Vendoring with Glide and delete function handler

gateway/vendor/github.com/docker/libtrust/tlsdemo/README.md

@@ -0,0 +1,50 @@
+## Libtrust TLS Config Demo
+
+This program generates key pairs and trust files for a TLS client and server.
+
+To generate the keys, run:
+
+```
+$ go run genkeys.go
+```
+
+The generated files are:
+
+```
+$ ls -l client_data/ server_data/
+client_data/:
+total 24
+-rw-------  1 jlhawn  staff  281 Aug  8 16:21 private_key.json
+-rw-r--r--  1 jlhawn  staff  225 Aug  8 16:21 public_key.json
+-rw-r--r--  1 jlhawn  staff  275 Aug  8 16:21 trusted_hosts.json
+
+server_data/:
+total 24
+-rw-r--r--  1 jlhawn  staff  348 Aug  8 16:21 trusted_clients.json
+-rw-------  1 jlhawn  staff  281 Aug  8 16:21 private_key.json
+-rw-r--r--  1 jlhawn  staff  225 Aug  8 16:21 public_key.json
+```
+
+The private key and public key for the client and server are stored in `private_key.json` and `public_key.json`, respectively, and in their respective directories. They are represented as JSON Web Keys: JSON objects which represent either an ECDSA or RSA private key. The host keys trusted by the client are stored in `trusted_hosts.json` and contain a mapping of an internet address, `<HOSTNAME_OR_IP>:<PORT>`, to a JSON Web Key which is a JSON object representing either an ECDSA or RSA public key of the trusted server. The client keys trusted by the server are stored in `trusted_clients.json` and contain an array of JSON objects which contain a comment field which can be used describe the key and a JSON Web Key which is a JSON object representing either an ECDSA or RSA public key of the trusted client.
+
+To start the server, run:
+
+```
+$ go run server.go
+```
+
+This starts an HTTPS server which listens on `localhost:8888`. The server configures itself with a certificate which is valid for both `localhost` and `127.0.0.1` and uses the key from `server_data/private_key.json`. It accepts connections from clients which present a certificate for a key that it is configured to trust from the `trusted_clients.json` file and returns a simple 'hello' message.
+
+To make a request using the client, run:
+
+```
+$ go run client.go
+```
+
+This command creates an HTTPS client which makes a GET request to `https://localhost:8888`. The client configures itself with a certificate using the key from `client_data/private_key.json`. It only connects to a server which presents a certificate signed by the key specified for the `localhost:8888` address from `client_data/trusted_hosts.json` and made to be used for the `localhost` hostname. If the connection succeeds, it prints the response from the server.
+
+The file `gencert.go` can be used to generate PEM encoded version of the client key and certificate. If you save them to `key.pem` and `cert.pem` respectively, you can use them with `curl` to test out the server (if it is still running).
+
+```
+curl --cert cert.pem --key key.pem -k https://localhost:8888
+``` 

gateway/vendor/github.com/docker/libtrust/tlsdemo/client.go

@@ -0,0 +1,89 @@
+package main
+
+import (
+	"crypto/tls"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+
+	"github.com/docker/libtrust"
+)
+
+var (
+	serverAddress        = "localhost:8888"
+	privateKeyFilename   = "client_data/private_key.pem"
+	trustedHostsFilename = "client_data/trusted_hosts.pem"
+)
+
+func main() {
+	// Load Client Key.
+	clientKey, err := libtrust.LoadKeyFile(privateKeyFilename)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Generate Client Certificate.
+	selfSignedClientCert, err := libtrust.GenerateSelfSignedClientCert(clientKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Load trusted host keys.
+	hostKeys, err := libtrust.LoadKeySetFile(trustedHostsFilename)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Ensure the host we want to connect to is trusted!
+	host, _, err := net.SplitHostPort(serverAddress)
+	if err != nil {
+		log.Fatal(err)
+	}
+	serverKeys, err := libtrust.FilterByHosts(hostKeys, host, false)
+	if err != nil {
+		log.Fatalf("%q is not a known and trusted host", host)
+	}
+
+	// Generate a CA pool with the trusted host's key.
+	caPool, err := libtrust.GenerateCACertPool(clientKey, serverKeys)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Create HTTP Client.
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				Certificates: []tls.Certificate{
+					tls.Certificate{
+						Certificate: [][]byte{selfSignedClientCert.Raw},
+						PrivateKey:  clientKey.CryptoPrivateKey(),
+						Leaf:        selfSignedClientCert,
+					},
+				},
+				RootCAs: caPool,
+			},
+		},
+	}
+
+	var makeRequest = func(url string) {
+		resp, err := client.Get(url)
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer resp.Body.Close()
+
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		log.Println(resp.Status)
+		log.Println(string(body))
+	}
+
+	// Make the request to the trusted server!
+	makeRequest(fmt.Sprintf("https://%s", serverAddress))
+}

gateway/vendor/github.com/docker/libtrust/tlsdemo/gencert.go

@@ -0,0 +1,62 @@
+package main
+
+import (
+	"encoding/pem"
+	"fmt"
+	"log"
+	"net"
+
+	"github.com/docker/libtrust"
+)
+
+var (
+	serverAddress            = "localhost:8888"
+	clientPrivateKeyFilename = "client_data/private_key.pem"
+	trustedHostsFilename     = "client_data/trusted_hosts.pem"
+)
+
+func main() {
+	key, err := libtrust.LoadKeyFile(clientPrivateKeyFilename)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	keyPEMBlock, err := key.PEMBlock()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	encodedPrivKey := pem.EncodeToMemory(keyPEMBlock)
+	fmt.Printf("Client Key:\n\n%s\n", string(encodedPrivKey))
+
+	cert, err := libtrust.GenerateSelfSignedClientCert(key)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	encodedCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	fmt.Printf("Client Cert:\n\n%s\n", string(encodedCert))
+
+	trustedServerKeys, err := libtrust.LoadKeySetFile(trustedHostsFilename)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	hostname, _, err := net.SplitHostPort(serverAddress)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	trustedServerKeys, err = libtrust.FilterByHosts(trustedServerKeys, hostname, false)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	caCert, err := libtrust.GenerateCACert(key, trustedServerKeys[0])
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	encodedCert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
+	fmt.Printf("CA Cert:\n\n%s\n", string(encodedCert))
+}

gateway/vendor/github.com/docker/libtrust/tlsdemo/genkeys.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"log"
+
+	"github.com/docker/libtrust"
+)
+
+func main() {
+	// Generate client key.
+	clientKey, err := libtrust.GenerateECP256PrivateKey()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Add a comment for the client key.
+	clientKey.AddExtendedField("comment", "TLS Demo Client")
+
+	// Save the client key, public and private versions.
+	err = libtrust.SaveKey("client_data/private_key.pem", clientKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = libtrust.SavePublicKey("client_data/public_key.pem", clientKey.PublicKey())
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Generate server key.
+	serverKey, err := libtrust.GenerateECP256PrivateKey()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Set the list of addresses to use for the server.
+	serverKey.AddExtendedField("hosts", []string{"localhost", "docker.example.com"})
+
+	// Save the server key, public and private versions.
+	err = libtrust.SaveKey("server_data/private_key.pem", serverKey)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = libtrust.SavePublicKey("server_data/public_key.pem", serverKey.PublicKey())
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Generate Authorized Keys file for server.
+	err = libtrust.AddKeySetFile("server_data/trusted_clients.pem", clientKey.PublicKey())
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Generate Known Host Keys file for client.
+	err = libtrust.AddKeySetFile("client_data/trusted_hosts.pem", serverKey.PublicKey())
+	if err != nil {
+		log.Fatal(err)
+	}
+}

gateway/vendor/github.com/docker/libtrust/tlsdemo/server.go

@@ -0,0 +1,80 @@
+package main
+
+import (
+	"crypto/tls"
+	"fmt"
+	"html"
+	"log"
+	"net"
+	"net/http"
+
+	"github.com/docker/libtrust"
+)
+
+var (
+	serverAddress             = "localhost:8888"
+	privateKeyFilename        = "server_data/private_key.pem"
+	authorizedClientsFilename = "server_data/trusted_clients.pem"
+)
+
+func requestHandler(w http.ResponseWriter, r *http.Request) {
+	clientCert := r.TLS.PeerCertificates[0]
+	keyID := clientCert.Subject.CommonName
+	log.Printf("Request from keyID: %s\n", keyID)
+	fmt.Fprintf(w, "Hello, client! I'm a server! And you are %T: %s.\n", clientCert.PublicKey, html.EscapeString(keyID))
+}
+
+func main() {
+	// Load server key.
+	serverKey, err := libtrust.LoadKeyFile(privateKeyFilename)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Generate server certificate.
+	selfSignedServerCert, err := libtrust.GenerateSelfSignedServerCert(
+		serverKey, []string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")},
+	)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Load authorized client keys.
+	authorizedClients, err := libtrust.LoadKeySetFile(authorizedClientsFilename)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Create CA pool using trusted client keys.
+	caPool, err := libtrust.GenerateCACertPool(serverKey, authorizedClients)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Create TLS config, requiring client certificates.
+	tlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{
+			tls.Certificate{
+				Certificate: [][]byte{selfSignedServerCert.Raw},
+				PrivateKey:  serverKey.CryptoPrivateKey(),
+				Leaf:        selfSignedServerCert,
+			},
+		},
+		ClientAuth: tls.RequireAndVerifyClientCert,
+		ClientCAs:  caPool,
+	}
+
+	// Create HTTP server with simple request handler.
+	server := &http.Server{
+		Addr:    serverAddress,
+		Handler: http.HandlerFunc(requestHandler),
+	}
+
+	// Listen and server HTTPS using the libtrust TLS config.
+	listener, err := net.Listen("tcp", server.Addr)
+	if err != nil {
+		log.Fatal(err)
+	}
+	tlsListener := tls.NewListener(listener, tlsConfig)
+	server.Serve(tlsListener)
+}