particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-forge-composer/vendor/github.com/letsencrypt/boulder/sa/proto/sa.proto
Ondřej Budai 29f66a251f go.mod: update github.com/containers/image/v5 
Version 5.22 introduced a new option to /etc/containers/policy.json called
keyPaths, see

https://github.com/containers/image/pull/1609

EL9 immediately took advantage of this new feature and started using it, see
04645c4a84

This quickly became an issue in our code: The go library (containers/image)
parses the configuration file very strictly and refuses to create a client
when policy.json with an unknown key is present on the filesystem. As we
used 5.21.1 that doesn't know the new key, our unit tests started to
failing when containers-common was present.

Reproducer:
podman run --pull=always --rm -it centos:stream9
dnf install -y dnf-plugins-core
dnf config-manager --set-enabled crb
dnf install -y gpgme-devel libassuan-devel krb5-devel golang git-core
git clone https://github.com/osbuild/osbuild-composer
cd osbuild-composer

# install the new containers-common and run the test
dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/44.el9/x86_64/containers-common-1-44.el9.x86_64.rpm
go test -count 1 ./...

# this returns:
--- FAIL: TestClientResolve (0.00s)
    client_test.go:31:
        	Error Trace:	client_test.go:31
        	Error:      	Received unexpected error:
        	            	Unknown key "keyPaths"
        	            	invalid policy in "/etc/containers/policy.json"
        	            	github.com/containers/image/v5/signature.NewPolicyFromFile
        	            		/osbuild-composer/vendor/github.com/containers/image/v5/signature/policy_config.go:88
        	            	github.com/osbuild/osbuild-composer/internal/container.NewClient
        	            		/osbuild-composer/internal/container/client.go:123
        	            	github.com/osbuild/osbuild-composer/internal/container_test.TestClientResolve
        	            		/osbuild-composer/internal/container/client_test.go:29
        	            	testing.tRunner
        	            		/usr/lib/golang/src/testing/testing.go:1439
        	            	runtime.goexit
        	            		/usr/lib/golang/src/runtime/asm_amd64.s:1571
        	Test:       	TestClientResolve
    client_test.go:32:
        	Error Trace:	client_test.go:32
        	Error:      	Expected value not to be nil.
        	Test:       	TestClientResolve

 When run with an older containers-common, it succeeds:
 dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/40.el9/x86_64/containers-common-1-40.el9.x86_64.rpm
 go test -count 1 ./...
 PASS

To sum it up, I had to upgrade github.com/containers/image/v5 to v5.22.0.
Unfortunately, this wasn't so simple, see

go get github.com/containers/image/v5@latest
go: github.com/containers/image/v5@v5.22.0 requires
	github.com/letsencrypt/boulder@v0.0.0-20220331220046-b23ab962616e requires
	github.com/honeycombio/beeline-go@v1.1.1 requires
	github.com/gobuffalo/pop/v5@v5.3.1 requires
	github.com/mattn/go-sqlite3@v2.0.3+incompatible: reading github.com/mattn/go-sqlite3/go.mod at revision v2.0.3: unknown revision v2.0.3

It turns out that github.com/mattn/go-sqlite3@v2.0.3+incompatible has been
recently retracted https://github.com/mattn/go-sqlite3/pull/998 and this
broke a ton of packages depending on it. I was able to fix it by adding

exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible

to our go.mod, see
https://github.com/mattn/go-sqlite3/issues/975#issuecomment-955661657

After adding it,
go get github.com/containers/image/v5@latest
succeeded and tools/prepare-source.sh took care of the rest.

Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-08-29 10:25:38 +02:00

272 lines
7.6 KiB
Protocol Buffer
Raw Blame History

syntax = "proto3";
package sa;
option go_package = "github.com/letsencrypt/boulder/sa/proto";
import "core/proto/core.proto";
import "google/protobuf/empty.proto";
service StorageAuthority {
// Getters
rpc GetRegistration(RegistrationID) returns (core.Registration) {}
rpc GetRegistrationByKey(JSONWebKey) returns (core.Registration) {}
rpc GetSerialMetadata(Serial) returns (SerialMetadata) {}
rpc GetCertificate(Serial) returns (core.Certificate) {}
rpc GetPrecertificate(Serial) returns (core.Certificate) {}
rpc GetCertificateStatus(Serial) returns (core.CertificateStatus) {}
rpc CountCertificatesByNames(CountCertificatesByNamesRequest) returns (CountByNames) {}
rpc CountRegistrationsByIP(CountRegistrationsByIPRequest) returns (Count) {}
rpc CountRegistrationsByIPRange(CountRegistrationsByIPRequest) returns (Count) {}
rpc CountOrders(CountOrdersRequest) returns (Count) {}
// Return a count of authorizations with status "invalid" that belong to
// a given registration ID and expire in the given time range.
rpc CountFQDNSets(CountFQDNSetsRequest) returns (Count) {}
rpc FQDNSetExists(FQDNSetExistsRequest) returns (Exists) {}
rpc PreviousCertificateExists(PreviousCertificateExistsRequest) returns (Exists) {}
rpc GetAuthorization2(AuthorizationID2) returns (core.Authorization) {}
rpc GetAuthorizations2(GetAuthorizationsRequest) returns (Authorizations) {}
rpc GetPendingAuthorization2(GetPendingAuthorizationRequest) returns (core.Authorization) {}
rpc CountPendingAuthorizations2(RegistrationID) returns (Count) {}
rpc GetValidOrderAuthorizations2(GetValidOrderAuthorizationsRequest) returns (Authorizations) {}
rpc CountInvalidAuthorizations2(CountInvalidAuthorizationsRequest) returns (Count) {}
rpc GetValidAuthorizations2(GetValidAuthorizationsRequest) returns (Authorizations) {}
rpc KeyBlocked(KeyBlockedRequest) returns (Exists) {}
// Adders
rpc NewRegistration(core.Registration) returns (core.Registration) {}
rpc UpdateRegistration(core.Registration) returns (google.protobuf.Empty) {}
rpc AddCertificate(AddCertificateRequest) returns (AddCertificateResponse) {}
rpc AddPrecertificate(AddCertificateRequest) returns (google.protobuf.Empty) {}
rpc AddSerial(AddSerialRequest) returns (google.protobuf.Empty) {}
rpc DeactivateRegistration(RegistrationID) returns (google.protobuf.Empty) {}
rpc NewOrder(NewOrderRequest) returns (core.Order) {}
rpc NewOrderAndAuthzs(NewOrderAndAuthzsRequest) returns (core.Order) {}
rpc SetOrderProcessing(OrderRequest) returns (google.protobuf.Empty) {}
rpc SetOrderError(SetOrderErrorRequest) returns (google.protobuf.Empty) {}
rpc FinalizeOrder(FinalizeOrderRequest) returns (google.protobuf.Empty) {}
rpc GetOrder(OrderRequest) returns (core.Order) {}
rpc GetOrderForNames(GetOrderForNamesRequest) returns (core.Order) {}
rpc RevokeCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
rpc UpdateRevokedCertificate(RevokeCertificateRequest) returns (google.protobuf.Empty) {}
rpc NewAuthorizations2(AddPendingAuthorizationsRequest) returns (Authorization2IDs) {}
rpc FinalizeAuthorization2(FinalizeAuthorizationRequest) returns (google.protobuf.Empty) {}
rpc DeactivateAuthorization2(AuthorizationID2) returns (google.protobuf.Empty) {}
rpc AddBlockedKey(AddBlockedKeyRequest) returns (google.protobuf.Empty) {}
}
message RegistrationID {
int64 id = 1;
}
message JSONWebKey {
bytes jwk = 1;
}
message AuthorizationID {
string id = 1;
}
message GetPendingAuthorizationRequest {
int64 registrationID = 1;
string identifierType = 2;
string identifierValue = 3;
// Result must be valid until at least this Unix timestamp (nanos)
int64 validUntil = 4;
}
message GetValidAuthorizationsRequest {
int64 registrationID = 1;
repeated string domains = 2;
int64 now = 3; // Unix timestamp (nanoseconds)
}
message ValidAuthorizations {
message MapElement {
string domain = 1;
core.Authorization authz = 2;
}
repeated MapElement valid = 1;
}
message Serial {
string serial = 1;
}
message SerialMetadata {
string serial = 1;
int64 registrationID = 2;
int64 created = 3; // Unix timestamp (nanoseconds)
int64 expires = 4; // Unix timestamp (nanoseconds)
}
message Range {
int64 earliest = 1; // Unix timestamp (nanoseconds)
int64 latest = 2; // Unix timestamp (nanoseconds)
}
message Count {
int64 count = 1;
}
message CountCertificatesByNamesRequest {
Range range = 1;
repeated string names = 2;
}
message CountByNames {
map<string, int64> counts = 1;
}
message CountRegistrationsByIPRequest {
bytes ip = 1;
Range range = 2;
}
message CountInvalidAuthorizationsRequest {
int64 registrationID = 1;
string hostname = 2;
// Count authorizations that expire in this range.
Range range = 3;
}
message CountOrdersRequest {
int64 accountID = 1;
Range range = 2;
}
message CountFQDNSetsRequest {
int64 window = 1;
repeated string domains = 2;
}
message FQDNSetExistsRequest {
repeated string domains = 1;
}
message PreviousCertificateExistsRequest {
string domain = 1;
int64 regID = 2;
}
message Exists {
bool exists = 1;
}
message AddSerialRequest {
int64 regID = 1;
string serial = 2;
int64 created = 3; // Unix timestamp (nanoseconds)
int64 expires = 4; // Unix timestamp (nanoseconds)
}
message AddCertificateRequest {
bytes der = 1;
int64 regID = 2;
// A signed OCSP response for the certificate contained in "der".
// Note: The certificate status in the OCSP response is assumed to be 0 (good).
bytes ocsp = 3;
// An issued time. When not present the SA defaults to using
// the current time. The orphan-finder uses this parameter to add
// certificates with the correct historic issued date
int64 issued = 4;
int64 issuerID = 5;
}
message AddCertificateResponse {
string digest = 1;
}
message OrderRequest {
int64 id = 1;
}
message NewOrderRequest {
int64 registrationID = 1;
int64 expires = 2;
repeated string names = 3;
repeated int64 v2Authorizations = 4;
}
message NewOrderAndAuthzsRequest {
NewOrderRequest newOrder = 1;
repeated core.Authorization newAuthzs = 2;
}
message SetOrderErrorRequest {
int64 id = 1;
core.ProblemDetails error = 2;
}
message GetValidOrderAuthorizationsRequest {
int64 id = 1;
int64 acctID = 2;
}
message GetOrderForNamesRequest {
int64 acctID = 1;
repeated string names = 2;
}
message FinalizeOrderRequest {
int64 id = 1;
string certificateSerial = 2;
}
message GetAuthorizationsRequest {
int64 registrationID = 1;
repeated string domains = 2;
int64 now = 3; // Unix timestamp (nanoseconds)
}
message Authorizations {
message MapElement {
string domain = 1;
core.Authorization authz = 2;
}
repeated MapElement authz = 1;
}
message AddPendingAuthorizationsRequest {
repeated core.Authorization authz = 1;
}
message AuthorizationIDs {
repeated string ids = 1;
}
message AuthorizationID2 {
int64 id = 1;
}
message Authorization2IDs {
repeated int64 ids = 1;
}
message RevokeCertificateRequest {
string serial = 1;
int64 reason = 2;
int64 date = 3; // Unix timestamp (nanoseconds)
int64 backdate = 5; // Unix timestamp (nanoseconds)
bytes response = 4;
}
message FinalizeAuthorizationRequest {
int64 id = 1;
string status = 2;
int64 expires = 3; // Unix timestamp (nanoseconds)
string attempted = 4;
repeated core.ValidationRecord validationRecords = 5;
core.ProblemDetails validationError = 6;
int64 attemptedAt = 7; // Unix timestamp (nanoseconds)
}
message AddBlockedKeyRequest {
bytes keyHash = 1;
int64 added = 2; // Unix timestamp (nanoseconds)
string source = 3;
string comment = 4;
int64 revokedBy = 5;
}
message KeyBlockedRequest {
bytes keyHash = 1;
}
Reference in a new issue View git blame Copy permalink