"
"unicode/utf8"
"google.golang.org/protobuf/types/known/anypb"
)
// ensure the imports are used
var (
_ = bytes.MinRead
_ = errors.New("")
_ = fmt.Print
_ = utf8.UTFMax
_ = (*regexp.Regexp)(nil)
_ = (*strings.Reader)(nil)
_ = net.IPv4len
_ = time.Duration(0)
_ = (*url.URL)(nil)
_ = (*mail.Address)(nil)
_ = anypb.Any{}
_ = sort.Sort
)
// Validate checks the field values on CertificateRequest with the rules
// defined in the proto definition for this message. If any rules are
// violated, the first error encountered is returned, or nil if there are no violations.
func (m *CertificateRequest) Validate() error {
return m.validate(false)
}
// ValidateAll checks the field values on CertificateRequest with the rules
// defined in the proto definition for this message. If any rules are
// violated, the result is a list of violation errors wrapped in
// CertificateRequestMultiError, or nil if none found.
func (m *CertificateRequest) ValidateAll() error {
return m.validate(true)
}
func (m *CertificateRequest) validate(all bool) error {
if m == nil {
return nil
}
var errors []error
if len(m.GetCsr()) < 1 {
err := CertificateRequestValidationError{
field: "Csr",
reason: "value length must be at least 1 bytes",
}
if !all {
return err
}
errors = append(errors, err)
}
if m.GetValidityPeriod() == nil {
err := CertificateRequestValidationError{
field: "ValidityPeriod",
reason: "value is required",
}
if !all {
return err
}
errors = append(errors, err)
}
if len(errors) > 0 {
return CertificateRequestMultiError(errors)
}
return nil
}
// CertificateRequestMultiError is an error wrapping multiple validation errors
// returned by CertificateRequest.ValidateAll() if the designated constraints
// aren't met.
type CertificateRequestMultiError []error
// Error returns a concatenation of all the error messages it wraps.
func (m CertificateRequestMultiError) Error() string {
var msgs []string
for _, err := range m {
msgs = append(msgs, err.Error())
}
return strings.Join(msgs, "; ")
}
// AllErrors returns a list of validation violation errors.
func (m CertificateRequestMultiError) AllErrors() []error { return m }
// CertificateRequestValidationError is the validation error returned by
// CertificateRequest.Validate if the designated constraints aren't met.
type CertificateRequestValidationError struct {
field string
reason string
cause error
key bool
}
// Field function returns field value.
func (e CertificateRequestValidationError) Field() string { return e.field }
// Reason function returns reason value.
func (e CertificateRequestValidationError) Reason() string { return e.reason }
// Cause function returns cause value.
func (e CertificateRequestValidationError) Cause() error { return e.cause }
// Key function returns key value.
func (e CertificateRequestValidationError) Key() bool { return e.key }
// ErrorName returns error name.
func (e CertificateRequestValidationError) ErrorName() string {
return "CertificateRequestValidationError"
}
// Error satisfies the builtin error interface
func (e CertificateRequestValidationError) Error() string {
cause := ""
if e.cause != nil {
cause = fmt.Sprintf(" | caused by: %v", e.cause)
}
key := ""
if e.key {
key = "key for "
}
return fmt.Sprintf(
"invalid %sCertificateRequest.%s: %s%s",
key,
e.field,
e.reason,
cause)
}
var _ error = CertificateRequestValidationError{}
var _ interface {
Field() string
Reason() string
Key() bool
Cause() error
ErrorName() string
} = CertificateRequestValidationError{}
// Validate checks the field values on CertificateResponse with the rules
// defined in the proto definition for this message. If any rules are
// violated, the first error encountered is returned, or nil if there are no violations.
func (m *CertificateResponse) Validate() error {
return m.validate(false)
}
// ValidateAll checks the field values on CertificateResponse with the rules
// defined in the proto definition for this message. If any rules are
// violated, the result is a list of violation errors wrapped in
// CertificateResponseMultiError, or nil if none found.
func (m *CertificateResponse) ValidateAll() error {
return m.validate(true)
}
func (m *CertificateResponse) validate(all bool) error {
if m == nil {
return nil
}
var errors []error
if len(m.GetCertificateChain()) < 1 {
err := CertificateResponseValidationError{
field: "CertificateChain",
reason: "value must contain at least 1 item(s)",
}
if !all {
return err
}
errors = append(errors, err)
}
if len(errors) > 0 {
return CertificateResponseMultiError(errors)
}
return nil
}
// CertificateResponseMultiError is an error wrapping multiple validation
// errors returned by CertificateResponse.ValidateAll() if the designated
// constraints aren't met.
type CertificateResponseMultiError []error
// Error returns a concatenation of all the error messages it wraps.
func (m CertificateResponseMultiError) Error() string {
var msgs []string
for _, err := range m {
msgs = append(msgs, err.Error())
}
return strings.Join(msgs, "; ")
}
// AllErrors returns a list of validation violation errors.
func (m CertificateResponseMultiError) AllErrors() []error { return m }
// CertificateResponseValidationError is the validation error returned by
// CertificateResponse.Validate if the designated constraints aren't met.
type CertificateResponseValidationError struct {
field string
reason string
cause error
key bool
}
// Field function returns field value.
func (e CertificateResponseValidationError) Field() string { return e.field }
// Reason function returns reason value.
func (e CertificateResponseValidationError) Reason() string { return e.reason }
// Cause function returns cause value.
func (e CertificateResponseValidationError) Cause() error { return e.cause }
// Key function returns key value.
func (e CertificateResponseValidationError) Key() bool { return e.key }
// ErrorName returns error name.
func (e CertificateResponseValidationError) ErrorName() string {
return "CertificateResponseValidationError"
}
// Error satisfies the builtin error interface
func (e CertificateResponseValidationError) Error() string {
cause := ""
if e.cause != nil {
cause = fmt.Sprintf(" | caused by: %v", e.cause)
}
key := ""
if e.key {
key = "key for "
}
return fmt.Sprintf(
"invalid %sCertificateResponse.%s: %s%s",
key,
e.field,
e.reason,
cause)
}
var _ error = CertificateResponseValidationError{}
var _ interface {
Field() string
Reason() string
Key() bool
Cause() error
ErrorName() string
} = CertificateResponseValidationError{}


@ -1,54 +0,0 @@
/*
* Copyright 2022 The Dragonfly Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
syntax = "proto3";
package security;
import "google/protobuf/duration.proto";
import "validate/validate.proto";
option go_package = "d7y.io/api/v2/pkg/apis/security/v1;security";
// Refer: https://github.com/istio/api/blob/master/security/v1alpha1/ca.proto
// Istio defines similar api for signing certificate, but it's not applicable in Dragonfly.
// Certificate request type.
// Dragonfly supports peers authentication with Mutual TLS(mTLS)
// For mTLS, all peers need to request TLS certificates for communicating
// The server side may overwrite ant requested certificate filed based on its policies.
message CertificateRequest {
// ASN.1 DER form certificate request.
// The public key in the CSR is used to generate the certificate,
// and other fields in the generated certificate may be overwritten by the CA.
bytes csr = 1 [(validate.rules).bytes.min_len = 1];
// Optional: requested certificate validity period.
google.protobuf.Duration validity_period = 2 [(validate.rules).duration.required = true];
}
// Certificate response type.
message CertificateResponse {
// ASN.1 DER form certificate chain.
repeated bytes certificate_chain = 1 [(validate.rules).repeated.min_items = 1];
}
// Service for managing certificates issued by the CA.
service Certificate {
// Using provided CSR, returns a signed certificate.
rpc IssueCertificate(CertificateRequest)
returns (CertificateResponse) {
}
}


@ -1,105 +0,0 @@
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
// versions:
// - protoc-gen-go-grpc v1.2.0
// - protoc v3.21.6
// source: pkg/apis/security/v1/security.proto
package security
import (
context "context"
grpc "google.golang.org/grpc"
codes "google.golang.org/grpc/codes"
status "google.golang.org/grpc/status"
)
// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
// Requires gRPC-Go v1.32.0 or later.
const _ = grpc.SupportPackageIsVersion7
// CertificateClient is the client API for Certificate service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type CertificateClient interface {
// Using provided CSR, returns a signed certificate.
IssueCertificate(ctx context.Context, in *CertificateRequest, opts ...grpc.CallOption) (*CertificateResponse, error)
}
type certificateClient struct {
cc grpc.ClientConnInterface
}
func NewCertificateClient(cc grpc.ClientConnInterface) CertificateClient {
return &certificateClient{cc}
}
func (c *certificateClient) IssueCertificate(ctx context.Context, in *CertificateRequest, opts ...grpc.CallOption) (*CertificateResponse, error) {
out := new(CertificateResponse)
err := c.cc.Invoke(ctx, "/security.Certificate/IssueCertificate", in, out, opts...)
if err != nil {
return nil, err
}
return out, nil
}
// CertificateServer is the server API for Certificate service.
// All implementations should embed UnimplementedCertificateServer
// for forward compatibility
type CertificateServer interface {
// Using provided CSR, returns a signed certificate.
IssueCertificate(context.Context, *CertificateRequest) (*CertificateResponse, error)
}
// UnimplementedCertificateServer should be embedded to have forward compatible implementations.
type UnimplementedCertificateServer struct {
}
func (UnimplementedCertificateServer) IssueCertificate(context.Context, *CertificateRequest) (*CertificateResponse, error) {
return nil, status.Errorf(codes.Unimplemented, "method IssueCertificate not implemented")
}
// UnsafeCertificateServer may be embedded to opt out of forward compatibility for this service.
// Use of this interface is not recommended, as added methods to CertificateServer will
// result in compilation errors.
type UnsafeCertificateServer interface {
mustEmbedUnimplementedCertificateServer()
}
func RegisterCertificateServer(s grpc.ServiceRegistrar, srv CertificateServer) {
s.RegisterService(&Certificate_ServiceDesc, srv)
}
func _Certificate_IssueCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
in := new(CertificateRequest)
if err := dec(in); err != nil {
return nil, err
}
if interceptor == nil {
return srv.(CertificateServer).IssueCertificate(ctx, in)
}
info := &grpc.UnaryServerInfo{
Server: srv,
FullMethod: "/security.Certificate/IssueCertificate",
}
handler := func(ctx context.Context, req interface{}) (interface{}, error) {
return srv.(CertificateServer).IssueCertificate(ctx, req.(*CertificateRequest))
}
return interceptor(ctx, in, info, handler)
}
// Certificate_ServiceDesc is the grpc.ServiceDesc for Certificate service.
// It's only intended for direct use with grpc.RegisterService,
// and not to be introspected or modified (even as a copy)
var Certificate_ServiceDesc = grpc.ServiceDesc{
ServiceName: "security.Certificate",
HandlerType: (*CertificateServer)(nil),
Methods: []grpc.MethodDesc{
{
MethodName: "IssueCertificate",
Handler: _Certificate_IssueCertificate_Handler,
},
},
Streams: []grpc.StreamDesc{},
Metadata: "pkg/apis/security/v1/security.proto",
}


@ -1,51 +0,0 @@
/*
* Copyright 2022 The Dragonfly Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
syntax = "proto3";
package security;
import "google/protobuf/duration.proto";
// Refer: https://github.com/istio/api/blob/master/security/v1alpha1/ca.proto
// Istio defines similar api for signing certificate, but it's not applicable in Dragonfly.
// Certificate request type.
// Dragonfly supports peers authentication with Mutual TLS(mTLS)
// For mTLS, all peers need to request TLS certificates for communicating
// The server side may overwrite ant requested certificate filed based on its policies.
message CertificateRequest {
// ASN.1 DER form certificate request.
// The public key in the CSR is used to generate the certificate,
// and other fields in the generated certificate may be overwritten by the CA.
bytes csr = 1;
// Optional: requested certificate validity period.
google.protobuf.Duration validity_period = 2;
}
// Certificate response type.
message CertificateResponse {
// ASN.1 DER form certificate chain.
repeated bytes certificate_chain = 1;
}
// Service for managing certificates issued by the CA.
service Certificate {
// Using provided CSR, returns a signed certificate.
rpc IssueCertificate(CertificateRequest)
returns (CertificateResponse) {
}
}

Binary file not shown.


@ -28,7 +28,5 @@ pub mod scheduler {
pub mod v2;
}
pub mod security;
// FILE_DESCRIPTOR_SET is the serialized FileDescriptorSet of the proto files.
pub const FILE_DESCRIPTOR_SET: &[u8] = include_bytes!("descriptor.bin");


@ -1,315 +0,0 @@
// This file is @generated by prost-build.
/// Certificate request type.
/// Dragonfly supports peers authentication with Mutual TLS(mTLS)
/// For mTLS, all peers need to request TLS certificates for communicating
/// The server side may overwrite ant requested certificate filed based on its policies.
#[derive(serde::Serialize, serde::Deserialize)]
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct CertificateRequest {
/// ASN.1 DER form certificate request.
/// The public key in the CSR is used to generate the certificate,
/// and other fields in the generated certificate may be overwritten by the CA.
#[prost(bytes = "vec", tag = "1")]
pub csr: ::prost::alloc::vec::Vec<u8>,
/// Optional: requested certificate validity period.
#[prost(message, optional, tag = "2")]
pub validity_period: ::core::option::Option<::prost_wkt_types::Duration>,
}
/// Certificate response type.
#[derive(serde::Serialize, serde::Deserialize)]
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct CertificateResponse {
/// ASN.1 DER form certificate chain.
#[prost(bytes = "vec", repeated, tag = "1")]
pub certificate_chain: ::prost::alloc::vec::Vec<::prost::alloc::vec::Vec<u8>>,
}
/// Generated client implementations.
pub mod certificate_client {
#![allow(unused_variables, dead_code, missing_docs, clippy::let_unit_value)]
use tonic::codegen::*;
use tonic::codegen::http::Uri;
/// Service for managing certificates issued by the CA.
#[derive(Debug, Clone)]
pub struct CertificateClient<T> {
inner: tonic::client::Grpc<T>,
}
impl CertificateClient<tonic::transport::Channel> {
/// Attempt to create a new client by connecting to a given endpoint.
pub async fn connect<D>(dst: D) -> Result<Self, tonic::transport::Error>
where
D: TryInto<tonic::transport::Endpoint>,
D::Error: Into<StdError>,
{
let conn = tonic::transport::Endpoint::new(dst)?.connect().await?;
Ok(Self::new(conn))
}
}
impl<T> CertificateClient<T>
where
T: tonic::client::GrpcService<tonic::body::BoxBody>,
T::Error: Into<StdError>,
T::ResponseBody: Body<Data = Bytes> + std::marker::Send + 'static,
<T::ResponseBody as Body>::Error: Into<StdError> + std::marker::Send,
{
pub fn new(inner: T) -> Self {
let inner = tonic::client::Grpc::new(inner);
Self { inner }
}
pub fn with_origin(inner: T, origin: Uri) -> Self {
let inner = tonic::client::Grpc::with_origin(inner, origin);
Self { inner }
}
pub fn with_interceptor<F>(
inner: T,
interceptor: F,
) -> CertificateClient<InterceptedService<T, F>>
where
F: tonic::service::Interceptor,
T::ResponseBody: Default,
T: tonic::codegen::Service<
http::Request<tonic::body::BoxBody>,
Response = http::Response<
<T as tonic::client::GrpcService<tonic::body::BoxBody>>::ResponseBody,
>,
>,
<T as tonic::codegen::Service<
http::Request<tonic::body::BoxBody>,
>>::Error: Into<StdError> + std::marker::Send + std::marker::Sync,
{
CertificateClient::new(InterceptedService::new(inner, interceptor))
}
/// Compress requests with the given encoding.
///
/// This requires the server to support it otherwise it might respond with an
/// error.
#[must_use]
pub fn send_compressed(mut self, encoding: CompressionEncoding) -> Self {
self.inner = self.inner.send_compressed(encoding);
self
}
/// Enable decompressing responses.
#[must_use]
pub fn accept_compressed(mut self, encoding: CompressionEncoding) -> Self {
self.inner = self.inner.accept_compressed(encoding);
self
}
/// Limits the maximum size of a decoded message.
///
/// Default: `4MB`
#[must_use]
pub fn max_decoding_message_size(mut self, limit: usize) -> Self {
self.inner = self.inner.max_decoding_message_size(limit);
self
}
/// Limits the maximum size of an encoded message.
///
/// Default: `usize::MAX`
#[must_use]
pub fn max_encoding_message_size(mut self, limit: usize) -> Self {
self.inner = self.inner.max_encoding_message_size(limit);
self
}
/// Using provided CSR, returns a signed certificate.
pub async fn issue_certificate(
&mut self,
request: impl tonic::IntoRequest<super::CertificateRequest>,
) -> std::result::Result<
tonic::Response<super::CertificateResponse>,
tonic::Status,
> {
self.inner
.ready()
.await
.map_err(|e| {
tonic::Status::new(
tonic::Code::Unknown,
format!("Service was not ready: {}", e.into()),
)
})?;
let codec = tonic::codec::ProstCodec::default();
let path = http::uri::PathAndQuery::from_static(
"/security.Certificate/IssueCertificate",
);
let mut req = request.into_request();
req.extensions_mut()
.insert(GrpcMethod::new("security.Certificate", "IssueCertificate"));
self.inner.unary(req, path, codec).await
}
}
}
/// Generated server implementations.
pub mod certificate_server {
#![allow(unused_variables, dead_code, missing_docs, clippy::let_unit_value)]
use tonic::codegen::*;
/// Generated trait containing gRPC methods that should be implemented for use with CertificateServer.
#[async_trait]
pub trait Certificate: std::marker::Send + std::marker::Sync + 'static {
/// Using provided CSR, returns a signed certificate.
async fn issue_certificate(
&self,
request: tonic::Request<super::CertificateRequest>,
) -> std::result::Result<
tonic::Response<super::CertificateResponse>,
tonic::Status,
>;
}
/// Service for managing certificates issued by the CA.
#[derive(Debug)]
pub struct CertificateServer<T> {
inner: Arc<T>,
accept_compression_encodings: EnabledCompressionEncodings,
send_compression_encodings: EnabledCompressionEncodings,
max_decoding_message_size: Option<usize>,
max_encoding_message_size: Option<usize>,
}
impl<T> CertificateServer<T> {
pub fn new(inner: T) -> Self {
Self::from_arc(Arc::new(inner))
}
pub fn from_arc(inner: Arc<T>) -> Self {
Self {
inner,
accept_compression_encodings: Default::default(),
send_compression_encodings: Default::default(),
max_decoding_message_size: None,
max_encoding_message_size: None,
}
}
pub fn with_interceptor<F>(
inner: T,
interceptor: F,
) -> InterceptedService<Self, F>
where
F: tonic::service::Interceptor,
{
InterceptedService::new(Self::new(inner), interceptor)
}
/// Enable decompressing requests with the given encoding.
#[must_use]
pub fn accept_compressed(mut self, encoding: CompressionEncoding) -> Self {
self.accept_compression_encodings.enable(encoding);
self
}
/// Compress responses with the given encoding, if the client supports it.
#[must_use]
pub fn send_compressed(mut self, encoding: CompressionEncoding) -> Self {
self.send_compression_encodings.enable(encoding);
self
}
/// Limits the maximum size of a decoded message.
///
/// Default: `4MB`
#[must_use]
pub fn max_decoding_message_size(mut self, limit: usize) -> Self {
self.max_decoding_message_size = Some(limit);
self
}
/// Limits the maximum size of an encoded message.
///
/// Default: `usize::MAX`
#[must_use]
pub fn max_encoding_message_size(mut self, limit: usize) -> Self {
self.max_encoding_message_size = Some(limit);
self
}
}
impl<T, B> tonic::codegen::Service<http::Request<B>> for CertificateServer<T>
where
T: Certificate,
B: Body + std::marker::Send + 'static,
B::Error: Into<StdError> + std::marker::Send + 'static,
{
type Response = http::Response<tonic::body::BoxBody>;
type Error = std::convert::Infallible;
type Future = BoxFuture<Self::Response, Self::Error>;
fn poll_ready(
&mut self,
_cx: &mut Context<'_>,
) -> Poll<std::result::Result<(), Self::Error>> {
Poll::Ready(Ok(()))
}
fn call(&mut self, req: http::Request<B>) -> Self::Future {
match req.uri().path() {
"/security.Certificate/IssueCertificate" => {
#[allow(non_camel_case_types)]
struct IssueCertificateSvc<T: Certificate>(pub Arc<T>);
impl<
T: Certificate,
> tonic::server::UnaryService<super::CertificateRequest>
for IssueCertificateSvc<T> {
type Response = super::CertificateResponse;
type Future = BoxFuture<
tonic::Response<Self::Response>,
tonic::Status,
>;
fn call(
&mut self,
request: tonic::Request<super::CertificateRequest>,
) -> Self::Future {
let inner = Arc::clone(&self.0);
let fut = async move {
<T as Certificate>::issue_certificate(&inner, request).await
};
Box::pin(fut)
}
}
let accept_compression_encodings = self.accept_compression_encodings;
let send_compression_encodings = self.send_compression_encodings;
let max_decoding_message_size = self.max_decoding_message_size;
let max_encoding_message_size = self.max_encoding_message_size;
let inner = self.inner.clone();
let fut = async move {
let method = IssueCertificateSvc(inner);
let codec = tonic::codec::ProstCodec::default();
let mut grpc = tonic::server::Grpc::new(codec)
.apply_compression_config(
accept_compression_encodings,
send_compression_encodings,
)
.apply_max_message_size_config(
max_decoding_message_size,
max_encoding_message_size,
);
let res = grpc.unary(method, req).await;
Ok(res)
};
Box::pin(fut)
}
_ => {
Box::pin(async move {
Ok(
http::Response::builder()
.status(200)
.header("grpc-status", tonic::Code::Unimplemented as i32)
.header(
http::header::CONTENT_TYPE,
tonic::metadata::GRPC_CONTENT_TYPE,
)
.body(empty_body())
.unwrap(),
)
})
}
}
}
}
impl<T> Clone for CertificateServer<T> {
fn clone(&self) -> Self {
let inner = self.inner.clone();
Self {
inner,
accept_compression_encodings: self.accept_compression_encodings,
send_compression_encodings: self.send_compression_encodings,
max_decoding_message_size: self.max_decoding_message_size,
max_encoding_message_size: self.max_encoding_message_size,
}
}
}
/// Generated gRPC service name
pub const SERVICE_NAME: &str = "security.Certificate";
impl<T> tonic::server::NamedService for CertificateServer<T> {
const NAME: &'static str = SERVICE_NAME;
}
}