Upgrading server dependancies (#6431)

5 files changed, 50 insertions, 11 deletions

diff --git a/vendor/github.com/xenolf/lego/README.md b/vendor/github.com/xenolf/lego/README.md
index 852f0a833..5dc9d550d 100644
--- a/vendor/github.com/xenolf/lego/README.md
+++ b/vendor/github.com/xenolf/lego/README.md
@@ -127,6 +127,12 @@ To renew the certificate:
 $ lego --email="foo@bar.com" --domains="example.com" renew
 ```
 
+To renew the certificate only if it's older than 30 days
+
+```bash
+$ lego --email="foo@bar.com" --domains="example.com" renew --days 30
+```
+
 Obtain a certificate using the DNS challenge and AWS Route 53:
 
 ```bash
diff --git a/vendor/github.com/xenolf/lego/acme/client.go b/vendor/github.com/xenolf/lego/acme/client.go
index ef0f80b7f..bcb844371 100644
--- a/vendor/github.com/xenolf/lego/acme/client.go
+++ b/vendor/github.com/xenolf/lego/acme/client.go
@@ -330,6 +330,10 @@ DNSNames:
 	challenges, failures := c.getChallenges(domains)
 	// If any challenge fails - return. Do not generate partial SAN certificates.
 	if len(failures) > 0 {
+		for _, auth := range challenges {
+			c.disableAuthz(auth)
+		}
+
 		return CertificateResource{}, failures
 	}
 
@@ -373,6 +377,10 @@ func (c *Client) ObtainCertificate(domains []string, bundle bool, privKey crypto
 	challenges, failures := c.getChallenges(domains)
 	// If any challenge fails - return. Do not generate partial SAN certificates.
 	if len(failures) > 0 {
+		for _, auth := range challenges {
+			c.disableAuthz(auth)
+		}
+
 		return CertificateResource{}, failures
 	}
 
@@ -493,10 +501,12 @@ func (c *Client) solveChallenges(challenges []authorizationResource) map[string]
 				// TODO: do not immediately fail if one domain fails to validate.
 				err := solver.Solve(authz.Body.Challenges[i], authz.Domain)
 				if err != nil {
+					c.disableAuthz(authz)
 					failures[authz.Domain] = err
 				}
 			}
 		} else {
+			c.disableAuthz(authz)
 			failures[authz.Domain] = fmt.Errorf("[%s] acme: Could not determine solvers", authz.Domain)
 		}
 	}
@@ -586,6 +596,13 @@ func logAuthz(authz []authorizationResource) {
 	}
 }
 
+// cleanAuthz loops through the passed in slice and disables any auths which are not "valid"
+func (c *Client) disableAuthz(auth authorizationResource) error {
+	var disabledAuth authorization
+	_, err := postJSON(c.jws, auth.AuthURL, deactivateAuthMessage{Resource: "authz", Status: "deactivated"}, &disabledAuth)
+	return err
+}
+
 func (c *Client) requestCertificate(authz []authorizationResource, bundle bool, privKey crypto.PrivateKey, mustStaple bool) (CertificateResource, error) {
 	if len(authz) == 0 {
 		return CertificateResource{}, errors.New("Passed no authorizations to requestCertificate!")
diff --git a/vendor/github.com/xenolf/lego/acme/messages.go b/vendor/github.com/xenolf/lego/acme/messages.go
index 36db3b217..79ccf154e 100644
--- a/vendor/github.com/xenolf/lego/acme/messages.go
+++ b/vendor/github.com/xenolf/lego/acme/messages.go
@@ -93,6 +93,11 @@ type revokeCertMessage struct {
 	Certificate string `json:"certificate"`
 }
 
+type deactivateAuthMessage struct {
+	Resource string `json:"resource,omitempty"`
+	Status   string `jsom:"status"`
+}
+
 // CertificateResource represents a CA issued certificate.
 // PrivateKey, Certificate and IssuerCertificate are all
 // already PEM encoded and can be directly written to disk.
diff --git a/vendor/github.com/xenolf/lego/providers/dns/azure/azure.go b/vendor/github.com/xenolf/lego/providers/dns/azure/azure.go
index d079d5e13..97d692382 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/azure/azure.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/azure/azure.go
@@ -12,6 +12,8 @@ import (
 
 	"strings"
 
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/xenolf/lego/acme"
@@ -69,7 +71,9 @@ func (c *DNSProvider) Present(domain, token, keyAuth string) error {
 	}
 
 	rsc := dns.NewRecordSetsClient(c.subscriptionId)
-	rsc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	spt, err := c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	rsc.Authorizer = autorest.NewBearerAuthorizer(spt)
+
 	relative := toRelativeRecord(fqdn, acme.ToFqdn(zone))
 	rec := dns.RecordSet{
 		Name: &relative,
@@ -103,7 +107,8 @@ func (c *DNSProvider) CleanUp(domain, token, keyAuth string) error {
 
 	relative := toRelativeRecord(fqdn, acme.ToFqdn(zone))
 	rsc := dns.NewRecordSetsClient(c.subscriptionId)
-	rsc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	spt, err := c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	rsc.Authorizer = autorest.NewBearerAuthorizer(spt)
 	_, err = rsc.Delete(c.resourceGroup, zone, relative, dns.TXT, "")
 	if err != nil {
 		return err
@@ -121,7 +126,11 @@ func (c *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
 
 	// Now we want to to Azure and get the zone.
 	dc := dns.NewZonesClient(c.subscriptionId)
-	dc.Authorizer, err = c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+
+	rsc := dns.NewRecordSetsClient(c.subscriptionId)
+	spt, err := c.newServicePrincipalTokenFromCredentials(azure.PublicCloud.ResourceManagerEndpoint)
+	rsc.Authorizer = autorest.NewBearerAuthorizer(spt)
+
 	zone, err := dc.Get(c.resourceGroup, acme.UnFqdn(authZone))
 
 	if err != nil {
@@ -134,10 +143,10 @@ func (c *DNSProvider) getHostedZoneID(fqdn string) (string, error) {
 
 // NewServicePrincipalTokenFromCredentials creates a new ServicePrincipalToken using values of the
 // passed credentials map.
-func (c *DNSProvider) newServicePrincipalTokenFromCredentials(scope string) (*azure.ServicePrincipalToken, error) {
-	oauthConfig, err := azure.PublicCloud.OAuthConfigForTenant(c.tenantId)
+func (c *DNSProvider) newServicePrincipalTokenFromCredentials(scope string) (*adal.ServicePrincipalToken, error) {
+	oauthConfig, err := adal.NewOAuthConfig(azure.PublicCloud.ActiveDirectoryEndpoint, c.tenantId)
 	if err != nil {
 		panic(err)
 	}
-	return azure.NewServicePrincipalToken(*oauthConfig, c.clientId, c.clientSecret, scope)
+	return adal.NewServicePrincipalToken(*oauthConfig, c.clientId, c.clientSecret, scope)
 }
diff --git a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
index 43a95f18c..1f1af790f 100644
--- a/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
+++ b/vendor/github.com/xenolf/lego/providers/dns/rfc2136/rfc2136.go
@@ -23,11 +23,13 @@ type DNSProvider struct {
 }
 
 // NewDNSProvider returns a DNSProvider instance configured for rfc2136
-// dynamic update. Credentials must be passed in the environment variables:
-// RFC2136_NAMESERVER, RFC2136_TSIG_ALGORITHM, RFC2136_TSIG_KEY and
-// RFC2136_TSIG_SECRET. To disable TSIG authentication, leave the TSIG
-// variables unset. RFC2136_NAMESERVER must be a network address in the form
-// "host" or "host:port".
+// dynamic update. Credentials must be passed in environment variables:
+// RFC2136_NAMESERVER: Network address in the form "host" or "host:port".
+// RFC2136_TSIG_ALGORITHM: Defaults to hmac-md5.sig-alg.reg.int. (HMAC-MD5).
+// See https://github.com/miekg/dns/blob/master/tsig.go for supported values. 
+// RFC2136_TSIG_KEY: Name of the secret key as defined in DNS server configuration.
+// RFC2136_TSIG_SECRET: Secret key payload.
+// To disable TSIG authentication, leave the RFC2136_TSIG* variables unset.
 func NewDNSProvider() (*DNSProvider, error) {
 	nameserver := os.Getenv("RFC2136_NAMESERVER")
 	tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")