Update vendoring via vndr

2025-06-21 13:46:31 +00:00 · 2017-07-12 17:58:36 +01:00
parent e1849a8f49
commit 283d311b08
6506 changed files with 25916 additions and 1506849 deletions
--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/certpool_go17.go
@ -5,8 +5,6 @@ package tlsconfig
 import (
 	"crypto/x509"
 	"runtime"
-
-	"github.com/Sirupsen/logrus"
 )

 // SystemCertPool returns a copy of the system cert pool,
@ -14,7 +12,6 @@ import (
 func SystemCertPool() (*x509.CertPool, error) {
 	certpool, err := x509.SystemCertPool()
 	if err != nil && runtime.GOOS == "windows" {
-		logrus.Infof("Unable to use system certificate pool: %v", err)
 		return x509.NewCertPool(), nil
 	}
 	return certpool, err
--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/certpool_other.go
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/certpool_other.go
@ -5,12 +5,10 @@ package tlsconfig
 import (
 	"crypto/x509"

-	"github.com/Sirupsen/logrus"
 )

 // SystemCertPool returns an new empty cert pool,
 // accessing system cert pool is supported in go 1.7
 func SystemCertPool() (*x509.CertPool, error) {
-	logrus.Warn("Unable to use system certificate pool: requires building with go 1.7 or later")
 	return x509.NewCertPool(), nil
 }
--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/config.go
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/config.go
@ -13,7 +13,6 @@ import (
 	"io/ioutil"
 	"os"

-	"github.com/Sirupsen/logrus"
 	"github.com/pkg/errors"
 )

@ -106,7 +105,6 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 	if !certPool.AppendCertsFromPEM(pem) {
 		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
 	}
-	logrus.Debugf("Trusting %d certs", len(certPool.Subjects()))
 	return certPool, nil
 }

--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/config_test.go
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/config_test.go
@ -1,651 +0,0 @@
-package tlsconfig
-
-import (
-	"bytes"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"io/ioutil"
-	"os"
-	"reflect"
-	"testing"
-)
-
-// This is the currently active LetsEncrypt IdenTrust cross-signed CA cert.  It expires Mar 17, 2021.
-const (
-	systemRootTrustedCert = `
-----BEGIN CERTIFICATE-----
-MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
-SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
-GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
-q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
-SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
-Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
-a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
-/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
-AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
-CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
-bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
-c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
-VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
-ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
-MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
-Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
-AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
-uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
-wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
-X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
-PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
-KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
-`
-	rsaPrivateKeyFile             = "fixtures/key.pem"
-	certificateFile               = "fixtures/cert.pem"
-	multiCertificateFile          = "fixtures/multi.pem"
-	rsaEncryptedPrivateKeyFile    = "fixtures/encrypted_key.pem"
-	certificateOfEncryptedKeyFile = "fixtures/cert_of_encrypted_key.pem"
-)
-
-// returns the name of a pre-generated, multiple-certificate CA file
-// with both RSA and ECDSA certs.
-func getMultiCert() string {
-	return multiCertificateFile
-}
-
-// returns the names of pre-generated key and certificate files.
-func getCertAndKey() (string, string) {
-	return rsaPrivateKeyFile, certificateFile
-}
-
-// returns the names of pre-generated, encrypted private key and
-// corresponding certificate file
-func getCertAndEncryptedKey() (string, string) {
-	return rsaEncryptedPrivateKeyFile, certificateOfEncryptedKeyFile
-}
-
-// If the cert files and directory are provided but are invalid, an error is
-// returned.
-func TestConfigServerTLSFailsIfUnableToLoadCerts(t *testing.T) {
-	key, cert := getCertAndKey()
-	ca := getMultiCert()
-
-	tempFile, err := ioutil.TempFile("", "cert-test")
-	if err != nil {
-		t.Fatal("Unable to create temporary empty file")
-	}
-	defer os.RemoveAll(tempFile.Name())
-	tempFile.Close()
-
-	for _, badFile := range []string{"not-a-file", tempFile.Name()} {
-		for i := 0; i < 3; i++ {
-			files := []string{cert, key, ca}
-			files[i] = badFile
-
-			result, err := Server(Options{
-				CertFile:   files[0],
-				KeyFile:    files[1],
-				CAFile:     files[2],
-				ClientAuth: tls.VerifyClientCertIfGiven,
-			})
-			if err == nil || result != nil {
-				t.Fatal("Expected a non-real file to error and return a nil TLS config")
-			}
-		}
-	}
-}
-
-// If server cert and key are provided and client auth and client CA are not
-// set, a tls config with only the server certs will be returned.
-func TestConfigServerTLSServerCertsOnly(t *testing.T) {
-	key, cert := getCertAndKey()
-
-	keypair, err := tls.LoadX509KeyPair(cert, key)
-	if err != nil {
-		t.Fatal("Unable to load the generated cert and key")
-	}
-
-	tlsConfig, err := Server(Options{
-		CertFile: cert,
-		KeyFile:  key,
-	})
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure server TLS", err)
-	}
-
-	if len(tlsConfig.Certificates) != 1 {
-		t.Fatal("Unexpected server certificates")
-	}
-	if len(tlsConfig.Certificates[0].Certificate) != len(keypair.Certificate) {
-		t.Fatal("Unexpected server certificates")
-	}
-	for i, cert := range tlsConfig.Certificates[0].Certificate {
-		if !bytes.Equal(cert, keypair.Certificate[i]) {
-			t.Fatal("Unexpected server certificates")
-		}
-	}
-
-	if !reflect.DeepEqual(tlsConfig.CipherSuites, DefaultServerAcceptedCiphers) {
-		t.Fatal("Unexpected server cipher suites")
-	}
-	if !tlsConfig.PreferServerCipherSuites {
-		t.Fatal("Expected server to prefer cipher suites")
-	}
-	if tlsConfig.MinVersion != tls.VersionTLS10 {
-		t.Fatal("Unexpected server TLS version")
-	}
-}
-
-// If client CA is provided, it will only be used if the client auth is >=
-// VerifyClientCertIfGiven
-func TestConfigServerTLSClientCANotSetIfClientAuthTooLow(t *testing.T) {
-	key, cert := getCertAndKey()
-	ca := getMultiCert()
-
-	tlsConfig, err := Server(Options{
-		CertFile:   cert,
-		KeyFile:    key,
-		ClientAuth: tls.RequestClientCert,
-		CAFile:     ca,
-	})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure server TLS", err)
-	}
-
-	if len(tlsConfig.Certificates) != 1 {
-		t.Fatal("Unexpected server certificates")
-	}
-	if tlsConfig.ClientAuth != tls.RequestClientCert {
-		t.Fatal("ClientAuth was not set to what was in the options")
-	}
-	if tlsConfig.ClientCAs != nil {
-		t.Fatalf("Client CAs should never have been set")
-	}
-}
-
-// If client CA is provided, it will only be used if the client auth is >=
-// VerifyClientCertIfGiven
-func TestConfigServerTLSClientCASet(t *testing.T) {
-	key, cert := getCertAndKey()
-	ca := getMultiCert()
-
-	tlsConfig, err := Server(Options{
-		CertFile:   cert,
-		KeyFile:    key,
-		ClientAuth: tls.VerifyClientCertIfGiven,
-		CAFile:     ca,
-	})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure server TLS", err)
-	}
-
-	if len(tlsConfig.Certificates) != 1 {
-		t.Fatal("Unexpected server certificates")
-	}
-	if tlsConfig.ClientAuth != tls.VerifyClientCertIfGiven {
-		t.Fatal("ClientAuth was not set to what was in the options")
-	}
-	basePool, err := SystemCertPool()
-	if err != nil {
-		basePool = x509.NewCertPool()
-	}
-	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
-	if tlsConfig.ClientCAs == nil || len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 {
-		t.Fatalf("Client CAs were never set correctly")
-	}
-}
-
-// Exclusive root pools determines whether the CA pool will be a union of the system
-// certificate pool and custom certs, or an exclusive or of the custom certs and system pool
-func TestConfigServerExclusiveRootPools(t *testing.T) {
-	key, cert := getCertAndKey()
-	ca := getMultiCert()
-
-	caBytes, err := ioutil.ReadFile(ca)
-	if err != nil {
-		t.Fatal("Unable to read CA certs", err)
-	}
-
-	var testCerts []*x509.Certificate
-	for _, pemBytes := range [][]byte{caBytes, []byte(systemRootTrustedCert)} {
-		pemBlock, _ := pem.Decode(pemBytes)
-		if pemBlock == nil {
-			t.Fatal("Malformed certificate")
-		}
-		cert, err := x509.ParseCertificate(pemBlock.Bytes)
-		if err != nil {
-			t.Fatal("Unable to parse certificate")
-		}
-		testCerts = append(testCerts, cert)
-	}
-
-	// ExclusiveRootPools not set, so should be able to verify both system-signed certs
-	// and custom CA-signed certs
-	tlsConfig, err := Server(Options{
-		CertFile:   cert,
-		KeyFile:    key,
-		ClientAuth: tls.VerifyClientCertIfGiven,
-		CAFile:     ca,
-	})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure server TLS", err)
-	}
-
-	for i, cert := range testCerts {
-		if _, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.ClientCAs}); err != nil {
-			t.Fatalf("Unable to verify certificate %d: %v", i, err)
-		}
-	}
-
-	// ExclusiveRootPools set and custom CA provided, so system certs should not be verifiable
-	// and custom CA-signed certs should be verifiable
-	tlsConfig, err = Server(Options{
-		CertFile:           cert,
-		KeyFile:            key,
-		ClientAuth:         tls.VerifyClientCertIfGiven,
-		CAFile:             ca,
-		ExclusiveRootPools: true,
-	})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure server TLS", err)
-	}
-
-	for i, cert := range testCerts {
-		_, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.ClientCAs})
-		switch {
-		case i == 0 && err != nil:
-			t.Fatal("Unable to verify custom certificate, even though the root pool should have only the custom CA", err)
-		case i == 1 && err == nil:
-			t.Fatal("Successfully verified system root-signed certificate though the root pool should have only the cusotm CA", err)
-		}
-	}
-
-	// No CA file provided, system cert should be verifiable only
-	tlsConfig, err = Server(Options{
-		CertFile: cert,
-		KeyFile:  key,
-	})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure server TLS", err)
-	}
-
-	for i, cert := range testCerts {
-		_, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.ClientCAs})
-		switch {
-		case i == 1 && err != nil:
-			t.Fatal("Unable to verify system root-signed certificate, even though the root pool should be the system pool only", err)
-		case i == 0 && err == nil:
-			t.Fatal("Successfully verified custom certificate though the root pool should be the system pool only", err)
-		}
-	}
-}
-
-// If a valid minimum version is specified in the options, the server's
-// minimum version should be set accordingly
-func TestConfigServerTLSMinVersionIsSetBasedOnOptions(t *testing.T) {
-	versions := []uint16{
-		tls.VersionTLS11,
-		tls.VersionTLS12,
-	}
-	key, cert := getCertAndKey()
-
-	for _, v := range versions {
-		tlsConfig, err := Server(Options{
-			MinVersion: v,
-			CertFile:   cert,
-			KeyFile:    key,
-		})
-
-		if err != nil || tlsConfig == nil {
-			t.Fatal("Unable to configure server TLS", err)
-		}
-
-		if tlsConfig.MinVersion != v {
-			t.Fatal("Unexpected minimum TLS version: ", tlsConfig.MinVersion)
-		}
-	}
-}
-
-// An error should be returned if the specified minimum version for the server
-// is too low, i.e. less than VersionTLS10
-func TestConfigServerTLSMinVersionNotSetIfMinVersionIsTooLow(t *testing.T) {
-	key, cert := getCertAndKey()
-
-	_, err := Server(Options{
-		MinVersion: tls.VersionSSL30,
-		CertFile:   cert,
-		KeyFile:    key,
-	})
-
-	if err == nil {
-		t.Fatal("Should have returned an error for minimum version below TLS10")
-	}
-}
-
-// An error should be returned if an invalid minimum version for the server is
-// in the options struct
-func TestConfigServerTLSMinVersionNotSetIfMinVersionIsInvalid(t *testing.T) {
-	key, cert := getCertAndKey()
-
-	_, err := Server(Options{
-		MinVersion: 1,
-		CertFile:   cert,
-		KeyFile:    key,
-	})
-
-	if err == nil {
-		t.Fatal("Should have returned error on invalid minimum version option")
-	}
-}
-
-// The root CA is never set if InsecureSkipBoolean is set to true, but the
-// default client options are set
-func TestConfigClientTLSNoVerify(t *testing.T) {
-	ca := getMultiCert()
-
-	tlsConfig, err := Client(Options{CAFile: ca, InsecureSkipVerify: true})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-
-	if tlsConfig.RootCAs != nil {
-		t.Fatal("Should not have set Root CAs", err)
-	}
-
-	if !reflect.DeepEqual(tlsConfig.CipherSuites, clientCipherSuites) {
-		t.Fatal("Unexpected client cipher suites")
-	}
-	if tlsConfig.MinVersion != tls.VersionTLS12 {
-		t.Fatal("Unexpected client TLS version")
-	}
-
-	if tlsConfig.Certificates != nil {
-		t.Fatal("Somehow client certificates were set")
-	}
-}
-
-// The root CA is never set if InsecureSkipBoolean is set to false and root CA
-// is not provided.
-func TestConfigClientTLSNoRoot(t *testing.T) {
-	tlsConfig, err := Client(Options{})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-
-	if tlsConfig.RootCAs != nil {
-		t.Fatal("Should not have set Root CAs", err)
-	}
-
-	if !reflect.DeepEqual(tlsConfig.CipherSuites, clientCipherSuites) {
-		t.Fatal("Unexpected client cipher suites")
-	}
-	if tlsConfig.MinVersion != tls.VersionTLS12 {
-		t.Fatal("Unexpected client TLS version")
-	}
-
-	if tlsConfig.Certificates != nil {
-		t.Fatal("Somehow client certificates were set")
-	}
-}
-
-// The RootCA is set if the file is provided and InsecureSkipVerify is false
-func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {
-	ca := getMultiCert()
-
-	tlsConfig, err := Client(Options{CAFile: ca})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-	basePool, err := SystemCertPool()
-	if err != nil {
-		basePool = x509.NewCertPool()
-	}
-	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
-	if tlsConfig.RootCAs == nil || len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 {
-		t.Fatal("Root CAs not set properly", err)
-	}
-	if tlsConfig.Certificates != nil {
-		t.Fatal("Somehow client certificates were set")
-	}
-}
-
-// An error is returned if a root CA is provided but the file doesn't exist.
-func TestConfigClientTLSNonexistentRootCAFile(t *testing.T) {
-	tlsConfig, err := Client(Options{CAFile: "nonexistent"})
-
-	if err == nil || tlsConfig != nil {
-		t.Fatal("Should not have been able to configure client TLS", err)
-	}
-}
-
-// An error is returned if either the client cert or the key are provided
-// but invalid or blank.
-func TestConfigClientTLSClientCertOrKeyInvalid(t *testing.T) {
-	key, cert := getCertAndKey()
-
-	tempFile, err := ioutil.TempFile("", "cert-test")
-	if err != nil {
-		t.Fatal("Unable to create temporary empty file")
-	}
-	defer os.Remove(tempFile.Name())
-	tempFile.Close()
-
-	for i := 0; i < 2; i++ {
-		for _, invalid := range []string{"not-a-file", "", tempFile.Name()} {
-			files := []string{cert, key}
-			files[i] = invalid
-
-			tlsConfig, err := Client(Options{CertFile: files[0], KeyFile: files[1]})
-			if err == nil || tlsConfig != nil {
-				t.Fatal("Should not have been able to configure client TLS", err)
-			}
-		}
-	}
-}
-
-// The certificate is set if the client cert and client key are provided and
-// valid.
-func TestConfigClientTLSValidClientCertAndKey(t *testing.T) {
-	key, cert := getCertAndKey()
-
-	keypair, err := tls.LoadX509KeyPair(cert, key)
-	if err != nil {
-		t.Fatal("Unable to load the generated cert and key")
-	}
-
-	tlsConfig, err := Client(Options{CertFile: cert, KeyFile: key})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-
-	if len(tlsConfig.Certificates) != 1 {
-		t.Fatal("Unexpected client certificates")
-	}
-	if len(tlsConfig.Certificates[0].Certificate) != len(keypair.Certificate) {
-		t.Fatal("Unexpected client certificates")
-	}
-	for i, cert := range tlsConfig.Certificates[0].Certificate {
-		if !bytes.Equal(cert, keypair.Certificate[i]) {
-			t.Fatal("Unexpected client certificates")
-		}
-	}
-
-	if tlsConfig.RootCAs != nil {
-		t.Fatal("Root CAs should not have been set", err)
-	}
-}
-
-// The certificate is set if the client cert and encrypted client key are
-// provided and valid and passphrase can decrypt the key
-func TestConfigClientTLSValidClientCertAndEncryptedKey(t *testing.T) {
-	key, cert := getCertAndEncryptedKey()
-
-	tlsConfig, err := Client(Options{
-		CertFile:   cert,
-		KeyFile:    key,
-		Passphrase: "FooBar123",
-	})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-
-	if len(tlsConfig.Certificates) != 1 {
-		t.Fatal("Unexpected client certificates")
-	}
-}
-
-// The certificate is not set if the provided passphrase cannot decrypt
-// the encrypted key.
-func TestConfigClientTLSNotSetWithInvalidPassphrase(t *testing.T) {
-	key, cert := getCertAndEncryptedKey()
-
-	tlsConfig, err := Client(Options{
-		CertFile:   cert,
-		KeyFile:    key,
-		Passphrase: "InvalidPassphrase",
-	})
-
-	if !IsErrEncryptedKey(err) || tlsConfig != nil {
-		t.Fatal("Expected failure due to incorrect passphrase.")
-	}
-}
-
-// Exclusive root pools determines whether the CA pool will be a union of the system
-// certificate pool and custom certs, or an exclusive or of the custom certs and system pool
-func TestConfigClientExclusiveRootPools(t *testing.T) {
-	ca := getMultiCert()
-
-	caBytes, err := ioutil.ReadFile(ca)
-	if err != nil {
-		t.Fatal("Unable to read CA certs", err)
-	}
-
-	var testCerts []*x509.Certificate
-	for _, pemBytes := range [][]byte{caBytes, []byte(systemRootTrustedCert)} {
-		pemBlock, _ := pem.Decode(pemBytes)
-		if pemBlock == nil {
-			t.Fatal("Malformed certificate")
-		}
-		cert, err := x509.ParseCertificate(pemBlock.Bytes)
-		if err != nil {
-			t.Fatal("Unable to parse certificate")
-		}
-		testCerts = append(testCerts, cert)
-	}
-
-	// ExclusiveRootPools not set, so should be able to verify both system-signed certs
-	// and custom CA-signed certs
-	tlsConfig, err := Client(Options{CAFile: ca})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-
-	for i, cert := range testCerts {
-		if _, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.RootCAs}); err != nil {
-			t.Fatalf("Unable to verify certificate %d: %v", i, err)
-		}
-	}
-
-	// ExclusiveRootPools set and custom CA provided, so system certs should not be verifiable
-	// and custom CA-signed certs should be verifiable
-	tlsConfig, err = Client(Options{
-		CAFile:             ca,
-		ExclusiveRootPools: true,
-	})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-
-	for i, cert := range testCerts {
-		_, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.RootCAs})
-		switch {
-		case i == 0 && err != nil:
-			t.Fatal("Unable to verify custom certificate, even though the root pool should have only the custom CA", err)
-		case i == 1 && err == nil:
-			t.Fatal("Successfully verified system root-signed certificate though the root pool should have only the cusotm CA", err)
-		}
-	}
-
-	// No CA file provided, system cert should be verifiable only
-	tlsConfig, err = Client(Options{})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-
-	for i, cert := range testCerts {
-		_, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.RootCAs})
-		switch {
-		case i == 1 && err != nil:
-			t.Fatal("Unable to verify system root-signed certificate, even though the root pool should be the system pool only", err)
-		case i == 0 && err == nil:
-			t.Fatal("Successfully verified custom certificate though the root pool should be the system pool only", err)
-		}
-	}
-}
-
-// If a valid MinVersion is specified in the options, the client's
-// minimum version should be set accordingly
-func TestConfigClientTLSMinVersionIsSetBasedOnOptions(t *testing.T) {
-	key, cert := getCertAndKey()
-
-	tlsConfig, err := Client(Options{
-		MinVersion: tls.VersionTLS12,
-		CertFile:   cert,
-		KeyFile:    key,
-	})
-
-	if err != nil || tlsConfig == nil {
-		t.Fatal("Unable to configure client TLS", err)
-	}
-
-	if tlsConfig.MinVersion != tls.VersionTLS12 {
-		t.Fatal("Unexpected minimum TLS version: ", tlsConfig.MinVersion)
-	}
-}
-
-// An error should be returned if the specified minimum version for the client
-// is too low, i.e. less than VersionTLS12
-func TestConfigClientTLSMinVersionNotSetIfMinVersionIsTooLow(t *testing.T) {
-	key, cert := getCertAndKey()
-
-	_, err := Client(Options{
-		MinVersion: tls.VersionTLS11,
-		CertFile:   cert,
-		KeyFile:    key,
-	})
-
-	if err == nil {
-		t.Fatal("Should have returned an error for minimum version below TLS12")
-	}
-}
-
-// An error should be returned if an invalid minimum version for the client is
-// in the options struct
-func TestConfigClientTLSMinVersionNotSetIfMinVersionIsInvalid(t *testing.T) {
-	key, cert := getCertAndKey()
-
-	_, err := Client(Options{
-		MinVersion: 1,
-		CertFile:   cert,
-		KeyFile:    key,
-	})
-
-	if err == nil {
-		t.Fatal("Should have returned error on invalid minimum version option")
-	}
-}
--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/cert.pem
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/cert.pem
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb6gAwIBAgIDAw0/MA0GCSqGSIb3DQEBCwUAMA8xDTALBgNVBAMTBHRl
-c3QwHhcNMTYwMzI4MTg0MTQ3WhcNMjcwMzI4MTg0MTQ3WjAPMQ0wCwYDVQQDEwR0
-ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1k1NO4wzCpxZ71Bo
-SiYSWh8SE9jHtg6lz0QjMQXzFuLhpedjHJYx9fYbD+JVk5vnRbUqNUeZVKAGahfR
-9vhm5I+cm359gYU0gHawLw91oh4JCiwUu77U2obHvtvcXLf6Fb/+MoSA5wH7vbL3
-T4vR1+hLt+R+kILAEHq/IlSdLD8CA0iA+ypHfCPOi5F2wVjAyMnQXgVDkAhzefpu
-JkhN1yUgb5WK4qoSuOUDUYq/bRosLdHXDJiWRuqaU2zxO5cHVlrNAE5RuspfEzl4
-YP6boZTOomLEDbBTSJWgX2/ybvY7o4sCw7KrvyBIqSK9HbfaK1nFMFGoiSH6+1m4
-amWKrwIDAQABozswOTAOBgNVHQ8BAf8EBAMCBaAwGQYDVR0lBBIwEAYIKwYBBQUH
-AwMGBFUdJQAwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEADuXjLtGk
-tU5ql+LFB32Cc2Laa0iO8aqJccOcXYKg4FD0um+1+YQO1CBZZqWjItH4CuJl5+2j
-Tc9sFgrIVH5CmvUkOUFPCNDAJtxBvF6RQqRpehjheHDaNsYo9JNKHKEJB6OJrDgy
-N5krM5FKyAp/EDTbIrGIZFMdxQGxK5MfpfPkKK44JgOQM3QWeR+LqIpfd34MD1jZ
-jjYdl0+quIHiIdFR0a4Uam7o9GfUmcWe1VFthLb5pNhV6t+wyuLyMXVMNacKZSz/
-nOMWVQfgViZk6rHOPSMrFMc7Pp488I907MJKCryd21LcLqMuhb4BpWcJghnY8Lbs
-uIPLsUHr3Pfp9Q==
-----END CERTIFICATE-----
--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/cert_of_encrypted_key.pem
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/cert_of_encrypted_key.pem
@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIC1jCCAb6gAwIBAgIDAw0/MA0GCSqGSIb3DQEBCwUAMA8xDTALBgNVBAMTBHRl
-c3QwHhcNMTYwNDIyMDQyMjM1WhcNMTgwNDIyMDQyMjM1WjAPMQ0wCwYDVQQDEwR0
-ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4GRTos+Ik6kQG7wn
-8E4HqPwgWXbY0T59UQsrbR+YbyxbUKV67Pgl4VImuUmYaism6Tm3EFYzeom5baMc
-vW0hC+WbwVr1rq5ddBE8akYhlPY40SxFlh563vOi7lcFGM7xuUbTlhtAhYa5xc5U
-thHYa8Mdqc2kMrmU4JBhNHoRk2mnRBo2J2/8RfOfioM6mH0t/MVtB/jSGpcwbbfj
-2twKOpB9CoX57szVo7+DCFHpLxeuop+69REu5Egc2a5BtBuUf0fkUBKuF7yUy2xI
-IbgjCiGb3Z+PCIC0CjNt9wExowPAGfxAJ8s1nNlpZav3707VZRtz7Js1skRjm9aU
-8fhYNQIDAQABozswOTAOBgNVHQ8BAf8EBAMCBaAwGQYDVR0lBBIwEAYIKwYBBQUH
-AwMGBFUdJQAwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAcKCCV5Os
-O2U7Ekp0jzOusV2+ykZzUe4sEds+ikblxK9SHV/pAPIVuAevdyE1LKmJ6ZGgeU2M
-4MC6jC/XTlYNhsYCfKaJn53UscKI2urXFlk1Gv5VQP5EOrMWb76A5uj1nElxKe2C
-bMVoUuMwRd9jnz6594D80jGGYpHRaF7yLtGbiflDjB+yv1OU6WnuVNr0nOb9ShR6
-WPlrQj5TUSpRHF/oKy9LVWuxYA9aiY1YREDZhhauw9pGAMx1lImfJcJ077MdxN4A
-DwKAx3ooajAu1n3McY1oncWW+rWs2Ptvp6lKMGoZ50ElEPCMw4/hPtPMLq/DTWNj
-l342KLVWgchlIA==
-----END CERTIFICATE-----
--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/encrypted_key.pem
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/encrypted_key.pem
@ -1,30 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,68ce1d54f187b663e152d9c5dc900fd3
-
-ZVBeXx7kWiF0yPOORntrN6BsyIJE7krqTVhRfk6GAllaLQv0jvb31XHB1oWOaqnx
-tb7kUuoBeQdl1hs/iAnkDMc59WJfEK9A9cAD/SgxTgdENOrzFSRNEfqketLA4eHZ
-2sOLkSfv58HwA0p0gzqSrLQBo/6ZtF/57HxH166PtErPNTS1Usu/f4Oj0UqxTfbZ
-B5LHsepyNLt6q/15fcY0TFYJwvgEXa4SridjT+8bTz2T+bx3QFijGnl7EdkTElni
-FIwnDjFZaAULqoyUIB1y8guEZVkaWKncxPdRfhId84HklWdrrLtP5D6db1xNNpsp
-LzGdciD3phJp6K0hpl+WrhYxuCKURa27tXMCuYOFd1hw/kM29jFbxSIlNBGN4OLL
-v4wYrJFM21iWsz9c7Cqw5Yls2Rsx0QrXRFIxwT25z+HNx1fysQxYuxf3r+e2oz8e
-8Os7hvcxG2XDz01/zpx8kzxUcLuh+3o5UOYlo9z6qsjaD5NUXY+X90PUrVO9fk5y
-8o8pnElPnV88Ihrog5YTYy6egiQWHhDk2I4qlYPOBQNKTLg3KulAcmC9vQ8mR5Sy
-p3c3MTgh0A3Zk5Dib+sQ0tdbwDcB2JCTqGal1FNEW5Z7qTHA4Bdm2l7hGs8cRpy4
-Ehkhv3s5wWmKcbwwlPuJ0UfPeDn6v9qE2/IkOy+jWgTpaFyWtXHc1/XdqMsJ8xN0
-thJw/GMtNabB1+zuayJnvmbJd2qW1smsFTHqX3BovXIH4vx1hE2d0lJpEBynk+wr
-gpPgrRoEiqsPcsRoVjvKH3qwJLRdcGYhKqhbvRdynlagCLmE8iAI99r82u6t+03h
-YNpRbafY4ceAYyK0IlRiJvGkBMfH7bMXcBMmXyQSBF27ZpNidyZSCHrU5xyHqJZO
-XWUhl9GHplBfueh5E831S7mDqobd8RqnUvKVygyEOol5VUFDrggTAAKKN9VzM3uT
-MaVymt6fA7stzf01fT+Wi7uCm5legTXG3Ca+XxD6TdE0dNzewd5jDsuqwXnt1iC4
-slvuLRZeRZDNvBd0G7Ohhp6jb2HHwkv9kQTZ+UEDbR/Gwxty4oT1MnwSE0mi9ZFN
-6PTjrSxpIKe+mAhgzrepLMfATGayYQzucEArPG7Vp+NJva+j6FKloqrzXMjlP0hN
-XSBr7AL+j+OR/tzDOoUG3xdsCl/u5hFTpjsW2ti870zoRUcK0fqJ9UIYjh66L7yT
-KNkXsC+OcGuGkhtQ0gxx60OI7wp4bh2pKdT6e111/WTvXxVR2C3XhFBLUfNIz/7A
-Oj+s0CaV4pBmCjIobLYpxC0ofLplwBLGf9xnsBiQF5dsgKgOhACeDmDMwqAJ3U/t
-54hK/8Yb8W46Tjgbm0Qsj5gFXHofnyqDeQxAjsdCXsdMaPB8nyZpEkuQSEj9HlKW
-xIEErVufkvqyrzhX1pxPs+C839Ueyeob6ZWQurqCLTdZh+3bhKcvi5iP+aLLjMWK
-JT9tmAuFVkbPerqObVQFbnM4/re33YYD7QXCqta5bxcVeBI8N1HdwMYrDVhXelEx
-mqGleUkkDHTWzAa3u1GKOzLXAYnD0TsTwml0+k+Rf0QMBiDJiKujfy7fGqfZF2vR
-----END RSA PRIVATE KEY-----
--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/key.pem
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/key.pem
@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA1k1NO4wzCpxZ71BoSiYSWh8SE9jHtg6lz0QjMQXzFuLhpedj
-HJYx9fYbD+JVk5vnRbUqNUeZVKAGahfR9vhm5I+cm359gYU0gHawLw91oh4JCiwU
-u77U2obHvtvcXLf6Fb/+MoSA5wH7vbL3T4vR1+hLt+R+kILAEHq/IlSdLD8CA0iA
-+ypHfCPOi5F2wVjAyMnQXgVDkAhzefpuJkhN1yUgb5WK4qoSuOUDUYq/bRosLdHX
-DJiWRuqaU2zxO5cHVlrNAE5RuspfEzl4YP6boZTOomLEDbBTSJWgX2/ybvY7o4sC
-w7KrvyBIqSK9HbfaK1nFMFGoiSH6+1m4amWKrwIDAQABAoIBAQC802wj9grbZJzS
-A1WBUD6Hbi0tk6uVPR7YnD8t6QIivlL5LgLko2ruQKXjvxiMcai8gT7pp2bxa/d6
-7/Yv2PxAlFH3qOLJhyeVsf7X2JVb/X8VmXXDYAiJbI0AHRX0FJ+lHoDK3nn+En9Q
-zSqgyqBhz+s343uptauqWZ2kkE3VNyqlPBhmKc5NcbR7Sgb4nJ3CkNAcxRkl1NeI
-BRFdsTUYRNR3Vd++OvOzI4uzZfCIeUVqx+r7/SeLW0UwqeprMm7g+hFQLfH+e9SA
-9lx0EIRoQFwgvKju2eogpSwvkSlObXnESu5OHYtnc+jpsOC0EbQgO0d6CqVZiqjR
-2dRYsZkhAoGBAO69loXSAsyqUj0rT5iq59PuMlBEAlW6hQTfl6c8bnu1JUo2s/CH
-OJfswxfHN32qmi99WbK2iLyrnznNYsyPnYKW0ObwuoqAdrlydfu7Fq9HSOACoIvK
-jRMOsiJtM3JX2bHHV7yIwJ1+h++o2Ly803j7tKtYsrRQVZiWeTcR2IRZAoGBAOXL
-bJFLbAhm3zRqhbiWuORqqyLxrDmIB6RY8vTdX47vwzkFGZJlCuL+vs6877I6eOc9
-wjH9qcOiJQJ4DWkAE+VS5PAPoj0UDRw7AkE9v3RwnmxvAfP5rPo5KimYxKq4yX6r
-+Qc4ixwftCj0rxFoG4lnipwBFq4NXuHtIhbZXMZHAoGBAOGfatGtV9f0XyRP+jld
-yxoO0p3oqAw86dlhNgFmq0NePo+UgxmdsW5i4z1lmJu6z1xyKoMq3q7vwtrtr6GD
-WGhB/8tBVgnuvkUkVzw/44Bi7gxGb1OtaQXJra+7ZBN70tCgg9o5o080dWOZPruf
-+Hst5eDJQpoGEd7S1lulEeqBAoGBAKAqdIak6izE/wg6wu+Q5lgW3SejCOakoKb1
-dIoljkhDZ2/j1RoLoVXsNzRDzlIMnV6X1jYf1ubLqj4ZTUeFTVjGuVl1nCA0TJsD
-qiOtFTfkkxeDG/pgaSeTFocdut4/o/nNhep5h8RXeKwfN7LLPH4+FAd+Xr98BEk2
-jk8cu6RbAoGAHI9yRXKjlADBZLvxxMGHRfe7eK4PgABmluZLdsXzNmXxybrZDvdC
-teipvIUSym7tvdDB6LHXKVp4mYeqHe/ktRatlhbQyPso2VPoMFQyuRBYKKFFAh0V
-3d6EyTRnIxn/NW+XdcCUeufFfd+3BHyux68PyUsTtKRCJYfhExzJf70=
-----END RSA PRIVATE KEY-----
--- a/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/multi.pem
+++ b/gateway/vendor/github.com/docker/go-connections/tlsconfig/fixtures/multi.pem
@ -1,28 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIC3DCCAcSgAwIBAgIDAw0/MA0GCSqGSIb3DQEBCwUAMA8xDTALBgNVBAMTBHRl
-c3QwHhcNMTYwMzI4MTg0MTQ3WhcNMjcwMzI4MTg0MTQ3WjAPMQ0wCwYDVQQDEwR0
-ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArVIJDnNnM1iX7Xj8
-bja4WsgHuENRBsBCROTDjQL1w7Ksin2jmCl/D7Gk9ifRJZ/HPE3BKo6B+3CDXygJ
-Qvoe8SGWi6ae8lN4VgPoW7xDViAWhVmjIr+dNQXWD0hCq0YZuXyYSi5iXWeRaTvx
-2eoG2VSkNnkc/0weEhX1nBGBscuz1UZqWp53m09eL7otngcNcdjmvLPiw4E3cric
-UoLVonzf4ZE84Q7nNmfWfMKh4zJUyn8N766GAAoC6RAKsJ0xSDeRjkzSy7vGJKBv
-nTBe6X1xyFZaN0mAjtRkYaxI9ZfI8K41Trhd88s4B4G61p70DY3dMLmuF8wGHVCF
-lMMV6wIDAQABo0EwPzAOBgNVHQ8BAf8EBAMCAqQwGQYDVR0lBBIwEAYIKwYBBQUH
-AwMGBFUdJQAwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQsFAAOCAQEA
-LriCH0FTaOFIBl+kxAKjs7puhIZoYLwQ8IReXdEU7kYjPff3X/eiO82A0GwMM9Fp
-/RdMlZGDSLyZ1a/gKCz55j9J4MW8ZH7RSEQs3dJQCvEPDO6UdgKy4Ft9yNh/ba1J
-8/n0CqR+0QNov6Qp7eMDkQaDvKgCaABn8at6VLtuifJXFKDGt0LrR7wkQBJ85SZB
-9GdfNSPzEZkb4FQ2gPgAk7ySoQ6Hi6mogEORbtJ7+Xiq57J+cEZQV6TOuwYgBG4e
-MW3h37+7V5a/absybik1F/gcx4IbEBd/7an6a+a2l5FeTED5kpzvD4+yrQAoY8lT
-gccRdP0O4CsLn7zlLRidPQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIBTzCB9qADAgECAgMDDT8wCgYIKoZIzj0EAwIwDzENMAsGA1UEAxMEdGVzdDAe
-Fw0xNjAzMjgxODQxNDdaFw0yNzAzMjgxODQxNDdaMA8xDTALBgNVBAMTBHRlc3Qw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQy8xfFkSiJA10EC1MMJzkLgu6csocC
-UNyix7zOqijLsASE4an5LQsZ1PuhgVYnL+B9rAcnXgJaLM8YOmLRPqNdo0EwPzAO
-BgNVHQ8BAf8EBAMCAqQwGQYDVR0lBBIwEAYIKwYBBQUHAwMGBFUdJQAwEgYDVR0T
-AQH/BAgwBgEB/wIBATAKBggqhkjOPQQDAgNIADBFAiEAwUrZY7fHwr4FWONiBJo6
-97V9GAbj70ZJqV5M7rt+hMECIFY66kUrv0sG2vlhicSIGwSOdB3VcijdZSelzLn1
-iRk5
-----END CERTIFICATE-----